CIA PART 2 Unit 1
When determining the number and experience level of an internal audit staff to be assigned to an engagement, the chief audit executive should consider which of the following?Complexity of the engagement.Length of the engagement.Available internal audit activity resources.Lapsed time since the last engagement. 2 and 3 only. 1 and 3 only. 1, 2, 3, and 4. 1 and 2 only.
1 and 3 only. This answer is correct.The complexity of the engagement determines the experience and skills required of the assigned staff. Available resources also are a factor in a staffing decision.
Which of the following parties is (are) primarily responsible for resource management in an internal auditing engagement?The chief audit executiveSenior managementThe board of directors 1 only. 1 and 3. 1 and 2. 2 and 3.
1 only. This answer is correct.The CAE is primarily responsible for the sufficiency and management of resources of the internal audit activity, including communication of needs and status to senior management and the board. These parties must ensure the adequacy of resources.
Which of the following potentially is (are) subject to the internal auditors' evaluations? 1. The human resources function. 2.The purchasing process. 3.The manufacturing and production database system. A.1 only. B.2 only. C.1, 2, and 3. D.None of the answers are correct.
1, 2, and 3.Answer (C) is correct.Internal auditing is an organizationally independent and individually objective assurance and consulting activity that adds value and improves operations. It evaluates and contributes to the improvement of the organization's governance, risk management, and control processes. When performing the assurance function, internal auditing evaluates the adequacy and effectiveness of controls. For example, it evaluates the effectiveness and efficiency of operations and programs.
Coordinating internal and external audit activity can increase efficiency by using which of the following? Similar techniques Similar methods Similar terminology
1, 2, and 3.Answer (D) is correct.It may be efficient for internal and external auditors to use similar techniques, methods, and terminology to coordinate their work effectively and to rely on the work of one another.
Which of the following are responsibilities of the chief audit executive (CAE)? 1Coordinating activities with other providers of assurance and consulting services. 2Understanding the work of external auditors. 3Providing sufficient information to the external auditors to permit them to understand the internal auditors' work.
1, 2, and 3.Answer (D) is correct.Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors. Moreover, the external auditor may rely on the work of the internal audit activity in performing their work. In this case, the CAE needs to provide sufficient information to enable external auditors to understand the internal auditor's techniques, methods, and terminology to facilitate reliance by external auditors on work performed.
The advantage attributed to the establishment of internal auditing field offices for work at foreign locations is best described as A reduction of travel time and related travel expense. More contact with senior personnel leading to an increase in control. The possibility of increased objectivity of personnel assigned to a field office. The increased ease of maintaining uniform organization-wide standards.
A reduction of travel time and related travel expense. This answer is correct.The advantages of field offices compared with sending internal auditors from the home office include (1) reduced travel time and expense, (2) improved service in the operating locations served by the field offices, (3) better morale of internal auditors as a result of increased authority, and (4) the possibility of employing persons who do not wish to travel.
The key factor in the success of an internal audit activity's human resources program is
A well-developed set of selection criteria.Answer (C) is correct.Internal auditors should be qualified and competent. Because the selection of a superior staff is dependent on the ability to evaluate applicants, selection criteria must be well-developed. Appropriate questions and forms should be prepared in advance to evaluate, among other things, the applicant's technical qualifications, educational background, personal appearance, ability to communicate, maturity, persuasiveness, self-confidence, intelligence, motivation, and potential to contribute to the organization.D.
Policies and procedures must be established to guide the internal audit activity. Which of the following statements is false with respect to this requirement?
All internal audit activities must have a detailed policies and procedures manual.Answer (B) is correct.The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, all internal audit activities are not required to have a detailed policies and procedures manual.
Use of external service providers with expertise in healthcare benefits is appropriate when the internal audit activity is A.Evaluating the organization's estimate of its liability for postretirement benefits, which include healthcare benefits. B.Comparing the cost of the organization's healthcare program with other programs offered in the industry. C.Training its staff to conduct an audit of healthcare costs in a major division of the organization. D.All of the answers are correct.
All of the answers are correct.Answer (D) is correct.The competencies of the internal audit staff should be appropriate for the planned activities. Thus, the chief audit executive addresses resourcing needs, including whether those skills are present. Other ways to meet needs include external service providers, specialized consultants, or other employees of the organization. Thus, external service providers may provide assistance in (1) estimating the liability for postretirement benefits, (2) developing a comparative analysis of healthcare costs, and (3) training the staff to audit healthcare costs.
According to the International Professional Practices Framework, the CAE must ensure that internal audit resources are
Appropriate, sufficient, and effectively deployed.Answer (C) is correct.According to Performance Standard 2030, Resource Management, "The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan." As stated in the Interpretation of Standard 2030, "Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan."
An audit committee of the board of directors of an organization is being established. Which of the following is normally a responsibility of the committee with regard to the internal audit activity?
Approval of the selection and dismissal of the chief audit executive.Answer (A) is correct.Independence is enhanced when the board concurs in the appointment or removal of the CAE. The audit committee is a subcommittee of outside directors who are independent of management. The term "board" includes the audit committee.
Assessments of the work of external auditors may be made by the chief audit executive
As part of the evaluation of the coordination between the internal and external auditors.Answer (D) is correct.The CAE is responsible for regular evaluations of the coordination between internal and external auditors. Such evaluations may also include assessments of the overall efficiency and effectiveness of internal and external audit activities, including aggregate audit cost. The CAE communicates the results of these evaluations to senior management and the board, including relevant comments about the performance of external auditors.
