ACCY 501 Test 2: Internal Audit Flint
B. Best practices for another industry. Answer Explanation Acceptable industry standards, standards developed by professions or associations, standards in law and government regulations, and other sound business practices are usually deemed to be appropriate criteria.
Before an assurance engagement can be performed, the auditor must identify appropriate criteria. The sources of such criteria are least likely to include A. Benchmarks for the leading firms in the industry. B. Best practices for another industry. C. Historical cost information for the processes examined. D. Government regulations for the industry.
C. They are intended to improve the organization's controls. Answer Explanation Consulting services are "advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility" (The IIA Glossary).
Consulting services performed by internal auditors most likely benefit the organization because A. They need not be defined in the internal audit charter. B. The value proposition applies only to assurance services. C. They are intended to improve the organization's controls. D. The constraints of The IIA Code of Ethics do not apply.
B. Preliminary survey. Answer Explanation Engagement planning should include performing, as appropriate, a survey to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite client comments and suggestions from engagement clients. Among other things, the survey should include discussions with the engagement client (e.g., interviews with operating personnel) and documenting key control activities (including identifying performance standards).
Data-gathering activities such as interviewing operating personnel, identifying standards to be used to evaluate performance, and assessing risks inherent in a department's operations are typically performed in which phase of an audit engagement? A. Field work. B. Preliminary survey. C. Engagement program development. D. Examination and evaluation of evidence.
D. All of the answers represent an appropriate standard or criterion to support engagement observations, conclusions, and recommendations. Answer Explanation Acceptable industry standards, standards developed by professions or associations, standards in law and government regulations, and other sound business practices are usually deemed to be appropriate criteria.
Developing engagement observations, conclusions, and recommendations involves comparing the condition with the relevant standard or criterion. Which of the following choices best represents an appropriate standard or criterion to support engagement observations, conclusions, and recommendations? A. A quality standard operating procedure (number and date) for the department. B. An internal accounting control principle, cited and copied from a public accounting reference. C. A sound industry practice, based on the internal auditor's knowledge and experience obtained during many engagement assignments within the organization. D. All of the answers represent an appropriate standard or criterion to support engagement observations, conclusions, and recommendations.
A. Resources needed to complete the engagement were considered. Answer Explanation Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations (Perf. Std. 2200).
Documentation required to plan an internal audit engagement includes information that A. Resources needed to complete the engagement were considered. B. Planned engagement work will be completed on a timely basis. C. Intended engagement observations have been clearly identified. D. Internal audit activity resources are efficiently and effectively employed.
D. Highlight the weakness to ensure that procedures to test it are included in the engagement work program. Answer Explanation One purpose of the risk assessment is to highlight areas that should be addressed during the engagement. A potentially major control deficiency is a significant area warranting special emphasis and should be noted to ensure the needed coverage in the engagement work program.
During a preliminary survey of the accounts receivable function, an internal auditor discovered a potentially major control deficiency while preparing a flowchart. What immediate action should the internal auditor take regarding the weakness? A. Perform sufficient testing to determine its cause and effect. B. Report it to the level of management responsible for corrective action. C. Schedule a separate engagement to evaluate that segment of the accounts receivable function. D. Highlight the weakness to ensure that procedures to test it are included in the engagement work program.
A. A need for additional testing to determine related controls and the current exposure to duplicate payments made to suppliers. Answer Explanation One reason for a preliminary survey is to become familiar with the activities, risks, and controls to identify areas for engagement emphasis. Accordingly, this preliminary survey information should prompt the auditor to identify the magnitude of duplicate payments.
During a preliminary survey, an auditor found that several accounts payable vouchers for major suppliers required adjustments for duplicate payment of prior invoices. This would indicate A. A need for additional testing to determine related controls and the current exposure to duplicate payments made to suppliers. B. The possibility of unrecorded liabilities for the amount of the overpayments. C. Insufficient controls in the receiving area to ensure timely notice to the accounts payable area that goods have been received and inspected. D. The existence of a sophisticated accounts payable system that correlates overpayments to open invoices and therefore requires no further audit concern.
B. Review a sample of expense reports for proper approval. Answer Explanation The supervisor has described a control intended to prevent payment of unauthorized travel expenses. The internal auditor's best course of action is to test the control to determine whether it is actually in place and operating effectively. The most reliable information for this purpose is to inspect a sample of the relevant documents. Engagement information is obtained through observation, inquiry, and examination of records. When an internal auditor becomes aware of a policy or procedure through inquiry of employees or reading a written plan, it is best for the internal auditor then to examine records to determine whether the policy or procedure is actually followed in practice.
During an engagement to evaluate travel expenses, the accounting supervisor tells the internal auditor that each expense report is reviewed and approved before costs are reimbursed to the traveler. Which of the following is the best course of action for the internal auditor to take? A. Request the supervisor to put the statement in writing. B. Review a sample of expense reports for proper approval. C. Conserve engagement resources by accepting the statement and redirect work into another area. D. Corroborate this information with the controller.
D. All of the answers are correct. Answer Explanation Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes (Impl. Std. 2120.C2). Also, during consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks (Impl. Std. 2120.C1). Furthermore, internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes (Impl. Std. 2130.C1).
During consulting engagements, internal auditors A. May gain knowledge of risks that should be included in evaluating organizational risk management. B. Are responsible for significant risks not consistent with the objectives. C. May gain knowledge of controls that should be included in evaluating organizational controls. D. All of the answers are correct.
D. Verify that the amount was received. Answer Explanation Responses to confirmation requests that involve significant differences are investigated by the internal auditor. Others are delegated to organizational employees with a request that explanations be given to the internal auditor. Such differences often arise because of recent cash payments. In that event, the auditor should trace remittances to verify that stated amounts were received.
During the process of confirming receivables as of December 31, Year 1, a positive confirmation was returned indicating the "balance owed as of December 31 was paid on January 9, Year 2." The internal auditor would most likely A. Determine whether any changes in the account occurred between January 1 and January 9, Year 2. B. Determine whether a customary trade discount was taken by the customer. C. Reconfirm the zero balance as of January 10, Year 2. D. Verify that the amount was received.
A. Preliminary survey. Answer Explanation Internal auditors may perform a survey to (1) become familiar with activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from stakeholders.
During which phase of the engagement does the internal auditor identify the objectives and related controls of the activity being examined? A. Preliminary survey. B. Staff selection. C. Work program preparation. D. Final communication of results.
B. Performing a trend analysis of printing supplies expenses for a 2-year period. Answer Explanation A basic premise underlying the application of analytical procedures is that plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary. Thus, performing a trend analysis of printing supplies expenses for a 2-year period should identify an excess use of supplies.
Fact pattern: A purchasing agent acquired items for personal use with the organization's funds. The organization allowed designated employees to purchase a specified amount per day in merchandise under open-ended contracts. Supervisory approval of the purchases was required, but that information was not communicated to the vendor. Instead of reviewing and authorizing each purchase order, supervisors routinely signed the authorization sheet at the end of the month without reviewing any of the supporting documentation. Because purchases of this nature were not subject to normal receiving policies, the dishonest employee picked up the supplies at the vendor's warehouse. All purchases were for items routinely ordered by the organization. During the past year, the employee amassed enough merchandise to start a printing and photography business. Which of the following engagement procedures, performed by the internal auditor, is most likely to detect this fraud? A. Tracing selected canceled checks to the cash payments journal and to the related vendors' invoices. B. Performing a trend analysis of printing supplies expenses for a 2-year period. C. Tracing prices and quantities on selected vendors' invoices to the related purchase orders. D. Recomputing the clerical accuracy of selected vendors' invoices, including discounts and sales taxes.
B. Take a sample of the items on hand and compare the sample items with the underlying documents, such as receiving reports and sales orders, to determine how the goods were handled. Answer Explanation Sampling items on hand and reviewing the related documents assist the internal auditor in understanding the details of the transactions. This procedure should be performed before taking any further action.
Fact pattern: An internal auditor is performing an operational engagement at a division and observes that an unusually large quantity of goods is on hand in the shipping and materials rework areas. The items are labeled as re-ship items. Upon inquiry the internal auditor is told that these are goods that have been returned by customers and have either been repaired and shipped back to the original customer or repaired and shipped out as new products because they are fully warranted. The internal auditor has not yet performed any detailed engagement work. Based on the information given, the most appropriate action for the internal auditor to take is to A. Report the items to divisional management and ask for management's explanation before determining whether to include the observations in an engagement communication. B. Take a sample of the items on hand and compare the sample items with the underlying documents, such as receiving reports and sales orders, to determine how the goods were handled. C. Report the observations but do not perform any additional work without the approval of the chief audit executive because such work is clearly a scope expansion. D. Take an inventory of the goods on hand so the monetary amount can be included in the engagement communications along with the explanation of the problem.
A. Seek agreement with the client about the criteria. Answer Explanation If the criteria established by management to determine whether objectives and goals have been accomplished are inadequate, the internal auditors must work with management to develop appropriate evaluation criteria (Impl. Std. 2210.A3).
Fact pattern: The chief audit executive (CAE) of a mid-sized internal audit activity was concerned that management might outsource the internal auditing function. Thus, the CAE adopted a very aggressive program to promote the internal audit activity within the organization. The CAE planned to present the results to senior management and the board and recommend modification of the internal audit activity's charter after using the new program. The following lists six actions the CAE took to promote a positive image within the organization: 1. Engagement assignments concentrated on efficiency. The engagements focused solely on cost savings, and each engagement communication highlighted potential costs to be saved. Negative observations were omitted. The focus on efficiency was new, but the engagement clients seemed very happy. 2. Drafts of all engagement communications were carefully reviewed with the engagement clients to get their input. Their comments were carefully considered when developing the final engagement communication. 3. The information technology internal auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development. 4. Given limited resources, the engagement manager performed a risk assessment to establish engagement work schedule priorities. This was a marked departure from the previous approach of ensuring that all operations are evaluated on at least a 3-year interval. 5. To save time, the CAE no longer required that a standard internal control questionnaire be completed for each engagement. 6. When the internal auditors found that the engagement client had not developed specific criteria or data to evaluate operations, the internal auditors were instructed to perform research, develop specific criteria, review the criteria with the engagement client, and, if acceptable, use them to evaluate the engagement client's operations. If the engagement client disagreed with the criteria, a negotiation took place until acceptable criteria could be agreed upon. The engagement communication commented on the engagement client's operations in conjunction with the agreed-upon criteria. Regarding Action 6, which of the following elements of the action most likely would have rendered it inappropriate if omitted? A. Seek agreement with the client about the criteria. B. Developing a set of criteria to present to the engagement client as a basis for evaluating the engagement client's operations. C. Commenting on the agreed-upon criteria. D. All of the answers are correct.
A. Preliminary survey. Answer Explanation Planning includes performing, if appropriate, a survey to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from stakeholders. Interviews with stakeholders may be performed as part of the survey to obtain an overall understanding of operations.
Fact pattern: You are an internal auditing supervisor who is reviewing the working papers of a staff internal auditor's overall examination of the firm's sales function. The pages are not numbered or cross-referenced. Furthermore, the working papers were dropped and reassembled at random before they were brought to you. You decide to put the working papers in the proper order according to the Standards. The first stage of this activity is to identify each page as a part of (1) the preliminary survey, (2) the review of the adequacy of control processes, (3) the review for effectiveness of control processes, or (4) the review of results. The second page the supervisor selects documents an interview with a salesperson discussing the overall sales cycle. This page belongs with which activity? A. Preliminary survey. B. Review for adequacy of control processes. C. Review for effectiveness of control processes. D. Review of results.
A. Advertising agency billings. Answer Explanation An advertising agency customarily charges for its costs plus a commission based on those costs. To avoid being overcharged, the organization requires assurance that the agency can justify (document) the costs incurred and that these costs are reasonable. A field review of the agency's books and procedures is the best means of achieving the stated objective.
For an upcoming engagement, an internal auditor's objective is to determine whether costs are both documented and reasonable. This is most likely an engagement involving A. Advertising agency billings. B. Allowance for doubtful accounts. C. Asset disposals. D. Accounts payable.
C. Examining a representative sample of signed checks and determining that the signatures are authorized in the organizational signature book. Answer Explanation Cash disbursements must be properly authorized. The issuance of checks is performed by the treasury function after review of supporting documents, including a payment voucher prepared by the accounts payable department. Proper control procedures require that check-signing responsibility be limited to a few persons whose signatures are kept on file at the banks where the organization has accounts.
For review of an accounting department's bank reconciliation unit, which of the following is an appropriate engagement work program step for the review of canceled checks for authorized signatures? A. Comparing the check date with the first cancellation date. B. Determining that all checks are to be signed by individuals authorized by the board. C. Examining a representative sample of signed checks and determining that the signatures are authorized in the organizational signature book. D. Completing the tests of controls over check signatures in 4 hours.
B. Assurance services. Answer Explanation Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. Thus, if George provides assurance services for payroll, his objectivity is presumed to be impaired. However, internal auditors may provide consulting services relating to operations for which they had previous responsibilities (Impl. Std. 1130.C1).
George is the new internal auditor for XYZ Corporation. George was in charge of payroll for XYZ just 10 months ago. Performing what services in regard to payroll is considered an impairment of independence or objectivity if performed by George? A. Consulting services. B. Assurance services. C. Assurance or consulting services. D. Neither assurance nor consulting services.
B. Understand management's basis for accepting the risk. Answer Explanation The CAE must communicate information to senior management and the board about, among other things, significant risk and control issues and management's acceptance of risk. When the CAE believes that senior management has accepted an unacceptable risk, the CAE must discuss the matter with senior management. The CAE should (1) understand management's basis for the decision, (2) identify the cause of any disagreement, (3) determine whether management has the authority to accept the risk, and (4) preferably resolve the disagreement. If the CAE and senior management cannot agree, the CAE must inform the board. If possible, the CAE and management should jointly present their positions. The CAE also should consider timely discussion of financial reporting issues with the external auditors.
Gerald Fitz, CAE, believes that the internal controls over cash disbursements need major revisions. He discussed this matter with senior management and was alarmed at their acceptance of this serious risk. The CAE should A. Report the matter to the board immediately. B. Understand management's basis for accepting the risk. C. Determine whether management has the authority to accept the risk. D. Further attempt to resolve the disagreement.
A. Expand audit work prior to the preparation of an engagement final communication. Answer Explanation After identifying the risks, the auditor determines the procedures to be performed and the scope (nature, timing, and extent) of those procedures. If the preliminary evaluation indicates increased control risk, the auditor usually decides to apply additional engagement procedures to reach the engagement objectives.
If an auditor's preliminary evaluation of internal controls results in an observation that controls may be inadequate, the next step is to A. Expand audit work prior to the preparation of an engagement final communication. B. Prepare a flowchart depicting the internal control system. C. Note an exception in the engagement final communication if losses have occurred. D. Implement the desired controls.
A. Sales journal to the shipping documents. Answer Explanation To test the occurrence assertion about sales, the auditor vouches a sample of recorded sales to customer orders and shipping documents. Large and unusual sales should be included in the sample selected for testing. This test is useful for detecting overstatements.
If the objective of an auditor's test of details is to detect the overstatement of sales, the auditor should trace transactions from the A. Sales journal to the shipping documents. B. Shipping documents to the cash receipts journal. C. Cash receipts journal to the customer's purchase orders. D. Customer's purchase orders to the sales journal.
D. The susceptibility of a financial statement assertion to a material misstatement before consideration of related controls. Answer Explanation Control risk and inherent risk are the components of the risk of material misstatement (RMM). The auditor determines the appropriate level of detection risk based on the assessment of RMMs and the acceptable level of audit risk. Inherent risk is the susceptibility of an assertion about a transaction class, account balance, or disclosure that could be material, individually or combined with other misstatements, before consideration of any related controls.
In a financial statement audit, inherent risk is evaluated to help an auditor assess which of the following? A. The internal audit department's objectivity in reporting to the audit committee a material misstatement of a financial statement assertion it detects. B. The risk that the internal control system will not detect a material misstatement of a financial statement assertion. C. The risk that the audit procedures implemented will not detect a material misstatement of a financial statement assertion. D. The susceptibility of a financial statement assertion to a material misstatement before consideration of related controls.
A. Complied with existing fund requirements and performed specified activities. Answer Explanation A fund is a fiscal and accounting organization with a self-balancing set of accounts recording cash and other financial resources. It also records all related liabilities and residual equities and balances and changes in them. These items are segregated for the purpose of carrying on specific activities or attaining certain objectives in accordance with special regulations, restrictions, or limitations. Thus, the primary engagement objective is to determine whether the organization complied with the existing fund requirements and performed the specified activities.
In an engagement to review a not-for-profit organization's special revenue fund, the primary engagement objective is to determine whether the organization A. Complied with existing fund requirements and performed specified activities. B. Managed its resources economically and efficiently. C. Prepared its financial statements in accordance with accounting principles generally accepted in its country. D. Applies the funds in a way that would benefit the greatest number of people.
D. An organization-prepared statement of account showing the details of the customer's account balance. Answer Explanation A confirmation request should contain management's authorization to the confirming party to respond. Also, an external confirmation should be requested by the organization because the receiving party has no relationship with the internal auditor. In confirming the customer's account balance, display of the details of the balance will likely help the customer in reconciling the amount and may increase response rates. The internal auditor, however, will send the request directly to the customer, who will be requested to send the response directly to the internal auditor.
In confirming accounts receivable, an internal auditor decided to confirm customers' account balances rather than individual invoices. Which of the following most likely will be included with the organization confirmation letter? A. An auditor-prepared letter explaining that a nonresponse may cause an inference that the account balance is correct. B. An organization-prepared letter reminding the customer that a nonresponse will cause a second request to be sent. C. An auditor-prepared letter requesting the customer to supply missing and incorrect information directly to the client. D. An organization-prepared statement of account showing the details of the customer's account balance.
B. Rights and obligations. Answer Explanation External confirmations may be designed to test any financial statement assertion. However, a given confirmation request does not test all assertions equally well. For example, if the issue is whether securities are being held in the client's name by an outside agent, the completeness assertion with regard to the investment account is not adequately addressed by a confirmation request. Other agents may be holding securities for the client. Moreover, the agent may be holding other securities not specified in the request. Thus, the request tends to be most effective for testing the existence (whether the assets exist at a given date) assertion and the rights (whether the client has a specified ownership interest in the assets) assertion.
In confirming with an outside agent, such as a financial institution, that the agent is holding investment securities in the client's name, an auditor most likely gathers evidence in support of relevant financial statement assertions about existence or occurrence and A. Valuation and allocation. B. Rights and obligations. C. Completeness. D. Classification and understandability.
C. 1, 2, and 4 only. Answer Explanation Planning for consulting services involves considering what benefits these engagements may offer. According to Implementation Standard 2010.C1, "The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risk, add value, and improve the organization's operations. Accepted engagements must be included in the plan."
In deciding whether to accept a consulting engagement, the Standards require the CAE to consider the engagement's potential to 1. Add value 2. Improve management of risks 3. Develop internal audit competencies 4. Improve the organization's operations A. 1 only. B. 1 and 2 only. C. 1, 2, and 4 only. D. 1, 2, 3, and 4.
A. Determining the extent to which adequate operating criteria have been established. Answer Explanation Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished (Impl. Std. 2210.A3).
