ACC-590 MC Ch. 4-6 & 10-14
In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have: a. A key link. b. A secondary link. c. An indirect link. d. No link at all.
b. A secondary link.
An internal auditor selects a sample of sales invoices and matches them to shipping documents. This procedure most directly addresses which of the following assertions? a. All shipments to customers are recorded as receivables. b. All billed sales are for goods shipped to customers. c. All recorded receivables represent goods shipped to customers. d. All shipments to customers are billed.
b. All billed sales are for goods shipped to customers.
Which of the following controls is not likely to be an entity-level control? a. All employees must receive ongoing training to ensure they maintain their competence. b. All cash disbursement transactions must be approved before they are paid. c. All employees must comply with the Code of Ethics and Business Conduct. d. An organizationwide risk assessment is conducted annually.
b. All cash disbursement transactions must be approved before they are paid.
Which of the following symbols in a process map will most likely contain a question? a. Rectangle. b. Diamond. c. Arrow. d. Oval.
b. Diamond.
Which of the following controls is likely to be least relevant when evaluating the design adequacy of a cash collections process? a. Calculating the amount of cash received. b. Documenting the rationale for selecting the bank account into which the deposit will be made. c. Matching the total deposits to the amounts credited to customers' accounts receivable balances. d. Segregating the preparation of deposit slips from the adjustment of customer account balances.
b. Documenting the rationale for selecting the bank account into which the deposit will be made.
Ch. 13 Which of the following is not likely to be an assurance engagement objective? a. Evaluate the design adequacy of the payroll input process. b. Guarantee the accuracy of recorded inventory balances. c. Assess compliance with health and safety laws and regulations. d. Determine the operating effectiveness of fixed asset controls.
b. Guarantee the accuracy of recorded inventory balances.
Ch. 12 The tasks performed during an internal audit assurance engagement should address the following questions: I. What are the reasons for the results? II. How can performance be improved? III. What results are being achieved? The chronological order in which these questions should be addressed is: a. III, I, II. b. I, III, II. c. III, II, I. d. II, III, I.
a. III, I, II.
After business risks have been identified, they should be assessed in terms of their inherent: a. Impact and likelihood. b. Likelihood and probability. c. Significance and severity. d. Significance and control effectiveness.
a. Impact and likelihood.
If all other factors specified in a PPS sampling plan remain constant, changing the specified tolerable misstatement from $200,000 to $100,000 and changing the specified risk of incorrect acceptance from 10 percent to 5 percent would cause the required sample size to: a. Increase. b. Decrease. c. Remain the same. d. Change by 5 percent.
a. Increase.
If all other factors specified in an attribute sampling plan remain constant, changing the expected population deviation rate from 1 percent to 2 percent and changing the tolerable deviation rate from 7 percent to 6 percent would cause the required sample size to: a. Increase. b. Decrease. c. Remain the same. d. Change by 2 percent.
a. Increase.
If an internal auditor's evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to: a. Test the operating effectiveness of the controls. b. Prepare a flowchart depicting the system of internal controls. c. Conclude that residual risk is low. d. Conclude that control risk is high.
a. Test the operating effectiveness of the controls.
Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that: a. The individual who initiates wire transfers does not reconcile the bank statement. b. The branch manager must receive all wire transfers. c. Foreign currency rates must be computed separately by two different employees. d. Corporate management approves the hiring of employees in this department.
a. The individual who initiates wire transfers does not reconcile the bank statement.
Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make? a. "I consider the level of risk involved when deciding the kind of evidence I will gather." b. "I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence." c. "I evaluate both the usefulness of the evidence I can obtain and the cost to obtain it." d. "I am seldom absolutely certain about the conclusions I reach based on the evidence I examine."
b. "I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence."
Which of the following statements does not illustrate the concept of inherent business risk? a. Cash is more susceptible to theft than an inventory of sheet metal. b. A broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter. c. Transactions involving complex calculations are more likely to be misstated than transactions involving simple calculations. d. Technological developments might make a particular product obsolete.
b. A broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter.
COSO's Internal Control Framework consists of five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)? I. The organization demonstrates a commitment to integrity and ethical values. II. Monitoring activities. III. A level of assurance that is supported by generally accepted auditing procedures and judgments. IV. A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices. V. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. a. II only. b. I and V only. c. II and IV only. d. I, II, III, IV, and V.
b. I and V only.
