Exam 2 Internal Audit


Which of the following is NOT a fictitious revenue scheme? a. Matching expenses to revenues. b. Premature revenue recognition. c. Conditional sales. d. Channel stuffing.

a. Matching expenses to revenues.

In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have: a. A key link. b. A secondary link. c. An indirect link. d. No link at all.

b. A secondary link.

Which of the following symbols in a process map will most likely contain a question? a. Rectangle. b. Diamond. c. Arrow. d. Oval.

b. Diamond.

Which of the following best illustrates the use of EDI? a. Purchasing merchandise from a company internet site. b. Computerized placement of a purchase order from a customer to its supplier. c. Transfer of data from a desktop computer to a database server. d. Withdrawing cash from an ATM.

b. Computerized placement of a purchase order from a customer to its supplier.

What fraud schemes were reported to be most common in the ACFE's 2020 Report to the Nations? a. Corruption. b. Fraudulent billing. c. Misappropriation of assets by employees. d. Inappropriately reporting revenues in published financial results.

c. Misappropriation of assets by employees.

Which of these does the Cressey fraud triangle not include as one of its vertices? a. Pressure. b. Opportunity. c. Rationalization. d. Fraudster personality.

d. Fraudster personality.

Which of the following is an example of misappropriation of assets? a. A small amount of petty cash is stolen. b. A journal entry is modified to improve reported financial results. c. A foreign official is bribed by the chief operating officer (COO) to facilitate approval of a new product. d. A duplicate bill is sent to a customer in hopes that they will pay it twice.

a. A small amount of petty cash is stolen.

The possibility of someone maliciously shutting down an information system is most directly an element of: a. Availability risk. b. Access risk. c. Confidentiality risk. d. Deployment risk.

a. Availability risk.

Which of the following IT devices can present the most significant risk to the organization? a. BYOD. b. Servers within the enterprise that are controlled by the centralized technical support. c. Laptops that are bought by the organization. d. Printers attached to the network.

a. BYOD.

Which of the following is not a technique to conceal inventory shrinkage? a. Counting and valuing physical inventory at the end of each year. b. Writing off inventory after physical inventory counts. c. Understating the value of physical inventory counts. d. Altering the yearly physical inventory counts.

a. Counting and valuing physical inventory at the end of each year.

After business risks have been identified, they should be assessed in terms of their inherent: a. Impact and likelihood. b. Likelihood and probability. c. Significance and severity. d. Significance and control effectiveness.

a. Impact and likelihood.

In developing a new system, change management is extremely important. What are two main reasons to assess change management controls? a. Increased regulatory requirements around IT and controls and the ubiquity of technology. b. Increased organizational and internal audit expense budgets. c. Reduce IT employees performing IT management and increase focus on IT project management. d. Increase internal security and limit segregation of duties.

a. Increased regulatory requirements around IT and controls and the ubiquity of technology.

The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. Preventive control. b. Detective control. c. Compensating control. d. Monitoring control.

a. Preventive control.

Which of the following best exemplifies a control activity referred to as independent verification? a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions. b. Identification badges and security codes used to restrict entry to the production facility. c. Accounting records and documents that provide a trail of sales and cash receipt transactions. d. Separating the physical custody of inventory from inventory accounting.

a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions.

The purpose of logical security controls is to: a. Restrict access to data. b. Limit access to hardware. c. Record processing results. d. Ensure complete and accurate processing of data.

a. Restrict access to data.

Which of the following is a valid statement about the detection of fraud? a. The combined frequency of tips and accidents in discovering fraud exceeds the combined frequency of internal and external audits. b. Law enforcement plays a significant role in the detection of white collar (economic) crimes. c. Internal controls, when properly designed, are almost bullet proof in terms of preventing fraud. d. For the purposes of understanding how fraud is discovered, whistleblower hotlines are the only method proven to detect fraud.

a. The combined frequency of tips and accidents in discovering fraud exceeds the combined frequency of internal and external audits.

Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that: a. The individual who initiates wire transfers does not reconcile the bank statement. b. The branch manager must receive all wire transfers. c. Foreign currency rates must be computed separately by two different employees. d. Corporate management approves the hiring of employees in this department.

a. The individual who initiates wire transfers does not reconcile the bank statement.

If a risk appears in the middle of quadrant IV in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative to the risk. c. The controls may be inadequate relative to the risk. d. There is not enough information to make a judgment.

a. There is an appropriate balance between risk and control.

Which of the following is NOT an example of a fraud prevention program element? a. Background investigations of new employees. b. Exit interviews of departing employees. c. Establishing authority limits related to purchasing commitments. d. Analyzing cash disbursements to determine whether any duplicate payments have been made.

b. Exit interviews of departing employees.

