Pre-Test Flashcards

1
Q

An organization uses a risk heat map with impact and likelihood values to classify fraud. The theft of proprietary customer data (i.e., credit card numbers) is classified as high likelihood and high impact. Based on this classification, the organization should

a) reduce the risk impact.
b) reduce the risk likelihood.
c) pay little attention to the risk.
d) share the risk with a backup plan.

A

b) reduce the risk likelihood.

Rationale
The risk heat map for likelihood and impact looks at each type of fraud and determines how likely the fraud is to occur and how significant it would be if it did occur. Any fraud that has a high probability and high significance of material effect must be addressed with controls, processes, and procedures to prevent it or, more realistically, to drastically reduce its likelihood. Reducing the impact implies that the organization is willing to incur the theft. This would not be true for a high-impact loss of proprietary data. A backup plan is not a valid example of sharing the risk.

2
Q

Key risk responses include which of the following?

a) Sharing, acceptance, control, avoidance.
b) Avoidance, sharing, control, pursuit.
c) Acceptance, avoidance, reduction, sharing.
d) Control, avoidance, reduce, acceptance.

A

c) Acceptance, avoidance, reduction, sharing.

Rationale
According to the Textbook: Risk response/risk treatment is “an action, or set of actions, taken by management to achieve a desired risk management strategy. Risk responses can be categorized as risk avoidance, reduction, sharing, or acceptance.” Control is not a type of risk response; the chosen risk response determines how the organization will control the risk.

3
Q

A chief audit executive (CAE) receives a call from an audit client complaining that the audit team is deviating from the audit announcement letter by going into areas that are not within the scope of the audit. What is the best way for the CAE to resolve this issue if she believes the internal audit team was doing the right thing?

a) Send a copy of the internal audit charter to the audit client, highlighting that internal audit has “access to any and all areas.”

b) Schedule a meeting with the audit client and the CEO to collaborate on how to address the audit need while staying within the announcement letter scope.

c) Explain to the audit client how the area being reviewed relates to the original audit described in the announcement letter.

d) Persuade the audit client to allow the review of the additional area.

A

c) Explain to the audit client how the area being reviewed relates to the original audit described in the announcement letter.

Rationale
Internal auditors need to be competent in communication in order to deliver internal audit engagements. While it is true that internal audit has access to any and all areas, explaining why the team chose to review the additional areas is a better example of good communication, which is in line with Performance Standard 2420, “Quality of Communications,” in that communications must be constructive. The more forceful explanation can be reserved for times when access has been improperly denied.

4
Q

Which activity would be presumed to impair the objectivity of an internal auditor if done within the past year?

a) Recommending standards of control for a new information system application

b) Performing reviews of procedures for a new computer application before it is installed

c) Drafting procedures for running a new computer application to ensure that proper controls are installed

d) Noting that the chief audit executive has multiple direct interactions with the board related to a new information system

A

c) Drafting procedures for running a new computer application to ensure that proper controls are installed

Rationale
Standard 1130.A1 says in part, “Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.” The other answer choices are not presumed to impair objectivity per Standard 1130.

5
Q

An auditor is performing a paycheck distribution at a company location that is a three-hour drive from the office. The audit test is being performed to verify that employees listed on the payroll exist. It has started to snow outside, and the auditor has validated 99 of the 100 employees listed. The remaining employee works on the night shift. The location manager is concerned about the auditor driving in the snow and offers to validate the employee’s existence over the phone and to have the employee sign the auditor’s workpaper to attest to his existence. The auditor agrees to this. Did the auditor make the right decision?

a) Yes, the manager is a trusted and well-respected employee, and the auditor’s decision was reasonable and prudent given the circumstances.

b) No, the auditor should have requested some additional evidence, such as taking a picture of the employee and emailing that.

c) No, the auditor should have returned on another day or waited for the employee to report to work.

d) Yes, 99 of 100 employees were verified, which meets the materiality threshold.

A

c) No, the auditor should have returned on another day or waited for the employee to report to work.

Rationale
Attribute Standard 1220, “Due Professional Care,” states: “Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.” The auditor should have returned on another day or waited for the employee to report to work.

6
Q

Which would impact an internal auditor’s objectivity?

a) Providing advice to the new CFO (who started nine months ago) on best practices in an accounts payable department

b) Using five years of job experience in a department (transfer from the department was nine months ago) to recommend eliminating several poor procedures

c) Relying on the work of an external subject matter expert who used to work for the organization as recently as nine months ago

d) Following up on the recommendations made by internal audit in an audit that concluded nine months ago

A

b) Using five years of job experience in a department (transfer from the department was nine months ago) to recommend eliminating several poor procedures

Rationale
Standard 1130.A1 states that “internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.”

