Internal Audit Exam 1
5. Which of the following statements is not true about business objectives? a. Business objectives represent targets of performance b. Establishing meaningful business objectives is a prerequisite to effective internal controls c. Establishing meaningful business objectives is a key component of the management process d. Business objectives are management's means of employing resources and assigning responsibilities
b. Establishing meaningful business objectives is a prerequisite to effective internal controls
13. What types of business events tend to drive new legislation and guidance? a. Economic downturns b. Fraud or other corporate wrongdoing c. Elections or other political changes d. Economic growth
b. Fraud or other corporate wrongdoing
9. Which of the following types of IPPF guidance require(s) public exposure? I. A new Implementation Guide II. A new standard III. New supplemental guidance for auditing cybersecurity IV. A new definition in the Standards Glossary a. III only b. II and IV c. II, III, and IV d. I, II, III, and IV
b. II and IV
11. A major upgrade to an important information system would most likely represent a high: a. External risk factor b. Internal risk factor c. Other risk factor d. Likelihood of future systems problems
b. Internal risk factor
6. Which of the following circumstances would concern the internal auditor the most? a. A risk in the lower left corner of quadrant I b. A risk in the lower right corner of quadrant II c. A risk in the upper left corner of quadrant III d. A risk in the upper right corner of quadrant IV
c. A risk in the upper left corner of quadrant III
15. Which of the following would be a violation of The IIA's Code of Ethics? a. Internal auditor was subpoenaed in a court case in which a joint venture partner claimed to have been defrauded by the auditor's company. The auditor divulged confidential audit information to the court during testimony. b. During an audit, an internal auditor learned that the company was about to introduce a new product that would revolutionize the industry. Because of the probable success of the new product, the product manager suggested that the internal auditor buy additional stock in the company, which the auditor did. c. An internal auditor's husband inherited 25,000 shares of company stock when his grandfather died. They have held the stock for more than two years. d. An internal auditor works weekends doing tax returns for a friend who owns a small CPA firm
c. An internal auditor's husband inherited 25,000 shares of company stock when his grandfather died. They have held the stock for more than two years.
4. An internal auditor is auditing a division in which the division's chief financial officer is a close, personal friend. The auditor learns that the friend is to be replaced after a series of critical contract negotiations with the Department of Defense. The auditor relays this information to the friend. Which principle of The IIA's Code of Ethics has been violated? a. Integrity b. Objectivity c. Confidentiality d. Privacy
c. Confidentiality
5. Which of the following risk management activities is out of sequence in terms of timing? a. Identify, assess, and prioritize risks b. Develop risk response/treatments c. Determine key organizational objectives d. Monitor the effectiveness of risk responses/treatments
c. Determine key organizational objectives
9. When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should: a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner b. Resign his or her position in the organization c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee d. Accept senior management's position because it establishes the risk appetite for the organization
c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee
2. Which of the following are typically governance responsibilities of senior management? I. Delegating its tolerance levels to risk managers II. Monitoring day to day performance of specific risk management activities III. Establishing a governance committee of the board IV. Ensuring that sufficient information is gathered to support reporting to the board a. I and IV b. II and III c. I, II, and IV d. I, II, III, and IV
c. I, II, and IV
7. Which of the following are business processes? I. Strategic planning II. Review and write off of delinquent loans III. Safeguarding of assets IV. Remittance of payroll taxes to the respective tax authorities a. I and III b. II and IV c. I, II, and IV d. I, II, III, and IV
c. I, II, and IV
3. ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry, and facilitates sharing among its members. From ABC's perspective, what type of stakeholders is this industry association? a. Directly involved in the operation of the company b. Interested in the success of the company c. Influences the company d. Not a stakeholder
c. Influences the company
15. Enterprise Risk Management: a. Guarantees achievement of business objectives b. Requires establishment of risk and control activities by internal auditors c. Involves the identification of events with negative impacts on business objectives d. Includes selection of best risk response for the organization
