ACCY 501 Internal Audit Flint Test 1

D. Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed. Answer Explanation Internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist.

A certified internal auditor performed an assurance engagement to review a department store's cash function. Which of the following actions will be deemed lacking in due professional care? A. Organizational records were reviewed to determine whether all employees who handle cash receipts and disbursements were bonded. B. A flowchart of the entire cash function was developed, but only a sample of transactions was tested. C. The final engagement communication included a well-supported recommendation for the reduction in staff, although it was known that such a reduction would adversely affect morale. D. Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed.

B. A flowchart of the cash function was developed, and a sample of transactions was tested. Answer Explanation Sampling is permissible. Detailed reviews of all transactions often are not required or feasible.

A certified internal auditor performed an assurance engagement to review the entity's cash function. Which action indicates the exercise of due professional care? A. The internal auditor reviewed the work records of employees who handle cash but did not determine whether they were bonded. B. A flowchart of the cash function was developed, and a sample of transactions was tested. C. The internal auditor reported that the cash function was overstaffed but did not recommend layoffs or transfers. D. Because of effective internal control over the cash function, the final report stated that no irregularities existed.

C. The length of tenure of the chief audit executive. Answer Explanation The length of the CAE's employment should not be codified in the charter; it is a matter of ongoing judgment for the board.

A charter is one of the more important factors positively affecting the internal audit activity's independence. Which of the following is least likely to be part of the charter? A. Access to records within the organization. B. The scope of internal audit activities. C. The length of tenure of the chief audit executive. D. Access to personnel within the organization.

A. Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the board. Answer Explanation When evaluating a code of conduct, it is important to consider two items: comprehensiveness and compliance. The code should address the ethical issues that the employees are expected to encounter and provide suitable guidance. The internal auditor also must consider the extent to which employees are complying with the standards established.

A code of conduct was developed several years ago and distributed by a large financial institution to all its officers and employees. What is the internal auditor's best approach to providing the board with the highest level of comfort about the code of conduct? A. Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the board. B. Fully evaluate organizational practices for compliance with the code and report to the board. C. Review employee activities for compliance with provisions of the code and report to the board. D. Perform tests on various employee transactions to detect potential violations of the code of conduct.

D. The internal auditor of a company has more responsibility than the board for the company's corporate governance. Answer Explanation Governance is the responsibility of the board. Internal audit's responsibility is to assess governance processes and make appropriate recommendations for improvement.

Which of the following statements regarding corporate governance is not correct? A. Corporate control mechanisms include internal and external mechanisms. B. The compensation scheme for management is part of the corporate control mechanisms. C. The dilution of shareholders' wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue. D. The internal auditor of a company has more responsibility than the board for the company's corporate governance.

B. Releasing information externally without review by designated persons. Answer Explanation To better understand the effects of legal and regulatory requirements and protections, the chief audit executive (CAE) should consult with legal counsel. The organization's policies and procedures may require that specific authorities review and approve business information before external release (IG, Code of Ethics: Confidentiality).

Which of the following violates the confidentiality principle in The IIA's Code of Ethics? A. Making only those disclosures permitted by the organization. B. Releasing information externally without review by designated persons. C. Documenting the rationale for allocating resources to the internal audit activity but not the internal audit plan. D. Assessing the quality assurance and improvement plan.

D. Designing and implementing appropriate controls Answer Explanation The objectivity standard states that internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest (Attr. Std. 1120). Objectivity is presumed to be impaired if the internal audit activity designs, installs, or drafts procedures or systems for which they also evaluate. Accordingly, the internal audit activity's responsibilities should not include designing and implementing controls.

Which of the following would not be an appropriate responsibility for an internal audit activity? A. Reviewing the implementation of organizational policies. B. Assessing management's performance against the achievement of the organization's mission. C. Undertaking research on factors impacting the organization's share price. D. Designing and implementing appropriate controls

C. A rating scale used to show the degree of conformance. Answer Explanation The external assessment report typically includes an assessment for each standard and an overall assessment for each standard series (attribute and performance). These assessments are in addition to the overall conformance results. A rating scale may be used to show the degree of conformance.

A quality assurance and improvement program (QAIP) covers all aspects of the internal audit activity. The conclusion by an assessor of the internal audit activity is most likely to include A. An overall assessment of conformance with attribute but not performance standards. B. The qualifications and independence of the assessment team. C. A rating scale used to show the degree of conformance. D. An assessment only of overall conformance.

C. Focused on the quality of engagements. Answer Explanation Internal assessments include ongoing monitoring and periodic self-assessments. Ongoing monitoring generally emphasizes reviews at the engagement level. It helps the chief audit executive determine whether internal audit processes are delivering quality on an engagement-by-engagement basis. Compared with periodic self-assessments, ongoing monitoring addresses evaluating conformance with the performance standards.

A quality assurance and improvement program (QAIP) for an internal audit activity must include ongoing monitoring A. By an assessor from outside the organization. B. With external validation. C. Focused on the quality of engagements. D. That comprehensively reviews conformance with the Standards.

C. 1, 3, and 4 only. Answer Explanation A quality assurance and improvement program (QAIP) is designed to provide reasonable assurance that the internal audit activity conforms with the Standards and the Code of Ethics. QAIP processes include appropriate supervision, periodic internal assessments and ongoing monitoring of quality assurance, and periodic external assessments

A quality assurance and improvement program of an internal audit activity provides reasonable assurance that internal auditing work is performed in accordance with its charter. Which of the following are designed to provide feedback on the effectiveness of an internal audit activity? 1. Proper supervision 2. Proper training 3. Internal reviews 4. External reviews A. 1, 2, and 3 only. B. 2, 3, and 4 only. C. 1, 3, and 4 only. D. 1, 2, 3, and 4.

A. Each member of the IAA is not required to be qualified in all disciplines. Answer Explanation The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement (Implementation Standard 1210.A1). Each member of the IAA need not be qualified in all disciplines. When necessary, the CAE can obtain necessary knowledge, skills, and competencies from external service providers.

A small internal audit activity (IAA) is performing an assurance engagement but lacks the expertise to evaluate certain accounting estimates. Thus, the chief audit executive (CAE) must obtain the necessary knowledge, skills, and other competencies from an external service provider (ESP). The fundamental reason for this decision most likely is that A. Each member of the IAA is not required to be qualified in all disciplines. B. The quality assurance and improvement program (QAIP) failed to report the IAA's lack of expertise. C. The ESP was needed to assume the role of CAE. D. The CAE did not hire sufficiently qualified staff.

B. Integrity. Answer Explanation The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. Rule of Conduct 1.2 under the integrity principle states, "Internal auditors shall observe the law and make disclosures expected by the law and the profession." Additionally, Rule of Conduct 1.3 states, "Internal auditors shall not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal auditing or to the organization."

An auditor who observes the law and makes disclosures expected by the law is following The IIA's Code of Ethics principle of A. Responsibility. B. Integrity. C. Competency. D. Objectivity.

B. Whether existing procedures within the internal audit activity provide for proper planning and quality assurance. Answer Explanation The CAE should examine departmental procedures and the conduct of the specific engagement mentioned to ascertain that proper planning and quality assurance procedures are in place and are being followed.

An individual became head of the internal audit activity of an organization 1 week ago. An engagement client has come to the person complaining vigorously that one of the internal auditors is taking up an excessive amount of client time on an engagement that seems to be lacking a clear purpose. In handling this conflict with a client, the person should consider A. Discounting what is said, but documenting the complaint. B. Whether existing procedures within the internal audit activity provide for proper planning and quality assurance. C. Presenting an immediate defense of the internal auditor based upon currently known facts. D. Promising the client that the internal auditor will finish the work within 1 week.

