Internal Audit Exam 2 (Ch7-10,14,15)
Which of the following types of control activities is likely to be least important when evaluating the design adequacy of the cash collections process? Select one: a. Approving the deposit of cash receipts into the company's bank account. b. Calculating the amount of cash received. c. Documenting the rationale behind the bank account in which the deposit will be made. d. Matching the total deposits to the amounts credited to customers' accounts receivable balances. e. Segregating the preparation of deposit slips from the adjustment of customer account balances.
Documenting the rationale behind the bank account in which the deposit will be made.
Consulting Engagement Working Papers
Focus is on the final product and providing observations and recommendations to management. Sufficient documentation should be maintained to support those overall internal audit recommendations.
New or Changing Conditions
Internal audit function is often in the position to identify such changes and the need of the service. Examples: Management reorganization; Department restructuring; New product offering. Subjected to risk assessment process.
Specialists may be needed for consulting engagement
Internal audit service providers; Independent outside accountants or tax specialists; IT and security specialists; Fraud investigators; Actuaries, statisticians, and appraisers; Engineers, geologists, and environmental specialists; Lawyers
Which of the following is an advantage of outsourcing technology?
A minimum level of investment accompanied by the ability to expedite the introduction of new technology.
The Consulting Engagement Process
Plan; Perform; Communicate
Internal audit reports can be structured to motivate management to correct deficiencies. Which of the following report-writing techniques is most likely to be effective? Select one: a. State the procedural inadequacies and resulting improprieties in specific terms. b. Recommend changes and state the punitive measures that will follow if the recommendations are not implemented. c. List the deficiencies found so as to provide an easy-to-follow checklist. d. Suggest practical improvements to address the identified observations.
Suggest practical improvements to address the identified observations.
Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?
The CAE
Which of the following is not a responsibility of the CAE? a. To follow up on whether appropriate management actions have been taken on significant reported risks b. To communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval c. To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes d. To establish a risk-based plan to accomplish the objectives of the internal auditing activity consistent with the organization's goals
To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.
When conducting a consulting engagement to improve the efficiency of a production process, the internal audit team is faced with a scope limitation because several months of the production data has been lost or is incomplete. Faced with this scope limitation, the CAE should: a. Halt the consulting engagement and conduct a separate assurance engagement to determine why the data was not available. b. Discuss the problem with the customer and together evaluate whether the engagement should be continued. c. Complete the analysis without the data but include a scope limitation in the engagement report. d. Report the scope limitation to the independent outside auditors.
b. Discuss the problem with the customer and together evaluate whether the engagement should be continued.
Increasing need for consulting services
be proactive!
The audit committee has requested that the internal audit function assist with the annual risk assessment process. What type of consulting engagement does this assistance represent? a. An assurance engagement. b. A training consulting engagement. c. A facilitative consulting engagement. d. An advisory consulting engagement.
c. A facilitative consulting engagement.
It would be appropriate for the internal audit function to perform which of the following: a. Design controls for a process. b. Develop a new whistleblower policy. c. Review a new IT application before implementation. d. Lead a process reengineering project.
c. Review a new IT application before implementation.
Which of the following would be a typical consulting engagement activity performed by the internal audit function? a. Testing compliance with accounts payable policies and procedures. b. Determining the scope of an engagement to test IT application controls. c. Reviewing and commenting on a draft of a new ethics policy created by the company. d. Testing the design adequacy of controls over the termination of employees.
c. Reviewing and commenting on a draft of a new ethics policy created by the company.
When faced with an imposed scope limitation, the CAE should
communicate the potential effects of the scope limitation to the audit committee of the Board of Directors.
Which of the following best illustrates the use of EDI?
computerized placement of a purchase order from a customer to its supplier
Internal Audit's Risk assessment
cost vs. benefit worth the consulting services?
Which of the following is not likely to be a step during a consulting engagement? a. Understanding the objectives of a process. b. Assessing the risks in a process. c. Flowcharting the key steps in a process. d. Expressing a conclusion on the design adequacy and operating effectiveness of a process.
d. Expressing a conclusion on the design adequacy and operating effectiveness of a process.
