CIA Exam Part 1: Study Unit (2)
The reporting relationship within the organization's management structure that facilitates the day-to-day operations of the internal audit activity is A. Administrative reporting. B. Financial reporting. C. Management reporting. D. Functional reporting.
Answer (A) is correct. Administrative reporting is the reporting relationship within the organization's management structure that facilitates the day-to-day operations of the internal audit activity. Administrative reporting typically includes (1) budgeting and management accounting; (2) human resource administration, including personnel evaluations and compensation; (3) internal communications and information flows; and (4) administration of the organization's internal policies and procedures (PA 1110-1, para. 4).
During a consulting engagement, an internal auditor should exercise due professional care by considering which of the following? Needs and expectations of engagement clients Relative complexity and extent of work needed Cost of the consulting engagement A. 1 and 2. B. 2 and 3. C. 1 and 3. D. 1, 2, and 3.
Answer (D) is correct. The internal auditor must exercise due professional care during a consulting engagement by considering the Needs and expectations of engagement clients, including the nature, timing, and communication of engagement results. Relative complexity and extent of work needed to achieve the engagement's objectives. Cost of the consulting engagement in relation to potential benefits (Impl. Std. 1220.C1).
Independence permits internal auditors to render impartial and unbiased judgments. The best way to achieve independence is through A. Individual knowledge and skills. B. A dual-reporting relationship. C. Supervision within the organization. D. Organizational knowledge and skills.
Answer (B) is correct. Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the CAE has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship (Inter. Std. 1100).
The internal audit activity's quality assurance and improvement program is the responsibility of A. External auditors. B. The chief audit executive. C. The board. D. The audit committee.
Answer (B) is correct. The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity (Attr. Std. 1300).
The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. All of the following are included in a quality program except A. Annual appraisals of individual internal auditors' performance. B. Periodic internal assessment. C. Supervision. D. Periodic external assessments.
Answer (A) is correct. Appraising each internal auditor's work at least annually is properly a function of the human resources program of the internal audit activity.
Which of the following would demonstrate that the internal audit activity is in compliance with IIA practices? A. The chief audit executive determines the form and content of the results communicated. B. The results of external assessments are communicated upon their completion. C. The results of periodic internal assessments are communicated at least twice a year. D. The results of ongoing monitoring are communicated upon their completion.
Answer (B) is correct. "To demonstrate conformance with the Definition of Internal Auditing and the Standards, and application of the Code of Ethics, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor's or assessment team's evaluation with respect to the degree of conformance" (Inter. Std. 1320).
Freedom from conditions that threaten internal auditors' ability to do unbiased work is A. Control. B. Compliance. C. Independence. D. Avoidance of conflicts of interest.
Answer (C) is correct. Independence is "the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner" (The IIA Glossary).
The CAE bears the responsibility to do which of the following? A. Assess the level of independence of the board. B. Assess the level of knowledge, skills, and competencies of the chief financial officer. C. Foster collective objectivity. D. Foster individual objectivity.
Answer (D) is correct. The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.
The interpretation related to quality assurance given by the Standards is that A. External assessments can provide senior management and the board with independent assurance about the quality of the internal audit activity. B. Appropriate follow-up to an external assessment is the responsibility of the chief audit executive's immediate supervisor. C. The internal audit activity is primarily measured against The IIA's Code of Ethics. D. Supervision is limited to the planning, examination, evaluation, communication, and follow-up process.
Answer (A) is correct. External assessments provide an independent and objective evaluation of the internal audit activity's compliance with the Standards and Code of Ethics.
As a part of a quality program, internal assessment teams most likely will examine which of the following to evaluate the quality of engagement planning and documentation for individual engagements? A. Written engagement work programs. B. Project assignment documentation. C. Weekly status reports. D. The long-range engagement work schedule.
Answer (A) is correct. Internal assessments must include ongoing monitoring of the performance of the internal audit activity and periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal auditing practices (Attr. Std. 1311). The processes and tools used in ongoing internal assessments include, among other things, selective peer reviews of working papers by staff not involved in the respective audits (PA 1311-1, para. 1).
Internal auditors may include in their audit report that their activities conform with The IIA Standards. They may use this statement only if A. It is supported by the results of the quality program. B. An independent external assessment of the internal audit activity is conducted annually. C. Senior management or the board is accountable for implementing a quality program. D. External assessments of the internal audit activity are made by external auditors.
Answer (A) is correct. The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement (Attr. Std. 1321).
An internal auditor must exercise due professional care in performing engagements. Due professional care includes A. Establishing direct communication between the chief audit executive and the board. B. Evaluating established operating standards and determining whether those standards are adequate. C. Accumulating sufficient information so that the internal auditor can give absolute assurance that irregularities do not exist. D. Establishing suitable criteria of education and experience for filling internal auditing positions.
Answer (B) is correct. In the exercise of due professional care, an internal auditor must, among other things, consider the adequacy and effectiveness of governance, risk management, and control processes (Impl. Std. 1220.A1). Establishing adequate operating standards is a governance process.
Internal auditors are responsible for continuing their education to maintain their proficiency. Which of the following is true regarding the continuing education requirements of the practicing internal auditor? A. Internal auditors are required to obtain 40 hours of continuing professional education each year and a minimum of 120 hours over a 3-year period. B. CIAs have formal requirements that must be met in order to continue as CIAs. C. Attendance, as an officer or committee member, at formal IIA meetings does not meet the criteria of continuing professional development. D. In-house programs meet continuing professional education requirements only if they have been preapproved by The IIA.
Answer (B) is correct. Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development (Attr. Std. 1230). To maintain the CIA designation, the CIA must commit to a formal program of continuing professional development and report to the Certification Department of The IIA.
Assurance engagements must be performed with proficiency and due professional care. Accordingly, the Standards require internal auditors to Consider the probability of significant noncompliance Perform assurance procedures with due professional care so that all significant risks are identified Weigh the cost of assurance against the benefits A. 1 and 2 only. B. 1 and 3 only. C. 2 and 3 only. D. 1, 2, and 3.
Answer (B) is correct. Internal auditors must exercise due professional care by considering the Extent of work needed to achieve the engagement's objectives Relative complexity, materiality, or significance of matters to which assurance procedures are applied Adequacy and effectiveness of governance, risk management, and control processes Probability of significant errors, fraud, or noncompliance Cost of assurance in relation to potential benefits (Impl. Std. 1220.A1) Assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified (Impl. Std. 1220.A3).
Ordinarily, those conducting internal quality program assessments report to A. The board. B. The chief audit executive. C. Senior management. D. The internal audit staff.
Answer (B) is correct. The CAE establishes a structure for reporting results of internal assessments that maintains appropriate credibility and objectivity. Generally, those assigned responsibility for conducting ongoing and periodic reviews report to the CAE while performing the reviews and communicate results directly to the CAE (PA 1311-1, para. 7).
An individual became head of the internal audit activity of an organization 1 week ago. An engagement client has come to the person complaining vigorously that one of the internal auditors is taking up an excessive amount of client time on an engagement that seems to be lacking a clear purpose. In handling this conflict with a client, the person should consider A. Discounting what is said, but documenting the complaint. B. Whether existing procedures within the internal audit activity provide for proper planning and quality assurance. C. Presenting an immediate defense of the internal auditor based upon currently known facts. D. Promising the client that the internal auditor will finish the work within 1 week.
Answer (B) is correct. The CAE should examine departmental procedures and the conduct of the specific engagement mentioned to ascertain that proper planning and quality assurance procedures are in place and are being followed.
A quality assurance and improvement program of an internal audit activity provides reasonable assurance that internal auditing work is performed in accordance with its charter. Which of the following are designed to provide feedback on the effectiveness of an internal audit activity? Proper supervision Proper training Internal reviews External reviews A. 1, 2, and 3 only. B. 2, 3, and 4 only. C. 1, 3, and 4 only. D. 1, 2, 3, and 4.
Answer (C) is correct. A quality assurance and improvement program is designed to provide reasonable assurance to the various stakeholders of the internal audit activity that it (1) performs in accordance with its charter, (2) operates effectively and efficiently, and (3) is perceived by the stakeholders as adding value and improving operations. These processes include appropriate supervision, periodic internal assessments and ongoing monitoring of quality assurance, and periodic external assessments (PA 1300-1, para. 2).
Due professional care calls for A. Detailed reviews of all transactions related to a particular function. B. Infallibility and extraordinary performance when the system of internal control is known to be weak. C. Consideration of the possibility of material irregularities during every engagement. D. Testing in sufficient detail to give absolute assurance that noncompliance does not exist.
Answer (C) is correct. Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the internal auditor to conduct examinations and verifications to a reasonable extent, but does not require detailed reviews of all transactions. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance should be considered whenever an internal auditor undertakes an internal auditing assignment (PA 1220-1, para. 2).
An internal auditor has some suspicion of, but no information about, potential misstatement of financial statements. The internal auditor fails to exercise due professional care by A. Identifying potential ways in which a misstatement could occur and ranking the items for investigation. B. Informing the engagement manager of the suspicions and asking for advice on how to proceed. C. Not testing for possible misstatement because the engagement work program had already been approved by engagement management. D. Expanding the engagement work program, without the engagement client's approval, to address the highest ranked ways in which a misstatement may have occurred.
