Practice of IA: Planning

Question 1

Which of the following criteria for measuring the quality of employee performance would be appropriate for use with a group of non-sales professionals, such as a college faculty?

1. Cost, capital requirements, and revenue produced
2. Quantity, quality, and timeliness of output
3. Quantity, quality, and timeliness of output; cost; capital requirements; revenue produced
4. Quantity and quality of output, cost

Answer 1

2- Quantity, quality, and timeliness of output

Rationale
Cost, capital, and revenue are uncontrollable by the faculty members and are therefore excluded.

Question 2

The internal auditors are planning an engagement focusing on the organization’s hiring process. Which of the following must be considered when planning the engagement?

1. Significant risks to the hiring process objectives, resources, and operations. The internal auditors should also consider the means by which the potential impact of these risks is kept to an acceptable level.
2. Significant risks to the hiring process objectives, but not the resources and operations. These are management decisions and thus outside the scope of an audit engagement.
3. Significant risks to the hiring process objectives, resources, and operations. However, the internal auditors have no responsibility to consider the means by which the potential impact of these risks is kept to an acceptable level.
4. Significant risks to the hiring process objectives and operations but not the resources. Resources are a management decision and thus outside the scope of an audit engagement.

Answer 2

1- Significant risks to the hiring process objectives, resources, and operations. The internal auditors should also consider the means by which the potential impact of these risks is kept to an acceptable level.

Rationale
Per Standard 2201, “Planning Considerations,” internal auditors must consider these factors in planning an engagement:
* The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance
* The significant risk to the activity’s objectives, resources, and operations and the means by which the potential impact of the risk is kept to an acceptable level
* The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model
* The opportunities for making significant improvements to the activity’s governance, risk management, and control processes

Question 3

Which of the following is an example of an adequate criterion for an internal audit?

1. Level of employee job satisfaction
2. Management cooperation with audit procedures
3. Individually determined time ranges for department tasks
4. Living up to the spirit of travel booking principles

Answer 3

1- Level of employee job satisfaction

Rationale
Audit criteria should provide benchmarks against which audit objectives can be measured; therefore, items like compliance rates and measures of performance or attitude would be reasonable criteria. Criteria may be generated internally if no meaningful external criteria exist to evaluate the objective, but each individual should not determine his or her own acceptable time ranges. While management cooperation may be measured, it is probably not aligned with an audit objective. Travel booking should have specific procedures that could be the subject of a criterion.

Question 4

The transportation department for a large manufacturing company maintains its vehicle inventory and maintenance records in a database on a stand-alone computer in the fleet supervisor’s office. Which audit approach is most appropriate for evaluating the accuracy of the database information?

1. Using program tracing to show how and in what sequence program instructions are processed in the system
2. Verifying a sample of records extracted from the database with supporting documentation
3. Simulating normal processing by using test programs
4. Submitting batches of test transactions through the current system and verifying with expected results

Answer 4

2- Verifying a sample of records extracted from the database with supporting documentation

Rationale
Verifying is the most common technique in testing the accuracy of information maintained by a system, whether manual or automated. Test decking of a database and simulating normal processing will test the program but not the accuracy of data in the database. Tracing would require that additional coding be inserted into the database system programs.

Question 5

Internal auditing is conducting an assurance audit of the implementation of a quality assurance program in a manufacturing facility. Which of the following sources might be used to generate effective criteria to evaluate program implementation?

1. Industry journal articles on comparable quality initiatives
2. Historical data on administrative waste and rejected applicants
3. Quality benchmarks for a retail sales business
4. Texts written by experts in the field of quality purchasing criteria

Answer 5

1- Industry journal articles on comparable quality initiatives

Rationale
Criteria should yield specific information about performance useful to the client. Industry journals might provide examples of criteria used in other organizations. Historical data could be used to measure improvement, but the historical data described here is off subject. Quality texts might suggest areas for evaluation and ways to measure the implementation of processes, but these are about purchasing quality rather than manufacturing quality. Criteria from an unrelated industry or business area will not yield useful information.

Question 6

Engagement objectives should reflect which of the following?

1. Results of the assessment of the organization’s governance, risk management, and control processes
2. Results of management’s determination of the potential impact of the risk
3. Results of laws and regulations imposed by statutory bodies
4. Results of the preliminary assessment of risks relevant to the activity under review

Answer 6

4- Results of the preliminary assessment of risks relevant to the activity under review

Rationale
Per Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Question 7

What are the internal auditors’ responsibilities with regard to planning a consulting engagement?

1. The internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For consulting engagements of any size, this understanding must be documented.
2. The internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.
3. The internal auditors are not required to establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, or other client expectations. These are necessary only for assurance engagements.
4. The internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For consulting engagements of any size, documentation of this understanding is not required.

Answer 7

2- The internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

Rationale
Per Standard 2201.C1, internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

Question 8

The internal audit function is performing a consulting engagement with the order fulfillment area of an online retailer to define weaknesses in the workflow that might increase the amount of time between order receipt and customer delivery. During a preliminary survey of the area conducted to create a workflow diagram, the internal auditor notes that company recommendations designed to reduce injuries from repetitive stress have not been implemented. What is the best course of action for the internal auditor?

1. Add the probable risk to the engagement objectives since it represents considerable economic risk to the organization.
2. Document the condition in audit working papers, but do not report it to the client.
3. Discuss the matter with area management, but do not add it to the engagement objectives unless the client agrees to revise the project objective.
4. Alert the human resources department.

Answer 8

3- Discuss the matter with area management, but do not add it to the engagement objectives unless the client agrees to revise the project objective.

Rationale
Implementation Standard 2210.C1 states that the consulting audit engagement should address risks to the extent agreed upon by the client. If the client is willing to revise the agreement with internal auditing, assessing this new risk might be added as an objective. Since this is not an assurance engagement, the internal auditor should not include this risk without the client’s agreement. However, the risk would be communicated informally to management as an area needing attention, and the observation would be documented in the audit working papers.

Question 9

Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function?

1. Reviewing the trend in receivables write-offs
2. Observing the process
3. Asking the credit manager about the effectiveness of the function
4. Checking for evidence of credit approval on a sample of customer orders

Answer 9

1- Reviewing the trend in receivables write-offs

Rationale
The purpose of the credit-granting function is to minimize write-offs while at the same time accepting sales likely to result in collection. Reviewing the trend in write-offs will provide some insight concerning the minimization of write-offs.

Question 10

If a department’s operating standards are vague and thus subject to interpretation, an auditor should

1. seek agreement with the departmental manager as to the criteria needed to measure operating performance.
2. determine best practices in the area and use them as the standard.
3. omit any comments on standards and the department’s performance in relationship to those standards, because such an analysis would be inappropriate.
4. interpret the standards in their strictest sense, because standards are otherwise only minimum measures of acceptance.

Answer 10

1- seek agreement with the departmental manager as to the criteria needed to measure operating performance.

Rationale
If the internal auditor finds that the area’s standards are vague or the engagement objectives are unclear, time is usually spent working with operational management to develop appropriate ones. The auditor should first seek to gain an understanding with the departmental manager on the appropriate standards and how they are applied to the organization. If internal auditors must interpret standards, they should seek agreement with the engagement client. Best practices may produce overly high standards.

Question 11

The internal auditors are performing an assurance engagement focusing on the inventory for a dealership location. During a review of the engagement scope, management informs the auditors that a significant amount of the dealership inventory is housed on consignment at several customer locations. What should the internal auditors do with regard to inventory maintained at customer locations?

