Audit exam 1
Which of the following statements about internal control is true?
-A limitation of internal control is that management makes judgments about the extent of controls it implements.
A chief audit executive (CAE) for a very small internal audit department has just received a request from management to perform an audit of an extremely complex area in which the CAE and the department have no expertise. The nature of the audit engagement is within the scope of internal audit activities. Management has expressed a desire to have the engagement conducted in the very near future because of the high level of risk involved. Which of the following responses by the CAE would be in violation of the Standards?
-Accept the audit engagement and begin immediately, since it is a high-risk area.
Which of the following actions is required of the CAE in regard to the objectivity of internal auditors?
-Assess (The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.)
Periodic self-assessments are a component of a quality assurance and improvement program (QAIP) for an internal audit activity (IAA). They most likely include
-Assessments by senior internal auditors or certified internal auditors.
A certified internal auditor performed an assurance engagement to review a department store's cash function. Which of the following actions will be deemed lacking in due professional care?
-Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed.
The effective organizational independence of the internal audit activity is most likely evidenced by
-Board inquiries about inappropriate scope limitations.
Internal auditors have a responsibility for helping to deter fraud. Which of the following best describes how this responsibility is usually met?
-By evaluating the adequacy and effectiveness of controls in light of the potential exposure or risk.
Check kiting
-Can proceed in a circle of accounts at any number of banks.
An internal auditor should be concerned about the possibility of fraud if
-Cash receipts, net of the amounts used to pay petty cash-type expenditures, are deposited in the bank daily.
According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?
-Change identification
Which of the following is an inherent limitation of internal control?
-Collusion
To achieve the effective organizational independence of the internal audit activity (IAA), the chief audit executive (CAE) most likely should
-Communicate with the board about the IAA's performance.
Under the IIA's Code of Ethics, an entity that provides internal auditing services is specifically required to
-Comply with the International Standards for the Professional Practice of Internal Auditing
Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset?
-Debit expenses and credit the asset.
An employee steals money from his company's bank deposits, then makes up for the stolen cash with cash from the next day's deposits. If there is not enough cash the next day, the employee has to wait another day to make up for the deposit. And the cycle continues. This can go undetected for months. Which of the following controls could the organization implement as a preventive control to address this situation?
-Deposit slips and deposit bags have sequential numbers. The manager is required to write the deposit bag number on the deposit slip. The reason for any voided deposit slips or bags is to be documented.
Which of the following describes one of the responsibilities of the internal auditor for the deterrence of fraud in an organization?
-Evaluating the adequacy of controls to prevent fraud.
The use of financial statement analysis, quality control procedures, and employee performance evaluations are all examples of
-Feedback controls
Auditors must always be alert for the possibility of fraud. Assume the controls over each risk listed below are marginal. Which of the following possible frauds or misuses of organization assets should be considered the area of greatest risk?
-Grants are made to organizations that might be associated with the president or are not for purposes dictated in the organization's charter.
Part of The IIA Rules of Conduct for competency?
-Internal auditors shall engage only in those services for which they have necessary knowledge, skills, and experience.
Which of the following correctly classifies governance functions as internal or external?
-Internal: internal audit function External: government regulation
The storeroom supervisor explained that each of the 15 stockroom personnel selected one item each day for cycle count based on how efficiently the item could be counted. The opportunity for control-related problems including fraud has been increased in the stockroom because
-Items for cycle count are selected by stockroom personnel.
Management's aggressive attitude toward financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when
-Management is dominated by one individual who is also a shareholder.
A restaurant chain has over 680 restaurants. All food orders for each restaurant are required to be entered into an electronic device that records all food orders by food servers and transmits the order to the kitchen for preparation. All food servers are responsible for collecting cash for all their orders and must turn in cash at the end of their shift equal to the sales value of food ordered for their I.D. number. The manager then reconciles the cash received for the day with the computerized record of food orders generated. All differences are investigated immediately by the restaurant. Organizational headquarters has established monitoring controls to determine when an individual restaurant might not be recording all its revenue and transmitting the applicable cash to the corporate headquarters. Which one of the following is the best example of a monitoring control?
-Management prepares a detailed analysis of gross margin per store and investigates any store that shows a significantly lower gross margin.
Which of the following is considered a fraudulent activity?
-Misappropriation of assets.
