IA Exam 2 CIA Questions
87. The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. Preventive control. b. Detective control. c. Corrective control. d. Monitoring control.
a. Preventive control.
44. What is the appropriate solution to resolve staff communication problems with engagement clients? a. Provide staff with sufficient training to enhance communication skills. b. Avoid unnecessary communication with engagement clients. c. Discuss communication problems with staff auditors. d. Meet with engagement clients to resolve communication problems.
a. Provide staff with sufficient training to enhance communication skills.
33. A standardized internal audit engagement program would not be appropriate for which of the following situations? a. A stable operating environment undergoing only minimal changes. b. A complex or changing operating environment. c. Multiple branches with similar operations. d. Subsequent inventory audit engagements performed at the same location.
b. A complex or changing operating environment.
29. In which of the following situations would an auditor potentially lack objectivity? a. An auditor reviews the procedures for a new electronic data interchange connection to a major customer before it is implemented. b. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit activity. c. An auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits. d. A payroll accounting employee assists an auditor in verifying the physical inventory of small motors.
b. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit activity.
11. Which of the following factors would be considered the least important in deciding whether existing internal audit resources should be moved from an ongoing compliance audit engagement to a division audit engagement requested by management? a. A financial audit of the division performed by the external auditor a year ago. b. The potential for fraud associated with the ongoing engagement. c. An increase in the level of expenditures experienced by the division for the past year. d. The potential for significant regulatory fines associated with the ongoing engagement
a. A financial audit of the division performed by the external auditor a year ago.
34. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of engagements. Which of the following best promotes independence? a. A policy that requires internal auditors to report to the CAE any situations in which a conflict of interest or bias on the part of the individual internal auditor is present or may reasonably be inferred. b. A policy that prevents the internal audit activity from recommending standards of control for systems that it evaluates. c. An organizational policy that allows engagements concerning sensitive operations to be outsourced. d. An organizational policy that prevents personnel transfers from operating activities to the internal audit activity
a. A policy that requires internal auditors to report to the CAE any situations in which a conflict of interest or bias on the part of the individual internal auditor is present or may reasonably be inferred.
10. A CAE would most likely use risk assessment for audit planning because it provides: a. A systematic process for assessing and integrating professional judgment about probable adverse conditions. b. A listing of potentially adverse effects on the organization. c. A list of auditable activities in the organization. d. The probability that an event or action may adversely affect the organization.
a. A systematic process for assessing and integrating professional judgment about probable adverse conditions.
21. Organizational independence exists if the CAE reports <List A> to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity <List B> without interference: List A List B a. Administratively controls the scope and performance of work and reporting of results. b. Administratively approves the internal audit budget and risk-based internal audit plan. c. Functionally controls the scope and performance of work and reporting of results. d. Functionally approves the internal audit budget and risk-based internal audit plan.
a. Administratively controls the scope and performance of work and reporting of results.
39. The auditor-in-charge for a financial audit of a global organization has assigned specific tasks to team members and reserved for himself the responsibility of maintaining contact with the managers of financial departments in eight countries. In reviewing the workpapers of one auditor, the auditor-in-charge notes that some of the work is incomplete. The auditor explains that she is unfamiliar with the accounting practices and software systems used in this country and this has slowed her work considerably. How could the auditor-in-charge have managed this situation in a more efficient, effective manner? a. Align auditor skills and knowledge with area needs before making assignments. b. Allow more time in the schedule for the auditor to become more familiar with local practice and technology. c. Work more closely with the audit client to secure more support for the assigned auditor. d. Build enough slack into the schedule to deal with the types of problems that are likely to occur in a global project.
a. Align auditor skills and knowledge with area needs before making assignments.
40. A CAE wants to build the strength of the function in the area of IT business continuity. The best way to accomplish this goal would be to: a. Ask management to include internal audit in debrief sessions after an IT loss of service. b. Provide consulting engagements on appropriate IT contingency plans. c. Conduct a business impact analysis (BIA) for a test function. d. Purchase software systems designed to assess IT risks.
a. Ask management to include internal audit in debrief sessions after an IT loss of service.
