Practice of IA: Managing Flashcards

1
Q

A chief audit executive invests considerable time in developing his annual and long-term budgets. The budgeting process is an example of which basic function of internal audit management?

  1. Directing
  2. Planning
  3. Organizing
  4. Monitoring
A

2- Planning

Rationale
A well-developed budget is the key component of planning that enables the internal audit activity to perform its mission on time and within established financial parameters.

2
Q

Which of the following is a valid method to use when performing a control self-assessment (CSA)?

  1. Management-produced analyses
  2. Walkthroughs
  3. Observation
  4. Human resources complaint procedures
A

1- Management-produced analyses

Rationale
CSAs can take the form of management-produced analyses. Although complaints may be reviewed, investigated, and documented, the purpose of a CSA is to collect all information related to the nature and scope of the audit. The information gathered needs to be extensive, objective, and specific.

3
Q

A Certified Internal Auditor directs the audit function for a large city and is planning the audit schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet in order to be eligible for the funding. The auditor randomly selects participants in the job retraining program for the past year to verify that they met all the eligibility requirements. This type of audit is best referred to as a(n)

  1. program audit.
  2. economy and efficiency audit.
  3. operational audit.
  4. compliance audit.
A

4- compliance audit.

Rationale
The auditor is determining that the participants have complied with the eligibility requirements. An operational audit would focus on the overall operations of the jobs retraining program. An economy and efficiency audit would address the cost of the program and compare it with the objectives achieved. A program audit is broader in context and would address the achievement of the overall program objectives.

4
Q

Assume that your company is considering purchasing a small toxic waste disposal company. As an internal auditor, you are part of the team doing a due diligence review for the acquisition. Your scope (as an auditor) would most likely include

  1. a review of the waste company’s procedures for acceptance of waste material and comparison with international toxic waste disposal companies.
  2. analysis of the waste company’s compliance with and disclosure of loan covenants.
  3. an evaluation of the merit of lawsuits currently filed against the waste company.
  4. assessment of the waste company’s privacy policies to ensure that customer dropoffs do not generate negative publicity.
A

2- analysis of the waste company’s compliance with and disclosure of loan covenants.

Rationale
It is important to ensure that a prospective company is not at risk of default on loans. While the procedures for acceptance of waste material are of interest, comparing them to those of international companies would not have much relevance, as other countries would have different laws and regulations. Rather, they should be compared against relevant laws and regulations of the country in which the company operates. The merit of a lawsuit is a matter of legal judgment; it is beyond the expertise of the internal audit activity. If the waste company is operating in compliance with laws and regulations, it should be transparent rather than secretive.

5
Q

An internal auditor has been given the task of determining if a vendor is meeting its contract requirements. Which is a factor to be considered?

  1. Whether the vendor is outsourcing some of the production
  2. Whether the quality of the product meets specifications
  3. Whether accounts payable is processing payments on or before the payment deadline
  4. Whether the vendor is going above and beyond minimum requirements
A

2- Whether the quality of the product meets specifications

Rationale
In a contract audit, the internal auditor is concerned only with items specified in the actual contract. Normally, this includes such things as the quality of the product and the correct quantity and timing of deliverables rather than if the vendor is paid on time or correctly. Additional actions may be identified that are not part of the contract; these actions might increase the efficiency and effectiveness of the work being performed.

6
Q

Which of the following poses the greatest risk in external business relationships?

  1. Organization’s responsibility for actions of its partners
  2. External business partner’s inefficient business processes
  3. External business partner’s lack of compliance metrics
  4. External business partner’s lack of confidentiality standards
A

1- Organization’s responsibility for actions of its partners

Rationale
An overarching risk of external business partners is that the organization will be held responsible for the actions of its partners and perhaps even of the partners of those partners (i.e., third-tier supply chain). Contractual provisions can help transfer some of this risk, but other risks, such as reputation risk, cannot be transferred. Lack of confidentiality standards and/or compliance metrics and/or inefficient processes would not pose risk as significant as the organization being responsible for the actions of its partners.

7
Q

In evaluating the organization’s privacy framework, internal audit performs compliance audits, including assessing practices, processes, and controls. This level of involvement demonstrates which level of organizational maturity concerning privacy protection?

  1. Repeatable
  2. Defined
  3. Managed
  4. Optimizing
A

2- Defined

Rationale
In a model with five levels of privacy protection maturity (initial, repeatable, defined, managed, optimizing), this would be the defined level. At this stage, the organization has demonstrated senior management commitment, complete privacy policy, and privacy organization. Leadership is in place. Risk assessments have been performed, and consistent organization-wide controls are underway.

8
Q

The costs of quality that are incurred to evaluate purchased materials, processes, products, and services to ensure conformance to specifications are referred to as

  1. internal failure costs.
  2. external failure costs.
  3. appraisal costs.
  4. prevention costs.
A

3- appraisal costs.

Rationale
Appraisal costs are those costs incurred to evaluate purchased materials, processes, products, and services to ensure conformance to specifications. These costs include inspecting and testing raw materials and work-in-process inventory.

9
Q

In order to provide the board and senior management with an overall opinion on internal control, a chief audit executive (CAE) is compiling the results of internal control evaluations accumulated from individual audit engagements. The CAE notes that management consistently fails to correlate objectives, risks to objectives, and internal controls designed to address identified risks. Which of the following is the CAE’s best course of action?

  1. Recommend that internal controls units be established for major lines of business, to support risk management activities.
  2. Recommend an organization-wide implementation of an internal control framework.
  3. Recommend extensive internal controls training for all process owners and supervisors.
  4. Recommend that the audit committee review details of all internal audit reports rather than only executive summaries.
A

2- Recommend an organization-wide implementation of an internal control framework.

Rationale
The implementation guidance for Standard 2130, “Control,” states the following: “To promote continuous improvement in maintaining effective controls, the internal audit activity typically provides the board and senior management with an overall assessment or compiles the results of control evaluations accumulated from individual audit engagements. The CAE may recommend the implementation of a control framework if one is not already in place.” None of the other answer choices are likely to result in an understanding of the correlation between objectives, risks, and controls.

10
Q

If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should

  1. ignore the work of the other department and proceed with an independent audit.
  2. yield the responsibility for assessing the function or process to the other department.
  3. reduce the scope of the audit, since the work has already been performed by the other department.
  4. consider the work of the other department when assessing the function or process.
A

4- consider the work of the other department when assessing the function or process.

Rationale
Review and testing of the other department’s procedures may reduce necessary audit coverage of the function or process.

11
Q

As part of the internal audit activity’s internal quality assurance program, periodic self-assessments should include

  1. an independent evaluation of conformance to the Standards by a qualified external assessor.
  2. recommendations on use of information technology to enhance internal audit efficiency and effectiveness.
  3. validation of continued conformance with the Standards and the Code of Ethics by a member of the internal audit activity.
  4. reporting results to external stakeholders, such as regulatory examiners.
A

3- validation of continued conformance with the Standards and the Code of Ethics by a member of the internal audit activity.

Rationale
Validation of continued conformance with the Standards and the Code of Ethics by a member of the internal audit activity is the substance of periodic self-assessments. Recommendations on use of information technology may be but aren’t necessarily an output of a periodic self-assessment. The external assessor’s evaluation of Standards conformance is part of the external quality assessment activity, not internal periodic self-assessments. The results of periodic self-assessments are reported to senior management and the board at an agreed-upon frequency.

12
Q

The foundation of internal audit resource allocation should be the

  1. time and budget constraints.
  2. risks and expectations of how internal audit can add value.
  3. audit universe.
  4. existing skill sets of internal audit resources.
A

2- risks and expectations of how internal audit can add value.

Rationale
If the chief audit executive has a strong understanding of organizational risks and how internal audit can add value, he or she can then ensure that appropriate resources are available, whether in-sourced, co-sourced, or out-sourced. Existing internal audit resources or time and budget should not be the primary focus and constraint in how the internal audit activity addresses organizational risks.

13
Q

A consulting activity appropriately performed by the internal audit function is

  1. drafting procedures for systems of control.
  2. designing systems of control.
  3. installing systems of control.
  4. reviewing systems of control before implementation.
A

4- reviewing systems of control before implementation.

Rationale
Reviewing systems, even before implementation, is an activity appropriately performed by the internal audit function, and it does not impair objectivity.

14
Q

Reporting on the internal audit activity’s performance relative to its risk-based annual audit plan

  1. is a best practice for audit activities of public companies.
  2. is mandated by the Standards for all internal audit activities.
  3. is a required performance metric for the chief audit executive.
  4. is essential for proper audit activity resource allocation.
A

2- is mandated by the Standards for all internal audit activities.