An internal auditor observes that a receivables clerk has physical access to and control of cash receipts. The auditor worked with the clerk several years before and has a high level of trust in the individual. Accordingly, the auditor notes in the engagement working papers that controls over receipts are adequate. Has the auditor exercised due professional care?
-No, alertness to conditions most likely indicative of irregularities was not shown.
An internal auditor discovered some material inefficiencies in a purchasing function. The purchasing manager is the internal auditor's next-door neighbor and best friend. In accordance with The IIA's Code of Ethics, the internal auditor should
-Objectively include the facts of the case in the engagement communications.
Number 2, "Randy was always handling the most urgent...," is an example of a(n)
-Opportunity to commit
The Deming Cycle may be applied to an internal audit activity's quality assurance and improvement program (QAIP). The QAIP's formal documentation of practices occurs in which step of the Deming Cycle?
-PLAN
Which of the following engagement procedures, performed by the internal auditor, is most likely to detect this fraud?
-Performing a trend analysis of printing supplies expenses for a 2-year period.
The risk of the addition of fictitious employees to the payroll by the person performing the payroll processing function is reduced by
-Performing periodic floor checks of employees on the payroll.
Which of the following controls, if properly implemented, is most likely to decrease the likelihood of fraud?
-Require that receiving reports be sent directly to accounts payable.
Controls may be classified according to the function they are intended to perform, for example, as detective, preventive, or directive. Which of the following is a directive control?
-Requiring all members of the internal audit activity to be CIAs.
When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditor's knowledge of
-Risk management processes
Internal auditors are most likely to perform procedures to detect fraud when
-Significant control deficiencies exist.
An entity defines its risk appetite in which component of the COSO ERM framework?
-Strategy and objective-setting.
A typical code of ethical conduct for financial managers or management accountants in an organization requires all of the following except
-Subjectivity in presenting information, preparing reports, and making analyses. (The code of ethical conduct for financial managers or management accountants in an organization should require objectivity in presenting information, preparing reports, and making analyses.)
When the internal audit activity performs an assurance engagement, how many parties are involved?
-THREE (process owner, internal auditor, user of the assessment)
Which of the following engagement procedures is most likely to detect the fraud?
-Take a sample of paid invoices and verify receipt of services by departments involved.
purposes of the International Standards for the Professional Practice of Internal Auditing ("the Standards") is to
-The IIA provides the following purposes of the Standards: Guide adherence with the mandatory elements of the IPPF. Provide a framework for performing and promoting a broad range of value-added internal audit activities. Establish the basis for evaluating internal auditing performance. Foster improved organizational processes and operations.
Which of the following is the common name for Internal Control: Guidance for Directors on the Combined Code?
-The Turnbull Report
Which of the following controls allowed the fraud to occur?
-The accounting for customer food checks by the supervisor.
Violates The IIA's Code of Ethics and the Standards?
-The chief audit executive (CAE) disagrees with the engagement client about the observations and recommendations in a sensitive area. The CAE discusses the detail of the observations and the proposed recommendations with a fellow CAE from another organization.
After the chief audit executive receives approval from the board to offer consulting services, what should be done?
-The internal audit charter should be amended.
Which of the following is an example of a detective control?
-The manager is given a check log reconciliation at the close of each business day.
When the internal auditor called to arrange the annual control review during the third quarter, the VAN stated that it could not accommodate the internal auditor because the peak processing period started earlier than normal this year and all VAN personnel were occupied. This scope limitation, along with its potential effect, must be communicated to which one of the following?
-The organization's board of directors.
Which of the following is an example of the "Act" step in the Deming Cycle?
-Undertaking improvement initiatives and documenting lessons learned.
A newly hired CAE discovered the CFO is paying personal expenses through the organization. Upon further investigation, the CAE found that the CFO is submitting these expenses as research and development. The CFO has worked for the organization for 15 years. The CAE immediately notified the audit committee. The CAE
-Upheld the Code of Ethics principle of integrity.
When the internal audit activity lacks the expertise to perform a specific engagement, the chief audit executive (CAE) should do which of the following?
-Use external resources with sufficient expertise to accomplish the engagement.
Use of standard operating procedures as controls is most likely to be effective in an organization that has which of the following characteristics?
-an aversion to risk.
Due professional care calls for
-consideration of the possibility of material irregularities during every engagement.
According to The IIA Glossary appended to the Standards, which of the following are most directly designed to ensure that risks are contained?