84. When conducting risk assessment in engagement planning and management has already created an assessment of risk as part of an enterprise risk management (ERM) framework, internal auditors should do which of the following related to this management assessment? a. Assess its reliability prior to adopting it. b. Adopt it without reservations to avoid duplication of effort. c. Avoid using it because adopting it would hinder independence and objectivity. d. Avoid using it because its objectives differ significantly from that of an audit risk assessment.
a. Assess its reliability prior to adopting it.
34. Audit engagement programs testing internal controls should: a. Be tailored for the audit of each operation. b. Be generalized to fit all situations without regard to departmental lines. c. Be generalized to be usable at various international locations of an organization. d. Reduce costly duplication of effort by ensuring that every aspect of an operation is examine
a. Be tailored for the audit of each operation.
26. Which of the following actions would be a violation of auditor independence a. Continuing on an audit assignment at a division for which the auditor will soon be responsible as the result of a promotion. b. Reducing the scope of an engagement due to budget restrictions. c. Participating on a taskforce that recommends standards of control for a new distribution system. d. Reviewing a purchasing agent's contract drafts before their execution
a. Continuing on an audit assignment at a division for which the auditor will soon be responsible as the result of a promotion.
65. An organization is changing to a quality assurance program that incorporates quality throughout the process. This is very different from its years of dependence on quality control at the end of the process. This type of change is a: a. Cultural change. b. Product change. c. Structural change. d. Organizational change.
a. Cultural change.
56. What is the first step in establishing an effective internal audit performance measurement process? a. Define internal audit effectiveness. b. Interview key internal and external stakeholders. c. Align the internal audit process with performance measurement processes used throughout the organization. d. Propose specific measures of effectiveness and efficiency.
a. Define internal audit effectiveness.
100. Several years ago a senior member in the accounting area developed a software application that automates a simple, yet time-saving task. Over time, the application has been adopted by other users in accounting, and these other users have encouraged the original author to maintain the application, adapting it as needed when new systems are introduced. Which of the following controls for this situation would be most effective and efficient? a. Ensure complete, accurate, and updated documentation of the application. b. Recommend that the application be replaced by a commercially developed product. c. Recommend policy changes that freeze further adoption and work on the software. d. Analyze the application to ensure that it is, in fact, the most efficient solution to the work problem.
a. Ensure complete, accurate, and updated documentation of the application.
19. If the risk-based plan does not allow for adequate review of compliance with all material regulations affecting the company, the internal audit activity should: a. Ensure that the board of directors and senior management are aware of the limitation. b. Include a memo with the audit-planning file listing the reasons for the lack of coverage. c. Document that regulations not included will be reviewed in the subsequent year. d. Decrease the scope of operational and financial audits to make additional audit time available.
a. Ensure that the board of directors and senior management are aware of the limitation.
88. An internal auditor's organization allows programmers to make minor fixes to software applications without performing regression testing to ensure that changes have corrected problems without introducing new ones due to shortages in staff required to perform these procedures. The auditor's review of records shows that some minor fixes in the past have introduced new errors, and some of these resulted in customer complaints. At which level is this control failure occurring? a. Entity-level management-oversight controls. b. Entity-level governance controls. c. Process-level controls. d. Transaction-level controls.
a. Entity-level management-oversight controls.
63. All of the following are true statements as related to organizational governance except for: a. Governance is a set of independent processes and structures within an organization. b. Governance frameworks, models, and requirements vary according to organization type and jurisdiction. c. Effective governance within an organization is impacted by factors such as its size, complexity, and stakeholder structure d. Governance structures are implemented by the board to inform, direct, manage, and monitor the activities of the organization toward achievement of its objectives.
a. Governance is a set of independent processes and structures within an organization.