Rationale
According to Standard 2060, “Reporting to Senior Management and the Board,” the chief audit executive (CAE) has the responsibility to report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting performance relative to plan may also be part of the audit activity’s ongoing monitoring related to its internal quality assurance and improvement program elements. Such reporting is a best practice for all audit activities as it is required by Standard 2060. Internal audit guidance does not mandate CAE performance metrics. While proper resource allocation may be essential to achieving the audit plan, reporting on performance relative to plan is not essential to proper resource allocation.

15
Q

A new chief audit executive (CAE) needs to establish reporting protocols for the frequency of communicating significant risk and control issues to senior management and the board. To determine the frequency of reporting, the CAE should

  1. consider resource constraints impacting internal audit communications of significant risk and control matters.
  2. collaborate with senior management and the board to establish appropriate reporting frequencies.
  3. collaborate with compliance, risk management, and other second line leadership on their reporting protocols.
  4. consider the past results of and the timing and extent of planned external auditor testing.
A

2- collaborate with senior management and the board to establish appropriate reporting frequencies.

Rationale
The interpretation to Standard 2060, “Reporting to Senior Management and the Board,” states, “The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board.” External auditor testing would not impact the frequency of internal audit reporting. Resource constraints would not be a primary consideration for establishing protocols for the frequency of internal audit reporting, and the frequency would not be impacted by second line reporting protocols.

16
Q

To promote continuous improvement in control effectiveness, the internal audit activity may

  1. establish a logical structure for documenting and analyzing the organization’s design and operation of controls.
  2. help management keep abreast of emerging issues, laws, and regulations related to control requirements.
  3. design internal controls to address residual risks related to operations, compliance, and reporting objectives.
  4. implement management monitoring activities to ensure ongoing effectiveness of internal controls.
A

2- help management keep abreast of emerging issues, laws, and regulations related to control requirements.

Rationale
According to the implementation guidance for Standard 2130, “Control,” the internal audit activity may help management keep abreast of emerging issues, laws, and regulations related to control requirements to promote continuous improvement in control effectiveness. Residual risks are generally unmitigated. Nevertheless, management is responsible for internal control design, not internal audit. Management, not internal audit, is responsible for establishing a structure for documenting and analyzing controls and implementing management monitoring activities.

17
Q

Which of the following is an example of an efficiency measure?

  1. Rate of customer complaints
  2. Number of insurance claims processed per day
  3. Goal of becoming a leading manufacturer
  4. Rate of absenteeism
A

2- Number of insurance claims processed per day

Rationale
Efficiency is the ratio of effective output to the input required to achieve it. Insurance claims processed per day compares the output (claims processed) to the input (a day’s work).

18
Q

When interviewing candidates for an internal auditing position, a manager prefers to ask questions about how the candidate handled challenges in his or her previous position. This is an example of

  1. structured interviewing.
  2. behavioral interviewing.
  3. situational interviewing.
  4. initial screening.
A

2- behavioral interviewing.

Rationale
This is an example of behavioral interviewing, trying to predict future job performance based on past behaviors. Situational interviewing is similar but is based on hypothetical questions such as “How would you handle the following situation?…”

19
Q

Internal auditors can evaluate the management function of planning (as opposed to organizing, directing, or monitoring) by determining

  1. whether employee compensation is consistent with the organization’s specifications for compensation ranges by employee grade.
  2. whether new standards of performance are established and disseminated when the old standards are inadequate or ineffective.
  3. what managers are responsible for and what they are authorized to do.
  4. whether each management plan carries a means of measuring its success.
A

4- whether each management plan carries a means of measuring its success.

Rationale
Determining whether each plan carries a means of measuring its success is one way internal auditors facilitate the management function of planning. Determining what managers are responsible for and what they are authorized to do relates to the management function of organizing. Determining whether employee compensation is consistent relates to the management function of directing. Determining whether new standards of performance are established and disseminated when the old standards are ineffective relates to the management functions of directing and monitoring.

20
Q

According to Implementation Guide 2050, what does the chief audit executive (CAE) need to do prior to coordinating with other assurance and consulting service providers?

  1. Meet with the providers to understand their specific roles.
  2. Establish rapport by informally socializing with them.
  3. Get the permission of the board to start coordinating.
  4. Establish trust by indicating that the internal audit function can rely on their work.
A

1- Meet with the providers to understand their specific roles.

Rationale
Implementation Guide 2050 states: “The roles of assurance and consulting service providers vary by organization. Thus, to start the task of coordinating their efforts, the chief audit executive…identifies the various roles of existing…providers. The CAE meets with each of the providers to gather sufficient information so that the organization’s assurance and consulting activities may be coordinated.”

21
Q

A chief audit executive (CAE) decides to recruit independent contractors to augment the skill sets of his internal audit team in order to accomplish the annual risk-based plan. The CAE should

  1. enhance the audit activity’s training programs to build the lacking skill sets within the current internal audit team.
  2. ensure that all contracted service providers are either Certified Internal Auditors (CIAs) or Certified Information Systems Auditors (CISAs).
  3. ensure that the independent contractor arrangement is exclusive; contractors should not perform work for other audit activities.
  4. establish a process and criteria to determine whether the internal audit activity may rely on the work of independent contractors.
A

4- establish a process and criteria to determine whether the internal audit activity may rely on the work of independent contractors.

Rationale
According to the implementation guidance for Standard 2050, “Coordination and Reliance,” it is essential that the CAE establish a consistent process and set of criteria to determine whether the internal audit activity may rely on the work of another provider. Using independent contractors who hold CIA or CISA certifications may or may not provide the needed skill sets. The CAE should ensure that confidentiality expectations are upheld, but an exclusive relationship may not be realistic or may require an employer-employee relationship, depending on employment and tax laws in the jurisdiction. Training may not produce the required skill sets in a timely fashion, may not be a substitute for necessary experience, or may be costly and therefore may not be a reasonable solution.

22
Q

In designing a control self-assessment (CSA) workshop, which of the following elements merits the most serious attention?

  1. Developing metrics to assess respondents’ answers to pre-workshop questionnaires
  2. Scheduling time for participants to review information and suggest improvements
  3. Designing carefully worded yes-no questions to ensure the gathering of precise information
  4. Carefully briefing management to be certain to get higher-level commitment to the process
A

2- Scheduling time for participants to review information and suggest improvements

Rationale
All of the answers identify valid concerns, but the essence of CSA is the involvement of staff and management with a sense of ownership to be active process participants. Their knowledge and experience in the process being discussed will enhance the opportunity for agreement on process improvement.

23
Q

An approved risk-based internal audit plan should

  1. be frozen once completed and monitored for actual performance, with results reported to the audit committee no less frequently than monthly.
  2. primarily consider cybersecurity and fraud risks, leaving things like brand and reputation risks to the enterprise risk management teams.
  3. be flexible to allow adjustment, as necessary, due to changes in business, programs, systems, controls, and emerging risks.
  4. meet the generally accepted expectations of industry standards-setting bodies and regulatory compliance examiners.
A

3- be flexible to allow adjustment, as necessary, due to changes in business, programs, systems, controls, and emerging risks.

Rationale
Implementation guidance for Standard 2010, “Planning,” states, “The internal audit plan is flexible enough to allow the CAE to review and adjust it as necessary in response to changes in the organization’s business, risks, operations, programs, systems, and controls.” The IIA’s guidance does not prescribe the frequency of reporting actual performance compared to the audit plan. Annual risk-based audit planning considers all significant risks to achieving organizational objectives and strategies and considers input from many stakeholders.

24
Q

An organization is considering establishing a B2B (business-to-business) e-commerce relationship with a new trading partner. Which would be appropriate risk factors to consider when setting the objectives of an external business relationship assurance engagement?

  1. Assurance of trustworthiness
  2. Channel security through appropriate controls (i.e., encryption)
  3. Privacy of data arrangements
  4. Redundancy and failover of trading partner systems (in relation to downtime tolerance)
A

3- Privacy of data arrangements

Rationale
Privacy considerations are germane to a B2B e-commerce risk assessment and achieving an acceptable level of comfort regarding B2B linkages with a current or prospective trading partner. Trustworthiness is not something that can be easily assured. This objective would be better stated in a different way, such as prior contract compliance, history of good faith dealing, and so on, so it is not the best answer. The remaining answer choices are more technical in nature and are not good objectives but could be inclusions in a subsequent investigation.

25
Q

Knowledge of controls gained from consulting engagements

  1. must be disregarded when internal controls are excluded from consulting engagement objectives.
  2. must be incorporated into controls assessment engagements.
  3. should be communicated to senior management and the board.
  4. should not be considered during assurance engagements.
A

2- must be incorporated into controls assessment engagements.

Rationale
Implementation Standard 2130.C1 (Consulting Engagements) states, “Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.” Therefore, this knowledge should be considered during assurance engagements but doesn’t necessarily need to be communicated to senior management and the board. Knowledge of controls gained from consulting engagements should not be disregarded whether controls are included or excluded from consulting engagement objectives.