B. Includes analysis of the execution of the internal audit plan. Answer Explanation The QAIP includes ongoing measurements and analyses of performance metrics. Examples are (1) accomplishment of the internal audit plan, (2) cycle time, (3) recommendations accepted, and (4) customer satisfaction.

An internal audit activity's quality assurance and improvement program (QAIP) A. Encompasses all aspects of the internal audit activity's operations except consulting. B. Includes analysis of the execution of the internal audit plan. C. Must have a full external independent assessment every 3 years. D. Should be developed and maintained by the board.

B. The chief audit executive. Answer Explanation The CAE establishes a structure for reporting results of internal assessments that maintains appropriate credibility and objectivity. Generally, those assigned responsibility for conducting ongoing and periodic reviews report to the CAE while performing the reviews and communicate results directly to the CAE.

Ordinarily, those conducting internal quality program assessments report to A. The board. B. The chief audit executive. C. Senior management. D. The internal audit staff.

D. The board. Answer Explanation Organizational independence is effectively achieved when the CAE reports functionally to the board (Inter. Attr. Std. 1110).

The IIA has indicated that to achieve necessary independence, the CAE should report functionally to whom? A. Senior management. B. Shareholders. C. Chief executive officer. D. The board.

C. External service provider. Answer Explanation External service providers are used when the internal audit staff does not have the necessary knowledge, skills, and competencies to fulfill the responsibilities of the internal audit activity.

All of the following will help the CAE identify the available knowledge, skills, and competencies of the internal audit staff except A. Hiring practices. B. Periodic skills assessment. C. External service provider. D. Staff performance appraisals.

A. When the self-assessment has been validated by a qualified, independent, competent, and professional external assessor. Answer Explanation Implementation Guide 1310 states, "External assessments provide an opportunity for an independent assessor or assessment team to conclude as to the internal audit activity's conformance with the Standards and whether internal auditors apply the Code of Ethics and to identify areas for improvement.The CAE is responsible for ensuring that the internal audit activity conducts an external assessment at least once every five years. A self-assessment may be performed in lieu of a full external assessment, provided it is validated by a qualified, independent, competent, and professional external assessor."

According to The IIA's International Professional Practices Framework, when may a self-assessment be performed in lieu of a full external assessment? A. When the self-assessment has been validated by a qualified, independent, competent, and professional external assessor. B. When the internal audit activity has conducted an external assessment within the past two years. C. When ongoing monitoring of the internal audit activity has not identified any weaknesses or areas in need of improvement. D. A self-assessment may not be performed in lieu of a full external assessment of the internal audit activity's conformance with the Standards.

C. Performance Standards Answer Explanation The mandatory guidance portion of the IPPF consists of the Core Principles, Definition of Internal Auditing, the Code of Ethics, Attribute Standards, Performance Standards, and Implementation Standards.

According to The IIA's International Professional Practices Framework, which of the following constitute mandatory guidance for implementing the Standards? A. Development Aids. B. Practice Aids. C. Performance Standards. D. Implementation Guides.

C. Participating in conferences, online and classroom courses, and webinars. Answer Explanation Opportunities for CPD include (1) participating in conferences, seminars, training programs, online courses and webinars, self-study programs, or classroom courses; (2) conducting research projects; (3) volunteering with professional organizations; and (4) pursuing professional certifications.

According to The IIA, continuing professional development (CPD) activities for CIAs may include A. Completion of at least 40 hours of continuing professional education (CPE) annually by nonpractitioners. B. Up to 8 hours of ethics training of which 4 hours are mandatory for nonpracticing CIAs. C. Participating in conferences, online and classroom courses, and webinars. D. Earning an advanced degree in any field.

C. 1 and 2. Answer Explanation Rule of Conduct 2.1 under the objectivity principle states, "Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization." Accordingly, service on the board of the local bank constitutes a conflict of interest and may prejudice the internal auditor's ability to carry out objectively his or her duties regarding potential acquisitions.

An internal auditor for a large regional bank was asked to serve on the board of directors of a local bank. The bank competes in many of the same markets as the regional bank but focuses more on consumer financing than on business financing. In accepting this position, the internal auditor: 1. Violates The IIA's Code of Ethics because serving on the board may be in conflict with the best interests of the internal auditor's employer 2. Violates The IIA's Code of Ethics because the information gained while serving on the board of directors of the local bank may influence recommendations regarding potential acquisitions A. 1 only. B. 2 only. C. 1 and 2. D. Neither 1 nor 2.

A. Not accept the payment because such acceptance is in conflict with the Code of Ethics. Answer Explanation Rule of Conduct 2.2 under the objectivity principle states, "Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment."

An internal auditor has been assigned to an engagement at a foreign subsidiary. The internal auditor is aware that the social climate of the country is such that "facilitating payments" (bribes) are an accepted part of doing business. The internal auditor has completed the engagement and has found significant weaknesses relating to important controls. The subsidiary's manager offers the internal auditor a substantial "facilitating payment" to omit the observations from the final engagement communication with a provision that the internal auditor could revisit the subsidiary in 6 months to verify that the problem areas have been properly addressed. The internal auditor should A. Not accept the payment because such acceptance is in conflict with the Code of Ethics. B. Not accept the payment, but omit the observations as long as a verification visit is made in 6 months. C. Accept the offer because it is consistent with the ethical concepts of the country in which the subsidiary is doing business. D. Accept the payment because it has the effect of doing the greatest good for the greatest number; the internal auditor is better off, the subsidiary is better off, and the organization is better off because there is strong motivation to correct the deficiencies.

C. Not testing for possible misstatement because the engagement work program had already been approved by engagement management. Answer Explanation Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor (Attr. Std. 1220). Engagement work programs are expected to be modified to reflect changing circumstances. Thus, the internal auditor fails to exercise due professional care by not investigating a suspected misstatement solely because the work program had already been approved.

An internal auditor has some suspicion of, but no information about, potential misstatement of financial statements. The internal auditor fails to exercise due professional care by A. Identifying potential ways in which a misstatement could occur and ranking the items for investigation. B. Informing the engagement manager of the suspicions and asking for advice on how to proceed. C. Not testing for possible misstatement because the engagement work program had already been approved by engagement management. D. Expanding the engagement work program, without the engagement client's approval, to address the highest ranked ways in which a misstatement may have occurred.

D. Yes. The internal auditor was not prudent in the use of information acquired in the course of his or her duties. Answer Explanation Rule of Conduct 3.1 under the confidentiality principle states, "Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties." Rule of Conduct 3.2 states, "Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization." In this case, the decision whether to notify the financial officer of his or her replacement was properly the organization's. Accordingly, the internal auditor was bound not to tell his or her friend.

An internal auditor is performing services in a division in which the chief financial officer is a close personal friend, and the internal auditor learns that the friend is to be replaced after a series of critical labor negotiations. The internal auditor relays this information to the friend. Has a violation of The IIA's Code of Ethics occurred? A. No. The use of the confidential information resulted in no personal gain to the internal auditor. B. No. The internal auditor was just being honest with his or her friend. C. Yes. The internal auditor had a conflict of interest with the organization. D. Yes. The internal auditor was not prudent in the use of information acquired in the course of his or her duties.

B. Adverse effects related to the item are very unlikely to occur. Answer Explanation Internal auditors must exercise due professional care by considering the relative complexity, materiality, or significance of matters to which assurance procedures are applied (Impl. Std. 1220.A1). Materiality judgments are made based on all the circumstances and involve qualitative as well as quantitative considerations. Moreover, internal auditors also must consider the interplay of risk with materiality. Consequently, engagement effort may be reduced for a quantitatively material item if adverse effects are very unlikely to occur, for example, a material contingent liability that is unlikely to require recognition.