A basic principle of governance is A.Assessment of the governance process by an independent internal audit activity. B.Holding the board, senior management, and the internal audit activity accountable for its effectiveness. C.Exclusive use of external auditors to provide assurance about the governance process. D.Separation of the governance process from promoting an ethical culture in the organization.
Assessment of the governance process by an independent internal audit activity.Answer (A) is correct.The internal audit activity must assess and make appropriate recommendations for improving the governance process (Perf. Std. 2110).
An internal audit activity is often requested to coordinate its work with that of the external auditors. Which of the following activities is most likely to be restricted to the external auditor? Evaluating the adequacy of the organization's overall system of internal controls. Reviewing the system established to ensure compliance with laws, regulations, and contracts. Evaluating the system of controls over cash collections and similar transactions. Attesting to the fairness of presentation of cash position.
Attesting to the fairness of presentation of cash position. This answer is correct.Professional standards place sole responsibility for the attest function on the external auditors. Only the external auditors have the necessary independence to permit the provision of assurance to external parties. Unlike circumstances in which the external auditors use the work of other independent auditors, the responsibility cannot be shared with the internal auditors.
An internal audit activity is often requested to coordinate its work with that of the external auditors. Which of the following activities is most likely to be restricted to the external auditor?
Attesting to the fairness of presentation of cash position.Answer (B) is correct.Professional standards place sole responsibility for the attest function on the external auditors. Only the external auditors have the necessary independence to permit the provision of assurance to external parties. Unlike circumstances in which the external auditors use the work of other independent auditors, the responsibility cannot be shared with the internal auditors.
Audit committees have been identified as a major factor in promoting the independence of both internal and external auditors. Which of the following is the most important limitation on the effectiveness of audit committees?
Audit committees may be composed of independent directors. However, those directors may have close personal and professional friendships with management.Answer (A) is correct.The audit committee is a subcommittee made up of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to ensure that the directors are exercising due care. However, if independence is impaired by personal and professional friendships, the effectiveness of the audit committee may be limited.
Any program for selecting and developing the human resources of the internal audit activity will fail unless compensation is adequate at all levels of responsibility. Policies concerning compensation should
Be clearly stated and based on evaluations of position requirements and individual performance.Answer (D) is correct.Internal auditing job descriptions are important because, among other things, they may be used to justify adequate salaries. As part of an overall personnel management and development program, they should be used together with periodic, formal performance appraisals as a basis for compensation adjustments and promotions.
Which of the items below most likely reflects differences between the policies of a relatively large and a relatively small internal audit activity? The policies for the large activity should Be in considerable detail. Contain the authority to carry out engagements. Define the scope of internal auditing. Be specific as to activities to be carried out.
Be in considerable detail. This answer is correct.The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, the policies of a relatively large internal audit activity are likely to be more detailed than those of a relatively small internal audit activity.
Inquiring how an employment candidate handled situations in their past is an example of which interview method?
Behavioral.Answer (A) is correct.Behavioral interviews determine how candidates handled situations in their past. It is based on the belief that past performance is generally indicative of future performance. The behavioral interview is a widely-used interview method and may include questions that ask the candidate to describe a past situation and how it was handled.
In managing internal audit resources, the CAE considers all of the following except
Benchmarking.Answer (A) is correct.Benchmarking is a continuous evaluation of the practices of the best organizations in their class and the adaptation of processes to reflect the best of these practices. It is not used in managing internal audit resources. In managing internal audit resources, the CAE considers succession planning, staff evaluation and development, and other human resource disciplines. The CAE also addresses resourcing needs, including whether those skills are present in the internal audit staff.
Gator Financial Service is considering outsourcing its internal audit activity. Gator Financial Service
Can outsource the services as long as Gator Financial Service continues to have the responsibility for maintaining an effective internal audit activity.Answer (D) is correct.An organization's governing body may decide that an external service provider is the most effective means of obtaining internal audit services. In these cases, Performance Standard 2070 requires that the external audit service provider remind the organization that the responsibility for maintaining an effective internal audit activity lies with the organization.
A typical function of an audit committee is
Choosing the external auditor.Answer (A) is correct.Functions of the audit committee regarding the external auditor include (1) selecting the external auditing firm and negotiating its fee, (2) overseeing and reviewing the work of the external auditor, (3) resolving disputes between the external auditor and management, and (4) reviewing the external auditor's internal control and audit reports.
Internal auditing is an assurance and consulting activity. An example of an assurance service is a(n) A.Advisory engagement. B.Facilitation engagement. C.Training engagement. D.Compliance engagement.
Compliance engagement.Answer (D) is correct.According to The IIA Glossary, an assurance service is "an objective examination of evidence for the purpose of providing an independent assessment of governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements."
When managing the internal audit activity's (IAA's) resources, the chief audit executive (CAE) most likely
Conducts a skills assessment based on needs identified in the audit plan.Answer (C) is correct.The CAE must ensure that internal audit resources are (1) appropriate, (2) sufficient, and (3) effectively deployed to achieve the approved plan (Perf. Std. 2030). The competencies of the internal audit staff should be appropriate for the planned activities. The CAE may conduct a documented skills assessment based on the needs identified in the risk assessment and audit plan.