26
Q

Which of the following best describes the internal audit activity’s role in supporting the board in enterprise-wide risk assessment?

  1. Oversee risk management processes to determine whether they are adequate and effective.
  2. Examine, evaluate, report on, and recommend improvements on the adequacy and effectiveness of risk processes.
  3. Implement risk management methodologies and controls to address risks identified.
  4. Ensure that sound risk management processes are in place and functioning.
A

2- Examine, evaluate, report on, and recommend improvements on the adequacy and effectiveness of risk processes.

Rationale
Internal auditors are experts in understanding organizational risks and internal controls and are engaged to help management protect their organizations from present and future risk exposure. The internal audit activity assists both management and the oversight body in enterprise risk management (ERM) by helping management to examine and evaluate governance, internal controls, and risk management processes. After audit activities have been completed, the auditor(s) will report their findings to the board and recommend relevant improvements.

27
Q

A company recently acquired a small competitor organization because of its complementary line of business. Prior to the acquisition, high regulatory and compliance risks had led the company’s chief audit executive (CAE) to focus primarily on compliance assurance, but she is now recognizing the enhanced operational and strategic risks associated with the acquisition. Based on her updated risk assessment and resulting audit plan amendments, the CAE plans to communicate her resource requirements to senior management and the board. She must also communicate information about

  1. internal audit’s needed strategies for favorably impacting the governance of the combined organization.
  2. the needed changes to the audit charter and the audit activity’s purpose, authority, and responsibility.
  3. the ten Core Principles and how they are or are not evidenced in the culture of the acquired organization.
  4. the acquired organization’s adherence (or lack thereof) to the COSO Internal Control—Integrated Framework or other control framework.
A

2- the needed changes to the audit charter and the audit activity’s purpose, authority, and responsibility.

Rationale
According to Standard 2060, “Reporting to Senior Management and the Board,” the CAE must report periodically to senior management and the board on the internal audit activity’s purpose, authority, and responsibility. The interpretation for Standard 2060 states that the CAE’s reporting must include information about the audit charter. Since the CAE plans to shift focus from primarily compliance assurance, adding operational and strategic risk elements to the audit plan, the internal audit charter should be amended to reflect the expanded purpose and responsibility of the audit activity. The ten Core Principles, as one element of mandatory guidance, apply to the internal audit activity, not the culture of the organization. Adherence to a control framework is not a mandated communication by the CAE. There is no mandate in internal audit guidance to communicate strategies for impacting governance to senior management and the board.

28
Q

Which of the following is the most important provision for an internal auditor from a start-up company to recommend for inclusion in a contract for the third-party augmentation of the company’s new customizable business application system?

  1. Limitation-of-liabilities clause
  2. Source code escrow clause
  3. Copyright clause
  4. Right-to-audit clause
A

2- Source code escrow clause

Rationale
Source code is likely a start-up company’s most valuable asset. Therefore, it is important to protect the company’s intellectual property (IP) in any external business relationship in which the organization must share this confidential information. By using a third party, the company can work easily with customers on older or retired products while never having to disclose proprietary information and code. In third-party relationships, the third party has a right to audit the contractor and will likely share liabilities.

29
Q

The chief audit executive (CAE) of a small community bank needs to recruit and hire three entry-level internal auditors, due to the bank’s rapid growth through mergers and acquisitions. The audit activity is currently staffed with a cohesive group of experienced high performers. The CAE wants her team to gain supervisory and managerial skills through the development, coaching, and mentoring of the three new staff members. While recruiting at a local university, which of the following is the most effective interview approach for the CAE to use?

  1. Situational
  2. Behavioral
  3. Structured
  4. Stress
A

3- Structured

Rationale
In a structured interview, applicants are asked the same questions, with follow-up questions as needed. A guide is developed to focus on necessary skills, knowledge, experience, and attitudes, which helps ensure consistency and completeness in the interviewing process and also supports legal compliance. This approach is appropriate for entry-level professional positions, such as internal audit roles.

30
Q

In a top-down approach to new systems development, what should be reviewed before designing any system elements?

  1. Controls in place over the current system
  2. Types of processing systems used by competitors
  3. Computer equipment needed by the system
  4. Information needs of managers for planning and control
A

4- Information needs of managers for planning and control

Rationale
Users’ information needs and objectives should be of primary concern. The other answer choices may be irrelevant, unknown, or unimportant.

31
Q

According to the Standards, internal audit must report to senior management and the board on its conformance

  1. with the Code of Ethics and the Standards.
  2. with the Mission Statement and the Core Principles.
  3. with the Core Principles and the Code of Ethics.
  4. with the Standards and Implementation Guidance.
A

1- with the Code of Ethics and the Standards.

Rationale
Standard 2060, “Reporting to Senior Management and the Board,” states the following: “The chief audit executive must report periodically to senior management and the board on its conformance with the Code of Ethics and the Standards.” The Standards do not include a requirement to report on internal audit’s conformance with the Mission Statement, the Core Principles, or Implementation Guidance.

32
Q

A chief audit executive (CAE) is preparing his overall opinion on internal control for presentation to senior management and the board. The CAE disregards a co-sourced service provider’s opinion regarding several material internal control weaknesses related to information technology general controls. This is

  1. an example of audit detection risk.
  2. appropriate, if based on the CAE’s professional judgment.
  3. a violation of The IIA’s Standards.
  4. a disservice to the chief information officer (CIO).
A

3- a violation of The IIA’s Standards.

Rationale
According to the interpretation for Standard 2450, “Overall Opinions,” the communication will include consideration of all related projects, including the reliance on other assurance providers. Since interpretations to the Standards are mandatory requirements, failure to consider the co-sourced service provider’s opinion is a violation of The IIA’s Standards and would not be appropriate. Audit detection risk is caused by the auditor’s failure to discover material internal control weaknesses. In this case, the service provider identified the weaknesses but the CAE failed to consider this in his overall opinion. Failure to consider material IT general controls weaknesses would not necessarily be a disservice to the CIO, since the CIO may prefer that these weaknesses are not considered or at least not disclosed to senior management and the board as part of an overall opinion on internal control.

33
Q

Because of the nature of work at a company’s plants, radiation safety is important. An audit to test the system of controls over the purchase, distribution, and use of radioactive material is being conducted. The process is well documented, and employees in the safety department are very familiar with the department’s procedures. Since the purchasing and facilities departments are involved in the process, the auditor is considering reviewing their procedures for handling radioactive material as well. The auditor should

  1. adjust the audit schedule and budget, if needed, and interview the appropriate individuals in purchasing and facilities to ascertain whether additional controls exist that complement those identified within the safety department.
  2. test the controls identified within the safety department; if results are unfavorable, consider whether to involve the other departments.
  3. defer questions regarding purchasing, facilities, and other departments until audit projects can be scheduled for those departments.
  4. have confidence in the rigorous and detailed safety department procedures, since that department has the main responsibility for radiation safety; the auditor should not use audit time to review other departments.
A

1- adjust the audit schedule and budget, if needed, and interview the appropriate individuals in purchasing and facilities to ascertain whether additional controls exist that complement those identified within the safety department.

Rationale
The risk of having radioactive materials on site that are not accounted for in the facility’s inventory is sufficiently serious that all key controls should be identified and evaluated. The auditor is obliged to note that the risk extends beyond the safety department and should request resources to finish this important work.

34
Q

As part of cash management procedures, the treasurer of a nonprofit organization has decided to invest in a variety of new financial instruments. The audit committee has asked the internal audit department to conduct an audit of the adequacy of controls over the new investing techniques. Which is an important part of such an audit?

  1. Determining if policies exist that describe the risks the treasurer may take as long as there is no loss of principal balances in stock market investments
  2. Determining the extent of management oversight of investments in sophisticated instruments
  3. Determining the nature of controls established by compliance professionals to monitor the risks in the investments
  4. Determining whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations
A

2- Determining the extent of management oversight of investments in sophisticated instruments

Rationale
It is important to determine the extent of management oversight of investments, especially for sophisticated instruments. No control or policy can guarantee that a stock market investment will not lose value. The treasurer is responsible for establishing controls over monitoring the risks in investments. Although a comparative analysis of investment returns might be informational, there is no need to benchmark investment returns against those of other organizations. Indeed, financial investment scandals have shown that such comparisons can be highly misleading because high returns can be due to taking on a high level of risk. Also, this is not a test of the adequacy of the controls.

35
Q

Several members of an organization’s senior management have questioned whether the internal audit activity should report to the newly established quality audit function as part of the total quality management process within the organization. The chief audit executive (CAE) has reviewed the quality audit standards and the programs that the quality audit manager has proposed. The CAE’s response to senior management should include which of the following?