Which of the following is true? a. Continuous monitoring is the CAE's responsibility. b. If a control breakdown is identified through continuous auditing, it should be reported to management on a timely basis. c. Data analytic technologies cannot be used for substantive testing. d. Continuous auditing routines developed by internal auditors should not be shared with management.
b. If a control breakdown is identified through continuous auditing, it should be reported to management on a timely basis.
A major upgrade to an important information system would most likely represent a high: a. External risk factor. b. Internal risk factor. c. Other risk factor. d. Likelihood of future systems problems.
b. Internal risk factor.
Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to: a. Determine the ability of the activities to produce reliable information. b. Obtain the understanding necessary to test the process. c. Document that the process meets internal audit standards. d. Determine whether the process meets established management objectives.
b. Obtain the understanding necessary to test the process.
When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks.
b. Provide assurance on the management of the risk.
Which of the following represents the most competent evidence that trade receivables actually exist? a. Positive confirmations. b. Sales invoices. c. Receiving reports. d. Bills of lading.
b. Sales invoices.
Which of the following is not an example of a risk-sharing strategy? a. Outsourcing a noncore, high-risk area. b. Selling a nonstrategic business unit. c. Hedging against interest rate fluctuations. d. Buying an insurance policy to protect against adverse weather.
b. Selling a nonstrategic business unit.
An adequate system of internal controls is most likely to detect an irregularity perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.
b. Single employee.
An effective system of internal controls is most likely to detect a fraud perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.
b. Single employee.
An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement? a. The area being audited involves the processing of a high volume of transactions. b. Certain components of the process are outsourced. c. A new system was implemented during the year, which changed how the transactions are processed. d. The total dollars processed in this area are material.
c. A new system was implemented during the year, which changed how the transactions are processed.
Which of the following circumstances would concern the internal auditor the most? a. A risk in the lower left corner of quadrant I. b. A risk in the lower right corner of quadrant II. c. A risk in the upper left corner of quadrant III. d. A risk in the upper right corner of quadrant IV.
c. A risk in the upper left corner of quadrant III.
A performance audit engagement typically involves: a. Review of financial statement information, including the appropriateness of various accounting treatments. b. Tests of compliance with policies, procedures, laws, and regulations. c. Appraisal of the environment and comparison against established criteria. d. Evaluation of organizational and departmental structures, including assessment of process flows.
c. Appraisal of the environment and comparison against established criteria.
Internal audit engagement teams prepare working papers primarily for the benefit of the: a. Auditee. b. Internal audit function. c. Board and senior management. d. Independent outside auditor.
c. Board and senior management.
Which of the following is an appropriate conclusion that can be drawn when the internal auditor identifies an observation from testing controls? a. The process objectives cannot be achieved. b. The area may be vulnerable to fraud. c. Certain risks are not effectively mitigated. d. Overall, the process is not operating effectively.
c. Certain risks are not effectively mitigated.
Which of the following is not typically a barrier to internal auditors using data analytics in achieving the engagement objective? a. Knowing what data exists and where to find it. b. Poorly defining the scope of the intended use of data analytics. c. Data analytic software is limited by the number of records it can process. d. The effort required to cleanse and prepare data for import to the data analytic tool.
c. Data analytic software is limited by the number of records it can process.
Which of the following auditee-prepared documents will likely be of greatest assistance to the internal auditors in their assessment of process design adequacy? a. Policies and procedures manual. b. Organization charts and job descriptions. c. Detailed flowcharts depicting the flow of the process. d. Narrative memoranda listing key tasks for portions of the process.
c. Detailed flowcharts depicting the flow of the process.
Which of the following risk management activities is out of sequence in terms of timing? a. Identify, assess, and prioritize risks. b. Develop risk responses/treatments. c. Determine key organizational objectives. d. Monitor the effectiveness of risk responses/treatments.
c. Determine key organizational objectives.
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? a. Determine whether policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may invest. b. Determine the extent of management oversight over investments in sophisticated instruments. c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations. d. Determine the nature of monitoring activities related to the investment portfolio.
c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations.
