CIA Exam 2018 Section 1

A major difference between enterprise risk management and traditional risk management lies in the narrow focus of traditional risk management on: I.Property and liability risks. II.Risks with insurance solutions. III.Risks impacting organizational objectives. A. I and II only B. I and III only C. II and III only D. I,II,and III.

A. I and II only

When using a risk assessment model to develop audit plans,it is essential that the chief audit executive take into account the: A. Results of the last audit. B. Planned visits by the external auditors during the upcoming year. C. Recent or expected changes in management direction and objectives. D. Dates of future board meetings.

C. Recent or expected changes in management direction and objectives.

According to the International Professional Practices Framework,which of the following is the appropriate division of responsibilities for the coordination of internal and external audit efforts? I.Oversight of Work Coordination of Activities Chief audit executive Senior management II.Board Chief audit executive III.Chief financial officer Chief audit executive IV.Board Chief financial officer A. I B. II. C. III. D. IV.

B. II.

A chief audit executive would most likely use risk assessment for audit planning because it provides: A. A systematic process for assessing and integrating professional judgment about probable adverse conditions. B. A listing of potentially adverse effects on the organization. C. A list of auditable activities in the organization. D. The probability that an event or action may adversely affect the organization.

A. A systematic process for assessing and integrating professional judgment about probable adverse conditions.

Which of the following best contributes to the effectiveness of the internal audit activity in an organization? A. Appropriate terms of internal audit scope and responsibility in the charter. B. Appropriate compliance coverage in the annual audit plan. C. Regular review of the audit charter by management. D. Assurance of internal audit objectivity by the board.

A. Appropriate terms of internal audit scope and responsibility in the charter.

Which of the following is the most important limitation on the effectiveness of audit committees? A. Audit committees may be composed of independent directors; however,those directors may have close personal and professional friendships with management. B. Audit committee members are compensated by the organization and thus favor a stockholder view. C. Audit committees devote most of their efforts to external audit concerns and do not pay much attention to internal auditing and the overall control environment. D. Audit committee members do not normally have degrees in the accounting or auditing fields.

A. Audit committees may be composed of independent directors; however,those directors may have close personal and professional friendships with management.

A dental insurance provider has implemented an electronic claim submission process and is concerned that dentists are submitting claims for services that were not provided. Which of the following control procedures would be most effective in preventing this type of fraud? A. Develop a program that identifies procedures performed on an individual which are either in excess of expectations based on the age of the insured or are similar to other procedures recently performed on the individual. B. Require all submitted claims to be followed by a signed statement by the dentist testifying to the fact that the claimed procedures were performed. C. Send confirmations to the dentists requesting them to confirm the exact nature of the claims submitted to the insurance provider. D. Develop an integrated test facility and submit false claims to verify that the system is detecting such claims on a consistent basis.

A. Develop a program that identifies procedures performed on an individual which are either in excess of expectations based on the age of the insured or are similar to other procedures recently performed on the individual.

When reviewing operational risk for a department whose manager adopts a laissez-faire style of leadership,it is most important for the internal auditor to verify that: A. Employee decisions follow department and company guidelines. B. The manager considers employees' input when designing new procedures. C. Employees are empowered to deal with unusual or emergency situations. D. Management has adopted an open-door policy to assist with communication.

A. Employee decisions follow department and company guidelines.

Which of the following best describes the procedures used by the representatives of an organization's stakeholders to provide oversight of the processes administered by management? A. Governance B. Control C. Risk management D. Monitoring

A. Governance

Noncompliance with which of the following would cause a control deficiency related to privacy protection practices? I.An organization's internal privacy policies. II.Financial accounting standards. III.Privacy laws and regulations. IV.The Standards. A. I and III only B. II and IV only C. II,III,and IV only D. I,II,III,and IV.

A. I and III only

When planning the work program for an assurance engagement,an internal auditor should first review the department's business objectives and then: A. Identify risks. B. Review controls. C. Determine scope. D. Evaluate vulnerabilities.

A. Identify risks.

Which statement most accurately describes how criteria are established for use by internal auditors in determining whether goals and objectives have been accomplished? A. Management is responsible for establishing the criteria. B. Internal auditors should use professional standards or government regulations to establish the criteria. C. The industry in which a company operates establishes criteria for each member company through benchmarks and best practices for that industry. D. Appropriate accounting or auditing standards,including international standards,should be used as the criteria.

A. Management is responsible for establishing the criteria.

The chief audit executive (CAE) routinely provides activity reports to the board during quarterly board meetings. Senior management has asked to review the CAE's board presentation before each board meeting so that any issues or questions can be discussed beforehand. The CAEshould: A. Provide the activity reports to senior management as requested and discuss any issues that may require action to be taken. B. Not provide activity reports to senior management because such matters are the sole province of the board. C. Disclose only those matters in the activity reports that pertain to expenditures and financial budgets of the internal audit activity. D. Provide information to senior management that pertains only to completed audit engagements and observations available in published engagement final communications.

A. Provide the activity reports to senior management as requested and discuss any issues that may require action to be taken.

An internal quality assessment of the internal audit activity should provide the chief audit executive with. A. Recommendations for improvement. B. Objectives for internal audit engagements. C. Confirmation of action on past audit recommendations. D. Appraisals of internal audit staff performance.

A. Recommendations for improvement.

In a well-developed management environment,the internal audit activity would. A. Report the results of audit engagements to line management as well as to senior management. B. Conduct regularly scheduled audits of existing systems and initial audits of new computer systems after they have begun operating. C. Interface primarily with senior management,minimizing interactions with line managers who are the subjects of internal audit work. D. Focus on the maintenance of accounting controls (such as segregation of the duties of authorization,recording,and custody) and report results to the audit committee.

A. Report the results of audit engagements to line management as well as to senior management.

The primary reason that a chief audit executive (CAE) reviews external audit management letters and management response is to: A. Select areas to emphasize in future internal audit engagements. B. Check the effectiveness of external audit resources used. C. Ensure that comments in the letter are supported by evidence. D. Verify that there has been no duplication of internal audit work.

A. Select areas to emphasize in future internal audit engagements.

An internal audit activity's work schedule should always provide sufficient information to the audit committee to enable it to determine whether the proposed engagements: A. Support the organization's objectives. B. Include sufficient fraud awareness. C. Will likely result in the detection of any major risk exposures. D. Are likely to detect control deficiencies.

A. Support the organization's objectives.

Which of the following audit findings would have the least impact (either positive or negative) on a department's control environment? A. The department makes long-term investment risk decisions to maximize return on investment. B. The department manager sets and demonstrates a tone of honesty and integrity in all business dealings. C. Many department functions are duplicated or verified by other department employees. D. Deficiencies were found in the appropriate authorization of transactions.

A. The department makes long-term investment risk decisions to maximize return on investment.

Internal auditors who are concerned with potential risks due to the mishandling of records or transactions should take into consideration: A. The type and nature of the activities to be examined. B. Whether employees in key positions of trust are bonded. C. The history of losses suffered by the company. D. The results of prior risk assessments.

A. The type and nature of the activities to be examined.

The audit process used by the internal audit activity of a large wholesale clothing company does not include an engagement letter or project approval document. The most serious consequence of this deficiency in the process is that the: A. Audit schedule may not be optimal from the engagement client's perspective. B. Audit objectives may not be understood by management of the area being audited. C. Audit resources may not be sufficient. D. Audit plan priority may have changed.

B. Audit objectives may not be understood by management of the area being audited.

In order to effectively handle conflict between audit team members,an audit team leader should: A. Avoid addressing the conflict until the leader is sure that there is a problem. B. Be assertive and keep the team members focused on a resolution. C. Ask one of the team members to resolve the issue by being more conciliatory. D. Transfer one of the team members to another assignment.

B. Be assertive and keep the team members focused on a resolution.

In the annual audit of the financial statements of a company with high inherent risk and a very strong control system,the external auditor may be able to allow detection risk to rise because. A. Audit risk has been reduced. B. Control risk has been assessed at a lower level. C. The company's operations are very susceptible to misstatements. D. Whenever inherent risk is high,control risk is disregarded.

B. Control risk has been assessed at a lower level.

Which of the following would be most relevant regarding the internal control environment? A. Assessing controls over computerized applications. B. Documenting the organizational structure. C. Comparing and validating internal performance with external benchmarking. D. Maintaining and reviewing detailed financial records.