An internal auditor judged an item to be material when planning an assurance engagement. However, the assurance engagement may exclude the item if it is subsequently determined that A. Sufficient staff is not available. B. Adverse effects related to the item are very unlikely to occur. C. Related information is unreliable. D. Recurring income is involved.

B. Purchasing activity if a major supplier is owned by the internal auditor's sister-in-law. Answer Explanation The CAE makes staff assignments so that potential and actual conflicts of interest and bias are avoided. A close relative's involvement with a supplier of an engagement client is an apparent conflict of interest.

An internal auditor most likely will have a conflict of interest by providing an assurance service with regard to a A. Financial activity in which the internal auditor had been a key employee 5 years previously. B. Purchasing activity if a major supplier is owned by the internal auditor's sister-in-law. C. Data processing center for which the internal auditor had performed the service three times previously. D. Computer system for which the internal auditor had been the internal audit activity's representative on the design team.

A. No, reasonable care was not taken. Answer Explanation Internal auditors must consider the probability of significant errors, fraud, or noncompliance. Thus, the internal auditor did not exercise due professional care. Access to the recordkeeping functions by the new receivables clerk is not in itself an irregularity, especially if the clerk has no access to cash. Moreover, the facts do not indicate that the extent of the internal auditor's work sufficed to achieve the engagement's objectives.

An internal auditor observes that a new receivables clerk has access to accounting records. Accordingly, the auditor notes in the engagement working papers that controls over receipts are inadequate. Has the auditor exercised due professional care? A. No, reasonable care was not taken. B. Yes, irregularities were noted. C. Yes, alertness to conditions most likely indicative of irregularities was shown. D. Yes, the engagement working papers were annotated.

A. The IIA Standards do not apply outside of the United States. Answer Explanation Pronouncements by The IIA have no geographic limits. Compliance with the concepts in the Standards is essential for the responsibilities of internal auditors to be met, regardless of the national environment.

An internal auditor often faces special problems when performing an engagement at a foreign subsidiary. Which of the following statements is false with respect to the conduct of international engagements? A. The IIA Standards do not apply outside of the United States. B. The internal auditor should determine whether managers are in compliance with local laws. C. There may be justification for having different organizational policies in force in foreign branches. D. It is preferable to have multilingual internal auditors conduct engagements at branches in foreign nations.

C. Integrity. Answer Explanation Certain behaviors may be discreditable to the internal auditing profession under Rule of Conduct 1.3 (Integrity). They include the use of the CIA designation or other credentials after they have expired or been revoked.

An internal auditor who uses the CIA designation after it has expired most likely is engaging in an act discreditable under which principle of The IIA's Code of Ethics? A. Confidentiality. B. Competency. C. Integrity. D. Objectivity.

D. Drafting operating procedures for the new system. Answer Explanation An internal auditor's objectivity is not impaired when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, or drafting procedures for information systems, however, are presumed to impair the internal auditor's objectivity. Such services may create a conflict of interest, a situation in which internal auditors have a competing professional or personal interest. This may create an appearance of impropriety that undermines confidence in the internal audit activity (Inter. Attr. Std. 1120).

An organization is planning to develop and implement a new computerized purchase order system in one of its manufacturing subsidiaries. The vice president of manufacturing has requested that internal auditors participate on a team consisting of representatives from finance, manufacturing, purchasing, and marketing. This team will be responsible for the implementation effort. Eager to take on this high profile project, the chief audit executive assigns a senior internal auditor to the project to assist "as needed." Assuming the senior internal auditor performed all of the following activities, which one will impair objectivity if the internal auditor is asked to review the purchase order system on a post-engagement basis? A. Helping to identify and define control objectives. B. Testing for compliance with system development standards. C. Evaluate risk exposures of systems and programming standards. D. Drafting operating procedures for the new system.

C. As part of an evaluation team, review vendor accounting software internal controls and rank according to exposures. Answer Explanation An internal auditor's objectivity is not impaired when the auditor recommends standards of control for systems or reviews procedures before they are implemented.

Assuming that the internal auditing staff possesses the necessary experience and training, which of the following services is most appropriate for a staff internal auditor to undertake? A. Substitute for the accounts payable supervisor while (s)he is on sick leave. B. Determine the profitability of alternative investment acquisitions and select the best alternative. C. As part of an evaluation team, review vendor accounting software internal controls and rank according to exposures. D. Participate in an internal audit of the accounting department shortly after transferring from the accounting department.

C. Annually. Answer Explanation To demonstrate conformance with the mandatory IIA guidance, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually (Inter. Std. 1320).

At what minimal required frequency does the chief audit executive report the results of internal assessments in the form of ongoing monitoring to senior management and the board? A. Monthly. B. Quarterly. C. Annually. D. Biennially.

A. Clear, enforced lines of responsibility and accountability. Answer Explanation Albert, Bradley, and Chris are responsible for different departments. This practice is therefore most closely related to the governance principle of clear, enforced lines of responsibility.

Attentive, Inc., has three managers: Albert, Bradley, and Chris. Albert is in charge of the accounting department. His duties involve the daily audit and producing the year-end financial statements. Bradley is in charge of production. His duties involve ensuring that production stays on schedule and that waste is minimized. Chris is in charge of support staff. His duties include ensuring that the workplace remains clean. This practice is most closely related to which of the following governance principles? A. Clear, enforced lines of responsibility and accountability. B. An independent and objective board with sufficient expertise, experience, authority, and resources to conduct independent inquiries. C. Reinforcement of an ethical culture, including employee feedback without fear of retaliation. D. Clear definition and implementation of risk management policies and processes.

B. The internal audit activity informs the board that it has implemented an organization-wide employee ethics program. Answer Explanation The design and implementation of governance processes are the responsibility of the board and management.

CIA1 Question 4.1.26 Which of the following is a situation in which an internal auditor's role conflicts with the independence attribute of the internal audit activity? A. The internal audit activity recommends a new whistleblower program for the organization. B. The internal audit activity informs the board that it has implemented an organization-wide employee ethics program. C. The board requests that the internal auditors assess whether the organization is complying with the code of conduct. D. The CEO informs the board of recommendations made by the internal audit activity regarding the organization's compliance with the code of conduct.

A. A description in the audit committee's charter of its oversight duties. Answer Explanation Conformance with Attribute Standard 1110, Organizational Independence, may be demonstrated, among other ways, through (1) a description in the internal audit charter and the audit committee charter of the audit committee's oversight duties, (2) the chief audit executive's job description and performance evaluation that include reporting relationships and supervisory oversight, and (3) an internal audit policy manual that (a) addresses policies on independence and board communication requirements or (b) includes an organization chart with reporting responsibilities.

Conformance with Attribute Standard 1110, Organizational Independence, regarding the position of the internal audit activity (IAA) is best demonstrated by A. A description in the audit committee's charter of its oversight duties. B. A human resources departmental operations manual on internal audit reporting relationships. C. An internal audit charter providing for functional reporting to senior management. D. An internal audit policy manual providing for an annual meeting with the board and the supervising manager.

D. Approval of engagement workpapers by the chief audit executive indicating a balanced assessment. Answer Explanation Conformance with the objectivity principle is demonstrated by engagement workpapers that have been approved by the CAE or a designated engagement supervisor. They may be evidence that internal auditors have conducted a balanced assessment.

Conformance with the objectivity principle most likely is demonstrated by A. Seeking approval of disclosures from legal counsel. B. Providing opportunities for mentoring. C. A quality assurance and improvement program. D. Approval of engagement workpapers by the chief audit executive indicating a balanced assessment.