c. Involves the identification of events with negative impacts on business objectives
15. How does a control manage a specific risk? a. It reduces the likelihood of the event giving rise to the risk b. It reduces the impact of the event giving rise to the risk c. It reduces either likelihood or impact or both d. It prevents the occurrence of the event
c. It reduces either likelihood or impact or both
14. Which flowcharting symbol indicates the start or end of a process? a. Arrow b. Diamond c. Oval d. Rectangle
c. Oval
6. The internal audit function should not: a. Assess the organization's governance and risk management processes b. Provide advice about how to improve the organization's governance and risk management processes c. Oversee the organization's governance and risk management processes d. Coordinate its governance and risk management related activities with those of the independent outside auditor
c. Oversee the organization's governance and risk management processes
10. Companies in industries that are heavily regulated may be subject to audits by the regulators' auditors. While not specifically covered in the Three Lines of Defense model, such auditors would most likely be considered: a. Part of the first line of defense b. Part of the second line of defense c. Part of the third line of defense d. Not a line of defense
c. Part of the third line of defense
2. Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success? a. Economic event b. Natural Environment event c. Political event d. Social event
c. Political event
12. Internal auditors must have competent interpersonal skills. Which of the following does not represent an attribute of interpersonal skills? a. Communication b. Leadership c. Project Management d. Team capabilities
c. Project Management
1. Which of the following is not an appropriate governance role for an organization's board of directors? a. Evaluating and approving strategic objectives b. Influencing the organization's risk taking philosophy c. Providing assurance directly to third parties that the organization's governance processes are effective d. Establishing broad boundaries of conduct, outside of which the organization should not operate
c. Providing assurance directly to third parties that the organization's governance processes are effective
8. Which of the following is recommended guidance within the IPPF? a. The Definition of Internal Auditing b. The Standards c. Supplemental guidance d. None of the above
c. Supplemental guidance
11. Which of the following is a framework that can help individual internal auditors and internal audit functions assess their current competency levels and identify areas for improvement? a. Internal Control - Integrated Framework b. International Professional Practices Framework c. The Global Internal Auditor Competency Framework d. Enterprise Risk Management Framework
c. The Global Internal Auditor Competency Framework
11. Which of the following is a Core Principle for the Professional Practice of Internal Auditing? a. Maintain confidentiality b. Promote an ethical culture in the internal audit profession c. Develop consistency in internal audit practices d. Is appropriately positioned and adequately resourced
d. Is appropriately positioned and adequately resourced
6. Who is responsible for implementing ERM? a. The chief financial officer b. The chief audit executive c. The chief compliance officer d. Management throughout the organization
d. Management throughout the organization
1. According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives? a. Ensuring culture is clearly articulated by the board b. Possibility of strategy not aligning c. Implications from the strategy chosen d. Risk to achieving the strategy
a. Ensuring culture is clearly articulated by the board
7. Which of the following is not a potential value driver for implementing ERM? a. Financial results will improve in the short run b. There will be fewer surprises from year to year c. There will be better information available to make risk decisions d. An organization's risk appetite can be aligned with strategic planning
a. Financial results will improve in the short run
9. After business risks have been identified, they should be assessed in terms of their inherent: a. Impact and likelihood b. Likelihood and probability c. Significance and severity d. Significance and control effectiveness
a. Impact and likelihood
13. One of the challenges of ERM in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas b. Employees in these structures are inherently less risk averse c. Managers have less incentive to implement and monitor controls d. Effective controls are more difficult to design, and consistent application is more difficult to achieve across the organization
a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas
6. Within the context of internal auditing, assurance services are best defined as: a. Objective examinations of evidence for the purpose of providing independent assessments b. Advisory services intended to add value and improve an organization's operation c. Professional activities that measure and communicate financial and business data d. Objective evaluations of compliance with policies, plans, procedures, laws, and regulations.