B. Documenting the organizational structure.

Which of the following is not an appropriate role of the internal audit activity in governance activities? A. Support the board in enterprise-wide risk assessment. B. Ensure the timely implementation of audit recommendations. C. Monitor compliance with the organization's ethics policies. D. Discuss areas of significant risk.

B. Ensure the timely implementation of audit recommendations.

Risk assessments can vary in format,but generally include. I.A description of identified risks. II.Tests of audit controls. III.A system of rating risks. IV.Sample size identification. A. I and II only B. I and III only C. I,III,and IV only D. II,III,and IV only

B. I and III only

The chief audit executive for an organization has just completed a risk assessment process,identified the areas with the highest risk,and assigned an audit priority to each. Which of the following statements is true and consistent with the International Professional Practices Framework? I.Items should be ranked in the order of quantifiable dollar exposure to the organization. II.The audit priorities should be in order of major control deficiencies. III.The risk assessment,though quantified,is the result of professional judgments about both exposures and probability of occurrences. A. I only B. III only C. II and III only D. I,II,and III.

B. III only

Which of the following is not true with regard to the internal audit charter? A. It defines the authorities and responsibilities of the internal audit activity. B. It specifies the minimum resources needed for the internal audit activity. C. It provides a basis for evaluating the internal audit activity. D. It should be approved by senior management and the board.

B. It specifies the minimum resources needed for the internal audit activity.

Which of the following is true with respect to the risk assessment process? A. The ethical climate should not be included since this factor cannot be measured quantitatively. B. More than one risk factor may have to be used to ensure that the risk assessment is comprehensive. C. Each risk factor should be given equal weighting in order to reduce the opportunity for bias. D. The risk assessment process should be conducted at least every three years.

B. More than one risk factor may have to be used to ensure that the risk assessment is comprehensive.

Which of the following is a key performance indicator for an internal audit function? A. Audit expenditures compared to financial budgets. B. Percent of required continuing education hours completed. C. Implementation of new audit computer software. D. Frequency of meetings with the board members.

B. Percent of required continuing education hours completed.

The primary role of the internal audit activity in regard to an organization's ethical climate is to: A. Participate as chief ethics officer. B. Periodically assess the ethical climate. C. Utilize surveys to evaluate employee ethics. D. Demonstrate ethical behavior.

B. Periodically assess the ethical climate.

Which of the following controls would most likely prevent the input of an unreasonable number of labor hours into a costing system? A. Recalculation tests during processing. B. Programmed limit tests of input fields. C. Reconciliation of input control totals. D. Consistency checks of data in input fields.

B. Programmed limit tests of input fields.

According to the International Professional Practices Framework,a primary purpose of evaluating the adequacy of an organization's risk management, control, and governance processes is to determine if it: A. Was designed to ensure compliance with policies, plans, procedures, laws, and regulations. B. Provides reasonable assurance that the organization's objectives will be met. C. Mitigates inherent risk. D. Assures the reliability and integrity of information used by management.

B. Provides reasonable assurance that the organization's objectives will be met.

A chief audit executive used risk assessment to prepare the audit work schedule. Which of the following would be the least appropriate reason to modify the schedule? A. Need for coordination of audit activities with the external auditors. B. Request for postponement since the audit would be too complicated. C. Change in the relative risk of auditable activities during the year. D. Budget constraints or expansions.

B. Request for postponement since the audit would be too complicated.

The audit committee has asked the chief audit executive (CAE) to assist in the selection of a new external audit firm. Which of the following is an appropriate action by the CAE? A. The CAE and two managers from the audit staff review the bids and select one firm to meet with the audit committee for the committee's approval. B. The CAE develops a formal set of criteria for the audit committee to use in selecting the external auditor. C. The CAE,chief financial officer,and controller review the bids,interview two firms,and recommend one of the two firms to the audit committee for its approval. D. The CAE declines to participate in the process because providing this assistance would result in compromising the internal audit activity's objectivity.

B. The CAE develops a formal set of criteria for the audit committee to use in selecting the external auditor.

It is important for a chief audit executive to seek formal approval from the board regarding an internal audit charter so that: A. The effectiveness of the internal audit activity can be measured. B. The status of the internal audit activity can be more clearly established. C. There is assurance that all internal audit activities will be completed. D. Improvements can be implemented in internal audit processes.

B. The status of the internal audit activity can be more clearly established.

Which of the following statements regarding organizational governance is not correct? A. An effective internal audit function is one of the four cornerstones of good governance. B. Those performing governance activities are accountable to the customer. C. Accountability is one of the key elements of organizational governance. D. Governance principles and the need for an internal audit function are applicable to governmental and not-for-profit activities.

B. Those performing governance activities are accountable to the customer.

The primary objective of risk-based auditing is to assess the: A. Economy of controls. B. Compliance with controls. C. Adequacy of controls. D. Efficiency of controls.

C. Adequacy of controls

Due to urgent requests from management,a busy internal audit activity finds that it can no longer meet all of its commitments contained in the annual audit plan. The best course of action for the chief audit executive to take would be to: A. Continue with the plan and seek opportunities to adjust priorities and reallocate resources. B. Advise senior management and request that they reconsider these additional requests using more rigorous risk assessment and prioritization factors. C. Advise the board and senior management and request a reassessment of the plan. D. Advise the board immediately and seek their support for additional resources to meet the needs of the plan.

C. Advise the board and senior management and request a reassessment of the plan.

When an external auditor unknowingly fails to modify an opinion on financial statements that are materially misstated,this is an example of: A. An inherent risk. B. A control risk. C. An audit risk. D. A residual risk.

C. An audit risk.

An internal audit activity encounters a scope limitation from senior management that will affect its ability to meet its goals and objectives for a potential engagement client. The nature of the scope limitation should be. A. Noted in the audit work papers, but the engagement should be carried out as scheduled, with any necessary adjustments made based on the scope limitation. B. Communicated to the external auditors so that they can investigate the area in more detail. C. Communicated, preferably in writing, to the board. D. Communicated to management, stating that the limitation will not be accepted because it would impair the audit activity's independence.

C. Communicated, preferably in writing, to the board.

An organization's external auditor has prepared a list of risks and issues and has recommended to senior management that the internal audit activity focus on these items. Senior management has forwarded the list to the chief audit executive (CAE). The CAEshould: A. Incorporate the external auditor's requirements into the internal audit plan. B. Ignore the external auditor's requirements because they are outside of the internal audit activity's planned scope of work. C. Consider the issues raised by the external auditor for possible inclusion in the planned scope of work. D. Report the risks and issues to the audit committee for possible future attention.

C. Consider the issues raised by the external auditor for possible inclusion in the planned scope of work.

To ensure that due professional care has been taken during an audit engagement, an internal auditor should always: A. Ensure that all financial information related to the engagement is included in the audit plan and examined for irregularities. B. Document all audit tests completely. C. Consider the possibility of noncompliance or irregularities at all times during an engagement. D. Notify the audit committee of any noncompliance or irregularity discovered during an engagement.

C. Consider the possibility of noncompliance or irregularities at all times during an engagement.

A daily report which lists unsuccessful attempts to log on to a computer system is A. A. Corrective control. B. Preventive control. C. Detective control. D. Compensating control.

C. Detective control.

According to the Standards,which of the following must an internal auditor take into consideration when performing an assurance engagement of treasury operations? I.The audit committee has requested assurance of the treasury department's compliance with a new policy on the use of financial instruments. II.Treasury management has not instituted any risk management policies. III.Due to the recent sale of a division,the amount of cash and marketable securities managed by the treasury department has increased by 350 percent. IV.The external auditors have indicated some difficulties in obtaining account confirmations. A. I and II only B. I and IV only C. I,II,and III only D. II,III,and IV only

C. I,II,and III only

Reportable audit findings must be: I.Documented by facts. II.Supported by relevant evidence. III.Agreed to by management of the audited area. IV.Convincing enough to compel corrective action. A. I and IV only B. II and III only C. I,II,and IV only D. I,II,III,and IV.

C. I,II,and IV only

According to the International Professional Practices Framework,risk is: I.Defined as the negative effect of events that are expected to occur. II.Measured in terms of consequences. III.Measured in terms of likelihood. A. I only B. I and II only C. II and III only D. I,II,and III.