Answer (C) is correct. Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor (Attr. Std. 1220). Engagement work programs are expected to be modified to reflect changing circumstances. Thus, the internal auditor fails to exercise due professional care by not investigating a suspected misstatement solely because the work program had already been approved.
In exercising due professional care, internal auditors must consider which of the following? The relative complexity, materiality, or significance of matters to which assurance procedures are applied The extent of assurance procedures necessary to ensure that all significant risks will be identified The probability of significant errors, irregularities, or noncompliance A. 1 and 2 only. B. 2 and 3 only. C. 1 and 3 only. D. 1, 2, and 3.
Answer (C) is correct. Internal auditors must exercise due professional care by considering the Extent of work needed to achieve the engagement's objectives Relative complexity, materiality, or significance of matters to which assurance procedures are applied Adequacy and effectiveness of governance, risk management, and control processes Probability of significant errors, fraud, or noncompliance Cost of assurance in relation to potential benefits (Impl. Std. 1220.A1) Assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified (Impl. Std. 1220.A3)
External assessment of an internal audit activity is not likely to evaluate A. Adherence to the internal audit activity's charter. B. Conformance with the Standards. C. Detailed cost-benefit analysis of the internal audit activity. D. The tools and techniques employed by the internal audit activity.
Answer (C) is correct. The external assessment has a broad scope of coverage that includes (1) conformance with The IIA's mandatory guidance and the internal audit activity's charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements; (2) the expectations of the internal audit activity expressed by the board, senior management, and operational managers; (3) the integration of the internal audit activity into the governance process; (4) the tools and techniques employed by the internal audit activity; (5) the mix of knowledge, experience, and disciplines within the staff, including staff focus on process improvement; and (6) the determination whether the internal audit activity adds value and improves operations (PA 1312-1, para. 10). However, the costs and benefits of internal auditing are neither easily quantifiable nor the subject of an external assessment.
A staff internal auditor performed a portion of an engagement to review an organization's marketing function. In particular, the internal auditor evaluated the function's effective and efficient use of resources to identify 1. Underused facilities 2. Overstaffing or understaffing 3. Nonproductive work 4. Procedures that were not cost justified To test for underused facilities, the internal auditor performed a complete walk-through of all spaces assigned to the marketing function and evaluated the use of both space and capital equipment. The internal auditor analyzed reports on space usage for the last year and concluded that facilities were neither underused nor used at maximum capacity. To test for overstaffing or understaffing, the internal auditor compared current staffing levels with a staffing analysis recently completed by an independent contractor. Because the staffing analysis used work standards and service demands to provide factual and reliable information on staffing requirements, the internal auditor was able to conclude that staffing levels were optimal. To test for nonproductive work, the internal auditor interviewed an employee from each level and, based upon their responses, concluded that no significant amount of nonproductive work was being performed. Thus, the internal auditor concluded that additional engagement work to search for procedures that were not cost-justified would not be necessary. In reference to requirements 3 and 4, due professional care A. Was exercised because the internal auditor applied reasonable care and competence in both areas. B. Was not exercised because the internal auditor failed to apply reasonable care and competence regarding requirement 3. C. Was not exercised because the internal auditor failed to apply reasonable care and competence regarding both requirements 3 and 4. D. Was not exercised because the internal auditor failed to apply reasonable care and competence regarding requirement 4.
Answer (C) is correct. The procedures performed as a basis for concluding that no nonproductive work was accomplished resulted in a failure to identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives (Perf. Std. 2310). The opinions of individuals whose work was in question lacks reliability. Given that the information regarding area 4 was based on that for area 3, it also is suspect.
An external assessment of an internal audit activity contains an expressed opinion. The opinion applies A. Only to the internal audit activity's conformance with the Standards. B. Only to the effectiveness of the internal auditing coverage. C. Only to the adequacy of internal control. D. To the entire spectrum of assurance and consulting work.
Answer (D) is correct. External assessments of an internal audit activity contain an expressed opinion as to the entire spectrum of assurance and consulting work performed (or that should have been performed under its charter), including (but not limited to) conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. An external assessment also includes, as appropriate, recommendations for improvement (PA 1312-1, para. 2).
A certified internal auditor performed an assurance engagement to review a department store's cash function. Which of the following actions will be deemed lacking in due professional care? A. Organizational records were reviewed to determine whether all employees who handle cash receipts and disbursements were bonded. B. A flowchart of the entire cash function was developed, but only a sample of transactions was tested. C. The final engagement communication included a well-supported recommendation for the reduction in staff, although it was known that such a reduction would adversely affect morale. D. Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed.
Answer (D) is correct. Internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist (PA 1220-1, para. 2).
Which of the following is only part of an internal audit activity's quality assurance program rather than being included as part of other responsibilities of the chief audit executive (CAE)? A. The CAE provides information about and access to internal audit working papers to the external auditors to enable them to understand and determine the degree to which they may rely on the internal auditors' work. B. Management approves a formal charter establishing the purpose, authority, and responsibility of the internal audit activity. C. Each individual internal auditor's performance is appraised at least annually. D. Supervision of an internal auditor's work is performed throughout each audit engagement.
Answer (D) is correct. The CAE develops and maintains a quality assurance and improvement program (Attr. Std. 1300) that includes ongoing and periodic assessments (PA 1300-1, para. 2). Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity. Among the processes and tools used in ongoing internal assessments is engagement supervision (PA 1311-1, para. 1).
When is initial use of the conformance phrase by internal auditors appropriate? A. After an internal review completed within the past 5 years. B. After an external review completed within the past 10 years. C. After an internal review completed within the past 10 years. D. After an external review completed within the past 5 years.
Answer (D) is correct. The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement (Attr. Std. 1321). The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least 5 years will also have the results of external assessments (Inter. Std. 1321). Thus, to use the phrase, the chief audit executive of an internal audit activity in existence for at least 5 years must have the results of an external assessment within that period.
Which of the following activities is not presumed to impair the objectivity of an internal auditor? Recommending standards of control for a new information system application Drafting procedures for running a new computer application to ensure that proper controls are installed Performing reviews of procedures for a new computer application before it is installed A. 1 only. B. 2 only. C. 3 only. D. 1 and 3.
Answer (D) is correct. The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, or drafting procedures for operating systems is presumed to impair objectivity (PA 1120-1, para. 4).
According to the International Professional Practices Framework, the independence of the internal audit activity is achieved through A. Staffing and supervision. B. Continuing professional development and due professional care. C. Human relations and communications. D. Organizational status and objectivity.
Answer (D) is correct. The organizational status most conducive to this degree of independence is a dual-reporting relationship. Objectivity is an individual attribute of each internal auditor. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others (Inter. Attr. Std. 1100, para. 2).
The internal audit activity collectively must possess or obtain certain competencies, including proficiency in A. Internal audit procedures and techniques. B. Accounting principles and techniques. C. Management principles. D. Marketing techniques.
Answer (A) is correct. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance. Internal auditors must be proficient in applying internal audit standards, procedures, and techniques in performing engagements (PA 1210-1, para. 1).
The organizational level to which the internal audit activity reports A. Must be sufficient to permit the accomplishment of the activity's responsibilities. B. Is best when reporting is only made to the board of directors. C. Requires only the board's annual approval of the engagement work schedule, staffing plan, and financial budget. D. Is guaranteed when the charter specifically defines the activity's independence.
Answer (A) is correct. The CAE must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities (Attr. Std. 1110).
The consultative approach to internal auditing emphasizes A. Imposition of corrective measures. B. Participation with engagement clients to improve methods. C. Fraud investigation. D. Implementation of policies and procedures.
Answer (B) is correct. Consultation with the engagement client not only facilitates the planning and performance of the engagement but is a courtesy that enhances the internal auditor-client relationship. Developing a positive relationship produces a more favorable environment for the engagement effort. Moreover, involving the client in the engagement process is likely to increase acceptance of recommended changes.
An internal auditor who had been supervisor of the accounts payable section should not perform an assurance review of that section A. Because a reasonable period of time in which to establish independence cannot be determined. B. Until at least 1 year has elapsed. C. Until after the next annual review by the external auditors. D. Until it is clear that the new supervisor has assumed the responsibilities.
Answer (B) is correct. Persons transferred to, or temporarily engaged by, the internal audit activity should not be assigned to audit activities they previously performed until at least 1 year has elapsed. Such assignments are presumed to impair objectivity (PA 1130.A1-1, para. 1).
An external quality assessment team was evaluating the independence of an internal audit activity. The internal audit activity performs engagements concerning all of the elements included in its scope. Which of the following reporting responsibilities is most likely to threaten the internal audit activity's independence? Reporting to the A. President. B. Chief financial officer. C. Executive vice president. D. Audit committee.
Answer (B) is correct. The CAE must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities (Attr. Std. 1110). The higher the level to which the internal audit activity reports, the more likely that independence will be assured. Reporting to the chief financial officer limits the influence and independence of the internal audit activity.
All of the following will help the CAE identify the available knowledge, skills, and competencies of the internal audit staff except A. Hiring practices. B. Periodic skills assessment. C. External service provider. D. Staff performance appraisals.
Answer (C) is correct. External service providers are used when the internal audit staff does not have the necessary knowledge, skills, and competencies to fulfill the responsibilities of the internal audit activity.