If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should
Consider the work of the other department when assessing the function or process.Answer (A) is correct.The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). This standard applies not only to external auditors but also to other "providers," such as regulatory bodies (e.g., governmental auditors) and certain of the organization's other subunits (e.g., a health and safety department). Review and testing of the other department's work may reduce necessary audit coverage of the function or process.
Exchange of engagement communications and management letters by internal and external auditors is
Consistent with the coordination responsibilities of the chief audit executive.Answer (A) is correct.Exchange of engagement communications and management letters is properly a component of coordination between internal and external audit.
The chief audit executive plans to meet with the independent external auditor to discuss joint efforts regarding an upcoming external audit of the organization's pension plan. The independent external auditor has performed all external audit work in this area in the past. The CAE's objective is to
Coordinate the external audit so as to fulfill professional responsibilities and not duplicate work of the independent external auditor.Answer (B) is correct.Planned audit activities of internal and external auditors need to be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized if possible.
To improve their efficiency, internal auditors may rely upon the work of external auditors if it is
Coordinated with internal auditing work.Answer (C) is correct.Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. Coordination of internal and external audit work is the responsibility of the CAE (Perf. Std. 2050).
The most important reason for the chief audit executive to ensure that the internal audit department has adequate and sufficient resources is to
Demonstrate sufficient capability to meet the audit plan requirements.Answer (B) is correct.The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030).
Which of the following audit committee activities is of the greatest benefit to the internal audit activity? Determine whether scope limitations impede the ability of the internal audit activity to execute its responsibilities. Assurance that the external auditor will rely on the work of the internal audit activity whenever possible. Review and endorsement of all internal auditing engagement communications prior to their release. Review and approval of engagement work programs.
Determine whether scope limitations impede the ability of the internal audit activity to execute its responsibilities. This answer is correct.The CAE should report functionally to the board (audit committee) to achieve organizational independence and allow the internal audit activity to fulfill its responsibilities. Functional reporting to the board typically involves, among other things, making appropriate inquiries of management and the CAE to determine whether audit scope or budgetary limitations impede the ability of the internal audit activity to fulfill its responsibilities.
By comparing job descriptions with the qualifications and duties of the individuals currently holding those jobs, a manager can
Determine whether the organization is appropriately staffed.Answer (B) is correct.A job description summarizes the duties and qualifications required for a job. It is prepared based on a job analysis, which is a systematic procedure for observing work and determining what tasks should be accomplished to achieve organizational goals. By comparing the job description with the actual employees and their qualifications, a manager can determine whether the organization has placed appropriate individuals in jobs best suited to their abilities.
Which of the following is the best source of a chief audit executive's information for planning staffing requirements?
Discussions of internal audit needs with senior management and the board.Answer (A) is correct.The CAE is primarily responsible for the sufficiency and management of resources, including communication of needs and status to senior management and the board. These parties ultimately must ensure the adequacy of resources.
The internal audit activity has recently experienced the departure of two internal auditors who cannot be immediately replaced due to budget constraints. Which of the following is the least desirable option for efficiently completing future engagements, given this reduction in resources? Filling vacancies with personnel from operating departments that are not being audited. Employing information technology in audit planning, sampling, and documentation. Using self-assessment questionnaires to address audit objectives. Eliminating consulting engagements from the engagement work schedule.
Eliminating consulting engagements from the engagement work schedule. This answer is correct.The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). The audit schedule is reduced as a last resort once all other alternatives have been explored, including the request for additional resources.
The IIA's Three Lines Model states that the roles of an organization's governing body most likely include
Ensuring that organizational objectives align with stakeholders' interests.Answer (C) is correct.Governing body roles include (1) ensuring structures and processes exist for effective governance; (2) ensuring objectives and activities align with stakeholder interests; (3) giving management the responsibility and resources to achieve objectives and compliance with laws, regulations, and ethics; and (4) establishing and overseeing the internal audit function.
A major reason for establishing an internal audit activity is to
Evaluate and improve the effectiveness of control processes.Answer (D) is correct.The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes (Definition of Internal Auditing).
After using the same public accounting firm for several years, the board of directors retained another public accounting firm to perform the annual financial audit in order to reduce the annual audit fee. The new firm has now proposed a one-time engagement relating to the cost-effectiveness of the various operations of the business. The chief audit executive has been asked to advise management in making a decision on the proposal. An argument can be made that the internal audit activity is better able to perform such an engagement because A.External auditors may not possess the same depth of understanding of the organization as the internal auditors. B.Internal auditors are required to be objective in performing engagements. C.Engagement procedures used by internal auditors are different from those used by external auditors. D.Internal auditors will not be vitally concerned with fraud and waste.
External auditors may not possess the same depth of understanding of the organization as the internal auditors.Answer (A) is correct.Internal auditing evaluates and contributes to the improvement of the organization's governance, risk management, and control processes. Accordingly, its scope of work is far broader than that of the external auditors.
Which of the following is not a true statement about the relationship between internal auditors and external auditors? A. There may be an exchange of engagement communications and management letters. B. There may be periodic meetings between internal and external auditors to discuss matters of mutual interest. C. Internal auditors may provide engagement work programs and working papers to external auditors. D. External auditors must assess the competence and objectivity of internal auditors.