When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should: a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner. b. Resign his or her position in the organization. c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee. d. Accept senior management's position because it establishes the risk appetite for the organization.
c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee.
Reasonable assurance, as it pertains to internal control, means that: a. The objectives of internal control vary depending on the method of data processing used. b. A well-designed system of internal controls will prevent or detect all errors and fraud. c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. d. Management cannot override controls, and employees cannot circumvent controls through collusion.
c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved.
Your audit objective is to determine that purchases of office supplies have been properly authorized. If purchases of office supplies are made through the purchasing department, which of the following procedures is most appropriate? a. Vouch purchase orders to approved purchase requisitions. b. Trace approved purchase requisitions to purchase orders. c. Inspect purchase requisitions for proper approval. d. Vouch receiving reports to approved purchase orders.
c. Inspect purchase requisitions for proper approval.
Enterprise risk management: a. Guarantees achievement of business objectives. b. Requires establishment of risk and control activities by internal auditors. c. Involves the identification of events with negative impacts on business objectives. d. Includes selection of best risk response for the organization.
c. Involves the identification of events with negative impacts on business objectives.
How does a control manage a specific risk? a. It reduces the likelihood of the event giving rise to the risk. b. It reduces the impact of the event giving rise to the risk. c. It reduces either likelihood or impact or both. d. It prevents the occurrence of the event.
c. It reduces either likelihood or impact or both.
The control that would most likely ensure that payroll checks are written only for authorized amounts is to: a. Conduct periodic floor verification of employees on the payroll. b. Require the return of undelivered checks to the cashier. c. Require supervisory approval of employee time cards. d. Periodically witness the distribution of payroll checks.
c. Require supervisory approval of employee time cards.
What is residual risk? a. Impact of risk. b. Risk that is under control. c. Risk that is not managed. d. Underlying risk in the environment.
c. Risk that is not managed.
Who has primary responsibility for the monitoring component of internal control? a. The organization's independent outside auditor. b. The organization's internal audit function. c. The organization's management. d. The organization's board of directors.
c. The organization's management.
The achieved upper deviation limit is 7 percent and the risk of assessing control risk too low is 5 percent. How should the internal auditor interpret this attribute sampling outcome? a. There is a 7 percent chance that the deviation rate in the population is less than or equal to 5 percent. b. There is a 5 percent chance that the deviation rate in the population is less than 7 percent. c. There is a 5 percent chance that the deviation rate in the population exceeds 7 percent. d. There is a 95 percent chance that the deviation rate in the population equals 7 percent.
c. There is a 5 percent chance that the deviation rate in the population exceeds 7 percent.
Ch. 6 Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. b. To ensure that weaknesses in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically. d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.
c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically.
An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website? a. Appropriateness of the information. b. Timeliness of the information. c. Accessibility of the information. d. Accuracy and reliability of the information.
d. Accuracy and reliability of the information.
If an internal auditor identifies an exception while testing, which of the following may be appropriate? a. Test additional items to determine whether the exception is an isolated occurrence or indicative of a control deficiency. b. Gain an understanding of the root cause, that is, the reason the exception occurred. c. Draft an observation for the audit report. d. All of the above.
d. All of the above.
Ch. 11 In which phase(s) of the internal audit engagement can data analytics be used? I. Planning the individual engagement. II. Testing effectiveness and efficiency of controls. III. Assessing risk to determine which areas of the organization to audit. a. I only. b. II only. c. I and III only. d. I, II, and III.
d. I, II, and III.
For which of the following would an internal auditor most likely use attribute sampling? a. Determining whether the year-end inventory balance is overstated. b. Selecting fixed asset additions to inspect. c. Choosing inventory items to test count. d. Inspecting employee time cards for proper approval.
d. Inspecting employee time cards for proper approval.
Who is responsible for implementing ERM? a. The chief financial officer. b. The chief audit executive. c. The chief compliance officer. d. Management throughout the organization.
d. Management throughout the organization.
Which of the following is true regarding business process outsourcing? a. Outsourcing a core, high-risk business process reduces the overall operational risk. b. Outsourced processes should not be included in the internal audit universe. c. The independent outside auditor is required to review all significant outsourced business processes. d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.
d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.