-control processes
Which of the following items is an example of an inherent limitation in an internal control system?
-human error in decision making
An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools?
-imprinting a controlled identification number on each tool
Company A recently acquired Company B. Company B is in a very different industry from Company A. Ten internal auditors have been assigned to review key areas of Company B's operations. The CAE has arranged for the auditors to receive industry training prior to the commencement of work. How should the CAE explain to the board why the industry training is needed?
-internal auditors do not have the necessary knowledge, skills, or experience to complete the work.
Full external assessment of the internal audit activity's (IAA's) conformance with the Standards and Code of Ethics
-is conducted by an external assessor or assessment team
In an assurance engagement performed with due professional care, internal auditors must
-not guarantee that all significant risks are identified.
A distinguishing feature of an external assessment is its objective to
-provide independent assurance.
Violation of The IIA's Code of Ethics by an internal auditor?
-purchasing stock in a target entity after overhearing an executive's discussion of a possible acquisition.
A formal code of ethics should do all of the following except
-reflect only legal standards of conduct for individuals and the organization.
Company management completes event identification and analyzes the risks. The company wishes to assess its risk after management's response to the risk. According to the COSO ERM framework, which of the following types of risk does this situation represent?
-residual risk
A chief audit executive (CAE) has been requested by the audit committee to conduct an engagement at a chemical factory as soon as possible. The engagement will include reviews of health, safety, and environmental (HSE) management and processes. The CAE knows that the internal audit activity does not possess the HSE knowledge necessary to conduct such an engagement. The CAE must
-seek permission from the audit committee to obtain appropriate support from an HSE professional.
Which of the following is a financial statement fraud?
-senior management overstates assets and conceals liabilities.
Which of the following should be defined in the internal audit plan for an assessment of governance?
-the nature of the work, the governance process, the nature of the assessments
Which of the following most likely should be stated in an entity's vision statement?
-the strategy for maintaining a culture consistent with legal responsibilities.
What are the major components of governance? 1. Strategic direction 2. Oversight 3. Regulations 4. Ethics
1 and 2 only.
Which of the following should be stated in an organization's code of conduct? 1. The organization's values and objectives 2. The behavior expected 3. The strategies for maintaining a culture inconsistent with legal, ethical, and societal responsibilities
1 and 2 only.
Which of the following statement(s) is (are) true regarding the deterrence of fraud? 1. The primary means of deterring fraud is through effective controls initiated by senior management. 2. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy of controls. 3. Internal auditors are responsible for designing and implementing fraud prevention controls. 4. Internal auditors should determine whether communication channels provide management with adequate and reliable information about the effectiveness of controls and the occurrence of unusual transactions.
1,2,4
Which of the following facts, by themselves, could contribute to a lack of independence of the internal audit activity? 1. The CEO accused the new auditor of not operating "in the best interests of the organization." 2. The majority of audit committee members come from within the organization. 3. The internal audit activity's charter has not been approved by the board.
1, 2, 3.
A company has denied for years that it bears any responsibility for damage allegedly caused by its trucks to public roads. No further actions have been taken by the company. This is an example of which corporate social responsibility strategy? A. Reaction. B. Defense. C. Accommodation. D. Proaction.
A. Reaction. Reaction is when the organization denies or ignores responsibility and tries to maintain the of a reaction strategy.
Which of the following is a false statement about the COBIT 2019 framework? A. Governance and management activities and structures can be combined to support a holistic approach. B. A governance system design may be unique to a particular organization. C. A governance framework should reflect relevant compliance standards. D. The COBIT Performance Management model uses capability levels and maturity levels to measure performance.
A. Governance and management activities and structures can be combined to support a holistic approach. Governance distinct from management is one of the six principles for a governance system. Governance tasks should be differentiated from management tasks. Accordingly, governance and management activities and structures cannot be combined.
Up to this point, the internal audit activity has reported to the chief operating officer. Due to the significant changes, there has been some discussion as to changing this reporting relationship. What would be the best reporting relationship?
Administratively to the president and functionally to the board.
The internal and external auditors report directly to an audit committee composed of independent directors. This practice is directly related to which of the following governance principles? 1. Effective use of internal and external auditors. 2. Effective interaction among the board, management, and assurance providers. 3. An organizational structure that supports accomplishing strategic objectives. 4. An organizational structure used to measure organizational and individual performance.