C. II and III only

Which of the following actions by a chief audit executive is most likely to prevent exaggerated sales reports by division management? I.Hire a new internal auditor who has fraud investigation credentials. II.Assist the controller in developing and monitoring a series of business process indicators which are historically correlated with,but independent of,sales. III.Announce a series of internal audit engagements focusing on compliance with corporate sales-reporting policies. IV.Ask the president and the board to issue a statement of corporate policy stressing the importance of accurate management reporting and the negative consequences of intentional misreporting. A. I and II only B. II and III only C. III and IV only D. I,II,III,and IV.

C. III and IV only

When a risk assessment process has been used to construct an audit engagement schedule, which of the following should receive attention first? A. The external auditors have requested assistance for their upcoming annual audit. B. A new accounts payable system is currently undergoing testing by the information technology department. C. Management has requested an investigation of possible lapping in receivables. D. The existing accounts payable system has not been audited over the past year.

C. Management has requested an investigation of possible lapping in receivables.

A company has established its environmental audit activity as part of its legal department rather than part of its internal audit activity,which reports to the audit committee. The board has requested that the chief audit executive (CAE) provide an annual opinion on whether environmental risks are being properly addressed. In these circumstances,the CAE should recommend to the audit committee that the internal audit activity: A. Review the recommendations in all environmental audit reports. B. Discuss with the environmental auditors the results of their reviews. C. Periodically carry out a quality assessment of the environmental audit activity. D. Include a review of environmental issues in some internal audit engagements.

C. Periodically carry out a quality assessment of the environmental audit activity.

Continuing Professional Education (CPE) hours for Certified Internal Auditors may be achieved by: A. Attending audit staff meetings. B. Verifying that all completed audit tests are fully documented. C. Publishing an article on the company's internal audit department. D. Obtaining experience on the job.

C. Publishing an article on the company's internal audit department.

Which of the following actions by a chief audit executive would be most effective in preventing fraud? A. Ensure that the board is aware of all fraud that has been identified or reported. B. Train the internal audit staff in identifying fraud indicators. C. Review the adequacy of all policies that describe prohibited activities. D. Submit an annual report to the board on all fraud that has been detected.

C. Review the adequacy of all policies that describe prohibited activities.

Management should be included in the development of the audit plan in order to: A. Provide assurance that past audit recommendations have been properly implemented. B. Select the audit tests that will be used for each engagement. C. Verify that the highest risks are included in the risk-based audit plan. D. Guarantee access to the organization's sites and records for audit work.

C. Verify that the highest risks are included in the risk-based audit plan.

Which of the following factors related to an organization's performance management system would not contribute to the organization's success? A. Performance management is linked to competence and knowledge management. B. Subordinates and superiors have shared responsibility for the performance management process. C. Staff members own the performance management process,thereby ensuring implementation and accountability. D. Performance management is integrated into other organizational processes and human resource processes.

C. Staff members own the performance management process,thereby ensuring implementation and accountability.

A tax consultancy agency retains sensitive personal information regarding its clients. Which of the following is a violation of acceptable privacy practices? A. Copies of printed client information not used by the agency are shredded. B. Employees share client information with coworkers with the permission of the client. C. The agency only releases client information with management's approval. D. The agency advises clients of their privacy rights before they commence business with the agency.

C. The agency only releases client information with management's approval.

What role,if any,should the internal audit activity have in the process of following up on observations and recommendations made by the external auditors? A. The internal audit activity should have no role in this process in order to ensure independence. B. The internal audit activity should become involved only if the chief audit executive has sufficient evidence that the follow-up is not occurring. C. The internal audit activity should review the adequacy and effectiveness of management's follow-up actions. D. The internal audit activity should become involved only if specifically requested by management or the board of directors.

C. The internal audit activity should review the adequacy and effectiveness of management's follow-up actions.

A bank uses a risk analysis matrix to quantify the relative risk of auditable entities. The analysis involves rating auditable entities on risk factors using a scale of 1 to 10,with 10 representing the greatest risk. A partial list of risk factors and the ratings given to three of the bank's departments is provided below: Department Risk Factor A B C Control structure 9 5 7 Nature of assets in department 2 7 9 Dollar value of assets 6 6 8 Complexity of transactions 3 4 8 Which of the following statements regarding risk in the departments is true? A. As compared to departments A and C,department B has a stronger control system to compensate for the greater complexity of the department's transactions and dollar value of its assets. B. The internal audit activity should schedule audits of department B more often than audits of department C because of the relative control strength of department C as compared to department B. C. The nature of department A's control structure may be justified by the nature of the department's assets and the complexity of its transactions. D. The relative ranking of the departments in order of their risk,from greatest to least risk,is: A; C; B.

C. The nature of department A's control structure may be justified by the nature of the department's assets and the complexity of its transactions.

Which of the following is most likely to be an element of an effective compliance program? A. The internal audit activity is assigned responsibility for overseeing the program. B. The program is communicated to employees in a video format on a one-time basis. C. The organization uses monitoring systems designed to detect improper activity. D. The organization obtains as much information as possible when performing background checks on employees.

C. The organization uses monitoring systems designed to detect improper activity.

When performing benchmarking during the planning phase of a performance audit,an internal auditor should: A. Determine the current performance gap. B. Project future performance levels. C. Develop functional action plans. D. Identify comparative organizations.

D. Identify comparative organizations.

The chairperson of an organization's audit committee has obtained a risk management report that identifies significant industry concerns that impact the organization. The chairperson has asked the chief audit executive (CAE) to review these concerns and advise if they are relevant to the organization. How should the CAE respond? A. Accept the engagement but communicate only with the audit committee to protect the confidentiality of the request. B. Decline the engagement because it is outside of the scope of the internal audit charter. C. Decline the engagement because it impairs the internal audit activity's independence. D. Accept the engagement but inform senior management of the request.

D. Accept the engagement but inform senior management of the request.

Which of the following situations allows for the most objectivity on the part of an internal auditor? A. Assessing testing procedures in a new computer system. B. Performing a risk assessment of a new financial instrument. C. Drawing conclusions from a sample of financial transactions. D. Comparing current environmental activities against legislation.

D. Comparing current environmental activities against legislation.

The chief commodity trader for a large energy company learns from a friend that a competitor will likely fail its upcoming regulatory audit and will be forced to temporarily decrease production. If the information is true,the trader has short-term opportunities to make trades that will financially benefit the trader's company and will lead to a substantial increase in the trader's performance bonus. However,if the information is not true,making the trades will significantly increase the company's risk of being caught in a long position. From an ethical perspective,which of the following would be the most appropriate course of action for the trader to take? A. Make the trade because the company and the trader will both benefit. B. Have another trader on staff make the trade in order to avoid a conflict of interest. C. Disclose the information to the risk oversight committee but proceed with the trade to capitalize on the opportunity. D. Defer the decision to management and risk the loss of the trading opportunity

D. Defer the decision to management and risk the loss of the trading opportunity

Which of the following processes should be included in a benchmarking activity? I.Identify key measures. II.Collect data on performances and practices. III.Identify opportunities for improvement. A. IIonly B. I and III only C. II and III only D. I,II,and III.

D. I,II,and III.

Which of the following would be the most effective action for an internal audit activity to take in order to assist in improving an organization's ethical climate? I.Review formal and informal processes within the organization that could promote unethical behavior. II.Conduct surveys of employees,suppliers,and customers regarding ethics. III.Assess the employees' knowledge of and compliance with the organization's code of conduct. A. I only B. I and II only C. II and III only D. I,II,and III.

D. I,II,and III.

When developing the annual audit plan and reviewing risk assessment priorities,a chief audit executive should always identify the: A. Potential recommendations for each auditable activity. B. Persons to whom engagement reports will be communicated. C. Engagement procedures to be used during the engagements. D. Internal audit resources required to achieve the audit plan.

D. Internal audit resources required to achieve the audit plan.

During an audit of financial contracts,an auditor learns that a relative has a substantial loan with the organization. The auditor should: A. Exclude the relative's information from the audited work and proceed with the audit engagement. B. Proceed with the audit engagement but disclose in the engagement final communication that the relative is a customer. C. Immediately withdraw from the audit engagement. D. Notify management and the chief audit executive (CAE) and have the CAE determine whether the auditor should continue with the audit engagement.

D. Notify management and the chief audit executive (CAE) and have the CAE determine whether the auditor should continue with the audit engagement.

In selecting an instructional strategy for developing internal audit staff,a chief audit executive should first review the: A. Department's budget constraints. B. Internal auditors' personal development needs. C. Content of potential training courses. D. Organization's objectives.