125. One of the challenges of enterprise risk management (ERM) in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas. b. Employees in these structures are inherently less risk averse. c. Managers have less incentive to implement and monitor controls. d. Effective controls are more difficult to design and consistent application is more difficult to achieve across the organization
a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas.
82. Under the Three Lines of Defense model, the purpose of the risk management and compliance functions within an organization can include all of the follow except: a. Maintaining effective internal controls. b. Identifying known and emerging risks. c. Providing guidance and training on risk management processes. d. Providing risk management frameworks.
a. Maintaining effective internal controls.
86. Which of the following roles within the risk management framework might properly belong to the internal audit function, depending on the organization? a. Managing and coordinating the risk management process. b. Setting the organization's risk appetite. c. Directing the IT function to implement specific risk controls. d. Championing risk controls even though they may not be cost-effective.
a. Managing and coordinating the risk management process.
81. The Three Lines of Defense model provides an effective way to enhance communications on risk management and control by clarifying essential roles and duties. According to this model, which of the following would be considered the first line of defense? a. Operating management. b. Senior management. c. Risk management function. d. Internal audit activity.
a. Operating management.
36. In selecting an instructional strategy for developing internal audit staff, a CAE should begin by reviewing: a. Organizational objectives. b. Learning content. c. Learners' readiness. d. Budget constraints
a. Organizational objectives.
60. An auditor has been assigned to analyze the effectiveness of a set of rehabilitation programs. The programs have been in operation for 10 years and have not been evaluated. The organization providing the program data asserts that the data are incomplete. The auditor should: a. Perform the analysis anyway, assessing the effects of the incomplete data, but disclaim any assertion regarding data reliability. b. Trace a randomly chosen set of records to source files to assess the accuracy and completeness of the data provided. c. Not perform the analysis. d. Postpone the analysis until data are complete.
a. Perform the analysis anyway, assessing the effects of the incomplete data, but disclaim any assertion regarding data reliability.
10. In a well-developed management environment, the internal audit activity would: a. Report the results of an audit engagement to line management as well as to senior management. b. Conduct initial audits of new computer systems after they have begun operating. c. Interface primarily with senior management, minimizing interactions with line managers who are the subjects of internal audit work. d. Focus primarily on asset management and report results to the audit committee.
a. Report the results of an audit engagement to line management as well as to senior management.
20. Which of the following represents the best governance structure? [Operating management, executive management, internal auditing] a. Responsibility for risk, oversight role, advisory role b. Oversight role, responsibility for risk, advisory role c. Responsibility for risk, advisory role, oversight role d. Oversight role, advisory role, responsibility for risk
a. Responsibility for risk, oversight role, advisory role
94. Which of the following controls would prevent the ordering of quantities in excess of an organization's needs? a. Review of all purchase requisitions by a supervisor in the user department before submitting them to the purchasing department. b. Automatic reorder by the purchasing department when low inventory level is indicated by the system. c. A policy requiring review of the purchase orders before receiving a new shipment. d. A policy requiring agreement of the receiving report and packing slip before storage of new receipts.
a. Review of all purchase requisitions by a supervisor in the user department before submitting them to the purchasing department.
80. According to the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) enterprise risk management (ERM) model, the internal environment is the basis for all other components of ERM. All of the following are elements of an organization's internal environment except: a. Setting organizational objectives. b. Establishing risk appetite. c. Assigning authority and responsibility. d. Having predominantly independent directors on the board.
a. Setting organizational objectives.
64. In which of the following situations is the internal audit activity most likely to deliver added value to its organization? a. The board supports its verbal commitment to governance, risk management, and control with resources and direction. b. Historically, internal audit has refrained from forming relationships with other functional areas. c. The CAE has been with the organization less than one year but has significant knowledge of new, automated auditing techniques. d. Senior and line management are primarily interested in confirming the strength of existing controls.
a. The board supports its verbal commitment to governance, risk management, and control with resources and direction.