1. The engagement scope should not include a review of inventory on consignment at customer locations. Management does not have control of this inventory and thus is not accountable for it. Additionally, customers are third parties and thus outside the scope of an audit engagement.
2. The engagement scope should not include a review of inventory on consignment at customer locations. This inventory is no longer the property of the dealership and should be excluded from the inventory population.
3. The engagement scope should include a review of inventory on consignment at customer locations. These inventory amounts are significant and thus relevant to the audit of dealership inventory, regardless of location.
4. The engagement should focus solely on this portion of the inventory, as it is at the highest risk for theft and fraud.

Answer 11

3- The engagement scope should include a review of inventory on consignment at customer locations. These inventory amounts are significant and thus relevant to the audit of dealership inventory, regardless of location.

Rationale
Per Standard 2220.A1, the scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

Question 12

The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. What is the primary goal of this determination?

1. To determine the appropriate and sufficient resources needed to complete the engagement in order to evaluate the need for assistance from the audit client personnel as guest auditors
2. To determine the appropriate and sufficient resources to develop and cross-train the various auditors working in the department
3. To determine the appropriate and sufficient resources to complete the engagement within the time allotted as documented in the annual audit plan
4. To determine the appropriate and sufficient resources to achieve the engagement objectives

Answer 12

4- To determine the appropriate and sufficient resources to achieve the engagement objectives

Rationale
Standard 2230, “Engagement Resource Allocation,” states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

Question 13

An internal auditor is performing a due diligence engagement in connection with the possible acquisition of a small business. An audit objective is to validate large customer accounts receivable balances. Which of the following is the most relevant and reliable audit evidence of the small business’s largest customers’ accounts receivable balance?

1. Positive confirmation of the customer’s balance that matches the subsidiary ledger exactly, received directly by the internal auditor from the customer
2. Original reconciliation of the accounts receivable subsidiary ledger to the general ledger, certified by the controller and reviewed by the internal auditor
3. Detailed cash receipt listing, accompanied by check copies, showing a payment on the account receivable made by the large customer
4. Detailed sales invoices that total to the accounts receivable balance, sent via an email attachment from the accounting manager directly to the internal auditor

Answer 13

1- Positive confirmation of the customer’s balance that matches the subsidiary ledger exactly, received directly by the internal auditor from the customer

Rationale
The direct customer confirmation of the balance is reliable, as it comes from a credible source and the auditor obtained the evidence directly. This is also relevant to the audit objective to validate the accounts receivable balance. The detailed sales invoices totaling to the accounts receivable balance may be relevant, but they are not reliable as they were sent via an email attachment and electronic documents may be falsified, forged, or altered. A certified reconciliation is not relevant to the audit objective, nor is it reliable audit evidence to validate the accounts receivable balance. A subsequent payment from the customer is not relevant audit evidence for the audit objective, but it may be reliable in regard to evidence that the customer owes an account receivable of some amount.

Question 14

Writing an audit program occurs at which stage of the audit process?

1. As the audit is performed
2. At the end of each audit (The standard audit program is revised for the next audit to ensure coverage of noted problem areas.)
3. Subsequent to testing internal controls, to determine whether to rely on the controls or audit around them
4. During the planning stage

Answer 14

4- During the planning stage

Rationale
Planning must include writing the audit program (Implementation Standard 2201.A1).

Question 15

The auditor-in-charge for a financial audit of a global organization has assigned specific tasks to team members and reserved for himself the responsibility of maintaining contact with the managers of financial departments in eight countries. In reviewing the workpapers of one auditor, the auditor-in-charge notes that some of the work is incomplete. The auditor explains that she is unfamiliar with the accounting practices and software systems used in this country and that this has slowed her work considerably. How could the auditor-in-charge have managed this situation in a more efficient, effective manner?

1. By allowing more time in the schedule for the auditor to become familiar with local practice and technology
2. By working more closely with the audit client to secure support for the assigned auditor
3. By building enough slack into the schedule to deal with the types of problems that are likely to occur in a global project
4. By aligning auditor skills and knowledge with area needs before making assignments

Answer 15

4- By aligning auditor skills and knowledge with area needs before making assignments

Rationale
The most efficient way to manage this situation is to avoid it through better planning. In this case, the knowledge and skills of audit team members should have been considered before making assignments. The auditor in question might have been assigned to a different country or might have been teamed with an auditor more familiar with the country’s practices and technology. The other answer choices are not efficient solutions.

Question 16

Management and the board have established governance, risk management, and controls criteria to determine whether objectives and goals have been accomplished. However, the internal auditors have ascertained that these criteria are inadequate. Who is responsible for identifying adequate criteria?

1. The external auditors. If management’s criteria are determined to be inadequate, the external auditors must determine the appropriate evaluation criteria, as this would impact the opinion that can be rendered on the audited financial statements.
2. The internal auditors. The internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
3. Management and/or the board. The internal auditors cannot identify the appropriate evaluation criteria, as this would leave them in the position of auditing their own work.
4. The Institute of Internal Auditors. If management’s criteria are determined to be inadequate, The Institute of Internal Auditors will provide appropriate evaluation criteria to preserve the working relationship between the internal auditors and management.

Answer 16

2- The internal auditors. The internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

Rationale
Standard 2210.A3 states that adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

Question 17

Management has requested an audit of promotional expenses. The sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes that the cost may be too high. Which of the following engagement procedures would be the most useful to determine the effectiveness of the promotion?

1. Performing a review of the sales department’s incentives and bonuses for making sales
2. Comparing product sales during the promotion period with sales during a prior promotion period that offered a substantial discount
3. Comparing the unit cost of the products sold before and during the promotion period
4. Performing an analysis of marginal revenue and marginal cost for the promotion period compared to the period before the promotion

Answer 17

4- Performing an analysis of marginal revenue and marginal cost for the promotion period compared to the period before the promotion

Rationale
Engagement procedures are the means to attain engagement objectives, so it is important to determine which procedures apply to which engagement objectives. The challenge is to address the effectiveness of the promotion. An analysis of marginal revenue and marginal cost tests whether the benefits of the promotion outweigh the costs. Reviewing sales incentives and bonuses could be a good engagement procedure for a different audit objective. Comparing one sale to a different sale would not provide a good baseline for analysis. Instead, the promotion period should be compared to a non-promotional period (perhaps in the same season if there is seasonality). There is no indication that the cost of the products sold has changed.

Question 18

The internal auditors are performing an assurance engagement of the backup data storage facility. The backup data storage is maintained by an outside company. What must the internal auditors do when planning this assurance engagement?

1. The internal auditors cannot perform an assurance engagement of parties outside the organization. Engagements with outside parties must be consulting engagements that are performed under the direction of applicable organization management.
2. The internal auditors must submit a written request for the outside company’s most recent SSAE SOC 1 report, which will detail all the relevant controls applicable to this engagement. The internal auditors are not permitted to perform an assurance engagement of parties outside the organization.
3. The internal auditors must establish a written understanding with the outside company about objectives, scope, respective responsibilities, and other expectations. This written understanding must also include restrictions on distribution of the results of the engagement and access to engagement records.
4. The internal auditors must not provide a written understanding or notify the outside company in advance of the audit, as this will allow the company the opportunity to hide control deficiencies and skew the results of the assurance engagement.

Answer 18

3- The internal auditors must establish a written understanding with the outside company about objectives, scope, respective responsibilities, and other expectations. This written understanding must also include restrictions on distribution of the results of the engagement and access to engagement records.

Rationale
Per Standard 2201.A1, when planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

Question 19

What should be included in the internal audit scope for an assurance engagement with purchasing?

1. Duties performed by purchasing
2. Purchasing management input
3. Interface with other functions such as shipping or accounts receivable as deemed appropriate to verify the quality of controls
4. Manual but not automated procedures

Answer 19

1- Duties performed by purchasing

Rationale
Standard 1110.A1 states: “The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.” Management input could potentially thwart internal audit from fulfilling the intended scope. Internal audit might interface with receiving or accounts payable, not shipping or accounts receivable, to verify the existence of controls. Automated procedures should not be omitted from scope.

