Exam 1 ACC 590
Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make? "I select procedures that will provide both sufficient and appropriate evidence regarding the audit objectives." "I consider the level of risk involved when deciding the type of evidence I will gather." "I corroborate information obtained from management whenever possible." "I am always absolutely certain about the conclusions I reach based on the evidence I examined."
"I am always absolutely certain about the conclusions I reach based on the evidence I examined."
In the case of an efficient system of internal control, in which quadrant would you expect to find the lowest investment in controls: 1, 2, 3, or 4? [2x2 grid: vertical axis Process Significance, High at the top; horizontal axis Inherent Risk, Low to High; quadrants 1 and 2 in the top row, 3 and 4 in the bottom row.]
3
In 2019, what percent of the S&P 500 companies voluntarily published some form of ESG report? 50% 5% 90% 30%
90%
In which of the following situations does the internal auditor potentially lack objectivity? An auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits. An auditor reviews the procedures for a new electronic data interchange (EDI) connection to a major customer before it is implemented. A former purchasing assistant performs a review of internal controls over purchasing seven months after being transferred to the internal auditing department. A payroll accounting employee assists an auditor in verifying the physical inventory of small motors.
A former purchasing assistant performs a review of internal controls over purchasing seven months after being transferred to the internal auditing department.
The Auditing Alliance is: A regulatory agency to oversee EHS audits. One of the standard setting organizations for ESG reporting. A membership organization dedicated to the development, practice and promotion of environmental, health and safety (EHS) auditing. A regional auditing firm in the southern U.S.
A membership organization dedicated to the development, practice and promotion of environmental, health and safety (EHS) auditing
Which of the following best describes a preliminary survey? A standardized questionnaire used to obtain an understanding of management objectives. A walk-through of the financial control system to identify risks and the controls that can address those risks. A process used to become familiar with activities and risks to identify areas for engagement emphasis. A statistical sample to review key employee attitudes, skills, and knowledge.
A process used to become familiar with activities and risks to identify areas for engagement emphasis.
Which of the following would be considered a second line of defense in the Three Lines of Defense model? An accounting supervisor conducting a monthly review to ensure all reconciliations were completed properly. A production line supervisor inspecting a sample of finished goods to ensure quality standards are met. A bank's internal audit team conducting an engagement to provide assurance on the compliance of the company's anti-money laundering program. A staff member of the corporate compliance and ethics office conducting a review of employee certifications that they have reviewed the organization's code of ethics.
A staff member of the corporate compliance and ethics office conducting a review of employee certifications that they have reviewed the organization's code of ethics.
Internal auditors use statistical sampling rather than nonstatistical sampling to: Reduce the problems associated with the auditor's judgment concerning the competency of the evidence gathered when nonstatistical sampling is used. Obtain a sample more representative of the population than would be obtained using nonstatistical sampling techniques. Use a smaller sample size. Allow the auditor to quantify, and therefore control, the risk of making an incorrect decision based on sample evidence.
Allow the auditor to quantify, and therefore control, the risk of making an incorrect decision based on sample evidence.
Which of the following would be considered an assurance service? An engagement to review compliance with the EU's new privacy regulations. Reviewing and commenting on a draft of a new work-at-home policy HR is developing. Conducting a training workshop on internal control for new managers. The CAE serves on a committee to select a new external audit firm.
An engagement to review compliance with the EU's new privacy regulations.
Which of the following is true regarding Moody's view in its report Best Practices in Audit Committee Oversight of Internal Audit? Audit committees should meet at least quarterly in a private session with the CAE. If the organization has an enterprise risk management system in place the internal audit function does not need to do its own risk assessment. The internal audit function should not use a rotational staffing model. The audit function should grade (rank) audit reports.
Audit committees should meet at least quarterly in a private session with the CAE. (ok answer) The audit function should grade (rank) audit reports.
Which of the following statements is true regarding "big data"? Big data does not need to be verified for accuracy. Big data requires a cloud-based data environment. Big data includes both structured and unstructured data. Big data refers to data from sources external to the organization.
Big data includes both structured and unstructured data.
Who is ultimately responsible for the effectiveness and success of ERM in an organization? Chief Risk Officer Every employee throughout the organization. CEO The Board
CEO
Which of the following is the globally accepted certification for demonstrating internal audit competence? CPA CFE CISA CIA
CIA
The first step in the process of applying data analytics to internal audit is: Cleaning the data Defining the question you want to answer. Analyzing the data. Obtaining the data.
