Exam 1

Under The IIA's Code of Ethics, an entity that provides internal auditing services is specifically required to A.Comply with organizational policy. B.Participate in a formal continuing education program. C.Maintain certain predetermined staffing requirements for engagements. D.Comply with the International Standards for the Professional Practice of Internal Auditing.

D The IIA's Code of Ethics applies not only to individuals but also to entities that provide internal auditing services.

Which of the following is permissible under The IIA's Code of Ethics? A.Accepting an unexpected gift from an employee whom the internal auditor has praised in a recent engagement communication. B.Using engagement-related information in a decision to buy an ownership interest in the employer organization. C.Not reporting significant observations and recommendations about illegal activity to the board because management has indicated it will address the issue. D.Disclosing confidential, engagement-related information that is potentially damaging to the organization in response to a court order.

D The principle of confidentiality permits the disclosure of confidential information if there is a legal or professional obligation to do so.

An internal auditor assigned to audit a vendor's compliance with product quality standards is the brother of the vendor's controller. The auditor should

Internal auditors are to report to the chief audit executive (CAE) any situations in which an actual or potential impairment to independence or objectivity may reasonably be inferred, or if they have questions about whether a situation constitutes an impairment to objectivity or independence.

The internal audit activity's scope of responsibilities includes A.Evaluating risk. B.Managing risk. C.Controlling risk. D.Eliminating risk

A Managing, controlling, and eliminating risk are responsibilities of management.

T/F Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility.

True

Which of the following is the common name for Internal Control: Guidance for Directors on the Combined Code? A.CoCo. B.The Turnbull Report. C.COBIT. D.COSO.

Turnbull Report

T/F When selecting appropriate audit staff, the CAE must consider factors such as (1) the complexity of the engagement and (2) the experience level of the auditors.

true

Which of the following activities are included in ERM? 1. Determining risk appetite 2. Identifying potential risks 3. Communicating information on risks consistently and at all levels 4. Providing assurance on the effectiveness of risk management

All

Which of the following items is an example of an inherent limitation in an internal control system? A.Understaffed internal audit functions. B.Ineffective board of directors. C.Segregation of employee duties. D.Human error in decision making.

Answer D is correct. Because of its inherent limitations, internal control can be designed and operated to provide only reasonable assurance that the entity's objectives are met. Thus, (1) human judgment is faulty, (2) controls may fail because of human error, (3) manual or automated controls can be circumvented by collusion, and (4) management may inappropriately override internal control.

Objectivity is an ethical requirement for all persons engaged in the professional practice of internal auditing. One aspect of objectivity requires -Maintenance of an appropriate level of professional expertise. -Refraining from using confidential information for unethical or illegal advantage. -Performance of professional duties in accordance with relevant laws. -Avoidance of conflict of interest.

Avoidance of conflict of interest Commitment to independence from conflicts of economic or professional interest is an aspect of objectivity.

Which of the following actions by an internal auditor would violate The IIA's Code of Ethics? A.Disposal of a small ownership interest in the organization prior to learning of a business downturn. B.Acceptance of airline tickets from an engagement client. C.Disclosure, in an engagement communication, of all material facts relevant to the area reviewed. D.Attendance at an educational program offered by an engagement client to all employees.

B "Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment."

The Standards consist of three types of Standards. Which Standards apply to the characteristics of providers of internal auditing services? A.Independence Standards. B.Attribute Standards. C.Performance Standards. D.Implementation Standards.

B Attribute Standards describe the characteristics of organizations and parties providing internal auditing services.

Which of the following are considered control environment factors? Detection Risk/Human Resources Policies & Practices A.Yes/Yes B.Yes/No C.No/No D.No/Yes

D

Which of the following is an operating control for a research and development department? A.All research and development costs are charged to expense in accordance with the applicable accounting principles. B.Research and development personnel are hired by the payroll department. C.The research and development budget is properly allocated between new products, product maintenance, and cost reduction programs. D.Research and development expenditures are reviewed by an independent person.

Answer C is correct. Operating controls are those applicable to production and support activities. Because they may lack established criteria or standards, they should be based on management principles and methods. The appropriate allocation of R&D costs to new products, product maintenance, and cost reduction programs is an example. This is in contrast to the expensing of R&D costs, which is required by the rules of external financial reporting.