7
Q

Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing risk management, control, and governance processes?

a) To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated

b) To provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically

c) To ensure that weaknesses in the internal control system are corrected

d) To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives

A

b) To provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically

Rationale
The purpose stated in Implementation Guide 2120 is to provide reasonable assurance that the risk management, control, and governance processes will enable the organization’s objectives and goals to be met efficiently and economically.

8
Q

Which of the following goals sets risk management strategies at the optimum level?

a) Minimizing losses
b) Minimizing costs
c) Maximizing shareholder value
d) Maximizing market share

A

c) Maximizing shareholder value

Rationale
Maximizing shareholder value is a comprehensive approach that will relate to risk management strategies across the enterprise.

The other goals are not part of a comprehensive approach to risk management.

9
Q

A board’s role in organizational governance is best described as

a) providing assurance to shareholders.
b) establishing the entity’s value system.
c) serving as the focal point.
d) managing strategies for the achievement of organizational objectives.

A

c) serving as the focal point.

Rationale
The board is the focal point for all governance activities, and it establishes the “tone at the top.” The board is also responsible for implementing best governance practices and providing oversight of organizational activities.

10
Q

Appropriate internal control for a multinational corporation’s branch office that has a monetary transfer unit requires that

a) corporate management approve the hiring of monetary transfer unit employees.

b) the individual who initiates wire transfers not reconcile the bank statement.

c) foreign currency rates be computed separately by two different employees.

d) the branch manager receive all wire transfers.

A

b) the individual who initiates wire transfers not reconcile the bank statement.

Rationale
Independent reconciliation of bank accounts is necessary for good internal control. Foreign currency translation rates are not computed but instead verified. Having two employees in the same department perform the same task will not significantly enhance internal control.

11
Q

In an organization with a less mature governance system, which of the following would be an appropriate action by the internal audit function?

a) Evaluating best practices for use by the organization

b) Comparing the current governance structure and practices against regulations and other compliance requirements

c) Analyzing the transparency and disclosure practices among parts of the governance structure

d) Auditing the design and effectiveness of specific governance-related processes

A

b) Comparing the current governance structure and practices against regulations and other compliance requirements

Rationale
When less maturity in governance processes prevails, the internal audit function tends to focus more on performing discrete audits, providing advice regarding optimal structure and practices, and comparing the current governance structure and practices against regulations and other compliance requirements.

12
Q

Which action below could endanger individual objectivity?

a) The same internal auditor performs the same specific audit in consecutive years.

b) The internal audit staff is required to submit conflict-of-interest statements.

c) Two years after an internal auditor transfers from an operating department, he is given an audit engagement in that area.

d) A guest auditor from a subsidiary is added to the audit team for a specific period for her technical expertise.

A

a) The same internal auditor performs the same specific audit in consecutive years.

Rationale
Policies and ongoing assessment of individual objectivity set the stage for an internal auditor to perform his or her duties objectively. Additional best practices for perpetuating individual objectivity include rotating internal auditor staff assignments periodically whenever it is practical to do so.

13
Q

During a regularly scheduled audit of a billing area, an internal auditor is told by an employee that a new manager frequently takes the place of workers who are absent or on break. The predecessor never did this. What should the auditor do next?

a) Gather evidence to establish either cause for fraud investigation or a lack of cause.

b) Include the comment in the auditing report so that the chief audit executive can decide on further action.

c) Immediately inform senior management.

d) Nothing. This is only rumor and does not constitute proof of wrongdoing.

A

a) Gather evidence to establish either cause for fraud investigation or a lack of cause.

Rationale
Although the report is not proof, the activity is suspicious and must be investigated further by the internal auditor to determine if fraud may be occurring. The results of this preliminary investigation are included in the audit report.

14
Q

A company with older facilities is taking on asbestos abatement in their buildings to safeguard their employees. The operating department and procurement work closely together to ensure that a competent asbestos abatement firm is hired. This is an operating contract. A project manager has not been assigned to oversee the firm’s activities. What would be the best step the company could take to improve the controls over this area?

a) Request a consulting engagement of the internal audit department to review the vendor’s compliance to the contract.

b) Implement an effective environmental compliance program that includes systems for monitoring, auditing, and reporting on activities and results in this compliance area.

c) Assign a project manager to this project.

d) Issue policies and procedures over the monitoring of environmental firms and give new contractors an admonition to “always act ethically.”