A. Verification that the recommendations have been implemented may be communicated to the board by following up separately through the next internal assessment. Answer Explanation During an external assessment, the assessor may provide recommendations to address (a) areas that were not in conformance with the Standards and (b) opportunities for improvement. Verification that recommendations identified during the external assessment have been implemented is communicated to the board either (a) as part of the internal audit activity's monitoring of progress or (b) by following up separately through the next QAIP internal assessment.

Corrective action plans may result from an assessor's recommendations made during an external assessment of the internal audit activity. Which of the following is true? A. Verification that the recommendations have been implemented may be communicated to the board by following up separately through the next internal assessment. B. Corrective action plans consist of a comprehensive self-assessment process that emulates the full external assessment process and is validated by an external assessor. C. Indicating that the internal audit activity conforms with the Standards is appropriate only if supported by the implementation of corrective action plans. D. The corrective action plans are included in the organization's internal audit charter.

A. Joint engagements with external service providers. Answer Explanation Outsourcing alternatives include (1) partial or total external sourcing on an ongoing basis and (2) cosourcing for a specific engagement or on an ongoing basis. Cosourcing is performance by internal audit staff of joint engagements with external service providers (Position Paper, The Role of Internal Auditing in Resourcing the Internal Audit Activity).

Cosourcing of the functions of the internal audit activity (IAA) involves A. Joint engagements with external service providers. B. Performance of engagements by two or more external service providers. C. External outsourcing of all the IAA's functions for one engagement. D. Ongoing outsourcing of some IAA functions.

A. Establishing and maintaining an organizational culture. Answer Explanation Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that goals and objectives will be achieved. Management periodically reviews its objectives and goals and modifies its processes to accommodate changes in internal and external conditions. Management also establishes and maintains an organizational culture, including an ethical climate that fosters control.

Directors, management, external auditors, and internal auditors all play important roles in creating proper control processes. Senior management is primarily responsible for A. Establishing and maintaining an organizational culture. B. Reviewing the reliability and integrity of financial and operational information. C. Ensuring that external and internal auditors oversee the administration of the system of risk management and control processes. D. Implementing and monitoring controls designed by the board of directors.

C. Consideration of the possibility of material irregularities during every engagement. Answer Explanation Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the internal auditor to conduct examinations and verifications to a reasonable extent, but does not require detailed reviews of all transactions. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance should be considered whenever an internal auditor undertakes an internal auditing assignment.

Due professional care calls for A. Detailed reviews of all transactions related to a particular function. B. Infallibility and extraordinary performance when the system of internal control is known to be weak. C. Consideration of the possibility of material irregularities during every engagement. D. Testing in sufficient detail to give absolute assurance that noncompliance does not exist

B. The conduct of extensive examinations. Answer Explanation Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. It requires the internal auditor to conduct examinations and verifications to a reasonable extent.

Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. Thus, which of the following is unnecessary? A. The conduct of examinations and verifications to a reasonable extent. B. The conduct of extensive examinations. C. The reasonable assurance that compliance does exist. D. The consideration of the possibility of material irregularities.

D. The internal audit activity's charter. Answer Explanation The charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Inter. Std. 1000). Thus, the charter prescribes the internal audit activity's relationships with other units within the organization and with those outside.

During an engagement to evaluate the organization's accounts payable function, an internal auditor plans to confirm balances with suppliers. What is the source of authority for such contacts with units outside the organization? A. Internal audit activity policies and procedures. B. The Standards. C. The Code of Ethics. D. The internal audit activity's charter.

B. Inform the president that this scope limitation will need to be reported to the board. Answer Explanation A scope limitation, along with its potential effect, needs to be communicated to the board.

During the course of an engagement, an internal auditor makes a preliminary determination that a major division has been inappropriately capitalizing research and development expense. The engagement is not yet completed, and the internal auditor has not documented the problem or determined that it really is a problem. However, the internal auditor is informed that the chief audit executive has received the following communication from the president of the organization: "The controller of Division B informs me that you have discovered a questionable account classification dealing with research and development expense. We are aware of the issue. You are directed to discontinue any further investigation of this matter until informed by me to proceed. Under the confidentiality standard of your profession, I also direct you not to communicate with the outside auditors regarding this issue." Which of the following is an appropriate action for the CAE to take regarding the questionable item? A. Immediately report the communication to The IIA and ask for an ethical interpretation and guidance. B. Inform the president that this scope limitation will need to be reported to the board. C. Continue to investigate the area until all the facts are determined and document all the relevant facts in the engagement records. D. Immediately notify the external auditors of the problem to avoid aiding and abetting a potential crime by the organization.

C. Detailed cost-benefit analysis of the internal audit activity. Answer Explanation The external assessment has a broad scope of coverage that includes (1) conformance with the Code of Ethics and the Standards evaluated by review of the internal audit activity's charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements; (2) the expectations of the internal audit activity expressed by the board, senior management, and operational managers; and (3) the efficiency and effectiveness of the internal audit activity (IG 1312). However, the costs and benefits of internal auditing are neither easily quantifiable nor the subject of an external assessment.

External assessment of an internal audit activity is not likely to evaluate A. Adherence to the internal audit activity's charter. B. Conformance with the Standards. C. Detailed cost-benefit analysis of the internal audit activity. D. The internal audit staff's expertise.

C. Independence. Answer Explanation Independence is "the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner" (The IIA Glossary).

Freedom from conditions that threaten internal auditors' ability to do unbiased work is A. Control. B. Compliance. C. Independence. D. Avoidance of conflicts of interest.

C. Is conducted by an external assessor or assessment team. Answer Explanation A full external assessment is conducted by a qualified independent external assessor or assessment team. The team should consist of competent professionals and be led by an experienced and professional project team leader.

Full external assessment of the internal audit activity's conformance with the Standards and Code of Ethics A. Is a self-assessment with external validation. B. Requires onsite validation by an independent, external assessor. C. Is conducted by an external assessor or assessment team. D. Should be incorporated into the internal audit activity's routine policies and practices.

A. Evaluate their design, implementation, and effectiveness. Answer Explanation The internal audit activity must evaluate the design, implementation, and effectiveness of the organizations ethics-related objectives, programs, and activities.

In an assurance engagement, what is the internal auditor's responsibility for evaluating ethics-related activities? A. Evaluate their design, implementation, and effectiveness. B. Evaluate only the design of ethics-related activities. C. Review employee activities for compliance with provisions of the code. D. Perform tests on various employee transactions.

B. Effectiveness. Answer Explanation In this situation, management is highly averse to analysis or possible criticism of its actions. Consequently, the internal audit activity will most likely not report to an organizational level that will allow it to fulfill its responsibilities (Attr. Std. 1110). Furthermore, engagement communications are unlikely to receive adequate consideration, and appropriate action is unlikely to be taken on engagement recommendations.

In some cultures and organizations, managers insist that an internal audit activity is not needed to provide a critical assessment of the organization's operations. This kind of management attitude will most probably have an adverse effect on the internal audit activity's A. Operating budget variance. B. Effectiveness. C. Performance appraisals. D. Policies and procedures.

B. Are responsible for day-to-day operations. Answer Explanation Risk owners are managers responsible for specific day-to-day operations. Senior managers determine who will be risk owners.

In the governance structure, risk owners A. Are senior managers. B. Are responsible for day-to-day operations. C. Identify stakeholders and unacceptable outcomes. D. Carry out board directives.

D. An independent assessment team identifies areas for improvement. Answer Explanation According to Implementation Guide 1310, "Internal assessments consist of ongoing monitoring and periodic self-assessments . . . , which evaluate the internal audit activity's conformance with the mandatory elements of the IPPF, the quality and supervision of audit work performed, the adequacy of internal audit policies and procedures, the value the internal audit activity adds to the organization, and the establishment and achievement of key performance indicators." External assessments provide an opportunity for an independent assessment team to identify areas for improvement for the internal audit activity.