External auditors must assess the competence and objectivity of internal auditors. This answer is correct.The external auditor assesses the objectivity and competence of the internal auditors only if (s)he intends to rely on their work.
According to The IIA's Three Lines Model,
First line roles include support functions.Answer (B) is correct.First line roles (e.g., risk management) most directly relate to delivery of products or services to clients. They include support functions (e.g., human resources). Thus, first line roles include "front office" and "back office" activities.
The audit committee strengthens the control processes of an organization by
Following up on recommendations made by the chief audit executive.Answer (C) is correct.Among the audit committee's functions are ensuring that engagement results are given due consideration and overseeing appropriate corrective action for deficiencies noted by the internal audit activity, which includes following up on recommendations by the CAE.
Written policies and procedures relative to managing the internal audit activity should Ensure compliance with its performance standards. Give consideration to its structure and the complexity of the work performed. Prescribe the format and distribution of engagement communications and the classification of observations. Result in consistent job performance.
Give consideration to its structure and the complexity of the work performed. This answer is correct.The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040).
Written policies and procedures relative to managing the internal audit activity should
Give consideration to its structure and the complexity of the work performed.Answer (B) is correct.The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040).
What is the most accurate term for the procedures used by the board to oversee activities performed to achieve organizational objectives?A.Governance.B.Control.C.Risk management.D.Monitoring.
Governance. Answer (A) is correct.Governance is the "combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives" (The IIA Glossary).
Several members of an organization's senior management have questioned whether the internal audit activity should report to the newly established quality audit function as part of the total quality management process within the organization. The chief audit executive (CAE) has reviewed the quality audit standards and the programs that the quality audit manager has proposed. The CAE's response to senior management should include which of the following?
Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities.Answer (D) is correct.The CAE should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting providers to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). The quality audit function is an internal assurance and consulting provider. Thus, whether reporting administratively to the quality audit function or to senior management, the CAE should identify appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities.
Which of the following actions is an appropriate response by organizations wishing to improve the public's perception of their financial reporting?
Increased adoption of audit committees composed of outside directors.Answer (A) is correct.The audit committee consists of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. This committee (1) selects the external auditors; (2) reviews their overall audit plan; (3) examines the results of external and internal auditing engagements; (4) meets regularly with the CAE; and (5) reviews the internal audit activity's engagement work schedule, staffing plan, and financial budget. These functions should increase public confidence that financial statements are fairly presented.
According to the International Professional Practices Framework, the internal audit activity is effectively managed when
Its individual members conform with the Code of Ethics and the Standards.Answer (B) is correct.According to the Interpretation of Standard 2000, the internal audit activity is effectively managed whenIt achieves the purpose and responsibility included in the internal audit charter.It conforms with the Standards.Its individual members conform with the Code of Ethics and the Standards.It considers trends and emerging issues that could impact the organization. The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.
The capabilities of individual staff members are key features in the effectiveness of an internal audit activity. What is the primary consideration used when staffing an internal audit activity?
Job descriptions.Answer (B) is correct.The competencies of the internal audit staff should be appropriate for the planned activities. A job description summarizes the duties and qualifications required for a job. Properly formulated job descriptions provide a basis for identifying job qualifications (including training and experience). Hence, they facilitate recruiting human resources with the necessary attributes.
When determining the number and experience level of an internal audit staff to be assigned to an engagement, the chief audit executive should consider all of the following except the A.Complexity of the engagement B.Available internal audit activity resources .C.Training needs of internal auditors .D.Lapsed time since the last engagement.
Lapsed time since the last engagement.Answer (D) is correct.Lapsed time since the last engagement is a factor affecting engagement scheduling, not staffing.
An organization's oversight of and responsibility for an outsourced internal audit activity (IAA) is most likely demonstrated by
Maintaining a quality program.Answer (B) is correct.An organization's oversight of and responsibility for an outsourced IAA is demonstrated through the quality assurance and improvement program (QAIP). It assesses conformance with the Code of Ethics and the Standards (Inter. Std. 2070). The QAIP should include (1) ongoing monitoring, (2) periodic self-assessments, and (3) external assessments.
Although all the current members of an internal audit activity have good records of performance, the manager is not sure if any of the members are ready to assume a management role. Which of the following is an advantage of bringing in an outsider rather than promoting from within?
Management training costs are reduced when a qualified outsider is hired.Answer (A) is correct.Hiring an experienced manager reduces management training costs because the person has already been trained.
In addressing internal audit resource needs for a complex engagement, the CAE may include all of the following except
Members of the audit committee.Answer (B) is correct.Resources must be effectively deployed by assigning qualified auditors and developing an appropriate resourcing approach and organizational structure. Additionally, resources need to be sufficient for audit activities to be performed in accordance with the expectations of senior management and the board. Members of the audit committee may not be employees of the organization except in their capacity as a board member. Therefore, an audit committee member should not be included in addressing internal audit resource needs. The CAE may meet these needs through external service providers, specialized consultants, or other employees of the organization.
The internal audit activity is responsible for implementing 1. Risk management 2. Governance 3. Control 3 only. None of the answers are correct. 1 only. 2 only.
None of the answers are correct. This answer is correct.The internal audit activity is responsible for evaluating and contributing to the improvement of governance, risk management, and control processes. But management is responsible for implementing those processes.