In evaluating the effectiveness and efficiency with which resources are employed, an internal auditor is responsible for A. Determining the extent to which adequate operating criteria have been established. B. Verifying the existence of assets. C. Reviewing the reliability of operating information. D. Verifying the accuracy of asset valuation.
D. Evaluating the adequacy and effectiveness of controls. Answer Explanation Internal auditors may perform a survey to (1) become familiar with activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from stakeholders. A survey is not sufficient for evaluating the adequacy and effectiveness of controls. Evaluation requires testing.
In planning an assurance engagement, a survey could assist with all of the following except A. Obtaining engagement client comments and suggestions on control problems. B. Obtaining preliminary information on controls. C. Identifying areas for engagement emphasis. D. Evaluating the adequacy and effectiveness of controls.
B. Uncertainty of the occurrence of an event that could affect the achievement of objectives. Answer Explanation Risk is the possibility that an event will occur having an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood (The IIA Glossary).
In planning an engagement, the internal auditor establishes objectives to address the risk associated with the activity. Risk is the A. Possibility that the balance or class of transactions and related assertions contains misstatements that could be material to the financial statements. B. Uncertainty of the occurrence of an event that could affect the achievement of objectives. C. Failure to adhere to organizational policies, plans, and procedures or to comply with relevant laws and regulations. D. Failure to accomplish established objectives and goals for operations or programs.
A. Engagement objectives. Answer Explanation The established scope must be sufficient to satisfy the objectives of the engagement (Perf. Std. 2220).
In the planning phase, the scope of an internal audit engagement is defined by the A. Engagement objectives. B. Scheduling and time estimates. C. Preliminary survey. D. Engagement work program.
D. Examining the construction work orders supporting items capitalized during the year. The audit plan for property, plant, and equipment includes verification of additions by vouching them to the original documents. The entries are traced from the journals back to authorizations, vendors' invoices, contracts, deeds, and construction work orders. Inspection of the work order for painting the warehouse should alert the auditor to the capitalization of an expense.
In violation of a company policy, Lowell Company erroneously capitalized the cost of painting its warehouse. The internal auditor examining Lowell's financial statements would most likely detect this error when A. Discussing capitalization policies with Lowell's controller. B. Examining maintenance expense accounts. C. Observing, during the physical inventory observation, that the warehouse had been painted. D. Examining the construction work orders supporting items capitalized during the year.
B. Cost-plus contract. Answer Explanation Cost-plus contracts are ways to cope with uncertainties about costs by setting a price equal to (1) cost plus a fixed amount or (2) cost plus a fixed percentage of cost. A problem is that the contractor may have little incentive for economy and efficiency, a reason for careful review by the internal auditors. These contracts may have provisions for (1) maximum costs, with any savings shared by the parties, or (2) incentives for early completion.
In which of the following arrangements should an internal auditor be most concerned about the lack of an incentive for economy and efficiency? A. Fixed-price contract. B. Cost-plus contract. C. Unit-price contract. D. Source code escrow clause.
B. Include training. Answer Explanation Consulting services are "advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training" (The IIA Glossary).
Internal audit consulting services A. Involve assuming certain responsibilities for managing risks. B. Include training. C. Exclude investigations and nonaudit roles. D. Add value in ways not necessarily consistent with the definition of internal auditing.
D. All engagements should be under budgetary control. Answer Explanation Project budgets and schedules should be developed for each engagement.
Internal audit engagements require budgeting and staff scheduling. Which of the following is true? A. Budgets are developed for the most important engagements. B. Use of actual engagements as training opportunities is discouraged. C. Time budgets ordinarily are prepared based on supervision requirements. D. All engagements should be under budgetary control.
D. Review of financial statements and related disclosures in conjunction with a potential acquisition. Answer Explanation A due diligence engagement is a service to determine the business justification for a major transaction, such as a business combination, and whether that justification is valid. Thus, the internal auditors and others may be part of a team that reviews the acquiree's operations, controls, financing, or disclosures of financial information.
Internal auditors are often called upon to either perform or assist the external auditor in performing a due diligence review. A due diligence review may be a(n) A. Review of interim financial statements as directed by an underwriting firm. B. Operational audit of a division of an organization to determine if divisional management is complying with laws and regulations. C. Review of operations as requested by the audit committee to determine whether the operations comply with audit committee and organizational policies. D. Review of financial statements and related disclosures in conjunction with a potential acquisition.
A. The organization's recognized losses on derivatives. Answer Explanation In planning the engagement, internal auditors must consider the significant risks and the means by which the potential impact of risk is kept to an acceptable level (Perf. Std. 2201). Risk factors have differing degrees of objectivity. The most objective (least subjective) factors are facts. The organization's losses on derivatives are facts and therefore objective to the extent measurable. Objective information is such that it can be supported by facts or numbers. Subjective information is a judgment and may be interpreted differently by different people.
Internal auditors must make a preliminary assessment of risks when conducting an assurance engagement. This assessment may involve quantitative (objective) and subjective factors. The least subjective factor is A. The organization's recognized losses on derivatives. B. The auditor's assessment of management responses. C. Changes in the auditee's business forecast. D. The evaluation of internal control.
A. Governance, risk management, and control. Answer Explanation The CAE has a duty to provide assurance to senior management and the board about governance, risk management, and control.
Johnny Hagerts, the chief audit executive of Booster, Inc., is having a meeting with senior management about the status of the internal audit. In this meeting, Mr. Hagerts should provide assurance to management about which of the following? A. Governance, risk management, and control. B. Sufficiency of internal audit staff. C. The time schedule of the engagement. D. The frequency and nature of reports.
B. Yes, the examined areas are relevant to the malfunctions. Answer Explanation Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment (Impl. Std. 2210.A1). Internal auditors also may perform a survey to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from engagement clients. The survey is appropriate as a means to conduct a preliminary assessment because the examined areas are relevant. The auditors also need to corroborate the information before any final assessment.
Levels of production stoppages over the past year at a large laminating business were abnormally high due to machine malfunctions. Would it be appropriate for the internal auditing function to develop a survey examining attitudes toward line operations, rotation of work zones, training, maintenance schedule, etc., for the machine operators to complete? A. Yes, the survey is reliable without corroboration. B. Yes, the examined areas are relevant to the malfunctions. C. No, the examined areas are irrelevant to the malfunctions. D. No, the survey is inappropriate without corroboration.
D. Increase in the assessed control risk. Answer Explanation Audit risk is a function of inherent risk, control risk, and detection risk. The only risk the auditor directly controls is detection risk. Thus, the auditor achieves the desired level of overall audit risk by adjusting detection risk in response to the assessed levels of inherent risk and control risk. Detection risk has an inverse relationship with control risk and inherent risk. If the auditor chooses to increase his or her assessment of control risk or inherent risk, detection risk should be decreased for a given planned audit risk.
On the basis of audit evidence gathered and evaluated, an auditor decides to decrease the level of detection risk from that originally planned. Assuming the same planned audit risk level, the change in the planned detection risk most likely resulted from a(n) A. Decrease in the assessed control risk. B. Increase in materiality levels. C. Decrease in the assessed inherent risk. D. Increase in the assessed control risk.
A. The CAE should generally assign engagement priorities to activities with higher risks. Answer Explanation Audit work schedules are based on, among other things, an assessment of risk and exposures. Prioritizing is needed to make decisions for applying resources. A variety of risk models exist to assist the CAE. Most risk models use risk factors, such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of last audit engagement, complexity, and employee and government relations.
Risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Which of the following statements reflects the appropriate action for the chief audit executive to take? A. The CAE should generally assign engagement priorities to activities with higher risks. B. The CAE should restrict the number of sources of information used in the risk assessment process. C. Work schedule priorities should be established to lead the CAE in the risk assessment process. D. The risk assessment process should be conducted at least every 3 to 5 years.
C. 1, 2, and 3. Answer Explanation Risk modeling in a consulting service can be accomplished by ranking the engagement's potential to improve management of risks, add value, and improve the organization's operations as identified in Impl. Std. 2010.C1.
Risk modeling in a consulting service can be accomplished by 1. Ranking the engagement's potential to improve management of risks 2. Ranking the engagement's potential to add value 3. Ranking the engagement's potential to improve the organization's operations A. 1 and 2. B. 1 and 3. C. 1, 2, and 3. D. 3 only.
D. All of the answers are correct. Answer Explanation Internal auditors need to be observant of the effectiveness of risk management and control processes during formal consulting engagements. Substantial risk exposures or material control weaknesses are brought to the attention of management. In some situations, the auditor's concerns should also be communicated to senior management or the board. [According to The IIA Glossary, the board includes "a committee or other body to which the governing body has delegated certain functions (e.g., an audit committee)."]
Substantial risk exposures or material control weaknesses discovered during a formal consulting engagement are brought to the attention of management. In some situations, the internal auditor's concerns also are communicated to A. Executive management. B. Audit committee. C. Board of directors. D. All of the answers are correct.
D. Engagement supervision. Answer Explanation Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed (Perf. Std. 2340).
The Standards of The IIA apply to assurance services and consulting services performed by the internal audit activity (IAA). Which of the following is addressed only in a performance standard? A. Documentation. B. Planning considerations. C. Engagement objectives. D. Engagement supervision.
A. Extent of engagement procedures performed. Answer Explanation Detection risk is the only one of the three components of audit risk that is subject to the auditor's direct control. The greater the assessed levels of control risk and/or inherent risk, the lower the acceptable level of detection risk. Hence, the relationship between performing engagement procedures and detection risk is inverse.
The acceptable level of detection risk is inversely related to the A. Extent of engagement procedures performed. B. Risk of misapplying auditing procedures. C. Preliminary judgment about materiality levels. D. Risk of failing to discover material misstatements.
B. A reduction of travel time and related travel expense. Answer Explanation The advantages of field offices compared with sending internal auditors from the home office include (1) reduced travel time and expense, (2) improved service in the operating locations served by the field offices, (3) better morale of internal auditors as a result of increased authority, and (4) the possibility of employing persons who do not wish to travel.
The advantage attributed to the establishment of internal auditing field offices for work at foreign locations is best described as A. The possibility of increased objectivity of personnel assigned to a field office. B. A reduction of travel time and related travel expense. C. The increased ease of maintaining uniform organization-wide standards. D. More contact with senior personnel leading to an increase in control.
B. Is adjusted only after approval at a level higher than the engagement supervisor. Answer Explanation Budget adjustments need to be justified and approved at a level higher than the engagement supervisor. Requests for adjustments should include (1) the operational activities to be reviewed, (2) the activities actually being performed, and (3) the employee days or hours attributable to the difference.
The budget for an engagement performed by internal auditors A. Should be approximated using the previous audit of the same activity. B. Is adjusted only after approval at a level higher than the engagement supervisor. C. May be increased or decreased by senior management or the board. D. Includes time budgets monitored by the engagement supervisor to control the project.
B. 3 only. Answer Explanation Any assessment of risk priority and exposure necessarily implies the exercise of professional judgment. Thus, although risk factors may be weighted to determine their relative significance, a ranking based solely on such specific criteria as monetary exposure or control deficiencies is not always indicated.
The chief audit executive for an organization has just completed a risk assessment process, identified the areas with the highest risks, and assigned an engagement priority to each. Which of the following conclusions most logically follow(s) from such a risk assessment? 1. Items should be quantified as to risk in the rank order of quantifiable monetary exposure to the organization. 2. The risk priorities should be in order of major control deficiencies. 3. The risk assessment process, though quantified, is the result of professional judgments about both exposures and probability of occurrences. A. 1 only. B. 3 only. C. 2 and 3 only. D. 1, 2, and 3.
B. The internal audit staff has recently added an individual with expertise in one of the areas. Answer Explanation The CAE's responsibility is to assign competent internal auditors to the appropriate engagements, not to adjust the workplan to the abilities of the staff.
The chief audit executive is preparing the audit work schedule for the next budget year and has limited resources. In deciding whether to schedule the purchasing or the personnel department for an engagement, which of the following is the least important factor? A. Major changes in operations have occurred in one of the departments. B. The internal audit staff has recently added an individual with expertise in one of the areas. C. More opportunities to achieve operating benefits are available in one of the departments than in the other. D. Updated assessed risk is significantly greater in one department than the other.
A. 1 and 3 only. Answer Explanation Audit engagement objectives are broad statements developed by internal auditors that define intended engagement accomplishments. Engagement objectives may be stated in various ways, but it should be clear what assurances the engagement will provide. The engagement objective to evaluate the clarity and transparency of the design of global compensation and benefit systems is intended to provide assurance about efficiency and effectiveness. The engagement objective to assess compliance with applicable requirements for visas and work permits is intended to provide assurance about compliance with laws and regulations.
A United States organization plans to expand operations to Gambia. Which of the following are plausible assurance engagement objectives for an internal audit of the human resources department? 1. Evaluate the clarity and transparency of the design of global compensation and benefit systems. 2. Identify methods of improving communications with assignees, line management, and leadership. 3. Assess compliance with applicable requirements for visas and work permits. 4. Provide consultation to potential assignees and line management on terms and conditions of the internal assignment. A. 1 and 3 only. B. 2 and 4 only. C. 3 and 4 only. D. 1, 2, and 4 only.
C. 1 and 4 only. Answer Explanation It is a best practice for risk assessment to be a dynamic process, changing over time and as new information, business strategies, and risks are identified. Ongoing consultation with members of management and the board is a way for the internal audit activity to obtain such information and stay attuned to organizational developments that may affect existing audit priorities. To accommodate such emerging priorities, the work schedule may need to be altered.
A chief audit executive (CAE) uses a risk assessment model to establish the annual audit plan. Which of the following would be an appropriate action by the CAE? 1. Maintain ongoing dialogue with management and the audit committee 2. Ensure that the schedule of audit priorities remains unchanged 3. Employ only quantitative methods to determine risk weightings 4. Revise the risk assessment and audit priorities as warranted A. 3 only. B. 1 and 2 only. C. 1 and 4 only. D. 3 and 4 only.
C. Risk D, Risk B, Risk C, Risk A. Answer Explanation Risk is the possibility of an event's occurrence that could have an impact on the achievement of objectives. Risk is measured in terms of impact (exposures) and likelihood (probability). Prioritizing is needed to make decisions for applying resources to engagements based on the relative significance of their risk and exposure estimates. The best order of priority listed (highest to lowest) is (1) Risk D (likely-major), (2) Risk B (possible-critical), (3) Risk C (possible-minor), and (4) Risk A (remote-critical). However, it is not entirely clear that Risk D and Risk C should have higher priorities than Risks B and A, respectively. For example, depending on the values assigned to the variables, a possible-critical impact (B) might have a higher priority than a likely-major impact (D).
A chief audit executive is reviewing the following enterprise-wide risk map: Remote: Critical : Risk A Possible: Risk B Likely: Major: Risk D Possible: Minor: Risk C Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity? A. Risk B, Risk C, Risk A, Risk D. B. Risk A, Risk B, Risk C, Risk D. C. Risk D, Risk B, Risk C, Risk A. D. Risk B, Risk C, Risk D, Risk A.
A. A systematic process for assessing and integrating professional judgment about probable adverse conditions. Answer Explanation The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization's goals (Perf. Std. 2010).
A chief audit executive most likely uses risk assessment for audit planning because it provides A. A systematic process for assessing and integrating professional judgment about probable adverse conditions. B. A listing of potentially adverse effects on the organization. C. A list of auditable activities in the organization. D. The probability that an event or action may adversely affect the organization.
D. Benchmarking. Answer Explanation Benchmarking is a primary tool used in quality management. It is a means of helping organizations with productivity management and business process analysis. Benchmarking involves analysis and measurement of key outputs against those of the best organizations. This procedure also involves identifying the underlying key actions and causes that contribute to the performance difference. The benchmark need not be a competitor or even a similar entity. Process (function) benchmarking studies operations of organizations with similar processes regardless of industry. Thus, a comparison to procedures against the check-in process for a major airline is an example of benchmarking.
A manufacturer that wants to improve its staging process compares its procedures against the check-in process for a major airline. Which of the following tools is the manufacturer using? A. Total quality management. B. Statistical process control. C. Economic value added. D. Benchmarking.
A. 1 and 2 only. Answer Explanation Both the presence of item costs set at zero and negative quantities on hand would provide evidence that inventory is understated.
A manufacturer uses a materials requirements planning (MRP) system to track inventory, orders, and raw material requirements. A preliminary audit assessment indicates that the organization's inventory is understated. Using audit software, what conditions should the auditor search for in the MRP database to support this hypothesis? 1. Item cost set at zero 2. Negative quantities on hand 3. Order quantity exceeding requirements 4. Inventory lead times exceeding delivery schedule A. 1 and 2 only. B. 1 and 4 only. C. 2 and 4 only. D. 3 and 4 only.
A. Preliminary survey. Answer Explanation A test from a prior engagement might be reviewed in the preliminary survey as background material. The notes made while evaluating controls are used by the auditor in the current period to identify matters of interest and possible deficiencies.
A page from an internal auditor's workpapers contains notes made in the prior period. They specify which controls are relevant in the current period and which controls will soon be obsolete. The notes relate to A. Preliminary survey. B. Review for adequacy of control processes. C. Review for effectiveness of control processes. D. Review of results.
C. Increase engagement time in functions being centralized. Answer Explanation A major change in organizational structure is a significant risk factor. Of the choices provided, devoting internal audit resources to this engagement best serves the organization.
A service company is currently experiencing a significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using in-house developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the director, two managers, and five staff auditors, all with financial background. In the past, the primary focus of successful audit activities has been the service branches and the six regional division headquarters that support the branches. These division headquarters are the primary targets for possible elimination. The support functions, such as human resources, accounting, and purchasing, will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Assuming that total available resources remain the same, what activities should the internal audit activity perform to best serve the organization? A. Decrease engagement time in systems development. B. Increase engagement time in service branches. C. Increase engagement time in functions being centralized. D. Continue the allocation of engagement time as before.
B. A complex or changing operating environment. Answer Explanation A standard work program is not appropriate for a complex or changing operating environment. The engagement objectives and related procedures may no longer be relevant.
A standard engagement work program is not appropriate for which situation? A. A stable operating environment undergoing only minimal changes. B. A complex or changing operating environment. C. Multiple locations with similar operations. D. Subsequent engagements to provide assurance about inventory performed at same location.
D. Regular analytical review of operating divisions. Answer Explanation Analytical procedures permit evaluations of financial information made by a study and comparison of the relationships among data. The premise is that certain relationships prevail in the absence of known conditions to the contrary. Analytical procedures identify such things as the existence of unusual transactions and events and amounts, ratios, and trends that might indicate matters that have financial statement ramifications. Deviations from expectations should be investigated and the reasons therefore determined.
A subsidiary president terminated a controller and hired a replacement without the required organizational approvals. Sales, cash flow, and profit statistics were then manipulated by the new controller and president via accelerated depreciation and sale of capital assets to obtain larger performance bonuses for the controller and the subsidiary president. An approach that might detect this fraudulent activity is A. Analysis of overall management control for segregation of duties. B. Required exit interviews for all terminated employees. C. Periodic changes of outside public accountants. D. Regular analytical review of operating divisions.
C. Procedures to accomplish engagement objectives. Answer Explanation Work programs are a necessary part of engagement planning. They include the procedures for collecting, analyzing, interpreting, and documenting information during the engagement.