D. Organization's objectives.

The percentage of orders that are rush orders and the percentage of returns to total orders are examples of which of the following types of control activities? A. Quality control monitoring. B. Direct functional management. C. Benchmarking. D. Performance indicators.

D. Performance indicators.

The main reason to establish internal controls in an organization is to: A. Encourage compliance with policies and procedures. B. Safeguard the resources of the organization. C. Ensure the accuracy, reliability, and timeliness of information. D. Provide reasonable assurance on the achievement of objectives.

D. Provide reasonable assurance on the achievement of objectives.

A quantitative risk assessment model has all of the following advantages except: A. Accommodating a large number of risk factors in the assessment. B. Providing documentation for the chief audit executive,who must defend the long-range audit plan. C. Providing a systematic method of applying weightings to risks and priorities. D. Removing the need for judgment on the part of the chief audit executive.

D. Removing the need for judgment on the part of the chief audit executive.

When developing an effective risk-based plan to determine audit priorities,an internal audit activity should start by: A. Identifying risks to the organization's operations. B. Observing and analyzing controls. C. Prioritizing known risks. D. Reviewing organizational objectives.

D. Reviewing organizational objectives.

A company has entered into a $20,000,000 fixed-price contract with a general contractor for the construction of a new retail outlet. For this contract,which of the following would represent the greatest risk? A. Excessive labor charged to the project. B. Poor physical protection of materials and equipment. C. Failure to complete the project within budget. D. Substitution of inferior materials.

D. Substitution of inferior materials.

Which is the least effective form of risk management? A. Systems-based preventive control. B. People-based preventive control. C. Systems-based detective control. D. People-based detective control.

D. People-based detective control.

Which of the following is not a benefit of using information technology in solving audit problems? A. It helps reduce audit risk. B. It improves the timeliness of the audit engagement. C. It increases audit opportunities. D. It improves the auditor's judgment

D. It improves the auditor's judgment

An objective for an audit of a medical research corporation is to evaluate management's controls to ensure that timely reports are submitted to sponsors of contracted research projects. In planning the audit to achieve this objective,the auditor should begin by: A. Reviewing policies and procedures. B. Interviewing a group of research managers. C. Observing report preparation in a number of laboratories. D. Sending a questionnaire to a sample of research sponsors.

A. Reviewing policies and procedures.

If an internal auditor discloses confidential information in response to a lawsuit,the internal auditor has violated. A. The IIA Code of Ethics. B. The Standards. C. Both the IIA Code of Ethics and the Standards. D. Neither the IIA Code of Ethics nor the Standards.

D. Neither the IIA Code of Ethics nor the Standards.

Which of the following would be the best source of information for a chief audit executive to use in planning future audit staff requirements? A. Discussions of audit needs with executive management and the audit committee. B. Review of audit staff education and training records. C. Review of audit staff size and composition of similar-sized companies in the same industry. D. Interviews with existing audit staff.

A. Discussions of audit needs with executive management and the audit committee.

In a manufacturing organization,all sales prices are determined centrally and are electronically sent to the distribution centers to update their sales price tables. Any pricing deviations must be approved by central headquarters. To determine how this process is functioning,an internal auditor should: A. Document the flow of sales price information,and determine how the table is accessed and updated. B. Develop a flowchart of the sales order process to determine how orders are taken and priced. C. Identify who approves the shipment of goods and how the goods are priced. D. Obtain a copy of the existing flowchart for the computer program to determine how price data are accessed.

A. Document the flow of sales price information,and determine how the table is accessed and updated.

To determine if a new computer system is improving the use of a manufacturer's limited facilities in serving the largest number of customers,an auditor should compare. A. The number of reworked orders and their costs before and after system installation. B. Inventory and materials handling costs before and after system installation. C. The number of orders filled and their cycle times before and after system installation. D. The number of reworked orders and orders filled before and after system installation.

C. The number of orders filled and their cycle times before and after system installation.

Which of the following is an appropriate consideration by the auditor when preparing an engagement program for a human resource audit? A. State the work steps in the form of questions. B. Use standard audit program for HR from previous years. C. Include in the audit program certain audit tests requested by audit client. D. Defer preparation of the audit program after the field work.

C. Include in the audit program certain audit tests requested by audit client.

An organization that outsources much of its internal audit work to an external service provider is planning for an external quality assessment. Which of the following options would accomplish this task and be in conformance with the Standards? A. External industry associate that performed a similar review for a supplier of the organization. B. A team from an independent entity that previously employed the chief audit executive of the organization. C. A team under the direction of the organization's chief audit executive with validation by a former manager of the internal audit activity. D. The same external service provider because of its competency and experience with the organization.

A. External industry associate that performed a similar review for a supplier of the organization.

Fraud is most frequently detected by: A. Following up on tips from employees or citizens. B. Following up on analytical review of high-risk areas. C. Performing periodic reconciliations over cash and other assets. D. Performing unannounced audits or reviews of programs or departments.

A. Following up on tips from employees or citizens.

Which of the following represents the most effective governance structure? I. Operating Executive Internal Management Management Auditing Responsibility for risk Oversight role Advisory role II. Oversight role Responsibility for risk Advisory role III. Responsibility for risk Advisory role Oversight role IV. Oversight role Advisory role Responsibility for risk A. I Only B. II C. III D. IV

A. I Only

A manufacturer uses a materials requirements planning (MRP) system to track inventory,orders,and raw materials requirements. What condition should an auditor search for in the MRP database if a preliminary assessment indicated that inventory is understated? I.Item cost set at zero. II.Negative quantities on hand. III.Order quantity exceeding requirements. IV.Inventory lead times exceeding delivery schedule. A. I and II only B. I and IV only C. II and IV only D. III and IV only

A. I and II only

Which of the following represents the correct order of the risk management process? A. Resource allocation,risk management metrics,risk assessment,post-mortem analysis,effective communication. B. Risk management metrics,resource allocation,risk assessment,effective communication,post-mortem analysis. C. Risk assessment,resource allocation,risk governance and reporting,post-mortem analysis,feedback. D. Resource allocation,risk monitoring,risk assessment,feedback,post-mortem analysis.

C. Risk assessment,resource allocation,risk governance and reporting,post-mortem analysis,feedback.

Senior management at a financial institution has received allegations of fraud at its derivatives trading desk and has asked the internal audit activity to investigate and issue a report concerning the allegations. The internal audit activity has not yet developed sufficient proficiency regarding derivatives trading to conduct a thorough fraud investigation in this area. Which of the following courses of action should the chief audit executive (CAE) take to comply with the Standards? A. Engage the former head of the institution's derivatives trading desk to perform the investigation and submit a report with supporting documentation to the CAE. B. Request that senior management allow a delay of the fraud investigation until the internal audit activity's on-staff certified fraud examiner is able to obtain the appropriate training regarding the analysis of derivatives trading. C. Request that senior management exclude the internal audit activity from the investigation completely and instead contract with an external certified fraud examiner with derivatives experience to perform all aspects of the investigation and subsequent reporting. D. Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting,with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.

D. Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting,with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.

In order to provide the most useful information for an organization's risk management decisions,which of the following should be assessed? A. Risk levels for future events based on the degree of uncertainty of those events and their cost of mitigation. B. Inherent and control risks and their impact on the extent of financial misstatements. C. Risk levels of current and future events,their effect on the achievement of the organization's objectives,and their underlying causes. D. Risk levels of current and future events,their impact on the organization's mission,and the potential for the elimination of existing risk factors.

C. Risk levels of current and future events,their effect on the achievement of the organization's objectives,and their underlying causes.

Which of the following corporate travel policies is least likely to be cost-effective? A. Negotiating corporate agreements with hotels,airlines,and car rental firms. B. Tracking credits for canceled airline reservations. C. Selecting the least expensive airline travel available,without regard to total travel time and distance. D. Traveling to facilities in tourist areas during the off-season when possible.

C. Selecting the least expensive airline travel available,without regard to total travel time and distance.

When internal auditors perform consulting services that add value and improve an organization's operations,these services: A. Impair the internal auditors' objectivity with respect to an assurance service involving the same engagement client. B. Would preclude the achievement of assurance from the consulting engagement. C. Should be consistent with the internal audit activity's empowerment reflected in the charter. D. Impose no responsibility to communicate information other than to the engagement client

C. Should be consistent with the internal audit activity's empowerment reflected in the charter.

Which of the following activities most significantly increases the risk that a bank will make poor-quality loans to its customers? A. Borrowers may not sign all required mortgage loan documentation. B. Fees paid by the borrower at the time of the loan may not be deposited in a timely manner. C. The bank's loan documentation may not meet the government's disclosure requirements. D. Loan officers may override the lending criteria established by senior management.

