Internal Auditing Final Review MC

Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make?

"I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence."

According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives?

Ensuring culture is clearly articulated by the board.

Who is responsible for establishing the strategic objectives of an organization?

Executive management.

Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process?

Executive management.

Which of the following best describes an auditor's responsibility after noting some indicators of fraud?

Expand activities to determine whether an investigation is warranted.

Which of the following is not a potential value driver for implementing ERM?

Financial results will improve in the short run.

What types of business events tend to drive new legislation and guidance?

Fraud or other corporate wrongdoing.

Which of the following is the best source of IT audit guidance within the IPPF?

Global Technology Audit Guides (GTAGs).

Which of the following are business processes? I. Strategic planning. II. Review and write-off of delinquent loans. III. Safeguarding of assets. IV. Remittance of payroll taxes to the respective tax authorities.

I, II, and IV.

Which of the following IT devices can present the most significant risk to the organization?

IT governance controls.

Which of the following is true?

If a control breakdown is identified through continuous auditing, it should be reported to management on a timely basis.

After business risks have been identified, they should be assessed in terms of their inherent:

Impact and likelihood.

The CAE is attempting to expand the coverage of the internal audit function in the area of cybersecurity. The best way to accomplish this goal would be to:

Increased regulatory requirements around IT and controls and the ubiquity of technology.

ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry, and facilitates sharing among its members. From ABC's perspective, what type of stakeholder is this industry association?

Influences the company.

Reasonable assurance, as it pertains to internal control, means that:

Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved.

Internal audit engagement teams prepare workpapers primarily for the benefit of the:

Internal audit function.

According to the IPPF, internal auditors should possess which of the following skills? I. Internal auditors should understand human relations and be skilled in dealing with people. II. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices. III. Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance, and IT. IV. Internal auditors should be skilled in oral and written communication.

Internal auditors should understand human relations and be skilled in dealing with people. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices. Internal auditors should be skilled in oral and written communication.

A major upgrade to an important information system would most likely represent a high:

Internal risk factor.

Enterprise risk management:

Involves the identification of events with negative impacts on business objectives.

Competent evidence is best defined as evidence that:

Is persuasive, reasonably free from error and bias, and faithfully represents that which it purports to represent.

One of the challenges of ERM in an organization that has a centralized structure is that:

It may be difficult to raise awareness of the impact of work actions on other employees or work areas.

How does a control manage a specific risk?

It reduces either likelihood or impact or both.

Organizational independence exists if the CAE reports <List A> to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity <List B> without interference:

List A: administratively; List B: controls the scope and performance of work and reporting of results

An internal auditor is concerned that fraud, in the form of payments to fictitious vendors, may exist. Company purchasers, responsible for purchases of specific product lines, have been granted the authority to approve expenditures up to $10,000. Which of the following applications of generalized audit software would be most effective in addressing the auditor's concern?

List all major vendors by product line. Select a sample of major vendors and examine supporting documentation for goods or services received.

Who is responsible for implementing ERM?

Management throughout the organization.

Which of the following is true regarding business process outsourcing?

Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.

The function of the chief risk officer is most effective when he or she:

Monitors risk as part of the ERM team.

Professional skepticism means that internal auditors beginning an assurance engagement should:

Neither assume the auditee is honest nor assume they are dishonest.

Which of the following is true about new and emerging technologies?

New technologies take time for the users to transition and adapt to the new technology, so training is critical.

Which of the following most completely describes the appropriate content of internal audit assurance engagement workpapers?

Objectives, procedures, facts, conclusions, and recommendations.

An internal auditor must weigh the cost of an audit procedure against the persuasiveness of the evidence to be gathered. Observation is one audit procedure that involves cost-benefit tradeoffs. Which of the following statements regarding observation as an audit procedure is/are correct?

Observation is limited because individuals may react differently when being watched. Observation provides evidence about whether certain controls are operating as designed.

Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to:

Obtain the understanding necessary to test the process.

The software that manages the interconnectivity of the system hardware devices is the:

Operating system software.

The risk assessment component of internal control involves the:

Organization's identification and analysis of the risks that threaten the achievement of its objectives.

According to the IPPF, the independence of the internal audit activity is achieved through:

Organizational status and objectivity.

Which flowcharting symbol indicates the start or end of a process?

Oval.

The internal audit function should not:

Oversee the organization's governance and risk management processes.

Companies in industries that are heavily regulated may be subject to audits by the regulator's auditors. While not specifically covered in the Three Lines Model, such auditors would most likely be considered:

Part of the third line.

A production manager of MSM Company ordered excessive raw materials and had them delivered to a side business he operated. The manager falsified receiving reports and approved the invoices for payment. Which of the following procedures would most likely detect this fraud?

Perform ratio and trend analysis. Compare the cost of raw materials purchased with the cost of goods produced.

In which phase(s) of the internal audit engagement can data analytics be used? I. Planning the individual engagement. II. Testing the effectiveness and efficiency of controls. III. Assessing risk to determine which areas of the organization to audit.

Planning the individual engagement. Testing the effectiveness and efficiency of controls. Assessing risk to determine which areas of the organization to audit.

Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success?

Political event.

Which of the following represents the most persuasive evidence that trade receivables actually exist?

Positive confirmations.

Requiring a user ID and password would be an example of what type of control?

Preventative.