A work program for a comprehensive assurance engagement to evaluate a purchasing function should include A. Procedures arranged by relative priority based upon perceived risk. B. A statement of the engagement objectives for the operation under review with agreement by the engagement client. C. Procedures to accomplish engagement objectives. D. A focus on risks affecting the financial statements as opposed to controls.
A. Provide the report to senior management as requested and discuss any issues that may require action to be taken. Answer Explanation The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board. The frequency and content of reporting depends on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board (Inter. Std. 2060).
The chief audit executive routinely reports to the board as part of the board meeting agenda each quarter. Senior management has asked to review this presentation before each board meeting so that any issues or questions can be discussed beforehand. The CAE needs to A. Provide the report to senior management as requested and discuss any issues that may require action to be taken. B. Withhold disclosure of the report to senior management because such matters are the sole province of the board. C. Disclose to the board only those matters in the report that pertain to expenditures and financial budgets of the internal audit activity. D. Provide information to senior management that pertains only to completed engagements and observations available in published engagement communications.
A. Budgetary control of the engagement. Answer Explanation All engagements should be under budgetary control. However, engagement resource allocation is not based on evaluation of budgetary control. Standard 2230: Engagement Resource Allocation states, "Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources."
According to the Standards, internal auditors determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of all of the following except A. Budgetary control of the engagement. B. Complexity of each engagement. C. Time constraints for each engagement. D. Available resources for each engagement.
B. Increase the assessment of control risk and increase the extent of substantive tests. Answer Explanation When an auditor discovers significant deficiencies, the risk is higher that internal control will not timely prevent, or detect and correct, a material misstatement that could occur in an assertion. This discovery increases the assessment of the risks of material misstatement. The result is less reliance on tests of controls and more reliance on substantive procedures.
After testing a client's internal control activities, an auditor discovers a number of significant deficiencies in the operation of a client's internal controls. Under these circumstances, the auditor most likely would A. Issue a disclaimer of opinion about the internal controls as part of the auditor's report. B. Increase the assessment of control risk and increase the extent of substantive tests. C. Issue a qualified opinion of this finding as part of the auditor's report. D. Withdraw from the audit because the internal controls are ineffective.
C. The internal audit charter should be amended. Answer Explanation The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter (Attr. Std. 1000). The nature of consulting services must be defined in the internal audit charter (Impl. Std. 1000.C1).
After the chief audit executive receives approval from the board to offer consulting services, what should be done? A. The CAE should begin performing consulting services. B. The CAE should get approval from the internal auditors. C. The internal audit charter should be amended. D. The board should develop appropriate policies and procedures for conducting such engagements.
D. Management cooperation with audit activities. Answer Explanation Management cooperation with audit activities is not a measure or expectation but rather a condition. A condition is the factual evidence that the internal auditor found in the course of the examination.
All of the following are acceptable criteria on which an internal audit may be based except A. Policies and procedures. B. Standards or guidelines. C. Control frameworks. D. Management cooperation with audit activities.
C. Describe the extent to which the internal audit activity has completed its approved audit plan. Answer Explanation According to Perf. Std. 2060, the CAE must report the internal audit activity's performance relative to its plan. An annual summary report ordinarily includes such performance results.
An annual summary report of completed engagement work submitted to senior management and the board by the chief audit executive should A. Discuss the administrative condition of the internal audit activity. B. Inform management of the scope of proposed work for the following year. C. Describe the extent to which the internal audit activity has completed its approved audit plan. D. Emphasize the number of deficiency observations discovered by the internal auditors.
D. Planning for the internal audit activity. Answer Explanation The audit plan should include the activities to be performed, when they will be performed, and the estimated time required, considering the scope of the engagement work planned and the nature and extent of related work performed by others. This plan permits determination of staffing plans and financial budgets and is a basis for the presentation of reports.
An approved audit plan for the internal audit activity is an essential part of A. Scheduling support for the external audit. B. Establishing standards for employee performance. C. Providing senior management with information about the quality of the internal audit activity's performance. D. Planning for the internal audit activity.
A. An analysis of quality control documents. Answer Explanation Internal auditors may perform a survey to (1) become familiar with activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from stakeholders. An analysis of quality control documents is a part of field work, which follows the survey.
An assurance engagement in the quality control department is being planned. Which of the following is least likely to be used in the preparation of a preliminary survey questionnaire? A. An analysis of quality control documents. B. The permanent engagement file. C. The prior engagement communications. D. Management's charter for the quality control department.
C. Review all journal entries that transferred costs from capital projects accounts to inventory accounts. Answer Explanation Some transfers from capital projects accounts to inventory may be legitimate, for example, because materials previously transferred from inventory were unused. However, the transfer of expenditures actually incurred for capital projects back to inventory misstates both accounts and undermines the budget process. Accordingly, the auditors should review all journal entries that transferred costs from capital to inventory accounts.
An audit found that the cost of some material installed on capital projects had been transferred to the inventory account because the capital budget had been exceeded. Which of the following would be an appropriate technique for the internal audit activity to use to monitor this situation? A. Identify variances between amounts capitalized each month and the capital budget. B. Analyze a sample of capital transactions each quarter to detect instances in which installed material was transferred to inventory. C. Review all journal entries that transferred costs from capital projects accounts to inventory accounts. D. Compare inventory receipts with debits to the inventory account and investigate discrepancies.
A. A computer report identifying unusual entries to the suspense account. Answer Explanation Because the employee transferred the loan amount to a suspense account, a computer system programmed to report unusual entries should expose the fraudulent loan at the earliest date.
An employee of an insurer processed a fraudulent policy loan application for an amount less than the established level requiring supervisory review. The employee then obtained the check and cashed it by forging the endorsement. To prevent the loan's appearance on a subsequent policyholder statement, the loan amount was transferred to a "suspense" account. Which of the following should expose this situation at the earliest date? A. A computer report identifying unusual entries to the suspense account. B. The use of prenumbered checks that are periodically accounted for. C. An annual engagement performed by the internal audit activity. D. Regular reconciliation of the "suspense" account performed by an independent employee.
C. Select a sample of accounts payable from the accounts payable listing and verify the supporting receiving reports, purchase orders, and invoices Answer Explanation The assertion being tested here is completeness: Are all legitimate liabilities recorded as such? Thus, the auditor's procedures must address whether all accounts payable that should have been recorded were recorded. Vouching a sample of payables, which by definition have already been recorded, to supporting documentation will not accomplish this.
An engagement objective is to determine if a company's accounts payable contain all outstanding liabilities. Which of the following audit procedures would not be relevant for this objective? A. Examine supporting documentation of subsequent (after-period) cash disbursements and verify period of liability. B. Send confirmations, including zero-balance accounts, to vendors with whom the company normally does business. C. Select a sample of accounts payable from the accounts payable listing and verify the supporting receiving reports, purchase orders, and invoices. D. Trace receiving reports issued before the period end to the related vendor invoices and accounts payable listing.
D. Observing the physical distribution of paychecks. Answer Explanation Most organizations large enough to have an internal audit activity do not physically distribute paychecks on a regular basis. Moreover, observing the physical distribution of paychecks is usually regarded as an extended procedure most applicable to fraud engagements.
An engagement to review payroll is least likely to include A. Tests of computations for gross and net wages. B. Comparison of payroll costs to budget. C. Tracing a sample of employee names to employment records in the personnel department. D. Observing the physical distribution of paychecks.
C. Determine the adequacy of the risk management and control systems for the management of capital facilities. Answer Explanation "In planning the engagement, internal auditors must consider: The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance. The significant risks to the activity's objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. The adequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model. The opportunities for making significant improvements to the activity's governance, risk management, and control processes" (Perf. Std. 2201).
An external consultant is developing methods for the management of a city's capital facilities. An appropriate scope of an engagement to evaluate the consultant's product is to A. Review the consultant's contract to determine its propriety. B. Establish the parameters of the value of the items being managed and controlled. C. Determine the adequacy of the risk management and control systems for the management of capital facilities. D. Review the handling of idle equipment.
B. 1 and 3 only. Answer Explanation Engagement objectives are broad statements developed by internal auditors that define intended engagement accomplishments. For a compliance engagement, they might include evaluating compliance with residency policy and assessing the employee complaint response process.
An internal audit function is charged with evaluating the compliance of the organization's human resources function with applicable laws, regulations, and internal policies. Which objective(s) is (are) appropriate for this engagement plan? 1. Evaluate compliance with residency policy. 2. Ensure that applicant pools are representative of the population. 3. Assess the process used for responding to employee complaints. 4. Question recently hired employees to assess compliance with interviewing standards. A. 1 and 2 only. B. 1 and 3 only. C. 3 only. D. 3 and 4 only.
C. Engagement work program. Answer Explanation Internal auditors must develop and document work programs that achieve the engagement objectives (Perf. Std. 2240). The work program states the objectives of the engagement; identifies technical requirements, objectives, risks, processes, and transactions that are to be examined; states the nature, extent, and timing of testing required; documents the internal auditor's procedures for collecting, analyzing, interpreting, and documenting information during the engagement; and is modified, as appropriate, during the engagement with the approval of the chief audit executive (CAE) or his or her designee. Before work programs are developed, the internal auditor should review background information (e.g., organizational objectives and goals) and, if appropriate, conduct a survey. The survey involves becoming familiar with activities, risks, and controls to identify areas for engagement emphasis and inviting comments and suggestions from engagement clients.
An internal auditing supervisor reviewed the system of controls and the organizational objective of the purchasing department. What facet of engagement planning was the supervisor developing? A. Internal auditing policy manual. B. Engagement work schedule. C. Engagement work program. D. Internal auditing budget.
D. Expenditures for property and equipment have not been charged to expense. Answer Explanation The internal auditor should vouch significant debits from the repairs and maintenance expense account to determine whether any should have been capitalized.
An internal auditor analyzes repairs and maintenance accounts primarily to obtain evidence in support of the classification assertion that all A. Noncapitalizable expenditures for repairs and maintenance have been recorded in the proper period. B. Expenditures for property and equipment have been recorded in the proper period. C. Noncapitalizable expenditures for repairs and maintenance have been properly charged to expense. D. Expenditures for property and equipment have not been charged to expense.
C. 3, 1, 2. Answer Explanation When expanding the reporting to other parties, the auditor takes the following steps until satisfied with the resolution of the matter: Determine what direction is provided in the agreement concerning the consulting engagement and related communications. Attempt to persuade those receiving or requesting the service to expand voluntarily the communication to the appropriate parties. Determine what guidance is provided in the internal audit charter or audit activity's policies and procedures concerning consulting communications. Determine what guidance is provided in the organization's code of conduct, code of ethics, and other relative policies, administrative directives, or procedures. Determine what guidance is provided by The IIA's Standards and Code of Ethics, other standards or codes applicable to the auditor, and any legal or regulatory requirements that relate to the matter under consideration.
An internal auditor concludes that the results of a consulting engagement should be communicated beyond those who received or requested the services. The auditor follows a series of steps until satisfied with the resolution. In what order will the auditor perform the following steps? 1. Attempt to convince those receiving or requesting the service to expand voluntarily the communication to the appropriate parties. 2. Determine what guidance is provided in the organization's code of conduct, code of ethics, and other relevant policies, administrative directives, or procedures. 3. Determine what direction is provided in the agreement concerning the consulting engagement and related communications. A. 2, 1, 3. B. 1, 2, 3. C. 3, 1, 2. D. 1, 3, 2.
C. Consider the engagement to be terminated with no communication of results needed because the engagement client has already agreed to take constructive action. Answer Explanation The apparently constructive action by the auditee may be a delaying tactic intended to conceal more serious problems after the internal auditor has identified significant engagement issues. Moreover, no basis is given for not pursuing the engagement. The internal auditor always considers the risk associated with the potential observations as a basis for determining the need for more immediate attention.
An internal auditor conducts a preliminary survey and identifies a number of significant engagement issues and reasons for pursuing them in more depth. The engagement client informally communicates concurrence with the preliminary survey results and asks that the internal auditor not report on the areas of significant concern until the client has an opportunity to respond to the problem areas. Which of the following engagement responses is not appropriate? A. Keep the engagement on schedule and discuss with management the need for completing the engagement on a timely basis. B. Consider the risk involved in the areas involved, and, if the risk is high, proceed with the engagement. C. Consider the engagement to be terminated with no communication of results needed because the engagement client has already agreed to take constructive action. D. Work with the engagement client to keep the engagement on schedule and address the significant issues in more depth, as well as the client's responses, during the course of the engagement.
D. Use the bank's policy as the audit criteria and determine whether formal adoption should be recommended in the engagement final communication. Answer Explanation "Adequate criteria are needed to evaluate governance, risk management, and controls. . . . If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board" (Impl. Std. 2210.A3). The facts do not indicate that the bank's policy is inadequate. Thus, the internal auditor should use the bank's policy as the audit criteria for the review of compliance with corporate policy. Furthermore, in accordance with the internal audit activity's responsibility to improve governance, risk management, and control, the internal auditor also should determine whether formal adoption of the bank's policy should be recommended in the engagement final communication.
An internal auditor has been asked to review the treasury department's compliance with corporate policy related to the use of forward trading to manage currency valuation risk. The auditor finds no related policies in the corporate policy manual but does discover that the department is following a policy developed by the company's bank. Which of the following would be the most appropriate response from the auditor? A. Withdraw from the audit engagement, because there is nothing to audit due to the lack of a corporate policy. B. Perform no further audit work and report the lack of a corporate policy as an audit observation. C. Postpone the audit engagement until a corporate policy can be established. D. Use the bank's policy as the audit criteria and determine whether formal adoption should be recommended in the engagement final communication.
B. Establish initial engagement objectives. Answer Explanation For an unplanned engagement, the first procedure is to develop the work program. Once the work program is completed, the auditor performs surveys and establishes initial engagement objectives.
An internal auditor has just completed a survey to become familiar with the organization's payroll operations as part of an unplanned engagement. Which of the following most likely is performed next? A. Assign internal audit personnel. B. Establish initial engagement objectives. C. Write the engagement work program. D. Conduct field work.
A. Inspection of documents. Answer Explanation The purchase order should be inspected for information about supervisory review to ensure that vendors used are from approved vendor lists.
An internal auditor has set an engagement objective of ascertaining compliance with a city ordinance forbidding city purchasing from vendors affiliated with elected city officials. Which of the following engagement techniques will best meet this objective? A. Inspection of documents. B. Observation. C. Inquiry. D. Analytical review.
B. Comparing cash receipt lists with the receipts journal and bank deposit slips. Answer Explanation Comparing cash receipt lists with the receipts journal and bank deposit slips is an appropriate engagement procedure relevant to the objective of safeguarding cash receipts. But it does not provide evidence of accuracy.
An internal auditor is considering whether the amount of cash is accurately recorded on the financial statements. All of the following are appropriate engagement procedures for the objective except A. Examining bank reconciliations and confirming bank balances. B. Comparing cash receipt lists with the receipts journal and bank deposit slips. C. Verifying cutoff of receipts and disbursements. D. Adding totals of reconciliations and comparing with cash account balances.
D. Substantive testing. Answer Explanation An internal auditor who knows that internal control is ineffective and that exposure to the risk of fraud is great should change the nature, timing, and extent of substantive testing. Substantive testing consists of analytical procedures and tests of details and balances.
An internal auditor is more likely to detect duplicate vendor payments in a high exposure environment with certain internal control weaknesses by using which of the following procedures? A. Trend analysis. B. Monetary validity. C. Proportional analysis. D. Substantive testing.
B. June 1, Year 2. Answer Explanation Independence and objectivity may be impaired if assurance services are provided within 1 year after a formal consulting engagement. Steps can be taken to minimize the effects of impairment by assigning different auditors to perform each of the services, establishing independent management and supervision, defining separate accountability for the results of the projects, and disclosing the presumed impairment.
An internal auditor performed a formal consulting engagement for XYZ Corporation on June 1, Year 1. When is the earliest time the auditor can perform assurance services for XYZ Corporation and be considered independent and objective? A. January 1, Year 2. B. June 1, Year 2. C. July 1, Year 1. D. June 2, Year 1.
B. Vendors' invoices. Answer Explanation Vendors' invoices are the billing documents received by the organization. They describe the items purchased, the amounts due, and the payment terms. The internal auditor should trace these invoices to the related receiving reports.
An internal auditor performs a test to determine whether all merchandise for which the organization was billed was received. The population for this test consists of all A. Merchandise received. B. Vendors' invoices. C. Canceled checks. D. Receiving reports.
C. Identification of obsolete or damaged merchandise to evaluate allowance (reserve) for obsolescence. Answer Explanation One way to discover damaged or obsolete merchandise is to observe the organization's physical inventory count and inspect the merchandise during the inventory process. The internal auditor should check for dusty packages, rusted metal, physical damage to the merchandise, etc. The internal auditor may also need to consult a specialist regarding the quality or condition of merchandise.
An internal auditor's observation of physical inventories at the main plant at year end provides direct evidence to support which of the following objectives? A. Accuracy of the priced-out inventory. B. Evaluation of lower of cost or market test. C. Identification of obsolete or damaged merchandise to evaluate allowance (reserve) for obsolescence. D. Determination of goods on consignment at another location.
A. Examine individual trades to determine whether the trades violate the authorization limit for the manager. Answer Explanation The monetary amount involved would not reveal whether the transaction was speculative.
An investment portfolio manager has the authority to use financial derivatives to hedge transactions but is not supposed to take speculative positions. However, the manager launches a scheme that includes (1) taking a position larger than required by the hedge, (2) putting the speculative gains in a suspense account, and (3) transferring the funds to a nonexistent broker and from there to a personal account. Which of the following engagement procedures is least effective in detecting this fraud? A. Examine individual trades to determine whether the trades violate the authorization limit for the manager. B. Sample individual trades and determine the exact matching of a hedge. Schedule and investigate all differences. C. Sample all debits to the suspense account and examine their disposition. D. Sample fund transfers to brokers and determine if the brokers are on the organization's authorized list for transactions.
A. An evaluation of the merit of lawsuits currently filed against the acquiree. Answer Explanation An evaluation of the merit of lawsuits requires legal expertise.
An organization is considering purchasing a small toxic waste disposal business. The internal auditors are part of the team doing a due diligence review for the acquisition. The scope of the internal auditors' work will most likely not include A. An evaluation of the merit of lawsuits currently filed against the acquiree. B. A review of the acquiree's procedures for acceptance of waste material and comparison with legal requirements. C. Analysis of the acquiree's compliance with, and disclosure of, loan covenants. D. Assessment of the efficiency of the operations of the acquiree.
C. Consider using external resources to supplement the needed knowledge, skills, and other competencies and complete the assignment. Answer Explanation In determining the resources needed to perform the engagement, the CAE must consider the knowledge, skills, and other competencies of the internal audit staff when selecting internal auditors for the engagement. The CAE considers the use of external resources when additional knowledge and competencies are required.
As a particular engagement is being planned in a high-risk area, the chief audit executive determines that the available staff does not have the requisite skills to perform the assignment. The best course of action consistent with engagement planning principles is to A. Not perform the engagement because the requisite skills are not available. B. Use the engagement as a training opportunity and let the internal auditors learn as the engagement is performed. C. Consider using external resources to supplement the needed knowledge, skills, and other competencies and complete the assignment. D. Perform the engagement but limit the scope in light of the skill deficiency.