  1. Estimating departmental cost savings that would result from the elimination of the internal audit activity
  2. Changing the applicable standards for internal auditing within the organization to provide compliance with quality audit standards
  3. Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities
  4. Changing the qualification requirements for new staff members to include quality audit experience
A

3- Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities

Rationale
An internal auditor should always consider the added value of coordinating internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process—for example, with other internal assurance functions, such as quality control. By coordinating, the two functions can provide support for each other and potentially make the audit process more efficient. Therefore, when responding to management in this scenario, the CAE should identify ways in which he or she believes working with the quality audit function can enhance the audit function.

36
Q

As part of an internal audit, a benchmark must be established for the defect rate for an innovative new production process. The auditor can either use a large sample that is already available from other production processes in the same plant or draw a fresh sample from the new process. However, a fresh sample would be expensive, time-consuming, and much smaller in size. Which of the following is the best course of action for the auditor?

  1. The auditor should accept the historical sample but use nonparametric statistics to analyze it.
  2. The auditor should accept the large historical sample because analyses based on it will have high statistical power.
  3. The auditor should first determine how similar the new process is to the old process before deciding what to do.
  4. The auditor should draw a fresh sample and combine it with the old sample.
A

3- The auditor should first determine how similar the new process is to the old process before deciding what to do.

Rationale
The first question that should always be asked concerning the use of historical data is how representative the process that generated it is compared to the process currently under study.

37
Q

Which of the following costs of quality are incurred when defects are discovered before sending products to customers?

  1. Appraisal costs
  2. Internal failure costs
  3. Prevention costs
  4. External failure costs
A

2- Internal failure costs

Rationale
The internal failure costs of quality include handling and fixing defective products or disposing of them and the opportunity cost of not being able to sell disposed-of products.

38
Q

A chief audit executive (CAE) performs an internal audit staff skills and experience analysis and then maps this analysis to requirements of her proposed risk-based plan. The output of this gap analysis will enable the CAE

  1. to justify an increased internal audit activity budget in order to obtain lacking skills and experience to fulfill plan requirements.
  2. to communicate the impact of identified resource limitations to senior management and the board.
  3. to eliminate routine testing of internal controls over financial reporting for the external auditors in favor of other priorities.
  4. to eliminate those engagements from the plan for which the audit activity lacks the necessary skills and experience.
A

2- to communicate the impact of identified resource limitations to senior management and the board.

Rationale
Standard 2020, “Communication and Approval,” states, “The chief audit executive must also communicate the impact of resource limitations.” Eliminating engagements from the proposed risk-based plan due to lack of skills and experience is inappropriate. While the analysis may support an increased audit activity budget, the standard requires communicating the impact of resource limitations. While eliminating external audit support activities may free up resources for other audit engagements, it is inappropriate for the CAE to unilaterally make the decision to do so.

39
Q

A company recently experienced substantially reduced net profit from sales of product line A, which is produced in a dedicated machine shop. The internal auditors have been assigned the task of determining the cause of the reduced net profit. As a first step, the in-charge auditor should

  1. test material vouchers for validity.
  2. compare production records with cost standards.
  3. analyze scrap and surplus records.
  4. evaluate the elements of cost and compare them to those of prior periods.
A

4- evaluate the elements of cost and compare them to those of prior periods.

Rationale
Analysis of the elements of cost can point out problem areas. Testing material vouchers for validity would not be best, since material is only one element of cost. Comparing production records with cost standards would not be the auditor’s first step, as there is no assurance that the standards are valid. Analyzing scrap and surplus records would point to only one element, production inefficiencies.

40
Q

Internal auditing has been asked to help the marketing department of a health-care services company assess its performance and identify areas for improvement. Which of the following types of benchmarking would be most useful to the internal auditor in accomplishing this task?

  1. Competitive
  2. Generic
  3. Internal
  4. Functional
A

1- Competitive

Rationale
Since there are many businesses competing to provide health-care services, it would be feasible to identify successful competitors and compare their skill sets, activities, and sophistication in process with the client activity. Functional benchmarking would use performance in another industry and might offer too many variables for easy comparison. Generic benchmarking would probably yield data that is too general. Internal benchmarking, which might compare the current marketing function with previous marketing functions in the organization, would not allow for the introduction of new ideas being tried outside the organization.

41
Q

While preparing his overall opinion on internal control for presentation to senior management of a large government agency, a chief audit executive (CAE) notices a pervasive lack of accountability as the root cause for numerous internal control weaknesses discussed in audit reports. The CAE should

  1. recognize this as a normal element of the complex bureaucracy.
  2. make recommendations to enhance the control environment.
  3. lead by example by ensuring that auditors are accountable for deadlines.
  4. consider progressive discipline policies in his risk assessment.
A

2- make recommendations to enhance the control environment.

Rationale
The implementation guidance for Standard 2130, “Control,” states, “Internal auditors may make recommendations that enhance the control environment.” “Enforces accountability” is one of the five COSO Internal Control—Integrated Framework principles related to the control environment component. Progressive discipline policies may be considered in the scope of an audit engagement but would not likely be assessed in an internal audit risk assessment. The CAE should not accept a culture of lack of accountability as normal for the bureaucracy. While the CAE’s posture of leading by example may impact the audit activity, it will not address a pervasive lack of accountability throughout the organization.

42
Q

What is the highest level of approval that should be obtained for any significant changes to the internal audit activity plan of engagements?

  1. Chief executive officer
  2. Senior management
  3. Chief audit executive
  4. Board of directors
A

4- Board of directors

Rationale
The internal audit activity plan of engagements should be approved by the board and communicated to the audit committee. As indicated in Implementation Guide 2020, “Communication and Approval,” significant interim changes should be submitted to the board for approval and information.

43
Q

A company recently experienced substantially reduced net profit from sales of product line A, which is produced in a dedicated machine shop. The internal auditors have been assigned the task of determining the cause of the reduced profit. Which of the following would most likely identify the problem?

  1. Review of prior audit results
  2. Walkthrough of the machine shop
  3. Analysis of the financial and operational reports
  4. Interviews with the staff engaged in the production of line A
A

3- Analysis of the financial and operational reports

Rationale
The analysis of these reports should identify where the problem lies.

44
Q

Which of the following is a significant control weakness for a medical instruments company that outsources all component parts manufacturing and performs all warehousing, assembly, sales, and distribution activities internally?

  1. Failure to monitor external business partner performance according to contractual requirements
  2. Failure to obtain and review SOC 1 and SOC 2 reports (SSAE 18) for all business partner manufacturers
  3. Failure to require that cost reimbursement (cost-plus) contracts are used
  4. Failure to require that direct manufacturing overhead be omitted from contract pricing
A

1- Failure to monitor external business partner performance according to contractual requirements

Rationale
Management monitoring of external business partner performance according to contractual provisions (e.g., quality, timeliness, regulatory and/or ISO standards compliance, pricing) is an essential control activity to mitigate the risk of producing substandard products. SOC 1 (internal controls over financial reporting) and SOC 2 (data center security) reports relate to service provider organizations and are for use by customers of a contracted service, not manufacturing organizations. Unit-price or fixed-price contracts would more likely be used in this instance; cost reimbursement contracts would not likely be used. Manufacturing overhead may or may not be included in contract pricing; accepting the inclusion of this business partner cost would not be an internal control weakness to the organization.

45
Q

Which activity is included in determining the audit schedule?

  1. Developing audit programs
  2. Getting new staff positions approved by the board
  3. Planning workload requirements
  4. Identifying auditable personnel
A

3- Planning workload requirements

Rationale
The CAE must consider the organization’s schedule, the schedule of individual internal auditors, and the availability of auditable entities when generating the schedule for internal audit engagements. This would include gaining an understanding of and planning workload requirements for the planned engagements and the auditors to be assigned to them. The development of specific audit programs occurs during the planning phase of an individual audit, not during the development of the audit schedule. Note that management, not the board, typically has the responsibility for approving new staff positions.

46
Q

A health-care products company engages with the internal audit activity to map the manufacturing process for one of its major products. The company wants to identify risks that would interrupt production and thereby endanger the company’s financial well-being. How could the business process mapping engagement help achieve this objective?

  1. By eliminating redundancies in the manufacturing process
  2. By identifying interdependent components in the process
  3. By improving relations with shareholders
  4. By improving relations with external regulators
A

2- By identifying interdependent components in the process

Rationale
The process mapping activity should reveal sequences and requirements of each component in the process as well as interdependencies, for example, the need to receive parts from internal or external suppliers, analyses of purity, or certifications of equipment from external agencies. Risks will have to be identified for each area and contingency strategies developed that account for these interdependent tasks. While the process may also reveal redundancies, this is not a risk of production interruption. It is instead an area for identifying cost-saving opportunities, so it would be a different objective.