Internal assessments of the internal audit activity consist of all of the following except A. Evaluation of conformance with the mandatory elements of the IPPF. B. Evaluation of the establishment and achievement of key performance indicators. C. Evaluation of the quality and supervision of the audit work performed. D. An independent assessment team identifies areas for improvement.

A. It is supported by the results of the quality program. Answer Explanation The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement (Attr. Std. 1321).

Internal auditors may include in their audit report that their activities conform with The IIA Standards. They may use this statement only if A. It is supported by the results of the quality program. B. An independent external assessment of the internal audit activity is conducted annually. C. Senior management or the board is accountable for implementing a quality program. D. External assessments of the internal audit activity are made by external auditors.

A. Requires internal auditors not to subordinate their judgment on audit matters to that of others. Answer Explanation Objectivity is "an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others" (Inter. Attr. Std. 1100).

Internal auditors should be objective. Objectivity A. Requires internal auditors not to subordinate their judgment on audit matters to that of others. B. Is required only in assurance engagements. C. Is freedom from threats to the ability to perform audit work without bias. D. Prohibits internal auditors from providing consulting services relating to operations for which they had previous responsibility.

A. Proper resourcing of engagements. Answer Explanation The CAE may demonstrate a culture supportive of competency and the continual improvement of proficiency, effectiveness, and quality through evidence that engagements have been properly resourced and supervised (IG, Code of Ethics: Competency).

Internal auditors' conformance with the competency principle most likely is demonstrated by A. Proper resourcing of engagements. B. Documenting disclosures approved by legal counsel. C. Retaining authorizations of all disclosures. D. Prudence in using and protecting information.

D. Internal auditors avoiding conflicts of interest. Answer Explanation Internal auditors should be aware of the possibility of new conflicts of interest that may arise owing to changes in personal circumstances or the particular auditees to which an auditor may be assigned.

Maintaining individual objectivity is most dependent on A. Clearly informing auditee departments and functions of The IIA definition of conflict of interest. B. An annual evaluation by the board. C. An annual evaluation by an external assessment team. D. Internal auditors avoiding conflicts of interest.

A. Assessments by senior internal auditors or certified internal auditors. Answer Explanation Internal assessments include periodic self-assessments that ordinarily provide a more comprehensive review of the Standards and the internal audit activity. They are generally conducted by those with extensive internal auditing experience (e.g., senior internal auditors or certified internal auditors).

Periodic self-assessments are a component of a quality assurance and improvement program (QAIP) for an internal audit activity. They most likely include A. Assessments by senior internal auditors or certified internal auditors. B. Daily review of functions incorporated into routine policies used to manage the internal audit activity. C. Continuous activities such as engagement planning and supervision. D. Validation by a qualified, independent assessor.

A. Senior management and the board. Answer Explanation The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosures should include the qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.

Potential conflicts of interest with the quality assurance assessment team should be disclosed to A. Senior management and the board. B. Internal audit staff. C. Internal audit activity. D. Chief audit executive.

D. Determining who will be risk owners. Answer Explanation Senior management determines (1) where specific risks are to be managed, (2) who will be risk owners (managers responsible for specific day-to-day risks), and (3) how specific risks will be managed.

Senior management is primarily responsible for A. Implementing and monitoring controls designed by the board of directors. B. Ensuring that external auditors oversee risk management and control processes. C. Evaluating the controls over the reliability and integrity of financial and operational information. D. Determining who will be risk owners.

D. Maintain individual objectivity. Answer Explanation The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.

The CAE bears the responsibility to do which of the following? A. Encourage the objectivity of the board. B. Encourage the objectivity of the CEO. C. Foster an attitude of professional skepticism among members of the board. D. Maintain individual objectivity.

B. Conducting periodic skills assessments to make sure each member of the internal audit activity is qualified in all disciplines. Answer Explanation The CAE should conduct periodic skills assessments to determine the specific resources available. Standard 1210 states, "The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities." The internal audit as a whole, not each auditor individually, must be proficient in all necessary competencies.

The CAE must ensure that the internal audit activity is able to fulfill its responsibilities. All of the following are appropriate in achieving this objective except A. Identifying the available knowledge, skills, and competencies of the current internal auditing staff. B. Conducting periodic skills assessments to make sure each member of the internal audit activity is qualified in all disciplines. C. Engaging external service providers on an ongoing basis to complete parts of the engagement. D. Identifying an internal auditor's education, previous experience, and specialized areas of knowledge during the hiring process.

D. Board and senior management. Answer Explanation Impairments of the internal audit activity's independence and objectivity should be communicated to the board and senior management.

The internal audit activity should be free to audit and report on any activity that also reports to its administrative head if it considers such coverage to be appropriate for its audit plan. Any limitation in scope or reporting of results of these activities should be brought to the attention of the A. Chief executive officer. B. Chief financial officer. C. External auditor. D. Board and senior management.

A. Principles that are relevant to the profession and practice of internal auditing. Answer Explanation The IIA's Code of Ethics includes two essential components: (1) Principles that are relevant to the profession and practice of internal auditing and (2) Rules of Conduct that describe behavior norms expected of internal auditors. A code of ethics is necessary and appropriate for the profession of internal auditing.

The IIA's Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components. Which item below is one of these components? A. Principles that are relevant to the profession and practice of internal auditing. B. Activities that provide the organization with assurance and consulting services. C. Provision of quality criteria for evaluating the internal audit function's performance. D. Government of the responsibilities, attitudes, and actions of the organization's internal audit activity.

B. Person responsible for the internal audit function. Answer Explanation The CAE is a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the mandatory elements of the IPPF (The IIA Glossary).

The chief audit executive (CAE) is best defined as the A. Inspector general. B. Person responsible for the internal audit function. C. Outside provider of internal audit services. D. Person responsible for overseeing the contract with the outside provider of internal audit services.

B. Discuss the issue with management and take appropriate action to ensure that the external auditors are informed. Answer Explanation All material facts known by the internal auditors should be disclosed (Rule of Conduct 2.3). The CAE should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services (Perf. Std. 2050).

The chief audit executive is aware of a material inventory shortage caused by internal control deficiencies at one manufacturing plant. The shortage and related causes are of sufficient magnitude to affect the external auditor's report. Based on The IIA's Code of Ethics, what is the CAE's most appropriate course of action? A. Say nothing; guard against interfering with the independence of the B. Discuss the issue with management and take appropriate action to ensure that the external auditors are informed. C. Inform the external auditors of the possibility of a shortage but allow them to make an independent assessment of the amount. D. Communicate the shortages to the board and allow them to communicate it to the external auditor.

C. Collecting data for internal use beyond that needed for the engagement. Answer Explanation To protect proprietary information, policies and procedures may require internal auditors to take precautions even when handling information internally. An example is (1) collecting only the data required to perform the assigned engagement and (2) using this information only for the engagement's intended purposes (IG, Code of Ethics: Confidentiality).

The confidentiality principle in The IIA's Code of Ethics is violated by A. Participating in an activity that conflicts with the organization's interests. B. Maintaining documentation of skills self-assessments. C. Collecting data for internal use beyond that needed for the engagement. D. Failing to establish an active quality assurance program.

C. Review every control feature pertaining to petty cash receipts. Answer Explanation The internal auditor must exercise due professional care by considering the relative complexity, materiality, or significance of matters to which assurance procedures are applied. The cost of assurance in relation to its benefits also should be considered (Impl. Std. 1220.A1). Hence, an exhaustive review of petty cash is not an efficient and effective use of limited internal audit resources because it will not prevent or detect significant fraud. The amount of any theft of petty cash will not be substantial.