D. Loan officers may override the lending criteria established by senior management.

Which of the following would provide the most reliable information on the risk associated with an auditable activity? A. Event scenarios with regression analysis. B. Past audit findings and instances of management failures. C. Consequences and economic predictability of loss. D. Management assessment and corroboration by the internal audit activity.

D. Management assessment and corroboration by the internal audit activity.

Which of the following statements regarding segregation of duties is true? A. When evaluating an organization's policy on segregation of duties,employee competence does not need to be considered. B. An organizational chart provides an accurate definition of segregation of duties. C. A restrictive segregation-of-duties policy can help improve an organization's communication. D. Policies on segregation of duties in information systems must recognize the difference between logical and physical access to assets.

D. Policies on segregation of duties in information systems must recognize the difference between logical and physical access to assets.

Internal auditors exercise judgment about the type and amount of information to be collected. The primary purpose of this judgment is to: A. Eliminate the risk of drawing incorrect conclusions. B. Minimize the cost of the audit engagement. C. Comply with the Standards. D. Provide a sound basis for audit observations and recommendations.

D. Provide a sound basis for audit observations and recommendations.

Auditors 1,2,and 3 work out of various offices. Each must be assigned to one,and only one,of three audit locations (A,B,or C). The cost of sending each auditor to each location is listed below: Audit Locations Auditor 1 A B C Auditor 2 $200 $300 $400 Auditor 3 $400 $300 $600 Auditor 4 $200 $200 $500 The minimum cost with which this assignment can be accomplished is: A. $800 B. $900 C. $1,000 D. $1,100

B. $900

A code of business conduct provides? A. A fraud avoidance plan that does not explicitly describe punishments for violations. B. A passive method of fraud deterrence. C. A program to anonymously report irregularities to authorities. D. An alternative to "tone at the top" programs.

B. A passive method of fraud deterrence.

Which source of audit evidence would provide the least value in flowcharting an organization's purchasing process? A. An interview with the purchasing supervisor. B. A review of a sample of purchase orders which were completed during the last month. C. A review of the purchasing policies and procedures manual. D. A walk-through of the process with a member of the purchasing staff.

B. A review of a sample of purchase orders which were completed during the last month.

The chief audit executive should periodically report the internal audit activity's purpose,authority,responsibility,and performance,as well as significant risk exposures and control issues,to which of the following? I. Board of directors. II.Senior management. III.Shareholders. IV.External auditors. A. IIonly B. I and II only C. I,II,and III only D. I,III,and IV only

B. I and II only

To promote a positive image within an organization,a chief audit executive (CAE) adjusted the audit plan to focus on assurance engagements that highlighted potential costs to be saved. Negative observations were to be omitted from engagement final communications. Which action taken by the CAE would be considered a violation of the Standards? I.The focus of the audit function was changed without modifying the audit charter or notifying the audit committee. II.Negative observations were omitted from the engagement final communications. III.Cost savings and recommendations were highlighted in the engagement final communications. A. IIonly B. I and II only C. I and III only D. I,II,and III.

B. I and II only

In order to exercise due professional care as defined in the International Professional Practices Framework,an internal auditor should: I.Consider the probability of significant noncompliance in each audit engagement. II.Perform assurance procedures with sufficient care to ensure that all risks are identified. III.Weigh the cost of assurance against the benefits. A. I and II only B. I and III only C. II and III only D. I,II,and III.

B. I and III only

Which of the following lists the audit activities in the order in which they would generally be completed during a preliminary survey? I. Write detailed audit procedures. II.Identify client objectives,goals,and standards. III.Identify risks and controls intended to prevent associated losses. IV.Determine relevant engagement objectives. A. II,I,IV,III. B. II,III,IV,I. C. III,IV,II,I. D. II,IV,I,III.

B. II,III,IV,I.

In publicly held companies,management often requires the internal audit activity's involvement with quarterly financial statements that are made public and used internally. Which of the following is generally not a reason for such involvement? A. Management may be concerned about its reputation in the financial markets. B. Management may be concerned about potential penalties that could occur if quarterly financial statements are misstated. C. The Standards state that internal auditors should be involved with reviewing quarterly financial statements. D. Management may perceive that having quarterly financial information examined by the internal auditors enhances its value for internal decision making.

C. The Standards state that internal auditors should be involved with reviewing quarterly financial statements.

Which of the following characteristics could indicate high risk? A. Management decisions are made by a committee of mid to higher level management personnel. B. The company is not in a rapidly growing industry. C. The company's profitability is lower than the industry norm. D. Management turnover has been very low.

C. The company's profitability is lower than the industry norm.

Which of the following measurements could an auditor use in an audit of the efficiency of a motor vehicle inspection facility? A. The total number of cars approved. B. The ratio of cars rejected to total cars inspected. C. The number of cars inspected per inspection agent. D. The average amount of fees collected per cashier.

C. The number of cars inspected per inspection agent.

Inadequate risk assessment would have the strongest negative impact in which of the following phases of an audit engagement? A. Determining the scope. B. Reviewing internal controls. C. Testing. D. Evaluating findings

A. Determining the scope.

Which of the following risk assessment tools would best facilitate the matching of controls to risks? A. Control matrix. B. Internal control questionnaire. C. Control flowchart. D. Program evaluation and review technique (PERT) analysis.

A. Control matrix.

The chief audit executive's responsibility regarding control processes includes: A. Assisting senior management and the audit committee in the development of an annual assessment about internal control. B. Overseeing the establishment of internal control processes. C. Maintaining the organization's governance processes. D. Ensuring that the internal audit activity assesses all control processes annually.

A. Assisting senior management and the audit committee in the development of an annual assessment about internal control.

Management has requested that an internal auditor serve as member of a task force that will review current receivables practices and make recommendations to improve processes. Which of the following is the most appropriate response by the internal auditor? A. Accept the assignment provided that such consulting services are defined in the charter. B. Decline the assignment because participation on task forces will impair the auditor's objectivity in future audit engagements. C. Accept the assignment if the auditor believes that it will not impair objectivity in future audit engagements. D. Do not accept the assignment because the assignment is not part of an approved audit plan.

A. Accept the assignment provided that such consulting services are defined in the charter.

Which of the following best describes how the increased use of computerization may impact an auditor's assessment of the risk of fraud? A. Access to assets may be available to information systems personnel as well as to computer users. B. Computer controls are generally less effective than human review. C. Overrides of key controls may require less collaboration. D. Audit trails are less effective.

A. Access to assets may be available to information systems personnel as well as to computer users.

An audit of the quality control department is being planned. Which of the following would least likely be used in the preparation of a preliminary survey questionnaire? A. An analysis of quality control documents. B. The permanent audit file. C. The prior audit report. D. Management's charter for the quality control department.

A. An analysis of quality control documents.

The primary reason that a bank would maintain a separate compliance function is to: A. Better manage perceived high risks. B. Strengthen controls over the bank's investments. C. Ensure the independence of line and senior management. D. Better respond to shareholder expectations

A. Better manage perceived high risks.

Which of the following would be most effective in determining if the percentage of medication orders containing errors improved after a hospital installed a computerized medication-tracking system? A. Compare the proportion of erroneous medication orders before and after system installation for similar periods. B. Compare the number of errors before and after system installation for similar periods. C. Compare,after adjusting for the number of patients,the proportion of erroneous medication orders before and after system installation. D. Compare,after adjusting for the number of patients,the number of errors before and after system installation for similar periods.

A. Compare the proportion of erroneous medication orders before and after system installation for similar periods.

To assure that the technical proficiency of internal auditors is appropriate for the audit engagements to be performed,a chief audit executive should: A. Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions. B. Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish the department's audit mission. C. Oversee a training program that matches the actual training provided with the interests of individual auditors. D. Require all of the audit staff to pursue a minimum number of continuing professional education hours each year.

A. Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions.

During the planning phase of an audit of suspected overbilling on contracts for security services,an auditor should perform all of the following except: A. Interviewing an official of the security services company to determine the cause of recent increases in billings for services. B. Interviewing the manager who requested the audit engagement. C. Obtaining a copy of the contract between the two organizations. D. Preparing an engagement program.