D. Determine to whom engagement results will be communicated. Answer Explanation The CAE determines how, when, and to whom engagement results will be communicated.
As part of planning an engagement, the internal auditor in charge does all of the following except A. Determine the period covered. B. Conduct meetings with management responsible for the activity under review. C. Distribute reports from meetings with management. D. Determine to whom engagement results will be communicated.
A. Work is assigned to each manager based on risk and skill analysis. Answer Explanation Due professional care requires work assignments to be proportional to the complexities of the engagement and must ensure that the technical proficiency and educational background of the personnel assigned are appropriate. A skill analysis of tasks to be performed is therefore necessary. Furthermore, matters to be considered in establishing audit work schedule priorities include, among many other factors, an assessment of risk and exposures.
At a meeting with engagement managers, the chief audit executive is allocating the engagement work schedule for next year's plan. Which of the following methods will ensure that each manager receives an appropriate share of both the work schedule and internal audit activity resources? A. Work is assigned to each manager based on risk and skill analysis. B. Each of the managers selects the individual assignments desired, based on preferences for the area and the management personnel involved. C. Each manager chooses assignment preferences based on the total staff hours that are currently available to each manager. D. The full list of scheduled engagements is published for the staff, and work assignments are made based on career interests and travel requirements.
A. Cash has a greater inherent risk than an inventory of coal because it is more susceptible to theft. Answer Explanation Inherent risk is the susceptibility of an assertion about a transaction class, account balance, or disclosure that could be material, individually or combined with other misstatements, before consideration of any related controls. Some assertions and related balances or classes of transactions have greater inherent risk. Thus, cash has a greater inherent risk than less liquid assets.
Audit risk at the assertion level consists of inherent risk, control risk, and detection risk. Which of the following statements is true? A. Cash has a greater inherent risk than an inventory of coal because it is more susceptible to theft. B. The risk that material misstatement will not be timely prevented or detected by internal control can be reduced to zero by effective controls. C. Detection risk is a function of the efficiency of an auditing procedure. D. The existing levels of inherent risk, control risk, and detection risk can be changed at the discretion of the auditor.
D. Using a subjective group consensus to assess personnel competence is appropriate. Answer Explanation The risk assessment incorporates information from a variety of sources, such as discussions with the board and management and with internal audit management and staff. Thus, seeking the consensus of experienced internal audit managers regarding personnel matters is appropriate. This method tends to eliminate the extreme judgments that might be made by a single evaluator.
The chief audit executive set up a computerized spreadsheet to facilitate the risk assessment process involving a number of different divisions in the organization. The spreadsheet included the following factors: Pressure on divisional management to meet profit goals Complexity of operations Competence of divisional personnel The monetary amount of subjectively influenced accounts in the division, such as accounts in which management's judgment can affect the expense, e.g., postretirement benefits The CAE used a group meeting of internal audit managers to reach a consensus on the competence of divisional personnel. Other factors were assessed as high, medium, or low by either the CAE or an internal audit manager who had performed an engagement at the division. The CAE assigned a weight ranging from 0.5 to 1.0 to each factor and then computed a composite risk score. Which statement is true? A. The risk analysis is not appropriate because it mixes both quantitative and qualitative factors, thereby making expected value calculations impossible. B. Assessing factors at discrete levels such as high, medium, and low is inappropriate for the risk assessment process because the ratings are not quantifiable. C. The weighting is subjective and should have been determined through a process such as multiple-regression analysis. D. Using a subjective group consensus to assess personnel competence is appropriate.
C. Payment had been made for routine inventory items without a purchase order or receiving report. Answer Explanation Payment vouchers for merchandise should be supported by (1) a properly authorized purchase requisition, (2) a purchase order executing the transaction, (3) a receiving report indicating all goods ordered have been received in good condition, and (4) a vendor invoice confirming the amount owed. Lack of such support for cash payments suggests a high risk of fraud.
The chief audit executive was reviewing recent reports that had recommended additional engagements because of risk exposures to the organization. Which of the following represents the greatest risk and should be the next assignment? A. Three prenumbered receiving reports were missing. B. There were several purchase orders issued without purchase requisitions. C. Payment had been made for routine inventory items without a purchase order or receiving report. D. Several times cash receipts had been held over an extra day before depositing.
A. Probability of significant noncompliance. Answer Explanation Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing assurance engagement objectives (Impl. Std. 2210.A2).
The established scope of the engagement must be sufficient to satisfy the objectives of the engagement. When developing the objectives of the engagement, the internal auditor considers the A. Probability of significant noncompliance. B. Information included in the engagement work program. C. Results of engagement procedures. D. Resources required.
C. Measurability criteria and targeted dates of completion are not provided. Answer Explanation The goals of the internal audit activity should be capable of accomplishment within given operating plans and budgets and should be measurable to the extent possible. They should be accompanied by measurement criteria and targeted dates of accomplishment.
The internal audit activity of a large organization has established its operating plan and budget for the coming year. The operating plan is restricted to the following categories: a prioritized listing of all engagements, staffing, a detailed expense budget, and the commencement date of each engagement. Which of the following best describes the major deficiency of this operating plan? A. Requests by management for special projects are not considered. B. Opportunities to achieve operating benefits are ignored. C. Measurability criteria and targeted dates of completion are not provided. D. Knowledge, skills, and other competencies required to perform work are ignored.
B. The cost of the engagement. Answer Explanation Internal auditors must exercise due professional care with consideration of but not limited to the cost of assurance in relation to potential benefits; the extent of work needed to achieve the engagement objectives; and adequacy and effectiveness of governance, risk management, and control processes. The cost of the engagement is generally considered prior to the development of the audit plan and is not a factor to consider when developing the audit plan.
The internal audit activity's audit plan is based on all of the following except A. The audit universe. B. The cost of the engagement. C. Input from senior management and the board. D. Assessed risk and exposures.
D. Try to persuade management to include the additional objectives in the consulting engagement. Answer Explanation In planning formal consulting engagements, internal auditors design objectives to meet the appropriate needs of management officials receiving these services. In the case of special requests by management, internal auditors may consider the following actions if they believe that the objectives that should be pursued go beyond those requested by management: (1) persuade management to include the additional objectives in the consulting engagement; or (2) document that the objectives were not pursued, disclose that observation in the final communication of consulting engagement results, and include the objectives in a separate and subsequent assurance engagement.
The internal auditor for ABC Corporation has received a special request from management. The internal auditor believes that the objectives that should be pursued go beyond those requested by management. What should the internal auditor do? A. Refuse to accept the engagement unless management can be persuaded to include the additional objectives in the consulting engagement. B. Include the objectives that are necessary in the current consulting engagement and inform management in the final communication of the engagement results. C. Document the fact that the objectives were not pursued and disclose that observation to the audit committee in a formal report. D. Try to persuade management to include the additional objectives in the consulting engagement.
C. Draw preliminary conclusions about internal control. Answer Explanation Internal auditors gain an understanding of the design of the engagement client's internal controls. The auditors then draw conclusions about whether internal controls are designed adequately to achieve management's control objectives.
The internal auditor has gained an understanding of the design of an engagement client's internal controls. The most appropriate next step is to A. Test controls to determine whether they are functioning as designed. B. Halt the engagement and issue a report about inadequate controls. C. Draw preliminary conclusions about internal control. D. Contact the engagement client's direct supervisor to recommend that the head of the department or function under audit is transferred or terminated.
A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the internal auditor in making a comparative risk analysis. Answer Explanation Among the common factors used in risk models for establishing the priority of engagements is management competence. Hence, the internal auditor could appropriately consider the extent of management competence, which includes judgment, as a risk factor.
The internal auditor is considering making a risk analysis as a basis for determining the areas of the organization where engagements should be performed. Which one of the following statements is true regarding risk analysis? A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the internal auditor in making a comparative risk analysis. B. The highest risk assessment should always be assigned to the area with the largest potential loss. C. The highest risk assessment should always be assigned to the area with highest probability of occurrence. D. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
D. Paid claims from the claims (cash) disbursement file and vouch to documentary information about authorization and other supporting documentation. Answer Explanation The internal auditor is interested in whether the actual claims paid are properly supported. The most appropriate population from which to sample is the claims paid file. The sample would then be vouched to the supporting documents to test for proper authorization.
The internal auditor wishes to test the assertion that all claims paid by a medical insurer contain proper authorization and documentation, including but not limited to the validity of the claim from an approved physician and an indication that the claim complies with the claimant's policy. The most appropriate engagement procedure is to select a sample of A. All policyholders and examine all claims for the sampled items during the year to determine whether the claims were handled properly. B. Claims filed and trace to documentary information about authorization and other supporting documentation. C. Claims denied and determine that all claims denied were appropriate. The claims denied file is much smaller and the internal auditor can obtain greater coverage with the sample size. D. Paid claims from the claims (cash) disbursement file and vouch to documentary information about authorization and other supporting documentation.
C. Benchmark. Answer Explanation Benchmarking is an ongoing process that requires quantitative and qualitative measurement of the difference between the performance of an activity and the performance by the benchmark.
The management of a company would do which of the following to compare and contrast its financial information to published information reflecting optimal amounts? A. Budget. B. Forecast. C. Benchmark. D. Utilize best practices.
C. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items replaced. Answer Explanation A basic premise underlying the application of analytical procedures is that plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary. Thus, an analysis of repair parts charged to maintenance would quantify the excessive number of items and raise a red flag that abuse may be occurring.
The manager of a production line has the authority to order and receive replacement parts for all machinery that requires periodic maintenance. The internal auditor received an anonymous tip that the manager ordered substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier, and the money was divided between the manager and the family member. Which of the following tests would best assist the auditor in deciding whether to investigate this anonymous tip further? A. Comparison of the current quarter's maintenance expense with prior-period activity. B. Physical inventory testing of replacement parts for existence and valuation. C. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items replaced. D. Review of a test sample of parts invoices for proper authorization and receipt.
A. Discuss these observations with management of the internal audit activity to determine whether further work would be an efficient use of internal auditing resources at this time. Answer Explanation A preliminary survey allows the internal auditor to (1) become familiar with activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from stakeholders. In this case, additional planning is necessary to modify the engagement for the difficult circumstances discovered during the preliminary survey and to address the responsibilities of the internal audit activity.
The preliminary survey indicates that severe staff reductions at the engagement location have resulted in extensive amounts of overtime among accounting staff. Department members are visibly stressed and very vocal about the effects of the cutbacks. Accounting payrolls are nearly equal to prior years, and many key controls, such as segregation of duties, are no longer in place. The accounting supervisor now performs all operations within the cash receipts and posting process and has no time to review and approve transactions generated by the remaining members of the department. Journal entries for the last 6 months since the staff reductions show increasing numbers of prior-month adjustments and corrections, including revenues, cost of sales, and accruals that had been misstated or forgotten during month-end closing activity. The internal auditor should A. Discuss these observations with management of the internal audit activity to determine whether further work would be an efficient use of internal auditing resources at this time. B. Proceed with the scheduled engagement but add personnel based on the expected number of observations and anticipated lack of assistance from local accounting management. C. Research temporary help agencies and evaluate the cost and benefit of outsourcing needed services. D. Suspend further engagement work and issue the final communication of results because the conclusions are obvious.
D. Detection risk. Answer Explanation Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptable level will not detect a material misstatement. It is a function of the effectiveness of an audit procedure and its application by the auditor.
The risk that an auditor's procedures will lead to the conclusion that a material misstatement does not exist in an account balance when, in fact, such misstatement does exist is A. Audit risk. B. Inherent risk. C. Control risk. D. Detection risk.
A. Confirmation. Confirmations obtain evidence as a direct, written response to the auditor from a third party. Confirmations are used to verify the amount of or physical existence of an item. Obsolescence is a question of value, not physical existence.
To identify the amount of obsolete inventory that may exist in an organization, an internal auditor probably should collect information using all of the following procedures except A. Confirmation. B. Scanning. C. Recomputation. D. Analytical review.
A. Consists of all possible audits. Answer Explanation In developing the internal audit activity's audit plan, many CAEs find it useful to first develop or update the audit universe. The audit universe is a list of all the possible audits that could be performed.
Updating the audit universe is useful in developing the internal audit plan. The audit universe A. Consists of all possible audits. B. Reflects only past organizational strategies. C. May not overlap with the organization's strategic plan. D. Is typically updated every 5 years.
D. All of the answers are correct. Answer Explanation The competencies of the internal audit staff should be appropriate for the planned activities. Thus, the chief audit executive addresses resourcing needs, including whether those skills are present. Other ways to meet needs include external service providers, specialized consultants, or other employees of the organization. Thus, external service providers may provide assistance in (1) estimating the liability for postretirement benefits, (2) developing a comparative analysis of healthcare costs, and (3) training the staff to audit healthcare costs.
Use of external service providers with expertise in healthcare benefits is appropriate when the internal audit activity is A. Evaluating the organization's estimate of its liability for postretirement benefits, which include healthcare benefits. B. Comparing the cost of the organization's healthcare program with other programs offered in the industry. C. Training its staff to conduct an audit of healthcare costs in a major division of the organization. D. All of the answers are correct.
C. Benchmarking. Answer Explanation Benchmarking involves analysis and measurement of key outputs against those of the best organizations. Benchmarking also identifies the underlying key actions and causes that contribute to the performance difference.
What is the process by which products and services of a business entity are measured and evaluated relative to the best possible levels of performance? A. Measuring the performance gap. B. Standard measurement. C. Benchmarking. D. Variance management.
B. To ensure adequate coverage of areas with the greatest exposure to risks. Answer Explanation The purpose of establishing an internal audit plan is to ensure adequate coverage of areas with the greatest exposure to risks. The internal audit activity must prioritize to make decisions for applying resources. An internal audit plan normally focuses on (1) unacceptable current risks requiring management action, (2) control systems on which the organization is most reliant, (3) areas where the difference between inherent risk and residual risk is great, and (4) areas where inherent risk is very high.
What is the purpose of establishing an internal audit plan? A. To update the audit universe. B. To ensure adequate coverage of areas with the greatest exposure to risks. C. To identify areas of audits with lower risks. D. To identify, document, and analyze the means by which management mitigates the risks.
A. The staff internal auditor's desire for training in the area. Answer Explanation Engagement resource allocation is based on evaluation of (1) the number and experience of staff; (2) the knowledge, skills, and competencies of the staff; (3) training needs; and (4) whether external resources are required. If available staff do not have the requisite skills to perform the engagement, internal auditors should consider using external resources. But a staff internal auditor's desire for specific training is necessarily secondary to carrying out the responsibilities of the internal audit activity with regard to proper staffing.
When assigning individual staff members to actual engagements, internal auditing managers are faced with a number of important considerations related to needs, abilities, and skills. Which of the following is the least appropriate criterion for assigning a staff internal auditor to a specific engagement? A. The staff internal auditor's desire for training in the area. B. The complexity of the engagement. C. The experience level of the internal auditor. D. Special skills possessed by the staff internal auditor.
C. Substitution. Answer Explanation Simultaneous verification of cash and cash equivalents, such as negotiable securities, is common practice to avoid the possibility of conversion of negotiable assets to cash to conceal a cash shortage. The internal auditor should control and verify all liquid assets at one time.
When counting cash on hand, the internal auditor must exercise control over all cash and other negotiable assets to prevent A. Theft. B. Irregular endorsement. C. Substitution. D. Deposits in transit.
B. 2 only. Answer Explanation During planning, the chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions (Impl. Std. 2010.A2).
When developing the internal audit plan, the chief audit executive must consider the following expectations of 1. Department managers 2. Stakeholders 3. Human resource managers A. 1 only. B. 2 only. C. 3 only. D. 2 and 3.
B. Occurrence Answer Explanation A voucher signifies a liability. Its issuance is recorded in the voucher register after comparison of the vendor's invoice with the purchase requisition, purchase order, and receiving report. The direction of testing is an important consideration in addressing the RMMs. Selecting a sample of recorded entries in the voucher register to vouch to the supporting documentation provides evidence that the transactions occurred.
When performing procedures to test assertions about purchases, an auditor vouches a sample of entries in the voucher register to the supporting documents. Which relevant assertion would this procedure most likely support? A. Completeness. B. Occurrence. C. Valuation and allocation. D. Classification.
B. 2 only. Answer Explanation The annual risk-based audit plan should integrate the risk analysis with input from senior management and the board (audit committee). It reflects consideration of the organization's risk management framework and risk appetite levels set by management.
Which of the following actions by the internal audit activity is (are) appropriate in response to a risk assessment? 1. Although input of senior management and the board should be obtained, the chief audit executive does not need to consider it when developing the internal audit activity's plan of engagements. 2. The high-risk areas should be integrated into an audit plan along with the high-priority requests of management and the audit committee. 3. The risk analysis should be used in determining an audit plan. Thus, it should be performed only on an annual basis. A. 1 only. B. 2 only. C. 1 and 3 only. D. 1 and 2 only.
D. A process used to become familiar with activities and risks to identify areas for engagement emphasis. Answer Explanation Internal auditors may perform a survey to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from stakeholders.
Which of the following best describes a preliminary survey? A. A standardized questionnaire used to obtain an understanding of management objectives. B. A statistical sample of key employee attitudes, skills, and knowledge. C. A "walk-through" of the financial control system to identify risks and the controls that can address those risks. D. A process used to become familiar with activities and risks to identify areas for engagement emphasis.
C. Accounts receivable represent valid sales. Answer Explanation The process described is vouching. It begins with amounts recorded in the ledger and tracks backwards to the source documents. The purpose is to detect fictitious sales and ensure that each claimed sale is properly supported.
Which of the following engagement objectives will be accomplished by tracing a sample of accounts receivable debit entries to customer invoices and related shipping documents? A. Sales are properly recorded. B. Sales are billed at the correct prices. C. Accounts receivable represent valid sales. D. Customer credit is approved.
C. The objectives of the activity, the significant risks, and the control system. Answer Explanation According to Perf. Std. 2201, Planning Considerations, the factors internal auditors must consider when planning an audit of an activity include (1) the strategies and objectives of the activity; (2) the significant risks to objectives, resources, and operations; and (3) the means by which the activity is managing those risks (governance, risk management, and control processes).
Which of the following factors should an internal auditor consider when planning an audit of an activity? A. The objectives of the activity, the number of employees involved, and the control system. B. The qualifications of management, the significant risks, and the control system. C. The objectives of the activity, the significant risks, and the control system. D. The number of employees involved, the control system, and the recommendations of external auditors.
D. The bottom-up revision of the way the organization carries out a particular business process. Answer Explanation Business process reengineering (BPR) is the complete, bottom-up revision of the way an organization carries out a particular business process. Organizations undertaking BPR totally rethink how a particular business function should be carried out, without regard to how it is currently performed.
Which of the following is a characteristic of business process reengineering? A. Gradual, incremental streamlining of existing procedures. B. The movement of manual processes to computers. C. A change in the nature of the business itself. D. The bottom-up revision of the way the organization carries out a particular business process.
A. The risk that a material misstatement will not be prevented or detected on a timely basis by the client's internal controls. Answer Explanation The risk of material misstatement of relevant assertions consists of the following: (1) inherent risk is the susceptibility of a relevant assertion to material misstatement in the absence of related controls, and (2) control risk is the risk that internal control will not timely prevent, or detect and correct, basis a material misstatement that could occur in a relevant assertion.