The reporting structure that is most likely to allow the internal audit activity to accomplish its responsibilities is to report administratively to the A. Board and functionally to the chief executive officer. B. Controller and functionally to the chief financial officer. C. Chief executive officer and functionally to the board of directors. D. Chief executive officer and functionally to the external auditor.
Answer (C) is correct. Reporting functionally to the board and administratively to the organization's CEO facilitates organizational independence (PA 1110-1, para. 2).
An organization is planning to develop and implement a new computerized purchase order system in one of its manufacturing subsidiaries. The vice president of manufacturing has requested that internal auditors participate on a team consisting of representatives from finance, manufacturing, purchasing, and marketing. This team will be responsible for the implementation effort. Eager to take on this high profile project, the chief audit executive assigns a senior internal auditor to the project to assist "as needed." Assuming the senior internal auditor performed all of the following activities, which one will impair objectivity if the internal auditor is asked to review the purchase order system on a post-engagement basis? A. Helping to identify and define control objectives. B. Testing for compliance with system development standards. C. Evaluate risk exposures of systems and programming standards. D. Drafting operating procedures for the new system.
Answer (D) is correct. An internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, drafting procedures for, or operating systems, however, are presumed to impair the internal auditor's objectivity (PA 1120-1, para. 4).
An internal auditor assigned to audit a vendor's compliance with product quality standards is the brother of the vendor's controller. The auditor should A. Accept the assignment but avoid contact with the controller during fieldwork. B. Accept the assignment but disclose the relationship in the engagement final communication. C. Notify the vendor of the potential conflict of interest. D. Notify the chief audit executive of the potential conflict of interest.
Answer (D) is correct. Internal auditors are to report to the chief audit executive (CAE) any situations in which an actual or potential impairment to independence or objectivity may reasonably be inferred, or if they have questions about whether a situation constitutes an impairment to objectivity or independence (PA 1130-1, para. 1).
In which of the following scenarios does the auditor most likely have organizational independence but lack objectivity? A. Reports to the audit client but does not report fully about the reason for corrective action taken. B. Reports to the board and reports fully about corrective action taken. C. Reports to the audit client and reports fully about corrective action taken. D. Reports to the board but does not report fully about the reason for corrective action taken.
Answer (D) is correct. Organizational independence is effectively achieved when the CAE reports functionally to the board (Inter. Attr. Std. 1110). Failing to report fully about the reason for corrective action may imply bias (a loss of objectivity) with regard to the audit client.
Internal auditors must possess the knowledge, skills, and other competencies essential to the performance of their individual responsibilities. Consequently, all internal auditors should be proficient in applying A. Internal auditing standards. B. Quantitative methods. C. Management principles. D. Structured systems analysis.
Answer (A) is correct. All internal auditors should be proficient in applying internal auditing standards, procedures, and techniques required in performing engagements. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance (PA 1210-1, para. 1).
An internal audit activity is currently undergoing its first external quality assurance review since its formation 3 years ago. From interviews, the review team is informed of certain internal auditor activities over the past year. Which of the following activities could affect the quality assurance review team's evaluation of the objectivity of the internal auditors? A. One internal auditor told the review team that, during an engagement to review the payroll function, the payroll manager approached the auditor. The manager indicated the need for an accountant to prepare financial statements for the manager's part-time business. The internal auditor agreed to perform this work for a reduced fee during non-work hours. B. During an engagement to review the construction of a building addition to the organization's headquarters, the vice president of facilities management gave the internal auditor a commemorative mug with the organization's logo. These mugs were distributed to all employees present at the ground-breaking ceremony. C. After reviewing the installation of a data processing system, the internal auditor made recommendations on standards of control. Three months after completion of the engagement, the engagement client requested the internal auditor's review of certain procedures for adequacy. The internal auditor agreed and performed this review. D. An internal auditor's participation was requested on a task force to reduce the organization's inventory losses from theft and shrinkage. This is the first consulting assignment undertaken by the internal audit activity. The internal auditor's role is to advise the task force on appropriate control procedures.
Answer (A) is correct. An internal auditor is not to accept a fee, gift, or entertainment from an employee, client, customer, supplier, or business associate that may create the appearance that the auditor's objectivity has been impaired (PA 1130-1, para. 4).
An internal auditor has recently received an offer from the manager of the marketing department of a weekend's free use of his beachfront condominium. No engagement is currently being conducted in the marketing department, and none is scheduled. The internal auditor A. Should reject the offer and report it to the appropriate supervisor. B. May accept the offer because its value is immaterial. C. May accept the offer because no engagement is being conducted or planned. D. May accept the offer if approved by the appropriate supervisor.
Answer (A) is correct. An internal auditor is not to accept fees, gifts, or entertainment from an employee, client, customer, supplier, or business associate. Accepting a fee or gift may imply that the auditor's objectivity has been impaired. Even though an engagement is not being conducted in the applicable area at that time, a future engagement may result in the appearance of impairment of objectivity. Thus, no consideration should be given to the engagement status as justification for receiving fees or gifts. The receipt of promotional items (such as pens, calendars, or samples) that are available to the general public and have minimal value do not hinder internal auditors' professional judgments (PA 1130-1, para. 4). Impairment of independence or objectivity, in fact or appearance, must be disclosed to appropriate parties (Attr. Std. 1130).
Which of the following most seriously compromises confidence in the internal audit activity? A. Internal auditors frequently draft revised procedures for departments whose procedures have been criticized in an engagement communication. B. The chief audit executive has dual reporting responsibility to the organization's chief executive officer and the board of directors. C. The internal audit activity and the organization's external auditors engage in joint planning of total engagement coverage to avoid duplicating each other's work. D. The internal audit activity is included in the review cycle of the organization's contracts with other organizations before the contracts are executed.
Answer (A) is correct. Confidence in the internal audit activity derives from independence (an attribute of the internal audit activity as a whole), and objectivity (an attribute of individual internal auditors). Because designing, installing, drafting procedures for, or operating systems impairs the objectivity of internal auditors (PA 1120-1, para. 4), such services may create a conflict of interest, a situation in which internal auditors have a competing professional or personal interest. This may create an appearance of impropriety that undermines confidence in the internal audit activity (Inter. Attr. Std. 1120).
The internal audit activity collectively must possess or obtain certain competencies, including an appreciation of A. Internal audit procedures and techniques. B. Accounting principles and techniques. C. Management principles. D. Marketing techniques.
Answer (B) is correct. An appreciation means the ability to recognize the existence of problems or potential problems and to identify the additional research to be undertaken or the assistance to be obtained. Internal auditors must have an appreciation of the fundamentals of business subjects, such as accounting, economics, commercial law, taxation, finance, quantitative methods, information technology, risk management, and fraud (PA 1210-1, para. 1).
Fact Pattern: A staff internal auditor performed a portion of an engagement to review an organization's marketing function. In particular, the internal auditor evaluated the function's effective and efficient use of resources to identify 1. Underused facilities 2. Overstaffing or understaffing 3. Nonproductive work 4. Procedures that were not cost justified To test for underused facilities, the internal auditor performed a complete walk-through of all spaces assigned to the marketing function and evaluated the use of both space and capital equipment. The internal auditor analyzed reports on space usage for the last year and concluded that facilities were neither underused nor used at maximum capacity. To test for overstaffing or understaffing, the internal auditor compared current staffing levels with a staffing analysis recently completed by an independent contractor. Because the staffing analysis used work standards and service demands to provide factual and reliable information on staffing requirements, the internal auditor was able to conclude that staffing levels were optimal. To test for nonproductive work, the internal auditor interviewed an employee from each level and, based upon their responses, concluded that no significant amount of nonproductive work was being performed. Thus, the internal auditor concluded that additional engagement work to search for procedures that were not cost-justified would not be necessary. In reference to requirements 1 and 2, due professional care A. Was exercised because the internal auditor applied reasonable care and competence in both areas. B. Was not exercised because the internal auditor failed to apply reasonable care regarding requirement 2. C. Was not exercised because the internal auditor failed to apply reasonable care regarding requirements 1 and 2. D. Was not exercised because the internal auditor failed to apply reasonable care regarding requirement 1.
Answer (A) is correct. Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. Thus, due professional care requires the internal auditor to conduct examinations and verifications to a reasonable extent. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance needs to be considered whenever the internal auditor undertakes an internal audit assignment (PA 1220-1, para. 2). Accordingly, the work performed with regard to facilities usage and staffing was adequate and would withstand normal scrutiny.
With regard to the exercise of due professional care, an internal auditor should A. Consider the relative materiality or significance of matters to which assurance procedures are applied. B. Emphasize the potential benefits of an engagement without regard to the cost. C. Consider whether criteria have been established to determine whether goals are achieved, not whether those criteria are adequate. D. Select procedures that are likely to provide absolute assurance that irregularities do not exist.
Answer (A) is correct. Exercising due professional care means applying the care and skill expected of a reasonably prudent and competent internal auditor (Attr. Std. 1220). Internal auditors must exercise due professional care by considering, among other things, the relative complexity, materiality, or significance of matters to which assurance procedures are applied (Impl. Std. 1220.A1).
Independence is freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Which policy best promotes independence? A. Requiring internal auditors to report to the chief audit executive any conflicts of interest or bias. B. Preventing the internal audit activity from recommending standards of control for systems that it evaluates. C. Allowing engagements concerning sensitive operations to be outsourced. D. Preventing personnel transfers from operating activities to the internal audit activity.