A. Interviewing an official of the security services company to determine the cause of recent increases in billings for services.

According to the Standards,the organizational status of the internal audit activity: A. Must be sufficient to permit the accomplishment of its audit responsibilities. B. Is best when the reporting relationship is direct to the board of directors. C. Requires the board's annual approval of the audit schedules,plans,and budgets. D. Is guaranteed when the charter specifically defines its independence.

A. Must be sufficient to permit the accomplishment of its audit responsibilities.

Which of the following describes a control weakness? A. Purchasing procedures are well designed and are followed unless otherwise directed by the purchasing supervisor. B. Pre-numbered blank purchase orders are secured within the purchasing department. C. Normal operational purchases fall in the range from $500 to $1,000 with two signatures required for purchases over $1,000. D. The purchasing agent invests in a publicly traded mutual fund that lists the stock of one of the company's suppliers in its portfolio.

A. Purchasing procedures are well designed and are followed unless otherwise directed by the purchasing supervisor.

If an engagement client's operating standards are vague and thus subject to interpretation,the auditor should: A. Seek agreement with the client as to the standards to be used to measure operating performance. B. Determine best practices in the area and use them as the standard. C. Interpret the standards in their strictest sense because standards are otherwise only minimum measures of acceptance. D. Omit any comments on standards and the client's performance in

A. Seek agreement with the client as to the standards to be used to measure operating performance.

An internal auditor plans to use an analytical review to verify the correctness of various operating expenses in a division. The use of an analytical review as a verification technique would not be a preferred approach if. A. The auditor notes strong indicators of a specific fraud involving this account. B. The company has relatively stable operations which have not changed much over the past year. C. The auditor would like to identify large,unusual,or non-recurring transactions during the year. D. The operating expenses vary in relation to other operating expenses,but not in relation to revenue.

A. The auditor notes strong indicators of a specific fraud involving this account.

Which of the following would not be a factor for senior management to consider when determining the internal audit activity's role in an organization's risk management process? A. The extent to which the internal audit activity is outsourced. B. The maturity level of risk management practices in the organization. C. The competency of the internal auditors in risk management. D. The nature of the business and the environment in which the organization operates.

A. The extent to which the internal audit activity is outsourced.

Which of the following would be the least desirable criteria against which to judge current operations of a company's treasury function? A. The operations of the treasury function as documented during the last audit engagement. B. Company policies and procedures delegating authority and assigning responsibilities. C. Finance textbook illustrations of generally accepted good treasury function practices. D. Codification of best practices of the treasury function in relevant industries.

A. The operations of the treasury function as documented during the last audit engagement.

An audit to test the system of controls over the purchase,distribution,and use of radioactive material is being conducted at a company's plants. The process is well documented,and employees in the safety department are very familiar with the department's procedures. Since the purchasing and facilities departments are involved in the process,the auditor is considering reviewing their radioactive material-handling procedures as well. The auditor should: A. Have confidence in the rigorous and detailed safety department procedures,since that department has the main responsibility for radiation safety,and should not use audit time to review other departments. B. Adjust the engagement schedule and budget,if needed,and interview the appropriate individuals in the purchasing and facilities departments to ascertain whether additional control sexist that complement those identified within the safety department. C. Test the controls identified within the safety department; if results are unfavorable,the auditor should consider whether to involve the other departments. D. Defer questions regarding purchasing,facilities,and other departments until audit projects can be scheduled for those departments.

B. Adjust the engagement schedule and budget,if needed,and interview the appropriate individuals in the purchasing and facilities departments to ascertain whether additional control sexist that complement those identified within the safety department.

Which of the following best describes the most important criteria when assigning responsibility for specific tasks required in an audit engagement? A. Auditors must be given assignments based primarily upon their years of experience. B. All auditors assigned an audit task must have the knowledge and skills necessary to complete the task satisfactorily. C. Tasks must be assigned to the audit team member who is most qualified to perform them. D. All audit team members must have the skills necessary to satisfactorily complete any task that will be required in the audit engagement.

B. All auditors assigned an audit task must have the knowledge and skills necessary to complete the task satisfactorily.

Which of the following is an example of sharing risk? A. An organization redesigned a business process to change the risk pattern. B. An organization outsourced a portion of its services to a third-party service provider. C. An organization sold an unprofitable business unit to its competitor. D. In order to spread total risk,an organization used multiple vendors for critical materials.

B. An organization outsourced a portion of its services to a third-party service provider.

The top three sales representatives for a company consistently include non-allowable charges on their expense reports. Line management is reluctant to deny reimbursement of the charges for fear of losing the sales representatives. This situation has the greatest negative impact on which of the following internal control components? A. Monitoring. B. Control environment. C. Information and communication. D. Control activities.

B. Control environment.

Which of the following is not an appropriate role for internal auditors after a disaster occurs? A. Monitor the effectiveness of the recovery and control of operations. B. Correct deficiencies of the entity's business continuity plan. C. Recommend future improvements to the entity's business continuity plan. D. Assist in the identification of lessons learned from the disaster and the recovery operations.

B. Correct deficiencies of the entity's business continuity plan.

Which of the following is an appropriate role for the board in governance? A. Preparing written organizational policies that relate to compliance with laws,regulations,ethics,and conflicts of interest. B. Ensuring that financial statements are understandable,transparent,and reliable. C. Assisting the internal audit activity in performing annual reviews of governance. D. Working with the organization's attorneys to develop a strategy regarding current litigation,pending litigation,or regulatory proceedings governance.

B. Ensuring that financial statements are understandable,transparent,and reliable.

Which of the following steps would not be included in a program of selecting and developing human resources for an internal audit department? A. Scheduling periodic meetings with individual auditors,during which the chief audit executive provides counsel regarding each auditor's performance and professional career development. B. Establishing an internal review team to assess the auditors' and audit department's compliance with standards,level of audit effectiveness,and compliance with departmental policy. C. Developing specific job descriptions for audit staff,audit managers,and other auditing positions. D. Establishing in-house training programs and requiring continuing education for audit staff.

B. Establishing an internal review team to assess the auditors' and audit department's compliance with standards,level of audit effectiveness,and compliance with departmental policy.

Which of the following best describes the underlying premise of the COSO enterprise risk management framework? A. Management should set objectives before assessing risk. B. Every entity exists to provide value for its stakeholders. C. Policies are established to ensure that risk responses are performed effectively. D. Enterprise risk management can minimize the impact and likelihood of unanticipated events.

B. Every entity exists to provide value for its stakeholders.

Which of the following is not an appropriate type of coordination between the internal audit activity and regulatory auditors? A. Regulatory auditors share their perspective on risk management,control,and governance with the internal auditors. B. Internal auditors perform fieldwork at the direction of the regulatory auditors. C. Internal auditors review copies of regulatory reports in planning related internal engagements. D. Regulatory and internal auditors exchange information about planned activities.

B. Internal auditors perform fieldwork at the direction of the regulatory auditors.

In advance of a preliminary survey,a chief audit executive sends a memorandum and questionnaire to the supervisors of the department to be audited. What is the most likely result of that procedure? A. It creates apprehension about the audit engagement. B. It involves the engagement client's supervisory personnel in the audit. C. It is an uneconomical approach to obtaining information. D. It is only useful for audits of distant locations.

B. It involves the engagement client's supervisory personnel in the audit.

Organizations that use a highly structured command-and-control management approach are at greater risk of: A. Delayed response due to the inability to reach consensus among decision makers. B. Negative consequences that result from lower-level staff's unwillingness to confront errors by superiors. C. Erosion of staff morale due to perceptions of ineffective leadership. D. Waste and abuse of organizational resources resulting from management override of controls.

B. Negative consequences that result from lower-level staff's unwillingness to confront errors by superiors.

Which of the following components influences the risk consciousness of an organization's people and is the basis for all other components of enterprise risk management? A. Objective setting. B. Information and Communication. C. Risk Assessment. D. Internal Environment.

D. Internal Environment

Which of the following is a role of the board of directors in the governance process? A. Conduct periodic assessments of the organization's governance systems. B. Obtain assurance concerning the effectiveness of the organization's governance systems. C. Implement an effective system of internal controls to support the organization's governance systems. D. Review and approve operational goals and objectives.