The requirement that purchases be made from suppliers on an approved vendor list is an example of a A.Corrective control. B.Monitoring control. C.Preventive control. D.Detective control.

Answer C is correct. Preventive controls are actions taken prior to the occurrence of transactions with the intent of stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of unacceptable suppliers.

Senior management has identified the trading of marketable securities as a high-risk activity. In response, a new supervisory position was created. Every evening after the close of business, this supervisor reviews every trade made during the day. After 6 months of trading marketable securities under this system, the quantified risk reported by the internal audit activity is termed A.True risk. B.Managed risk. C.Residual risk. D.Responded risk.

Answer C is correct. Residual risk is the risk remaining after management takes action to alter its severity.

One accountant is responsible for collecting cash receipts from the cashier, recording cash in the accounting system, and depositing cash in the organization's bank account. At which level is control lacking? A.Entity-level management oversight controls. B.Process-level controls. C.Transaction-level controls. D.Entity-level governance controls.

Answer C is correct. Transaction-level controls are designed to achieve transaction objectives and to address risks specific to transactions. Examples include application controls, exception reports, and segregation of duties. Because the same employee is responsible for cash custody and recordkeeping, segregation of duties does not exist.

Which one of the following input controls or edit checks would catch certain types of errors within the payment amount field of a transaction? A.Echo check. B.Check digit. C.Record count. D.Limit check.

Answer D is correct. A limit, reasonableness, or range test determines whether an amount is within a predetermined limit for given information. It can only detect certain errors (i.e., those that exceed the acceptable limit).

According to the COSO ERM framework, which of the following is an essential element of the governance and culture component? A.Information systems. B.Risk responses. C.Reports on risk and culture. D.Human capital

Answer D is correct. A principle within the governance and culture component is that the organization attract, develop, and retain capable individuals.

Which of the following factors affects the control risk of an organization? A.Unusual pressures on management. B.Complex accounts that require expert valuations. C.Potential problems like technological obsolescence. D.Segregation of duties.

Answer D is correct. Control risk is the risk that controls fail to effectively manage controllable risks. A common control is segregation of duties. For example, it separates the responsibilities for authorization of transactions, recording of transactions, and custody of assets. Thus, segregation of duties affects the control risk of an organization.

An auditor is planning an audit of a company's recently implemented electronic data interchange (EDI) system for purchasing and billing. Which of the following controls over the accuracy of raw-material purchases would be least important in this environment? A.Computer system controls. B.Controls contained within the EDI vendor software. C.Adequate audit trails. D.Management review of individual transactions.

Answer D is correct. Management review of individual transactions (a manual control) is less important in an EDI system than automated controls applicable to all transactions.

Today's internal auditor will often encounter a wide range of potential ethical dilemmas, not all of which are explicitly addressed by The IIA's Code of Ethics. If the internal auditor encounters such a dilemma, the internal auditor should always

Apply and uphold the principles embodied in The IIA's Code of Ethics.

Which of the following would be a preventive control? A.Comparing a bank deposit slip with the total cash received as noted on a prelisting sheet prepared in the mail room. B.Reviewing the sequence of prenumbered documents. C.Scanning the general ledger for accounts with unusually high or low balances. D.Approving customer credit prior to shipping merchandise.

Approving customer credit prior to shipping prevents merchandise from being shipped on credit to customers who are likely to default on making future payment.

An accounting association established a code of ethics for all members. What is one of the association's primary purposes of establishing the code of ethics? A.To provide a framework within which accounting policies could be effectively developed and executed. B.To outline criteria for professional behavior to maintain standards of integrity and objectivity. C.To establish standards to follow for effective accounting practice. D.To outline criteria that can be used in conducting interviews of potential new accountants.

B The primary purpose of a code of ethical behavior for a professional organization is to promote an ethical culture among professionals who serve others.

The proper organizational role of internal auditing is to A.Assist the external auditor to reduce external audit fees. B.Serve as the investigative arm of the board. C.Perform studies to assist in the attainment of more efficient operations. D.Serve as an independent, objective assurance and consulting activity that adds value to operations.

D "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations."

The procedure requiring preparation of a prelisting of incoming cash receipts, with copies of the prelist going to the cashier and to accounting, is an example of which type of control? A.Corrective. B.Directive. C.Detective. D.Preventive.