While planning an assurance engagement, the IA obtains knowledge about the auditee's operations to, among other things,
develop an understanding of the auditee's objectives, risks and controls.
Once an observation is identified by the IA, it may be
included in the final audit report.
Selecting Consulting Engagements to Perform is based on
the magnitude of the associated risk or opportunity
Annual Internal Audit Plan
Areas within the organization that have gone through the risk assessment process and were selected as priorities for the internal audit function
Advisory Consulting Engagement ---advise on
Control design; Development of policies and procedures; High risk projects (such as system development); Security breaches or business continuity interruptions; Certain enterprise risk management activities
What is a methodology encompassing facilitated meetings and surveys that enables internal auditors and managers to collaborate in assessing business risks and evaluating internal controls?
Control self assessment
Requests from Management
Arise from unforeseen events at the time of planning; Vie for resources out of the planned internal audit budget; Often time sensitive; May preempt assurance engagements in the annual internal audit plan; May be performed simultaneously with assurance engagement; Subjected to internal audit's risk assessment process. Examples: Fraud investigations; Special projects; Ad hoc committees; Reviews of new procedures
Engagement Communication Assurance Services: Recipient:
Auditee Users Format: standardized
Which of the following external risks is least likely to impact the accuracy of financial reporting? Select one: a. The standard setting body in the organization's country issues a new financial accounting standard. b. A recent judicial court case increases the likelihood that pending litigation will result in an unfavorable outcome. c. Changes in standard industry contracts now allow for netting of payables and receivables. d. Competitor pressures cause the organization to pursue new sales channels.
Competitor pressures cause the organization to pursue new sales channels.
A process objective stating "all contracts must be approved by an officer of the company before being consummated" is an example of what type of the four objectives?
Compliance
Which of the following is a factor affecting risk? a. New personnel. b. New or revamped information systems. c. Rapid growth. d. All of the answers are correct
all answers
The difference between physical access control activities and logical access control activities is that:
although physical controls allow a person into a computer facility, logical access controls authorize a person into the computer software
Priorities represent both
assurance and consulting engagements. Subjected to risk assessment process before being added to the internal audit plan
The possibility of someone maliciously shutting down an information system is most directly an element of:
availability risk
Senior management of an organization has requested that the internal audit function help educate employees about internal control concepts. This work is an example of: a. An assurance engagement. b. A training consulting engagement. c. A facilitative consulting engagement. d. An advisory consulting engagement.
b. A training consulting engagement.
The chief operating officer (COO) has requested that the internal audit function advise her regarding a new incentive plan being developed for sales representatives. Which of the following tasks should the CAE decline with respect to providing advice to the COO? a. Researching and benchmarking incentive plans provided by other companies in the industry. b. Determining the appropriate bonus formula for inclusion in the plan. c. Recommending monitoring procedures so that appropriate amounts are paid under the plan. d. Determining how to best document the support for amounts paid to provide a sufficient audit trail.
b. Determining the appropriate bonus formula for inclusion in the plan.
Which of the following is not a required consideration regarding proficiency and due professional care when choosing to perform a consulting engagement? a. Availability of adequate skills and resources to conduct the engagement. b. Needs and expectations of the engagement customer. c. Cost of the engagement relative to the potential benefits. d. Potential impact on the independent outside auditor's financial statement audit.
d. Potential impact on the independent outside auditor's financial statement audit.
Once an observation is identified by the internal auditors, the first thing that should be done by IAs would be:
documenting in the working papers
An excerpt from an internal audit observation indicates that travel advances exceed prescribed maximum amounts. Company policy provides travel funds to authorized employees for travel. Advances are not to exceed 45 days of anticipated expenses. Company procedures do not require justification for large travel advances. Employees can, and do, accumulate large unneeded advances. In this audit observation, the element of an audit finding known as "effect" is:
employees accumulate large, unneeded advances
Analytical procedures can be applied during which phases of an assurance engagement?