Question 20

It would be most appropriate for internal auditing departments to use consultants with expertise in health-care benefits when the department is

1. comparing the cost of the organization’s health-care program with that of other programs offered in the industry.
2. training its staff to conduct an audit of absenteeism in a major division of the organization.
3. conducting an audit of the organization’s estimate of its liability for post-retirement pension plans.
4. auditing the organization’s health and wellness programs for their effectiveness.

Answer 20

1- comparing the cost of the organization’s health-care program with that of other programs offered in the industry.

Rationale
A consultant with expertise in health-care benefits would be most useful in a situation where benefit plans are being assessed and/or compared against benchmarks. The other answer choices are less applicable or health-care benefits would play only a minor role.

Question 21

According to the Standards, which of the following would be considered a scope limitation?

1. An audit committee reviews the audit plan for the year and deletes an audit that the chief audit executive thinks is important.
2. A sales manager indicates that certain customers should be contacted with a certain sensitivity because the organization is in the process of negotiating long-term contracts with them.
3. Divisional management indicates that since the division is in the process of converting a major computer system, the information systems portion of a planned audit will have to be postponed until next year.
4. Senior management requests a performance audit of a cellular manufacturing area; the chief audit executive agrees but also decides to omit performance audits from the planned assurance engagement in that area.

Answer 21

3- Divisional management indicates that since the division is in the process of converting a major computer system, the information systems portion of a planned audit will have to be postponed until next year.

Rationale
Standard 1110.A1 states: “The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive [CAE] must disclose such interference to the board and discuss the implications.” Being told not to audit an information system that would otherwise be part of a planned audit is therefore a scope limitation. The case of the CAE determining the scope of the cellular manufacturing division audit is the CAE’s own decision and is related to avoiding duplication of efforts. Project review and approval by the audit committee is not a scope limitation; rather, it is the audit committee’s responsibility to review and approve the planned scope of activities for the year. While being asked not to contact certain customers would be a scope limitation, the sales manager’s request to not damage pending business relationships is reasonable.

Question 22

The internal auditors are performing an assurance engagement focusing on the treasury process. The audit team prepares an engagement work program during the planning stage of the audit, and this program is reviewed and approved by the audit manager in accordance with the audit operations manual prior to the commencement of fieldwork. During the first few days of fieldwork, the audit team discovers information that relates to concerns not currently addressed by the engagement work program. The lead auditor assigned to the engagement is aware of the standard requiring work programs to be approved prior to their implementation. How should this issue be addressed by the lead auditor?

1. The lead auditor should develop adjustments to the engagement work program to address the new concerns identified. These adjustments can be reviewed and approved by the audit manager at the completion of the audit fieldwork. Work programs for assurance engagements can be adjusted after implementation if the adjustments are approved prior to completion of the audit engagement.
2. The lead auditor should make note of the concerns identified but continue with the engagement as planned using the approved work program. Work programs for assurance engagements must be approved prior to implementation and cannot be adjusted once approved.
3. The lead auditor should discuss the concerns identified with the audit client. If the client wishes, a consulting engagement work program can be developed and the issues can be examined as a separate consulting engagement. Work programs for assurance engagements must be approved prior to implementation and cannot be adjusted once approved.
4. The lead auditor should develop adjustments to the engagement work program to address the new concerns identified and should contact the audit manager immediately to review and approve these adjustments. Work programs for assurance engagements can be adjusted after implementation if the adjustments are approved promptly.

Answer 22

4- The lead auditor should develop adjustments to the engagement work program to address the new concerns identified and should contact the audit manager immediately to review and approve these adjustments. Work programs for assurance engagements can be adjusted after implementation if the adjustments are approved promptly.

Rationale
Per Standard 2240.A1, work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation and any adjustments approved promptly.

Question 23

The chief financial officer (CFO) has requested the internal auditors to perform a consulting engagement of accounting practices related to the efficiency and effectiveness of the month-end close process. What responsibilities (if any) do the internal auditors have in addressing the governance, risk management, and control processes for this engagement?

1. The internal auditors must not address the governance, risk management, and controls of the month-end close process, as this would change the nature of the engagement from a consulting engagement to an assurance engagement.
2. The internal auditors must not address the governance, risk management, and controls of the month-end close process, as they are prohibited to do this by the Standards.
3. The internal auditors must address the governance, risk management, and controls of the month-end close process, since ignoring these would lead to an ineffective consulting engagement.
4. The internal auditors must address governance, risk management, and controls for the month-end close process to the extent agreed upon with the CFO.

Answer 23

4- The internal auditors must address governance, risk management, and controls for the month-end close process to the extent agreed upon with the CFO.

Rationale
Standard 2210.C1 states that consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.

Question 24

Corporate management has just implemented a policy that every department must downsize by immediately cutting 10% of its staff and budget. The chief audit executive (CAE) has reacted to these plans by notifying the audit managers that the time allocated for all jobs must be cut by 10%. Which of the following statements is true of the CAE’s and the potential managers’ actions?

1. The CAE’s action should result in approximately the same amount of risk coverage as the previous audit plan but reduced by 10%.
2. Individual audit managers can attain 90% of the previously defined audit coverage by uniformly cutting audit procedures by 10%.
3. The CAE should have reprioritized risks and cut out specific audit engagements rather than cutting 10% across the board.
4. The CAE should have informed corporate management that the audit department is not subject to this 10% cut in staff and budget.

Answer 24

3-The CAE should have reprioritized risks and cut out specific audit engagements rather than cutting 10% across the board.

Rationale
Reprioritizing risks and reducing audit engagements is the preferred response. This should enable the auditor to develop an optimum plan to cover the maximum amount of risk with the more limited resources. Cutting all jobs by 10% does not necessarily mean that the risks addressed will drop by 10%. A uniform 10% reduction in audit procedures or audit scope may result in gathering insufficient evidence across a number of audit areas.

Question 25

While conducting a risk assessment, internal auditors may use a number of criteria. Which would be considered subjective rather than objective?

1. Productivity ranked against industry benchmarks
2. Priority ranking of organizational objectives
3. Market value of oil futures the organization owns
4. Change in size of market share

Answer 25

2-Priority ranking of organizational objectives

Rationale
Measures of quality and significance are inherently subjective (or qualitative). Market share, market values of regularly traded derivatives such as futures, and benchmarks are all measurable quantitatively, so they can be considered objectively (although the importance of achieving a benchmark or a particular percentage of market share is subjective).

Question 26

An organization has stated that its values include providing the least-cost products to its customers possible, and part of this philosophy is reflected in a refusal to adopt a corporate social responsibility program. When setting objectives for a requested consulting engagement on how to reduce labor costs, which represents the best engagement objective listed to present to management for discussion and approval?

1. Evaluate whether adoption of a corporate social responsibility program would reduce long-term labor costs
2. Evaluate salaries against the local labor market to find areas of overcompensation.
3. Determine whether workers make a living wage and if this is adequate for purposes of morale.
4. Evaluate the use of contractors to avoid payment of benefits.

Answer 26

2-Evaluate salaries against the local labor market to find areas of overcompensation.

Rationale
Implementation Standard 2210.C2 states: “Consulting engagement objectives must be consistent with the organization’s values, strategies, and objectives.” The internal auditor should not use the consulting engagement to suggest policies that would be at odds with this corporation’s values. However, suggesting the use of contractors to avoid paying benefits could create a legal liability, because many countries have laws and regulations to prevent this.

Question 27

A preformatted numeric data entry field in a user interface would be characterized as which of the following control types?