Which of the following is a definition of control risk? A. The risk that a material misstatement will not be prevented or detected on a timely basis by the client's internal controls. B. The risk that the auditor will not detect a material misstatement. C. The risk that the auditor's assessment of internal controls will be at less than the maximum level. D. The susceptibility of material misstatement assuming there are no related internal control policies or procedures.
C. The payroll department's relative risk and exposure are greater. Answer Explanation The CAE must establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization's goals (Perf. Std. 2010). Audit work schedules are based on, among other factors, an assessment of risk and exposures.
Which of the following is a valid reason for an internal auditing engagement involving a payroll department to receive priority over a purchasing department engagement? A. The director of the payroll department requested that the payroll department engagement be performed first. B. The purchasing department engagement will require more time to perform. C. The payroll department's relative risk and exposure are greater. D. The purchasing department recently restructured its major operations.
C. Reference checks of prospective employees are being performed. Answer Explanation An effective personnel function is necessary for hiring, training, and monitoring human resources. One purpose of this function is to recruit, select, hire, train, supervise, and evaluate individuals who are suitable in light of job requirements, job descriptions, and job specifications (the abilities needed for particular jobs). In a review of this function, an appropriate objective is to determine whether the selection process is being properly performed. Thus, a potential employee's references should be checked to determine whether (s)he is truthful and has the desired qualifications.
Which of the following is an appropriate objective in an engagement to review a personnel department? Determining whether A. Hourly employees are being paid only for hours actually worked as indicated by time cards or similar reports. B. An equitable training program exists that provides all employees with approximately the same amount of training each year. C. Reference checks of prospective employees are being performed. D. Recruitment is being delegated to the various departments that have personnel needs.
B. Reviewing the internal audit activity's engagement work schedule submitted by the chief audit executive. Answer Explanation The CAE must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval (Perf. Std. 2020).
Which of the following is an appropriate responsibility of the board? A. Performing a review of the procurement function of the organization. B. Reviewing the internal audit activity's engagement work schedule submitted by the chief audit executive. C. Reviewing the engagement records of the public accounting firm to determine the firm's competence. D. Recommending the assignment of specific internal audit staff members for specific engagements.
B. To determine whether inventory stocks are sufficient to meet projected sales. Answer Explanation An engagement objective is a broad statement developed by internal auditors to define intended engagement accomplishments (The IIA Glossary). Determining whether inventory stocks are sufficient to meet projected sales is an engagement objective because it defines an audit accomplishment, not an engagement procedure. A procedure is designed to gather information that corroborates and documents conclusions about objectives.
Which of the following is an appropriate statement of an engagement objective? A. To observe the physical inventory count. B. To determine whether inventory stocks are sufficient to meet projected sales. C. To search for the existence of obsolete inventory by computing inventory turnover by product line. D. To include information about stockouts in the final engagement communication.
B. Ethical culture. Answer Explanation The COSO and CoCo models emphasize soft controls. For example, the communication of ethical values and the fostering of mutual trust are soft controls in the CoCo model. In the COSO model, soft controls are part of the control environment. An example is the tone at the top that communicates the directors' and management's attitude towards organizational integrity and other ethical values. Soft controls should be distinguished from hard controls, such as compliance with specific policies and procedures imposed upon employees from above.
Which of the following is an example of a soft control? A. Passwords. B. Ethical culture. C. Segregation of duties. D. Authorization signatures.
B. Redesigning the production line to speed up production. Answer Explanation One approach to business process mapping is reengineering. It involves process innovation and core process redesign. Instead of improving existing procedures, it finds new ways of doing things. Redesigning the production line is an example of this.
Which of the following is an example of business process reengineering? A. Adding a new machine to the existing production line to speed up production. B. Redesigning the production line to speed up production. C. Repairing a machine on the process line to speed up production. D. Updating the computer systems involved on the production line to speed up production.
C. Sampling plan and key criteria. Answer Explanation Possible objectives and scope for the engagement, the client personnel to whom the auditors need access, and the expected start and completion dates for the engagement are all appropriate matters for discussion at a pre-engagement meeting. The sampling plan cannot be drafted until risk is assessed and the engagement objectives are set.
Which of the following is least likely to be placed on the agenda for discussion at a pre-engagement meeting? A. Objectives and scope of the engagement. B. Client personnel needed. C. Sampling plan and key criteria. D. Expected starting and completion dates.
A. The chief audit executive consults with external auditors. Answer Explanation The audit plan must be logically related to identified risks of the organization. These risks relate to strategic and operational goals. Making this connection between identified risks and how they relate to goals is a requirement of risk-based audit planning. Accordingly, the CAE must establish a risk-based plan that sets priorities. But the Standards only require the CAE to consult with the board and senior management (Interpretation of Standard 2010, Implementation Standard 2010.A1).
Which of the following is not a requirement of risk-based audit planning? A. The chief audit executive consults with external auditors. B. The risk-based plan considers the organization's strategies and objectives. C. The risk-based plan is adjusted for changes in the organization's business. D. To determine the priorities of the internal audit activity, a risk-based plan must be established.
B. Run background checks on unauthorized vendors. Answer Explanation Engagement objectives are "broad statements developed by internal auditors that define intended engagement accomplishments" (The IIA Glossary). Thus, engagement objectives may be stated in various ways, but it should be clear what assurance is provided. Running background checks is an engagement procedure, not an engagement objective. The related objective is to determine whether vendors are authorized in accordance with management criteria.
Which of the following is not an engagement objective related to the purchasing function? A. Determine whether purchases eligible for competitive bids are properly reviewed and authorized. B. Run background checks on unauthorized vendors. C. Determine whether receiving reports are independently verified. D. Determine whether goods received are properly reflected in purchasing records.
A. Determine customer satisfaction with shareholder communications. Answer Explanation According to The IIA Glossary, engagement objectives are broad statements developed by internal auditors that define intended engagement accomplishments. Also, an assurance service provides an independent assessment of governance, risk management, and control processes. But an evaluation of customer satisfaction is provided by a consulting service.
Which of the following is not likely to be an assurance engagement objective related to auditing governance activities? A. Determine customer satisfaction with shareholder communications. B. Determine the operating effectiveness of the whistleblower process. C. Evaluate the design adequacy of board education and training. D. Assess compliance with ethics policies.
A. To ensure that the internal audit plan supports the overall business objectives. Answer Explanation The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization's goals (Perf. Std. 2010). Including the strategic plan in the audit universe ensures that it reflects the overall business objectives stated in the strategic plan.
Which of the following is the best reason for the chief audit executive to consider the strategic plan in developing the annual audit plan? A. To ensure that the internal audit plan supports the overall business objectives. B. To ensure that the internal audit plan will be approved by senior management. C. To make recommendations to improve the strategic plan. D. To emphasize the importance of the internal audit function.
D. Benchmarking is accomplished by comparing an organization's performance to that of the best-performing organizations. Answer Explanation Benchmarking is one of the primary tools used in the implementation of a total quality management approach. It is a means of helping organizations with productivity management and business process review. It is therefore a source of consulting engagements for the internal auditors. Benchmarking is a continuous evaluation of the practices of the best organizations in their class and the adaptation of processes to reflect the best of these practices. It entails analysis and measurement of key outputs against those of the best organizations. This procedure also involves identifying the underlying key actions and causes that contribute to the performance difference. Benchmarking is an ongoing process that entails quantitative and qualitative measurement of the difference between the organization's performance of an activity and the performance by the best in the world. The benchmark organization need not be a competitor.
Which of the following is true of benchmarking? A. Benchmarking is typically accomplished by comparing an organization's performance with the performance of its closest competitors. B. Benchmarking can be performed by using only qualitative comparisons. C. Benchmarking is normally limited to manufacturing operations and production processes. D. Benchmarking is accomplished by comparing an organization's performance to that of the best-performing organizations.
B. To determine that employees are assigned to work situations equivalent to their training and skill level. Answer Explanation Internal auditors should appraise the economy and efficiency with which resources are employed. Assignment of employees to tasks not commensurate with their skills may result in excess labor costs (when more skilled and more highly paid workers perform jobs for which they are overqualified) or in poor performance (when underqualified labor is used).
Which of the following possible engagement objectives would lead to a test of the efficiency of an organization's use of labor resources? A. To determine that all employees are paid in accordance with union wages. B. To determine that employees are assigned to work situations equivalent to their training and skill level. C. To determine that the quality of performance by labor meets organizational standards. D. To determine that only authorized employees are paid.
B. Review the trend in receivables write-offs. Answer Explanation The purpose of the credit-granting function is to minimize write-offs while accepting sales likely to result in collection. Trend (time-series) analysis is an analytical procedure that relies on experience, i.e., the change in a variable over time. Thus, reviewing the trend in write-offs will provide some insight concerning the minimization of write-offs.
Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function? A. Observe the process. B. Review the trend in receivables write-offs. C. Ask the credit manager about the effectiveness of the function. D. Check for evidence of credit approval on a sample of customer orders.
B. 2 only. Answer Explanation The high-risk areas should be integrated into an audit work schedule along with the high-priority requests of senior management and the audit committee.
Which of the following represent(s) appropriate internal audit action in response to the risk assessment process? 1. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be performed by the internal audit activity. 2. The high-risk areas should be integrated into an audit work schedule along with the high-priority requests of senior management and the audit committee. 3. The risk analysis should be used in determining an annual audit work schedule. Thus, the risk analysis should be performed only on an annual basis. A. 1 only. B. 2 only. C. 3 only. D. 1 and 3 only.
C. Additional safety regulations enacted by the government have caused a strain on the organization's resources. Answer Explanation External risk factors arise from outside the organization. Examples of external risks include competitor actions, suppliers, industry issues, and employee and government relations. Examples of internal risk factors include quality and adherence to controls, timing and results of last engagement, materiality, asset liquidity, and management competence.
Which of the following represents an external risk factor? A. The organization's CEO unexpectedly became ill and had to resign. The chairman of the board of directors stepped into the vacant role until a new CEO could be found. B. Constant repairs to outdated equipment used in the manufacturing process cost three times more than the amount budgeted. C. Additional safety regulations enacted by the government have caused a strain on the organization's resources. D. Weak controls over cash accounts have resulted in employee theft.
D. Time budgets should normally be prepared in terms of hours or days. Answer Explanation A budget is a plan that contains a quantitative statement of expected results. It may be defined as a quantified program. All engagement projects and other assignments must be kept under budgetary control. Time budgets for engagement projects are usually prepared in employee-hours or employee-days.
Which of the following statements is true with respect to a time budget for an internal audit engagement? A. Requests for time budget adjustments should be approved by the audit committee. B. Time budgets should be strictly adhered to, regardless of circumstances. C. Time budgets should be used for financial audits, but not for operational audits. D. Time budgets should normally be prepared in terms of hours or days.
C. The amounts of trading and the potential risks associated with the derivatives trading are not material to the overall organization. Answer Explanation The chief audit executive (CAE) must report periodically to senior management and the board significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management or the board (Perf. Std. 2060). Thus, the CAE is not required to report immaterial risk and control issues.
Which of the following statements, if true, would justify a chief audit executive's decision not to report certain control concerns regarding derivatives trading in a report to the audit committee? A. Management plans to initiate corrective action. B. The board has a separate committee to make recommendations on trading issues. C. The amounts of trading and the potential risks associated with the derivatives trading are not material to the overall organization. D. Derivatives are complex, and the auditor should rely on management's analysis of the extent of the problem.
C. Detection. Answer Explanation Detection risk is the risk that procedures performed to reduce audit risk to an acceptably low level will not detect a material misstatement. It relates to the nature, timing, and extent of audit procedures and is therefore the auditor's risk. For example, performing an audit procedure at an interim date instead of year-end increases detection risk because of the need to cover the interim period.
Which of the following types of risk increases when an auditor performs substantive analytical audit procedures for financial statement accounts at an interim date? A. Inherent. B. Control. C. Detection. D. Sampling.
C. Detection. Answer Explanation Audit risk consists of (1) the risks of material misstatement (inherent risk combined with control risk) and (2) detection risk. The RMMs are the entity's risks, and detection risk is the auditor's risk. Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a material misstatement. It is a function of the effectiveness of an audit procedure and its application by the auditor. Detection risk is the only component of audit risk that can be changed at the auditor's discretion. An auditor who performs procedures at an interim date should cover the remaining period. The longer the remaining period, the greater the detection risk resulting from performing procedures at an interim date.
Which of the following types of risks most likely would increase if accounts receivable are confirmed 3 months before year end? A. Inherent. B. Control. C. Detection. D. Business.
C. Internal auditors keep senior management and the board informed about how audit resources are being deployed. Answer Explanation Internal auditors disclose to management, the board, or other governing body of the organization the nature, extent, and overall results of formal consulting engagements along with other reports of internal audit activities. Internal auditors keep senior management and the board informed about how audit resources are being deployed. Neither detail reports of these consulting engagements nor the specific results and recommendations are required to be communicated.
Which statement about consulting engagements is true? A. Documentation requirements applicable to assurance engagements apply to consulting engagements. B. The internal audit activity may assume management responsibility to the extent agreed upon with the client. C. Internal auditors keep senior management and the board informed about how audit resources are being deployed. D. Work programs for formal consulting engagements address policies and issues related to ownership of consulting engagement records to protect the organization and avoid any potential misunderstandings.
C. Verification. Answer Explanation Verification is a broad term for the process of determining the validity of provided information.
Which technique is most appropriate for testing the quality of the preliminary survey of payment vouchers described in an internal control questionnaire? A. Analysis. B. Evaluation. C. Verification. D. Observation.
B. Risks associated with the activities to be reviewed. Answer Explanation Internal auditors establish engagement objectives to address the risks associated with the activity under review. For planned engagements, the objectives proceed and align to those initially identified during the risk assessment process from which the internal audit plan is derived.
While planning an engagement, an internal auditor establishes engagement objectives to describe what is to be accomplished. Which of the following is a key issue to consider in developing engagement objectives? A. The qualifications of the internal auditing staff selected for the engagement. B. Risks associated with the activities to be reviewed. C. Recommendations of the engagement client's employees. D. The recipients of the final engagement communication.
A. Senior management and the board. Answer Explanation According to Perf. Std. 2020, senior management and the board review and approve the internal audit plan.
Who reviews and approves a summary of the internal audit plan? A. Senior management and the board. B. The audit committee and the board. C. Senior management only. D. The chief audit executive (CAE) only.
A. Considers practices in relevant jurisdictions. Answer Explanation The IAA assesses the adequacy of (1) management's risk identification and (2) the controls that reduce those risks. Moreover, the IAA evaluates the privacy framework, identifies significant risks, and makes recommendations. It also considers (1) laws, regulations, and practices in relevant jurisdictions; (2) the advice of legal counsel; and (3) the security efforts of IT specialists.
With regard to providing an assurance service for the organization's privacy framework, the internal audit activity assesses the adequacy of risk identification and controls. The internal audit activity also A. Considers practices in relevant jurisdictions. B. Confirms to the board that information security is the IAA's responsibility. C. Performs a consulting engagement to provide advice on information security protocols. D. Devises and implements controls.
C. Coordinated with internal auditing work. Answer Explanation Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. Coordination of internal and external audit work is the responsibility of the CAE (Perf. Std. 2050).
To improve their efficiency, internal auditors may rely upon the work of external auditors if it is A. Performed after the internal auditing work. B. Primarily concerned with operational objectives and activities. C. Coordinated with internal auditing work. D. Conducted in accordance with the Code of Ethics.
B. Safeguarding of assets. Answer Explanation Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit activity. However, the internal audit activity's assurance function evaluates the adequacy and effectiveness of controls related to the organization's governance, operations, and information systems regarding safeguarding assets (Impl. Std. 2130.A1).
Which of the following activities is outside the scope of internal auditing? A. Evaluating risk exposures regarding compliance with policies, procedures, and contracts. B. Safeguarding of assets. C. Evaluating risk exposures regarding compliance with laws and regulations. D. Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished.
B. Determine that the budget was reviewed and approved by supervisory personnel within the granting agency. Answer Explanation The activities of the granting agency are not relevant to a compliance engagement relating to the city's use of the grant funds. The internal auditors are responsible only for determining whether the city is in compliance with the requirements of the grant.
A certified internal auditor is the chief audit executive for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding. The chief audit executive plans an engagement to verify that the job retraining program complies with applicable grant provisions. One of the provisions is that the city adopt a budget for the program and subsequently follow procedures to ensure that the budget is adhered to and that only allowable costs are charged to the program. In performing an engagement concerning compliance with this provision, the internal auditors should perform all of the following procedures except A. Determine that the budget was reviewed and approved by supervisory personnel within the city. B. Determine that the budget was reviewed and approved by supervisory personnel within the granting agency. C. Select a sample of expenditures to determine that the expenditures are (1) properly classified as to type, (2) appropriate to the program, and (3) designed to meet the program's objectives. D. Compare actual results with budgeted results and determine the reason for deviations. Determine if such deviations have been approved by appropriate officials.
A. Credit memoranda being improperly recorded. Answer Explanation Sales returns and allowances require the crediting of accounts receivable. The recording of unauthorized credit memoranda is one explanation for the discrepancy if sales and cash receipts are properly recorded.
A company has computerized sales and cash receipts journals. The computer programs for these journals have been properly debugged. The auditor discovered that the total of the accounts receivable subsidiary accounts differs materially from the accounts receivable control account. This discrepancy could indicate A. Credit memoranda being improperly recorded. B. Lapping of receivables. C. Receivables not being properly aged. D. Statements being intercepted prior to mailing.
D. Operational engagement. Answer Explanation An operational engagement (audit) assesses the efficiency and effectiveness of an organization's operations. For example, a process (functional) engagement is a type of operational engagement. A typical process is purchasing, for which cost savings is likely to be an objective.
A determination of cost savings is most likely to be an objective of a(n) A. Program-results engagement. B. Financial engagement. C. Compliance engagement. D. Operational engagement.
C. Appraisal of the business and control environment and comparison against established criteria. Answer Explanation Performance audit engagements involve review of the business and control environment and key performance indicators against set criteria using balanced scorecards, SWOT analysis, and management control evaluation. A balanced scorecard is an evaluation of performance against established criteria. SWOT analysis appraises the business and potentially the control environment.
A performance audit engagement typically involves A. Review of financial statement information, including the appropriateness of various accounting treatments. B. Tests of compliance with policies, procedures, laws, and regulations. C. Appraisal of the business and control environment and comparison against established criteria. D. Evaluation of organizational and departmental structures, including assessments of process flows.
A. An activity not part of normal operations. Answer Explanation A program is a funded activity not part of the normal, continuing operations of the organization, such as an expansion or a new information system.
A program-results engagement is most likely to be performed on A. An activity not part of normal operations. B. The purchasing and receiving departments. C. Safety practices and scrap handling. D. Distribution of services and materials.
B. Comparing the unit cost of the products sold before and during the promotion period. Answer Explanation The facts do not indicate that the cost of the products sold has changed. Moreover, this procedure does not consider the revenue effects of the promotion. The challenge is to address the overall effectiveness of the promotion.
A sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes the cost may be too high and has asked for a review by the internal audit activity. Which of the following procedures would be the least useful to determine the effectiveness of the promotion? A. Comparing product sales during the promotion period with sales during a similar non-promotion period. B. Comparing the unit cost of the products sold before and during the promotion period. C. Performing an analysis of marginal revenue and marginal cost for the promotion period, compared to the period before the promotion. D. Performing a review of the sales department's benchmarks used to determine the success of a promotion.