a. Objective examinations of evidence for the purpose of providing independent assessments
3. An internal auditor provides income tax services during the tax season. For which of the following activities would the auditor most likely be considered in violation of The IIA's Code of Ethics? a. Preparing, for a fee, a division manager's personal tax returns b. Appearing on a local radio show to discuss retirement planning and tax issues c. Receiving a stipend for teaching an evening tax class at a local junior college d. Working on weekends for a friend who has a small CPA firm
a. Preparing, for a fee, a division manager's personal tax returns
14. Which of the following represents the best governance structure? (Operating Management/Executive Management/Internal Auditing) a. Responsibility for risk/Oversight role/Advisory role b. Oversight role/Responsibility for risk/Advisory role c. Responsibility for risk/Advisory role/Oversight role d. Oversight role/Advisory role/Responsibility for risk
a. Responsibility for risk/Oversight role/Advisory role
4. AVF Company's new CFO has asked the company's CAE to meet with him to discuss the role of the internal audit function. The CAE should inform the CFO that the overall responsibility of internal audit is to: a. Serve as an independent assurance and consulting activity designed to add value and improve the company's operations b. Assess the company's methods for safeguarding its assets, as appropriate, verify the existence of the assets c. Review the integrity of financial and operating information and the methods used to accumulate and report information d. Determine whether the company's system of internal controls provides reasonable assurance that information is effectively and efficiently communicated to management.
a. Serve as an independent assurance and consulting activity designed to add value and improve the company's operations
3. Independent outside auditors provide financial reporting assurance services primarily for: a. The benefit of third parties b. Management c. Board of directors d. The CEO
a. The benefit of third parties
4. Who is responsible for establishing the strategic objectives of an organization? a. The board of directors b. Senior Management c. Consensus among all levels of management d. The board and senior management jointly
a. The board of directors
5. If a risk appears in the middle of quadrant IV in the above risk control map, it means that: a. There is an appropriate balance between risk and control b. The controls may be excessive relative to the risk c. The controls may be inadequate relative to risk d. There is not enough information to make a judgement
a. There is an appropriate balance between risk and control
10. Which of the following is one of the 5 Cs essential to success as an Internal Auditor? a. Courage b. Consistency c. Collaboration d. Candidness
a. Courage
7. Which of the following would not be considered a first line of defense in the Three Lines of Defense model? a. A divisional controller conducts a peer review of compliance with financial control standards b. An accounts payable clerk reviews supporting documents before processing an invoice for payment c. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed properly d. A production line worker inspects finished goods to ensure the company's quality standards are met
a. A divisional controller conducts a peer review of compliance with financial control standards
8. Which of the following would be considered a first line of defense in the Three Lines of Defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all the marketing and sales staff have completed the required FCPA training c. The external audit team observes the counting of inventory on December 31 d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes Oxley compliance with internal controls over financial reporting
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date
9. Which of the following would be considered a second line of defense in the Three Lines of Defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all the marketing and sales staff have completed the required FCPA training c. A shift supervisor inspecting a sample of finished goods to ensure quality standards are met. d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes Oxley compliance with internal controls over financial reporting
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all the marketing and sales staff have completed the required FCPA training
10. In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have: a. A key link b. A secondary link c. An indirect link d. No link at all
b. A secondary link
14. Which of the following is the premier certification sponsored by the IIA? a. Certification in Control Self Assessment b. Certified Internal Auditor c. Certification in Risk Management Assessment d. Certified Information Systems Auditor
b. Certified Internal Auditor
13. While planning an internal audit, the internal auditor obtains knowledge about the auditee to, among other things: a. Develop an attitude of professional skepticism about management's assertions b. Develop an understanding of the auditee's objectives and risks c. Make constructive suggestions to management concerning internal control improvements d. Evaluate whether misstatements in the auditee's performance reports should be communicated to senior management and the audit committee
b. Develop an understanding of the auditee's objectives and risks
8. Which of the following symbols in a process map will most likely contain a question? a. Rectangle b. Diamond c. Arrow d. Oval
b. Diamond
11. Which of the following is not a role of the internal audit function in best practice governance activities? a. Support the board in enterprise wide risk assessment b. Ensure the timely implementation of audit recommendations c. Monitor compliance with the corporate code of conduct d. Discuss areas of significant risks
b. Ensure the timely implementation of audit recommendations
1. A primary purpose of the Standards is to: a. Promote coordination of internal and external audit efforts b. Establish a basis for evaluating internal audit performance c. Develop consistency in internal audit practices d. Provide a codification of existing practices
b. Establish a basis for evaluating internal audit performance
10. Which of the following are required of the internal audit function per the Standards? a. Evaluate the effectiveness of the internal audit committee annually b. Issue an overall opinion on the adequacy of the organization's system of internal controls annually c. Obtain an annual representation from management acknowledging management's responsibility for the design and implementation of internal controls to prevent illegal acts. d. Assess whether the IT governance of the organization sustains and supports the organization's strategies and objectives.