1. Hybrid, input, and detective
2. Application, process-level, and active
3. Processing, corrective, and passive
4. Application, input, and preventive

Answer 27

4-Application, input, and preventive

Rationale
Input controls verify the integrity of data as it is entered into a system, and they are a subset of application controls, which are process- or transaction-level controls specific to an application. Preventive controls are proactive and deter undesirable events from occurring, such as entering alpha characters as an abbreviation for a month, which could cause problems in the database. A pre-formatted numeric data entry field is an example of all three types.

Question 28

Which of the following is the best example of an assurance engagement objective related to auditable governance activities?

1. To determine customer satisfaction with shareholder communications
2. To determine the operating effectiveness of the whistleblower process
3. To evaluate the design adequacy of organizational training
4. To assess compliance with cultural expectations

Answer 28

2-To determine the operating effectiveness of the whistleblower process

Rationale
The IPPF Glossary defines engagement objectives as “broad statements developed by internal auditors that define intended engagement accomplishments.” “To determine the operating effectiveness of the whistleblower process” is a broad statement and is pertinent to a likely risk related to governance. Customer satisfaction is more related to marketing effectiveness than auditable governance activities. Organizational training is much more broad than just being a governance activity. Training of senior management or the board would be more appropriate. Cultural expectations would not be subject to compliance and would be difficult to test.

Question 29

If the annual audit plan does not allow for adequate review of compliance with all material regulations affecting the company, the internal audit activity should

1. decrease the scope of operational and financial audits to make additional audit time available.
2. ensure that the board of directors and senior management are aware of the limitation.
3. include a memo with the audit planning file listing the reasons for the lack of coverage.
4. document that regulations not included will be reviewed in the subsequent year.

Answer 29

2-ensure that the board of directors and senior management are aware of the limitation.

Rationale
Senior management and the board of directors should be informed of the implications of gaps in audit coverage, including the review of compliance with applicable laws and regulations. The knowledge of incomplete audit coverage should not be known only to the internal audit activity. Audit coverage in other areas should not be automatically reduced. The internal audit activity may require additional resources to provide adequate coverage of risks.

Question 30

An internal auditor has drafted an engagement work program for an assurance audit of a financial operations area and submitted it to the audit manager for review. They agree that some portions of the program will probably have to be changed later, and the manager believes that another objective should be added about evaluating the procedure used to place a monetary value on vacant land owned by the organization. The manager states that with the addition of the new objective and a few other specified revisions, the program looks acceptable. By the time the internal auditor has revised the work program, the manager has left to attend a series of meetings that will take several weeks. The internal auditor had planned the engagement schedule to start immediately, but, not having obtained written approval from the manager, the auditor revises the engagement schedule so that it can be initiated after the manager returns. Which aspect of this scenario is in violation of the Standards and/or their associated Implementation Guides?

1. Waiting for documented approval to begin the engagement
2. Seeking approval from the client or senior management on the new objective
3. Accepting a program that both the audit manager and the internal auditor know will have to be modified
4. Submitting the draft program to the audit manager for review and approval

Answer 30

2-Seeking approval from the client or senior management on the new objective

Rationale
Internal auditors develop and obtain documented approval of work programs before commencing the internal audit engagement. The work program includes methodologies to be used per Implementation Guide 2240. Modifications to the work program as the engagement proceeds are to be expected. Obtaining input from the client or senior management regarding new objectives is an ongoing practice in many organizations, but seeking the approval of the client or senior management would violate auditor independence and objectivity.

Question 31

In planning internal audit engagements, internal auditors must consider

1. the key controls over external financial reporting for U.S. public companies.
2. the cost-benefit of performing a detailed engagement-level risk assessment.
3. management requests related to the objectives of the engagement established by the internal auditor.
4. the significant risks to the activity’s objectives, resources, and operations.

Answer 31

4-the significant risks to the activity’s objectives, resources, and operations.

Rationale
According to Standard 2201, “Planning Considerations,” in planning the engagement, internal auditors must consider the significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. Internal auditors are not required to consider management requests related to engagements. Internal auditors are not required to consider key controls over reporting; engagement objectives may be primarily related to compliance, operational, and or other business objectives. Internal auditors are not required to consider the cost-benefit of performing an engagement-level risk assessment.

Question 32

An internal auditor is conducting a preliminary survey to prepare for an assurance audit of the information technology area in a financial services company. Area management has provided a list of probable risks and associated controls to assist internal auditing. In the course of conducting a physical survey of the offices, the internal auditor notices several places where terminal screens are easily visible to those outside the secure area. This risk has not been identified by the client. What should the internal auditor do?

1. Refrain from assessing this risk since it is outside the engagement scope.
2. Incorporate this observed risk into the engagement objectives.
3. Report the situation to senior management.
4. Note the condition for discussion during the next regularly scheduled audit engagement.

Answer 32

2-Incorporate this observed risk into the engagement objectives.

Rationale
According to Implementation Standard 2210.A2, the objectives of an assurance engagement should not be limited to entity risk assessment. Probable risk exposures must be considered when developing engagement objectives. If the client refuses to address an identified risk, internal auditing would be justified in bringing this matter to the attention of senior management.

Question 33

A standardized internal audit engagement program would be appropriate for which of the following situations?

1. Complex or changing operating environment
2. Stable operating environment undergoing only change in management
3. Multiple branches with similar operations
4. Subsequent inventory audit engagements performed at locations with material shrinkage

Answer 33

3-Multiple branches with similar operations

Rationale
A standardized engagement program would not be appropriate for a complex or changing operating environment because the engagement objectives and related work steps might no longer have relevance.

Question 34

The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. The internal auditors need to determine that appropriate and sufficient resources are available to achieve the engagement objectives. What is meant by “sufficient” in this context?

1. It refers to the knowledge, skills, and other competencies needed to perform the engagement.
2. It refers to the level of technology experience needed to adequately evaluate the critical systems applicable to the engagement.
3. It refers to the complexity of the systematic, disciplined approach needed to complete the engagement.
4. It refers to the quantity of resources needed to accomplish the engagement with due professional care.

Answer 34

4-It refers to the quantity of resources needed to accomplish the engagement with due professional care.

Rationale
Standard 2230, “Engagement Resource Allocation,” states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

Question 35

Which of the following is a possible assurance engagement objective related to the purchasing function?

1. To review and authorize purchases eligible for competitive bids
2. To ensure that goods received are properly reflected in purchasing records
3. To run background checks on unauthorized vendors
4. To get external auditors to verify receiving reports

Answer 35

2-To ensure that goods received are properly reflected in purchasing records

Rationale
Engagement objectives may be stated in various ways, but it should be clear what assurances internal audit will provide. If the audit is intended to consider potential unauthorized vendors, an appropriate objective might be to determine if vendors are authorized in accordance with management criteria. The other answer choices also make it unclear what internal auditing will provide or improperly create a task for external auditors.

Question 36

An internal audit function is charged with measuring the compliance of the organization’s human resources area with applicable laws, regulations, and internal policies. Which of the following objectives would be appropriate for this engagement plan?

1. To ensure that applicant pools represent a fair cross section of the population
2. To question recently hired employees to assess compliance with the interviewing process
3. To assess the process used by human resources to respond to employee complaints
4. To establish proof of citizenship by requiring a birth certificate

Answer 36

3-To assess the process used by human resources to respond to employee complaints

Rationale
An engagement objective is a broad statement intended to define the engagement’s accomplishments. This might include evaluating such items of compliance as documentation of proof of residency and complaint response processes. Ensuring that applicants represent a cross section of the population would be an operational objective for human resources rather than an engagement objective for internal auditing. It might also be an objective to evaluate compliance of the interview process with laws, regulations, and policies, but the objective would not specify the manner of accomplishing it (e.g., by interviewing recently hired employees or requiring a birth certificate).

Question 37

Which of the following describes the risk and control matrix?