98. Appropriate internal control for a multinational corporation's branch office that has a monetary transfer unit requires that: a. The individual who initiates wire transfers not reconcile the bank statement. b. The branch manager receives all wire transfers. c. Foreign currency rates are computed separately by two different employees. d. Corporate management approves the hiring of monetary transfer unit employees
a. The individual who initiates wire transfers not reconcile the bank statement.
59. Internal auditors may report that their activities are conducted in accordance with the Standards only if: a. They demonstrate compliance with the Standards. b. An independent external assessment of the internal audit activity is conducted annually. c. Senior management or the board is accountable for implementing a quality program. d. External assessments of the internal audit activity are made by the external auditors
a. They demonstrate compliance with the Standards.
3. Which of the following is the best reason for the CAE to consider the strategic plan in developing a risk-based plan? a. To ensure that the internal audit plan supports the overall business objectives. b. To ensure that the internal audit plan will be approved by senior management. c. To make recommendations to improve the strategic plan. d. To emphasize the importance of the internal audit activity.
a. To ensure that the internal audit plan supports the overall business objectives.
24. A scope limitation is a restriction placed upon the internal audit activity that precludes it from accomplishing its objectives and plans. When faced with a proposed scope limitation, the CAE should: a. Refuse to perform the engagement until the scope limitation is removed. b. Communicate the limitation and its potential effect, preferably in writing to the board. c. Increase the frequency of engagements concerning the activity in question. d. Assign more experienced personnel to the engagement.
b. Communicate the limitation and its potential effect, preferably in writing to the board.
20. When faced with an imposed scope limitation, a CAE should: a. Delay the engagement until the scope limitation is removed. b. Communicate the potential effects of the scope limitation to the board. c. Increase the frequency of auditing the activity in question. d. Assign more experienced personnel to the engagement
b. Communicate the potential effects of the scope limitation to the board.
6. Which of the following is not a role of the internal audit activity in best practice governance activities? a. Support the board in enterprise wide risk assessment. b. Ensure the timely implementation of audit recommendations. c. Monitor compliance with the corporate code of conduct. d. Discuss areas of significant risks.
b. Ensure the timely implementation of audit recommendations.
85. According to the Standards, what is the role of internal audit as it relates to risk management? a. Determine the risk appetite of the organization. b. Evaluate the effectiveness of the risk management process. c. Communicate relevant risk information to the appropriate people within the organization. d. Identify and assess significant risks within the organization.
b. Evaluate the effectiveness of the risk management process.
47. An internal auditor should exercise due professional care in performing assurance engagements. Due professional care includes: a. Establishing direct communication between the CAE and the board of directors. b. Evaluating established operating standards and determining whether those standards are acceptable and being met. c. Accumulating sufficient information so that the internal auditor can give absolute assurance that irregularities do not exist d. Establishing suitable criteria of education and experience for filling internal audit positions.
b. Evaluating established operating standards and determining whether those standards are acceptable and being met.
23. To promote a positive image within an organization, a CAE planned to conduct assurance engagements that highlighted potential cost savings. Negative observations were to be omitted from the engagement's final communications. Which action taken by the CAE would be considered a violation of the Standards? I. The focus of the audit engagements was changed without modifying the charter or consulting the audit committee. II. Negative observations were omitted from the engagement final communications. III. Costs savings recommendations were highlighted in the engagement final communications. a. I only. b. I and II only. c. I and III only. d. II and III only.
b. I and II only.
43. Which of the following is true? a. Continuous monitoring is the CAE's responsibility. b. If a control breakdown is identified through continuous auditing, it should be reported to management timely. c. Data analytics technologies cannot be used for substantive testing. d. Continuous auditing routines developed by internal auditors should not be shared with management.
b. If a control breakdown is identified through continuous auditing, it should be reported to management timely.
7. Which of the following is not true with regard to the internal audit charter? a. It defines the authorities and responsibilities for the internal audit activity. b. It specifies the minimum resources needed for the internal audit activity. c. It provides a basis for evaluating the internal audit activity. d. It should be approved by senior management and the board.
b. It specifies the minimum resources needed for the internal audit activity.