b. Issue an overall opinion on the adequacy of the organization's system of internal controls annually
2. Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to: a. Determine the ability of the activities to produce reliable information b. Obtain the understanding necessary to test the process c. Document that the process meets internal audit standards d. Determine whether the process meets established management objectives
b. Obtain the understanding necessary to test the process
12. According to the Standards, how is the independence of the internal audit function achieved? a. Staffing and supervision b. Organizational status and objectivity c. Human relations and communications d. Quality assurance and internal review
b. Organizational status and objectivity
12. When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed b. Provide assurance on the management of the risk c. Update the risk management process based on risk exposures d. Design controls to mitigate the identified risks
b. Provide assurance on the management of the risk
3. Which of the following is not an example of a risk sharing strategy? a. Outsourcing a noncore, high risk area b. Selling a nonstrategic business unit c. Hedging against interest rate fluctuations d. Buying an insurance policy to protect against adverse weather
b. Selling a nonstrategic business unit
5. Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process? a. The board of directors b. Senior management c. Risk owners d. The internal audit function
b. Senior management
4. If a risk appears in the bottom right of quadrant II in the above risk control map, it means that: a. There is an appropriate balance between risk and control b. The controls may be excessive relative to risk c. The controls may be inadequate relative to the risk d. There is not enough information to make a judgement
b. The controls may be excessive relative to risk
8. According to the Standards, which of the following must the internal audit manager think about when considering appropriate due care while planning an assurance engagement? a. The opportunity to cross train internal audit staff b. The cost of assurance in relationship to potential benefits c. Job openings in the area that may be of interest to internal auditors assigned to the engagement d. The potential to deliver consulting services to the auditee
b. The cost of assurance in relationship to potential benefits
3. What is a business process? a. How management plans to achieve the organization's objectives b. The set of connected activities linked with each other for the purpose of achieving an objective or goal c. A group of interacting, interrelated, or interdependent elements forming a complex whole d. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service that brings about beneficial change or added value
b. The set of connected activities linked with each other for the purpose of achieving an objective or goal
8. Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan? a. To emphasize the importance of the internal audit function to the organization b. To ensure that the internal audit plan will be approved by senior management c. To make recommendations to improve the strategic plan d. To ensure that the internal audit plan supports the overall business objectives
b. To ensure that the internal audit plan will be approved by senior management
9. The Internal Audit Foundation exists to help audit leaders, practitioners, students, and academics experience continuous growth in their careers to propel them to become: a. Strong assurance providers b. Trusted advisors c. Independent Outside auditors d. CAEs
b. Trusted advisors
11. An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high risk audit based on the internal audit function's risk model. It is currently on a two year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement? a. The area being audited involves the processing of a high volume of transactions b. Certain components of the process are outsourced c. A new system was implemented during the year, which changed how the transactions are processed d. The total dollars processed in this area are material
c. A new system was implemented during the year, which changed how the transactions are processed
5. The IIA's Standards require internal auditors to exercise due professional care while conducting assurance engagements. Which of the following is not something an internal auditor is required to consider in determining what constitutes the exercise of due care in an assurance engagement of treasury operations? a. The audit committee has requested assurance on the treasury function's compliance with a new policy on use of financial instruments b. Treasury management has not instituted any risk management policies c. The independent outside auditors have requested to see the engagement report and working papers d. The treasury function just completed implementation of a new real time investment tracking system
c. The independent outside auditors have requested to see the engagement report and working papers