engagement planning and engagement performance phases
Internal auditors obtain an understanding of controls and perform tests of controls to
evaluate the design adequacy and operating effectiveness of the controls
Internal audit function: Assurance Service
Familiar with most (all) areas of organization; aware of the changes occurring in these areas; in a unique position to advise management about how to deal effectively with these changes
The software that manages the interconnectivity of the system hardware devices is
operating system software
The primary purpose of issuing an interim report during an internal audit is to
provide auditee management the opportunity to act on certain observations immediately
Recommendations should be included in final audit communications to:
provide management with options for addressing audit observations
The primary reason for having a formal audit engagement communication is to:
record observations and recommended courses of action
A formal engagement communication must
report significant observations
During a review of purchasing operations, an internal auditor found that procedures in use did not agree with stated company procedures. However, audit tests revealed that the procedures used represented an increase in efficiency and a decrease in processing time, without a discernible decrease in control. The internal auditor should:
report the change and suggest that the change in procedures be documented
The purpose of logical security controls is to:
restrict access to data
A comprehensive plan to deal with business interruptions will provide for all but which of the following? a. Segregation of duties. b. Alternative site facilities. c. Business impact assessments. d. Procedures for restoring utility services
segregation of duties
Consulting Services: Less parties involved
structure is less complex
If an IA's evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to:
test the operating effectiveness of the controls.
When evaluating the independence of an internal audit activity, a quality assurance review team performing an external assessment considers several factors. Which of the following factors has the least amount of influence when judging an internal audit activity's independence? Select one: a. Relationship between engagement records and engagement communications. b. Impartial and unbiased judgments. c. Criteria used in making internal auditors' assignments. d. The extent of internal auditor training in communications skills.
the extent of internal auditor training in communication skills.
Which of the following would not be considered a primary objective of a closing or exit conference? Select one: a. To resolve conflicts b. To discuss the engagement observations and recommendations c. To identify concerns for future audit engagements d. To identify management's actions and responses to the engagement observations and recommendations
to identify concerns for future audit engagements
IAs perform both assurance engagements and consulting engagements. Which of the following would be classified as a consulting engagement? a. Assisting the independent outside auditor during the financial statement audit engagement. b. Assessing the design adequacy of the organization's entity-level monitoring activities. c. Facilitating senior management's assessment of risk threatening the organization. d. Directly assessing the organization's compliance with laws and regulations.
Facilitating senior management's assessment of risk threatening the organization.
Skills and Experience Required for consulting engagement:
Facilitation and collaboration; Broad business experience; Specific subject matter expertise; Interpersonal skills; Analytical thinking in a dynamic environment; Information processing; Communication (quick and accurate, by presentation or writing)
Sourcing for consulting engagement
Financial reporting; Technology; Treasury/cash management; Fraud examination; Engineering and environmental compliance; Regulatory compliance
Performing the Advisory Consulting Engagement
Gather and evaluate evidence Must be documented Examples of procedures may be performed: Understanding management issues related to the area under review Gathering information Performing analytical procedures Reviewing documentation Using computer-assisted audit techniques Understanding key risks Understanding controls which to improve? Evaluating efficiency of existing controls Formulate advice
Which of the following is not likely to be an assurance engagement objective? Select one: a. Evaluate the design adequacy of the payroll input process b. Guarantee the accuracy of recorded inventory balances c. Assess compliance with health and safety laws and regulations d. Determine the operating effectiveness of fixed asset control
Guarantee the accuracy of recorded inventory balances
Which of the following does the CAE need to consider when determining the extent of follow-up required? I. Significance of the reported observation. II. Past experience with the manager charged with the corrective action. III. Degree of effort and cost needed for the corrective action. IV. The experience of the internal audit staff.
I & III
Which of the following activities is NOT presumed to impair the objectivity of an internal auditor? I. Recommending standards of control for a new information system application II. Drafting procedures for running a new computer application to ensure that proper controls are installed III. Performing reviews of procedures for a new computer application before it is installed
I & III. Recommending standards of control & Performing reviews of procedures.
The tasks performed during an internal audit assurance engagement should address the following questions: I. What are the reasons for the results? II. How can performance be improved? III. What results are being achieved? The chronological order in which these questions should be addressed is:
III, I, II
Engagement Purpose Services: to provide
Independent assessments
Blended Engagements
Internal audit engagements that incorporate elements of both consulting services and assurance services. Communicate the outcome separately. Scope and purpose are different.