76. Nationalism, expropriation, and terrorism are best categorized as examples of: a. Economic risk. b. Political risk. c. Operational risk. d. Environmental risk.
b. Political risk.
16. When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks.
b. Provide assurance on the management of the risk.
30. When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks
b. Provide assurance on the management of the risk.
103. An adequate system of internal controls is most likely to detect an irregularity perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager
b. Single employee.
13. Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities? a. The external auditor. b. The CAE. c. The CEO. d. Each assurance and consulting function
b. The CAE.
57. Ordinarily, those conducting internal quality program assessments should report to: a. The board. b. The CAE. c. Senior management. d. The external auditors.
b. The CAE.
9. In deciding whether to schedule the purchasing department or the personnel department for an audit engagement, which of the following would be the least important factor? a. There have been major changes in operations in one of the departments. b. The audit staff has recently added an individual with expertise in one of the areas. c. There are more opportunities to achieve operating benefits in one of the departments than in the other. d. The potential for loss is significantly greater in one department than in the other.
b. The audit staff has recently added an individual with expertise in one of the areas.
58. According to the Standards, which of the following statements is correct regarding communication of quality assurance and improvement programs? a. The CAE determines the form and content of results communicated without seeking input from senior management or the board. b. The results of external assessments are communicated upon their completion. c. The results of periodic internal assessments are communicated at least monthly. d. The results of ongoing monitoring are communicated upon their completion.
b. The results of external assessments are communicated upon their completion.
124. When determining staffing to be assigned to an audit, the internal audit director should consider all of the following except: a. Training needs of internal auditors. b. Time since the last audit of the area. c. Available audit staff. d. Complexity of the audit assignment.
b. Time since the last audit of the area.
38. A CAE for a very small internal audit department has just received a request from management to perform an audit of an extremely complex area in which the CAE and the department have no expertise. The nature of the audit engagement is within the scope of internal audit activities. Management has expressed a desire to have the engagement conducted in the very near future because of the high level of risk involved. Which of the following responses by the CAE would be in violation of the Standards? a. Discuss with management the possibility of outsourcing the audit of this complex area. b. Add an outside consultant to the audit staff to assist in the performance of the audit engagement. c. Accept the audit engagement and begin immediately because it is a high-risk area. d. Discuss the timeline of the audit engagement with management to determine if there is sufficient time to develop appropriate expertise.
c. Accept the audit engagement and begin immediately because it is a high-risk area.
41. A CAE plans to make changes that may be perceived negatively by the audit staff. The best way to reduce resistance would be to: a. Develop the new approach fully before presenting it to the audit staff. b. Ask the CEO to approve the changes and have the CEO attend the departmental staff meeting when they are presented. c. Approach the staff with the general idea and involve them in the development of the changes. d. Get the internal audit activity's clients to support the changes
c. Approach the staff with the general idea and involve them in the development of the changes.
72. Which of the following represents the best risk assessment technique? a. Assessment of the risk levels for future events based on the extent of uncertainty of those events and their impact on achievement of long-term organizational goals. b. Assessment of inherent and control risks and their impact on the extent of financial misstatements. c. Assessment of the risk levels of current and future events, their effect on achievement of the organization's objectives, and their underlying causes. d. Assessment of the risk levels of current and future events, their impact on the organization's mission, and the potential for elimination of existing or possible risk factors
c. Assessment of the risk levels of current and future events, their effect on achievement of the organization's objectives, and their underlying causes.
45. To ensure that due professional care has been taken at all times during an engagement, the internal auditor should always: a. Ensure that all financial information related to the audit is included in the audit plan and examined for nonconformance or irregularities. b. Ensure that all audit tests are fully documented. c. Consider the possibility of nonconformance or irregularities at all times during an engagement. d. Communicate any noncompliance or irregularity discovered during an engagement promptly to the audit committee.
c. Consider the possibility of nonconformance or irregularities at all times during an engagement.