47
Q

A typical purpose of the internal audit manual is

  1. to provide evidence of a well-controlled internal audit activity for regulatory authorities and external auditors.
  2. to coordinate roles and responsibilities within audit and in relation to other internal and external bodies.
  3. to provide guidance to internal auditors to support compliance with The IIA’s position papers.
  4. to provide the audit committee with evaluation criteria for chief audit executive (CAE) performance.
A

2- to coordinate roles and responsibilities within audit and in relation to other internal and external bodies.

Rationale
The purpose of the audit manual is, in general, to:
* Provide guidance that will support adherence to the profession’s code of ethics and professional standards.
* Define a high level of performance expectations for staff.
* Focus activity members on key objectives and values.
* Coordinate roles and responsibilities within audit and in relation to other internal and external bodies.
* Codify critical processes.
* Provide the basis on which to evaluate the internal auditing activity’s performance.

An operating manual does not provide evidence of a well-controlled activity. Evaluation criteria for CAE performance are likely established through performance metrics and/or other action plans, goals, and objectives. The IIA’s position papers are written for a broad audience of interested parties; the audit manual would support internal audit compliance with The IIA’s mandatory guidance such as its Code of Ethics and Standards.

48
Q

Systems development audits include reviews at various points to ensure that development is properly controlled and managed. What should the reviews include?

  1. Verifying the use of controls and quality assurance techniques for program development, conversion, and testing
  2. Conducting a technical feasibility study on the available hardware, software, and technical resources
  3. Examining the level of user involvement during planning and systems design and checking that this appropriately tapers off later
  4. Determining if system, user, and operations documentation is frozen at an early stage
A

1- Verifying the use of controls and quality assurance techniques for program development, conversion, and testing

Rationale
An important review step is to verify the use of controls and quality assurance techniques for program development, conversion, and testing. A feasibility study should be conducted in the systems analysis stage. User involvement should continue in later stages such as at implementation. Documentation should not be frozen at an early stage due to the need to incorporate changes made during later development stages.

49
Q

The audit universe for a large multinational corporation should focus on

  1. employment laws, codes, and practices applicable in each of the countries and regions.
  2. opportunities for and threats to achieving the organization’s strategic plan.
  3. cultural norms and market practices that shape policies and procedures.
  4. operating nuances of country and regional entities.
A

2- opportunities for and threats to achieving the organization’s strategic plan.

Rationale
As noted in Implementation Guide 2010, the audit universe in a risk-based perspective should encompass the organization’s strategic plan. It should also consider the controls management has in place to mitigate risks, achieve organizational goals and objectives, and ensure that customer needs are being met. The other answer choices can influence opportunities for and threats to the organization’s strategic plan.

50
Q

Which of the following is the best reason for the chief audit executive to consider the strategic plan in developing the annual audit plan?

  1. To ensure that the internal audit plan supports the overall business objectives
  2. To make recommendations to improve the strategic plan
  3. To emphasize the importance of the internal audit function
  4. To ensure that the internal audit plan will be approved by senior management
A

1- To ensure that the internal audit plan supports the overall business objectives

Rationale
Considering the strategic plan in the development of the internal audit plan will ensure that the audit objectives support the overall business objectives stated in the strategic plan.

51
Q

Which of the following is true of periodic review of the internal audit charter and its presentation to senior management and the board for approval?

  1. It is addressed in the IIA’s optional guidance and the Practice Guide titled “Audit Committee and Internal Audit Activity Charters.”
  2. It is optional for small internal audit activities as well as internal audit activities of public-sector and nonprofit organizations.
  3. It indicates that the internal audit activity has the authority and backing of the board in carrying out its activities as long as it conforms to the charter.
  4. It is required so that internal audit activities can effectively coordinate work with external and internal assurance providers.
A

3- It indicates that the internal audit activity has the authority and backing of the board in carrying out its activities as long as it conforms to the charter.

Rationale
Periodic approval of the internal audit charter by senior management and the board demonstrates that the internal audit activity has the authority and backing of the board in carrying out its activities as long as it conforms to the charter. Such review and approval is not optional; it is mandatory guidance articulated in Standard 1000, “Purpose, Authority, and Responsibility.” The IIA does not have a Practice Guide titled “Audit Committee and Internal Audit Activity Charters.”

52
Q

If an internal auditor is verifying that financial consultants at a bank have met both the organization’s and the industry’s requirements for training, what type of audit is being performed?

  1. Financial
  2. Performance
  3. Compliance
  4. Operational
A

3- Compliance

Rationale
In this case, the auditor is determining if the consultants are in compliance with required standards.

53
Q

An internal audit department is asked to perform an audit to determine whether the organization is in compliance with a particular set of laws and regulations. The audit does not reveal any issues of noncompliance but does reveal that the organization does not have an established system to ensure such compliance. The auditor’s responsibility is to

  1. report that the organization has a significant control deficiency because management has not established a system to manage compliance.
  2. report that one significant compliance issue was noted related to the lack of a compliance system.
  3. get management approval to establish a system to ensure compliance with applicable laws and regulations.
  4. report that the organization has no issues of noncompliance and inform the chief audit executive that a consulting project to design a compliance monitoring system should be recommended.
A

1- report that the organization has a significant control deficiency because management has not established a system to manage compliance.

Rationale
The auditor’s responsibility includes reporting on significant deficiencies in controls (or the lack of controls, in this case), reporting the findings of the current audit (including the control deficiency), meeting with management to determine what follow-up action will be taken, and providing follow-up work to determine if sufficient actions have been taken.

54
Q

In determining whether to conduct an audit of compliance with environmental regulations or a consulting engagement in the tax department, the chief audit executive should give the lowest weight to which of the following considerations?

  1. The audit staff has more expertise in taxation than in environmental compliance, necessitating reliance on outside consultants for environmental audits.
  2. In the state where the organization is headquartered, a recently elected official campaigned on a promise to go after polluters in the organization’s industry.
  3. Tax laws have recently changed in ways that may affect the organization’s very substantial write-offs.
  4. Management has expressed a desire for a tax audit.
A

1- The audit staff has more expertise in taxation than in environmental compliance, necessitating reliance on outside consultants for environmental audits.

Rationale
Available resources should not be a major consideration in this decision.

55
Q

Having completed a thorough risk assessment process and selection of areas to audit, the internal audit activity should give first priority to which of the following engagements?

  1. Payables, because an audit committee member has received an anonymous tip alleging that a staff member has been directing payments to fictitious accounts
  2. Receivables, because they ranked highest in potential dollar loss
  3. Information technology, because network software has recently been upgraded by an external consultant
  4. Financial statements, because the report had a qualified opinion on a recent external audit report
A

1- Payables, because an audit committee member has received an anonymous tip alleging that a staff member has been directing payments to fictitious accounts

Rationale
The first priority is to investigate the potential fraud in payables. A high ranking on particular measures (the large potential loss, for example) is not necessarily of highest priority if other measures of risk have been identified as significant.

56
Q

A quality audit concludes that a manufacturing organization’s quality and continuous improvement plans are adequate and are being followed. This should mean that

  1. minimum compliance with quality laws and regulations will be attained.
  2. the organization’s products will be substantially free from internal and external failure costs.
  3. the desired quality will be attained.
  4. the organization’s products will be worth more to consumers, though they will cost more to produce.
A

3- the desired quality will be attained.

Rationale
The purpose of quality audits is to provide assurance that an organization’s quality plans, activities, and operations are such that, if followed, the desired quality will be attained.

57
Q

The chief audit executive (CAE) is responsible for sharing information and coordinating activities with other internal and external service providers to ensure proper coverage and minimize duplication of efforts. With the exception of the external auditors responsible for auditing the organization’s financial statements, which of the following coordination activities should be limited to internal assurance and consulting providers?

  1. Copies of regulatory reports relevant to audit engagements
  2. Common understanding of audit techniques, methods, and terminology
  3. Access to audit programs, working papers, and management letters
  4. Exchange of organizational charts
A

3- Access to audit programs, working papers, and management letters

Rationale
Reviews conducted by internal assurance and consulting providers and the external auditors responsible for auditing the organization’s financial statements typically address areas and issues that are relevant to internal auditing’s scope of work.

58
Q

Which procedure would be appropriate for testing whether cost overruns on a construction project were caused by the contractor improperly accounting for costs related to contract change orders?

  1. Verifying that change orders were both necessary and addressed in the original project scope
  2. Verifying that the change orders were properly approved by management
  3. Verifying that the contractor has not charged change orders with costs that have already been billed to the original contract
  4. Determining if the contractor has already performed original contract work that was canceled as a result of change orders
A

3- Verifying that the contractor has not charged change orders with costs that have already been billed to the original contract

Rationale
Two important tests include verifying that the contractor is not double-billing through use of change orders and determining if the contractor has billed for original contract work that was canceled as a result of change orders. It is important to test whether the company agreed to the work before it was done by the contractor, but this does not indicate whether the contractor properly accounted for the costs related to the work, so this test is unrelated to the objective. Determining if the changes were necessary is likewise important, but this would be part of the change control process and of an audit of that function. Change orders by definition are not in the original project scope.