B. 1 and 4 only. Answer Explanation Determining whether all goods paid for have been received addresses safeguarding of assets. Determining whether the correct accounts have been charged addresses the reliability and integrity of financial information.
A specific objective of an audit of a company's expenditure cycle is to determine whether all goods paid for have been received and charged to the correct account. This objective addresses which of the following primary objectives identified in the Standards? 1. Reliability and integrity of financial and operational information. 2. Compliance with laws, regulations, policies, procedures, and contracts. 3. Effectiveness and efficiency of operations and programs. 4. Safeguarding of assets. A. 1 and 2 only. B. 1 and 4 only. C. 1, 2, and 4 only. D. 2, 3, and 4 only.
D. They are used in a way that optimizes the achievement of the approved plan. Answer Explanation According to the Interpretation of Standard 2030, "Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan." The CAE is primarily responsible for the sufficiency and management of resources, including communication of needs and status to senior management and the board. Resources are effectively deployed by assigning qualified auditors and developing an appropriate resourcing approach and organizational structure.
According to the International Professional Practices Framework, internal audit resources are effectively deployed when A. The internal audit staff has the necessary attributes for the planned activities. B. The resources needed to accomplish the plan are adequate. C. There are more opportunities to achieve operating benefits for the engagement client. D. They are used in a way that optimizes the achievement of the approved plan.
B. Its individual members conform with the Code of Ethics and the Standards. Answer Explanation According to the Interpretation of Standard 2000, the internal audit activity is effectively managed when It achieves the purpose and responsibility included in the internal audit charter. It conforms with the Standards. Its individual members conform with the Code of Ethics and the Standards. It considers trends and emerging issues that could impact the organization. The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.
According to the International Professional Practices Framework, the internal audit activity is effectively managed when A. Policies on responsibilities of the internal audit activity are included in the organization's operations manual. B. Its individual members conform with the Code of Ethics and the Standards. C. Management oversees the day-to-day operations of the internal audit activity. D. It has the skill set and knowledge to help the organization achieve its objectives.
A. External auditors may not possess the same depth of understanding of the organization as the internal auditors. Answer Explanation Internal auditing evaluates and contributes to the improvement of the organization's governance, risk management, and control processes. Accordingly, its scope of work is far broader than that of the external auditors.
After using the same public accounting firm for several years, the board of directors retained another public accounting firm to perform the annual financial audit in order to reduce the annual audit fee. The new firm has now proposed a one-time engagement relating to the cost-effectiveness of the various operations of the business. The chief audit executive has been asked to advise management in making a decision on the proposal. An argument can be made that the internal audit activity is better able to perform such an engagement because A. External auditors may not possess the same depth of understanding of the organization as the internal auditors. B. Internal auditors are required to be objective in performing engagements. C. Engagement procedures used by internal auditors are different from those used by external auditors. D. Internal auditors will not be vitally concerned with fraud and waste.
D. Sharing results with other providers violates the coordinating services agreement. Answer Explanation The CAE should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). Coordinating activities include (1) simultaneity of the nature, extent, and timing of scheduled work; (2) mutual understanding of methods and vocabulary; (3) the parties' access to each other's programs, workpapers, and communications of results; (4) reliance on others' work to avoid overlap; and (5) meeting to adjust the timing of scheduled work given results to date.
All of the following are true regarding the process and methods of coordinating assurance activities except A. Assurance mapping connects significant risk categories and sources of assurance. B. In the combined assurance model, the internal audit activity coordinates with compliance activities. C. The formality of assurance activity coordination may vary with the size of the entity and any regulatory requirements. D. Sharing results with other providers violates the coordinating services agreement.
C. Periodically flushing sinks and floor drains with a large volume of clean water to ensure pollutants are sufficiently diluted. Answer Explanation Periodic dilution may not always prevent the release of pollutants that exceed the discharge limits. In the pollution prevention hierarchy used in pollution prevention audits, release without treatment is the least desirable option.
All of the following would be part of a factory's control system to prevent release of wastewater that does not meet discharge standards except A. Performing chemical analysis of the water, prior to discharge, for components specified in the permit. B. Specifying (by policy, training, and advisory signs) which substances may be disposed of via sinks and floor drains within the factory. C. Periodically flushing sinks and floor drains with a large volume of clean water to ensure pollutants are sufficiently diluted. D. Establishing a preventive maintenance program for the factory's pretreatment system.
A. Management training costs are reduced when a qualified outsider is hired. Answer Explanation Hiring an experienced manager reduces management training costs because the person has already been trained.
Although all the current members of an internal audit activity have good records of performance, the manager is not sure if any of the members are ready to assume a management role. Which of the following is an advantage of bringing in an outsider rather than promoting from within? A. Management training costs are reduced when a qualified outsider is hired. B. The manager can be sure that the new position will be filled by a competent employee. C. Bringing in an outsider is a less expensive alternative than promoting from within. D. The "modeling" effect is strengthened by bringing in a new role model.
A. Independence and authority are already in place. Answer Explanation The chief audit executive (CAE) evaluates the organizational placement and independence of the environmental audit function to ensure that significant matters resulting from serious risks to the enterprise are reported up the chain of command to the board. The CAE also facilitates the reporting of significant EHS risk and control issues to the board. Thus, an advantage of conducting environmental audits under the direction of the internal audit activity is its position in the organization. The internal audit activity has an established place in the organization and normally has a broad scope of work permitting ready assimilation of the new function. Moreover, the CAE is responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations.
An advantage of conducting environmental audits under the direction of the internal audit activity is that A. Independence and authority are already in place. B. Technical expertise is more readily available. C. The financial aspects are de-emphasized. D. Internal auditing work products are confidential.
D. Only external members of the board of directors or its equivalent. Answer Explanation The audit committee of the board of directors should be composed entirely of outside directors. Outside directors are members of the board who are independent of internal management. Because the primary purpose of the audit committee is to promote the independence of the internal and external auditors from management, an audit committee composed of inside directors would be ineffective.
An audit committee should be designed to enhance the independence of both the internal and external auditing functions and to insulate these functions from undue management pressures. Using this criterion, audit committees should be composed of A. A rotating subcommittee of the board of directors or its equivalent. B. Only members from the relevant outside regulatory agencies. C. Members from all important constituencies, specifically including representatives from banking, labor, regulatory agencies, shareholders, and officers. D. Only external members of the board of directors or its equivalent.
C. Customer satisfaction. Answer Explanation The balanced scorecard approach uses multiple measures of performance to determine whether a manager is achieving certain objectives at the expense of others that may be equally or more important. For example, an improvement in product innovation at the expense of customer satisfaction would be apparent using this approach. The scorecard is a goal congruence tool that informs managers about the nonfinancial factors that top management believes to be important. Measures may be financial or nonfinancial, internal or external, and short term or long term. A typical scorecard includes measures in four categories: (1) financial; (2) customer; (3) internal; and (4) learning, growth, and innovation. Key results in customer satisfaction help predict future sales. The effect of diverting funds from the customer service department can be analyzed by reviewing any changes affecting customer satisfaction on the performance scorecard.
An auditor is conducting a performance audit to provide assurance on an organization's balanced scorecard. The organization's main objective is to increase market share by 7% in the coming year. Management diverted 5% of the operating budget from the customer service department to the research and development department to increase product innovation. Management had predicted that increased product innovation would increase market share. However, market share did not increase substantially in the first quarter. Which measure should the auditor review as a result of the failure to increase market share? A. Product innovation. B. Market share. C. Customer satisfaction. D. Employee development.
C. Review the control reports and ensure that the ESP's external auditor is credible and reliable. Answer Explanation Engagements involving third parties may be necessary when vital controls affecting transactions exist outside the organization. One example is the outsourcing of the organization's information processing function to an ESP. Although the processing is being performed outside the organization, the ESP is an extension of the organization's information systems. As a result, control risk may be higher because an external organization's controls are part of the organization's controls. The added control risk can be mitigated by the issuance of control reports (e.g., Service Organization Control reports). These reports must be reviewed for accuracy by the internal auditor. Additionally, the ESP's external auditor should be evaluated for reliability and credibility to satisfy relying on the report.
An auditor is scheduled to audit payroll controls for an organization that has recently outsourced its information processing to an external service provider (ESP). The ESP's external auditor has issued reports pertaining to the ESP's controls and made it readily available to the internal auditor. What action should the auditor take, considering the outsourcing decision? A. Review only the ESP's external auditor. B. Review only the organization's controls over data sent to and received from the ESP. C. Review the control reports and ensure that the ESP's external auditor is credible and reliable. D. Cancel the engagement because the processing is being performed outside of the organization.
A. Note the control weakness and perform additional procedures to help determine its potential effects. Answer Explanation The most appropriate actions for the auditor are to design field work to detect possible instances of noncompliance and to recommend additional training for the EHS staff.
An internal auditor discovers during an engagement involving the entity's environmental, health, and safety (EHS) department that department personnel are poorly informed about legal issues resulting from discharging waste into municipal water sources. The EHS function is small. Which of the following is the best course of action for the auditor to take? A. Note the control weakness and perform additional procedures to help determine its potential effects. B. Arrange for a training session for the EHS staff with experts in the field of wastewater legal issues. C. Immediately narrow the scope of the engagement to examine wastewater discharge. D. Report possible violations to the relevant regulatory authority.
B. 1 and 3 only. Answer Explanation The purpose of a contract audit is to determine whether the contractor is performing as specified in the contract. Whether the contractor has a fraud hotline is of no concern to the entity and is beyond the scope of a contract audit.
An internal auditor is conducting an audit of a contract to build a new branch office. The auditor should consider whether the 1. Materials used in construction meet specified contractual standards. 2. Contractor has established a fraud hotline. 3. Construction is on schedule. A. 1 and 2 only. B. 1 and 3 only. C. 2 and 3 only. D. 1, 2, and 3.
A. The potential for future liability may outweigh any advantages achieved by obtaining the property. Answer Explanation The internal auditors should conduct a transactional audit prior to the acquisition of property. A current landowner may be held responsible for environmental contamination by previous owners. Thus, a buyer (or lender) can attempt to identify and quantify a problem, determine its extent, and estimate the potential liability and cost of cleanup. This information can then be reflected in the terms of the transaction.
An organization is considering purchasing a commercial property. Because of the location of the property and the known recent history of activities on the property, management has asked the internal audit activity, in cooperation with legal counsel, to provide a preliminary identification of any environmental liability. The strongest reason supporting management's decision to request such an investigation is A. The potential for future liability may outweigh any advantages achieved by obtaining the property. B. Management will be able to pay a lower price for the property if environmental contamination can be identified. C. The current owner would be required by law to clean up all identified contamination before the sale is closed. D. Regulatory agencies require a purchaser to identify and disclose all actual and potential instances of contamination.
C. 1 and 2 only. Answer Explanation As part of the exercise of due care, an organization can take a number of steps to protect itself against individuals who have a tendency to engage in illegal activities. For instance, an organization can screen applicants for employment at all levels for evidence of past wrongdoing, especially wrongdoing within the organization's industry. Furthermore, it may inquire as to past criminal convictions, and professionals may be asked about any history of discipline in front of licensing boards. Care should be taken, however, to ensure that the organization does not infringe upon employees' and applicants' privacy rights under applicable laws. Many jurisdictions have laws limiting the amount of information an organization may obtain in performing background checks on employees.
An organization should use due care not to delegate substantial discretionary authority to individuals the organization knows have a propensity to engage in illegal activities. Which of the following are steps an organization can take to ensure that such individuals are detected? 1. Screening of applicants for employment at all levels for evidence of past wrongdoing, especially past criminal convictions within the company's industry. 2. Asking professionals about any history of discipline in front of licensing boards. 3. Performing background checks without permission on employees' or applicants' credit reports to ensure that they are financially sound and are unlikely to commit theft or fraud. A. 1 only. B. 3 only. C. 1 and 2 only. D. 1, 2, and 3.
B. Divisional managers are likely to maximize the measures in the performance evaluation model. Answer Explanation Effective management control requires performance measurement and feedback. This process affects allocation of resources to organizational subunits. It also affects decisions about managers' compensation, advancement, and future assignments. Furthermore, evaluating their performance serves to motivate managers to optimize the measures in the performance evaluation model. However, that model may be inconsistent with the organization's model for managerial decision making.
An organization's managerial decision-making model for capital budgeting is based on the net present value of discounted cash flows. The same organization's managerial performance evaluation model is based on annual divisional return on investment. Which of the following is true? A. Divisional managers are likely to maximize the measures in the decision-making model. B. Divisional managers are likely to maximize the measures in the performance evaluation model. C. The manager has an incentive to accept a project with a positive net present value that initially has a negative effect on net income. D. The use of models with different criteria promotes goal congruence.
C. After closure is entered into the system, review by the EHS staff member of the original inspection team should be required in order to verify closure. Answer Explanation Someone independent of the operational area that was inspected should evaluate the adequacy and completeness of corrective action. This independent verification minimizes the potential for closure fraud by the operational manager.
As part of a manufacturing company's environmental, health, and safety (EHS) self-inspection program, inspections are conducted by a member of the EHS staff and the operational manager for a given work area or building. If a deficiency cannot be immediately corrected, the EHS staff member enters it into a tracking database that is accessible to all departments via a local area network. The EHS manager uses the database to provide senior management with quarterly activity reports regarding corrective action. During review of the self-inspection program, an auditor notes that the operational manager enters the closure information and affirms that corrective action is complete. What change in the control system would compensate for this potential conflict of interest? A. No additional control is needed because the quarterly report is reviewed by senior management, providing adequate oversight in this situation. B. No additional control is needed because those implementing a corrective action are in the best position to evaluate the adequacy and completion of that action. C. After closure is entered into the system, review by the EHS staff member of the original inspection team should be required in order to verify closure. D. The EHS department secretary should be responsible for entering all information into the tracking system based on memos from the operational manager.
C. 2, 1, 3. Answer Explanation Prior to offering consulting services, the chief audit executive confirms that the board understands and approves the concept of providing consulting services. Once approved, the internal audit charter is amended to include authority and responsibilities for consulting activities. The internal audit activity then develops appropriate policies and procedures for conducting such engagements.
Before internal auditors begin to offer consulting services to an organization, a number of things need to happen within the organization. What is the order in which the following items should be performed? 1. The internal audit charter is amended to include authority and responsibilities for consulting activities. 2. The CAE confirms that the board understands and approves the concept of providing consulting services. 3. The internal audit activity develops appropriate policies and procedures for conducting such engagements. A. 1, 2, 3. B. 2, 3, 1. C. 2, 1, 3. D. 3, 2, 1.
C. $2,156,000 Answer Explanation The formula price is 110% of actual cost, or $2,112,000 ($1,920,000 × 110%), a savings of $88,000 on the $2,200,000 target price. Accordingly, the amount received should be $2,156,000 {$2,112,000 + [($2,200,000 - $2,112,000) × 50%]}.
Briar Co. signed a government construction contract providing for a formula price of actual cost plus 10%. In addition, Briar was to receive one-half of any savings resulting from the formula price's being less than the target price of $2.2 million. Briar's actual costs incurred were $1,920,000. How much should Briar receive from the contract? A. $2,060,000 B. $2,112,000 C. $2,156,000 D. $2,200,000
B. 2 only. Answer Explanation Compliance is "adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements" (The IIA Glossary). Such programs assist organizations in preventing inadvertent employee violations, detecting illegal activities, and discouraging intentional employee violations. They also can help (1) prove insurance claims, (2) determine director and officer liability, (3) create or enhance corporate identity, and (4) decide the appropriateness of punitive damages. However, developing a plan for business continuity management and planning for disaster recovery are operational activities not performed during a compliance program.
Compliance programs most directly assist organizations by doing which of the following? 1. Developing a plan for business continuity management. 2. Determining director and officer liability. 3. Planning for disaster recovery. A. 1 only. B. 2 only. C. 1 and 2 only. D. 1, 2, and 3.
D. All of the answers are correct. Answer Explanation Control self-assessment combines traditional auditing concepts, risk analysis, and self-assessment approaches. All three types of information are used while performing this type of assessment.
Control self-assessment (CSA) is a method for examining and evaluating the organization's system of control, which includes A. Risk analysis. B. Self-assessment approaches. C. Traditional internal auditing concepts. D. All of the answers are correct.
A. Operations are performed efficiently. Answer Explanation The purpose of control processes is to support the organization in the management of risks and the achievement of its established and communicated objectives. The control processes are expected to ensure, among other things, that operations are performed efficiently and achieve established results.
Controls should be designed to ensure that A. Operations are performed efficiently. B. Management's plans have not been circumvented by worker collusion. C. The internal audit activity's guidance and oversight of management's performance is accomplished economically and efficiently. D. Management's planning, organizing, and directing processes are properly evaluated.
A. Organizational objectives will be achieved economically and efficiently. Answer Explanation A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives will be achieved (The IIA Glossary). Thus, control by management is the result of proper planning, organizing, and directing.
Controls should be designed to provide reasonable assurance that A. Organizational objectives will be achieved economically and efficiently. B. Management's plans have not been circumvented by worker collusion. C. The internal audit activity's guidance and oversight of management's performance is accomplished economically and efficiently. D. Management's planning, organizing, and directing processes are properly evaluated.
C. An on-site ombudsperson, backed by a nonretaliation policy. Answer Explanation Although an attorney monitoring the hotline is better able to protect attorney-client and work-product privileges, one study observed that employees have little confidence in hotlines answered by the legal department or by an outside service. The same study showed that employees have even less confidence in write-in reports or an off-site ombudsperson, but have the most confidence in hotlines answered by an in-house representative (or an on-site ombudsperson) and backed by a nonretaliation policy.
Employees have the most confidence in a hotline monitored by which of the following? A. An expert from the legal department, backed by a nonretaliation policy. B. An in-house representative, backed by a retaliation policy. C. An on-site ombudsperson, backed by a nonretaliation policy. D. An off-site attorney who can better protect attorney-client privilege.
D. Discuss the matter with the board and make inquiries as to the nature of the requirements and the board's objectives for the engagement. Answer Explanation Discussing the matter with the board would not be helpful. The members are not likely to know the applicable laws and regulations. The board's oversight activities do not provide specific expertise needed to help the internal auditors understand the applicable laws and regulations.
Fact pattern: A certified internal auditor is the chief audit executive for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding. The internal auditors must determine the applicable laws and regulations. Which of the following procedures is the least effective in learning about the applicable laws and regulations? A. Make inquiries of the city's chief financial officer, legal counsel, or grant administrators. B. Review prior-year working papers and inquire of officials as to changes. C. Review applicable grant agreements. D. Discuss the matter with the board and make inquiries as to the nature of the requirements and the board's objectives for the engagement.
D. No. Internal auditors are not required to fill out internal control questionnaires on every engagement. Answer Explanation The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Perf. Std. 2130). However, internal auditors are not required to fill out standard internal control questionnaires. The information documented in questionnaires may be found in other working papers, such as flowcharts, checklists, and narratives.
