CIA Exam Part 1: Study Unit 3

Which of the following is an indicator of possible financial reporting fraud being perpetrated by management of a manufacturer? A. A trend analysis discloses (1) sales increases of 50% and (2) cost of goods sold increases of 25%. B. A cross-sectional analysis of common size statements discloses that (1) the firm's percentage of cost of goods sold to sales is 50% and (2) the industry average percentage of cost of goods sold to sales is 40%. C. A cross-sectional analysis of common size statements discloses that (1) the firm's percentage of cost of goods sold to sales is 40% and (2) the industry average percentage of cost of goods sold to sales is 50%. D. A ratio analysis discloses that cost of goods sold is 50% of sales.

Answer (A) is correct. An increase in sales far out of proportion to the increase in cost of goods sold is an indicator of possible fraud. Increases in sales are usually accompanied by close to proportional increases in cost of goods sold. Examples of situations in which increases in sales can be disproportionately larger than increases in cost of goods sold include (1) operations within the realm of economies of scale (increasing returns to scale) and (2) the introduction of a highly accepted fashion item. Cases in which disproportionately large sales increases indicate fraudulent conduct include (1) collusion by the host firm's sales personnel and the buying firm's purchasing personnel and (2) collusion by members of two departments within the host firm, such as sales and transportation. Because the internal auditor would not know whether the disproportionately large increase in sales is legitimate, the auditor should view this condition as an indicator of possible fraud.

Which of the following best describes an auditor's responsibility after noting some indicators of fraud? A. Expand activities to determine whether an investigation is warranted. B. Report the possibility of fraud to senior management and ask how to proceed. C. Consult with external legal counsel to determine the course of action to be taken. D. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.

Answer (A) is correct. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

Management considers risk appetite for all of the following reasons except A. Increasing the net present value of investments. B. Setting objectives. C. Developing risk management techniques. D. Evaluating strategic options.

Answer (A) is correct. As described in the COSO ERM framework, risk appetite should be considered in Evaluating strategies, Setting related objectives, and Developing risk management methods. Increasing the net present value of investments is an operational objective. It would be determined after consideration of the entity's risk appetite and other strategic factors.

The internal auditors' responsibility regarding fraud includes all of the following except A. Ensuring that fraud will not occur. B. Being aware of activities in which fraud is likely to occur. C. Evaluating the effectiveness of control activities. D. Determining whether the control environment sets the appropriate tone at top.

Answer (A) is correct. Control is the principal means of preventing fraud, and management is responsible for establishing and maintaining internal control. Thus, internal auditors cannot give absolute assurance that noncompliance or fraud does not exist.

Internal auditors have a responsibility for helping to deter fraud. Which of the following best describes how this responsibility is usually met? A. By evaluating the adequacy and effectiveness of controls in light of the potential exposure or risk. B. By assisting in the design of control systems to prevent fraud. C. By testing for fraud in every engagement and following up as appropriate. D. By coordinating with security personnel and law enforcement agencies in the investigation of possible frauds.

Answer (A) is correct. Control is the principal means of preventing fraud. Management is primarily responsible for the establishment and maintenance of control. Internal auditors are primarily responsible for preventing fraud by examining and evaluating the adequacy and effectiveness of control.

The internal audit activity's responsibility for preventing fraud is to A. Evaluate the system of internal control. B. Establish internal control. C. Exercise operating authority over fraud prevention activities. D. Maintain internal control.

Answer (A) is correct. Control is the principal means of preventing fraud. Management, in turn, is primarily responsible for the establishment and maintenance of control. Internal auditors are primarily responsible for preventing fraud by examining and evaluating the adequacy and effectiveness of control.

Red flags are conditions that indicate a higher likelihood of fraud. Which of the following is not considered a red flag? A. Management has delegated the authority to make purchases under a certain value to subordinates. B. An individual has held the same cash-handling job for an extended period without any rotation of duties. C. An individual handling marketable securities is responsible for making the purchases, recording the purchases, and reporting any discrepancies and gains/losses to senior management. D. The assignment of responsibility and accountability in the accounts receivable department is not clear.

Answer (A) is correct. Delegating the authority to make purchases under a certain value to subordinates is an acceptable and common practice intended to limit risk while promoting efficiency. It is not, by itself, considered a red flag.

Components of enterprise risk management (ERM) are integrated with the management process. Which of the following correctly states four of the eight components of ERM according to the COSO's framework? A. Event identification, risk assessment, control activities, and objective setting. B. External environment, information and communication, monitoring, and event identification. C. Objective setting, response to opportunities, risk assessment, and control activities. D. Internal environment, risk responses, monitoring, and risk minimization.

Answer (A) is correct. ERM ensures that (1) a process is established and (2) objectives align with the mission and the risk appetite. Event identification, risk assessment, control activities, and objective setting are components of ERM. Event identification relates to internal and external events affecting the organization. Risk assessment considers likelihood and impact (see the definitions of risk in The IIA Glossary) as a basis for risk management. Control activities are policies and procedures to ensure the effectiveness of risk responses. Objective setting precedes event identification.