D A prelisting of cash receipts in the form of checks is a preventive control. One copy of a prelisting will go to accounting for posting to the cash receipts journal, and another is sent to the cashier for reconciliation with checks and currency received. It is intended to deter undesirable events from occurring.

The PCAOB's AS 2201 states that internal controls may be preventive or detective. Which of the following controls is preventive? A.Preparing bank reconciliations. B.Reconciling the accounts receivable subsidiary file with the control account. C.Using batch totals. D.Requiring two persons to open mail.

D Assigning two individuals to open mail is an attempt to prevent misstatement of cash receipts.

An internal auditor who had been supervisor of the accounts payable section should not perform an assurance review of that section A.Because a reasonable period of time in which to establish independence cannot be determined. B.Until after the next annual review by the external auditors. C.Until it is clear that the new supervisor has assumed the responsibilities. D.Until at least 1 year has elapsed.

D Persons transferred to, or temporarily engaged by, the internal audit activity should not be assigned to audit activities they previously performed until at least 1 year has elapsed. Such assignments are presumed to impair objectivity.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that 1. Organizational objectives support and align with the organization's mission 2. Significant risks are identified and assessed 3. Appropriate risk responses are selected that align risks with the organization's risk appetite 4. Relevant risk information is captured and communicated in a timely manner across the organization

all

T/F Structured interviews determine how candidates handled past situations

false Behavioral interviews determine how candidates handled past situations. Past performance is generally indicative of future performance.

T/F The skills required of an internal auditor are always apparent in a resume.

false Internal auditors need a diverse set of skills to perform their jobs effectively. These skills are not always apparent in a standard resume.

T/F The vice president of a corporation is eligible to be a member of the audit committee.

false No member of the board may be an employee of the organization except in his or her capacity as a board member.

T/F Overseeing and reviewing the work of the external auditors is the responsibility of senior management.

false Overseeing and reviewing the work of the external auditors is the responsibility of the audit committee.

T/F The organization does not have the responsibility for maintaining an effective internal audit activity when an external service provider serves as the internal audit activity

false Perf. Std. 2070 states that an external service provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.

T/F Risk management is a process to identify, assess, manage, and control potential events or situations to provide absolute assurance regarding the achievement of the organization's objectives.

false Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

T/F The chief executive officer must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

false The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

T/F To attain the internal audit activity's necessary degree of independence, each auditor must have direct and unrestricted access to senior management and the board.

false To attain the internal audit activity's necessary degree of independence, the CAE must have direct and unrestricted access to senior management and the board.

T/F The internal audit activity is responsible for activities such as budgeting and internal communication and information flows.

false Management oversees the day-to-day operations of the internal audit activity

T/F The CEO is responsible for management of internal audit resources in a manner that ensures fulfillment of internal audit responsibilities

false The CAE is responsible for management of internal audit resources in a manner that ensures fulfillment of internal audit responsibilities.

T/F An organization's governing body may decide that an external service provider is the most effective means of obtaining internal audit services.

true

T/F Audit resources are considered to be effectively deployed when they are used in a way that optimizes the achievement of the approved plan of the chief audit executive.

true

T/F Compliance is defined as adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

true

T/F For internal auditors to be effective, they must build and maintain strong, constructive relationships with managers and other stakeholders within the organization

true

T/F Participative auditing is a collaboration between the internal auditors and management during the process.

true

T/F The CAE is responsible for creating the operating and financial budget for the internal audit activity.

true

T/F The audit committee is responsible for setting the CAE's compensation and negotiating the external auditor's fee.

true

T/F The effects of temporary vacancies and comparison of resources with the audit plan should be discussed with the board periodically.

true

T/F The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.

true

T/F The internal audit activity is guided by the policies and procedures established by the chief audit executive. Their form and content should be appropriate to the size of the internal audit activity.

true

T/F The internal audit activity reports to senior management and the board on the effectiveness of corporate risk management processes, internal control, and risk management frameworks.

true

T/F The most important function of the audit committee is to promote the independence of the internal and external auditors by protecting them from management's influence.

true

Freedom from conditions that threaten internal auditors' ability to do unbiased work is A.Independence. B.Compliance. C.Avoidance of conflicts of interest. D.Control.