Fact Pattern: You are the chief audit executive of a parent organization that has foreign subsidiaries. Independent external audits performed for the parent are not conducted by the same firm that conducts the foreign subsidiary audits. Because the internal audit activity occasionally provides direct assistance to both external firms, you have copies of audit programs and selected working papers produced by each firm. The foreign subsidiary's auditors would like to rely on some of the work performed by the parent organization's audit firm, but they need to review the working papers first. They have asked you for copies of the working papers of the parent organization's audit firm. What is the most appropriate response to the foreign subsidiary's auditors?
Notify the parent's auditors of the situation and request that they either provide the working papers or authorize you to do so.Answer (B) is correct.Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors, including access to the external auditors' programs and working papers. Internal auditors are responsible for respecting the confidentiality of those programs and working papers.
A chief audit executive (CAE) has reviewed credentials, checked references, and interviewed a candidate for a staff position. The CAE concludes that the candidate has a thorough understanding of internal audit techniques, accounting, and finance. However, the candidate has limited knowledge of economics and information technology. Which action is most appropriate?
Offer the candidate a position if other staff members possess sufficient knowledge in economics and information technology.Answer (D) is correct.The internal audit activity collectively must have or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Each member of the internal audit activity need not be qualified in all disciplines.
Which of the following is a possible statutory limitation on audit committees?
One member must be a financial expert.Answer (B) is correct.The audit committee is a subset of the board of directors. However, not every member of the board is necessarily qualified to serve on the audit committee. Some statutes have imposed the following significant restrictions on the membership of the audit committee: (1) no member may be an employee of the organization except in his or her capacity as a board member and (2) at least one member must be a financial expert. Many stock exchanges require that all listed organizations have an audit committee.
An audit committee should be designed to enhance the independence of both the internal and external auditing functions and to insulate these functions from undue management pressures. Using this criterion, audit committees should be composed of Only members from the relevant outside regulatory agencies. Only external members of the board of directors or its equivalent. Members from all important constituencies, specifically including representatives from banking, labor, regulatory agencies, shareholders, and officers. A rotating subcommittee of the board of directors or its equivalent.
Only external members of the board of directors or its equivalent. This answer is correct.The audit committee of the board of directors should be composed entirely of outside directors. Outside directors are members of the board who are independent of internal management. Because the primary purpose of the audit committee is to promote the independence of the internal and external auditors from management, an audit committee composed of inside directors would be ineffective.
Controls should be designed to provide reasonable assurance that
Organizational objectives will be achieved economically and efficiently.Answer (A) is correct.A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives will be achieved (The IIA Glossary). Thus, control by management is the result of proper planning, organizing, and directing.
In selecting an instructional strategy for developing internal audit staff, a chief audit executive begins by reviewing
Organizational objectives.Answer (A) is correct.The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). The approved plan must be consistent with the goals of the organization.
Which of the following is a false statement about the relationship between internal auditors and external auditors?
Oversight of the work of external auditors is the responsibility of the chief audit executive.Answer (A) is correct.Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the CAE (Perf. Std. 2050).
A manufacturer has been expanding rapidly and is considering adding a new production line. Employees are currently working double shifts and receiving large amounts of overtime pay. Demand for all of the organization's products is currently high, but management worries about demand fluctuations with changes in the economy and technological developments by competitors. Management is concerned with such issues as whether it is efficiently using its resources, whether it is expanding too rapidly or not rapidly enough, whether employee morale is decreasing, and whether future expansion should be financed internally or through debt. Of the following management requests, which is within the normal scope of work of the internal audit activity as stated in the Standards?
Perform an independent evaluation of management's planning process as a basis for making recommendations.Answer (A) is correct.Internal auditing is an organizationally independent and individually objective assurance and consulting activity that adds value and improves operations. It evaluates and contributes to the improvement of the organization's governance, risk management, and control processes. Thus, evaluating the planning process is within the broad scope of work of internal auditing.
The chief audit executive (CAE) is best defined as the
Person responsible for the internal audit function.Answer (B) is correct.The CAE is a person in a senior position responsible for effectively managing the internal audit activity (IAA) in accordance with the internal audit charter and the mandatory elements of the IPPF (The IIA Glossary). The CAE must effectively manage the IAA to ensure it adds value to the organization (Inter. Std. 2000).
Control by management is the result of Authorizing and monitoring performance and comparing actual performance with planned performance. Determining efficiency and economy of operations, including whether objectives have been met. Planning, organizing, and directing of organizational activities. Ascertaining needs, identifying alternative courses of action, setting standards for measuring performance, and comparing outcomes with predetermined standards.
Planning, organizing, and directing of organizational activities. This answer is correct.A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives will be achieved (The IIA Glossary). Thus, control by management is the result of proper planning, organizing, and directing.
Which of the following is most essential for guiding the internal audit staff?
Policies and procedures.Answer (D) is correct.The chief audit executive must establish policies and procedures to guide the internal audit activity (Perf. Std. 2040).
The audit committee may serve several important purposes, some of which directly benefit the internal audit activity. The most significant benefit provided by the audit committee to the internal audit activity is
Protecting the independence of the internal audit activity from undue management influence.Answer (A) is correct.The audit committee is a subcommittee of the board of directors composed of outside directors who are independent of corporate management. Its purpose is to help keep external and internal auditors independent of management and to ensure that the directors are exercising due care. This committee often selects the external auditors, reviews their overall audit plan, and examines the results of external and internal audits.