Fact pattern: The chief audit executive (CAE) of a mid-sized internal audit activity was concerned that management might outsource the internal auditing function. Thus, the CAE adopted a very aggressive program to promote the internal audit activity within the organization. The CAE planned to present the results to senior management and the board and recommend modification of the internal audit activity's charter after using the new program. The following lists six actions the CAE took to promote a positive image within the organization: 1. Engagement assignments concentrated on efficiency. The engagements focused solely on cost savings, and each engagement communication highlighted potential costs to be saved. Negative observations were omitted. The focus on efficiency was new, but the engagement clients seemed very happy. 2. Drafts of all engagement communications were carefully reviewed with the engagement clients to get their input. Their comments were carefully considered when developing the final engagement communication. 3. The information technology internal auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development. 4. Given limited resources, the engagement manager performed a risk assessment to establish engagement work schedule priorities. This was a marked departure from the previous approach of ensuring that all operations are evaluated on at least a 3-year interval. 5. To save time, the CAE no longer required that a standard internal control questionnaire be completed for each engagement. 6. When the internal auditors found that the engagement client had not developed specific criteria or data to evaluate operations, the internal auditors were instructed to perform research, develop specific criteria, review the criteria with the engagement client, and, if acceptable, use them to evaluate the engagement client's operations. If the engagement client disagreed with the criteria, a negotiation took place until acceptable criteria could be agreed upon. The engagement communication commented on the engagement client's operations in conjunction with the agreed-upon criteria. Is Action 5 inappropriate? A. Yes. Internal control should be evaluated on every engagement, but the internal control questionnaire is not the mandated approach to evaluate the controls. B. No. Internal auditors may omit necessary procedures if there is a time constraint. It is a matter of professional judgment. C. Yes. Internal control should be evaluated on every engagement, and the internal control questionnaire is the most efficient method to do so. D. No. Internal auditors are not required to fill out internal control questionnaires on every engagement.
C. Review for effectiveness of control processes. Answer Explanation Internal auditors are charged with evaluating the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems (Impl. Std. 2130.A1). Effectiveness is present if management directs processes so as to provide reasonable assurance that objectives and goals will be achieved.
Fact pattern: You are an internal auditing supervisor who is reviewing the working papers of a staff internal auditor's overall examination of the firm's sales function. The pages are not numbered or cross-referenced. Furthermore, the working papers were dropped and reassembled at random before they were brought to you. You decide to put the working papers in the proper order according to the Standards. The first stage of this activity is to identify each page as a part of the preliminary survey, the review of the adequacy of control processes, the review for effectiveness of control processes, or the review of results. The first page the supervisor selects documents a test of controls performed during the course of the engagement. This page belongs with which activity? A. Preliminary survey. B. Review for adequacy of control processes. C. Review for effectiveness of control processes. D. Review of results.
B. Notify the parent's auditors of the situation and request that they either provide the working papers or authorize you to do so. Answer Explanation Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors, including access to the external auditors' programs and working papers. Internal auditors are responsible for respecting the confidentiality of those programs and working papers.
Fact pattern: You are the chief audit executive of a parent organization that has foreign subsidiaries. Independent external audits performed for the parent are not conducted by the same firm that conducts the foreign subsidiary audits. Because the internal audit activity occasionally provides direct assistance to both external firms, you have copies of audit programs and selected working papers produced by each firm. The foreign subsidiary's auditors would like to rely on some of the work performed by the parent organization's audit firm, but they need to review the working papers first. They have asked you for copies of the working papers of the parent organization's audit firm. What is the most appropriate response to the foreign subsidiary's auditors? A. Provide copies of the working papers without notifying the parent's audit firm. B. Notify the parent's auditors of the situation and request that they either provide the working papers or authorize you to do so. C. Provide copies of the working papers and notify the parent's audit firm that you have done so. D. Refuse to provide the working papers under any circumstances.
A. Provide copies of the working papers. Answer Explanation Coordination involves access to each other's work programs, working papers, and reports (IG 2050). Access is provided to external auditors for them to be satisfied as to the acceptability, for external audit purposes, of relying on the internal auditors' work.
Fact pattern: You are the chief audit executive of a parent organization that has foreign subsidiaries. Independent external audits performed for the parent are not conducted by the same firm that conducts the foreign subsidiary audits. Because the internal audit activity occasionally provides direct assistance to both external firms, you have copies of audit programs and selected working papers produced by each firm. The foreign subsidiary's external audit firm wants to rely on an audit of a function at the parent organization. The audit was conducted by the internal audit activity. To place reliance on the work performed, the foreign subsidiary's auditors have requested copies of the working papers. What is the most appropriate response to the foreign subsidiary's auditors? A. Provide copies of the working papers. B. Ask the parent's audit firm if it is appropriate to release the working papers. C. Ask the board for permission to release the working papers. D. Refuse to provide the working papers under any circumstances.
A. Consider the work of the other department when assessing the function or process. Answer Explanation The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). This standard applies not only to external auditors but also to other "providers," such as regulatory bodies (e.g., governmental auditors) and certain of the organization's other subunits (e.g., a health and safety department). Review and testing of the other department's work may reduce necessary audit coverage of the function or process.
If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should A. Consider the work of the other department when assessing the function or process. B. Ignore the work of the other department and proceed with an independent audit. C. Reduce the scope of the audit since the work has already been performed by the other department. D. Yield the responsibility for assessing the function or process to the other department.
B. Members of the audit committee. Answer Explanation Resources must be effectively deployed by assigning qualified auditors and developing an appropriate resourcing approach and organizational structure. Additionally, resources need to be sufficient for audit activities to be performed in accordance with the expectations of senior management and the board. Members of the audit committee may not be employees of the organization except in their capacity as a board member. Therefore, an audit committee member should not be included in addressing internal audit resource needs. The CAE may meet these needs through external service providers, specialized consultants, or other employees of the organization.
In addressing internal audit resource needs for a complex engagement, the CAE may include all of the following except A. Other employees of the organization. B. Members of the audit committee. C. Specialized consultants. D. External service providers.
A. Benchmarking. Answer Explanation Benchmarking is a continuous evaluation of the practices of the best organizations in their class and the adaptation of processes to reflect the best of these practices. It is not used in managing internal audit resources. In managing internal audit resources, the CAE considers succession planning, staff evaluation and development, and other human resource disciplines. The CAE also addresses resourcing needs, including whether those skills are present in the internal audit staff.
In managing internal audit resources, the CAE considers all of the following except A. Benchmarking. B. Succession planning. C. Staff evaluation and development. D. Resourcing needs.
D. To achieve both individual and organizational goals. Answer Explanation By being informed and up to date, internal auditors are better prepared to reach their personal goals. In addition, internal audit responsibilities are more readily discharged by auditors having the required knowledge, skills, and other competencies.
In most organizations, the rapidly expanding scope of internal auditing responsibilities requires continual training. What is the main purpose of such a training program? A. To comply with continuing education requirements of professional organizations. B. To use slack periods in engagement scheduling. C. To help individuals to achieve personal career goals. D. To achieve both individual and organizational goals.
A. Organizational objectives. Answer Explanation The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). The approved plan must be consistent with the goals of the organization.
In selecting an instructional strategy for developing internal audit staff, a chief audit executive begins by reviewing A. Organizational objectives. B. Learning content. C. Learners' readiness. D. Budget constraints.
D. 2 only. Answer Explanation An internal auditor is first and foremost an internal auditor. Thus, in the performance of all services, the internal auditor is guided by The IIA's Code of Ethics and the Standards.
Which of the following is the proper way for an internal auditor to resolve conflict? 1. By the guidelines set out in the organization's code of conduct 2. By the guidelines set out in The IIA's Code of Ethics 3. The procedures designated by the CAE A. 1 and 2. B. 3 only. C. 1, 2, and 3. D. 2 only.
D. Follow both The IIA Standards and any additional governmental standards. Answer Explanation Rule of Conduct 4.2 of The IIA Code of Ethics states, "Internal auditors shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing." Furthermore, an internal auditor is legally obligated to adhere to governmental standards when performing governmental grant compliance audits.
In some countries, governmental units have established audit standards. For example, in the United States, the Government Accountability Office has developed standards for the conduct of governmental audits, particularly those that relate to compliance with government grants. In performing governmental grant compliance audits, the auditor should A. Be guided only by the governmental standards. B. Be guided only by The IIA Standards because they are more encompassing. C. Be guided by the more general standards that have been issued by the public accounting profession. D. Follow both The IIA Standards and any additional governmental standards.
B. The chief audit executive should perform a periodic skills assessment. Answer Explanation The skills, technical knowledge, and capabilities of the internal audit staff should be appropriate for the planned work. Thus, the chief audit executive should perform a periodic skills assessment based on the needs identified in the risk assessment and the audit plan.
Internal audit resources should be appropriate, sufficient, and effectively deployed. Consequently, A. Resource planning should be limited to expected activities. B. The chief audit executive should perform a periodic skills assessment. C. Only members of the internal audit staff should perform internal audit activities. D. The chief audit executive ultimately must ensure the adequacy of resources.
B. Determine whether environmental issues are considered as part of economic decisions. Answer Explanation An organization subject to environmental laws and regulations having a significant effect on its operations should establish an environmental management system. One feature of this system is environmental auditing, which includes reviewing the adequacy and effectiveness of the controls over hazardous waste. It also extends to review of the reasonableness of contingent liabilities accrued for environmental remediation.
Internal auditors are increasingly called on to perform audits related to an organization's environmental stewardship. Which of the following does not describe the objectives of a type of environmental audit? A. Determine whether environmental management systems are in place and operating properly to manage future environmental risks. B. Determine whether environmental issues are considered as part of economic decisions. C. Determine whether the organization's current actions are in compliance with existing laws. D. Determine whether the organization is focusing efforts on ensuring that its products are environmentally friendly, and confirm that product and chemical restrictions are met.
C. May prohibit recording personal information in engagement records in some cases. Answer Explanation Accessing, retrieving, reviewing, manipulating, or using personal information in conducting certain engagements may be inappropriate or illegal. If the internal auditor accesses personal information, procedures may be necessary to safeguard this information. For example, the internal auditor may not record personal information in engagement records in some situations.
Internal auditors need to consider protection of personally identifiable information obtained during an audit. Applicable laws most likely A. Do not establish requirements for an organization to implement privacy controls. B. Permit personal information to be used for any purpose if disclosure of a purpose was made at collection. C. May prohibit recording personal information in engagement records in some cases. D. Require personal information to be encrypted when recorded and stored in digital form.
A. Conduct site assessments at all waste-producing facilities. Answer Explanation Site assessment is a procedure, not an objective.
Management is evaluating the need for an environmental audit program. Which one of the following should not be included as an overall program objective? A. Conduct site assessments at all waste-producing facilities. B. Verify organizational compliance with all environmental laws. C. Evaluate waste minimization opportunities. D. Ensure management systems are adequate to minimize future environmental risks.
B. 4, 2, 1, 3, and 5. Answer Explanation The first step in the pollution prevention hierarchy is to determine whether production processes yield materials that can be sold as separate products. The second step is source reduction, for example, by reengineering processes. The third step is recycling and reuse. Step four is conservation of energy. Step five is treatment and disposal. The release of pollutants into the environment is not a viable alternative.
Management is exploring different ways of reducing or preventing pollution in manufacturing operations. The objective of a pollution prevention audit is to identify opportunities to minimize waste and eliminate pollution at the source. In what order should the following opportunities to reduce waste be considered? 1. Recycling and reuse 2. Elimination at the source 3. Energy conservation 4. Recovery as a usable product 5. Treatment A. 5, 2, 4, 1, and 3. B. 4, 2, 1, 3, and 5. C. 1, 3, 4, 2, and 5. D. 3, 4, 2, 5, and 1.
D. The results from the prior financial audits. Answer Explanation When determining resource allocation under time constraints, the auditor must consider all relevant factors. Relevant factors include (1) information about both the ongoing and new engagement; (2) the consequences of not completing either engagement in a timely manner; and (3) the knowledge, skills, and competencies of the internal audit staff. Information about other unrelated engagements, such as prior financial audits, is irrelevant.
Numerous environmental laws and regulations have recently changed. Senior management has asked the chief audit executive to perform an environmental audit to be completed as soon as possible. The internal audit activity currently is performing an operational audit. As a result, the chief audit executive must make difficult decisions about resource allocation. Which of the following is the least significant issue in determining whether to reallocate audit resources? A. The potential fraud discovered during the operational audit. B. Potential cost to the organization for noncompliance with the new environmental laws and regulations. C. The knowledge, skills, and competencies of the internal audit staff. D. The results from the prior financial audits.
A. The cumulative improvement from a company's TQM efforts cannot readily be copied by competitors. Answer Explanation Because TQM affects every aspect of the organization's activities, it permeates the organizational culture. Thus, the cumulative effect of TQM's continuous improvement process can attract and hold customers and cannot be duplicated by competitors.
One of the main reasons total quality management (TQM) can be used as a strategic weapon is that A. The cumulative improvement from a company's TQM efforts cannot readily be copied by competitors. B. Introducing new products can lure customers away from competitors. C. Reduced costs associated with better quality can support higher shareholder dividends. D. TQM provides a comprehensive planning process for a business.
D. Service providers. Answer Explanation EBRs may involve (1) service providers (e.g., for providing internal audit services, processing of payroll, sharing of services, or use of IT services), (2) supply-side partners (e.g., outsourcing of production or R&D), (3) demand-side partners (e.g., licensees or distributors), (4) strategic alliances and joint ventures (e.g., cost-, revenue-, and profit-sharing in media production and development), and (5) intellectual property (IP) partners (e.g., licensing of software).
Organizations have multiple external (extended) business relationships (EBRs). They most likely involve A. Suppliers. B. Major customers. C. Regulators. D. Service providers.
B. All internal audit activities must have a detailed policies and procedures manual. Answer Explanation The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, all internal audit activities are not required to have a detailed policies and procedures manual.
Policies and procedures must be established to guide the internal audit activity. Which of the following statements is false with respect to this requirement? A. The form and content of written policies and procedures depend on the size of the internal audit activity. B. All internal audit activities must have a detailed policies and procedures manual. C. Formal administrative and technical manuals may not be needed by all internal audit activities. D. A small internal audit activity may be managed informally through close supervision and memoranda.
C. Surveillance. Answer Explanation Protection of personal information prevents such negative organizational consequences as legal liability and loss of reputation. The following are various definitions of privacy: (1) personal privacy (physical and psychological), (2) privacy of space (freedom from surveillance), (3) privacy of communication (freedom from monitoring), and (4) privacy of information (collection, use, and disclosure of personal information by others).
Privacy of space is best defined as freedom from A. Invasion of physical privacy. B. Monitoring of communications. C. Surveillance. D. Disclosure of personal information by others.
D. Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities. Answer Explanation The CAE should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting providers to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). The quality audit function is an internal assurance and consulting provider. Thus, whether reporting administratively to the quality audit function or to senior management, the CAE should identify appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities.
Several members of an organization's senior management have questioned whether the internal audit activity should report to the newly established quality audit function as part of the total quality management process within the organization. The chief audit executive (CAE) has reviewed the quality audit standards and the programs that the quality audit manager has proposed. The CAE's response to senior management should include which of the following? A. Changing the applicable standards for internal auditing within the organization to provide compliance with quality audit standards. B. Changing the qualification requirements for new staff members to include quality audit experience. C. Estimating departmental cost savings that would result from the elimination of the internal audit activity. D. Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities.
A. The skills and experience levels of individual auditors. Answer Explanation The program for selecting and developing the human resources of the internal audit activity should provide for written job descriptions for each level of the staff, selection of qualified and competent individuals, training and continuing educational opportunities, performance appraisals at least annually, and counsel on performance and professional development. Obviously, work assignments inconsistent with an internal auditor's abilities will defeat the purposes of human resources development.
Staff members of the internal audit activity should be assigned to engagements and training projects that will enable them to develop their potential. Which of the following should be the most important consideration in making assignments that will allow staff members to develop properly? A. The skills and experience levels of individual auditors. B. Specific training requirements imposed by the Standards. C. The importance of giving all staff members extensive supervisory experience. D. Special interests of individual staff members.
C. Ensuring that organizational objectives align with stakeholders' interests. Answer Explanation Governing body roles include (1) ensuring structures and processes exist for effective governance; (2) ensuring objectives and activities align with stakeholder interests; (3) giving management the responsibility and resources to achieve objectives and compliance with laws, regulations, and ethics; and (4) establishing and overseeing the internal audit function.
The IIA's Three Lines Model states that the roles of an organization's governing body most likely include A. Assisting with risk management. B. Delivering products to clients. C. Ensuring that organizational objectives align with stakeholders' interests. D. Providing assurance and advice that instills confidence and clarity.
C. Following up on recommendations made by the chief audit executive. Answer Explanation Among the audit committee's functions are ensuring that engagement results are given due consideration and overseeing appropriate corrective action for deficiencies noted by the internal audit activity, which includes following up on recommendations by the CAE.
The audit committee strengthens the control processes of an organization by A. Assigning the internal audit activity responsibility for interaction with governmental agencies. B. Using the chief audit executive as a major resource in selecting the external auditors. C. Following up on recommendations made by the chief audit executive. D. Approving internal audit activity policies.
B. Person responsible for the internal audit function. Answer Explanation The CAE is a person in a senior position responsible for effectively managing the internal audit activity (IAA) in accordance with the internal audit charter and the mandatory elements of the IPPF (The IIA Glossary). The CAE must effectively manage the IAA to ensure it adds value to the organization (Inter. Std. 2000).
The chief audit executive (CAE) is best defined as the A. Inspector general. B. Person responsible for the internal audit function. C. Outside provider of internal audit services. D. Person responsible for overseeing the contract with the outside provider of internal audit services.
A. Select key procedures from the manual and use informal supervisory direction for other engagement Answer Explanation Orientation to acquaint the acquired organization's staff with the established environment should be through exposure to selected key procedures from the formal manual. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, a small internal audit activity may be managed informally, for example, through daily close supervision and written memoranda.
The chief audit executive for a large decentralized organization has developed a manual containing comprehensive detailed written procedures as a guide for the decentralized engagement work groups, each of which has 20 to 30 internal auditors. The organization recently acquired a small organization that has an internal audit activity consisting of a supervisor and two staff personnel. Which of the following actions is the most practical in providing administrative guidance for this new internal audit activity? A. Select key procedures from the manual and use informal supervisory direction for other engagement management issues. B. Use informal supervisory direction for engagement management issues. C. Use the already developed manual. D. Adopt the administrative procedures being followed by the internal auditors of the acquired organization.
A. Communicating to senior management and the board an annual judgment about internal control. Answer Explanation The CAE's report on the organization's control processes is normally presented once a year to senior management and the board.
The chief audit executive's (CAE) responsibility for assessing and reporting on control processes includes A. Communicating to senior management and the board an annual judgment about internal control. B. Overseeing the establishment of internal control processes. C. Maintaining the organization's governance processes. D. Arriving at a single assessment based solely on the work of the internal audit activity.
A. 1 only. Answer Explanation According to The IIA, an element of CSA is the gathering of a group of people into a same-time/same-place meeting, typically involving a facilitation seating arrangement (U-shaped table) and a meeting facilitator. The participants are 'process owners', i.e., management and staff who are involved with the particular issues under examination, who know them best, and who are critical to the implementation of appropriate process controls.
The element(s) of a control self-assessment (CSA) performed using one of the facilitated team workshop approaches include(s) 1. Treating participating employees as process owners. 2. Taking a simple yes/no survey of employees regarding risks and controls. 3. Interviewing employees separately in the field. A. 1 only. B. 2 only. C. 2 and 3. D. 1, 2, and 3.