B. 1 and 2 only.
Which of the following is most likely an internal audit activity's function in a less structured governance process? A. Designing processes to address basic risks. B. Compliance with procedures, policies, and plans. C. Evaluating the effectiveness of specific governance processes that are distinct from control. D. Acting as a consultant in optimizing governance practices.
B. Compliance with procedures, policies, and plans.
Each of the following is a method to evaluate internal controls based on the framework set by the Committee of Sponsoring Organizations (COSO), except A. Testing to determine whether the controls are operating effectively and have prevented losses in the past. B. Distinguishing economy risk from industry risk and enterprise risk. C. Identifying mitigating controls to prevent losses. D. Evaluating internal control systems that focus first on risk identification of specific losses.
B. Distinguishing economy risk from industry risk and enterprise risk.
Which of the following is not an objective of application controls? A. Confirming input data are accurate, complete, authorized, and correct. B. Establishing logical access controls over infrastructure, applications, and data. C. Maintaining a record to track the process of data from input to storage and to the eventual output. D. Processing data as intended in an acceptable time period.
B. Establishing logical access controls over infrastructure, applications, and data. Establishing logical access controls over infrastructure, applications, and data is an IT general control. According to IIA GTAG, application controls are those that pertain to the scope of individual business processes or application systems. The objective of application controls is to ensure that (1) input data are accurate, complete, authorized, and correct; (2) data are processed as intended in an acceptable time period; (3) data stored are accurate and complete; (4) outputs are accurate and complete; and (5) a record is maintained to track the process of data from input to storage and to the eventual output.
Which of the following controls is the least effective in preventing a fraud conducted by sending purchase orders to bogus vendors? A. Require that all purchases be made from an authorized vendor list maintained independently of the individual placing the purchase order. B. Require that total purchases for a month not exceed the total budgeted purchases for that month. C. Require that only approved vendors be paid for purchases. D. Require contracts with all major vendors from whom production components are purchased.
B. Require that total purchases for a month not exceed the total budgeted purchases for that month.
The internal audit charter includes all of the following except A. The internal auditor's responsibility to provide assurance and consulting services. B. The organization's core values, mission, and vision statements. C. The nature of the chief audit executive's relationship with the board. D. A formal definition of the purpose, authority, and responsibility of the internal audit activity.
B. The organization's core values, mission, and vision statements.
Although corporate social responsibility (CSR) involves the incurrence of certain costs, in what ways can CSR also produce benefits? 1. Positive public perception on a local, national, and international level 2. Retention of workers 3. Charity as a form of advertising 4. Deductibility of charitable donations
C. 1, 2, 3, and 4.
In which CSR business activity would an organization consider CSR risks before projects are approved? A. Monitoring, evaluating results, and benchmarking. B. External and internal reporting of results. C. Integrating CSR principles and controls into the decision-making process. D. Establishing and communicating policies and procedures.
C. Integrating CSR principles and controls into the decision-making process.
In the risk management process, management's view of the internal audit activity's role is likely to be determined by all of the following factors except A. Local conditions and customs of the country. B. Organizational culture. C. Preferences of the independent auditor. D. Ability of the internal audit staff.
C. Preferences of the independent auditor. Ultimately, the role of internal auditing in the risk management process is determined by senior management and the board. Their view on internal auditing's role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs.
Organizational culture is reflected in which of the following? I. Measuring performance II. Specifying accountability III. Complying with corporate social responsibilities
D. I, II, and III
Which of the following is a purpose of governance practices? A. Enhancing the interests of specific stakeholders only in the short term. B. Delegating organizational oversight to the internal audit activity. C. Satisfying ethical principles but not society's expectations. D. Reporting fully and truthfully to the public.
D. Reporting fully and truthfully to the public.
Which of the following statements is not accurate with regard to soft controls? A. Soft controls have become more necessary as technology advances have empowered employees. B. The COSO and CoCo models emphasize soft controls. C. The communication of ethical values and the fostering of mutual trust are soft controls in the CoCo model. D. Control self-assessment is not an approach to audit soft controls.
D. Control self-assessment is not an approach to audit soft controls.
According to ISO 31000, which of the following is not a principle of risk management? A. Considers human and cultural factors. B. Considers the best available information. C. Promotes continuous improvement. D. Delegates accountability and authority.