The function of the chief risk officer is most effective when he or she: a. Manages risk as a member of senior management. b. Shares the management of risk with line management. c. Shares the management of risk with the CAE. d. Monitors risk as part of the ERM team.
d. Monitors risk as part of the ERM team.
Analytical procedures can be applied during which phase(s) of an assurance engagement? a. Plan phase. b. Perform phase. c. Communicate phase. d. Plan and perform phases.
d. Plan and perform phases.
Ch. 5 In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization? a. Advertising budget. b. Production scheduling. c. Inventory policy. d. Product quality.
d. Product quality.
A company has recently outsourced its payroll process to a third-party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision? a. Cancel the engagement, because the processing is being performed outside the organization. b. Review only the controls over payments to the third-party provider based on the contract. c. Review only the company's controls over data sent to and received from the third-party service provider. d. Review the controls over payroll processing in both the company and the third-party service provider.
d. Review the controls over payroll processing in both the company and the third-party service provider.
An internal auditor should consider the qualitative aspects of deviations found in a sample in addition to evaluating the number of deviations. For which of the following situations should the internal auditor be most concerned? a. There were fewer deviations in the sample than expected. b. The deviations found are similar in nature to those found during the last audit of the area. c. The deviations found appear to have been caused by an employee's misunderstanding of instructions. d. The deviations found may have been caused intentionally.
d. The deviations found may have been caused intentionally.
Documentary evidence is one of the principal types of corroborating information used by an internal auditor. Which one of the following examples of documentary evidence generally is considered the most reliable? a. A vendor's invoice obtained from the accounts payable department. b. A credit memorandum prepared by the credit manager. c. A receiving report obtained from the receiving department. d. A copy of a sales invoice prepared by the sales department.
a. A vendor's invoice obtained from the accounts payable department.
The primary reason for an internal auditor to use statistical sampling rather than nonstatistical sampling is to: a. Allow the auditor to quantify, and therefore control, the risk of making an incorrect decision based on sample evidence. b. Obtain a smaller sample than would be required if nonstatistical sampling were used. c. Reduce the problems associated with the auditor's judgment concerning the competency of the evidence gathered when nonstatistical sampling is used. d. Obtain a sample more representative of the population than would be obtained if nonstatistical sampling techniques were used.
a. Allow the auditor to quantify, and therefore control, the risk of making an incorrect decision based on sample evidence.
Comprehensive risk assessment involves analysis of both causes and effects. Which of the following statements concerning the analysis of causes and effects is false? a. Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred. b. Analyzing the causes and effects of a particular risk provides insights about how to best manage the risk. c. Analyzing the effects of a particular risk provides insights about the relative size of the risk and the relative importance of the business objective threatened by the risk. d. Analyzing the root causes of a particular risk helps the internal auditor formulate recommendations for reducing the risk to an acceptable level.
a. Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred.
Internal auditors sometimes express opinions in addition to stating observations in their reports. Due professional care requires that internal audit opinions be: a. Based on sufficient appropriate evidence. b. Limited to the effectiveness of internal controls. c. Expressed only when requested by management or the audit committee. d. Based on experience and free from errors in judgment.
a. Based on sufficient appropriate evidence.
An internal auditor is testing cash disbursement transactions. Internal control policies require every check request to be accompanied by an approved voucher (that is, a package of documents evidencing that a good or service has been received and invoiced by the vendor). The voucher approval is based on a three-way matching of a purchase order, receiving report, and vendor's invoice. To determine whether checks have proper support, the internal auditor should begin her testing procedures by selecting items from the population of: a. Check copies. b. Purchase orders. c. Receiving reports. d. Approved vouchers.
a. Check copies.
Which of the following is an element of sampling risk as opposed to an element of nonsampling risk? a. Determining a sample size that is too small. b. Performing an inappropriate audit procedure. c. Failing to detect a control deviation. d. Forgetting to perform a specified audit procedure.
a. Determining a sample size that is too small.
When using a rational decision-making process, the next step after defining the problem is: a. Developing alternative solutions. b. Identifying acceptable levels of risk. c. Recognizing the gap between reality and expectations. d. Confirming hypotheses.
a. Developing alternative solutions.