Independence

According to The IIA's International Professional Practices Framework, which of the following constitute mandatory guidance for implementing the Standards? -Development aids. -Practice aids. -Implementation guides. -Performance standards.

Performance standards The mandatory guidance portion of the IPPF consists of the Core Principles, Definition of Internal Auditing, the Code of Ethics, Attribute Standards, Performance Standards, and Implementation Standards.

The chief audit executive (CAE) has been appointed to a committee to evaluate the appointment of the external auditors. The engagement partner for the external accounting firm wants the CAE to join her for a week of hunting at her private lodge. The CAE should

Refuse on the grounds of conflict of interest.

The internal auditor who works in enterprise risk management (ERM) may perform each of the following activities except A. Auditing ERM. B.Setting the risk appetite of the organization. C.Identifying improvement opportunities. D.Evaluating the design of the overall entity.

Setting the risk appetite of the organization.

IIA's Code of Ethics core principle of integrity

"Internal auditors (1.1) shall perform their work with honesty, diligence, and responsibility, and (1.4) shall respect and contribute to the legitimate and ethical objectives of the organization."

Controls may be classified according to the function they are intended to perform, for example, as detective, preventive, or directive. Which of the following is a directive control? A.Requiring all members of the internal audit activity to be CIAs. B.Recording every transaction on the day it occurs. C.Monthly bank statement reconciliations. D.Dual signatures on all disbursements over a specific amount

A

Which of the following represents the best statement of responsibilities for risk management? Internal Auditing/Management/Board A.Responsibility for risk/Advisory role/Oversight role B.Responsibility for risk/Oversight role/Advisory role C.Oversight role/Advisory role/Responsibility for risk D.Oversight role/Responsibility for risk/Advisory role

A

An internal auditor often faces special problems when performing an engagement at a foreign subsidiary. Which of the following statements is false with respect to the conduct of international engagements? A.The IIA Standards do not apply outside of the United States. B.It is preferable to have multilingual internal auditors conduct engagements at branches in foreign nations. C.There may be justification for having different organizational policies in force in foreign branches. D.The internal auditor should determine whether managers are in compliance with local laws.

A Pronouncements by The IIA have no geographic limits. Compliance with the concepts in the Standards is essential for the responsibilities of internal auditors to be met, regardless of the national environment.

A major reason for establishing an internal audit activity is to A.Evaluate and improve the effectiveness of control processes. B.Safeguard resources entrusted to the organization. C.Relieve overburdened management of the responsibility for establishing effective controls. D.Ensure the reliability and integrity of financial and operational information

A The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes (Definition of Internal Auditing).

A charter is being drafted for a newly formed internal audit activity. Which of the following best describes an appropriate organizational position to be incorporated into the charter?

The CAE, reporting functionally to the board and administratively to the organization's CEO, facilitates organizational independence. The CAE must communicate and interact directly with the board (Attr. Std. 1111).

One objective of IT general controls is to A.Ensure that processing results are complete, accurate, and properly distributed. B.Ensure the integrity of program and data files and of computer operations. C.Design controls based on the management functions of planning, organizing, directing, and controlling. D.Give primary consideration to authorization, validation, and error notification.

The most common IT general controls are (1) logical access controls over infrastructure, applications, and data; (2) system development life cycle controls; (3) program change management controls; (4) physical security controls over the data center; and (5) system and data backup and recovery controls.

Risk management

a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

Which of the following is an example of a detective control? A.The manager is given a check log reconciliation at the close of each business day. B.The staff accountant was warned about printing a check prior to receiving authorization. C.Checks are pre-numbered and kept in a locked cabinet. D.The accounting department has a procedure for voiding and issuing replacement checks.

Answer A is correct. Providing the manager with a check log reconciliation at the close of each business day is a detective control. Examples of detective controls include physical counts, reconciliations, reviews and comparisons, exception reports, and security cameras.

Which of the following is not a component of the CoCo model? A.Risk assessment. B.Capability. C.Monitoring and learning. D.Commitment.

Answer A is correct. The four components are commitment, capability, monitoring and learning, and purpose.

Which of the following components are supporting aspects of the COSO ERM framework? A.Governance and culture; information, communication, and reporting. B.Governance and culture; review and revision. C.Performance; review and revision. D.Strategy and objective-setting; performance.