C. Trends and emerging issues are considered. Answer Explanation The IAA is effectively managed when (1) it achieves the purpose and responsibility included in the internal audit charter, (2) it conforms with the Standards, (3) its individual members conform with the Code of Ethics and the Standards, and (4) it considers trends and emerging issues that could affect the organization (Inter. Std. 2000).
The internal audit activity (IAA) is effectively managed when A. Senior management creates its operating budget. B. The organization's human resources department hires the IAA's associates. C. Trends and emerging issues are considered. D. The board establishes policies and procedures for the IAA.
C. Eliminating consulting engagements from the engagement work schedule. Answer Explanation The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). The audit schedule is reduced as a last resort once all other alternatives have been explored, including the request for additional resources.
The internal audit activity has recently experienced the departure of two internal auditors who cannot be immediately replaced due to budget constraints. Which of the following is the least desirable option for efficiently completing future engagements, given this reduction in resources? A. Using self-assessment questionnaires to address audit objectives. B. Employing information technology in audit planning, sampling, and documentation. C. Eliminating consulting engagements from the engagement work schedule. D. Filling vacancies with personnel from operating departments that are not being audited.
C. Periodically assessing information security practices. Answer Explanation Internal auditors should periodically assess the organization's information security practices and recommend, as appropriate, enhancements to, or implementation of, new controls and safeguards. Following an assessment, an assurance report should be provided to the board. Such assessments can either be conducted as separate stand-alone engagements or as multiple engagements integrated into other audits or engagements conducted as part of the approved audit plan.
The internal auditors' ultimate responsibility for information security includes A. Identifying technical aspects, risks, processes, and transactions to be examined. B. Determining the scope and degree of testing to achieve engagement objectives. C. Periodically assessing information security practices. D. Documenting engagement procedures.
C. A well-developed set of selection criteria. Answer Explanation Internal auditors should be qualified and competent. Because the selection of a superior staff is dependent on the ability to evaluate applicants, selection criteria must be well-developed. Appropriate questions and forms should be prepared in advance to evaluate, among other things, the applicant's technical qualifications, educational background, personal appearance, ability to communicate, maturity, persuasiveness, self-confidence, intelligence, motivation, and potential to contribute to the organization.
The key factor in the success of an internal audit activity's human resources program is A. An informal program for developing and counseling staff. B. A compensation plan based on years of experience. C. A well-developed set of selection criteria. D. A program for recognizing the special interests of individual staff members.
D. Start with the financial statements of the client entity and work backward to the basic processes involved in producing them. Answer Explanation A financial engagement starts with financial statements to determine whether financial information was properly recorded and adequately supported. It also assesses whether the financial statement assertions about past performance are fair, accurate, and reliable.
The primary difference between operational engagements and financial engagements is that, in the latter, the internal auditors A. Are not concerned with whether the client entity is generating information in compliance with financial accounting standards. B. Are seeking to help management use resources in the most effective manner possible. C. Can use analytical skills and tools that are not necessary in financial engagements. D. Start with the financial statements of the client entity and work backward to the basic processes involved in producing them.
C. Management. Answer Explanation Internal auditors determine whether senior management and the board have a clear understanding that information reliability and integrity is a management responsibility. Information reliability and integrity includes accuracy, completeness, and security.
The reliability and integrity of all critical information of an organization, regardless of the media in which the information is stored, is the responsibility of A. Shareholders. B. IT department. C. Management. D. All employees.
B. Multiple financial and nonfinancial measures. Answer Explanation The trend in managerial performance evaluation is the balanced scorecard approach. Multiple measures of performance permit a determination as to whether a manager is achieving certain objectives at the expense of others that may be equally or more important. These measures may be financial or nonfinancial and usually include items with four perspectives: (1) financial; (2) customer satisfaction; (3) internal business processes; and (4) learning and growth.
Using a balanced scorecard, an organization evaluates managerial performance based on A. A single ultimate measure of operating results, such as residual income. B. Multiple financial and nonfinancial measures. C. Multiple nonfinancial measures only. D. Multiple financial measures only.
A. Governance. Answer Explanation Governance is the "combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives" (The IIA Glossary).
What is the most accurate term for the procedures used by the board to oversee activities performed to achieve organizational objectives? A. Governance. B. Control. C. Risk management. D. Monitoring.
A. Meet with the regulator before and after the inspection to provide relevant information or receive advice on necessary compliance. Answer Explanation The internal audit activity must evaluate, among other things, operational risk exposures and related controls regarding compliance with laws and regulations (Impl. Stds. 2120.A1 and 2130.A1). Thus, the CAE has an interest in gathering information for compliance audits and in determining whether the organizational response has been appropriate. Moreover, cooperation is part of an appropriate response.The CAE should not attempt to mislead or influence the regulator in any way. To make the process easier for all parties involved, however, the CAE may provide any relevant information before the inspection. Afterward, the CAE may confer with the regulator to discuss compliance issues.
What is the role of a chief audit executive (CAE) with regard to an inspection by a regulator? A. Meet with the regulator before and after the inspection to provide relevant information or receive advice on necessary compliance. B. Meet with the regulator after the inspection to dispute any negative findings about compliance. C. Tour the facility with the regulator to ensure that no problems are uncovered. D. Meet with specific managers to protect proprietary information.
A. When management has planned and designed them to provide reasonable assurance of achieving the organization's objectives efficiently and economically. Answer Explanation Governance, risk management, and control processes are adequate if management has planned and designed the processes to provide reasonable assurance of achieving the organization's objectives efficiently and economically. Reasonable assurance is provided if the most cost-effective measures are taken in the design and implementation of controls to reduce risks and restrict expected deviations to a tolerable level. Efficient performance accomplishes objectives in an accurate, timely, and economical fashion while economical performance accomplishes objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.
When are governance, risk management, and control processes considered adequate? A. When management has planned and designed them to provide reasonable assurance of achieving the organization's objectives efficiently and economically. B. When management has planned and designed them to provide absolute assurance of achieving the organization's objectives efficiently and economically. C. When the internal audit activity has planned and designed them to provide reasonable assurance of achieving the organization's objectives efficiently and economically. D. When the company is profitable.
D. 1, 2, and 3. Answer Explanation Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors. Moreover, the external auditor may rely on the work of the internal audit activity in performing their work. In this case, the CAE needs to provide sufficient information to enable external auditors to understand the internal auditor's techniques, methods, and terminology to facilitate reliance by external auditors on work performed.
Which of the following are responsibilities of the chief audit executive (CAE)? 1. Coordinating activities with other providers of assurance and consulting services. 2. Understanding the work of external auditors. 3. Providing sufficient information to the external auditors to permit them to understand the internal auditors' work. A. 1 and 2 only. B. 2 and 3 only. C. 1 and 3 only. D. 1, 2, and 3.
B. Assess the risk of misrepresentation. Answer Explanation The internal auditor's initial responsibility when discovering errors is to assess the risk of misrepresentation. Only errors having a material effect on the financial statements must be reported to the client and audit committee.
Which of the following best describes an internal auditor's initial responsibility regarding errors uncovered during a financial statement audit? A. Report the material errors. B. Assess the risk of misrepresentation. C. Discuss the situation with the engagement client. D. Inform the audit committee.
D. All customer inquiries should be answered within 7 days of receipt. Answer Explanation A criterion that requires all customer inquiries to be answered within 7 days of receipt permits accurate measurement of performance. The quantitative and specific nature of the appraisal using this standard avoids the vagueness, subjectivity, and personal bias that may afflict other forms of personnel evaluations.
Which of the following criteria would be most useful to a sales department manager in evaluating the performance of the manager's customer-service group? A. The customer is always right. B. Customer complaints should be processed promptly. C. Employees should maintain a positive attitude when dealing with customers. D. All customer inquiries should be answered within 7 days of receipt.
A. Oversight of the work of external auditors is the responsibility of the chief audit executive. Answer Explanation Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the CAE (Perf. Std. 2050).
Which of the following is a false statement about the relationship between internal auditors and external auditors? A. Oversight of the work of external auditors is the responsibility of the chief audit executive. B. Sufficient meetings are scheduled between internal and external auditors to ensure timely and efficient completion of the work. C. Internal and external auditors may exchange engagement communications and management letters. D. Internal auditors may provide engagement work programs and working papers to external auditors.
B. Focusing intensely on the customer. Answer Explanation TQM emphasizes satisfaction of customers, both internal and external. TQM considers the supplier's relationship with the customer, identifies customer needs, and recognizes that everyone in a process is at some time a customer or supplier of someone else, either inside or outside of the organization.
Which of the following is a key to successful total quality management (TQM)? A. Training quality inspectors. B. Focusing intensely on the customer. C. Creating appropriate hierarchies to increase efficiency. D. Establishing a well-defined quality standard, then focusing on meeting it.
D. The ethics questionnaire. Answer Explanation An effective tool for uncovering unethical or illegal activity is the ethics questionnaire. Each employee of the organization should receive a questionnaire that asks whether the employee is aware of kickbacks, bribes, or other wrongdoing.
Which of the following is an effective tool for uncovering unethical or illegal activity in an organization? A. The screening of applicants. B. The ethics interview. C. The background check. D. The ethics questionnaire.
D. Policies and procedures. Answer Explanation The chief audit executive must establish policies and procedures to guide the internal audit activity (Perf. Std. 2040).
Which of the following is most essential for guiding the internal audit staff? A. Quality program assessments. B. Position descriptions. C. Performance appraisals. D. Policies and procedures.
D. The organization's vice president of operations. Answer Explanation The audit committee consists of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. The organization's vice president is not an outside director. The vice president of the local bank used by the organization, an academic specializing in business administration, and a retired executive of a firm that had been associated with the organization are all external parties who are usually independent of the organization's internal operations.
Which of the following is not an appropriate member of an audit committee? A. The vice president of the local bank used by the organization. B. An academic specializing in business administration. C. A retired executive of a firm that had been associated with the organization. D. The organization's vice president of operations.
A. Perform walkthroughs of all processes that contain identified environmental risks. Answer Explanation Performing a walkthrough is a procedure, not an objective.
Which of the following is not an objective of an environmental audit program? A. Perform walkthroughs of all processes that contain identified environmental risks. B. Verify organizational compliance with all environmental laws. C. Review the reasonableness and likelihood of contingent liabilities accrued for environmental remediation. D. Ensure management systems are adequate to minimize future environmental risks.
A. Establishing a privacy framework. Answer Explanation The board is ultimately accountable for ensuring that the principal risks of the organization have been identified, and the appropriate control processes have been implemented to mitigate those risks. This includes establishing the necessary privacy framework for the organization and monitoring its implementation.
Which of the following is part of the board's role in protecting against privacy threats? A. Establishing a privacy framework. B. Identifying the information gathered by the organization that is deemed personal or private. C. Identifying the methods used to collect information. D. Determining whether the use of the information collected is in accordance with its intended use and the laws.
C. The CAE should evaluate whether the environmental auditors are conforming to recognized professional auditing standards and a recognized code of ethics. Answer Explanation This is a proper interaction between the environmental audit function and the internal audit function.
Which of the following is true about the interaction of the internal audit function and the environmental audit function? A. If the environmental audit function reports to someone other than the CAE, the CAE should not offer to review the audit plan since (s)he was not consulted to do so. B. It is not advantageous for the internal audit function to conduct environmental audits since it is too busy with its current responsibilities. C. The CAE should evaluate whether the environmental auditors are conforming to recognized professional auditing standards and a recognized code of ethics. D. The CAE should not evaluate the organizational placement and independence of the environmental audit function since the internal function has no control over a separate environmental audit function.
C. Both the assurance and consulting activities add value to the organization. Answer Explanation Both the assurance and consulting activities add value to the organization.
Which of the following is true about the principle of value proposition to an organization? A. The internal audit function does not add value to an organization. B. Only the consulting activities of the internal audit function provide value. C. Both the assurance and consulting activities add value to the organization. D. Only the assurance activities of the internal audit function add value to the organization.
C. 1, 2, and 3. Answer Explanation Internal auditing is an organizationally independent and individually objective assurance and consulting activity that adds value and improves operations. It evaluates and contributes to the improvement of the organization's governance, risk management, and control processes. When performing the assurance function, internal auditing evaluates the adequacy and effectiveness of controls. For example, it evaluates the effectiveness and efficiency of operations and programs.
Which of the following potentially is (are) subject to the internal auditors' evaluations? 1. The human resources function. 2. The purchasing process. 3. The manufacturing and production database system. A. 1 only. B. 2 only. C. 1, 2, and 3. D. None of the answers are correct.
A. Term: Privacy of space Example: Freedom from surveillance Answer Explanation Risks associated with the privacy of information encompass personal privacy (physical and psychological), privacy of space (freedom from surveillance), privacy of communication (freedom from monitoring), and privacy of information (collection, use, and disclosure of personal information by others).
Which of the following privacy terms is matched with an accurate example of the term? A. Term: Privacy of space Example: Freedom from surveillance B. Term: Privacy of information Example: Freedom from monitoring C. Term: Personal privacy Example: Freedom from monitoring D. Term: Privacy of communication Example: Freedom from surveillance
B. Review procedures for selection of routes and carriers. Answer Explanation An operational engagement examines the premises and policies for day-to-day activities, as well as the transaction flow that is the concern of the evaluation of controls. Selection of routes and carriers is the chief function of the department, and poor practice may lead to materially excessive shipping costs or serious delays. Hence, an internal auditor conducting an operational engagement should review the procedures for selection of routes and carriers.
Which of the following procedures is the most valuable in an engagement involving the traffic department operations of a large manufacturer? A. Obtain written confirmation from the regulatory agencies that all carriers used are properly licensed and bonded. B. Review procedures for selection of routes and carriers. C. Trace selected items from the weekly demurrage (car detention charge) report to supporting documentation. D. Verify that all bills of lading are prenumbered.
A. CSA is usually an informal and undocumented process. Answer Explanation A methodology encompassing self-assessment surveys and facilitated workshops called CSA is a useful and efficient approach for managers and internal auditors to collaborate in assessing and evaluating control procedures. The process is a formal and documented way of allowing participation by those who are directly involved in the business unit, function, or process.
Which of the following statements about control self-assessment (CSA) is false? A. CSA is usually an informal and undocumented process. B. In its purest form, CSA integrates business objectives and risks with control processes. C. CSA is also known as control/risk self-assessment. D. Most implemented CSA programs share some key features and goals.
C. The CAE is responsible for the effective deployment of resources to achieve the approved audit plan. Answer Explanation The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved audit plan. This responsibility includes the effective communication of resource needs and reporting of status to senior management and the board.
Which of the following statements about the chief audit executive's responsibilities for internal audit resources is most accurate? A. The CAE is responsible for ensuring that audit coverage is based on the skills of the internal audit activity. B. The CAE is responsible for presenting a detailed summary of audit resources to management. C. The CAE is responsible for the effective deployment of resources to achieve the approved audit plan. D. The CAE is responsible for administering the organization's compensation program.
A. Internal auditors should determine that senior management and the board, audit committee, or other governing body have a clear understanding that information reliability and integrity is the responsibility of the internal audit activity. Answer Explanation Internal auditors determine whether senior management and the board have a clear understanding that information reliability and integrity is a management responsibility. This responsibility includes all critical information of the organization, regardless of how the information is stored.
Which of the following statements is false with respect to information security? A. Internal auditors should determine that senior management and the board, audit committee, or other governing body have a clear understanding that information reliability and integrity is the responsibility of the internal audit activity. B. The chief audit executive should determine that the internal audit activity possesses, or has access to, competent auditing resources to evaluate information security and associated risk exposures. C. Internal auditors should periodically assess the organization's information security practices and recommend, as appropriate, enhancements to, or implementation of, new controls and safeguards. D. Internal auditors should assess the effectiveness of preventive, detective, and mitigative measures against past attacks, as deemed appropriate, and future attempts or incidents deemed likely to occur.
C. The chief audit executive should determine that appropriate follow-up and corrective action was taken by management when required regarding matters discussed in the external auditor's management letter. Answer Explanation Internal auditors need access to the external auditors' presentation materials and management letters. Matters discussed in presentation materials and included in management letters need to be understood by the CAE and used as input to internal auditors in planning the areas to emphasize in future internal audit work. After review of management letters and initiation of any needed corrective action by appropriate members of senior management and the board, the CAE should ensure that appropriate follow-up and corrective actions have been taken.
Which of the following statements is true regarding coordination of internal and external auditing efforts? A. The chief audit executive should not give information about illegal acts to an external auditor because external auditors may be required to report the matter to the board or regulatory agencies. B. Ownership and the confidentiality of the external auditor's working papers prohibit their review by internal auditors. C. The chief audit executive should determine that appropriate follow-up and corrective action was taken by management when required regarding matters discussed in the external auditor's management letter. D. If internal auditors provide assistance to the external auditors in connection with the annual audit, such assistance is not subject to the Standards.
D. The CAE is responsible for communicating resource needs to the board but has no explicit responsibility for administering the organization's compensation program. Answer Explanation The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. This includes the effective communication of resource needs and reporting of status to senior management and the board. Responsibility for administering the organization's compensation program normally resides in the human resources (personnel) area.
Which of the following statements most accurately reflects the chief audit executive's responsibilities for internal audit resources? A. The CAE is responsible for ensuring that audit coverage is based on the periodic skills assessment. B. The CAE is responsible for evaluating the detailed summary of audit resources presented by management to the board. C. The CAE is not responsible for such human resource functions as evaluation and development. D. The CAE is responsible for communicating resource needs to the board but has no explicit responsibility for administering the organization's compensation program.
C. The external auditor's work is overseen and reviewed by the audit committee. Answer Explanation The most important function of the audit committee is to promote the independence of the internal and external auditors by protecting them from management's influence. The audit committee (1) selects the external auditing firm and negotiates its fee, (2) oversees and reviews the work of the external auditor, (3) resolves disputes between the external auditor and management, and (4) reviews the external auditor's internal control and audit reports.
Which of the following statements regarding the external auditor is true? A. Disputes between the external auditor and management are resolved through an arbitrator. B. Review of the external auditor's internal control and audit reports during each engagement is done by a different accounting firm. C. The external auditor's work is overseen and reviewed by the audit committee. D. Negotiation of the external auditor's fee is the responsibility of the corporate officers.
D. A focus on technological breakthroughs. Answer Explanation The core principles of total quality management (TQM) are emphasis on the customer, continuous improvement, and engaging every employee in the pursuit of total quality.
Which one of the following is not a core principle of total quality management (TQM)? A. A focus on customers and stakeholders. B. Participation and teamwork by everyone in the organization. C. A process focus supported by continuous improvement and learning. D. A focus on technological breakthroughs.
B. Process engagement. Answer Explanation Process engagements tend to be challenging because of their scope and the need to deal with subunits that may have conflicting objectives.
Which type of engagement focuses on operations and how effectively and efficiently the organizational units affected will cooperate? A. Program-results engagement. B. Process engagement. C. Privacy engagement. D. Compliance engagement.
D. Risk-based format. Answer Explanation A risk-based format focuses on listing the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and, then, examining the control procedures to determine if they are sufficient to manage the key risks. The aim of the workshop is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls formula.
Which type of facilitated approach format begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective? A. Objective-based format. B. Control-based format. C. Process-based format. D. Risk-based format.