B. Obtain assurance concerning the effectiveness of the organization's governance systems.

A bakery chain has a statistical model that can be used to predict daily sales at individual stores based on a direct relationship to the cost of ingredients used and an inverse relationship to rainy days. What conditions would an auditor look for as an indicator of employee theft of food from a specific store? A. On a rainy day,total sales are greater than expected when compared to the cost of ingredients used. B. On a sunny day,total sales are less than expected when compared to the cost of ingredients used. C. Both total sales and cost of ingredients used are greater than expected. D. Both total sales and cost of ingredients used are less than expected.

B. On a sunny day,total sales are less than expected when compared to the cost of ingredients used.

In developing an appropriate work program for an audit engagement,the most important factor for an audit supervisor to consider is the: A. Availability of records and data. B. Potential impact of risks. C. Audit personnel's knowledge and experience. D. Time required to complete the engagement.

B. Potential impact of risks.

In developing an appropriate work program for an audit engagement,the most important factor for an audit supervisor to consider is the: A. Availability of records and data. B. Potential impact of risks. C. Capabilities of audit personnel. D. Time required to complete the engagement.

B. Potential impact of risks.

An internal auditor is reviewing a new automated human resources system. The system contains a table of pay rates which are matched to the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes would be to: A. Limit access to the data table to management and line supervisors who have the authority to determine pay rates. B. Require a supervisor in the department,who does not have the ability to change the table,to compare the changes to a signed management authorization. C. Ensure that adequate edit and reasonableness checks are built into the automated system. D. Require that all pay changes be signed by the employee to verify that the change goes to a bona fide employee.

B. Require a supervisor in the department,who does not have the ability to change the table,to compare the changes to a signed management authorization.

During a payroll audit of a large organization,an auditor noted that the assistant personnel director is responsible for many aspects of the computerized payroll system,including adding new employees in the system; entering direct-deposit information for employees; approving and entering all payroll changes; and providing training for system users. After discussions with the director of personnel,the auditor concluded that the director was not comfortable dealing with information technology issues and felt obliged to support all actions taken by the assistant director. The auditor should: A. Continue to follow the engagement program because the engagement scope and objectives have already been discussed with management. B. Review the engagement program to ensure testing of direct deposits to employee bank accounts is adequately covered. C. Recommend to the chief audit executive that a fraud investigation be started. D. Test a sample of payroll changes to ensure that they were approved by the assistant director before being processed.

B. Review the engagement program to ensure testing of direct deposits to employee bank accounts is adequately covered.

Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function? A. Observe the process. B. Review the trend in receivables write-offs. C. Ask the credit manager about the effectiveness of the function. D. Check for evidence of credit approval on a sample of customer orders.

B. Review the trend in receivables write-offs.

An auditor plans to analyze customer satisfaction,including. (1) customer complaints recorded by the customer service department during the last three months; (2) merchandise returned in the last three months; and (3) responses to a survey of customers who made purchases in the last three months. Which of the following statements regarding this audit approach is correct? A. Although useful,such an analysis does not address any risk factors. B. The survey would not consider customers who did not make purchases in the last three months. C. Steps 1 and 2 of the analysis are not necessary or cost-effective if the customer survey is comprehensive. D. Analysis of three months' activity would not evaluate customer satisfaction.

B. The survey would not consider customers who did not make purchases in the last three months.

If earnings on financial statements for internal use only have been manipulated in the past,an internal auditor is likely to focus on which of the following? A. The proper accrual of payables at the end of the interim period. B. The timing of revenue recognition and the valuation of inventories. C. Whether accounting estimates are reasonable given past actual results. D. Whether there have been changes in accounting principles that materially affect the financial statements.

B. The timing of revenue recognition and the valuation of inventories.

An employee who recently transferred into the internal audit activity has been assigned to audit the accounts payable system. Which function, if previously performed by the auditor, would represent a conflict of interest? A. Monitoring the allowance for doubtful accounts. B. Writing procedures for the handling of duplicate payments. C. Signing timekeeping cards for subordinates. D. Reviewing shipping documents for accuracy.

B. Writing procedures for the handling of duplicate payments.

An auditor is using audit software to check inventory accuracy. Which of the following would be an indicator of poor input edit controls? A. Negative quantities on hand. B. Total dollar values of zero for some parts. C. Alpha characters in the field for order lead time. D. Reorder levels set too high.

C. Alpha characters in the field for order lead time.

In order to ensure that the internal auditors have the objectivity required by the Standards,the chief audit executive should: A. Demonstrate willingness to include in engagement final communications all matters believed to be important. B. Require all auditors to sign statements attesting to their independent mental attitudes and honest belief in their work product. C. Carefully assign personnel to individual audit engagements and require auditors to disclose all conflicts of interest. D. Appraise each auditor's performance on each audit assignment.

C. Carefully assign personnel to individual audit engagements and require auditors to disclose all conflicts of interest.

To identify those components of a telecommunications system that present the greatest risk,an internal auditor should first: A. Review the open systems interconnect network model. B. Identify the network operating costs. C. Determine the business purpose of the network. D. Map the network software and hardware products into their respective layers.

C. Determine the business purpose of the network.

After several years in the engineering department,an engineer was transferred to the internal audit department. One month later,the new auditor was assigned to an assurance engagement for the engineering department. When the auditor's former engineering supervisor suggested a change in the sample selection method,the auditor consulted with the audit supervisor. They determined that the suggested method would not be as representative and that the original selection method should be used. In this situation,the auditor: A. Maintained an independent mental attitude and is therefore objective. B. Has subordinated professional judgment,and objectivity is therefore impaired. C. Does not have objectivity since the auditor recently transferred from the engineering department. D. Does not have independent organizational status since the auditor recently transferred from the engineering department.

C. Does not have objectivity since the auditor recently transferred from the engineering department.

Which of the following is not an appropriate control related to sales in a manufacturing company? A. Customers' orders are recorded promptly. B. Goods shipped are matched with valid customer orders. C. Goods returned are inspected for damage by the sales department and then entered into inventory. D. Credit department approval is required for credit sales transactions.

C. Goods returned are inspected for damage by the sales department and then entered into inventory.

A charitable organization provides substantial grants for important medical research. Assuming marginal controls are in place,which of the following possible frauds or misuses of organization assets should be considered the area of greatest risk? A. Senior executives are using company travel and entertainment funds for activities that might be considered questionable. B. Purchases of office supplies are made from fictitious vendors. C. Grants are made to organizations associated with senior executives. D. A payroll clerk has added a fictitious employee.

C. Grants are made to organizations associated with senior executives.

Human resources and payroll are separate departments. Which of the following combinations would provide the best segregation of duties? A. Human resources personnel add employees,payroll personnel process hours,and human resources personnel deliver paychecks to employees. B. Human resources personnel add employees,review and submit payroll hours to the payroll department for processing,and deliver paychecks to employees. C. Human resources personnel add employees,and payroll personnel process hours and enter employee bank account numbers. Paychecks are automatically deposited in the employee's bank account. D. Payroll personnel add employees and enter employee bank account numbers but process hours only as approved by the human resources department. Paychecks are automatically deposited in the employee's bank account.

C. Human resources personnel add employees,and payroll personnel process hours and enter employee bank account numbers. Paychecks are automatically deposited in the employee's bank account.

A manufacturing firm uses hazardous materials in the production of its products. An audit of the firm's processes related to hazardous materials should include. I.Recommending an environmental management system as part of policies and procedures. II.Verifying the existence of tracking records for these materials from creation to destruction. III.Using consultants to avoid self-incrimination of the firm in the event illegalities were detected in an environmental audit. IV.Evaluating the cost provided for in an environmental liability accrual account. A. IIonly B. III and IV only C. I,II,and IV only D. I,III,and IV only

C. I,II,and IV only

Which of the following would be a violation of the IIA Code of Ethics? A. Reporting information that could be damaging to the organization,at the request of a court of law. B. Including an issue in the final audit report after management has resolved the issue. C. Participating in an audit engagement for which the auditor does not have the necessary experience or training. D. Accepting a gift that is a commercial advertisement available to the public.

C. Participating in an audit engagement for which the auditor does not have the necessary experience or training.

Which of the following is a benefit from reduced testing during a particular phase of an audit engagement? A. The size of the internal audit activity can be reduced. B. There is less concern about assessing inherent risk. C. The level of planned audit risk is lowered. D. Additional audit hours are available for pursuing other engagement objectives.