Ch. 4 According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives? a. Ensuring culture is clearly articulated by the board. b. Possibility of strategy not aligning. c. Implications from the strategy chosen. d. Risk to achieving the strategy.
a. Ensuring culture is clearly articulated by the board.
Which of the following is not a potential value driver for implementing ERM? a. Financial results will improve in the short run. b. There will be fewer surprises from year to year. c. There will be better information available to make risk decisions. d. An organization's risk appetite can be aligned with strategic planning.
a. Financial results will improve in the short run.
Competent evidence is best defined as evidence that: a. Is reasonably free from error and bias and faithfully represents that which it purports to represent. b. Is obtained by observing people, property, and events. c. Is supplementary to other evidence already gathered and that tends to strengthen or confirm it. d. Proves an intermediate fact, or group of facts, from which still other facts can be inferred.
a. Is reasonably free from error and bias and faithfully represents that which it purports to represent.
One of the challenges of ERM in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas. b. Employees in these structures are inherently less risk averse. c. Managers have less incentive to implement and monitor controls. d. Effective controls are more difficult to design, and consistent application is more difficult to achieve across the organization.
a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas.
Which of the following is not typically a key element of flowcharts or narrative memoranda? a. Overall process objectives. b. Key inputs to the process. c. Key outputs from the process. d. Key risks and controls.
a. Overall process objectives.
The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. Preventive control. b. Detective control. c. Compensating control. d. Monitoring control.
a. Preventive control.
Workpaper summaries, if prepared, can be used to: a. Promote efficient workpaper review by internal audit supervisors. b. Replace the detailed workpaper files for permanent retention. c. Serve as an engagement final communication to senior management. d. Document the full development of engagement observations and recommendations.
a. Promote efficient workpaper review by internal audit supervisors.
Which of the following best exemplifies a control activity referred to as independent verification? a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions. b. Identification badges and security codes used to restrict entry to the production facility. c. Accounting records and documents that provide a trail of sales and cash receipt transactions. d. Separating the physical custody of inventory from inventory accounting.
a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions.
Which of the following statements best describes an internal audit function's responsibility for assurance engagement follow-up activities? a. The internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations. b. The internal audit function should determine whether management has initiated corrective action but has no responsibility to determine whether the corrective action is achieving the desired results. That determination is management's responsibility. c. The CAE is responsible for scheduling audit follow-up activities only if asked to do so by senior management or the audit committee. Otherwise, such activities are discretionary. d. Audit follow-up activities are not necessary if the auditee has agreed in writing to implement the internal audit function's recommendations.
a. The internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations.
If a risk appears in the middle of quadrant IV in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative to the risk. c. The controls may be inadequate relative to the risk. d. There is not enough information to make a judgment.
a. There is an appropriate balance between risk and control.
A production manager of MSM Company ordered excessive raw materials and had them delivered to a side business he operated. The manager falsified receiving reports and approved the invoices for payment. Which of the following procedures would most likely detect this fraud? a. Vouch cash disbursements to receiving reports and invoices. b. Confirm the amounts of raw materials purchased, purchase prices, and dates of shipment with vendors. c. Perform ratio and trend analysis. Compare the cost of raw materials purchased with the cost of goods produced. d. Observe the receiving dock and count materials received. Compare the counts with receiving reports completed by receiving personnel.
a. Vouch cash disbursements to receiving reports and invoices.
An internal auditor determines that the process is not designed adequately to reduce the underlying risks to an acceptable level. Which of the following should the internal auditor do next? a. Write the audit report. There's no reason to test the operating effectiveness of controls that are not designed adequately. b. Test compensating controls in other (adjacent) processes to see if the impact of the design inadequacy is reduced to an acceptable level. c. Test the existing key controls anyway to prove that, despite the design inadequacy, the process is still meeting the process objectives. d. Postpone the engagement until the design inadequacy has been rectified.
b. Test compensating controls in other (adjacent) processes to see if the impact of the design inadequacy is reduced to an acceptable level.
In deciding whether to schedule the purchasing or the personnel department for an audit engagement, which of the following would be the least important factor? a. There have been major changes in operations in one of the departments. b. The audit staff has recently added an individual with expertise in one of the areas. c. There are more opportunities to achieve operating benefits in one of the departments than in the other. d. The potential for loss is significantly greater in one department than in the other.
b. The audit staff has recently added an individual with expertise in one of the areas.