When assessing the risk associated with an activity, an internal auditor should Determine how the risk should best be managed. Design controls to mitigate the identified risks. Update the risk management process based on risk exposures. Provide assurance on the management of the risk.
Provide assurance on the management of the risk. This answer is correct.The internal audit activity must evaluate and contribute to the improvement of processes using a systematic, disciplined, and risk-based approach. Assurance service is an objective of evidence examination to provide an independent assessment.
Fact Pattern: You are the chief audit executive of a parent organization that has foreign subsidiaries. Independent external audits performed for the parent are not conducted by the same firm that conducts the foreign subsidiary audits. Because the internal audit activity occasionally provides direct assistance to both external firms, you have copies of audit programs and selected working papers produced by each firm. The foreign subsidiary's external audit firm wants to rely on an audit of a function at the parent organization. The audit was conducted by the internal audit activity. To place reliance on the work performed, the foreign subsidiary's auditors have requested copies of the working papers. What is the most appropriate response to the foreign subsidiary's auditors?
Provide copies of the working papers.Answer (A) is correct.Coordination involves access to each other's work programs, working papers, and reports (IG 2050). Access is provided to external auditors for them to be satisfied as to the acceptability, for external audit purposes, of relying on the internal auditors' work.
Which of the following items would not be an appropriate staffing issue?
Providing a competitive selection of employee benefits.Answer (B) is correct.Internal auditors must have the knowledge, skills, and other competencies to perform their responsibilities. For example, they (1) might use the competency framework for self-assessment and (2) should demonstrate proficiency by obtaining professional certifications and qualifications (IG 1210, Proficiency). But a professional development program for internal auditors does not address employee compensation.
Internal auditing has planned an engagement to evaluate the effectiveness of the quality assurance function as it affects the receipt of goods, the transfer of the goods into production, and the scrap costs related to defective items. The engagement client argues that such an engagement is not within the scope of the internal audit activity and should come under the purview of the quality assurance department only. What is the most appropriate response?
Refer to the internal audit activity's charter and the approved engagement plan that includes the area designated for evaluation in the current time period.Answer (A) is correct.The written charter, approved by the board, defines the scope of internal audit activities (Inter. Std. 1000). The risk-based plan of engagements is established after consultation with senior management and the board and is adjusted for changes in the organization (Inter. Std. 2010).
To avoid creating conflict between the chief executive officer (CEO) and the audit committee, the chief audit executive (CAE) should Submit copies of all engagement communications to the CEO and audit committee. Discuss all pending engagement communications to the CEO with the audit committee. Request board establishment of policies covering the internal audit activity's relationships with the audit committee. Strengthen independence through organizational status.
Request board establishment of policies covering the internal audit activity's relationships with the audit committee. This answer is correct.Independence is not sufficient to prevent conflict unless reporting relationships are well defined.
To avoid creating conflict between the chief executive officer (CEO) and the audit committee, the chief audit executive (CAE) should
Request board establishment of policies covering the internal audit activity's relationships with the audit committee.Answer (D) is correct.Independence is not sufficient to prevent conflict unless reporting relationships are well defined.
The chief audit executive for a large decentralized organization has developed a manual containing comprehensive detailed written procedures as a guide for the decentralized engagement work groups, each of which has 20 to 30 internal auditors. The organization recently acquired a small organization that has an internal audit activity consisting of a supervisor and two staff personnel. Which of the following actions is the most practical in providing administrative guidance for this new internal audit activity?
Select key procedures from the manual and use informal supervisory direction for other engagement management issues.Answer (A) is correct.Orientation to acquaint the acquired organization's staff with the established environment should be through exposure to selected key procedures from the formal manual. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, a small internal audit activity may be managed informally, for example, through daily close supervision and written memoranda.
The proper organizational role of internal auditing is to
Serve as an independent, objective assurance and consulting activity that adds value to operations.Answer (D) is correct.The Definition of Internal Auditing states, in part, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations."
All of the following are true regarding the process and methods of coordinating assurance activities except
Sharing results with other providers violates the coordinating services agreement.Answer (D) is correct.The CAE should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). Coordinating activities include (1) simultaneity of the nature, extent, and timing of scheduled work; (2) mutual understanding of methods and vocabulary; (3) the parties' access to each other's programs, workpapers, and communications of results; (4) reliance on others' work to avoid overlap; and (5) meeting to adjust the timing of scheduled work given results to date.
In most cases, an internal audit activity should document policies and procedures to ensure the consistency and quality of its work. The exception to this principle is directly related to Departmentation. Authority. Size of the internal audit activity. Division of labor.
Size of the internal audit activity. This answer is correct.The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, all internal audit activities are not required to have a detailed policies and procedures manual.
Which of the following statements most accurately reflects the chief audit executive's responsibilities for internal audit resources? The CAE is responsible for evaluating the detailed summary of audit resources presented by management to the board. The CAE is responsible for ensuring that audit coverage is based on the periodic skills assessment. The CAE is not responsible for such human resource functions as evaluation and development. The CAE is responsible for communicating resource needs to the board but has no explicit responsibility for administering the organization's compensation program.