The internal audit activity can perform an important role in preventing and detecting significant fraud by being assigned all but which one of the following tasks? A. Review large, abnormal, or unexplained expenditures. B. Review sensitive expenses, such as legal fees, consultant fees, and foreign sales commissions. C. Review every control feature pertaining to petty cash receipts. D. Review contributions by the organization that appear to be unusual.

D. The ability to conduct training sessions in quantitative methods. Answer Explanation The ability to conduct training sessions in specific areas is not among the required competencies.

The internal audit activity collectively must possess or obtain certain competencies, excluding A. Knowledge of the IPPF. B. Knowledge of cost accounting concepts. C. The ability to assess relevant basic macroeconomic factors. D. The ability to conduct training sessions in quantitative methods.

A. The use of the International Professional Practices Framework. Answer Explanation The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (Attr. Std. 1210). The emphasis of internal auditors' technical expertise is on (1) the IPPF; (2) governance, risk, and control; and (3) business acumen. For example, the internal audit staff and managers should demonstrate the appropriate use and interpretation of the IPPF (Competency Framework).

The internal audit activity collectively must possess or obtain certain competencies. Internal audit staff should be competent in A. The use of the International Professional Practices Framework. B. Finance. C. General management principles. D. Marketing.

A. Maintain. Answer Explanation The responsibility rests with the CAE and with internal auditors themselves to maintain a sense of objectivity.

Which of the following actions is required of the CAE and internal auditors themselves in regard to the objectivity of internal auditors? A. Maintain. B. Delegate. C. Assess. D. Define.

B. The board reviews the engagement work schedule for the year and deletes an engagement that the chief audit executive thought was important to conduct. Answer Explanation The board's decision to delete an engagement from the annual engagement work schedule is not a scope limitation. The board's approval of the internal audit plan is part of the functional reporting relationship of the internal audit activity to the board.

The internal auditors must be able to distinguish carefully between a scope limitation and other limitations. Which of the following is not considered a scope limitation? A. The divisional management of an engagement client has indicated that the division is in the process of converting a major computer system and has indicated that the information systems portion of the planned engagement will have to be postponed until next year. B. The board reviews the engagement work schedule for the year and deletes an engagement that the chief audit executive thought was important to conduct. C. The engagement client has indicated that certain customers cannot be contacted because the organization is in the process of negotiating a long-term contract with the customers and they do not want to upset the customers. D. None of the answers are correct.

B. The board inquires about whether the IAA is subject to inappropriate resource limitations. Answer Explanation Organizational independence is effectively achieved when the CAE reports functionally to the board. Examples of functional reporting to the board include inquiries by the board of management and the CAE to determine whether any inappropriate scope or resource limitations exist.

The organizational independence of the internal audit activity (IAA) is most effectively achieved when A. The chief audit executive (CAE) reports functionally to the CEO. B. The board inquires about whether the IAA is subject to inappropriate resource limitations. C. A member of senior management approves the appointment of the chief audit executive. D. The chief audit executive reports administratively to the audit committee.

A. Such a review does not fall within the authority granted in the internal audit charter. Answer Explanation The internal audit activity's purpose, authority, and responsibility are specifically granted in the form of a written charter approved by the board.

The transportation department of a publicly held company has asked the internal audit activity to review the design specifications for a proposed new warehouse and repair facility. The best reason for the internal audit activity to decline the request is A. Such a review does not fall within the authority granted in the internal audit charter. B. The CEO and the head of the transportation department are neighbors and belong to the same social clubs. C. The internal audit activity performed a thorough review of the transportation department the previous year. D. The transportation department's budget is immaterial to the organization's total budget.

A. Inform the external auditors of the misstatement. Answer Explanation Rule of Conduct 2.3 under the objectivity principle states, "Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review." Additionally, the CAE should share information and coordinate activities with the external auditors (Perf. Std. 2050).

Through an engagement performed at the credit department, the chief audit executive (CAE) became aware of a material misstatement of the year-end accounts receivable balance. The external auditors have completed their engagement without detecting the misstatement. What should the CAE do in this situation? A. Inform the external auditors of the misstatement. B. Report the misstatement to management when the external auditors present a report. C. Exclude the misstatement from the final engagement communication because the external auditors are responsible for expressing an opinion on the financial statements. D. Perform additional engagement procedures on accounts receivable balances to benefit the external auditors.

B. Communicate with the board about the internal audit activity's performance. Answer Explanation Organizational independence is effectively achieved when the CAE reports functionally to the board. Examples of functional reporting to the board involve the board receiving communications from the CAE about the internal audit activity's performance relative to its plan and other matters (Interpretation of Standard 1110).

To achieve the effective organizational independence of the internal audit activity, the chief audit executive (CAE) most likely should A. Submit the internal audit budget to a senior manager. B. Communicate with the board about the internal audit activity's performance. C. Inquire of the board about resource limitations. D. Be appointed or removed by the CEO.

B. 2 hours. Answer Explanation Practicing and nonpracticing CIAs must complete 40 hours and 20 hours, respectively, of CPE annually, including at least 2 hours of ethics training.

What is the minimum amount of annual ethics training required for practicing and nonpracticing CIAs? A. 1 hour. B. 2 hours. C. 3 hours. D. 4 hours.

D. After an external review completed within the past 5 years. Answer Explanation The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement (Attr. Std. 1321). The internal audit activity conforms with mandatory guidance when it achieves the outcomes described in the Code of Ethics and the Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least 5 years will also have the results of external assessments (Inter. Std. 1321; Attr. Std. 1312). Thus, to use the phrase, the chief audit executive of an internal audit activity in existence for at least 5 years must have the results of an external assessment within that period.

When is initial use of the conformance phrase by internal auditors appropriate? A. After an internal review completed within the past 5 years. B. After an external review completed within the past 10 years. C. After an internal review completed within the past 10 years. D. After an external review completed within the past 5 years.

B. The CAE should meet with the board, with management present, to reinforce the independence of the internal audit activity. Answer Explanation Private meetings between the CAE and the board without management present are an essential part of the functional reporting relationship.

Which action is not consistent with functional reporting? A. Organizational independence is effectively achieved when the CAE reports functionally to the board. B. The CAE should meet with the board, with management present, to reinforce the independence of the internal audit activity. C. The board should have the final authority to approve the internal audit risk assessment. D. The board should approve the CAE's performance evaluation.

D. The CAE refuses to provide information about organizational operations to his father, who is a part owner. Answer Explanation Rule of Conduct 3.1 under the confidentiality principle states, "Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties." Additionally, Rule of Conduct 3.2 states, "Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization." Thus, such use of information by the CAE might be illegal under insider trading rules.

Which of the following actions taken by a chief audit executive (CAE) could be considered professionally ethical under The IIA's Code of Ethics? A. The CAE decides to delay an engagement at a branch so that his nephew, the branch manager, will have time to "clean things up." B. To save organizational resources, the CAE cancels all staff training for the next 2 years on the basis that all staff are too new to benefit from training. C. To save organizational resources, the CAE limits procedures at foreign branches to confirmations from branch managers that no major personnel changes have occurred. D. The CAE refuses to provide information about organizational operations to his father, who is a part owner.

D. 1 and 3. Answer Explanation The internal auditor's objectivity is not impaired when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, or drafting procedures for information systems is presumed to impair objectivity because of the conflict of professional interests.

Which of the following activities is not presumed to impair the objectivity of an internal auditor? 1. Recommending standards of control for a new information system application 2. Drafting procedures for running a new computer application to ensure that proper controls are installed 3. Performing reviews of procedures for a new computer application before it is installed A. 1 only. B. 2 only. C. 3 only. D. 1 and 3.

C. Periodic self-assessments and ongoing monitoring. Answer Explanation Internal assessments must include (1) ongoing monitoring of the performance of the internal audit activity and (2) periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices. The interrelated parts of internal assessments provide an effective structure for the internal audit activity to continuously assess its conformance with the Standards and whether internal auditors apply the Code of Ethics.