A

b) Implement an effective environmental compliance program that includes systems for monitoring, auditing, and reporting on activities and results in this compliance area.

Rationale
Environmental and social safeguards are a broad category of external laws and regulations and internal policies, risk management strategies, and programs of management, control, and assurance. Compliance and ethics programs are used to provide incentives for compliance, disciplinary measures for noncompliance, and assurance that these external laws and regulations and internal policies are being followed. Operating contracts typically do not require a separate project manager.

15
Q

An organization creates an initiative involving all employees to develop a thorough enterprise risk management (ERM) process that focuses on significant risks and promotes proactively managing risk exposures. It builds early warning mechanisms into existing management information systems. Employees are given specific responsibilities to monitor for the identified risks in their purview. A year later, the system is continuing to function as it was built. What might be missing from this ERM system?

a) Way of embedding control into the organizational processes

b) Focus on those risks that have been identified by senior management as being potentially damaging to the achievement of the organization’s objectives

c) Feedback process to learn from mistakes and to harness potential improvements and risk reductions

d) Adoption of a risk-based approach to internal control and the assessment of its effectiveness

A

c) Feedback process to learn from mistakes and to harness potential improvements and risk reductions

Rationale
Ongoing, continuous monitoring of risk and control is an important part of ERM. An organization’s risk management and internal control strategies and policies must be continuously monitored and fine-tuned in response to changing exposures. A feedback process should be in place to learn from mistakes and to harness potential improvements and risk reductions. The question makes no reference to improvements or ongoing updates to the ERM system but does discuss the items in the incorrect answer choices as already occurring.

16
Q

Which is an essential skill for a forensic auditor?

a) Awareness of evidence requirements in criminal but not civil cases

b) Ability to persuade others through selective choice of information to withhold

c) Commitment to discussing the principles of accounting without prejudice to the case

d) Ability to track down and recover evidence

A

d) Ability to track down and recover evidence

Rationale
A forensic auditor has special skills apart from a knowledge of accounting practices, including understanding evidence requirements in civil and criminal courts, uncovering evidence, and assembling the evidence into a convincing narrative. Withholding key information would not be ethical. Forensic auditors are not impartial.

17
Q

Communication skills are important to internal auditors. According to the Standards, the auditor should be able to effectively convey what to the auditee?

a) Audit objectives designed for a specific auditable entity

b) Risk assessment used in selecting the area for audit investigation

c) Recommendations that are generated by managers of other auditable entities

d) Evaluations that are constructive in that they omit information that would lead to unwise conclusions regarding needed controls

A

a) Audit objectives designed for a specific auditable entity

Rationale
Performance Standard 2410, “Criteria for Communicating,” states, “Communications must include the engagement’s objectives, scope, and results.” Auditors should be proficient in communicating audit objectives, evaluations, and their own recommendations. Evaluations should be complete and should not omit information contrary to the point the auditor would like to make. The risk assessment process is not normally communicated to the auditee.

18
Q

Organizational control systems are made up of various components that govern the operations of all levels of the organization. Some of these components originate at the senior management level, while others can be developed at the department level. What is the most basic component of the organizational control system meant to guide the daily operations of the organization or a department?

a) Performance appraisals
b) Statistical reports
c) Strategic plans
d) Policies and procedures

A

d) Policies and procedures

Rationale
Policies and procedures are the most basic control subsystem of an organization.

19
Q

Which of the following is true of quality assessments that are implemented according to IIA guidance?

a) The quality assessment process may include feedback from engagement clients through interviews and questionnaires or surveys.

b) A quality assessment team would not be expected to review the internal audit activity’s efficiency and effectiveness.

c) The results of a quality assessment can be shared with the board but not senior management.

d) Company managers or members of the board may be members of the external quality assessment team if they are qualified, since they are independent of the internal audit activity.

A

a) The quality assessment process may include feedback from engagement clients through interviews and questionnaires or surveys.

Rationale
Implementation Guide 1311 recommends feedback from audit customers and other stakeholders (the clients). Implementation Guide 1312 explicitly states that assessment team members must be from outside of the organization being assessed. Therefore, use of company managers or members of the board is not permitted. Efficiency and effectiveness are among the recommended key components of an external assessment’s scope, per Implementation Guide 1312. Reporting results to senior management and the board is the final step of a quality assessment.

20
Q

The primary reason bank executives would decide to maintain a separate compliance function is to

a) strengthen controls over the bank’s investments.

b) better respond to shareholder expectations.

c) ensure the independence of line and senior management.

d) better manage perceived high risks.