The CAE is responsible for communicating resource needs to the board but has no explicit responsibility for administering the organization's compensation program. This answer is correct.The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. This includes the effective communication of resource needs and reporting of status to senior management and the board. Responsibility for administering the organization's compensation program normally resides in the human resources (personnel) area.
Which of the following statements about the chief audit executive's responsibilities for internal audit resources is most accurate?
The CAE is responsible for the effective deployment of resources to achieve the approved audit plan.Answer (C) is correct.The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved audit plan. This responsibility includes the effective communication of resource needs and reporting of status to senior management and the board.
Which of the following statements is false regarding the administration of the internal audit activity?
The audit committee is responsible for creating the operating and financial budget for the internal audit function.Answer (C) is correct.Budgeting is included in the administrative activities of the internal audit activity. The CAE, not the audit committee, is responsible for creating the operating and financial budget for the internal audit function. Generally, the CAE, audit managers, and the internal audit activity work together to develop the budget annually. The budget is then submitted to management and the board for their review and approval.
Which of the following features of a large manufacturer's organizational structure is a control weakness?
The audit committee of the board consists of the chief executive officer, the chief financial officer, and a major shareholder.Answer (C) is correct.The audit committee has a control function because of its oversight of internal as well as external auditing. It should be made up of directors who are independent of management. The authority and independence of the audit committee strengthen the position of the internal audit activity.
Johnny Hagert, Chief Audit Executive, is determining the sufficiency of his resource allocation. Mr. Hagert must consider all of the following except Consequences of not completing the engagement on time. Communication received from management and the board. The audit universe. Knowledge of the internal audit staff.
The audit universe. This answer is correct.Sufficiency relates to the quantity of resources needed to accomplish the approved audit plan. However, the resource allocation applies to the approved audit plan, not to the universe of all possible audits within the organization.
Which of the following statements is true regarding coordination of internal and external auditing efforts?
The chief audit executive should determine that appropriate follow-up and corrective action was taken by management when required regarding matters discussed in the external auditor's management letter.Answer (C) is correct.Internal auditors need access to the external auditors' presentation materials and management letters. Matters discussed in presentation materials and included in management letters need to be understood by the CAE and used as input to internal auditors in planning the areas to emphasize in future internal audit work. After review of management letters and initiation of any needed corrective action by appropriate members of senior management and the board, the CAE should ensure that appropriate follow-up and corrective actions have been taken.
Internal audit resources should be appropriate, sufficient, and effectively deployed. Consequently, The chief audit executive should perform a periodic skills assessment. Only members of the internal audit staff should perform internal audit activities. The chief audit executive ultimately must ensure the adequacy of resources. Resource planning should be limited to expected activities.
The chief audit executive should perform a periodic skills assessment. This answer is correct.The skills, technical knowledge, and capabilities of the internal audit staff should be appropriate for the planned work. Thus, the chief audit executive should perform a periodic skills assessment based on the needs identified in the risk assessment and the audit plan.
Internal audit resources should be appropriate, sufficient, and effectively deployed. Consequently,
The chief audit executive should perform a periodic skills assessment.Answer (B) is correct.The skills, technical knowledge, and capabilities of the internal audit staff should be appropriate for the planned work. Thus, the chief audit executive should perform a periodic skills assessment based on the needs identified in the risk assessment and the audit plan.
Which of the following is responsible for coordination of internal and external audit work? The board. External auditors. Internal auditors. The chief audit executive.
The chief audit executive. This answer is correct.Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the chief audit executive (CAE). The CAE obtains the support of the board to coordinate audit work effectively.
Coordination of internal and external auditing can reduce the overall costs. Who is responsible for actual coordination of internal and external auditing efforts?
The chief audit executive.Answer (A) is correct.Coordination of internal and external audit work is the responsibility of the CAE. The CAE obtains the support of the board to coordinate audit work effectively.
Which of the following is responsible for coordination of internal and external audit work?
The chief audit executive.Answer (B) is correct.Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the chief audit executive (CAE). The CAE obtains the support of the board to coordinate audit work effectively.
Who has primary responsibility for providing information to the board on the professional and organizational benefits of coordinating internal audit activities with those of other providers of similar services?
The chief audit executive.Answer (B) is correct.The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). The CAE also must periodically report to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance (Perf. Std. 2000).
Which of the following statements regarding the external auditor is true?
The external auditor's work is overseen and reviewed by the audit committee.Answer (C) is correct.The most important function of the audit committee is to promote the independence of the internal and external auditors by protecting them from management's influence. The audit committee (1) selects the external auditing firm and negotiates its fee, (2) oversees and reviews the work of the external auditor, (3) resolves disputes between the external auditor and management, and (4) reviews the external auditor's internal control and audit reports.
What is the reason the CAE must have direct and unrestricted access to the board?
The internal audit activity needs to achieve organizational independence.Answer (B) is correct.The CAE must have direct and unrestricted access to senior management and the board for the internal audit activity to achieve organizational independence. The CAE should report functionally to the board. The IIA defines a board, in part, as "[t]he highest level governing body . . . charged with the responsibility to direct and/or oversee the organization's activities and hold senior management accountable."
Which of the following items is least likely to be considered when determining the strategy for assessing governance, risk management, and control?