Answer (A) is correct. Internal auditors are to report to the chief audit executive (CAE) any situation in which (1) an actual or potential impairment of independence or objectivity may reasonably be inferred or (2) they have questions about whether the situation constitutes an impairment of objectivity or independence. If the CAE determines that impairment exists or may be inferred, (s)he needs to reassign the auditor(s) (PA 1130-1, para. 1).
What is the most appropriate preventive measure for staff communication problems with engagement clients? A. Provide staff with sufficient training to enhance communication skills. B. Avoid unnecessary communication with engagement clients. C. Discuss communication problems with staff auditors. D. Meet with engagement clients to resolve communication problems.
Answer (A) is correct. Internal auditors must be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations (PA 1210-1, para. 1).
Objectivity is most likely impaired by an internal auditor's A. Continuation on an engagement at a division for which (s)he will soon be responsible as the result of a promotion. B. Reduction of the scope of an engagement due to budget restrictions. C. Participation on a task force that recommends standards for control of a new distribution system. D. Review of a purchasing agent's contract drafts prior to their execution.
Answer (A) is correct. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest (Attr. Std. 1120). Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest (Inter. Std. 1120). The internal auditor's promotion may create a bias.
Reasonable assurance should be obtained as to each prospective internal auditor's qualifications and proficiency. Which of the following is the least useful application of this principle? A. Determining that all applicants have an accounting degree. B. Obtaining college transcripts. C. Checking an applicant's references. D. Determining previous job experience.
Answer (A) is correct. Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (Attr. Std. 1210). Each member of the internal audit activity, however, need not be qualified in all disciplines (PA 1210.A1-1, para. 1).
Internal auditors should be objective. Objectivity A. Requires internal auditors not to subordinate their judgment on audit matters to that of others. B. Is required only in assurance engagements. C. Is freedom from threats to the ability to perform audit work without bias. D. Prohibits internal auditors from providing consulting services relating to operations for which they had previous responsibility.
Answer (A) is correct. Objectivity is "an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others" (The IIA Glossary).
Assessment of a quality assurance and improvement program should include evaluation of all of the following except A. Adequacy of the oversight of the work of external auditors. B. Conformance with the Standards and Code of Ethics. C. Adequacy of the internal audit activity's charter. D. Contribution to the organization's governance processes.
Answer (A) is correct. Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board (PA 2050-1, para. 1). It is not within the scope of the process for monitoring and assessing the quality program.
Internal auditors must have the knowledge, skills, and other competencies needed to perform their individual responsibilities. Which of the following properly describes the level of knowledge, skill, or other competency required? Internal auditors must have A. Proficiency in applying internal auditing standards and procedures without extensive recourse to technical research and assistance. B. Proficiency in applying knowledge of accounting and information technology to specific or potential problems. C. An understanding of broad techniques used in supporting and developing engagement observations and the ability to research the proper procedures to be used in any engagement situation. D. A broad appreciation of accounting principles and techniques during engagements involving the financial records and reports of the organization.
Answer (A) is correct. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance. An internal auditor must be proficient in applying internal auditing standards, procedures, and techniques in performing engagements (PA 1210-1, para. 1).
At a minimum, how often should the skills of the internal audit staff be assessed? A. Annually. B. Every 5 years. C. Quarterly. D. Semi-annually.
Answer (A) is correct. The CAE should conduct periodic skills assessments to determine the specific resources available. Assessments should be performed at least annually.
A charter is being drafted for a newly formed internal audit activity. Which of the following best describes an appropriate organizational position to be incorporated into the charter? A. The chief audit executive reports to the chief executive officer but has access to the board. B. The chief audit executive is a member of the board. C. The chief audit executive is a staff officer reporting to the chief financial officer. D. The chief audit executive reports to an administrative vice president.
Answer (A) is correct. The CAE, reporting functionally to the board and administratively to the organization's CEO, facilitates organizational independence (PA 1110-1, para. 2). The CAE must communicate and interact directly with the board (Attr. Std. 1111).
Which of the following actions is required of the CAE and internal auditors themselves in regard to the objectivity of internal auditors? A. Maintain. B. Delegate. C. Enhance. D. Promote.
Answer (A) is correct. The responsibility rests with the CAE and with internal auditors themselves to maintain a sense of objectivity.
A multinational organization has an agreement with a value-added network (VAN) that provides the encoding and communications transfer for the organization's electronic data interchange (EDI) and electronic funds transfer (EFT) transactions. Before transfer of data to the VAN, the organization performs online preprocessing of the transactions. The internal auditor is responsible for assessing preprocessing controls. In addition, the agreement between the organization and the VAN states that the internal auditor is allowed to examine and report on the controls in place at the VAN on an annual basis. The contract specifies that access to the VAN can occur on a surprise basis during the second or third quarter of the fiscal year. This period was chosen so it would not interfere with processing during the VAN's peak transaction periods. This provision was not reviewed with internal auditing. The annual engagement work schedule approved by the board of directors specifies that a full review would be done during the current year. When the internal auditor called to arrange the annual control review during the third quarter, the VAN stated that it could not accommodate the internal auditor because the peak processing period started earlier than normal this year and all VAN personnel were occupied. This scope limitation, along with its potential effect, must be communicated to which one of the following? A. The organization's board of directors. B. The board of directors of the VAN. C. The board of directors of both the organization and the VAN. D. The limitation does not need to be communicated at the board of directors level.
Answer (A) is correct. The scope limitation and its potential effect should be communicated, preferably in writing, to the board. However, the chief audit executive needs to consider whether it is appropriate to inform the board regarding scope limitations that were previously communicated to and accepted by the board (PA 1130-1, para. 3).
During the course of an engagement, an internal auditor makes a preliminary determination that a major division has been inappropriately capitalizing research and development expense. The engagement is not yet completed, and the internal auditor has not documented the problem or determined that it really is a problem. However, the internal auditor is informed that the chief audit executive has received the following communication from the president of the organization: "The controller of Division B informs me that you have discovered a questionable account classification dealing with research and development expense. We are aware of the issue. You are directed to discontinue any further investigation of this matter until informed by me to proceed. Under the confidentiality standard of your profession, I also direct you not to communicate with the outside auditors regarding this issue." Which of the following is an appropriate action for the CAE to take regarding the questionable item? A. Immediately report the communication to The IIA and ask for an ethical interpretation and guidance. B. Inform the president that this scope limitation will need to be reported to the board. C. Continue to investigate the area until all the facts are determined and document all the relevant facts in the engagement records. D. Immediately notify the external auditors of the problem to avoid aiding and abetting a potential crime by the organization.
Answer (B) is correct. A scope limitation along with its potential effect need to be communicated, preferably in writing, to the board (PA 1130-1, para. 3).
Which of the following combinations best illustrates a scope limitation and the appropriate response by the CAE? 1. Nature of Limitation 2. Internal Audit Action A. 1. Engagement client limits scope based upon proprietary information 2. Report only to the controller B. 1. Engagement client will not provide access to records needed for approved work schedule 2. Report to the board C. 1. Engagement client requests that the engagement be delayed for 2 weeks to allow it to close its books 2. Report directly to the CEO and controller D. 1. Engagement client will not allow internal auditor to contact major customers as part of an engagement to evaluate the efficiency of operations 2. No reporting needed because the operational engagement concerns operational efficiency
Answer (B) is correct. A scope limitation is a restriction placed on the internal audit activity that precludes it from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the internal audit activity's access to records, personnel, and physical properties relevant to the performance of engagements (PA 1130-1, para. 2). A scope limitation and its potential effect need to be communicated, preferably in writing, to the board (PA 1130-1, para. 3).
When faced with an imposed scope limitation, the chief audit executive needs to A. Refuse to perform the engagement until the scope limitation is removed. B. Communicate the potential effects of the scope limitation to the board. C. Increase the frequency of engagements concerning the activity in question. D. Assign more experienced personnel to the engagement.
Answer (B) is correct. A scope limitation, along with its potential effect, needs to be communicated, preferably in writing, to the board (PA 1130-1, para. 3)
An appropriate internal auditing role in a feasibility study is to A. Serve on the task force for the preliminary survey. B. Ascertain if the feasibility study addresses cost-benefit relationships. C. Determine the requirements for preparing a manual of specifications. D. Participate in the drafting of recommendations for the computer acquisition and implementation.
Answer (B) is correct. Assessing the adequacy of a feasibility study is properly within the scope of work of internal audit. The other three choices involve internal audit participation in decisions that are properly those of management.
Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. Thus, which of the following is unnecessary? A. The conduct of examinations and verifications to a reasonable extent. B. The conduct of extensive examinations. C. The reasonable assurance that compliance does exist. D. The consideration of the possibility of material irregularities.
Answer (B) is correct. Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. It requires the internal auditor to conduct examinations and verifications to a reasonable extent (PA 1220-1, para. 2).
A professional engineer applied for a position in the internal audit activity of a high technology firm. The engineer became interested in the position after observing several internal auditors while they were performing an engagement in the engineering department. The chief audit executive A. Should not hire the engineer because of the lack of knowledge of internal audit standards. B. May hire the engineer despite the lack of knowledge of internal audit standards. C. Should not hire the engineer because of the lack of knowledge of accounting and taxes. D. May hire the engineer because of the knowledge of internal auditing gained in the previous position.
Answer (B) is correct. Each member of the internal audit activity need not be qualified in all disciplines (PA 1210.A1-1, para. 1).