A

d) better manage perceived high risks.

Rationale
Managing risk includes a variety of activities to identify, assess, and control risk across the entire spectrum of an organization, ranging from single events or projects, to narrowly defined types of risk (e.g., market risk), to threats and opportunities facing the entire enterprise. Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical to warrant continuous oversight and monitoring. A separate compliance function may have recommendations to help strengthen controls, but this is not its primary purpose. It will help respond to shareholder needs, but this is not the primary reason for establishing the compliance function. Management is not independent, and risk management is a direct responsibility.

21
Q

Who is responsible for overseeing the evaluation of information security (data protection) and control?

a) Chief audit executive (CAE)
b) Senior managers
c) Audit committee
d) Chief risk officer (CRO)

A

c) Audit committee

Rationale
Every person in an organization has a role in implementing internal controls. The audit committee (or the board of directors if no audit committee exists) oversees the evaluation of the organization’s internal control system. The CRO establishes policies related to information security, and senior managers ensure compliance with the policies. The CAE assesses (evaluates) the system of controls over information security.

22
Q

What is the first step in establishing an effective performance measurement process for an internal audit activity?

a) Interview key internal and external stakeholders.

b) Define internal audit effectiveness.

c) Align the internal audit process with performance measurement processes used throughout the organization.

d) Propose specific measures of effectiveness and efficiency.

A

b) Define internal audit effectiveness.

Rationale
The first step is to define internal audit effectiveness, based on the Core Principles, the Definition of Internal Auditing, the Code of Ethics, the Standards, existing charters, internal audit deliverables that the activity has agreed to produce, and internal consensus.

23
Q

Which practice supports the mandate of an internal audit function?

a) Unfettered access to corporate employees, facilities, and records (including those of contractors)

b) Approval of the written charter by the chief audit executive (CAE)

c) Disclosure of operational accountability for functions subject to subsequent internal audit review

d) Overriding of the written charter with current best practices

A

a) Unfettered access to corporate employees, facilities, and records (including those of contractors)

Rationale
Unfettered access to corporate employees, facilities, and records relates to the authority of internal audit.

Disclosure does not preclude the fact that internal audit should not have any operational accountability or perform functions that would be subject to subsequent internal audit review.

If the written charter does not agree with current best practices, it should be updated and re-approved by the board or the audit committee (not the CAE).

24
Q

When considering the risk and control implications of an organizational structure, which is an element of effective organizational structure design?

a) Formal lines of authority
b) Single pool of organizational resources
c) Segregation of diverse organizational tasks
d) Traditional hierarchy structure

A

a) Formal lines of authority

Rationale
Regardless of what an organizational structure looks like on paper, an effective design will establish formal lines of authority, coordinate diverse organizational tasks, and allocate and deploy organizational resources, among other things. Not all organizational structures need to be of the traditional hierarchy type.

25
Q

An internal auditor believes that the accounts receivable account balances may not be accurate. Which procedure listed would best demonstrate his/her professional skepticism?

a) Issuing third-party confirmations to the customers owing the money

b) Performing a statistical sample of the accounts and tracing them to the source documentation

c) Interviewing the company’s salespeople responsible for generating the sales

d) Tracing the fund balance to the general ledger

A

a) Issuing third-party confirmations to the customers owing the money

Rationale
Maintaining professional skepticism ensures that internal auditors do not make undue assumptions about the validity of support such as verbal explanations from management or other information received without an appropriate level of objective verification of such support. Issuing third-party confirmations to the customers owing the money would be an independent source to verify the accounts. The information would be from outside of the company and so demonstrates an attitude of professional skepticism.

26
Q

The chief risk officer is most effective when he or she

a) manages risk as a member of senior management.

b) shares the management of risk with line management.

c) works with management in their areas of responsibility.

d) shares the management of risk with the chief audit executive.

A

c) works with management in their areas of responsibility.

Rationale
The chief risk officer is most effective when working with other executives and managers in establishing effective risk management practices, monitoring progress, and assisting in reporting.

Senior management has an oversight role.

The chief audit executive is not responsible for managing risk. Risk knowledge at the line level would be specific only to that area of the organization.