If a risk appears in the bottom right of quadrant II in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative to the risk. c. The controls may be inadequate relative to the risk. d. There is not enough information to make a judgment.
b. The controls may be excessive relative to the risk.
An internal auditor gathered the following accounts receivable trend and ratio analysis information: Which of the following is the least reasonable explanation for the changes observed by the auditor? a. Fictitious sales may have been recorded in years 2 and 3. b. The effectiveness of credit and collection procedures deteriorated over the three-year period. c. Sales returned for credit were overstated in years 2 and 3. d. The allowance for bad debts was understated in years 2 and 3.
b. The effectiveness of credit and collection procedures deteriorated over the three-year period.
What is a business process? a. How management plans to achieve the organization's objectives. b. The set of connected activities linked with each other for the purpose of achieving an objective or goal. c. A group of interacting, interrelated, or interdependent elements forming a complex whole. d. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service that brings about beneficial change or added value.
b. The set of connected activities linked with each other for the purpose of achieving an objective or goal.
Audit evidence is generally considered sufficient when: a. It is appropriate. b. There is enough of it to support well-founded conclusions. c. It is relevant, reliable, and free from bias. d. It has been obtained via random sampling.
b. There is enough of it to support well-founded conclusions.
Internal auditors obtain an understanding of controls and perform tests of controls to: a. Detect material misstatements in account balances. b. Reduce control risk to an acceptable level. c. Evaluate the design adequacy and operating effectiveness of the controls. d. Assess the inherent risks associated with transactions.
c. Evaluate the design adequacy and operating effectiveness of the controls.
Internal auditors perform both assurance engagements and consulting engagements. Which of the following would be classified as a consulting engagement? a. Directly assessing the organization's compliance with laws and regulations. b. Assessing the design adequacy of the organization's entity-level monitoring activities. c. Facilitating senior management's assessment of risks threatening the organization. d. Assisting the independent outside auditor during the financial statement audit engagement.
c. Facilitating senior management's assessment of risks threatening the organization.
An internal auditor must weigh the cost of an audit procedure against the persuasiveness of the evidence to be gathered. Observation is one audit procedure that involves cost-benefit tradeoffs. Which of the following statements regarding observation as an audit procedure is/are correct? I.Observation is limited because individuals may react differently when being watched. II.Observation is more effective for testing completeness than it is for testing existence. III. Observation provides evidence about whether certain controls are operating as designed. a. I only. b. II only. c. I and III. d. I, II, and III.
c. I and III.
Which of the following is/are barriers to widespread use of data analytics by internal audit functions? I. The scope of the intended use of data analytics is not well defined. II. The amount of time required to clean and prepare data for analysis. III. The extensive programing skills required to perform data analytics. IV. Not understanding the data to be analyzed (its source, context, use, and meaning). a. II and III only. b. I and IV only. c. I, II, and IV only. d. I, II, III, and IV.
c. I, II, and IV only.
Which of the following are business processes? I. Strategic planning. II. Review and write-off of delinquent loans. III. Safeguarding of assets. IV. Remittance of payroll taxes to the respective tax authorities. a. I and III. b. II and IV. c. I, II, and IV. d. I, II, III, and IV.
c. I, II, and IV.
An internal auditor is concerned that fraud, in the form of payments to fictitious vendors, may exist. Company purchasers, responsible for purchases of specific product lines, have been granted the authority to approve expenditures up to $10,000. Which of the following applications of generalized audit software would be most effective in addressing the auditor's concern? a. List all purchases over $10,000 to determine whether they were properly approved. b. Take a random sample of all expenditures under $10,000 to determine whether they were properly approved. c. List all major vendors by product line. Select a sample of major vendors and examine supporting documentation for goods or services received. d. List all major vendors by product line. Select a sample of major vendors and send negative confirmations to validate that they actually provided goods or services.
c. List all major vendors by product line. Select a sample of major vendors and examine supporting documentation for goods or services received.
Ch. 10 Professional skepticism means that internal auditors beginning an assurance engagement should: a. Assume client personnel are dishonest until they gather evidence that clearly indicates otherwise. b. Assume client personnel are honest until they gather evidence that clearly indicates otherwise. c. Neither assume client personnel are honest nor assume they are dishonest. d. Assume that internal controls are designed inadequately and/or operating ineffectively.
c. Neither assume client personnel are honest nor assume they are dishonest.