Defining the question you want to answer.
Which of the following is true regarding entity-level controls? Entity-level controls can be classified as either governance controls or management-oversight controls. In terms of the 5 elements in the COSO model, entity-level controls occur only as part of the control environment. Process-level controls can mitigate weaknesses in entity-level controls. Entity-level controls are preventive rather than detective.
Entity-level controls can be classified as either governance controls or management-oversight controls
ESG stands for
Environmental Social Governance
According to the IIA Standards, what is the role of internal audit as it relates to risk management? Communicate relevant risk information to appropriate people in the organization. Determine the risk appetite of the organization. Evaluate the effectiveness of the risk management process. Identify and manage significant risk within the organization.
Evaluate the effectiveness of the risk management process.
In addition to the International Standards for the Professional Practice of Internal Auditing, some internal audit departments follow other standards in conducting their work, either because of regulatory requirements or by choice. When these other standards are inconsistent with the IIA Standards, what should the audit department do? Follow the other standards Follow the standard that is most restrictive. Follow the standard that is least restrictive. Follow IIA Standards.
Follow the standard that is most restrictive.
The first step in an internal audit is for the auditor to: Evaluate the function's financial statements. Evaluate the function's internal control system. Identify the engagement's objective. Determine relevant facts and conditions of the process or area under audit.
Identify the engagement's objective.
Which of the following is true? (Multiple answers possible.) If internal auditors choose to select a sample, they are responsible for applying methods to assure that the sample selected represents the whole population and/or time period to which the results will be generalized. Analytical procedures are used to compare information against expectations, based on an independent (i.e., unbiased) source. Internal auditors should identify the root cause rather than assigning it to management. When conducting a root cause analysis, internal auditors must exercise due professional care by considering effort in relation to the potential benefits.
If internal auditors choose to select a sample, they are responsible for applying methods to assure that the sample selected represents the whole population and/or time period to which the results will be generalized. Analytical procedures are used to compare information against expectations, based on an independent (i.e., unbiased) source. Internal auditors should identify the root cause rather than assigning it to management. When conducting a root cause analysis, internal auditors must exercise due professional care by considering effort in relation to the potential benefits.
Which of the following risks are associated with big data? (Multiple answers possible.) Immature data governance practices. Hardware failure. Insufficient data security. Poor data quality
Immature data governance practices. Insufficient data security. Poor data quality
Reasonable assurance for internal control means that: A well-designed system of internal controls will prevent or detect all errors and fraud. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. The objectives of internal control vary depending on the method of data processing used. Management cannot override controls.
Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved.
In which of the following would an auditor most likely use attribute sampling? Determining whether the year-end inventory balance is overstated. Choosing inventory items to test count. Selecting fixed asset additions for inspection. Inspecting employee travel reimbursement requests for manager's approval.
Inspecting employee travel reimbursement requests for manager's approval.
Which of the following statements regarding the distinctions between internal and external audit is true?
Internal auditors concentrate on the reliability of the accounting data input and subsequent systems processing; external auditors concentrate on the validity of the accounting data output and the underlying supporting evidence.
The COSO Internal Control Framework consists of five Internal Control Components and 17 Principles for achieving effective internal control. Which of the following is an internal control component? Process Level Controls. Monitoring Activities. Segregation of Duties. Commitment to Integrity and Ethical Value.
Monitoring Activities.
Which flowchart symbol indicates the start or end of a process? Oval with straight edges Diamond Curved bottom rectangle Small circle
Oval with straight edges
TeamMate Analytic has: Over 180 data analytic tools. 40 data analytic tools. 4 data analytic tools. 28 data analytic tools.
Over 180 data analytic tools.
In applying sampling, the group of items about which the auditor wants to estimate some characteristic is called the: Attribute of interest Sampling unit Population Sample
Population
Requiring that employees change their passwords every three months is an example of a: Compensating control. Monitoring control. Detective control. Preventive control.
Preventive control.
An engagement work program for a comprehensive assurance engagement to evaluate a purchasing function should include: A statement of the engagement objectives for the operation under review with agreement by the engagement client. Procedures to accomplish engagement objectives. A focus on risks affecting the financial statements as opposed to controls. Procedures arranged by relative priority based upon perceived risk.
Procedures to accomplish engagement objectives.
The purpose of the Code of Ethics is to
Promote an ethical culture in the internal auditing profession.