The members of the audit committee.Answer (D) is correct.The members of the audit committee, an operating committee of the board of directors, is least likely to be considered when determining the strategy for assessing governance, risk management, and control. These three processes are closely related. Ordinarily, the board is responsible for guiding governance processes, and senior management is responsible for leading risk management and control processes. The CAE typically considers (1) the maturity of these processes, (2) the seniority of the persons responsible, and (3) the organizational culture when determining the strategy for assessing governance, risk management, and control.
Which of the following is not an appropriate member of an audit committee?
The organization's vice president of operations.Answer (D) is correct.The audit committee consists of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. The organization's vice president is not an outside director. The vice president of the local bank used by the organization, an academic specializing in business administration, and a retired executive of a firm that had been associated with the organization are all external parties who are usually independent of the organization's internal operations.
An organization has outsourced its internal audit activity (IAA) to an external service provider. Consequently,
The provider must remind the organization of its ultimate responsibility.Answer (C) is correct.When an external service provider serves as the IAA, the provider must make the organization aware that the organization has the responsibility for maintaining an effective IAA (Perf. Std. 2070). Oversight of and responsibility for the IAA therefore must not be outsourced.
Criteria the CAE may consider in determining whether to rely on the work of another service provider include all of the following except
The reasonableness of audit fees.Answer (D) is correct.In determining whether to rely on the work of another service provider, the CAE may considerThe objectivity, independence, competency, and due professional care of the provider relating to the relevant assurance or consulting service;The scope, objectives, and results of the service provider's work to evaluate the degree of reliance;Assessing the service provider's findings to determine whether they are reasonable and meet the information criteria in the Standards; andThe incremental effort required to obtain sufficient, reliable, relevant, and useful information as a basis for the degree of planned reliance.
Numerous environmental laws and regulations have recently changed. Senior management has asked the chief audit executive to perform an environmental audit to be completed as soon as possible. The internal audit activity currently is performing an operational audit. As a result, the chief audit executive must make difficult decisions about resource allocation. Which of the following is the least significant issue in determining whether to reallocate audit resources?
The results from the prior financial audits.Answer (D) is correct.When determining resource allocation under time constraints, the auditor must consider all relevant factors. Relevant factors include (1) information about both the ongoing and new engagement; (2) the consequences of not completing either engagement in a timely manner; and (3) the knowledge, skills, and competencies of the internal audit staff. Information about other unrelated engagements, such as prior financial audits, is irrelevant.
Staff members of the internal audit activity should be assigned to engagements and training projects that will enable them to develop their potential. Which of the following should be the most important consideration in making assignments that will allow staff members to develop properly?
The skills and experience levels of individual auditors.Answer (A) is correct.The program for selecting and developing the human resources of the internal audit activity should provide for written job descriptions for each level of the staff, selection of qualified and competent individuals, training and continuing educational opportunities, performance appraisals at least annually, and counsel on performance and professional development. Obviously, work assignments inconsistent with an internal auditor's abilities will defeat the purposes of human resources development.
When assigning individual staff members to actual engagements, internal auditing managers are faced with a number of important considerations related to needs, abilities, and skills. Which of the following is the least appropriate criterion for assigning a staff internal auditor to a specific engagement? The staff internal auditor's desire for training in the area. The experience level of the internal auditor. The complexity of the engagement. Special skills possessed by the staff internal auditor.
The staff internal auditor's desire for training in the area. This answer is correct.A staff internal auditor's desire for specific training is necessarily secondary to carrying out the responsibilities of the internal audit activity with regard to proper staffing.
According to the International Professional Practices Framework, internal audit resources are effectively deployed when
They are used in a way that optimizes the achievement of the approved plan.Answer (D) is correct.According to the Interpretation of Standard 2030, "Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan." The CAE is primarily responsible for the sufficiency and management of resources, including communication of needs and status to senior management and the board. Resources are effectively deployed by assigning qualified auditors and developing an appropriate resourcing approach and organizational structure.
In most organizations, the rapidly expanding scope of internal auditing responsibilities requires continual training. What is the main purpose of such a training program?
To achieve both individual and organizational goals.Answer (D) is correct.By being informed and up to date, internal auditors are better prepared to reach their personal goals. In addition, internal audit responsibilities are more readily discharged by auditors having the required knowledge, skills, and other competencies.
The internal audit activity (IAA) is effectively managed when
Trends and emerging issues are considered.Answer (C) is correct.The IAA is effectively managed when (1) it achieves the purpose and responsibility included in the internal audit charter, (2) it conforms with the Standards, (3) its individual members conform with the Code of Ethics and the Standards, and (4) it considers trends and emerging issues that could affect the organization (Inter. Std. 2000).
Which of the following, though not appropriate for use with a large internal audit activity, is an acceptable approach for managing a small internal audit activity?
Using only daily, close supervision and written memoranda.Answer (C) is correct.Formal administrative and technical audit manuals may not be needed by all internal audit entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan.
When are governance, risk management, and control processes considered adequate?
When management has planned and designed them to provide reasonable assurance of achieving the organization's objectives efficiently and economically.Answer (A) is correct.Governance, risk management, and control processes are adequate if management has planned and designed the processes to provide reasonable assurance of achieving the organization's objectives efficiently and economically. Reasonable assurance is provided if the most cost-effective measures are taken in the design and implementation of controls to reduce risks and restrict expected deviations to a tolerable level. Efficient performance accomplishes objectives in an accurate, timely, and economical fashion while economical performance accomplishes objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.