27
Q

Which of the following situations would most likely be considered a violation of the Code of Ethics?

a) As chief audit executive, you are perplexed as to how to resolve a disagreement between yourself and management regarding a finding and recommendation in a very sensitive audit area. Unsure as to what to do, you discuss the details of the finding and your proposed recommendation with a fellow chief audit executive you know from your work in the local chapter of The Institute of Internal Auditors.

b) After researching and developing the proposed yearly audit plan, you, as director, are required by the company audit charter to present the plan to the audit committee for its approval and suggestions.

c) Your audit manager has just removed your most significant finding and recommendation from your audit report. Being the in-charge auditor, you have voiced your opposition to the removal and have explained that you know that the reported condition exists. Although you agree that, technically, the audit lacks sufficient evidence to support the finding, management cannot explain the condition and your audit finding is the only reasonable conclusion.

d) Because your department lacks skill and knowledge in a specialty area, your audit director has engaged the services of an expert consultant. As audit manager, you have been asked to review the expert’s approach to the assignment. You are knowledgeable regarding the area under review but are hesitant to accept the assignment because you lack the expertise to judge the validity of the expert’s conclusion.

A

b) After researching and developing the proposed yearly audit plan, you, as director, are required by the company audit charter to present the plan to the audit committee for its approval and suggestions.

Rationale
Discussing findings and recommendations with a fellow chief audit executive would be a violation, because the Code of Ethics requires confidentiality. The Standards allow for each of the other situations.

28
Q

Internal auditor proficiency in IT that supports business processes is best exemplified by

a) assisting IT auditors with the testing of manual and automated controls.

b) ensuring that appropriate technical policies and procedures are developed and communicated to IT staff.

c) collaborating with IT auditors in integrated audits by pulling results together at the report phase.

d) ensuring that appropriate manual and automated controls are identified, documented, evaluated, and tested.

A

d) ensuring that appropriate manual and automated controls are identified, documented, evaluated, and tested.

Rationale
According to interpretation of Standard 1210, “Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities.” It encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations. In today’s environment of sophisticated systems, business risks include all risks in a process, whether technological or manual. Internal auditors should understand how processes are automated and generally how applications facilitate the movement of information. Insufficient understanding of the transaction flow between systems can lead internal auditors to miss key automated controls during their reviews.

29
Q

An internal auditor uses Benford’s Law analysis to search for potential fraud. This probability principle is the cornerstone of

a) numerical analysis.
b) multidimensional analysis.
c) trend analysis.
d) regression analysis.

A

a) numerical analysis.

Rationale
Most auditing programs performing numerical analysis are based on Benford’s Law, a probability principle using observations about the frequency of occurrence of the leading digit in a series of numbers.

30
Q

The IIA’s Standards require internal auditors to have knowledge about red flags that have proven to be associated with management fraud. Which is a factor generally associated with management fraud?

a) Manager delegation of responsibility, but not oversight, to subordinates

b) Generous performance-based reward systems

c) Manager complaints about government regulation and health-care laws

d) Regular comparison of actual results to budgets

A

b) Generous performance-based reward systems

Rationale
Generous performance-based reward systems could provide motive and perhaps opportunity for fraud. The reward systems may also create pressure or additional needs that stem from company expectations. Regular actual-to-budget comparisons encourage performance and detect problems before they become too big. Delegation by managers while retaining oversight is usually considered a positive management trait. Managers complaining about government regulations or health-care laws is simply an expression of a political viewpoint.

31
Q

In regard to risk management and/or internal control, the chief audit executive (CAE) is responsible for

a) designing and monitoring control processes.

b) overseeing the establishment, administration, and assessment of the system of risk management and control.

c) providing oversight of the organization’s risk management and control processes.

d) communicating an overall judgment of the organization’s enterprise risk management (ERM) process effectiveness to management.

A

d) communicating an overall judgment of the organization’s enterprise risk management (ERM) process effectiveness to management.

Rationale
Performance Standard 2120, “Risk Management,” states, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The CAE is responsible for communicating an overall judgment of the organization’s ERM process effectiveness to management and the audit committee. Oversight is the board’s responsibility; establishment, administration, and assessment are senior management’s responsibility; and designing and monitoring control processes is operational management’s responsibility.

32
Q

What is the distinction between hotline anonymity and confidentiality?

a) Anonymity does not disclose the caller’s identity, while confidentiality discloses it securely.

b) Anonymity can be maintained only within the limits allowed by law, while promises of confidentiality must be kept.

c) The two terms are synonyms.

d) Anonymity provides nondisclosure of the caller’s identity, and confidentiality removes reference to gender or other identifying information, even if a name is not provided.

A

a) Anonymity does not disclose the caller’s identity, while confidentiality discloses it securely.

Rationale
Confidentiality and anonymity are mutually exclusive.