Which of the following is the best source of IT audit guidance within the IPPF? a. Control Objectives for Information and Related Technologies (COBIT). b. Global Technology Audit Guides (GTAGs). c. National Institute of Standards and Technology (NIST). d. Information Technology Infrastructure Library (ITIL).

b. Global Technology Audit Guides (GTAGs).

COSO's internal control framework has five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)? I. The organization demonstrates a commitment to integrity and ethical values. II. Monitoring activities. III. A level of assurance that is supported by generally accepted auditing procedures and judgments. IV. A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices. V. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. a. II only. b. I and V only. c. II and IV only. d. I, II, III, IV, and V.

b. I and V only.

Which of the following are business processes? I. Strategic planning. II. Review and write-off of delinquent loans. III. Safeguarding of assets. IV. Remittance of payroll taxes to the respective tax authorities. a. I and III. b. II and IV. c. I, II, and IV. d. I, II, III, and IV.

b. II and IV. (strategic planning is a governance process)

After anonymous tips/complaints and pure accident as a source of fraud discovery, the next highest source according to the 2020 ACFE Report to the Nations survey was: a. External auditors. b. Internal auditors. c. Vendors. d. Customers.

b. Internal auditors.

A major upgrade to an important information system would most likely represent a high: a. External risk factor. b. Internal risk factor. c. Other risk factor. d. Likelihood of future systems problems.

b. Internal risk factor.

Which of the following is true about new and emerging technologies? a. New technologies have security login controls built into them. b. New technologies take time for the users to transition and adapt to the new technology, so training is critical. c. New technologies always come from large multinational companies. d. New technologies often have new and some innovative controls embedded in them.

b. New technologies take time for the users to transition and adapt to the new technology, so training is critical.

Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to: a. Determine the ability of the activities to produce reliable information. b. Obtain the understanding necessary to test the process. c. Document that the process meets internal audit standards. d. Determine whether the process meets established management objectives.

b. Obtain the understanding necessary to test the process.

When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks.

b. Provide assurance on the management of the risk.

An effective system of internal controls is most likely to detect a fraud perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.

b. Single employee.

If a risk appears in the bottom right of quadrant II in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative to the risk. c. The controls may be inadequate relative to the risk. d. There is not enough information to make a judgment.

b. The controls may be excessive relative to the risk.

What is a business process? a. How management plans to achieve the organization's objectives. b. The set of connected activities linked with each other for the purpose of achieving an objective or goal. c. A group of interacting, interrelated, or interdependent elements forming a complex whole. d. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service that brings about beneficial change or added value.

b. The set of connected activities linked with each other for the purpose of achieving an objective or goal.

An internet firewall is designed to provide protection against: a. Data mistakes. b. Unauthorized access from external sources. c. Lightning strikes and power surges. d. Arson.

b. Unauthorized access from external sources.

Which of the following is not one of the top 10 technology risks facing organizations? a. Cybersecurity. b. Use of older technology. c. IT governance. d. Mobile computing.

b. Use of older technology.

Which of the following types of companies would most likely need the strongest anti-fraud controls? a. A manufacturer of popular athletic shoes. b. A grocery store. c. A bank. d. An internet-based electronics retailer.

c. A bank.

Which of the following circumstances would concern the internal auditor the most? a. A risk in the lower left corner of quadrant I. b. A risk in the lower right corner of quadrant II. c. A risk in the upper left corner of quadrant III. d. A risk in the upper right corner of quadrant IV.

c. A risk in the upper left corner of quadrant III.

How should an organization handle an anonymous accusation from an employee that a supervisor in the organization has manipulated time reports? a. Assign a staff internal auditor to review all time reports for the past six months in the supervisor's area. b. Make a record of the accusation but do nothing, as anonymous accusations are typically not true. c. Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted. d. Turn the issue over to the HR department because this type of anonymous accusation is usually just a human resource issue.

c. Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted.

The internal audit function's responsibilities with respect to fraud are limited to: a. The organization's operational and compliance activities, only because financial reporting matters are the responsibility of the independent outside auditor. b. Monitoring any calls received through the organization's whistleblower hotline but not necessarily conducting a follow-up investigation. c. Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily possessing the expertise of a fraud investigation specialist. d. Ensuring that all employees have received adequate fraud awareness training.

c. Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily possessing the expertise of a fraud investigation specialist.

Which of the following statement(s) regarding an internal audit function's continuous auditing responsibilities is/are true? I. The internal audit function is responsible for assessing the effectiveness of management's continuous monitoring activities. II. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls. a. Only statement I is true. b. Only statement II is true. c. Both statements I and II are true. d. Neither statement I nor statement II is true.

c. Both statements I and II are true.

The CAE is attempting to expand the coverage of the internal audit function in the area of cybersecurity. The best way to accomplish this goal would be to: a. Ask management to include internal auditors when debriefing after a cybersecurity incident. b. Provide consulting engagements on cybersecurity. c. Conduct training for internal auditors on cybersecurity. d. Purchase software to detect cybersecurity incidents.

c. Conduct training for internal auditors on cybersecurity.