Which of the following is not an appropriate governance role for an organization's board of directors? Evaluate and approve strategic objectives. Provide assurance directly to third parties that the organization's governance processes are effective. Establishing boundaries of conduct, outside of which the organization should not operate. Setting the organization's risk-taking philosophy.
Provide assurance directly to third parties that the organization's governance processes are effective.
Which of the following are business processes? (Multiple answers possible.) Remittance of payroll taxes to the respective tax authorities. Safeguarding of assets. Strategic planning. Review and write-off of a delinquent loan.
Remittance of payroll taxes to the respective tax authorities. Strategic planning Review and write-off of a delinquent loan
The IIA's Code of Ethics is composed of 4 Principles and 12:
Rules
Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process? Senior management. The board of directors. Risk owners. The internal audit function.
Senior management.
ABC Company's new CFO has asked the company's CAE to meet with her to discuss the role of the internal audit function. That CAE should inform the CFO that the overall responsibility of internal audit is to:
Serve as an independent assurance and consulting activity designed to add value and improve the company's operations.
Which of the following is/are a role of the internal audit function in best practice governance activities? (Multiple answer question.) Support the board in enterprise wide risk assessment. Monitor compliance with the corporate code of conduct. Discuss areas of significant risks. Ensure the timely implementation of audit recommendations.
Support the board in enterprise wide risk assessment. Monitor compliance with the corporate code of conduct. Discuss areas of significant risks.
If an internal auditor's evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to: Conclude that control risk is high. Conclude that residual risk is low. Prepare a flowchart depicting the system of internal controls. Test the operating effectiveness of the control.
Test the operating effectiveness of the control.
The internal audit function's quality assurance and improvement program is the responsibility of: The external auditors The CAE The CEO The audit committee
The CAE
To determine to whom the CAE needs to send the final results of an audit engagement, one would consult: The Performance Standards: Consulting Services Implementation Standards. The Attribute Standards: Consulting Services Implementation Standards. The Attribute Standards: Assurance Services Implementation Standards. The Performance Standards: Assurance Services Implementation Standards.
The Performance Standards: Assurance Services Implementation Standards.
Which of the following components of the IPPF are mandatory? (Multiple answers possible) Practice Guides Implementation Guides The Standards Core Principles The Code of Ethics
The Standards Core Principles The Code of Ethics
Which of the following is true regarding internal audit's participation in standing and special committees of the organization (for example, the IT governance committee or the strategic planning committee)? The audit committee should guide the extent of internal audit's participation. Internal audit should not participate in such committees. Internal audit should be a voting member of such committees. Internal audit's role on committees should be clearly delineated in the internal audit charter.
The audit committee should guide the extent of internal audit's participation Internal audit's role on committees should be clearly delineated in the internal audit charter.
The COSO, Enterprise Risk Management: Aligning Risk with Strategy and Performance, defines enterprise risk management as: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. The culture, capabilities, and practices, integrated with strategy and execution that organizations rely on to manage risk in creating, preserving, and realizing value. A coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives. The process conducted by management to understand and deal with uncertainties that could affect the organization's ability to achieve its objectives.
The culture, capabilities, and practices, integrated with strategy and execution that organizations rely on to manage risk in creating, preserving, and realizing value.
COSO defines risk as: The likelihood that controls will not prevent or detect an error on a timely basis. The possibility that an event will occur and adversely affect the achievement of an objective. The probability that there is a material error in the financial statements after the audit. The amount of uncertainty inherent in a process prior to installation of controls.
The possibility that an event will occur and adversely affect the achievement of an objective.
Which of the following statements is true regarding the "three lines model"? Only the third line can provide assurance regarding the organization's management of risks. Internal controls are typically second line responsibilities. The first and second line roles may be blended or separate. Risk ownership is primarily a second line function.
The first and second line roles may be blended or separate.
Which of the following does Moody's advocate as a "best practice" for internal auditing in its report Best Practices in Audit Committee Oversight of Internal Audit? The internal audit function should not rank/grade audit reports because this can alienate the audit team from the rest of the organization and undermine collegiality. The internal audit function should rely on the organization's ERM system to determine its risk-based audit plan. Outsource internal audit activity to 3rd party service providers to increase audit objectivity. The internal audit function should be based on a holistic view as to the nature and significant risks facing the organization.
The internal audit function should be based on a holistic view as to the nature and significant risks facing the organization.