In some cultures and organizations, managers insist that an internal audit activity is not needed to provide a critical assessment of the organization's operations. This kind of management attitude will most probably have an adverse effect on the internal audit activity's A. Operating budget variance. B. Effectiveness. C. Performance appraisals. D. Policies and procedures.
Answer (B) is correct. In this situation, management is highly averse to analysis or possible criticism of its actions. Consequently, the internal audit activity will most likely not report to an organizational level that will allow it to fulfill its responsibilities (Attr. Std. 1110). Furthermore, engagement communications are unlikely to receive adequate consideration, and appropriate action is unlikely to be taken on engagement recommendations (PA 1110-1, para. 2).
Which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence? A. Risk management consultant. B. Product development team leader. C. Ethics advocate. D. External audit liaison.
Answer (B) is correct. Independence precludes internal auditors from assuming management roles. Product development team leader is a management role.
An internal auditor judged an item to be immaterial when planning an assurance engagement. However, the assurance engagement may still include the item if it is subsequently determined that A. Sufficient staff is available. B. Adverse effects related to the item are likely to occur. C. Related information is reliable. D. Miscellaneous income is affected.
Answer (B) is correct. Internal auditors must exercise due professional care by considering the relative complexity, materiality, or significance of matters to which assurance procedures are applied (Impl. Std. 1220.A1). Materiality judgments are made in the light of all the circumstances and involve qualitative as well as quantitative considerations. Moreover, internal auditors also must consider the interplay of risk with materiality. Consequently, engagement effort may be required for a quantitatively immaterial item if adverse effects are likely to occur, for example, a material contingent liability arising from an illegal payment that is otherwise immaterial.
Internal auditors must be objective in performing their work. Assume that the chief audit executive received an annual bonus as part of that individual's compensation package. The bonus may impair the CAE's objectivity if A. The bonus is administered by the board of directors or its salary administration committee. B. The bonus is based on monetary amounts recovered or recommended future savings as a result of engagements. C. The scope of internal auditing is evaluating control rather than account balances. D. All of the answers are correct.
Answer (B) is correct. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest (Attr. Std. 1120). Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest (Inter. Std. 1120). In this case, the CAE's objectivity could be impaired if the bonus, a competing personal interest, is based on monetary amounts recovered or recommended future savings as a result of engagements.
George is the new internal auditor for XYZ Corporation. George was in charge of payroll for XYZ just 10 months ago. Performing what services in regard to payroll is considered an impairment of independence or objectivity if performed by George? A. Consulting services. B. Assurance services. C. Assurance or consulting services. D. Neither assurance nor consulting services.
Answer (B) is correct. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year (PA 1130.A1-1, para. 1). Thus, if George provides assurance services for payroll, his objectivity is presumed to be impaired. However, internal auditors may provide consulting services relating to operations for which they had previous responsibilities (Impl. Std. 1130.C1).
The CAE should report functionally to the board. The board is responsible for which of the following activities? Internal communication and information flows Approval of the internal audit risk assessment and related audit plan Approval of annual compensation and salary adjustments for the CAE A. 1 and 2 only. B. 2 and 3 only. C. 1 and 3 only. D. 1, 2, and 3.
Answer (B) is correct. Organizational independence is effectively achieved when the CAE reports functionally to the board. Examples of functional reporting to the board involve the board Approving the internal audit charter Approving the risk-based internal audit plan Receiving communications from the CAE on the internal audit activity's performance Approving decisions regarding the appointment and removal of the CAE Making appropriate inquiries of management and the CAE to determine whether there are inappropriate scope or resource limitations (Inter. Attr. Std. 1110)
In which of the following situations does an internal auditor potentially lack objectivity? A. An internal auditor reviews the procedures for a new electronic data interchange (EDI) connection to a major customer before it is implemented. B. A former purchasing assistant performs a review of internal controls over purchasing 4 months after being transferred to the internal auditing department. C. An internal auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits. D. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors.
Answer (B) is correct. Persons transferred to or temporarily engaged by the internal audit activity should not be assigned to audit those activities they previously performed until at least 1 year has elapsed. Such assignments are presumed to impair objectivity (PA 1130.A1-1, para. 1).
Regardless of which reporting relationship the organization chooses, several key actions can help ensure that the reporting lines support and enable the effectiveness and independence of the internal auditing activity. Which key action will not achieve its functional reporting purpose? A. Organizational independence is effectively achieved when the CAE reports functionally to the board (Interpretation of Standard 1110). B. The CAE should meet with the board, with management present, to reinforce the independence of the internal audit activity. C. The board should have the final authority to approve the internal audit risk assessment. D. The board should approve the CAE's performance evaluation.
Answer (B) is correct. Private meetings between the CAE and the board without management present are an essential part of the functional reporting relationship (PA 1110-1, para. 3)
The chief audit executive (CAE) is setting up a team to perform an assurance engagement on the organization's information system security structure. The organization has offices all over the world that rely on the system. The audit team will assess risks, monitor implementation of corrective action, and evaluate controls. Which question does not require an answer when selecting the team to conduct this audit engagement? A. What types of skills are needed on the engagement? B. How many hours are needed to complete the engagement? C. Which auditors have the skills and experience to work on this audit? D. Are specialty skills from outside the internal audit department required?
Answer (B) is correct. Standards 1200 and 1210 cover proficiency. The CAE should ensure that persons assigned to an engagement collectively possess the knowledge, skills, and other competencies required to conduct the engagement properly. If the internal audit activity does not have persons sufficiently proficient in the disciplines required for the engagement, the CAE must obtain competent advice and assistance from experts outside the internal audit activity. Determining the hours needed to complete the engagement is not necessary during the selection of the audit team. This question should be answered during the budgeting phase of planning for the engagement.
An internal auditor most likely will have a conflict of interest by providing an assurance service with regard to a A. Financial activity in which the internal auditor had been a key employee 5 years previously. B. Purchasing activity if a major supplier is owned by the internal auditor's sister-in-law. C. Data processing center for which the internal auditor had performed the service three times previously. D. Computer system for which the internal auditor had been the internal audit activity's representative on the design team.
Answer (B) is correct. The CAE makes staff assignments so that potential and actual conflicts of interest and bias are avoided (PA 1120-1, para. 2). A close relative's involvement with a supplier of an engagement client is an apparent conflict of interest.
Which one of the following is responsible for determining the appropriate levels of education and experience needed for the internal audit staff? A. Human resource manager. B. Chief audit executive. C. Chief executive officer. D. Chief financial officer.
Answer (B) is correct. The CAE must ensure that the internal audit activity is able to fulfill its responsibilities. The CAE must determine the appropriate levels of education and experience needed for the internal audit staff to fulfill that responsibility.
The internal auditors must be able to distinguish carefully between a scope limitation and other limitations. Which of the following is not considered a scope limitation? A. The divisional management of an engagement client has indicated that the division is in the process of converting a major computer system and has indicated that the information systems portion of the planned engagement will have to be postponed until next year. B. The board reviews the engagement work schedule for the year and deletes an engagement that the chief audit executive thought was important to conduct. C. The engagement client has indicated that certain customers cannot be contacted because the organization is in the process of negotiating a long-term contract with the customers and they do not want to upset the customers. D. None of the answers are correct.
Answer (B) is correct. The board's decision to delete an engagement from the annual engagement work schedule is not a scope limitation. The board's approval of the internal audit plan is part of the functional reporting relationship of the internal audit activity to the board (PA 1110-1, para. 3).
Which of the following is responsible for developing and maintaining a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness? A. Senior management. B. Chief audit executive. C. The board of directors. D. Audit committee.
Answer (B) is correct. The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity (Attr. Std.1300).
A treasury department employee transferred to the internal audit activity of the same organization last month. The chief financial officer of the organization has suggested that, because of the employee's significant knowledge in this area, it would be a good idea for the employee to immediately begin an engagement to evaluate the treasury department. In this circumstance, the employee should A. Accept the engagement and begin work immediately. B. Discuss the need for such an engagement with the employee's former superior, the CFO. C. Suggest that the engagement be performed by another member of the internal audit staff. D. Offer to prepare an engagement work program but suggest that interviews with the employee's former co-workers be conducted by other members of the internal audit staff.
Answer (C) is correct. Another internal auditor should be assigned. Persons transferred to or temporarily engaged by the internal audit activity should not be assigned to audit those activities they previously performed until at least 1 year has elapsed. Such assignments are presumed to impair objectivity, and additional consideration should be exercised when supervising the engagement work and communicating engagement results (PA 1130.A1-1, para. 1).
Fact Pattern: A service organization is currently experiencing a significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using in-house developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the chief audit executive, two managers, and five staff auditors, all with financial background. In the past, the primary focus of successful internal audit activities has been the service branches and the six regional division headquarters that support the branches. These division headquarters are the primary targets for possible elimination. The support functions such as human resources, accounting, and purchasing will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Up to this point, the internal audit activity has reported to the chief operating officer. Due to the significant changes, there has been some discussion as to changing this reporting relationship. What would be the best reporting relationship? A. Administratively and functionally to the president. B. Administratively to the president and functionally to the board. C. Administratively to the chief financial officer and functionally to the president. D. Administratively and functionally to the chief operating officer.
Answer (B) is correct. The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities (Attr. Std. 1110). The chief audit executive (CAE), reporting functionally to the board and administratively to the organization's chief executive officer, facilitates organizational independence (PA 1110-1, para. 2).
