Chapter 3, 6, and 7 Internal Audit


Which of the following is not one of the top 10 technology risks facing organizations? a. Cybersecurity. b. Use of older technology. c. IT governance. d. Mobile computing.

b. Use of older technology.

Which of the following would not be considered a first line of defense in the Three Lines of Defense model? a. A divisional controller conducts a peer review of compliance with financial control standards. b. An accounts payable clerk reviews supporting documents before processing an invoice for payment. c. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed properly. d. A production line worker inspects finished goods to ensure the company's quality standards are met.

a. A divisional controller conducts a peer review of compliance with financial control standards.

Which of the following would be considered a first line of defense in the Three Lines of Defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date. b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training. c. The external audit team observes the counting of inventory on December 31. d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-Oxley compliance with internal controls over financial reporting.

a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.

The possibility of someone maliciously shutting down an information system is most directly an element of: a. Availability risk. b. Access risk. c. Confidentiality risk. d. Deployment risk.

a. Availability risk.

Which of the following are typically governance responsibilities of senior management? I. Delegating its tolerance levels to risk managers. II. Monitoring day-to-day performance of specific risk management activities. III. Establishing a governance committee of the board. IV. Ensuring that sufficient information is gathered to support reporting to the board. a. I and IV. b. II and III. c. I, II, and IV. d. I, II, III, and IV.

a. I and IV.

The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. Preventive control. b. Detective control. c. Compensating control. d. Monitoring control.

a. Preventive control.

Which of the following best exemplifies a control activity referred to as independent verification? a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions. b. Identification badges and security codes used to restrict entry to the production facility. c. Accounting records and documents that provide a trail of sales and cash receipt transactions. d. Separating the physical custody of inventory from inventory accounting.

a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions.

The purpose of logical security controls is to: a. Restrict access to data. b. Limit access to hardware. c. Record processing results. d. Ensure complete and accurate processing of data.

a. Restrict access to data.

Who is responsible for establishing the strategic objectives of an organization? a. The board of directors. b. Senior management. c. Consensus among all levels of management. d. The board and senior management jointly.

a. The board of directors.

Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that: a. The individual who initiates wire transfers does not reconcile the bank statement. b. The branch manager must receive all wire transfers. c. Foreign currency rates must be computed separately by two different employees. d. Corporate management approves the hiring of employees in this department.

a. The individual who initiates wire transfers does not reconcile the bank statement.

Which of the following would be considered a second line of defense in the Three Lines of Defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date. b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training. c. A shift supervisor inspecting a sample of finished goods to ensure quality standards are met. d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-Oxley compliance with internal controls over financial reporting.

b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.

Which of the following best illustrates the use of EDI? a. Purchasing merchandise from a company's internet site. b. Computerized placement of a purchase order from a customer to its supplier. c. Transfer of data from a desktop computer to a database server. d. Withdrawing cash from an ATM.

b. Computerized placement of a purchase order from a customer to its supplier.

Which of the following is not a role of the internal audit function in best practice governance activities? a. Support the board in enterprisewide risk assessment. b. Ensure the timely implementation of audit recommendations. c. Monitor compliance with the corporate code of conduct. d. Discuss areas of significant risks.

b. Ensure the timely implementation of audit recommendations.

What types of business events tend to drive new legislation and guidance? a. Economic downturns. b. Fraud or other corporate wrongdoing. c. Elections or other political changes. d. Economic growth.

b. Fraud or other corporate wrongdoing.

Which of the following is the best source of IT audit guidance within the IPPF? a. Control Objectives for Information and Related Technologies (COBIT). b. GTAG. c. National Institute of Standards and Technology (NIST). d. ITIL.

b. GTAG.

COSO's Internal Control Framework consists of five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)? I. The organization demonstrates a commitment to integrity and ethical values. II. Monitoring activities. III. A level of assurance that is supported by generally accepted auditing procedures and judgments. IV. A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices. V. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. a. II only. b. I and V only. c. II and IV only. d. I, II, III, IV, and V.

b. I and V only.

Which of the following is true about new and emerging technologies? a. New technologies have security login controls built into them. b. New technologies take time for the users to transition and adapt to the new technology, so training is critical. c. New technologies always come from large multinational companies. d. New technologies have the best controls embedded in them.

b. New technologies take time for the users to transition and adapt to the new technology, so training is critical.

Companies in industries that are heavily regulated may be subject to audits by the regulator's auditors. While not specifically covered in the Three Lines of Defense model, such auditors would most likely be considered: a. Part of the first line of defense. b. Part of the second line of defense. c. Part of the third line of defense. d. Not a line of defense.

b. Part of the second line of defense.

When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks.

b. Provide assurance on the management of the risk.

Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process? a. The board of directors. b. Senior management. c. Risk owners. d. The internal audit function.

b. Senior management.

An adequate system of internal controls is most likely to detect an irregularity perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.

b. Single employee.

An effective system of internal controls is most likely to detect a fraud perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.

b. Single employee.

An internet firewall is designed to provide protection against: a. Computer viruses. b. Unauthorized access from outsiders. c. Lightning strikes and power surges. d. Arson.

b. Unauthorized access from outsiders.