59
Q

The internal auditor is considering performing a risk analysis as a basis for determining which areas of the organization ought to be examined. Which of the following statements is correct regarding risk analysis?

  1. The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
  2. The highest risk analysis should always be assigned to the area with the largest potential loss.
  3. The highest risk analysis should always be assigned to the area with the highest probability of risk occurrence.
  4. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
A

1- The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.

Rationale
The auditor could appropriately consider the extent of management judgments and accounting estimates as a risk factor. Risk analysis should consider both the potential loss (or damages) and the probability of occurrence.

60
Q

An operational assurance engagement may include an assessment of which of the following?

  1. Necessary quantity of output standards
  2. Assignment of responsibility and delegation of authority
  3. Reliability of financial statements
  4. Frequency of interaction between operating management and the board
A

2- Assignment of responsibility and delegation of authority

Rationale
In operational auditing, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. It should go beyond traditional concerns and include reviews of policies, procedures, and systems, the quality of management, the use of resources to achieve organizational goals efficiently and effectively, and the safeguarding of assets.

61
Q

Which would the chief audit executive (CAE) be required to report to senior management and/or the board?

  1. Significant interim changes to the approved audit work schedule and financial budget
  2. Minor risk and control issues
  3. The fact that subsequent to the completion of an audit but prior to the issuance of the audit report, the internal auditor performing the audit was offered a permanent position in the auditee’s department
  4. The fact that an audit plan was approved by senior management and the board but that, subsequent to the approval, senior management informed the audit director not to share information with other division managers because the division’s activities were very sensitive
A

1- Significant interim changes to the approved audit work schedule and financial budget

Rationale
Reporting on interim changes is a standard part of the required reporting to senior management and the board per Standard 2060. Since the audit plan was approved by both senior management and the board, the change dictated by senior management should be reported to the board. The job offer would not have to be communicated. The CAE would have to determine that there was no impairment of the independence of the auditor’s work, but if there was none, the report could be issued without reporting the personnel change. While significant risk and control issues should be reported, reporting on minor issues is at the discretion of the CAE. Since the senior management request was not to share information about the division with other operational managers, rather than an attempt to restrict information from the board, this is not an issue that needs to be shared with the board.

62
Q

The chief audit executive (CAE) believes that the proposed organizational budget will not enable the activity to perform planned risk management projects. What action should the CAE take?

  1. Arrange to co-fund risk management projects with other functions.
  2. Go around senior management and appeal directly to the board for the necessary budget.
  3. Use time at a board meeting to educate senior management about the process and benefits of risk management.
  4. Plan the annual audit schedule accordingly, performing as many risk management activities as possible within the budget.
A

3- Use time at a board meeting to educate senior management about the process and benefits of risk management.

Rationale
Interpretation of Standard 2000, “Managing the Internal Audit Activity,” notes that the internal audit activity adds value to the organization when it “contributes to the effectiveness and efficiency of governance, risk management, and control processes.” The CAE can effectively fulfill this role by educating the board and senior management on the benefits of risk management to the organization.

63
Q

Which of the following should an internal auditor review to determine if a computer security system meets management objectives?

  1. Industry best practices for management objectives
  2. Relevant publications concerning the latest technology for security systems
  3. Regression testing of the security system
  4. Previous audit findings
A

2- Relevant publications concerning the latest technology for security systems

Rationale
Determining current and potential future standards for the industry enables an internal auditor to decide if the current computer security system is adequate for the organization.

64
Q

Which of the following would most likely be a key performance indicator (KPI) for an internal audit activity?

  1. Frequency of meetings with the board members
  2. Implementation of new audit computer software
  3. Percentage of required continuing education hours completed
  4. Audit expenditures compared to financial budgets
A

3- Percentage of required continuing education hours completed

Rationale
KPIs focus on “accomplishments or behaviors that are valued by the organization” and are valid indicators of performance (i.e., they measure the correct target). They must be understandable to the internal audit staff, who then use them to guide and improve their performance. Of the options, the percentage of completed continuing education hours is a measurable indicator of staff performance with a direct impact on their ability to perform their roles. The other answer choices are not KPIs. Expenditures-vs.-budgets data would not take into consideration other variables or causation, implementation of new computer software is a recommendation, and the frequency of board meetings doesn’t provide a measurement that can improve performance.

65
Q

While conducting a control self-assessment (CSA) project in an IT division, an internal auditor asks managers to rate the severity of each identified risk and the strength of each related control. Which of the following represents the most significant disadvantage of this exercise?

  1. Management may omit important control weaknesses.
  2. Subsequent audits of the division may not be conducted in a timely fashion.
  3. Budget hours expended will likely exceed any tangible benefits.
  4. The internal audit activity will be viewed as responsible for controls.
A

1- Management may omit important control weaknesses.

Rationale
In CSAs or reviews of management performance, audit data and evidence will be qualitative and subjective to some degree. In these cases, some way should be found to corroborate the information. Because management may not be intimately involved in the processes and controls of the IT division, they may be unaware of certain important controls and their weaknesses. Alternatively, they may have their own biases in relation to this division and may omit weaknesses and instead identify only how a division is supposed to work as opposed to how it actually does function.

66
Q

Ongoing monitoring typically includes

  1. the results of periodic self-assessments of the internal audit activity’s conformance with the Core Principles.
  2. the audit activity’s conformance with the list provided in The IIA’s External Quality Assessment Manual.
  3. periodic reporting to senior management and the board on internal audit key performance indicators and recommendations for improvement.
  4. the performance metrics used by similarly sized internal audit activities in the same industry.
A

3- periodic reporting to senior management and the board on internal audit key performance indicators and recommendations for improvement.

Rationale
According to Implementation Guide 1320, ongoing monitoring typically includes reporting on internal audit key performance indicators, and the CAE may provide an annual report to senior management and the board regarding the results of ongoing monitoring and include any recommendations for improvement. Results of periodic self-assessments of the internal audit activity’s conformance with the Core Principles are not part of ongoing monitoring. Ongoing monitoring should be customized to the needs of the audit activity and the organization and should not follow a generic list, such as the one provided in The IIA’s guidance. Metrics used by other audit activities in the same industry may be irrelevant to the needs of the organization’s internal and external stakeholders.

67
Q

Which is a required communication for the chief audit executive (CAE) to have with senior management and the board?

  1. Impact of any resource limitations
  2. Minor interim changes to plans and resources
  3. Staffing needs analysis results
  4. Audit client plans and resource requirements
A

1- Impact of any resource limitations

Rationale
Standard 2020, “Communication and Approval,” states that the CAE “must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.”

68
Q

The form and content of internal audit policies and procedures are

  1. required by The IIA’s Standards to be updated on an annual basis.
  2. specifically prescribed in The IIA’s Standards.
  3. mandated by The IIA’s publication “Internal Audit Policies and Procedures.”
  4. dependent upon the size and structure of the internal audit activity and the complexity of its work.
A

4- dependent upon the size and structure of the internal audit activity and the complexity of its work.

Rationale
Interpretation of Performance Standard 2040 stipulates that “the form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.” Internal audit standards do not provide specific requirements regarding the form and content of internal audit policies and procedures. The IIA does not have a publication titled “Internal Audit Policies and Procedures.” The IIA’s Standards do not require that policies and procedures be updated annually.

69
Q

A communication of a chief audit executive’s (CAE’s) overall opinion on internal control

  1. must include reasons for an unfavorable overall opinion.
  2. must consider the context of the regulatory environment.
  3. must discuss the impact of resource constraints on the opinion.
  4. must include control weaknesses identified by external auditors.
A

1- must include reasons for an unfavorable overall opinion.

Rationale
According to the interpretation to Standard 2450, “Overall Opinions,” the communication must state the reasons for an unfavorable overall opinion. Neither mandatory nor non-mandatory guidance from The IIA requires consideration of the regulatory environment, the impact of resource constraints, or discussion of control weaknesses identified by external auditors in the communication of the CAE’s overall opinion on internal control.

70
Q

A primary purpose of establishing key performance indicators (KPIs) for the internal audit activity is

  1. to demonstrate the chief audit executive’s capability in controlling the internal audit activity.
  2. to establish a basis for quality improvement.
  3. to set expectations for internal audit staff performance in conjunction with annual performance appraisals.
  4. to demonstrate understanding of reporting, compliance, and operations objectives.
A

2- to establish a basis for quality improvement.