The major reason for the internal auditor's involvement in information systems development is for the internal auditor to A. Gain familiarity with systems for use in subsequent reviews. B. Help assure that systems have adequate control procedures. C. Help minimize the cost and development time for new systems. D. Propose enhancements for subsequent development and implementation.
Answer (B) is correct. The internal audit activity evaluates and improves risk management, control, and governance processes. The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. The auditor's objectivity is considered to be impaired if the auditor designs, installs, drafts procedures for, or operates such systems (PA 1120-1, para. 4).
An organization is in the process of establishing its new internal audit activity. The controller has no previous experience with internal auditors. Due to this lack of experience, the controller advised the applicants that the CAE will be reporting to the external auditors. However, the new chief audit executive will have free access to the controller to report anything important. The controller will then convey the CAE's concerns to the board of directors. The internal audit activity will A. Be independent because the CAE has direct access to the board. B. Not be independent because the CAE reports to the external auditors. C. Not be independent because the controller has no experience with internal auditors. D. Not be independent because the organization did not specify that the applicants must be certified internal auditors.
Answer (B) is correct. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the CAE has direct and unrestricted access to senior management and the board (Inter. Std. 1100). Also, the CAE must communicate and interact directly with the board (Attr. Std. 1111).
When evaluating the independence of an internal audit activity, a quality assurance review team performing an external assessment considers several factors. Which of the following factors has the least amount of influence when judging an internal audit activity's independence? A. Criteria used in making internal auditors' assignments. B. The extent of internal auditor training in communications skills. C. Relationship between engagement records and engagement communications. D. Impartial and unbiased judgments.
Answer (B) is correct. Training in communication relates to the knowledge, skills, and other competencies needed to perform engagements, not to independence.
The internal audit activity encounters a scope limitation from senior management that will affect the activity's ability to meet its goals and objectives for a potential engagement client. The nature of the scope limitation needs to be A. Noted in the engagement working papers, but the engagement should be carried out as scheduled and the scope limitation worked around, if possible. B. Communicated to the external auditors, so they can investigate the area in more detail. C. Communicated, preferably in writing, to the board. D. Communicated to management stating that the limitation will not be accepted because it would impair the internal audit activity's independence.
Answer (C) is correct. A scope limitation, along with its potential effect, needs to be communicated, preferably in writing, to the board (PA 1130-1, para. 3).
Assuming that the internal auditing staff possesses the necessary experience and training, which of the following services is most appropriate for a staff internal auditor to undertake? A. Substitute for the accounts payable supervisor while (s)he is on sick leave. B. Determine the profitability of alternative investment acquisitions and select the best alternative. C. As part of an evaluation team, review vendor accounting software internal controls and rank according to exposures. D. Participate in an internal audit of the accounting department shortly after transferring from the accounting department.
Answer (C) is correct. An internal auditor's objectivity is not impaired when the auditor recommends standards of control for systems or reviews procedures before they are implemented (PA 1120-1, para. 4).
Internal auditing is unique in that its scope often encompasses all areas of an organization. Thus, it is not possible for each internal auditor to possess detailed competence in all areas that might be the subject of engagements. Which of the following competencies must the internal audit activity possess collectively? A. Understanding of taxation and law as it applies to operation of the organization. B. Proficiency in accounting principles. C. Understanding of management principles. D. Proficiency in information technology.
Answer (C) is correct. An understanding is the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions. The required competencies include an understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practice.
The internal audit activity collectively must possess or obtain certain competencies, including an understanding of A. Internal audit procedures and techniques. B. Accounting principles and techniques. C. Management principles. D. Marketing techniques.
Answer (C) is correct. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions. The required competencies include an understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practice (PA 1210-1, para. 1).
To ensure that due professional care has been taken at all times during an engagement, the internal auditor should always A. Ensure that all financial information related to the audit is included in the audit plan and examined for nonconformance or irregularities. B. Ensure that all audit tests are fully documented. C. Consider the possibility of nonconformance or irregularities at all times during an engagement. D. Communicate any noncompliance or irregularity discovered during an engagement promptly to the audit committee.
Answer (C) is correct. Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. Thus, due professional care requires the internal auditor to conduct examinations and verifications to a reasonable extent. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance needs to be considered whenever the internal auditor undertakes an internal auditing assignment (PA 1220-1, para. 2). Thus, considering the possibility of nonconformance or material irregularities at all times during an engagement is the only way of demonstrating that due professional care has been taken in an internal audit assignment.
Which of the following statements is true with respect to due professional care? A. An internal auditor should perform detailed tests of all transactions before communicating results. B. An item should not be mentioned in an engagement communication unless the internal auditor is absolutely certain of the item. C. An engagement communication should never be viewed as providing an infallible truth about a subject. D. An internal auditor has no responsibility to recommend improvements.
Answer (C) is correct. Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. Thus, it requires the internal auditor to conduct examinations and verifications to a reasonable extent. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist (PA 1220-1, para. 2).
An internal audit activity has scheduled an engagement relating to a construction contract. One portion of this engagement will include comparing materials purchased with those specified in the engineering drawings. The internal audit activity does not have anyone on staff with sufficient expertise to complete this procedure. The chief audit executive should A. Delete the engagement from the schedule. B. Perform the entire engagement using current staff. C. Engage an engineering consultant to perform the comparison. D. Accept the contractor's written representations.
Answer (C) is correct. If the internal auditors lack the necessary expertise, external service providers should be employed who can provide the requisite knowledge, skills, and other competencies.
In the course of field work, an internal auditor discovered an empty petty cash imprest fund. The custodian explained that she had borrowed the money for a family emergency. The auditor verified that the custodian replaced the money the next day and did not mention the misuse of petty cash in any engagement communication. Was the auditor's independence or objectivity affected by the failure to communicate this finding? 1. Independence 2. Objectivity A. 1. Yes 2. No B. 1. Yes 2. Yes C. 1. No 2. Yes D. 1. No 2. No
Answer (C) is correct. Independence is an attribute of the internal audit activity as a whole, not of an individual internal auditor. Thus, independence is not compromised by the acts of a single internal auditor. Objectivity is an attribute of each individual auditor. By aiding in the concealment of a defalcation, the auditor compromised his or her objectivity.
A medium-sized publicly owned organization operating in Country X has grown to a size that the governing authority believes warrants the establishment of an internal audit activity. Country X has legislated internal audit requirements for government-owned organizations. The organization changed the bylaws to reflect the establishment of the internal audit activity. The governing authority decided that the chief audit executive (CAE) must be a certified internal auditor and will report directly to the newly established audit committee. Which of the items discussed above will contribute the most to the new CAE's independence?
Answer (C) is correct. Independence is effectively achieved when the CAE reports functionally to the board (Inter. Std. 1110). The audit committee is a subset of the board.
As part of a company-sponsored award program, an internal auditor was offered an award of significant monetary value by a division in recognition of the cost savings that resulted from the auditor's recommendations. According to the International Professional Practices Framework, what is the most appropriate action for the auditor to take? A. Accept the gift because the engagement is already concluded and the report issued. B. Accept the award under the condition that any proceeds go to charity. C. Inform audit management and ask for direction on whether to accept the gift. D. Decline the gift and advise the division manager's superior
Answer (C) is correct. Internal auditors are not to accept fees, gifts, or entertainment from an employee, client, customer, supplier, or business associate that may create the appearance that the auditor's objectivity has been impaired. The status of engagements is not to be considered as justification for receiving fees, gifts, or entertainment. Internal auditors are to report immediately the offer of all material fees or gifts to their supervisors. (PA 1130-1, para. 4).
An internal auditor observes that a receivables clerk has physical access to and control of cash receipts. The auditor worked with the clerk several years before and has a high level of trust in the individual. Accordingly, the auditor notes in the engagement working papers that controls over receipts are adequate. Has the auditor exercised due professional care? A. Yes, reasonable care has been taken. B. No, irregularities were not noted. C. No, alertness to conditions most likely indicative of irregularities was not shown. D. Yes, the engagement working papers were annotated.
Answer (C) is correct. Internal auditors must be alert to those conditions and activities where irregularities are most likely to occur and must identify inadequate controls (PA 1220-1, para. 1). Thus, the internal auditor did not exercise due professional care. Cash has a high degree of inherent risk and should therefore be subject to strict controls. Access to cash and the recordkeeping functions should be separated regardless of the personal qualities of the individuals involved. That the internal auditor trusts the clerk is irrelevant. Management still needs to be aware that internal control over receivables is inadequate.
Which of the following actions is required of the CAE in regard to the objectivity of internal auditors? A. Maximize. B. Prioritize. C. Manage. D. Assess.
Answer (D) is correct. The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.
When hiring entry-level internal auditing staff, which of the following will most likely predict the applicant's success as an internal auditor? A. Grade point average on college accounting courses. B. Ability to fit well socially into a group. C. Ability to organize and express thoughts well. D. Level of detailed knowledge of the organization.
Answer (C) is correct. Internal auditors must have skills in oral and written communications to clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations (PA 1210-1, para. 1).