Which of the following are the interrelated parts of internal assessments as part of a quality assurance and improvement program (QAIP) of an internal audit activity? A. Ongoing monitoring and self-assessment with independent external validation. B. Periodic self-assessments and adequate supervision. C. Periodic self-assessments and ongoing monitoring. D. Self-assessment with independent external validation and adequate supervision.

A. To add value and improve an organization's operations. Answer Explanation The Definition of Internal Auditing states, in part, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations."

Which of the following best describes the purpose of the internal audit activity? A. To add value and improve an organization's operations. B. To assist management with the design and implementation of risk management and control systems. C. To examine and evaluate an organization's accounting system as a service to management. D. To monitor the organization's internal control system for the external auditors.

B. Nature of Limitation: Engagement client will not provide access to records needed for approved work schedule Internal Audit Action: Report to the board Answer Explanation A scope limitation is a restriction placed on the internal audit activity that precludes it from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the internal audit activity's access to records, personnel, and physical properties relevant to the performance of engagements. A scope limitation and its potential effect need to be communicated to the board.

Which of the following combinations best illustrates a scope limitation and the appropriate response by the CAE? Nature of Internal Limitation & Audit Action: A. Nature of Limitation: Engagement client limits scope based upon proprietary information Internal Audit Action: Report only to the controller B. Nature of Limitation: Engagement client will not provide access to records needed for approved work schedule Internal Audit Action: Report to the board C. Nature of Limitation: Engagement client requests that the engagement be delayed for 2 weeks to allow it to close its books Internal Audit Action: Report directly to the CEO and controller D. Nature of Limitation: Engagement client will not allow internal auditor to contact major customers as part of an engagement to evaluate the efficiency of operations Internal Audit Action: No reporting needed because the operational engagement concerns operational efficiency

D. Functional reporting to the audit committee. Answer Explanation The internal audit activity's organizational independence is effectively achieved when it reports functionally to the board (Intr. Std. 1110) and administratively to senior management (IG 1110). The "'board' in the Standards may refer to a committee or another body to which the governing body has delegated certain functions (e.g., an audit committee)" (The IIA Glossary). Thus, reporting functionally to the audit committee is the optimal reporting line to enhance the internal audit activity's independence.

Which of the following describes the chief audit executive's optimal reporting line to enhance the independence of the internal audit activity? A. Functional and administrative reporting to the president of the organization. B. Administrative reporting to the board. C. Administrative reporting to the chief financial officer. D. Functional reporting to the audit committee.

D. Objectivity. Answer Explanation The principles of The IIA's Code of Ethics are integrity, objectivity, confidentiality, and competency. Objectivity is a commitment to providing stakeholders with unbiased information. Another facet of objectivity is avoidance of conflicts of economic or professional interest.

Which of the following is a principle of The IIA's Code of Ethics? A. Due professional care. B. Independence. C. The public interest. D. Objectivity.

C. Disclosure of the organization's trade secrets to a family member. The disclosure of the information resulted in no personal gain to the internal auditor or the family member. Answer Explanation Disclosure of the organization's trade secrets violates Rule of Conduct 3.2 under the confidentiality principle which states, "Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization." The internal auditor also violated Rule of Conduct 3.1 which states, "Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties." Although there was no personal gain for the internal auditor or the family member, the internal auditor still violated the confidentiality principle.

Which of the following is a violation of The IIA's Code of Ethics principle of confidentiality? A. Confidential information of the organization was released in response to a court order received by the organization. B. During an engagement, the audit supervisor found that a control deficiency caused by management override created exposure to material risks. He reported the matter to the audit committee. C. Disclosure of the organization's trade secrets to a family member. The disclosure of the information resulted in no personal gain to the internal auditor or the family member. D. A loan officer at the local bank requested financial statements for the past two years. The CFO approved the request.

D. Access to records, personnel, and physical properties relevant to the performance of engagements. Answer Explanation According to the Interpretation of Standard 1000, "[t]he internal audit charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities."

Which of the following is an element of authority that should be included in the internal audit activity's charter? A. Access to the external auditors' engagement records. B. Samples of the types of disclosures that should be made to the audit committee. C. Identification of the organizational units in which engagements are to be performed. D. Access to records, personnel, and physical properties relevant to the performance of engagements.

B. The CAE seeks approval to report functionally to the board. Answer Explanation The CAE may be asked to assume additional roles and responsibilities outside of internal auditing, such as responsibility for compliance or risk management activities. These roles and responsibilities may impair, or appear to impair, the organizational independence of the internal audit activity or the individual objectivity of the internal auditor. Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments, and may include such activities as periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility. Functional reporting to the board with its approval of the CAE's hiring and compensation, the internal audit charter and audit plan, budget, and resources safeguards organizational independence.

Which of the following is most likely to address the risks of potential impairments of independence or objectivity when the chief audit executive (CAE) undertakes major responsibilities in the compliance department? A. The compliance department provides training to familiarize the CAE with compliance activities. B. The CAE seeks approval to report functionally to the board. C. The CAE oversees the assurance engagements performed on the compliance function. D. The CAE reports administratively to the board to ensure reporting lines and responsibilities are evaluated by the board.

B. It specifies the minimum resources needed for the internal audit activity. Answer Explanation The charter formally defines the purpose, authority, and responsibility of the internal audit activity. Resource requirements are based on risk-based plans that are consistent with organizational objectives; they are not an appropriate topic to codify in the internal audit charter.

Which of the following is not true with regard to the internal audit charter? A. It defines the authorities and responsibilities for the internal audit activity. B. It specifies the minimum resources needed for the internal audit activity. C. It provides a basis for evaluating the internal audit activity. D. It should be approved by the board.

D. Supervision of an internal auditor's work is performed throughout each audit engagement. Answer Explanation The CAE develops and maintains a quality assurance and improvement program (Attr. Std. 1300) that includes (1) external assessments and (2) ongoing and periodic internal assessments. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity. Among the processes used in ongoing internal assessments is engagement planning and supervision (IG 1311).

Which of the following is only part of an internal audit activity's quality assurance program rather than being included as part of other responsibilities of the chief audit executive (CAE)? A. The CAE provides information about and access to internal audit working papers to the external auditors to enable them to understand and determine the degree to which they may rely on the internal auditors' work. B. Management approves a formal charter establishing the purpose, authority, and responsibility of the internal audit activity. C. Each individual internal auditor's performance is appraised at least annually. D. Supervision of an internal auditor's work is performed throughout each audit engagement.

D. The chief audit executive must disclose the nonconformance and the impact to senior management and the board Answer Explanation Attribute Standard 1322, Disclosure on Nonconformance, states, "When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board." Nonconformance of this type refers to the overall internal audit activity and not to specific engagements.

Which of the following is the appropriate response when nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity? A. External assessments of the organization's quality assurance and improvement program must be performed annually. B. The internal audit activity must reinforce expectations outlined in the audit plan. C. Senior management must reevaluate the qualifications and independence of the assessor(s). D. The chief audit executive must disclose the nonconformance and the impact to senior management and the board

D. A control system that had been recommended by the internal audit staff during the previous engagement was found to be defective. The internal auditor reported the defective function as an engagement client failure. Answer Explanation An internal auditor is ethically obligated to disclose all material facts known to him or her. In this case, the internal auditor knew that the internal audit staff had recommended a control system that was defective. The internal auditor also reported this defect as the client's failure. By not reporting that the internal audit staff had recommended the system, the internal auditor violated Rule of Conduct 2.3. It requires an internal auditor to report all material facts known to him or her that if not disclosed may distort the report of activities under review.