1. Must be used for engagement-level planning, according to The IIA’s Performance Standards
2. Developed exclusively by the internal auditor, without client involvement, to ensure internal auditor objectivity
3. Most widely adopted framework for enterprise-wide risk assessment
4. Useful tool for internal auditors to help ensure significant risks are identified and subsequently addressed during fieldwork

Answer 37

4-Useful tool for internal auditors to help ensure significant risks are identified and subsequently addressed during fieldwork

Rationale
The risk and control matrix is a useful, but not required, tool that may be used for completing risk assessments as part of engagement planning.

Question 38

After conducting a risk-based assessment and establishing an audit schedule, with appropriate review and approval, the internal audit activity begins work on the high-priority audits. The auditors quickly discover that one of the assurance engagements will require more technical expertise than originally anticipated. Which of the following would be the most appropriate response of the chief audit executive?

1. Rely upon the technical expertise of staff members in the area being audited.
2. Continue with the engagement and schedule weekend or after-hours training sessions for the internal auditors initially assigned to the engagement.
3. Bring in technical help from an appropriate source, such as an independent consulting firm or a university.
4. Cancel the engagement and inform the audit committee that it will be rescheduled when resources permit.

Answer 38

3-Bring in technical help from an appropriate source, such as an independent consulting firm or a university.

Rationale
The most appropriate response is to acquire the expertise from an independent source. The least appropriate response is to drop scheduled engagements; they were selected because of their assessed risks.

Question 39

The internal auditors are planning a consulting engagement in which they will use data analytics software to assist management in a payables recovery audit. The goal of the project is to identify duplicate payments, unused credits, and other monies due to the organization. What requirements do the internal auditors have in establishing an understanding with accounts payable management?

1. The internal auditors must establish an understanding with accounts payable management about objectives, scope, respective responsibilities, and other management expectations. For consulting engagements of any size, documentation of this understanding is not required.
2. The internal auditors must establish an understanding with accounts payable management about objectives, scope, respective responsibilities, and other management expectations. If this is considered a significant engagement, this understanding must be documented.
3. The internal auditors are not required to establish an understanding with accounts payable management about objectives, scope, respective responsibilities, or other management expectations. These are necessary only for assurance engagements.
4. The internal auditors must establish an understanding with accounts payable management about objectives, scope, and other management expectations. If this is considered a significant engagement, this understanding must be documented.

Answer 39

2-The internal auditors must establish an understanding with accounts payable management about objectives, scope, respective responsibilities, and other management expectations. If this is considered a significant engagement, this understanding must be documented.

Rationale
Per Standard 2201.C1, internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

Question 40

An auditor has developed objectives for an upcoming engagement. However, the chief audit executive (CAE) has instructed the auditor to make a preliminary assessment of risks relevant to the activity under review and to include the results of this assessment in the engagement objectives. Why is the CAE requiring this?

1. Risks relevant to the activity are more important than other inputs to the engagement objectives.
2. Risks relevant to the activity provide a more comprehensive review and enhance the value of the audit engagement.
3. The CAE wants the auditor to perform a longer audit.
4. Risks relevant to the activity are important just to comply with the Standards.

Answer 40

2-Risks relevant to the activity provide a more comprehensive review and enhance the value of the audit engagement.

Rationale
Per Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Question 41

Based on a risk assessment, the audit committee of an insurance company has requested that the annual internal audit plan include an engagement to review the company’s actuarial claims reserves and supporting actuarial policies and procedures. If the internal audit activity currently lacks actuarial expertise, which of the following would be the chief audit executive’s best response?

1. Postpone the engagement until the internal audit activity has acquired actuarial expertise.
2. Decline the engagement due to a lack of actuarial expertise.
3. Accept the engagement and plan to use the services of an external actuary.
4. Accept the engagement and plan to use an in-house actuary as part of the audit team.

Answer 41

3-Accept the engagement and plan to use the services of an external actuary.

Rationale
According to Implementation Guide 2230, it is important for internal auditors to inventory not only staff resources but also available technology that may be helpful or necessary to perform a quality engagement. They may also consider whether additional outside resources or technology is necessary to complete the engagement. The external actuary is independent and capable of providing the necessary level of actuarial proficiency to assist in completing the engagement. The CAE will need to ensure that such work is supervised and reviewed and consistent with the engagement.

Question 42

The internal audit activity of a large corporation has established its operating plan and budget for the coming year. The operating plan is restricted to the following categories: a prioritized listing of all engagements, staffing, a detailed expense budget, and the commencement date of each engagement. Which of the following best describes the major deficiency of this operating plan?

1. Knowledge, skills, and disciplines required to perform work are ignored.
2. Measurability criteria and targeted dates of completion are not provided.
3. Requests by management for special projects are not considered.
4. Opportunities to achieve operating benefits are ignored.

Answer 42

2-Measurability criteria and targeted dates of completion are not provided.

Rationale
The goals of the internal audit activity, as stated in specific operating plans and budgets, should include measurability criteria and targeted dates of accomplishment. Requests for special projects would be considered while prioritizing the engagements. By reviewing staffing, prioritization of engagements, and expenses, operating benefits can be achieved. Staffing for each engagement would include the consideration of knowledge, skills, and disciplines required.

Question 43

At the kickoff meeting for an internal audit of regulatory compliance aspects of a high-risk biotech research activity, the lead auditor learns that the client’s key contact person will be out on family leave for the duration of planned fieldwork. The lead auditor should

1. address the matter with the chief audit executive and consider delaying fieldwork until the return of the client’s key contact.
2. discuss the importance of cross-training and rotating duties during staff vacations and other absences as an internal control.
3. coordinate fieldwork through qualified compliance department personnel in lieu of the client’s key contact.
4. explain the necessity of completing the annual audit plan within the current fiscal year and proceed with planned fieldwork.

Answer 43

1-address the matter with the chief audit executive and consider delaying fieldwork until the return of the client’s key contact.

Rationale
For a compliance engagement of a high-risk biotech research activity, the presence of the client’s key contact person would likely be essential to a successful audit. Coordinating fieldwork through compliance department personnel is impractical and would not likely be effective. Proceeding with fieldwork in the absence of the client’s key contact person in an attempt to complete the annual audit plan would be inappropriate. Discussing the importance of cross-training and rotating duties during staff vacations and other absences (as an internal control), as an answer to the client’s key contact person’s absence during planned fieldwork, would be inappropriate during the engagement kickoff meeting.

Question 44

Which of the following documents would provide the best evidence that a purchase transaction has actually occurred?

1. Cancelled check issued in payment of the procured goods
2. Supplier’s invoice for the procured goods
3. Ordering department’s original requisition for the goods
4. Receiving memorandum documenting the receipt of the goods

Answer 44

4-Receiving memorandum documenting the receipt of the goods

Rationale
The receiving memorandum indicates that the goods were received; therefore, a purchase transaction has occurred.

Question 45

The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. The internal auditors need to determine that appropriate and sufficient resources are available to achieve the engagement objectives. What is meant by “appropriate” in this context?

1. Mix of knowledge, skills, and other competencies needed to perform the engagement
2. Level of audit management overseeing and evaluating the assigned internal auditors and the completion of the engagement
3. Mix of knowledge and mastery of the governance, risk management, and control processes related to the engagement
4. Determination that auditors assigned to the engagement are both independent and objective

Answer 45

1-Mix of knowledge, skills, and other competencies needed to perform the engagement

Rationale
Standard 2230, “Engagement Resource Allocation,” states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

Question 46

A specific objective of an audit of a company’s expenditure cycle is to determine if all goods paid for have been received and charged to the correct account. This objective would address which of the following primary objectives?