An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? a. Determine whether policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may invest. b. Determine the extent of management oversight over investments in sophisticated instruments. c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations. d. Determine the nature of monitoring activities related to the investment portfolio.

c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations.

Which of the following is not an IT technical control? a. System software controls. b. Application-based controls. c. IT governance controls. d. System development controls.

c. IT governance controls.

Reasonable assurance, as it pertains to internal control, means that: a. The objectives of internal control vary depending on the method of data processing used. b. A well-designed system of internal controls will prevent or detect all errors and fraud. c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. d. Management cannot override controls, and employees cannot circumvent controls through collusion.

c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved.

How does a control manage a specific risk? a. It reduces the likelihood of the event giving rise to the risk. b. It reduces the impact of the event giving rise to the risk. c. It reduces either likelihood or impact or both. d. It prevents the occurrence of the event.

c. It reduces either likelihood or impact or both.

The software that manages the interconnectivity of the system hardware devices is the: a. Application software. b. Utility software. c. Operating system software. d. Database management system software.

c. Operating system software.

The risk assessment component of internal control involves the: a. Independent outside auditor's assessment of residual risk. b. Internal audit function's assessment of control deficiencies. c. Organization's identification and analysis of the risks that threaten the achievement of its objectives. d. Organization's monitoring of financial information for potential material misstatements.

c. Organization's identification and analysis of the risks that threaten the achievement of its objectives.

Which flowcharting symbol indicates the start or end of a process? a. Arrow. b. Diamond. c. Oval. d. Rectangle.

c. Oval.

Requiring a user ID and password would be an example of what type of control? a. Detective. b. Corrective. c. Preventative. d. Reactive.

c. Preventative.

The control that would most likely ensure that payroll checks are written only for authorized amounts is to: a. Conduct periodic floor verification of employees on the payroll. b. Require the return of undelivered checks to the cashier. c. Require supervisory approval of employee time cards. d. Periodically witness the distribution of payroll checks.

c. Require supervisory approval of employee time cards.

What is residual risk? a. Impact of risk. b. Risk that is under control. c. Risk that is not managed. d. Underlying risk in the environment.

c. Risk that is not managed.

Who has primary responsibility for the monitoring component of internal control? a. The organization's independent outside auditor. b. The organization's internal audit function. c. The organization's management. d. The organization's board of directors.

c. The organization's management.

Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. b. To ensure that weaknesses in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically. d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.

c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically.

If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error was most likely detected by a: a. Completeness check. b. Limit check. c. Validity check. d. Reasonableness check.

c. Validity check.

Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor. b. Audit committee. c. Internal audit supervisor. d. CAE.

d. CAE.

Which of the following is NOT a major classification of the types of financial statement fraud? a. Fictitious revenues. b. Improper disclosures. c. Concealed liabilities. d. Channel stuffing.

d. Channel stuffing.

An organization's IT governance committee has several important responsibilities. Which of the following is NOT normally such a responsibility? a. Aligning investments in IT with business strategies. b. Overseeing changes to IT systems. c. Monitoring IT security procedures. d. Designing IT application-based controls.

d. Designing IT application-based controls.

Which of the following is not a typical "rationalization" of a fraud perpetrator? a. It's in the organization's best interest. b. The company owes me because I'm underpaid. c. I want to get back at my boss (revenge). d. I'm smarter than the rest of them.

d. I'm smarter than the rest of them.

Which of the following is NOT something all levels of employees should do? a. Understand their role within the internal control framework. b. Have a basic understanding of fraud and be aware of the red flags. c. Report suspicions of incidences of fraud. d. Investigate suspicious activities that they believe may be fraudulent.

d. Investigate suspicious activities that they believe may be fraudulent.

Which of the following is true regarding business process outsourcing? a. Outsourcing a core, high-risk business process reduces the overall operational risk. b. Outsourced processes should not be included in the internal audit universe. c. The independent outside auditor is required to review all significant outsourced business processes. d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.

d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.

In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization? a. Advertising budget. b. Production scheduling. c. Inventory policy. d. Product quality.

d. Product quality.

A company has recently outsourced its payroll process to a third-party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision? a. Cancel the engagement, because the processing is being performed outside the organization. b. Review only the controls over payments to the third-party provider based on the contract. c. Review only the company's controls over data sent to and received from the third-party service provider. d. Review the controls over payroll processing in both the company and the third-party service provider.

d. Review the controls over payroll processing in both the company and the third-party service provider.

What is the best way to prevent and detect conflicts of interest? a. An effective control environment, including an ethical tone at the top. b. Segregation of duties. c. Bank reconciliations. d. Transparent and full disclosure.

d. Transparent and full disclosure.