The requirement that purchases be made from suppliers on an approved vendor list is an example of a:

Preventive control.

In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization?

Product Quality

Which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence?

Product development team leader.

Workpaper summaries, if prepared, can be used to:

Promote efficient workpaper review by internal audit supervisors.

Which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity? I. Proper supervision. II. Proper training. III. Internal assessments. IV. External assessments

Proper supervision. Internal assessments. External assessments.

When assessing the risk associated with an activity, an internal auditor should:

Provide assurance on the management of the risk.

In developing a new system, change management is extremely important. What are two main reasons to assess change management controls?

Provide consulting engagements on cybersecurity

Which of the following is not an appropriate governance role for an organization's board of directors?

Providing assurance directly to third parties that the organization's governance processes are effective.

Which of the following best exemplifies a control activity referred to as independent verification?

Reconciliation of bank accounts by someone who does not handle cash or record cash transactions.

The control that would most likely ensure that payroll checks are written only for authorized amounts is to:

Require supervisory approval of employee time cards.

The Standards requires the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement?

Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.

The purpose of logical security controls is to:

Restrict access to data

A company has recently outsourced its payroll process to a third-party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision?

Review the controls over payroll processing in both the company and the third-party service provider.

What is residual risk?

Risk that is not managed

An internal auditor gathered the following accounts receivable trend and ratio analysis information:

Sales returned for credit were overstated in years 2 and 3.

Which of the following is not an example of a risk-sharing strategy?

Selling a nonstrategic business unit.

An effective system of internal controls is most likely to detect a fraud perpetrated by a:

Single employee.

Which of the following is not a role of the internal audit function in best practice governance activities?

Support the board in enterprise-wide risk assessment.

Audit committees are most likely to participate in the approval of:

The appointment of the CAE.

If a risk appears in the bottom right of quadrant II in the above risk control map, it means that:

The controls may be excessive relative to the risk

Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that:

The individual who initiates wire transfers does not reconcile the bank statement.

The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors?

The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.

Which of the following statements regarding corporate governance is not correct?

The internal audit function of a company has more responsibility than the board for the company's corporate governance.

COSO's internal control framework has five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)? I. The organization demonstrates a commitment to integrity and ethical values. II. Monitoring activities. III. A level of assurance that is supported by generally accepted auditing procedures and judgments. IV. A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices. V. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

The organization demonstrates a commitment to integrity and ethical values. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Who has primary responsibility for the monitoring component of internal control?

The organization's management.

What is a business process?

The set of connected activities linked with each other for the purpose of achieving an objective or goal.

If a risk appears in the middle of quadrant IV in the above risk control map, it means that:

There is an appropriate balance between risk and control.

Audit evidence is generally considered sufficient when:

There is enough of it to support well-founded conclusions.

Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan?

To ensure that the internal audit plan supports the overall business objectives.

Which of the following is not a responsibility of the CAE?

To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.

Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes?

To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically.

An internet firewall is designed to provide protection against:

Unauthorized access from external sources.

Which of the following is not one of the top 10 technology risks facing organizations?

Use of older technology.

If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error was most likely detected by a:

Validity check.

Your audit objective is to determine whether purchases of office supplies have been properly authorized. If purchases of office supplies are made through the purchasing department, which of the following procedures is most appropriate?

Vouch purchase orders to approved purchase requisitions.

In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have:

A secondary link.

Documentary evidence is one of the principal types of corroborating information used by an internal auditor. Which one of the following examples of documentary evidence generally is considered the most reliable?

A vendor's invoice obtained from the accounts payable department.

An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement?

Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations.

Which of the following symbols in a process map will most likely contain a question?

Diamond.

When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:

Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee.

An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement?

A new system was implemented during the year, which changed how the transactions are processed.

Which of the following circumstances would concern the internal auditor the most?

A risk in the upper left corner of quadrant III

Which of the following would be considered a second line role in the Three Lines Model?

A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.

Which of the following would not be considered a first line role in the Three Lines Model?

A divisional controller conducts a peer review of compliance with financial control standards.

Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:

Accept the audit engagement because independence would not be impaired.

An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website?

Accuracy and reliability of the information.

The Standards requires policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement?

All internal audit functions should have a detailed policies and procedures manual.

Which of the following would be considered a first line role in the Three Lines Model?

An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.

The possibility of someone maliciously shutting down an information system is most directly an element of:

Availability risk.

Which of the following is not an IT technical control?

BYOD

Per the Standards, internal audit functions must establish:

Both internal and external quality assurance and improvement program assessments.

Which of the following statement(s) regarding an internal audit function's continuous auditing responsibilities is/are true? I. The internal audit function is responsible for assessing the effectiveness of management's continuous monitoring activities. II. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls.

Both statements I and II are true.

Determining that engagement objectives have been met is ultimately the responsibility of the:

CAE

Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?

CAE

Which of the following are typically governance responsibilities of executive management? I. Delegating its tolerance levels to lower-level managers. II. Monitoring day-to-day performance of specific risk management activities. III. Establishing a governance committee of the board. IV. Ensuring that sufficient information is gathered to support reporting to the board.

Delegating its tolerance levels to lower-level managers. Ensuring that sufficient information is gathered to support reporting to the board.

An organization's IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility?

Designing IT application-based controls.

Which of the following risk management activities is out of sequence in terms of timing?

Determine key organizational objectives.