D. Delegates accountability and authority.
Which of the following is not a type of control? A. Preventive. B. Directive. C. Detective. D. Reactive.
D. Reactive.
The internal audit activity collectively must possess or obtain certain competencies, excluding A. The ability to assess relevant basic macroeconomic factors. B. Knowledge of the IPPF. C. Knowledge of cost accounting concepts. D. The ability to conduct training sessions in quantitative methods.
D. The ability to conduct training sessions in quantitative methods. (The ability to conduct training sessions in specific areas is not among the required competencies.)
The IIA Rules of Conduct set forth in The IIA's Code of Ethics
Describe behavior norms expected of internal auditors.
Senior management is primarily responsible for A. Ensuring that external auditors oversee risk management and control processes. B. Evaluating the controls over the reliability and integrity of financial and operational information. C. Implementing and monitoring controls designed by the board of directors. D. Determining who will be risk owners.
Determining who will be risk owners.
Which of the following statements regarding governance is false? A. Governance requirements vary by entity type and regulatory jurisdiction. B. Governance has a range of definitions depending on the circumstances. C. Governance does not exist as distinct processes and control structures. D. Governance models generally treat governance as a process or a system that is static.
Governance models generally treat governance as a process or a system that is static.
The board of directors' primary responsibility regarding internal control is to A. Implement and monitor controls designed. B. Identify stakeholders and the outcomes that are unacceptable. C. Establish a system of risk management. D. Review the reliability and integrity of financial and operational information.
Identify stakeholders and the outcomes that are unacceptable.
A chief audit executive (CAE) learned that a staff internal auditor provided confidential information to a relative. Both the CAE and staff internal auditor are CIAs. Although the internal auditor did not benefit from the transaction, the relative used the information to make a significant profit. The most appropriate way for the CAE to deal with this problem is to
Inform The IIA's Board of Directors and take the personnel action required by organizational policy.
The Rule of Conduct requirement for internal auditors to "perform their work with honesty, diligence, and responsibility" falls under which principle of The IIA's Code of Ethics?
Integrity
Your organization has selected you to develop an internal audit activity. Your approach will most likely be to hire
Internal auditors who collectively have the knowledge and skills needed to perform the responsibilities of the internal audit activity.
Number 6, "He also joined an expensive country club," is an example of
Lifestyle symptom
Careful Corp. always has its internal auditors review transactions between Careful Corp. and its subsidiary, Risky Corp., to ensure that the transactions are carried out in a fair and transparent manner. This practice is most closely related to which of the following governance principles? A. Effective interaction among the board, management, and assurance providers. B. An organizational structure used to measure organizational and individual performance. C. Oversight of related party transactions and conflicts of interest. D. An organizational structure that supports accomplishing strategic objectives.
Oversight of related party transactions and conflicts of interest.
The requirement that purchases be made from suppliers on an approved vendor list is an example of a
Preventive control
According to the Standards, governance is A. The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. B. The leadership, organizational structures, and processes that ensure that the enterprise's information technology supports the organization's strategies and objectives. C. A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives. D. The highest level governing body charged with the responsibility to direct and/or oversee the organization's activities and hold senior management accountable.
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
An internal auditor is performing services in a division in which the chief financial officer is a close personal friend, and the internal auditor learns that the friend is to be replaced after a series of critical labor negotiations. The internal auditor relays this information to the friend. Has a violation of The IIA's Code of Ethics occurred?
Yes. The internal auditor was not prudent in the use of information acquired in the course of his or her duties.
In analyzing the differences between two recently merged businesses, the chief audit executive of Organization A notes that it has a formal code of ethics and Organization B does not. The code of ethics covers such things as purchase agreements, relationships with vendors, and other issues. Its purpose is to guide individual behavior within the firm. Which of the following statements regarding the existence of the code of ethics in A can be logically inferred?
has established objective criteria by which an individual's actions can be evaluated.
Examples of CSR include all of the following except A. A delivery company uses its distribution network to deliver supplies for free to areas affected by natural disasters. B. A professional services firm pays its employees a bonus each year for providing services as volunteers to local not-for-profit organizations. C. A pharmaceutical company that produces potentially addictive pain medication donates to addiction treatment facilities. D. A tobacco company donates money to stop-smoking initiatives as a result of the settlement to a lawsuit.
tobacco company donates money to stop-smoking initiatives as a result of the settlement to a lawsuit.