48. Due professional care calls for: a. Detailed review of all transactions related to a particular function. b. Infallibility and extraordinary performance when the system of internal control is known to be weak. c. Consideration of the possibility of material irregularities during every engagement. d. Testing in sufficient detail to give absolute assurance that noncompliance does not exist.
c. Consideration of the possibility of material irregularities during every engagement.
15. To improve audit efficiency, internal auditors can rely upon the work of external auditors that is: a. Performed after the internal audit engagement. b. Primarily concerned with operational objectives and activities. c. Coordinated with the internal audit activity. d. Conducted in accordance with The IIA's Code of Ethics.
c. Coordinated with the internal audit activity.
26. An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? a. Determine if policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may make investments. b. Determine the extent of management oversight over investments in sophisticated instruments. c. Determine whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations. d. Determine the nature of controls established by the treasurer to monitor the risks in the investments.
c. Determine whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations.
46. An internal auditor has some suspicion, but no evidence, of potential misstatement of financial statements. The internal auditor has failed to exercise due professional care if (s)he: a. Identified potential ways in which a misstatement could occur and ranked the items for investigation. b. Informed the engagement manager of the suspicions and asked for advice on how to proceed. c. Did not test for possible misstatement because the engagement work program had already been approved by engagement management. d. Expanded the engagement work program, without the engagement client's approval, to address the highest ranked ways in which a misstatement may have occurred.
c. Did not test for possible misstatement because the engagement work program had already been approved by engagement management.
43. The internal audit activity has scheduled an engagement relating to a construction contract. One portion of this engagement will include comparing materials purchased with those specified in the engineering drawings. The internal audit activity does not have anyone on staff with sufficient expertise to complete this procedure. The CAE should: a. Delete the engagement from the schedule. b. Perform the entire engagement using current staff. c. Engage an engineering consultant to perform the comparison. d. Accept the contractor's written representations.
c. Engage an engineering consultant to perform the comparison.
4. A CAE uses a risk assessment model to establish a risk-based plan. Which of the following would be an appropriate action by the CAE? I. Maintain ongoing dialogue with management and the audit committee. II. Ensure that the schedule of audit priorities remains unchanged. III. Employ only quantitative methods to determine risk weightings. IV. Revise the risk assessment and audit priorities as warranted. a. III only. b. I and II only. c. I and IV only. d. III and IV only
c. I and IV only.
71. Enterprise risk management: a. Guarantees achievement of organizational objectives. b. Requires establishment of risk and control activities by internal auditors. c. Involves the identification of events with negative impacts on organizational objectives. d. Includes selection of the best risk response for the organization.
c. Involves the identification of events with negative impacts on organizational objectives.
18. During a review of contracts, a CAE suspects that a supplier was given an unfair advantage in bidding on a contract. After learning that the CEO of the company is a member of the supplier's board of directors, how should the CAE proceed? a. Submit a draft report to senior management, excluding the CEO. b. Contact the organization's external auditors for assistance. c. Obtain supporting documentation and present the finding to the chairperson of the audit committee. d. Immediately notify the board of directors.
c. Obtain supporting documentation and present the finding to the chairperson of the audit committee.
93. The control that would most likely ensure that payroll checks are written only for authorized amounts is to: a. Conduct periodic floor verification of employees on the payroll. b. Require the return of undelivered checks to the cashier. c. Require supervisory approval of employee timecards. d. Periodically witness the distribution of payroll checks.
c. Require supervisory approval of employee timecards.
74. A CAE is reviewing the following enterprise-wide risk map: [Impact Likelihood: (Risk)] Critical Remote: Risk A Critical Possible: Risk B Minor Possible: Risk C Major Likely: Risk D Which of the following is the correct prioritization of risks considering limited resources in the internal audit activity? a. Risk B, Risk C, Risk A, Risk D. b. Risk A, Risk B, Risk C, Risk D. c. Risk D, Risk B, Risk C, Risk A. d. Risk B, Risk C, Risk D, Risk A
c. Risk D, Risk B, Risk C, Risk A.