33
Q

An internal auditor has been asked to perform a review of the company’s process for developing accruals for its liability to clean up toxic waste sites. The audit should determine

a) whether company leadership makes periodic admonitions “to always act ethically” in regard to toxic waste site clean-ups.

b) whether clean-up costs are reasonable and, if not, which should be resisted through lobbying.

c) whether the company monitors governmental investigations to identify which waste site clean-ups to prioritize and which can be safely ignored.

d) whether the company has identified the situations in which it is potentially responsible for cleaning up a waste site.

A

d) whether the company has identified the situations in which it is potentially responsible for cleaning up a waste site.

Rationale
Determining whether the company has identified situations in which it may be responsible for cleaning up a waste site is a check that management is using risk identification and is appropriate to an audit of an organization’s environmental compliance programs.

34
Q

Which of the following exemplifies a key performance indicator (KPI) that targets performance necessary to meet audit activity objectives?

a) Extent of coordination of work with a compliance function or the enterprise risk management activity

b) Monitoring, measuring, and reporting internal audits completed compared to the approved risk-based audit plan

c) Measured timeliness of clients’ responses to internal control questionnaires (ICQs)

d) External auditor’s opinion regarding the quality of internal controls over financial reporting

A

b) Monitoring, measuring, and reporting internal audits completed compared to the approved risk-based audit plan

Rationale
A primary operational objective for an internal audit activity is to accomplish its audit plan; a KPI that targets performance necessary to meet this objective would be to compare audits completed to the approved work plan. The external auditor’s opinion regarding the quality of internal controls over financial reporting is related to the financial reporting activity, not the internal audit activity. Timeliness of client responses to ICQs would not be an effective measure of internal audit performance in meeting audit activity objectives. The extent of coordination of work with other internal assurance providers would not be a KPI that targets performance necessary to meet audit activity objectives.

35
Q

Which control would prevent the ordering of quantities in excess of an organization’s needs?

a) Policy requiring agreement of the receiving report and packing slip before storage of new receipts

b) Policy requiring review of the purchase order before receiving a new shipment

c) Automatic reorder by the purchasing department when low inventory level is indicated by the system

d) Review of all purchase requisitions by a supervisor in the user department prior to submitting them to the purchasing department

A

d) Review of all purchase requisitions by a supervisor in the user department prior to submitting them to the purchasing department

Rationale
Of the options provided, supervisory review at the originating department level is the only one that specifically controls the number of items ordered.

36
Q

While screening proposals for a contract, a bid solicitor overlooks the fact that a company has no references and minimal related work history and qualifications. The bid solicitor helps the company falsify its documentation in exchange for a cut of the contract. What type of fraud is this an example of?

a) Bribery
b) Cash theft
c) Fraudulent disbursement
d) Misuse of assets

A

a) Bribery

Rationale
This is an example of bribery, in the form of kickbacks. Money was paid to influence the bid solicitor to make a decision that benefited the bribe payer.

37
Q

Which is an example of an internal auditor living up to the principles described in Implementation Guide 1220, “Due Professional Care”?

a) The auditor conducts examinations and verifications to the fullest extent possible.

b) The auditor considers the possibility of material irregularities or noncompliance on any internal audit assignment.

c) The auditor checks for material irregularities or noncompliance if the probability of these issues is high.

d) The auditor gives absolute assurance that noncompliance or irregularities do not exist.

A

b) The auditor considers the possibility of material irregularities or noncompliance on any internal audit assignment.

Rationale
Implementation Guide 1220 tells us that due professional care implies reasonable care and competence, not infallibility or extraordinary performance. Due professional care requires the internal auditor to conduct examinations and verifications to a reasonable extent. Internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist.

38
Q

Which of the following describes the board’s major responsibilities related to risk management?

a) Ensuring that an effective, ongoing process to manage risk is in place

b) Apprising management of the most significant risks and determining whether mitigating actions are appropriate

c) Assuming direct responsibility

d) Ensuring that the risk management architecture enhances shareholder value

A

a) Ensuring that an effective, ongoing process to manage risk is in place

Rationale
Management has responsibility for risk management and ensuring that the risk management architecture enhances shareholder value. The board needs to be certain that this responsibility is carried out—effectively, proactively, and in an ongoing manner.

39
Q

Several internal audit customers have indicated that audit reports are not impactful by the time they receive them. The chief audit executive (CAE) has identified the root cause of the issue as the reporting process, which requires several levels of review, resulting in numerous edits and delays in audit report release. The CAE should

a) establish a performance metric measuring the number of days between fieldwork completion and report issuance.

b) consider report-writing training designed to improve the written communication skills of the auditor-in-charge.

c) limit reviewer report edits to a maximum number per reviewer.

d) be the only internal audit leader who reviews audit reports.