Rationale
According to The IIA’s Practice Guide Measuring Internal Audit Effectiveness and Efficiency, when establishing KPIs to monitor, measure, and report, the chief audit executive may consider those areas that need improvement as identified by the quality assurance and improvement program. KPIs for audit activity performance are not generally the same as those associated with internal audit staff performance related to annual performance appraisals. Demonstrating the chief audit executive’s capability in controlling the internal audit activity is not a primary purpose of establishing KPIs. Understanding the three categories of objectives of the COSO internal control framework is unrelated to internal audit activity KPIs.

71
Q

Which would be the most effective tool for gathering reliable information about an organization’s “tone at the top”?

  1. Analysis of articles on the subject in professional journals
  2. Focus groups with senior management
  3. Employee questionnaires asking for a ranking of specific characteristics as they apply to senior management
  4. Control self-assessment workshops with participants from many parts of the organization and various levels, including a range of stakeholders
A

4- Control self-assessment workshops with participants from many parts of the organization and various levels, including a range of stakeholders

Rationale
Gathering information about soft controls such as “tone at the top” is best done through face-to-face discussions that give informants a chance to hear explanations of complex or subtle matters and to express themselves freely in response. (Confidentiality may be crucial in getting honest answers.) Senior management’s views on the subject are likely to be biased but would be worth considering, among other sources.

72
Q

A chief audit executive (CAE) of a large school district contracts with an external service provider to perform audits of internal controls over financial reporting (ICFR) of the district’s charter schools. Where reliance is placed on the external service provider’s work, the CAE

  1. should be certain that the service provider does not perform any other professional services for the school district.
  2. must evaluate the service provider’s quality assurance and improvement program (QAIP), in accordance with The IIA’s standards.
  3. must provide appropriate supervision, including thorough reviews of service provider workpapers and auditor conclusions.
  4. is still responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.
A

4- is still responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.

Rationale
The interpretation of Standard 2050, “Coordination and Reliance,” states, “Where reliance is placed on the work of others, the CAE is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.” The CAE is responsible for establishing a consistent process for the basis of reliance on the work of others, considering the competency, objectivity, and due professional care of the providers, which may or may not require supervision of provider staff, including workpaper reviews and auditor conclusions. The standards do not require the audit activity’s evaluation of the service provider’s QAIP. The CAE should consider the service provider’s objectivity and independence in conducting internal audit services, which would include consideration of other professional services provided to the organization by the service provider.

73
Q

A chief audit executive (CAE) has determined the need to transition from manual to electronic workpapers and has prepared a software purchase, training budget, and detailed proposal to present to senior management. Which of the following is the CAE’s best course of action?

  1. Explain the impact of not transitioning to electronic workpapers to senior management.
  2. Explain the professional development opportunities for improved understanding of IT risk and control through the audit software.
  3. Explain the details of the request for proposal to senior management as well as the pros and cons of each respondent.
  4. Explain that similarly sized audit activities in the same industry have greatly enhanced audit efficiency through audit software.
A

1- Explain the impact of not transitioning to electronic workpapers to senior management.

Rationale
According to the interpretation for Standard 2060, “Reporting to Senior Management and the Board,” the chief audit executive’s reporting and communication to senior management and the board must include information about resource requirements. The cost/benefit of transitioning to electronic workpapers must be evaluated and explained to senior management. All the other answer choices may support the CAE’s request for investment in software but are unrelated to the Standards and, therefore, are not the best course of action.

74
Q

Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities?

  1. Chief audit executive (CAE)
  2. External auditor
  3. Chief executive officer (CEO)
  4. Each assurance and consulting function
A

1- Chief audit executive (CAE)

Rationale
According to Performance Standard 2050, the CAE should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. Implementation Guide 2050 indicates that oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the CAE. The CAE obtains the support of the board in coordinating audit work effectively.

75
Q

Before formally presenting a proposed risk-based audit plan to senior management and the board for review and approval, the chief audit executive must

  1. refrain from consultation with operating management, in the interest of independence and objectivity.
  2. consult with regulators to understand significant compliance risks and opportunities for coordination of work.
  3. consult with senior management and the board to understand organizational strategies, business objectives, and risks.
  4. provide senior management and the board with assurance regarding the adequacy and effectiveness of management’s risk assessment.
A

3- consult with senior management and the board to understand organizational strategies, business objectives, and risks.

Rationale
The interpretation to Standard 2010, “Planning,” states, “To develop the risk-based plan, the chief audit executive (CAE) consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks and risk management processes.” Consultation with regulators is not required for the CAE to understand compliance risks; coordination of work is not a consideration of risk-based annual audit planning. Providing assurance regarding management’s risk assessment may be part of the proposed plan but is not required prior to presentation of the plan. Consultation with operating management is not prohibited by The IIA’s guidance.

76
Q

Management at a university hospital has been releasing data on voluntary test subjects to university researchers after getting consent and stripping out volunteers’ names and replacing them with numeric codes. What is the most important question an internal auditor can ask of an expert familiar with what is being released?

  1. Are the numeric codes truly random and unable to be associated with the individual?
  2. Could this information be combined with publicly available data to potentially identify the volunteers’ identities?
  3. Do the university researchers have requirements not to disseminate the data to other parties?
  4. Is senior management exercising proper oversight over the name replacement process to ensure that it is occurring?
A

2- Could this information be combined with publicly available data to potentially identify the volunteers’ identities?

Rationale
Personal information generally refers to information that is associated with a specific individual or that has identifying characteristics that, when combined with other information, can be associated with a specific individual. For this reason, it is important to determine whether the data needs to be further aggregated or have other processes applied to it to ensure that it cannot be traced to specific individuals prior to release.

77
Q

A chief audit executive (CAE) of a small community bank refreshes his risk assessment four months into the current audit plan year. From the refresh, he decides it is necessary to adjust the audit plan by adding an assessment of a newly launched, high-risk loan product that was urgently initiated by the vice president of lending due to competition from a local credit union. The CAE should

  1. request a meeting with the vice president of lending for her approval of the new engagement objectives and scope.
  2. notify regulatory authorities to understand their scheduled lending activity examinations for proper coordination of work.
  3. substitute the high-risk loan product audit for other routine loan compliance work in the approved plan to stay on budget.
  4. communicate the significant audit plan change to the board and senior management for review and approval.
A

4- communicate the significant audit plan change to the board and senior management for review and approval.

Rationale
Performance Standard 2020, “Communication and Approval,” states: “The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval.” Eliminating previously approved engagements from the audit plan in favor of other work would be considered a significant interim change. It is not appropriate for management of the audited area to approve engagement objectives and scope; this is the CAE’s role. Notification to regulatory examiners regarding a new high-risk lending activity would not be appropriate.

78
Q

A recent penetration test of information technology security vulnerabilities disclosed a significant control weakness related to physical access to the organization’s data center. Management has explained that due to budget and staffing constraints, it is unable to resolve the control weakness for an indefinite period of time and will accept the risks associated with the vulnerability. The chief audit executive’s best course of action is to

  1. accept the reality of resource constraints and include data center security in ongoing internal audit risk assessments.
  2. communicate the control weakness and IT management’s response to senior management and the board.
  3. ensure that the enterprise risk management team is aware of the vulnerability for inclusion in its risk assessment.
  4. seek guidance from The IIA’s Global Technology Audit Guide (GTAG) “Information Technology Risks and Controls.”
A

2- communicate the control weakness and IT management’s response to senior management and the board.

Rationale
The interpretation for Standard 2060, “Reporting to Senior Management and the Board,” states, “The chief audit executive’s reporting and communication to senior management and the board must include information about management’s response to risk that, in the chief audit executive’s judgment, may be unacceptable to the organization.” While the chief audit executive may seek guidance from GTAGs and other sources in planning and performing the audit engagement, doing so after a significant control weakness has been identified and management has responded is too late in the audit process. Lack of effective internal controls over data center security brings significant risk to an organization; accepting the reality of resource constraints and deferring the issue to future risk assessments would not be an appropriate course of action. While ensuring that the enterprise risk management team is aware of the vulnerability is effective sharing of risk/control information, this is not the best course of action.

79
Q

A performance audit engagement typically involves

  1. a review of financial statement information, including the appropriateness of various accounting treatments.
  2. an evaluation of organizational and departmental structures, including assessments of process flows.
  3. an appraisal of the environment and comparison against established criteria.
  4. tests of compliance with policies, procedures, laws, and regulations.
A

3- an appraisal of the environment and comparison against established criteria.

Rationale
Performance audit engagements involve the review of performance against set criteria. The other answer choices are part of financial, operational, or compliance audits.

80
Q

Which of the following would be an internal audit responsibility during an information technology audit?