Which of the following statements regarding an internal audit function's continuous auditing responsibilities is/are true? I. The internal audit function is responsible for assessing the effectiveness of management's continuous monitoring activities. II. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls. a. Only statement I is true. b. Only statement II is true. c. Both statements I and II are true. d. Neither statement I nor statement II is true.

c. Both statements I and II are true.

An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? a. Determine whether policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may invest. b. Determine the extent of management oversight over investments in sophisticated instruments. c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations. d. Determine the nature of monitoring activities related to the investment portfolio.

c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations.

ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry, and facilitates sharing among its members. From ABC's perspective, what type of stakeholder is this industry association? a. Directly involved in the operation of the company. b. Interested in the success of the company. c. Influences the company. d. Not a stakeholder.

c. Influences the company.

Reasonable assurance, as it pertains to internal control, means that: a. The objectives of internal control vary depending on the method of data processing used. b. A well-designed system of internal controls will prevent or detect all errors and fraud. c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. d. Management cannot override controls, and employees cannot circumvent controls through collusion.

c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved.

The software that manages the interconnectivity of the system hardware devices is the: a. Application software. b. Utility software. c. Operating system software. d. Database management system software.

c. Operating system software.

The risk assessment component of internal control involves the: a. Independent outside auditor's assessment of residual risk. b. Internal audit function's assessment of control deficiencies. c. Organization's identification and analysis of the risks that threaten the achievement of its objectives. d. Organization's monitoring of financial information for potential material misstatements.

c. Organization's identification and analysis of the risks that threaten the achievement of its objectives.

The internal audit function should not: a. Assess the organization's governance and risk management processes. b. Provide advice about how to improve the organization's governance and risk management processes. c. Oversee the organization's governance and risk management processes. d. Coordinate its governance and risk management-related activities with those of the independent outside auditor.

c. Oversee the organization's governance and risk management processes.

Requiring a user ID and password would be an example of what type of control? a. Detective. b. Corrective. c. Preventative. d. Reactive.

c. Preventative.

Which of the following is not an appropriate governance role for an organization's board of directors? a. Evaluating and approving strategic objectives. b. Influencing the organization's risk-taking philosophy. c. Providing assurance directly to third parties that the organization's governance processes are effective. d. Establishing broad boundaries of conduct, outside of which the organization should not operate.

c. Providing assurance directly to third parties that the organization's governance processes are effective.

The control that would most likely ensure that payroll checks are written only for authorized amounts is to: a. Conduct periodic floor verification of employees on the payroll. b. Require the return of undelivered checks to the cashier. c. Require supervisory approval of employee time cards. d. Periodically witness the distribution of payroll checks.

c. Require supervisory approval of employee time cards.

Which of the following represents the best governance structure? (Columns: Operating Management / Executive Management / Internal Auditing.) a. Responsibility for risk / Oversight role / Advisory role. b. Oversight role / Responsibility for risk / Advisory role. c. Responsibility for risk / Advisory role / Oversight role. d. Oversight role / Advisory role / Responsibility for risk.

c. Responsibility for risk / Advisory role / Oversight role.

What is residual risk? a. Impact of risk. b. Risk that is under control. c. Risk that is not managed. d. Underlying risk in the environment.

c. Risk that is not managed.

Who has primary responsibility for the monitoring component of internal control? a. The organization's independent outside auditor. b. The organization's internal audit function. c. The organization's management. d. The organization's board of directors.

c. The organization's management.

Which of the following best describes continuous auditing? a. Development of computer-assisted audit techniques (CAATs). b. Oversight of continuous monitoring. c. The use of continuous risk assessment, continuous controls assessment, and assessment of continuous monitoring. d. The ability of internal auditors to continually perform auditing steps.

c. The use of continuous risk assessment, continuous controls assessment, and assessment of continuous monitoring.

Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. b. To ensure that weaknesses in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically. d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.

c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically.

If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error was most likely detected by a: a. Completeness check. b. Limit check. c. Validity check. d. Reasonableness check.

c. Validity check.

Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor. b. Audit committee. c. Internal audit supervisor. d. CAE.

d. CAE.

Which of the following is not normally such a responsibility? a. Aligning investments in IT with business strategies. b. Overseeing changes to IT systems. c. Monitoring IT security procedures. d. Designing IT application-based controls.

d. Designing IT application-based controls.

When discussing integration of IT into audit engagements, which of the following is the most desirable integration of IT into specific engagements? a. Developing and integrating testing of IT controls into process-level audits. b. Developing and performing computer audit software steps into process-level audits. c. Auditing controls around the computer to make sure the computer controls are working effectively. d. Developing and performing computer audit software steps into the process-level audits along with testing of IT controls.

d. Developing and performing computer audit software steps into the process-level audits along with testing of IT controls.

Which is NOT a benefit of user-developed applications (UDAs)? a. Quick to develop and use. b. Readily available and at a low cost. c. More configurable and flexible. d. Easy to control access to.

d. Easy to control access to.

Which of the following statements regarding corporate governance is not correct? a. Corporate control mechanisms include internal and external mechanisms. b. The compensation scheme for management is part of the corporate control mechanisms. c. The dilution of shareholders' wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue. d. The internal audit function of a company has more responsibility than the board for the company's corporate governance.

d. The internal audit function of a company has more responsibility than the board for the company's corporate governance.