Which of the following most completely describes the appropriate content of internal audit assurance engagement working papers? a. Objectives, procedures, and conclusions. b. Purpose, criteria, techniques, and conclusions. c. Objectives, procedures, facts, conclusions, and recommendations. d. Subject, purpose, sampling information, and analysis.
c. Objectives, procedures, facts, conclusions, and recommendations.
The risk assessment component of internal control involves the: a. Independent outside auditor's assessment of residual risk. b. Internal audit function's assessment of control deficiencies. c. Organization's identification and analysis of the risks that threaten the achievement of its objectives. d. Organization's monitoring of financial information for potential material misstatements.
c. Organization's identification and analysis of the risks that threaten the achievement of its objectives.
Which flowcharting symbol indicates the start or end of a process? a. Arrow. b. Diamond c. Oval. d. Rectangle.
c. Oval.
Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success? a. Economic event. b. Natural environment event. c. Political event. d. Social event.
c. Political event.
Which of the following is the most significant to the internal audit client in providing information related to the future direction and actions that can improve the operation of the organization? a. Descriptive. b. Diagnostic. c. Predictive. d. Prescriptive.
c. Predictive.
Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor. b. Audit committee. c. Internal audit supervisor. d. CAE.
d. CAE.
Which of the following external risks is least likely to impact the accuracy of financial reporting? a. The standard-setting body in the organization's country issues a new financial accounting standard. b. A recent judicial court case increases the likelihood that pending litigation will result in an unfavorable outcome. c. Changes in standard industry contracts now allow for netting of payables and receivables. d. Competitor pressures cause the organization to pursue new sales channels.
d. Competitor pressures cause the organization to pursue new sales channels.
A process objective stating "All contracts must be approved by an officer of the company before being consummated" is an example of what type of objective? a. Strategic. b. Operations. c. Reporting. d. Compliance.
d. Compliance.
While planning an assurance engagement, the internal auditor obtains knowledge about the auditee's operations to, among other things: a. Develop an attitude of professional skepticism concerning management's assertions. b. Make constructive suggestions to management regarding internal control improvements. c. Evaluate whether misstatements in the auditee's performance reports should be communicated to senior management and the audit committee. d. Develop an understanding of the auditee's objectives, risks, and controls.
d. Develop an understanding of the auditee's objectives, risks, and controls.
The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors? a. A cross-section of management is involved in assessing the impact and likelihood of each risk. b. Risk owners are assigned responsibility for each key risk. c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile. d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.
d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.
Reportable internal audit observations emerge by a process of comparing "what should be" with "what is." In determining "what should be" during an audit of a company's treasury function, which of the following would be the least desirable criterion against which to judge current operations? a. Best practices of the treasury function in relevant industries. b. Company policies and procedures delegating authority and assigning responsibilities. c. Performance standards established by senior management. d. The operations of the treasury function as documented during the last audit.
d. The operations of the treasury function as documented during the last audit.
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan? a. To emphasize the importance of the internal audit function to the organization. b. To ensure that the internal audit plan will be approved by senior management. c. To make recommendations to improve the strategic plan. d. To ensure that the internal audit plan supports the overall business objectives.
d. To ensure that the internal audit plan supports the overall business objectives.
An internal auditor wants to test customers' accounts receivable balances for overstatement on a sample basis. Which of the following would be the least valid reason for deciding to use PPS sampling rather than classical variables sampling? a. PPS sampling is generally thought to be easier to use than classical variables sampling. b. The internal auditor expects to find no misstatements and PPS sampling typically requires a smaller sample size than classical variables sampling in this situation. c. PPS sampling automatically stratifies the population. d. Using PPS sampling eliminates the need for professional judgment in determining the appropriate sample size and evaluating the sample results.
d. Using PPS sampling eliminates the need for professional judgment in determining the appropriate sample size and evaluating the sample results.
Which of the following groups' risk tolerance levels are least relevant when conducting an assurance engagement? a. Senior management. b. Process-level management. c. The internal audit function. d. Vendors and customers.
d. Vendors and customers.