D. Additional audit hours are available for pursuing other engagement objectives.

Regarding an organization's decision to retain an external audit firm,the chief audit executive (CAE) should: A. Work with the organization's chief financial officer to evaluate the external auditor's performance and together make the decision. B. Not be involved in this decision process as it would compromise the CAE's objectivity. C. Evaluate the external auditor's performance and retain the external auditor if quality and cost criteria are met. D. Assist the audit committee by facilitating the development of an appropriate evaluation process.

D. Assist the audit committee by facilitating the development of an appropriate evaluation process.

An organization's accounts payable function improved its internal controls significantly after it received an unsatisfactory audit report. When planning a follow-up audit of the function,what level of detection risk should be expected if the audit and sampling procedures used are unchanged from the prior audit? A. Detection risk is lower because control risk is lower. B. Detection risk is lower because control risk is higher. C. Detection risk is higher because control risk is lower. D. Detection risk is unchanged although control risk is lower.

D. Detection risk is unchanged although control risk is lower.

At the beginning of fieldwork in an audit of investments,an internal auditor noted that the interest rate had declined significantly since the engagement work program was created. The auditor should: A. Proceed with the existing program since this was the original scope of work that was approved. B. Modify the audit program and proceed with the engagement. C. Consult with management to verify the interest rate change and proceed with the engagement. D. Determine the effect of the interest rate change and whether the program should be modified.

D. Determine the effect of the interest rate change and whether the program should be modified.

Overall audit efficiency is enhanced between the internal and external audit functions when: A. Internal audit coverage is reduced to avoid potential conflicts of interest. B. Audits of the same department are conducted at different times. C. The internal audit department reviews functions or departments prior to the external audit. D. External audit scope is reduced based on the internal audit department's activities.

D. External audit scope is reduced based on the internal audit department's activities.

It would be appropriate for an internal audit activity to use consultants with expertise in health-care benefits when the internal audit activity is: I. Conducting an audit of the organization's estimate of its liability for post retirement benefits,which include health care benefits. II.Comparing the cost of the organization's health care program with that of other programs offered in the industry. III.Training its staff to conduct an audit of health care costs in a major division of the organization. A. I only B. I and III only C. II and III only D. I,II,and III.

D. I,II,and III.

Which of the following should be incorporated in a risk management policy? I.Boundaries and limit structures. II.Requirements for reporting risk. III.Risk authorities. A. I and II only B. I and III only C. II and III only D. I,II,and III.

D. I,II,and III.

According to the International Professional Practices Framework,internal auditors should possess which of the following competencies? I.Proficiency in applying internal auditing standards,procedures,and techniques. II.Proficiency in accounting principles and techniques. III.An understanding of management principles. IV.An understanding of the fundamentals of economics,commercial law,taxation,finance,and quantitative methods. A. I only B. II only C. I and III only D. I,III,and IV only

D. I,III,and IV only

A high-volume retailer of consumer goods has used point-of-sale data to record sales and update inventory records for several years. When price changes are scheduled,corporate headquarters downloads a price change file to a computer server system at each store. Each store's assistant manager is responsible for checking the server for downloads and running the program that updates the store's price file at the authorized price update time. In comparison with having headquarters initiate the price update centrally,this approach to price updating will most likely: A. Decrease the risk that customers will be undercharged consistently for sales items. B. Decrease the risk that item prices will sometimes be inaccurate. C. Increase the risk that customers will be undercharged consistently for sales items. D. Increase the risk that item prices will sometimes be inaccurate.

D. Increase the risk that item prices will sometimes be inaccurate.

Two individuals are being considered for an audit team that is to perform a highly technical review. Which of the following situations would preclude selection of the individual for the audit due to an objectivity concern? I. Person A is a member of the internal audit staff and has the required technical skills. Person A participated in a controls review of the system to be audited when it was being developed. II.Person B is a technical specialist who understands the audit area but is not a member of the internal audit staff. Although person B has personal credibility in the information systems department to be audited,person B works for another department in the organization. A. I only B. II only C. Both I and II. D. Neither I nor II

D. Neither I nor II

In order to save time,an audit manager no longer required that a standard internal control questionnaire be completed for each audit engagement. Does this represent a violation of the Standards? A. Yes,because internal control should be evaluated on every engagement and the internal www.CertificationKing.com 7 IIA IIA-CIA-Part1 : Practice Test control questionnaire is the mandated approach to evaluate controls. B. Yes,because internal control should be evaluated on every engagement and the internal control questionnaire is the most efficient method to do so. C. No,because auditors may omit necessary procedures if there is a time constraint,based on audit judgment. D. No,because auditors are not required to complete internal control questionnaires on every engagement.

D. No, because auditors are not required to complete internal control questionnaires on every engagement.

Which of the following actions would be considered a violation of the Standards? I.Drafts of engagement communications were reviewed with the audit client to obtain input. The client's comments were considered when developing the engagement final communication. II.An auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development. III.Given limited resources,the chief audit executive performed a risk analysis to determine which functions to audit. A. IIonly B. I and III only C. I,II,and III. D. None of the above.

D. None of the above.

Which of the following internal control weaknesses would an auditor most likely detect while reviewing a flowchart that depicts the purchasing function of an organization? A. Purchasing policies have not been updated. B. The organization is not taking advantage of quantity discounts available from its suppliers. C. Payments for goods received have not been authorized at the appropriate level. D. Payments to suppliers are made before goods are received.

D. Payments to suppliers are made before goods are received.

Which of the following audit activities is within the scope of assurance activities as stated in the International Professional Practices Framework? A. Review a make-or-buy decision and report a recommendation to management for approval. B. Participate in negotiations for a corporate acquisition. C. Assess financing alternatives for a new generator. D. Perform an evaluation of management's planning process.

D. Perform an evaluation of management's planning process.

Which of the following would be the most useful in developing an annual audit plan? A. General purpose audit software. B. Voting software and hardware. C. Flowcharting and data capture software. D. Risk assessment software

D. Risk assessment software

Which of the following factors affects the control risk of a company? A. Potential problems like technological obsolescence. B. Unusual pressures on management. C. Complex accounts that require expert valuations. D. Segregation of duties.

D. Segregation of duties.

In an assurance engagement of treasury operations,an internal auditor is required to consider all of the following issues except: A. The audit committee has requested assurance on the treasury department's compliance with a new policy on the use of financial instruments. B. Treasury management has not instituted any risk management policies. C. Due to the recent sale of a division,the amount of cash and marketable securities managed by the treasury department has increased by 350 percent. D. The external auditors have indicated some difficulties in obtaining account confirmations.

D. The external auditors have indicated some difficulties in obtaining account confirmations.

An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions,including the use of hedging strategies and financial derivatives,use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement? A. Investigation of the physical security over access to the components of the LAN. B. The ability of the LAN application to identify data items at the field or record level and implement user access security at that level. C. Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise. D. The level of security of other LANs in the company which also utilize sensitive data.

D. The level of security of other LANs in the company which also utilize sensitive data.

An auditor for a large wholesaler is evaluating the controls over the approval and oversight of credit sales. Which of the following procedures would be a control weakness? A. The credit department is responsible for approving shipments to all customers. B. The finance committee of the board of directors periodically reviews credit standards. C. Customers who fail to meet credit requirements must pay cash for shipments upon delivery. D. The sales department is responsible for determining the credit ratings of customers.

D. The sales department is responsible for determining the credit ratings of customers.

An organization has a policy requiring two signatures on all checks written for amounts in excess of $10,000. When evaluating controls over disbursements,an auditor would conclude that a greater risk exists if. A. The auditor located two checks for $9,000 each that contained one authorized signature. B. The $10,000 was an immaterial amount to the organization and very few cash disbursements required an amount in excess of $10,000. C. The director of accounting was not one of the authorized signers. D. There were several instances in which successively numbered checks for amounts between $5,000 and $10,000 were made payable to the same vendor.

D. There were several instances in which successively numbered checks for amounts between $5,000 and $10,000 were made payable to the same vendor.

An organization has developed a large database that tracks employees,employee benefits,payroll deductions,job classifications,and other similar information. In order to test whether data currently within the automated system are correct,an auditor should: A. Use test data and determine whether all the data entered are captured correctly in the updated database. B. Select a sample of data to be entered for a few days and trace the data to the updated database to determine the correctness of the updates. C. Use generalized audit software to provide a printout of all employees with invalid job descriptions. Investigate the causes of the problems. D. Use generalized audit software to select a sample of employees from the database. Verify the data fields.

D. Use generalized audit software to select a sample of employees from the database. Verify the data fields.