Which of the following items is a violation by an internal auditor of The IIA's Code of Ethics? A. Certain facts recorded in the internal auditor's working papers that helped to support the basic allegations made by the internal auditor regarding a case of fraud were not included in the final engagement communication. B. Information in the internal auditor's working papers that proved a criminal act was included in the internal auditor's draft communication. The comments were later removed by internal audit management. C. To keep the engagement effort within the budgeted time, the internal auditor was directed to and did curtail testing in an area that looked suspicious and later was proved to contain massive irregularities. D. A control system that had been recommended by the internal audit staff during the previous engagement was found to be defective. The internal auditor reported the defective function as an engagement client failure.

C. The strategy for maintaining a culture consistent with legal responsibilities. Answer Explanation Codes of conduct and vision statements are issued to state The organization's values and objectives; The behavior expected; and The strategies for maintaining a culture consistent with legal, ethical, and societal responsibilities.

Which of the following most likely should be stated in an entity's vision statement? A. Personnel policies. B. The strategic plan. C. The strategy for maintaining a culture consistent with legal responsibilities. D. Principles of internal control.

D. During an engagement, an internal auditor learned that the organization was about to introduce a new product that would revolutionize the industry. Because of the probable success of the new product, the product manager suggested that the internal auditor buy an additional interest in the organization, which the internal auditor did. Answer Explanation Rule of Conduct 3.2 under the confidentiality principle states, "Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization."

Which of the following situations is a violation of The IIA's Code of Ethics? A. An internal auditor was ordered to testify in a court case in which a merger partner claimed to have been defrauded by the internal auditor's organization. The internal auditor divulged confidential information to the court. B. An internal auditor for a manufacturer of office products recently completed an engagement to evaluate the marketing function. Based on this experience, the internal auditor spent several hours one Saturday working as a paid consultant to a hospital in the local area that intended to conduct an engagement to evaluate its marketing function. C. An internal auditor gave a speech at a local IIA chapter meeting outlining the contents of a program the internal auditor had developed for engagements relating to electronic data interchange (EDI) connections. Several internal auditors from major competitors were in the audience. D. During an engagement, an internal auditor learned that the organization was about to introduce a new product that would revolutionize the industry. Because of the probable success of the new product, the product manager suggested that the internal auditor buy an additional interest in the organization, which the internal auditor did.

B. Governance does not largely depend on organizational culture for effectiveness. Answer Explanation Governance practices reflect the organization's unique culture and largely depend on it for effectiveness.

Which of the following statements about organizational culture is false? A. The organizational culture sets the values, objectives, and strategies of the organization. B. Governance does not largely depend on organizational culture for effectiveness. C. Organizational culture defines roles and behaviors. D. The culture influences compliance with corporate social responsibilities.

C. Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience. Answer Explanation Rule of Conduct for competency 4.1 states, "Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience."

Which of the following statements is part of The IIA Rules of Conduct for competency? A. Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. B. Internal auditors shall respect and contribute to the legitimate and ethical objectives of the organization. C. Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience. D. Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.

A. The CAE may assume responsibilities in risk management, provided that safeguards are in place to address the risks of impairments to independence or objectivity. Answer Explanation Attribute Standard 1112, Chief Audit Executive Roles Beyond Internal Auditing, states, "Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity." According to Interpretation of Standard 1112, "The chief audit executive may be asked to take on additional roles and responsibilities outside of internal auditing, such as responsibility for compliance or risk management activities."

Which of the following statements is true regarding the responsibilities of the chief audit executive (CAE)? A. The CAE may assume responsibilities in risk management, provided that safeguards are in place to address the risks of impairments to independence or objectivity. B. Independence is safeguarded if the CAE's supervisor has functional responsibilities other than internal audit, and the CAE performs an audit within the supervisor's functional responsibility. C. The CAE should not have responsibilities outside of internal auditing because of the potential impairments of independence or objectivity. D. If the CAE assumes responsibility for the compliance function and performs an audit for the compliance area that is under the CAE's oversight, the likelihood of impaired independence is reduced.

C. Outsourcing for the oversight of and responsibility for the internal audit activity. Answer Explanation An organization may outsource none, some, or all of the functions of the internal audit activity. However, oversight of and responsibility for the internal audit activity must not be outsourced. As stated in Implementation Standard 1210.A1, "The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement."

Which of the following would not be permissible when outsourcing internal audit functions? A. Cosourcing with external service providers for a specific engagement. B. Outsourcing when internal auditors lack the knowledge or skills needed to perform all or part of the engagement. C. Outsourcing for the oversight of and responsibility for the internal audit activity. D. Total external outsourcing on an ongoing basis where services are performed in accordance with the Standards.

B. The organization has downsized and has a very lean staff. The board has recently approved the deferral of all continuing education for the next 12 months due to the staff's workload. Answer Explanation The IIA's Rules of Conduct for competency state, "Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience, shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing and shall continually improve their proficiency and the effectiveness and quality of their services." The deferral of completing continued education, even though approved by the board, violates The IIA's Code of Ethics Rule of Conduct for competency.

Which of the following would violate The IIA's Code of Ethics principle of competency? A. Bob recently completed continuing education courses in restaurant accounting and has been assigned to audit one of the organization's steakhouses next month. B. The organization has downsized and has a very lean staff. The board has recently approved the deferral of all continuing education for the next 12 months due to the staff's workload. C. Carrie was recently promoted to supervise the audit of food and beverage accounting for the organization's banquet facilities. Carrie has audited several areas of the organization, including 6 months of shadowing audit supervisors in the hospitality area. D. The audit committee hired a new CAE to perform financial due diligence on a chain of hotels that the company is considering purchasing. The new CAE has extensive knowledge and years of experience in the hotel industry.

A. Risk assessment of the internal audit activity. Answer Explanation A risk assessment is not appropriate for inclusion in the internal audit charter.

Which one of the following is not included in the internal audit charter? A. Risk assessment of the internal audit activity. B. Responsibility of the internal audit activity. C. Purpose of the internal audit activity. D. Authority of the internal audit activity.

A. Sufficient, reliable, relevant, and useful information lends credibility to the opinion. Answer Explanation Engagements must be performed with proficiency and due professional care (Attr. Std. 1200), and the engagement results must be communicated (Perf. Std. 2400). Engagement results include observations, conclusions, opinions, recommendations, and action plans. If internal auditors expressed opinions or otherwise communicated engagement results without substantive investigation and compliance with the Standards, such communications would be meaningless. The Standards are therefore incorporated by reference into The IIA's Code of Ethics by Rule of Conduct 4.2. Thus, internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives (Perf. Std. 2310).

Why does The IIA's Code of Ethics in Rule of Conduct 4.2 require that due professional care be used in obtaining information to support an engagement opinion? A. Sufficient, reliable, relevant, and useful information lends credibility to the opinion. B. To preclude any conflict of interest. C. To require honesty in performing work. D. If internal auditors were permitted to communicate engagement results without obtaining sufficient information, they would be in a position to accept fees or gifts from engagement clients.

A. Consider the relative materiality or significance of matters to which assurance procedures are applied. Answer Explanation Exercising due professional care means applying the care and skill expected of a reasonably prudent and competent internal auditor (Attr. Std. 1220). Internal auditors must exercise due professional care by considering, among other things, the relative complexity, materiality, or significance of matters to which assurance procedures are applied (Impl. Std. 1220.A1).

With regard to the exercise of due professional care, an internal auditor should A. Consider the relative materiality or significance of matters to which assurance procedures are applied. B. Emphasize the potential benefits of an engagement without regard to the cost. C. Consider whether criteria have been established to determine whether goals are achieved, not whether those criteria are adequate. D. Select procedures that are likely to provide absolute assurance that irregularities do not exist.