1. To determine compliance with laws, regulations, and contracts
2. To evaluate the preservation of asset values
3. To determine the effectiveness and efficiency of operations
4. To determine the reliability and integrity of financial and operational information

Answer 46

4-To determine the reliability and integrity of financial and operational information

Rationale
Implementation Standard 2130.A1 states, “The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to the risks within the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives; reliability and integrity of financial and operational information; effectiveness and efficiency of operations and programs; safeguarding of assets; and compliance with laws, regulations, policies, procedures and contracts.” The specific engagement objective of determining if goods are charged to the appropriate account would address the objective regarding the reliability and integrity of information; the specific objective of determining if all goods paid for have been received would address the objective regarding the safeguarding of assets (not preservation of asset values).

Question 47

If the internal auditor believes the organization has risk exposure that is outside the organization’s risk appetite, the internal auditor should

1. discuss the matter with management and escalate it to senior management and the board, if appropriate.
2. discuss the matter with management and escalate it to enterprise risk management and/or the legal department, if necessary.
3. discuss the matter with the audit committee chair, who will directly address the issue with the chief executive officer.
4. discuss the matter with the audit committee chair, who will evaluate the issue according to his/her oversight responsibilities.

Answer 47

1-discuss the matter with management and escalate it to senior management and the board, if appropriate

Rationale
According to The IIA’s implementation guidance for Standard 2060, “Reporting to Senior Management and the Board,” if the chief audit executive (CAE) believes that senior management has accepted a level of risk that the organization would consider unacceptable, the CAE should first discuss the matter with senior management. If the CAE and senior management cannot resolve the matter, the CAE should communicate the matter to the board. If such issues are too urgent to wait until a scheduled board meeting (e.g., a major fraud), the CAE would be well advised to make arrangements to communicate sooner.

Question 48

The internal auditors are planning an engagement focusing on the marketing process. Which of the following must be considered when planning the engagement?

1. Consistency of marketing materials across product lines and the accuracy of advertising claims listed in the materials
2. Marketing ad revenue volume and the percentage increase in sales per ad dollar spent
3. Strategies and objectives of the marketing process and the means by which marketing controls its performance
4. Strategy and objectives of the production department and their ability to support the marketing claims as advertised

Answer 48

3-Strategies and objectives of the marketing process and the means by which marketing controls its performance

Rationale
Per Standard 2201, “Planning Considerations,” internal auditors must consider these factors in planning an engagement:
* The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance
* The significant risk to the activity’s objectives, resources, and operations and the means by which the potential impact of the risk is kept to an acceptable level
* The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model
* The opportunities for making significant improvements to the activity’s governance, risk management, and control processes

Question 49

Are risks relevant to the activity under review an important consideration when determining engagement objectives?

1. No. Risks relevant to the activity can be vague and cause the auditors to waste time on unnecessary testing.
2. Yes. Risks relevant to the activity are more important than any other consideration in determining the engagement objectives.
3. Yes. A preliminary assessment of relevant risks can have a significant impact on the engagement objectives.
4. No. Risks relevant to the activity may be outside the engagement objectives and lead to scope creep.

Answer 49

3-Yes. A preliminary assessment of relevant risks can have a significant impact on the engagement objectives.

Rationale
According to Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Question 50

An electric utility company records capital and maintenance expenditures through the use of a computerized project tracking system. Labor, material, and overhead are charged to the applicable project number. Monthly reports are produced that detail individual charges for each project, and expenditure totals are provided for the current month, fiscal year, and project life to date. An auditor is reviewing monthly reports distributed by management information system personnel to determine if access to confidential information is limited to project supervisors. Which of the following steps should the auditor perform?

1. Review the operating system job control language (JCL) code for abend (abnormal end) conditions.
2. Verify that the correct transaction file was used.
3. Determine if someone has provided a signature upon delivery of the reports.
4. Review a sample of report end-of-job indicators.

Answer 50

3-An electric utility company records capital and maintenance expenditures through the use of a computerized project tracking system. Labor, material, and overhead are charged to the applicable project number. Monthly reports are produced that detail individual charges for each project, and expenditure totals are provided for the current month, fiscal year, and project life to date. An auditor is reviewing monthly reports distributed by management information system personnel to determine if access to confidential information is limited to project supervisors. Which of the following steps should the auditor perform?

Rationale
Determining if someone has provided a signature upon delivery of the reports is the only procedure that would provide information on report access.

Question 51

The director of purchasing has requested the internal auditors to perform a consulting engagement of purchasing practices to save additional money in the competitive bidding process. The director is planning to do away with the current sealed-bid process (where the lowest bid initially submitted wins the contract) in favor of an open-bid process. He wants to go back to the vendors and give them the lower bids submitted to drive each vendor to lower their bid even further. This process would be repeated several times. Additionally, the director would like to use false bids (that he makes up himself) to drive the actual vendor bids “to the absolute rock bottom.” The director wants the internal auditors to review and endorse his money-saving plan and approach. The organization does have “fair and honest dealings with our vendors” as a core value on its website, but it also has a mission “to be the preferred, high-quality, low-cost supplier of our products.” What should the internal auditors do with regard to this consulting engagement?

1. The internal auditors should not accept this consulting engagement. Consulting engagement objectives must be consistent with the organization’s values, strategies, and objectives.
2. The internal auditors should not accept this consulting engagement. The director of purchasing has already decided what he wants to do and is only looking for the internal auditors to endorse his idea.
3. The internal auditors should accept this consulting engagement. Saving money and keeping the organization competitive help the organization to fulfill its mission “to be the preferred high-quality, low cost supplier of…products.”
4. The internal auditors should accept this consulting engagement. Consulting engagements are at the request of management, and management sets the scope of the engagement.

Answer 51

1-The internal auditors should not accept this consulting engagement. Consulting engagement objectives must be consistent with the organization’s values, strategies, and objectives.

Rationale
Standard 2210.C2 states that consulting engagement objectives must be consistent with the organization’s values, strategies, and objectives. While saving money can help the organization to provide low-cost products, this approach (in addition to being unfair and ethically questionable), could impact quality and long-term vendor relations for short-term gain. The question of why the director of purchasing wants internal audit to review and approve this approach should also be concerning to the auditors.

Question 52

The internal auditors are performing a consulting engagement focusing on the treasury process. During the engagement, the internal auditors become aware of possible significant control issues. However, these issues are outside the scope of the engagement. What should the internal auditors do?

1. They should proceed with the engagement as planned, since the significant control issues are not part of the consulting engagement. A separate assurance engagement should be performed to address these issues at a later date.
2. They should proceed with the engagement as planned, since there is no requirement to be alert for significant control issues outside the scope of the consulting engagement.
3. They should amend the scope of the consulting engagement to review the possible significant control issues. These issues should be communicated to management as part of the consulting engagement.
4. They should cancel the consulting engagement and switch to an assurance engagement to more properly address the significant control issues identified.

Answer 52

3-They should amend the scope of the consulting engagement to review the possible significant control issues. These issues should be communicated to management as part of the consulting engagement.

Rationale
Per Standard 2220.C2, internal auditors must address controls consistent with a consulting engagement’s objectives and be alert to significant control issues.

Question 53

Which of the following is an appropriate audit engagement objective?

1. To observe the physical inventory count
2. To include information about stockouts in the engagement final communication
3. To determine whether inventory levels are sufficient to meet projected sales
4. To search for the existence of obsolete inventory by computing inventory turnover by product line

Answer 53

3-To determine whether inventory levels are sufficient to meet projected sales

Rationale
Engagement objectives are “broad statements developed by internal auditors that define intended engagement accomplishments.” “To determine whether inventory levels are sufficient to meet projected sales” is a statement of what the audit engagement is to accomplish. It is also specific, since it ties the inventory balance to the criterion of meeting projected customer needs. The other answer choices are engagement program steps.