6. In which of the following situations does the internal auditor potentially lack objectivity? a. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors b. An internal auditor discusses a significant issue with the vice president to whom the auditee reports prior to drafting the audit report c. An internal auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits d. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit function
d. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit function
4. An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website? a. Appropriateness of the information b. Timeliness of the information c. Accessibility of the information d. Accuracy and reliability of the information
d. Accuracy and reliability of the information
1. Which of the following are components of the definition of internal auditing? a. Independence and Objectivity b. A systematic and disciplined approach c. Helping the organization accomplish its objectives d. All of the above
d. All of the above
15. Which of the following is the ultimate position of a career internal auditor? a. CEO b. CFO c. CRO d. CAE
d. CAE
14. In addition to the Standards, some internal audit departments follow other standards in conducting their work, either because of regulatory requirements or by choice. When these other standards are inconsistent with IIA Standards, what should the audit department do? a. Follow IIA Standards b. Follow the other standards c. Follow the standard that is least restrictive d. Follow the standard that is most restrictive
d. Follow the standard that is most restrictive
2. Which of the following are "mandatory guidance" in The IIA's IPPF? I. Implementation Guides II. The Code of Ethics III. The Definition of Internal Auditing IV. The Standards a. I, II, and IV b. II and IV c. II, III, and IV d. I, II, III, and IV
d. I, II, III, and IV
7. Which of the following is/are components of the standards? I. Statements II. Interpretations III. Glossary a. I only b. I and II c. I and III d. I, II, and III
d. I, II, and III
12. Which of the following is true regarding business process outsourcing? a. Outsourcing a core, high risk business process reduces the overall operational risk b. Outsourced processes should not be included in the internal audit universe c. The independent outside auditor is required to review all significant outsourced business processes d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function
d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function
14. The function of the chief risk officer is most effective when he or she: a. Manages risk as a member of senior management b. Shares the management of risk with line management c. Shares the management of risk with the CAE d. Monitors risk as part of the ERM team
d. Monitors risk as part of the ERM team
1. In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long range impact on the organization? a. Advertising budget b. Production scheduling c. Inventory policy d. Product quality
d. Product quality
13. A company has recently outsourced its payroll process to a third party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision? a. Cancel the engagement, because the processing is being performed outside the organization b. Review only the controls over payments to the third party provider based on the contract c. Review only the company's controls over data sent to and received from the third party service provider d. Review the controls over payroll processing in both the company and the third party service provider
d. Review the controls over payroll processing in both the company and the third party service provider
13. To determine what needs to be done regarding follow up on an assurance engagement the internal audit staff just completed, one would consult: a. The Attribute Standards: Assurance Services Implementation Standards b. The Performance Standards: Consulting Services Implementation Standards c. The Attribute Standards: Consulting Services Implementation Standards d. The Performance Standards: Assurance Services Implementation Standard
d. The Performance Standards: Assurance Services Implementation Standard
7. Which of the following is mandatory guidance within the IPPF? a. Implementation guidance b. Supplemental guidance c. The value proposition d. The core principles
d. The core principles
10. The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors? a. A cross section of management is involved in assessing the impact and likelihood of each risk b. Risk owners are assigned responsibility for each key risk c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment section
d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment section
12. Which of the following statements regarding corporate governance is not correct? a. Corporate control mechanisms include internal and external mechanisms b. The compensation scheme for management is part of the corporate control mechanism c. The dilution of shareholders' wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue d. The internal audit function of a company has more responsibility than the board for the company's corporate governance
d. The internal audit function of a company has more responsibility than the board for the company's corporate governance
2. Assurance, Insight, and Objectivity comprise: a. The mission of internal auditing b. The three lines of defense model c. The objectives of internal auditing d. The value proposition
d. The value proposition