The internal audit activity is considering hiring a person who has a thorough understanding of internal auditing techniques, accounting, and principles of management but has nonspecialized knowledge of economics and information technology. Hiring the person is most appropriate if A. A professional development program is agreed to in advance of actual hiring. B. A mentor is assigned to ensure completion of an individually designed professional development program. C. Other internal auditors possess sufficient knowledge of economics and information technology. D. The prospective employee could reasonably be expected to gain sufficient knowledge of these competencies in the long run.
Answer (C) is correct. Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (Attr. Std. 1210). However, each member of the internal audit activity need not be qualified in all disciplines (PA 1210.A1-1, para. 1).
Following an external assessment of the internal audit activity, who is (are) responsible for communicating the results to the board? A. Internal auditors. B. Audit committee. C. Chief audit executive. D. External auditors.
Answer (C) is correct. The chief audit executive must communicate the results of the QAIP to senior management and the board (Attr. Std. 1320).
A chief audit executive (CAE) has been requested by the audit committee to conduct an engagement at a chemical factory as soon as possible. The engagement will include reviews of health, safety, and environmental (HSE) management and processes. The CAE knows that the internal audit activity does not possess the HSE knowledge necessary to conduct such an engagement. The CAE must A. Begin the engagement and incorporate HSE training into next year's planning to prepare for a follow-up engagement. B. Suggest to the audit committee that the factory's own HSE staff conduct the engagement. C. Seek permission from the audit committee to obtain appropriate support from an HSE professional. D. Defer the engagement and tell the audit committee that it will take several months to train internal audit staff for such an engagement.
Answer (C) is correct. The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement (Impl. Std. 1210.A1).
A chief audit executive (CAE) for a very small internal audit department has just received a request from management to perform an audit of an extremely complex area in which the CAE and the department have no expertise. The nature of the audit engagement is within the scope of internal audit activities. Management has expressed a desire to have the engagement conducted in the very near future because of the high level of risk involved. Which of the following responses by the CAE would be in violation of the Standards? A. Discuss with management the possibility of outsourcing the audit of this complex area. B. Add an outside consultant to the audit staff to assist in the performance of the audit engagement. C. Accept the audit engagement and begin immediately, since it is a high-risk area. D. Discuss the timeline of the audit engagement with management to determine if sufficient time exists in which to develop appropriate expertise.
Answer (C) is correct. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (Attr. Std. 1210). The auditors in this situation do not have such expertise. Thus, planning and executing the audit engagement without the appropriate background and skills is a violation of this standard.
The internal audit activity can perform an important role in preventing and detecting significant fraud by being assigned all but which one of the following tasks? A. Review large, abnormal, or unexplained expenditures. B. Review sensitive expenses, such as legal fees, consultant fees, and foreign sales commissions. C. Review every control feature pertaining to petty cash receipts. D. Review contributions by the organization that appear to be unusual.
Answer (C) is correct. The internal auditor must exercise due professional care by considering the relative complexity, materiality, or significance of matters to which assurance procedures are applied. The cost of assurance in relation to its benefits also should be considered (Impl. Std. 1220.A1). Hence, an exhaustive review of petty cash is not an efficient and effective use of limited internal audit resources because it will not prevent or detect significant fraud. The amount of any theft of petty cash will not be substantial.
An activity appropriately performed by the internal audit activity is A. Designing systems of control. B. Drafting procedures for systems of control. C. Reviewing systems of control before implementation. D. Installing systems of control.
Answer (C) is correct. The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented (PA 1120-1, para. 4).
Periodic internal assessments of the internal audit activity primarily serve the needs of A. The board of directors. B. The internal audit activity's staff. C. The chief audit executive (CAE). D. Senior management.
Answer (C) is correct. Those conducting internal assessments generally should report to the CAE while performing the reviews and communicate directly to the CAE (PA 1311-1, para. 7).
At what minimal required frequency does the chief audit executive report the results of internal assessments in the form of ongoing monitoring to senior management and the board? A. Monthly. B. Quarterly. C. Annually. D. Biennially.
Answer (C) is correct. To demonstrate conformance with the mandatory IIA guidance, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually (Inter. Std. 1320).
As part of the process to improve internal auditor-engagement client relations, it is very important to deal with how the internal audit activity is perceived. Certain types of attitudes in the work performed will help create these perceptions. From a management perspective, which attitude is likely to be the most conducive to a positive perception? A. Objective. B. Investigative. C. Interrogatory. D. Consultative.
Answer (D) is correct. A consultative attitude leads to two-way communication. Consultation considers the client's viewpoint, helps to dispel fear and mistrust, and demonstrates the value of internal auditing to the client.
The internal audit activity should be free to audit and report on any activity that also reports to its administrative head if it considers such coverage to be appropriate for its audit plan. Any limitation in scope or reporting of results of these activities needs to be brought to the attention of the A. Chief executive officer. B. Chief financial officer. C. External auditor. D. Board.
Answer (D) is correct. A scope limitation, along with its potential effect needs to be communicated, preferably in writing, to the board (PA 1130-1, para. 3).
The optimal administrative reporting line of the CAE is to A. The audit committee. B. Line management. C. Board of directors. D. CEO or equivalent.
Answer (D) is correct. Administrative reporting is the reporting relationship within the organization's management structure that facilitates the day-to-day operations of the internal audit activity. Administrative reporting typically includes (1) budgeting and management accounting; (2) human resource administration, including personnel evaluations and compensation; (3) internal communications and information flows; and (4) administration of the organization's internal policies and procedures (PA 1110-1, para. 4). Reporting functionally to the board and administratively to the CEO facilitates organizational independence (PA 1110-1, para. 2).
During the performance of an engagement to evaluate a division's controls over purchasing, the chief purchasing agent asked why the internal auditor had requested documents pertaining to transactions with a particular supplier. The internal auditor's proper response is to A. Treat the inquiry as a scope limitation. B. Explain the reasons for the information request to promote cooperation with the engagement client. C. Refuse to explain the information request to preserve the integrity of the engagement process. D. Consider the specific circumstances before deciding whether to disclose the reasons for the information request.
Answer (D) is correct. At times, an internal auditor may be asked by the engagement client or other parties to explain why a document that has been requested is relevant to an engagement. Disclosure or nondisclosure during the engagement of the reasons documents are needed should be determined based on the circumstances. Significant irregularities may dictate a less open environment than would normally contribute to a cooperative engagement. However, that is a judgment that should be made by the chief audit executive in light of the specific circumstances. Moreover, the internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results (Impl. Std. 1110.A1).
A chief audit executive has reviewed credentials, checked references, and interviewed a candidate for a staff position. The CAE concludes that the candidate has a thorough understanding of internal audit techniques, accounting, and finance. However, the candidate has limited knowledge of economics and information technology. Which action is most appropriate? A. Reject the candidate because of the lack of knowledge required by the Standards. B. Offer the candidate a position despite lack of knowledge in certain essential areas. C. Encourage the candidate to obtain additional training in economics and information technology and then reapply. D. Offer the candidate a position if other staff members possess sufficient knowledge in economics and information technology.
Answer (D) is correct. Each member of the internal audit activity need not be qualified in all disciplines (PA 1210.A1-1, para. 1).
A chief audit executive for a large manufacturer is considering revising the internal audit activity's charter with respect to the minimum educational and experience qualifications required. The CAE wants to require all staff auditors to possess specialized training in accounting and a professional auditing certification such as the Certified Internal Auditor or the Chartered Accountant. One of the disadvantages of imposing this requirement is that the policy A. Might negatively affect the internal audit activity's ability to perform quality engagements relating to the organization's financial and accounting systems. B. Does not promote the professionalism of the internal audit activity. C. Would prevent the internal audit activity from using external service providers when it did not have the knowledge, skills, and other competencies required in certain engagements. D. Could limit the range of services that could be performed due to the internal audit activity's narrow expertise and backgrounds.
Answer (D) is correct. Each member of the internal audit activity need not be qualified in all disciplines (PA 1210.A1-1, para. 1). The internal audit activity should have an appropriate balance of experience, training, and skills to permit the performance of a wide range of services. Requiring certain professional certifications could limit the range of services offered by the internal audit activity.
Quality program assessments may be performed internally or externally. A distinguishing feature of an external assessment is its objective to A. Identify tasks that can be performed better. B. Determine whether internal audit services meet professional standards. C. Set forth the recommendations for improvement. D. Provide independent assurance.
Answer (D) is correct. External assessments must be conducted at least once every 5 years by a qualified, independent reviewer or review team from outside the organization (Attr. Std. 1312). Individuals who perform the external assessment are free of any obligation to, or interest in, the organization whose internal audit activity is assessed (PA 1312-1, para. 5).
Use of external service providers with expertise in healthcare benefits is appropriate when the internal audit activity is A. Evaluating the organization's estimate of its liability for postretirement benefits, which include healthcare benefits. B. Comparing the cost of the organization's healthcare program with other programs offered in the industry. C. Training its staff to conduct an audit of healthcare costs in a major division of the organization. D. All of the answers are correct.
Answer (D) is correct. If the internal auditors lack the necessary expertise, external service providers should be employed who can provide the requisite knowledge, skills, and other competencies. Thus, external service providers may provide assistance in (1) estimating the liability for postretirement benefits, (2) developing a comparative analysis of healthcare costs, and (3) training the staff to audit healthcare costs.
Maintaining individual objectivity is most dependent on A. Clearly informing auditee departments and functions of The IIA definition of conflict of interest. B. An annual evaluation by the board. C. An annual evaluation by an external assessment team. D. Internal auditors avoiding conflicts of interest.