Question 54

The first phase of the risk assessment process is to identify and catalog the auditable activities of the organization. Which is an auditable activity?

1. Computerized audit tools and techniques
2. Pending statutory laws and regulations as they affect the organization’s lobbying efforts
3. General ledger account balances
4. Agenda established by the audit committee for one of its quarterly meetings

Answer 54

3-General ledger account balances

Rationale
The audit committee’s agenda for an audit committee meeting and computerized audit tools and techniques would not be auditable activities (also called auditable units), as the audit function cannot audit itself. Pending laws and regulations are not auditable until they become enforceable, so the internal audit activity could not audit how those pending laws and regulations affect the organization’s lobbying efforts. The lobbying efforts themselves could be audited, however.

Question 55

Should internal audit focus on the risks relevant to the activity under review?

1. Yes. Risks relevant to the activity should also include risks from other related processes.
2. Yes. Risks relevant to the activity are on topic, and knowing about them helps avoid scope creep.
3. Yes. However, internal audit should also focus on all organizational risks for every audit.
4. Yes. Risks relevant to the activity under review also include all risks to the organization.

Answer 55

2-Yes. Risks relevant to the activity are on topic, and knowing about them helps avoid scope creep.

Rationale
Per Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Question 56

A risk-based approach to engagement-level planning requires internal auditors to first understand

1. the motivations of process owners being audited.
2. the impact, likelihood, and velocity of risks.
3. the organization and its environment.
4. the detailed processes being audited.

Answer 56

3-the organization and its environment.

Rationale
A risk-based approach requires internal auditors to first understand the entity and its environment in order to identify risks. Evaluating impact, likelihood, and velocity is essential to risk assessment, which occurs after gaining an understanding of the organization and its environment and risk identification. Gaining an understanding of detailed processes and motivations of process owners occurs after the other activities described.

Question 57

A company has two manufacturing facilities. Each facility has two manufacturing processes and a separate packaging process. The processes are similar at both facilities. Raw materials used include aluminum, plastic pellets, various chemicals, and solvents. Pollution occurs at several operational stages, including raw materials handling and storage, process chemical use, finished goods handling, and disposal. Waste products produced during the manufacturing processes include several that are considered hazardous. The nonhazardous waste is transported to the local landfill. An outside waste vendor is used for the treatment, storage, and disposal of all hazardous waste. Management is aware of the need for compliance with environmental laws. The company recently developed an environmental policy, which includes a statement that each employee is responsible for compliance with environmental laws. If the internal auditing activity is assigned the responsibility of conducting an environmental audit, which of the following actions should be performed first?

1. Conduct risk assessments for each site.
2. Review the environmental management system.
3. Provide the assigned audit staff with technical training.
4. Review company policies and procedures.

Answer 57

3-Provide the assigned audit staff with technical training.

Rationale
If the internal auditing activity is given the task of environmental audits, the first action that should be accomplished is training auditors to give them the technical expertise needed to identify and recommend corrective actions for environmental issues.

Question 58

Management has requested an audit of an activity but has not identified the objectives of the engagement. What action should internal audit take?

1. Work with management to develop the objectives after commencing the engagement.
2. Proceed with the testing requested by management without establishing objectives.
3. Work within the audit team to develop objectives for the engagement without management input.
4. Work with management to develop the objectives prior to commencing the engagement.

Answer 58

4-Work with management to develop the objectives prior to commencing the engagement.

Rationale
According to Standard 2210, “Engagement Objectives,” objectives must be established for each engagement.

Question 59

Can internal auditors deviate from management’s established criteria for governance, risk management, and controls?

1. No. The internal audit activity establishes these criteria.
2. Yes, but only if management’s criteria are considered to be inadequate.
3. No. Internal auditors must use management’s established criteria.
4. Yes. Internal auditors have no requirement to use management’s criteria. These criteria are set by the Public Company Accounting Oversight Board (PCAOB).

Answer 59

2-Yes, but only if management’s criteria are considered to be inadequate

Rationale
Standard 2210.A3 states that adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

Question 60

During an audit of the service department, the internal auditor notes that the service department manager has become more confrontational, is irritable in answering audit questions, and continually complains about being audited by a “bunch of auditors barely out of diapers.” The behavior of the service manager is beginning to adversely affect the auditors assigned to the audit. The audit manager should

1. ask the service manager to sit down with the audit staff to explain the rationale for the feelings toward the staff; group interaction has been shown to significantly improve communications and should be used here.
2. discuss the purposes of the audit with the service manager and indicate that common professional courtesy expressed both ways will improve the timeliness and contribution of the audit.
3. request the director of internal auditing to assign more experienced staff to the audit.
4. directly confront the service manager to understand the basis for the biases expressed and address them directly; indicate that continued intimidation of the staff will not be tolerated and will be reported to the audit committee.

Answer 60

2-discuss the purposes of the audit with the service manager and indicate that common professional courtesy expressed both ways will improve the timeliness and contribution of the audit.

Rationale
There may be many reasons, including personal problems, for the service manager’s actions toward the audit staff. The audit supervisor should begin by directly addressing the nature of the problem and the effect of the manager’s actions and attitudes on the audit engagement.

Question 61

Internal auditing is conducting a consulting engagement for the project management area of a global company that has become frustrated with project delays. The client has asked internal auditing to evaluate the ability of its multinational teams to communicate successfully, stay on schedule, and resolve differences and also to suggest ways in which the teams’ abilities might be improved. In the course of meeting with managers to define the scope of the project, the internal auditor becomes convinced that while the project teams could probably improve, their ability to function is not the most serious risk facing the organization. A more serious risk is a lack of commitment by various departments to the organization’s business strategies. What should internal auditing do with this observation?

1. Schedule a meeting with the audit client to discuss a possible expansion of the scope of the engagement.
2. Do not change the scope of work, but include these observations in the audit report.
3. Maintain the privacy of the interviews, and proceed with the scope of work as originally defined.
4. The chief audit executive must meet with senior management to report this newly discovered risk to the organization.

Answer 61

1-Schedule a meeting with the audit client to discuss a possible expansion of the scope of the engagement.

Rationale
According to Implementation Standard 2220.C1, if internal auditing develops reservations regarding whether the scope of work will accomplish the client’s objective, internal auditing must discuss the issue with the client and determine whether to proceed with the engagement. In this case, internal auditing could be focusing on the wrong part of the equation for the problem. The management of this area should have the opportunity to address this risk before the matter is brought to senior management.

Question 62

An internal auditing manager confides to another senior member of the function that the manager’s assigned assurance engagement may exceed its budget. Additional software had to be installed to implement planned procedures, and learning to use the new software took more time than anticipated. The manager is wondering what to do at this point. Should the team reduce the amount of work they have scheduled for the rest of the engagement? They might be able to save time and enough money to cover the software expenses. What is the best advice the colleague could give the manager?

1. “Deadlines and budgets are critical to the organization, our department, and our clients. Do what you have to in order to meet your budgets.”
2. “Don’t change course. If your engagement plan was sound, you should execute it.”
3. “Take a risk management approach to your own project. Consider the organization’s goals, the engagement objectives, and the risks of altering the procedures.”
4. “Ask the manager of the department you’re auditing to explain in writing why the additional steps you took were reasonable.”

Answer 62

3-“Take a risk management approach to your own project. Consider the organization’s goals, the engagement objectives, and the risks of altering the procedures.”

Rationale
Creating budgets and schedules during the planning phase is based on best estimates, and judgment must be used if, for any reason, those estimates are not matched. Proceeding as planned may not be a good use of resources if procedures could be altered without affecting the integrity of the internal audit. Similarly, altering procedures just to meet budgets may compromise the audit’s objectives. The decision belongs to the leader of the internal audit team.