  1. Evaluating metrics related to operating system capacity, resilience, and monitoring
  2. Providing oversight of corrective measures to resolve an information security breach
  3. Implementing preventive, detective, and mitigating measures to ensure data privacy
  4. Promoting an appropriate organizational mindset to reengineer traditional business processes
A

1- Evaluating metrics related to operating system capacity, resilience, and monitoring

Rationale
It would be a logical responsibility for an internal auditor to evaluate metrics related to operating system capacity, resilience, and monitoring, as an operating system crash can have a severe impact on many employees. Management owns the other responsibilities.

81
Q

A chief audit executive (CAE) has established a rotation program whereby interested, qualified business unit personnel work in internal audit for two years and then rotate back out into a business unit, taking an enhanced understanding of governance, risk, and control with them. Some business unit managers have criticized the CAE, saying that rotational auditors are not objective in performing their work, since they “know where the skeletons are” and have relationships with former coworkers in the areas they are auditing, in spite of the rotational auditors not working in the business units for at least one year. The CAE’s best course of action is to

  1. communicate to the business about internal audit’s independence and functional and administrative reporting lines.
  2. communicate to senior management and the board regarding action plans to address any issues of conformance to the Code of Ethics.
  3. refer business unit management to the internal audit activity’s purpose, authority, and responsibility as defined in its charter.
  4. consider stopping the rotation program in favor of other, more appropriate internal audit staffing options.
A

2- communicate to senior management and the board regarding action plans to address any issues of conformance to the Code of Ethics.

Rationale
The interpretation for Standard 2060, “Reporting to Senior Management and the Board,” states that the CAE’s reporting and communication to senior management and the board must include information about conformance with the Code of Ethics and action plans to address any significant conformance issues. Since objectivity is one of the principles of the Code of Ethics, the CAE should have appropriate policies and procedures in place to ensure internal auditor objectivity in performing the work and, as such, could communicate this to concerned business unit management. Communicating internal audit’s independence and reporting lines or referring business unit management to the internal audit charter will not address the assertion of lack of auditor objectivity. Rotation is a best practice, and stopping this program would not be the best course of action.

82
Q

A service company is currently experiencing significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using internally developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the chief audit executive, two audit managers, and five staff auditors. Every staff auditor has a financial background. In the past, the primary focus of successful audit activities has been the service branches and the six regional division headquarters that support the branches. The division headquarters are the primary targets for possible elimination. The support functions—such as human resources, accounting, and purchasing—will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Based on these changes and assuming that total audit resources remain the same, what activities should the internal auditing department perform to best serve the organization?

  1. Increase audit time in systems development.
  2. Increase audit time in service branches.
  3. Increase audit time in functions being centralized.
  4. Continue the allocation of audit time as before.
A

1- Increase audit time in systems development.

Rationale
Due to the focus on technology, audit time spent reviewing systems development should be increased. More testing of the same controls just because volume has increased is not a productive use of time. While a small incremental increase in audit time may be feasible, the benefit derived would be minimal. Changes to business goals, processes, and focus will also require proactive changes by the internal auditing department.

83
Q

A Certified Internal Auditor directs the audit function for a large city and is planning the audit schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet in order to be eligible for the funding. The auditor plans an audit of the job retraining program to verify that the program complies with applicable grant provisions. One of the provisions is that the city adopt a budget for the program and subsequently follow procedures to ensure that the budget is adhered to and that only allowable costs are charged to the program. In performing an audit of compliance with this provision, which is a valid procedure the auditor can perform?

  1. Verify that all funds used include reports to the government.
  2. Determine whether the budget was reviewed and approved by supervisory personnel within the granting agency.
  3. Select a sample of graduates from the training and placement program and survey them to determine if they have been successful after their training.
  4. Compare actual results with budgeted results and determine the reason for deviations; then determine if such deviations have been approved by appropriate officials.
A

4- Compare actual results with budgeted results and determine the reason for deviations; then determine if such deviations have been approved by appropriate officials.

Rationale
The overall regulation provides that the city establish a budget in a manner consistent with the objectives of the program. The requirements do not state that the agency must approve the budget, only that the entity develop a reporting mechanism to provide assurance of compliance with the objectives of the grant and the applicable laws and regulations. Not all funds necessarily require reports to the government, so only the relevant funds sources would carry this requirement. While information on job retraining and placement success rates is important, it is not necessarily required for compliance. This may be part of a performance audit.

84
Q

An auditor reviews an organization’s plan for developing a performance scorecard. Which of the following potential performance measures should the auditor recommend including in the scorecard if not already present?

  1. Product life cycle
  2. Customer satisfaction
  3. Share price
  4. Employee participation
A

2- Customer satisfaction

Rationale
Customer satisfaction is integral to performance and could be overlooked in favor of more traditional financial measures. Share price is affected by multiple factors and can be problematic to include, as managers have little control over it. A product life cycle and employee participation are general concepts; something that is more specific to performance and is measurable would be better.

85
Q

What is the first thing an internal auditor should do regarding errors uncovered during a financial statement audit?

  1. Report the material errors.
  2. Discuss the situation with the engagement client.
  3. Assess the risk of misrepresentation.
  4. Inform the audit committee.
A

3- Assess the risk of misrepresentation.

Rationale
The objective of external financial reporting is to prepare relevant and reliable financial statements that fairly and accurately represent the recent historical activities of the organization. The objective of a financial audit is to provide assurance regarding the effectiveness of the processes and procedures (controls) supporting the reliability, timeliness, transparency, and completeness of the organization’s financial reporting. After discovering errors during a financial statement audit, the auditor must first assess the risk of misrepresentation of the data. Only then should he or she discuss the issue with relevant stakeholders, as they will be able to provide appropriate recommendations for a course of action.

86
Q

In assessing organizational risk in a manufacturing environment, which of the following would have the most long-range impact on the organization?

  1. Product quality
  2. Production scheduling
  3. Inventory policy
  4. Advertising budget
A

1- Product quality

Rationale
Product quality is a long-range planning topic because it affects market positioning. The other answer choices are concerns, but they have less long-range impact than product quality.

87
Q

What is a valid reason to omit some evidence from official audit communications related to an assurance engagement?

  1. The information is irrelevant to the objectives.
  2. The evidence, while objective, required subjective analysis.
  3. Legal counsel advises against disclosure due to privacy implications.
  4. The evidence simply confirms that a control is operating correctly.
A

3- Legal counsel advises against disclosure due to privacy implications.

Rationale
In cases where an organization’s internal records include private or sensitive information on individuals or other entities, the information is usually protected by confidentiality agreements and/or government regulations. When in doubt about privacy implications, the auditor should have legal counsel review the information before disclosing it as evidence in official audit communications, especially if there may have been potential privacy violations. This will balance the auditor’s need to disclose findings against the counsel’s legal requirement to defend the organization. The Standards also allow irrelevant evidence to be omitted, but they prohibit omission of any other types of evidence.

88
Q

An effective internal audit performance measurement process includes

  1. regularly scheduled updates to the internal audit activity’s policies and procedures.
  2. monitoring all key performance indicators identified in The IIA’s guidance titled “Measuring Internal Audit Effectiveness and Efficiency.”
  3. an independent external quality assessment at least once every five years.
  4. identification of internal and external stakeholders and their needs and expectations.
A

4- identification of internal and external stakeholders and their needs and expectations.

Rationale
According to The IIA’s Practice Guide “Measuring Internal Audit Effectiveness and Efficiency,” the second step in establishing an effective performance measurement process is to identify internal and external stakeholders and their needs and expectations. The internal audit activity may not need improvement in all areas identified in The IIA’s guidance; monitoring all key performance indicators identified may not be necessary. Regularly scheduled updates to internal audit policies and procedures may not be necessary; audit activities generally update policies and procedures as needed. While the external quality assessment may include a review of internal audit’s performance measurement process, the process itself does not include the external quality assessment.

89
Q

Which of the following statements is true of the role of internal audit in reporting on the effectiveness of the internal control and risk management framework?

  1. Internal audit should incorporate general observations based on experiences in consulting engagements.
  2. Internal audit should assess the adequacy of controls implemented based on findings from a consulting engagement conducted by the activity.
  3. Internal audit should restrict findings in consulting engagements to the engagement objectives.
  4. Internal audit should assume responsibility for implementing controls if management fails to act.
A

1- Internal audit should incorporate general observations based on experiences in consulting engagements.

Rationale
Internal audit is responsible for evaluating and reporting on all risk exposures relating to governance, operations, and information systems.

90
Q

According to the Standards, internal audit reporting to senior management and the board must cover significant risk and control issues, including

  1. fraud risks.
  2. compliance risks.
  3. operational risks.
  4. strategic risks.
A

1- fraud risks.

Rationale
Standard 2060, “Reporting to Senior Management and the Board,” states the following: “Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.” While compliance, operational, and strategic risks may be reported to senior management and the board, Standard 2060 specifically requires reporting significant fraud risks.