Which of the following is true regarding "big data"? CDEs refers to control of data environments. The most common dimensions of big data management are volume, variety, and velocity. Big data refers to data generated within the organization. Organizations must use cloud computing to take advantage of big data.
The most common dimensions of big data management are volume, variety, and velocity.
Residual risk is best defined as: The amount of risk an organization is willing to accept in pursuit of its business objectives. The risk that remains after management executes its risk responses. The risk that material error exists in the financial statements after the audit. The internal and external risks that exist assuming there are no internal controls in place.
The risk that remains after management executes its risk responses.
What is a business process? How management plans to achieve the organization's objectives. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service which brings about beneficial change or added value. The set of connected activities linked with each other for the purpose of achieving an objective or goal. A group of interacting, interrelated, or interdependent elements forming a complex whole.
The set of connected activities linked with each other for the purpose of achieving an objective or goal.
Which of the following is true of audit workpapers? (Multiple answers possible.) The supervisory review of workpapers is typically used to develop internal audit staff. Workpapers contain sufficient and relevant information that would enable another internal auditor to reach the same conclusions as those reached by the internal auditors who conducted the engagement. The identity of the preparer(s) of the workpaper is a necessary part. The content, organization, and format of workpapers should be consistent across all internal audit functions.
The supervisory review of workpapers is typically used to develop internal audit staff. Workpapers contain sufficient and relevant information that would enable another internal auditor to reach the same conclusions as those reached by the internal auditors who conducted the engagement. The identity of the preparer(s) of the workpaper is a necessary part.
Audit evidence is generally considered sufficient when: It is from a creditable source. It pertains to the audit objective. There is enough to support well-founded conclusions. It has been obtained from a random sample.
There is enough to support well-founded conclusions.
Which of the following is true regarding work papers? (Multiple answers possible.) Tick-marks are notations used in workpapers to denote that an audit procedure has been performed. The work program should be developed and documented in such a way that it ensures all members of the engagement team understand what they need to do and which tasks remain to be performed. Workpapers should clearly state the purpose, source of information, and conclusion. The planning phase of the engagement does not require workpaper documentation as no testing is involved.
Tick-marks are notations used in workpapers to denote that an audit procedure has been performed. The work program should be developed and documented in such a way that it ensures all members of the engagement team understand what they need to do and which tasks remain to be performed. Workpapers should clearly state the purpose, source of information, and conclusion.
Which of the following is an appropriate statement of an audit engagement objective? To recommend to management that safety stock levels be lowered. To determine whether inventory stocks are sufficient to meet projected sales. To include information about stock outs in the engagement's final communication. To search for the existence of obsolete inventory by computing inventory turnover by product line.
To determine whether inventory stocks are sufficient to meet projected sales.
Which of the following is a requirement of The International Standards for the Professional Practice of Internal Auditing? To issue annually an overall opinion on the adequacy of internal controls in the organization. To establish objectives for each engagement. To evaluate annually the effectiveness of the audit committee. To obtain an annual representation from management acknowledging management's responsibility for the design and implementation of internal controls to prevent illegal acts.
To establish objectives for each engagement.
Which of the following best describes the most important objective of an internal audit charter? To establish the purpose, authority, and responsibility of the internal auditing department. To provide new members of the audit staff with a clear indication of their job duties. To establish the audit committee's role in overseeing the internal audit department. To help establish criteria by which the work of each audit team may be evaluated.
To establish the purpose, authority, and responsibility of the internal auditing department.
Which of the following is not an appropriate statement of an audit objective for an assurance engagement of accounts payable? To determine whether operating expenses are appropriate and authorized. To recommend that the accounts payable processing be outsourced. To assess whether the expense report submission, approval and payment process controls are effective and efficient. To evaluate whether assurance that expense payments are made accurately and timely.
To recommend that the accounts payable processing be outsourced.
Which of the following is not an appropriate statement of an audit objective for an assurance engagement of accounts payable? To determine whether operating expenses are appropriate and authorized. To assess whether the expense report submission, approval and payment process controls are effective and efficient. To evaluate whether assurance that expense payments are made accurately and timely. To recommend that the accounts payable processing be outsourced.
To recommend that the accounts payable processing be outsourced.
In Mr. Cahill's response to student questions he stated he believed that after Covid-19, remote audits: Will definitely be here to stay but not replace traditional audits completely. Will go away after Covid-19 as they are not nearly as effective. Will replace the traditional in-person audit. Will require the Standards be changed if they are to continue.
Will definitely be here to stay but not replace traditional audits completely.