75. What is residual risk? a. Impact of risk. b. Risk that is under control. c. Risk that is not managed. d. Underlying risk in the environment.
c. Risk that is not managed.
96. A control likely to prevent purchasing agents from favoring specific suppliers is: a. Requiring management's review of a monthly report of the total spent by each buyer. b. Requiring buyers to adhere to detailed material specifications. c. Rotating buyer assignments periodically. d. Monitoring the number of orders placed by each buyer
c. Rotating buyer assignments periodically.
16. A CAE has been requested by the audit committee to conduct an engagement at a chemical factory as soon as possible. The engagement will include reviews of health, safety, and environmental (HSE) management and processes. The CAE knows that the internal audit activity does not possess the HSE knowledge necessary to conduct such an engagement. The CAE should: a. Begin the engagement and incorporate HSE training into next year's planning to prepare for a follow-up engagement. b. Suggest to the audit committee that the factory's own HSE staff conduct the engagement. c. Seek permission from the audit committee to obtain appropriate support from an HSE professional. d. Defer the engagement and tell the audit committee that it will take several months to train internal audit staff for such an engagement.
c. Seek permission from the audit committee to obtain appropriate support from an HSE professional.
62. An organization's management perceives the need to make significant changes. Which of the following factors is management least likely to be able to change? a. The organization's members. b. The organization's structure. c. The organization's environment. d. The organization's technology.
c. The organization's environment.
8. Which of the following is not a responsibility of the CAE? a. To communicate the internal audit activity's plans and resource requirements to senior management and the board for review and approval. b. To coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication. c. To oversee the establishment, administration, and assessment of the organization's system of risk management processes. d. To follow up on whether appropriate management actions have been taken on significant reported risks.
c. To oversee the establishment, administration, and assessment of the organization's system of risk management processes.
83. Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. b. To ensure that weaknesses in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically. d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.
c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically.
25. The call center of an organization has requested that the internal audit department review procedures and controls during the implementation of a new process. The CAE should: a. Not accept the engagement because recommending controls would impair future objectivity regarding this operation. b. Not accept the engagement because internal audit activities are presumed to have expertise regarding accounting controls, not process controls. c. Accept the engagement but indicate to management that, because recommending controls impairs independence, future engagements in the area will be impaired. d. Accept the engagement because individual objectivity will not be impaired.
d. Accept the engagement because individual objectivity will not be impaired.
89. A password is an example of: a. A physical control. b. An edit control. c. A digital control. d. An access control.
d. An access control.
49. A certified internal auditor performed an assurance engagement to review a department store's cash function. Which of the following actions would be deemed lacking in due professional care? a. Organizational records were reviewed to determine whether all employees who handle cash receipts and disbursements were bonded. b. A flowchart of the entire cash function was developed, but only a sample of transactions was tested. c. The final engagement communication included a well-supported recommendation for the reduction in staff, although it was known that such a reduction would adversely affect morale. d. Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed.
d. Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed.
122. Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor. b. Audit committee. c. Internal audit supervisor. d. CAE
d. CAE
82. The foundational component of the COSO internal control framework that permeates all areas of an organization and influences the way individuals approach internal control is: a. Information and communication. b. Monitoring. c. Control activities. d. Control environment.
d. Control environment.
61. The internal audit activity should contribute to the organization's governance process by evaluating the processes through which: I. Ethics and values are promoted. II. Effective organizational performance management and accountability are ensured. III. Risk and control information is communicated. IV. Activities of the external and internal auditors and management are coordinated. a. I only. b. IV only. c. II and III only. d. I, II, III, and IV.
d. I, II, III, and IV.