Answer (D) is correct. Internal auditors should be aware of the possibility of new conflicts of interest that may arise owing to changes in personal circumstances or the particular auditees to which an auditor may be assigned.
Reengineering is the thorough analysis, fundamental rethinking, and complete redesign of essential business processes. The intended result is a dramatic improvement in service, quality, speed, and cost. An internal auditor's involvement in reengineering should include all of the following except A. Determining whether the process has senior management's support. B. Recommending areas for consideration. C. Developing audit plans for the new system. D. Directing the implementation of the redesigned process.
Answer (D) is correct. Internal auditors should not become directly involved in the implementation of the redesign process. This involvement would impair their independence and objectivity. Staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so.
In some organizations, internal audit functions are outsourced. Management in a large organization should recognize that the external auditor may have an advantage, compared with the internal auditor, because of the external auditor's A. Familiarity with the organization. Its annual audits provide an in-depth knowledge of the organization. B. Size. It can hire experienced, knowledgeable, and certified staff. C. Size. It is able to offer continuous availability of staff unaffected by other priorities. D. Structure. It may more easily accommodate engagement requirements in distant locations.
Answer (D) is correct. Large organizations that are geographically dispersed may find outsourcing internal audit functions to external auditors to be effective. A major public accounting firm ordinarily has operations that are national or worldwide in scope.
Which of the following statements is an appropriate reason for the internal audit activity not to participate in the systems development process? A. Recommendations prior to implementation will affect independence, and the internal auditors will not be able to perform an objective evaluation after the system is implemented. B. Participation will delay implementation of the project. C. Participation will cause the internal auditors to be labeled as partial owners of the application, and they will then have to share the blame for any problems that remain in the system. D. None of the answers are correct.
Answer (D) is correct. Objectivity is not adversely affected when the internal auditors recommend standards of control for systems or review procedures before they are implemented. Designing, installing, drafting procedures for, or operating systems is presumed to impair objectivity (PA 1120-1, para. 4).
The IIA has indicated that to achieve necessary independence, the CAE should report functionally to whom? A. Senior management. B. Shareholders. C. Chief executive officer. D. The board.
Answer (D) is correct. Organizational independence is effectively achieved when the CAE reports functionally to the board (Inter. Attr. Std. 1110).
The board is most likely to participate in approving A. Staff promotions and salary increases. B. Engagement communication observations, conclusions, and recommendations. C. Engagement work programs. D. Appointment of the chief audit executive.
Answer (D) is correct. Organizational independence is effectively achieved when the CAE reports functionally to the board. Examples of functional reporting to the board involve the board Approving the internal audit charter Approving the risk-based internal audit plan Receiving communications from the CAE on the internal audit activity's performance Approving decisions regarding the appointment and removal of the CAE Making appropriate inquiries of management and the CAE to determine whether there are inappropriate scope or resource limitations (Inter. Attr. Std. 1110)
If the internal audit activity of a nonpublic company does not have the skills to perform a particular task, an external service provider (ESP) could be brought in from The organization's external audit firm An external consulting firm The engagement client A college or university A. 1 and 2 only. B. 2 and 4 only. C. 1, 2, and 3 only. D. 1, 2, and 4 only.
Answer (D) is correct. Qualified ESPs may be recruited from many sources. However, an ESP associated with the engagement client is unacceptable because the person would not be independent or objective. Nonpublic companies are encouraged to follow the Sarbanes-Oxley Act's prohibition on outsourcing internal audit tasks to the firm's external auditor. However, there are circumstances in which nonpublic companies can use the external auditor for internal audit work.
The Standards require that internal auditors possess which of the following skills? Internal auditors should understand human relations and be skilled in dealing with people. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices. Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance, and information technology. Internal auditors should be skilled in oral and written communication. A. 2 only. B. 1 and 3 only. C. 3 and 4 only. D. 1, 2, and 4 only.
Answer (D) is correct. Skills required by the Standards for internal auditors include Skills in dealing with people, understanding human relations, and maintaining satisfactory relationships with engagement clients. Skills in oral and written communications to clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations. An understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practices. An appreciation of (not expertise in) of the fundamentals of business subjects such as accounting, economics, commercial law, taxation, finance, quantitative methods, information technology, risk management, and fraud (PA 1210-1, para. 1).
Assessing individual objectivity of internal auditors is the responsibility of A. The chief executive officer. B. The board. C. The audit committee. D. The chief audit executive.
Answer (D) is correct. The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.
The CAE bears the responsibility to do which of the following? A. Encourage the objectivity of the board. B. Encourage the objectivity of the CEO. C. Foster an attitude of professional skepticism among members of the board. D. Maintain individual objectivity.
Answer (D) is correct. The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.
An internal auditor's objectivity could be compromised in all of the following situations except A. A conflict of interest. B. An engagement client's familiarity with the internal auditor due to lack of rotation in assignments. C. The internal auditor's assumption of operational duties on a temporary basis. D. Reliance on an outside service provider when appropriate.
Answer (D) is correct. The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement (Impl. Std. 1210.A1). Consulting an outside service provider is therefore appropriate in these circumstances.
Prior to implementation, management has requested the internal audit activity to perform an engagement to recommend procedures and policies for improving management control over the telephone marketing operations of a major division. The chief audit executive should A. Not accept the engagement because recommending controls would impair future objectivity regarding this operation. B. Not accept the engagement because internal audit activities are presumed to have expertise regarding accounting controls, not marketing controls. C. Accept the engagement, but indicate to management that, because recommending controls impairs independence, future engagements in the area will be impaired. D. Accept the engagement because objectivity will not be impaired.
Answer (D) is correct. The CAE should accept the engagement. Recommending standards of control for systems or reviewing procedures prior to implementation does not impair objectivity (PA 1120-1, para. 4).
Which of the following facts, by themselves, could contribute to a lack of independence of the internal audit activity? The CEO accused the new auditor of not operating "in the best interests of the organization." The majority of audit committee members come from within the organization. The internal audit activity's charter has not been approved by the board. A. 1 only. B. 2 only. C. 2 and 3 only. D. 1, 2, and 3.
Answer (D) is correct. The CEO's statement suggests that the internal audit activity lacks the support of senior management and the board. Furthermore, the lack of outside audit committee members may contribute to a loss of independence. The board's failure to approve the charter may have the same effect. The charter enhances the independence of the internal audit activity. By specifying the purpose, authority, and responsibility of the internal audit activity, it establishes the position of internal audit in the organization, including the nature of the chief audit executive's functional reporting relationship with the board (Inter. Std. 1000).
The internal audit activity collectively must possess or obtain certain competencies, excluding A. Proficiency in applying internal audit standards. B. An understanding of management principles. C. The ability to maintain good interpersonal relations. D. The ability to conduct training sessions in quantitative methods.
Answer (D) is correct. The ability to conduct training sessions in specific areas is not among the required competencies.
A formal document (charter) approved by the board that defines the internal audit activity's purpose, authority, and responsibility enhances its A. Exercise of due professional care. B. Proficiency. C. Relationship with management. D. Independence.
Answer (D) is correct. The charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board (Inter. Attr. Std. 1000). To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the CAE has direct and unrestricted access to senior management and the board (Inter. Attr. Std. 1100).
Your organization has selected you to develop an internal audit activity. Your approach will most likely be to hire A. Internal auditors, each of whom possesses all the skills required to handle all engagements. B. Inexperienced personnel and train them the way the organization wants them trained. C. Degreed accountants because most internal audit work is accounting related. D. Internal auditors who collectively have the knowledge and skills needed to perform the responsibilities of the internal audit activity.
Answer (D) is correct. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (Attr. Std. 1210).
When the engagement was assigned, management asked the internal auditor to evaluate the appropriateness of using self-insurance to minimize risk to the organization. Given the scope of the engagement requested by management, should the internal auditor engage an actuarial consultant to assist in the engagement if these skills do not exist on staff? A. No. The internal audit activity is skilled in assessing controls, and the insurance control concepts are not distinctly different from other control concepts. B. No. It is a normal internal auditor function to assess risk; this engagement is therefore not unique. C. Yes. An actuary is essential to determine whether the healthcare costs are reasonable. D. Yes. The actuary has skills not usually found among internal auditors to identify and quantify self-insurance risks.
Answer (D) is correct. The internal audit activity may use external service providers or internal sources that are qualified in disciplines such as accounting, auditing, economics, finance, statistics, information technology, engineering, taxation, law, environmental affairs, and other areas as needed to meet the internal audit activity's responsibilities (PA 1210.A1-1, para. 1). Thus, unless the internal audit activity has an employee with actuarial skills, an actuarial consultant should be hired to assess self-insurance risks.
Maintaining individual objectivity of internal auditors is the responsibility of A. The chairperson of the board of directors. B. The chairperson of the audit committee. C. The external assessment team. D. The chief audit executive.
Answer (D) is correct. The responsibility rests with the CAE and with internal auditors themselves to maintain a sense of objectivity.
To avoid being the apparent cause of conflict between an organization's senior management and the board, the chief audit executive should A. Communicate all engagement results to both senior management and the board. B. Strengthen the independence of the internal audit activity through organizational position. C. Discuss all reports to senior management with the board first. D. Request board approval of policies that include internal audit activity relationships with the board.
Answer (D) is correct. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship (Inter. Std. 1100).