A

a) establish a performance metric measuring the number of days between fieldwork completion and report issuance.

Rationale
According to The IIA’s implementation guidance for Standard 1311, “Internal Assessments,” the internal audit activity may perform steps to support periodic self-assessment, such as analyzing key performance indicators (KPIs) related to the efficiency of standard internal audit practices (e.g., number of days between fieldwork completion and report issuance). While the other three answer choices may help to accelerate the delivery of audit reports, establishing a process to measure, monitor, and report on the timeliness of audit report delivery will drive improvement.

40
Q

Which of the following is part of the Mission of Internal Audit?

a) Protecting organizational value

b) Promoting an ethical culture in the profession of internal auditing

c) Respecting the value and ownership of information received and not disclosing information without appropriate authority

d) Reducing the occurrence of fraud

A

a) Protecting organizational value

Rationale
The Mission of Internal Audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Promoting an ethical culture is the purpose of The IIA’s Code of Ethics, and respecting the value and ownership of information received and not disclosing it is the confidentiality principle from the Code of Ethics. Reducing the occurrence of fraud is management’s responsibility.

41
Q

A CAE reports directly to the CEO. An auditor discovers a material cash shortage. When questioned, the person responsible explains that the cash was used to cover sizable medical expenses for a child and agrees to replace the funds. Despite the corrective action, the CAE decides to inform management. In this instance, the CAE

a) has both organizational independence and objectivity.

b) has neither organizational independence nor objectivity.

c) has organizational independence but not objectivity.

d) has objectivity but not organizational independence.

A

d) has objectivity but not organizational independence.

Rationale
Because the CAE reports directly to the CEO, the IA activity lacks organizational independence. However, by keeping an unbiased mental attitude and reporting the serious offense despite the potentially mitigating circumstances, the CAE is exercising objectivity.

42
Q

The operating manager of a department requests the chief audit executive (CAE) to perform a consulting review of industrial escalator maintenance at the plant. The manager wants the CAE to identify best practices in similar industries. The CAE also wants to recommend those best practices that the department should implement. Should the CAE add this recommendation work to the project?

a) No, these recommendations would constitute management work.

b) Yes, the CAE is independent from the operating location and has the purpose, authority, and responsibility to do so.

c) No, the recommendation work should have been requested by the operating manager.

d) Yes, the operating department would want that information.

A

c) No, the recommendation work should have been requested by the operating manager.

Rationale
Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and the scope of a consulting engagement are subject to agreement with the engagement client. Benchmarking internal areas with comparable areas of similar organizations to identify best practices would add value to the organization.

43
Q

Which of the following groups has the primary responsibility for the establishment, implementation, and monitoring of adequate controls in the posting of accounts receivable?

a) Accounting management
b) Accounts receivable staff
c) Internal auditors
d) External auditors

A

a) Accounting management

Rationale
Management is responsible for controls. External auditors are responsible for audits of financial statements. Accounts receivable staff are responsible for daily transaction handling.

44
Q

In planning an audit, the internal auditor should design audit objectives and procedures to address the risk associated with the activity. Risk is defined as

a) the possibility that an event may affect the achievement of objectives.

b) the failure to accomplish established objectives and goals for operations or programs.

c) the failure to adhere to organizational policies, plans, and procedures or relevant laws and regulations.

d) the possibility that the financial statements contain material misstatements.

A

a) the possibility that an event may affect the achievement of objectives.

Rationale
The IPPF glossary defines risk as “the possibility of an event occurring that will have an impact on the achievement of objectives.”

45
Q

An auditor performing an operational audit of a division observes that an unusually large quantity of goods is on hand in the shipping and materials rework areas. They are labeled as re-ship items. Upon inquiry, the auditor is told that they are goods that have been returned by customers and have either been repaired and shipped back to the original customer or repaired and shipped out as new products because they are fully warranted. Assume that the auditor finds that most of the goods are repaired and sold as new items. Such sales are not in compliance with either company policy or governmental regulations. The auditor does not know whether fraud is involved or the extent to which divisional management has been involved in the scheme. The auditor should report the finding to

a) divisional management and relevant regulatory bodies, since it is a clear violation.

b) divisional management, the audit committee, and senior management.

c) relevant regulatory bodies.

d) divisional management only, since they are responsible for correcting the problem.

A

b) divisional management, the audit committee, and senior management.