Question 63

If the auditor determines that criteria related to management goals and objectives are inadequate or nonexistent, which action would be appropriate?

1. Recommend alternative sources of criteria, such as acceptable industry standards, to management.
2. Perform the audit in the absence of such criteria or use the criteria he or she does have.
3. Formulate criteria he or she believes to be adequate, and perform the audit and report in relationship to the alternative criteria.
4. Tell management to develop such criteria, and wait for this to be done before auditing that area.

Answer 63

3-Formulate criteria he or she believes to be adequate, and perform the audit and report in relationship to the alternative criteria.

Rationale
When there are no generally accepted criteria consistent with the audit engagement objectives, the lead internal auditor will need to identify the criteria suitable for the engagement through consultation with client management. If management doesn’t create a set of criteria, internal auditors should develop some for use in the audit. These can be provided to management for discussion and their own use, if desired.

Question 64

The chief audit executive for a city has just completed a quarterly meeting with the audit committee. The committee has expressed two major concerns it would like the audit department to examine as part of its operational audits during the next year:

• Is the downsizing that the city has been going through resulting in the right-sizing of staff for the city? The audit committee has suggested that a review of a few areas might be appropriate and could provide some preliminary evidence in addressing the committee’s concerns.
• Is the city making suboptimal long-range decisions in an effort to improve short-range cash flow? In particular, the audit committee has suggested that the internal audit department perform an operational audit of the transportation department, which is responsible for the operation of the city bus line.

During a meeting with staff auditors to discuss the possibility of doing such an audit, a staff member suggests that the department ought to gather some statistics on employee morale and potential changes in employee absenteeism. Another staff member asserts that such criteria are not important because they are not measurable and not relevant—only results are relevant. With respect to the debate, which of the following statements is true?

1. Absenteeism and employee morale cannot be objectively measured, but they should be subjectively assessed by auditor walkthroughs.
2. Job performance and results are more easily and accurately measured than employee morale, but objective tests can be created to measure morale.
3. Because employee absenteeism is more readily measurable than employee morale, the auditor should gather evidence only on absenteeism.
4. The audit should focus entirely on the objectives expressed by the committee’s two major concerns and spend no time on morale or absenteeism since they are off subject.

Answer 64

2-Job performance and results are more easily and accurately measured than employee morale, but objective tests can be created to measure morale.

Rationale
Performance and results are more easily identified and measured than a personal feeling such as morale. Objective tests are available to measure things like morale; such measures are not left merely to subjective evaluation from observation. Auditors do not gather only the most easily collected evidence; ease of collection should not be the sole criterion of evidence selection.

Question 65

The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. What criteria need to be evaluated in order to ensure that appropriate and sufficient resources are available to achieve the engagement objectives?

1. Total years of experience possessed by the internal auditors assigned to the engagement, technology tools required to efficiently perform the testing, and level of cooperation expected from audit client personnel
2. Nature and complexity of the engagement, time constraints, and available resources
3. Level of executives directly affected by the audit engagement, level of significance of anticipated issues, and importance of the engagement to senior executives and the board
4. Risk appetite of audit client management, familiarity of audit client management with the audit process, and level of formality required in the final audit report

Answer 65

2-Nature and complexity of the engagement, time constraints, and available resources

Rationale
Standard 2230, “Engagement Resource Allocation,” states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

Question 66

An internal auditing manager is assembling an audit team to conduct an assurance audit of the data processing center for a credit card company. Which individual would be the most problematic choice for inclusion on the team, assuming that there is a moderate risk that specialized fraud and IT experience will be necessary?

1. Moderately experienced internal auditor with expertise in using fraud detection software
2. Moderately experienced internal auditor who has special knowledge of the client because she worked there before joining internal auditing
3. External auditor skilled in information technology security but not fraud auditing
4. Newly hired internal auditor skilled in internal auditing practices but not knowledgeable about the organization or its departments

Answer 66

2-Moderately experienced internal auditor who has special knowledge of the client because she worked there before joining internal auditing

Rationale
Appointing an internal auditor who might have personal connections with the department would be inappropriate, since it might lead to loss of objectivity. It is appropriate to include those with special expertise—even if they must be hired from an external organization—and those who need training and experience. Hiring a new internal auditor is also appropriate since not all team members need IT expertise or specialized fraud expertise. Rather, the team as a whole needs these competencies.

Question 67

Audit engagement programs testing internal controls should

1. be tailored for the audit of each operation.
2. be generalized to fit all situations without regard to departmental lines.
3. be generalized in order to be usable at the various international locations of an organization.
4. reduce costly duplication of effort by ensuring that every aspect of an operation is examined.

Answer 67

1-be tailored for the audit of each operation.

Rationale
A tailored program is more relevant to an operation than a generalized program. Every aspect of an operation need not be examined—only those aspects likely to conceal problems and difficulties.

Question 68

Internal audit is conducting risk assessment in engagement planning. Management has already created an assessment of risk as part of an enterprise risk management framework. The internal audit function should do which of the following related to the management assessment?

1. Adopt the management assessment without reservations to avoid duplication of effort.
2. Avoid using the management assessment because adopting it would hinder independence and objectivity.
3. Assess the reliability of the management assessment prior to adopting it.
4. Avoid using the management assessment because its objectives differ significantly from those of an audit risk assessment.

Answer 68

3-Assess the reliability of the management assessment prior to adopting it.

Rationale
Implementation Guide 2210, “Engagement Objectives,” states, “It is helpful for internal auditors to determine whether a risk assessment was performed during the engagement’s planning phase and to attain a thorough understanding of the risks of both the organization and the area or process under review. In addition, it is critical to understand the expectations of stakeholders including senior management and the board.” The internal auditor also considers the reliability of management’s acceptance of risk.

Question 69

Inventory levels for a packing facility are controlled by the use of just-in-time techniques. If the auditor’s objective is to evaluate ordering and stocking standards, which of the following procedures would be relevant?

1. Using audit software to compute the number of shipping crates used per day
2. Comparing actual stocking levels to industry averages
3. Reviewing shipping records to ensure that the result is stable inventory levels throughout the year
4. Reviewing sales records for defective returns

Answer 69

1-Using audit software to compute the number of shipping crates used per day

Rationale
Shipping requirements and timing would be recomputed to verify the just-in-time standards used for quality control. Sales adjustments would meet product quality objectives, not stocking standards. Actual stocking levels would meet the objective of achieving just-in-time standards, not establishing them. There are no industry averages for just-in-time (zero balance) techniques, and, rather than creating stable inventory levels throughout the year, the objective would be to have the minimum needed amounts of inventory, which could be zero.

Question 70

Which of the following is an example of an internal audit engagement objective related to external non-financial reporting?

1. Validate the accuracy and timeliness of quarterly U.S. Occupational Safety and Health Administration (OSHA) lost-time injury reports.
2. Confirm the accuracy and timeliness of subsidiary reporting for consolidated financial statement reporting.
3. Validate the accuracy and timeliness of productivity reports for each key performance indicator by manufacturing division.
4. Confirm the accuracy of the number of compensated overtime hours by product line, by quarter, for fiscal year-end (FYE) 3/31/XX.

Answer 70

1-Validate the accuracy and timeliness of quarterly U.S. Occupational Safety and Health Administration (OSHA) lost-time injury reports.

Rationale
An example of an internal audit engagement objective is to validate the accuracy and timeliness of OSHA lost-time injury reports, which would be an external non-financial regulatory compliance reporting requirement. Confirming the accuracy and timeliness of subsidiary reporting for consolidated financial statement reporting is an audit objective related to financial reporting. Validation and/or confirmation of accuracy and timeliness of productivity reports and/or the accuracy of compensated overtime hours for a fiscal year-end are internal audit objectives related to internal non-financial reporting.