Educational Consulting Engagement Benchmarking
Intracompany: internal areas vs. other comparable areas; Intercompany: org. vs. other similar organization; Company vs. industry average or industry best practices
Which of the following does NOT represent a key element of the IIA's quality assurance programs? a. Monitoring risk mitigation b. Implementing quality programs c. Communicating results d. Continuous improvement
Monitoring risk mitigation
Which of the following is not typically a key element of process maps or narrative memorandum? Select one: a. Overall process objectives b. Key inputs to the process c. Key processing steps involved in the process d. Key outputs from the process e. Key risks and control activities
Overall process objectives
Which of the following auditee-prepared documents will likely be of greatest assistance to the internal auditor in their assessment of design adequacy? Select one: a. Policies and procedures manual b. Organization charts and job descriptions c. Process maps depicting the flow of the process d. Narrative memorandum listing key tasks for portions of the process
Process maps depicting the flow of the process
The International Standards for the Professional Practice of Internal Auditing require the chief audit executive to share information and coordinate activities with other internal and external providers of assurance services. With regard to the external auditor which of the following would not be an appropriate way for the chief audit executive to meet this requirement?
Requiring the external auditor to have the chief audit executive's approval of their annual audit plan for conducting the financial statement audit
Facilitative Consulting Engagement ---facilitate:
Risk assessment process; Management's control self-assessment (CSA); Task force charged with redesigning controls and procedures for a new or significantly changed area; As liaison between management and outside 3rd parties (i.e., auditors, gov. agencies, vendors, contractors, etc.) on control issues; Discussion on a postmortem of a major systems or process interruption
Educational Consulting Engagement --- Training on
Risk management; Internal control
Which of the following is LEAST likely to be placed on the agenda for discussion at a pre-engagement meeting as one of assurance engagement planning activities? Select one: a. Sampling plan and key criteria. b. Objectives/purposes and scope of the engagement. c. Records and client personnel needed. d. Expected starting and completion dates.
Sampling plan and key criteria.
Application of Standards The different sets of Implementation Standards for each
Structure differences
An internal auditor determines that the process is not designed adequately to reduce the underlying risks to an acceptable level. Which of the following should the internal auditor do next? Select one: a. Write the audit report, there's no reason to test the operating effectiveness of control activities that are not designed adequately b. Tests compensating control activities in other (adjacent) processes to see if the impact of the design inadequacy is mitigated to an acceptable level. c. Test the existing key control activities anyway to prove that, despite the design inadequacy, the process is still meeting the process objectives. d. Postpone the engagement until design inadequacy has been rectified.
Tests compensating control activities in other (adjacent) processes to see if the impact of the design inadequacy is mitigated to an acceptable level.
Which of the following statements best describes an internal audit function's responsibility for assurance engagement follow-up activities? Select one: a. The internal audit function should determine whether management has initiated corrective action but has no responsibility to determine whether the corrective action is achieving the desired results. That determination is management's responsibility. b. The CAE is responsible for scheduling audit follow-up activities only if asked to do so by senior management or the audit committee. Otherwise, such activities are discretionary. c. The internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations. d. Audit follow-up activities are not necessary if the auditee has agreed in writing to implement the internal audit function's recommendations.
The IAF should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations.
Engagement Parties Assurance Services:
The auditee (directly involved with the subject matter); The internal audit function (making the independent assessment); The user (relying on the independent assessment)
Engagement Parties Consulting Services:
The engagement customer (advice seeker and receiver); The internal audit function (advice provider)
The Difference Between Assurance and Consulting Services
The number of parties involved in the engagement The application of The Institute of the Standards The purpose of the engagement Communication of the results of the engagement
Reported internal audit observations emerge by a process of comparing "what should be" with "what is." In determining "what should be" during an audit of a company's treasury function, which of the following would be the LEAST desirable criterion against which to judge current operations? Select one: a. Performance standards established by senior management. b. Company policies and procedures delegating authority and assigning responsibilities. c. The operations of the treasury function as documented during the last audit. d. Best practices of the treasury function in relevant industries.
The operations of the treasury function as documented during the last audit.