Answer A is correct. The supporting aspect components of the COSO ERM framework are (1) governance and culture and (2) information, communication, and reporting.

An organization requires mutual respect among all employees. Making false, defamatory, or malicious statements about another employee is strictly prohibited. This policy is an example of controls at which level? A.Transaction-level controls. B.Entity-level governance controls. C.Process-level controls. D.Entity-level management oversight controls.

Answer B is correct. Entity-level governance controls are established by the board of directors at the highest level (governance level).

An organization's directors, management, external auditors, and internal auditors all play important roles in creating a proper control environment. Senior management is primarily responsible for A.Ensuring that external and internal auditors adequately monitor the control environment. B.Establishing a proper organizational culture and specifying a system of internal control. C.Designing and operating a control system that provides reasonable assurance that established objectives and goals will be achieved. D.Implementing and monitoring controls designed by the board of directors.

Answer B is correct. Senior management is primarily responsible for establishing a proper organizational culture and specifying a system of internal control.

Which of the following input controls are based on the logic that processing efficiency is greatly increased when files are sorted on some designated field? A.Format checks. B.Sequence checks. C.Range checks. D.Validity checks.

Answer B is correct. Sequence checks are based on the logic that processing efficiency is greatly increased when files are sorted on some designated field. If the system discovers a record out of order, it may indicate that the files were not properly prepared for processing.

The company maintains a fund to pay for repairs to warehouse equipment. Which risk response strategy is the company using? A.Risk sharing. B.Risk retention. C.Risk avoidance. D.Risk reduction.

Answer B is correct. Risk retention accepts the risk of an activity and is synonymous with self-insurance. The company accepts the risk of equipment repairs by using a form of self-insurance (a company fund) to pay for repairs.

For an enterprise-wide risk management program to be most effective, it should be led by which of the following? A.The chief audit executive. B.A management committee. C.A centralized coordinator. D.Audit committee members.

Answer C is correct. An enterprise risk management (ERM) program is most effective when led by a centralized coordinator, such as a risk officer. This person facilitates ERM by working with other managers in establishing effective risk management in their areas of responsibility.

A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error? A.Check digit verification. B.Redundant data check. C.Hash total. D.Record count.

Answer A is correct. Check digit verification is used to identify incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During input, the check digit is recomputed by applying the same algorithm to the entered ID number.

According to the COSO ERM framework, which of the following is not a characteristic of business objectives? A.Dynamic. B.Observable. C.Measurable. D.Specific.

Answer A is correct. According to the COSO ERM framework, business objectives are (1) specific, (2) measurable, (3) observable, and (4) obtainable. Business contexts may be characterized as dynamic, complex, or unpredictable. A dynamic business context means new, emerging, and changing risks can appear at any time.

When ERM is effective regarding all of the objectives, the board and management have reasonable assurance that 1. Reporting is reliable 2. Compliance is achieved 3. The extent of achievement of strategic and operations objectives is known

All

An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? A.Determine if policies exist which describe the risks the chief financial officer may take and the types of instruments in which the chief financial officer may make investments. B.Determine the nature of controls established by the chief financial officer to monitor the risks in the investments. C.Determine whether the chief financial officer is getting higher or lower rates of return on investments than are chief financial officers in comparable organizations. D.Determine the extent of management oversight over investments in sophisticated instruments.

C

An employee steals money from his company's bank deposits, then makes up for the stolen cash with cash from the next day's deposits. If there is not enough cash the next day, the employee has to wait another day to make up for the deposit. And the cycle continues. This can go undetected for months. Which of the following controls could the organization implement as a preventive control to address this situation? A.Daily, the accounting staff at the organization's main office reconcile the amount deposited with the cash register tape from the day's sales. B.Weekly, a manager at the main office checks deposit validation dates received from the bank with the sales deposit records. C.Deposit slips and deposit bags have sequential numbers. The manager is required to write the deposit bag number on the deposit slip. The reason for any voided deposit slips or bags is to be documented. D.The accounting supervisor is notified when the checking account amount drops below a certain level.

C When numbered deposit slips and deposit bags are used, any missing or voided numbers need to be explained. Additionally, recording the deposit bag number on the deposit slip deters the employee from taking cash from or changing the deposit.