Rationale
Divisional management should be aware of the auditor’s findings since management fraud and not personal fraud is involved. It is not clear whether divisional management is an integral part of the scheme to sell the goods, but the important findings should be reviewed with divisional management as the auditee. The Standards clearly indicate that findings such as these should be reported to the audit committee and senior management. When fraud is suspected, a best practice is for the internal auditor to refer the case to the chief audit executive, who will inform the parties above and secure appropriate resources for further investigation—for example, a certified fraud examiner or an IT security specialist.

46
Q

What method of auditing corporate social responsibility (CSR) is the chief audit executive (CAE) for a large transportation company pursuing if she has instructed the audit staff to consider reviewing the relevant portions of CSR as part of every audit they perform?

a) Audit by stakeholder
b) Audit by common subject
c) Audit by element
d) Audit by risk-management-based priority

A

c) Audit by element

Rationale
Various elements of CSR will likely be audited on a cyclical basis. In this case, the CAE wants the staff to perform separate audit engagements for each CSR element, such as governance; environment; ethics; community involvement; health, safety, and security; transparency; and working conditions and human rights.

Engagements can subdivide elements by business location or external partner.

47
Q

A written charter that outlines the internal audit department’s purpose, authority, and responsibility and is approved by the audit committee or board of directors is primarily meant to enhance the department’s

a) due professional care.
b) independence.
c) relationship with management.
d) stature within the organization.

A

b) independence.

Rationale
A charter establishes the department’s independence from management. Due care is a function of audit work, not the charter.

48
Q

A small company has an internal audit department of one auditor, and she both serves as the chief audit executive (CAE) and performs all audit work. She performs an independent risk assessment of the company and attends executive meetings. While she reports administratively to the chief financial officer (CFO), she reports functionally to a three-person audit committee. What should she do in regard to adherence to the quality assurance and improvement program (QAIP) standard?

a) As the CAE, she will have to request resources from the audit committee to have an external assessment performed.

b) It would be acceptable for the CAE to perform the internal assessment of her own work since there is no one else in the department.

c) The QAIP standard is waived for a department of one person.

d) The QAIP standard indicates that her superior, the CFO in this case, should perform the assessment.

A

a) As the CAE, she will have to request resources from the audit committee to have an external assessment performed.

Rationale
The size of the internal audit department has no effect on the evaluation of the internal audit activity’s conformance with the Code of Ethics, the Standards, and its charter, along with the extent of its use of current best practices and its program of continuous improvement. These evaluations may also include recommendations to enhance conformance to the Standards.

49
Q

A chief audit executive (CAE) has established several internal controls to monitor the conduct of internal audits and consulting projects performed in the department. This includes a monthly dashboard report depicting audit start dates, completion dates, budgeted hours, and actual hours. What is the CAE trying to accomplish by having the dashboard?

a) The CAE is trying to assure the department’s own efficiency and effectiveness.

b) The CAE is creating a mandatory record for the performance of audits.

c) The CAE is generating documentation for the internal auditors’ annual performance evaluations.

d) The CAE is using the dashboard for project management, but this is not the best tool for such a task.

A

a) The CAE is trying to assure the department’s own efficiency and effectiveness.

Rationale
In order to perform its assurance role in the areas of governance, risk management, and operational effectiveness and efficiency, the internal audit activity must assure its own efficiency and effectiveness and report its performance to senior management and the board at agreed-upon intervals.

For internal assessments, the CAE may share the results, necessary action plans, and their successful implementation with stakeholders such as senior management and the board. A monthly dashboard report depicting audit start dates, completion dates, budgeted hours, and actual hours would assist in monitoring that.

50
Q

Audit committees have been identified as a major factor in promoting the independence of both internal and external auditors. Which of the following is the most important limitation on the effectiveness of audit committees?

a) Audit committees may be composed of independent directors. However, those directors may have close personal and professional friendships with management.

b) Audit committee members are compensated by the organization and thus favor a stockholder’s view.

c) Audit committee members do not normally have degrees in the accounting or auditing fields.

d) Audit committees devote most of their efforts to external audit concerns and do not pay much attention to internal auditing and the overall control environment.

A

a) Audit committees may be composed of independent directors. However, those directors may have close personal and professional friendships with management.

Rationale
Having close relationships with management is a major limitation that has hampered the effective operation of audit committees.

Audit committee members are usually outside directors. Many of these directors have a broad viewpoint and are not limited to a stockholder’s view.

Audit committees devote considerable time to the external audit function, but the evidence is that they are increasingly devoting time to internal audit reports.

A committee member need not have an accounting degree to understand most reporting and control issues.