Which of the following groups' risk tolerance levels are least important when conducting an assurance engagement? Select one: a. The audit committee or other board governance committees. b. Senior management. c. Process-level management. d. The internal audit function. e. Vendors and customers
Vendors and customers
During assurance engagement planning, an internal auditor found that several accounts payable vouchers for major suppliers required adjustments for duplicate payment of prior invoices. This would indicate
a need for additional testing to determine related controls and the current exposure to duplicate payments made to suppliers.
Engagement Purpose Consulting Services: to provide
Advisory; Education; Facilitation; Insights
Types of Consulting Services
Advisory; Training; Facilitative
An organization's IT governance committee has several important responsibilities. Which of the following is NOT normally such a responsibility? a. Overseeing changes to IT systems. b. Monitoring IT security procedures. c. Designing IT application-based controls. d. Aligning investments in IT with business strategies.
Designing IT application-based controls.
Communicating the Advisory Consulting Engagement
Determine nature and form of communications with customer; Vet advice with engagement customer; Conduct interim and preliminary engagement communications; Develop final engagement communication; Distribute final engagement communications; Perform monitoring and follow-up, if appropriate
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual audit plan?
To ensure that the IA plan supports the overall business objectives
Assurance Services: More parties involved
The Standard is more stringent and numerous
Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should: accept? not accept? why?
accept the engagement because independence would not be impaired
Internal audit function's expertise: Risk & Control
Add value by providing insights through its consulting activities. Assist the organization in keeping abreast of emerging risks. Example: initiating discussions that explore the increased risk in areas that are particularly affected by an economic downturn
Which of the following is an appropriate conclusion that can be drawn when the internal auditor identifies an observation from testing control activities? a. The process objectives cannot be achieved. b. The area may be vulnerable to fraud. c. Overall, the process is not operating effectively. d. Certain risks are not effectively mitigated.
Certain risks are not effectively mitigated.
Which of the following controls is not likely to be an entity-level control? Select one: a. All employees must receive ongoing training to ensure they maintain their competence. b. All cash disbursement transactions must be approved before they are paid. c. All employees must comply with the Code of Ethics and Business Conduct. d. An organization-wide risk assessment is conducted annually.
All cash disbursement transactions must be approved before they are paid.
If an IA identifies an exception while testing, which of the following may be appropriate? a. Test additional items to determine whether the exception is an isolated occurrence or indicative of a control deficiency. b. Gain an understanding of the root cause, that is, the reason the exception occurred. c. Draft an observation for the audit report. d. All of the above.
All of the answers
Comprehensive risk assessment involves analysis of both causes and effects. Which of the following statements concerning the analysis of causes and effects is FALSE? Select one: a. Analyzing the causes and effects of a particular risk provides insights about how to best manage the risk. b. Analyzing the effects of a particular risk provides insights about the relative size of the risk and the relative importance of the business objective threatened by the risk. c. Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred. d. Analyzing the root causes of a particular risk helps the internal auditor formulate recommendations for reducing the risk to an acceptable level.
Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred.
Sources of consulting engagements:
Annual internal audit plan: Engagements are proposed during the annual risk assessment process and included in the annual internal audit plan if identified as high-priority; Requested by management; New or changing conditions; Warrants internal audit's attention
Engagement Communication Consulting Services:
Based on scope and purpose of the engagement
CAEs can lay the foundation for partnering with other areas by:
Building relationships with other departments; Increasing internal auditors' subject matter expertise through: Training; Rotating internal auditors into other business units; Hiring associates from other business units into the internal audit function; Obtaining buy-in from the audit committee and senior management by communicating the benefits of increasing consulting services
Planning the Advisory Consulting Engagement
Determine: engagement objectives and scope; Obtain: final approval of objectives and scope from customer; Understand: environment and relevant business processes; Understand: relevant risks (if appropriate); Understand: relevant controls (if appropriate); Evaluate: control design (if appropriate); Determine: engagement approach; Designed to achieve the advisory consulting engagement objectives; Determine: nature, timing, and extent of evidence needed; Procedures required to obtain the evidence; Allocate resources; Experience, expertise, external resources, staff development
Educational Consulting Engagement - Postmortem analysis
Determining lessons learned from completed project
When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should:
Discuss the problem with the customer and together evaluate whether the engagement should be continued