95. Which of the following observations by an auditor is most likely to indicate the existence of control weaknesses over safeguarding of assets? I. A service department location is not well suited to allow for adequate service to other units. II. Employees hired for sensitive positions are not subjected to background checks. III. Managers do not have access to reports that profile overall performance in relation to other benchmarked organizations. IV. Management has not taken corrective action to resolve past engagement observations related to inventory controls. a. I and II only. b. I and IV only. c. II and III only. d. II and IV only.
d. II and IV only.
9. The function of internal auditing, as related to internal financial reports, would be to: a. Ensure compliance with reporting procedures. b. Review the expenditure items and match each item with the expenses incurred. c. Determine if there are any employees expending funds without authorization. d. Identify inadequate controls that increase the likelihood of unauthorized expenditures.
d. Identify inadequate controls that increase the likelihood of unauthorized expenditures.
32. A written charter approved by the board that formally defines the internal audit activity's purpose, authority, and responsibility enhances its: a. Exercise of due professional care. b. Proficiency. c. Relationship with management. d. Independence.
d. Independence.
70. The function of the chief risk officer (CRO) is most effective when he or she: a. Manages risk as a member of senior management. b. Shares the management of risk with line management. c. Shares the management of risk with the CAE. d. Monitors risk as part of the enterprise risk management team.
d. Monitors risk as part of the enterprise risk management team.
17. Upon obtaining factual documentation of unethical business conduct by the vice president, to whom the CAE reports, the CAE should: a. Conduct an investigation to determine the extent of the vice president's involvement in the unethical acts. b. Confront the vice president with the facts before proceeding. c. Schedule an audit of the business function involved. d. Report the facts to executive management and the audit committee.
d. Report the facts to executive management and the audit committee.
33. To avoid creating conflict between the CEO and the audit committee, the CAE should: a. Submit copies of all engagement communications to the CEO and audit committee. b. Strengthen independence through organizational status. c. Discuss all pending engagement communications with the CEO and the audit committee. d. Request board establishment of policies covering the internal audit activity's relationship with the audit committee.
d. Request board establishment of policies covering the internal audit activity's relationship with the audit committee.
55. Which of the following is part of an internal audit activity's quality assurance and improvement program, rather than being included as part of the CAE's other responsibilities? a. The CAE provides information about and access to internal audit workpapers to the external auditors to help them understand and determine the degree to which they may rely on the internal auditors' work. b. Management approves a formal charter establishing the purpose, authority, and responsibility of the internal audit activity. c. Each individual internal auditor's performance is appraised at least annually. d. Supervision of an internal auditor's work is performed throughout each audit engagement.
d. Supervision of an internal auditor's work is performed throughout each audit engagement.
20. Audit committees are most likely to participate in the approval of: a. Audit staff promotions and salary increases. b. The internal audit report observations and recommendations. c. Audit work schedules. d. The appointment of the CAE.
d. The appointment of the CAE.
22. The independence of the internal audit department may be impaired in which of the following situations? a. The CAE reports functionally to the board of directors. b. The internal audit department has unrestricted access to information, people, and records throughout the organization. c. The CAE has an established reporting relationship with the audit committee. d. The internal audit department has responsibility for the organization's risk and compliance areas.
d. The internal audit department has responsibility for the organization's risk and compliance areas.
90. The marketing department for a major retailer assigns separate product managers for each product line. Product managers are responsible for ordering products and determining retail pricing. Each product manager's purchasing budget is set by the marketing manager. Products are delivered to a central distribution center where goods are segregated for distribution to the company's 52 department stores. Because receipts are recorded at the distribution center, the company does not maintain a receiving function at each store. Product managers are evaluated on a combination of sales and gross profit generated from their product lines. Many products are seasonal and individual store managers can require that seasonal products be removed to make space for the next season's products. Which of the following is a control deficiency in this situation? a. The store manager can require items to be removed, thus affecting the potential performance evaluation of individual product managers. b. The product manager negotiates the purchase price and sets the selling price. c. Evaluating product managers by total gross profit generated by product line will lead to dysfunctional behavior. d. There is no receiving function located at individual stores.
d. There is no receiving function located at individual stores.