Fact Pattern: Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . "crisis management" is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn't even worry about making the accounts balance. But John became greedy. "How easy it is to take the money," he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. "It would take two or three people to replace me," he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John's family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. 
Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy's bank required an audit. John confessed when he thought the auditors had discovered his embezzlements. When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.

Question 62: Number 3, "Difficulties with personal financial problems," is an example of a(n) A. Situational pressure. B. Rationalization. C. Opportunity to commit. D. Behavioral symptom.

Answer (A) is correct. Financial difficulties create situational pressures or temptations that may contribute to fraud. These situational pressures result from high personal indebtedness, extravagant lifestyles, gambling problems, etc.

Which of the following describes one of the responsibilities of the internal auditor for the deterrence of fraud in an organization? A. Evaluating the adequacy of controls to prevent fraud. B. Reporting suspected fraud to law enforcement personnel. C. Prosecuting perpetrators of fraud. D. Implementation of systems to discourage fraud.

Answer (A) is correct. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of controls.

A restaurant chain has over 680 restaurants. All food orders for each restaurant are required to be entered into an electronic device that records all food orders by food servers and transmits the order to the kitchen for preparation. All food servers are responsible for collecting cash for all their orders and must turn in cash at the end of their shift equal to the sales value of food ordered for their I.D. number. The manager then reconciles the cash received for the day with the computerized record of food orders generated. All differences are investigated immediately by the restaurant. Organizational headquarters has established monitoring controls to determine when an individual restaurant might not be recording all its revenue and transmitting the applicable cash to the corporate headquarters. Which one of the following is the best example of a monitoring control? A. Management prepares a detailed analysis of gross margin per store and investigates any store that shows a significantly lower gross margin. B. All food orders must be entered on the computer, and segregation of duties is maintained between the food servers and the cooks. C. Cash is transmitted to corporate headquarters on a daily basis. D. The restaurant manager reconciles the cash received with the food orders recorded on the computer.

Answer (A) is correct. Monitoring is a process that assesses the quality of internal control over time. It involves assessment by appropriate personnel of the design and operation of controls and the taking of corrective action. Monitoring can be done through ongoing activities or separate evaluations. Ongoing monitoring procedures are built into the normal recurring activities of an entity and include regular management and supervisory activities. Thus, analysis of gross margin data and investigation of significant deviations is a monitoring process.

Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset? A. Debit expenses and credit the asset. B. Debit revenue and credit the asset. C. Debit another asset account and credit the asset. D. Debit the asset and credit another asset account.

Answer (A) is correct. Most fraud perpetrators attempt to conceal their theft by charging it against an expense account. The result is that the recorded asset balance equals the actual amount on hand, and applying procedures to it will not detect the theft.

Which of the following statements is not accurate with regard to soft controls? A. Control self-assessment is not an approach to audit soft controls. B. Soft controls have become more necessary as technology advances have empowered employees. C. The COSO and CoCo models emphasize soft controls. D. The communication of ethical values and the fostering of mutual trust are soft controls in the CoCo model.

Answer (A) is correct. One approach to auditing soft controls is control self-assessment, which is the involvement of management and staff in the assessment of internal controls within their work group.

Which of the following is not a responsibility of the chief audit executive? A. To oversee the establishment, administration, and assessment of the organization's system of risk management processes. B. To coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication. C. To follow up on whether appropriate management actions have been taken on significant reported risks. D. To communicate the internal audit activity's plans and resource requirements to senior management and the board for review and approval.

Answer (A) is correct. Overseeing the establishment, administration, and assessment of the organization's system of risk management processes is the role of senior management, not the CAE (PA 2120-1, para. 2).

In regard to The IIA's Electronic Systems Assurance and Control study, which of the following is not a business assurance objective? A. Recordability. B. Capability. C. Functionality. D. Protectability.

Answer (A) is correct. Recordability is not a business assurance objective.

Which of the following represents the best statement of responsibilities for risk management? Internal Auditing (1) Management (2) Board (3) A. Responsibility for risk 1 Advisory role 2 Oversight role 3 B. Oversight role 1 Responsibility for risk 2 Advisory role 3 C. Responsibility for risk 1 Oversight role 2 Advisory role 3 D. Oversight role 1 Advisory role 2 Responsibility for risk 3

Answer (A) is correct. Risk management is a key responsibility of senior management and the board. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of risk management processes (PA 2120-1, para. 1). Management and the board are responsible for their organization's risk management and control processes. However, internal auditors acting in a consulting role can assist the organization in identifying, evaluating, and implementing risk management methodologies and controls to address those risks (PA 2120-1, para. 2).

Which of the following activities is outside the scope of internal auditing? A. Safeguarding of assets. B. Evaluating risk exposures regarding compliance with policies, procedures, and contracts. C. Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished. D. Evaluating risk exposures regarding compliance with laws and regulations.

Answer (A) is correct. Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit activity. However, the internal audit activity evaluates (1) risk exposures and (2) the adequacy and effectiveness of controls related to the organization's governance, operations, and information systems.

Which risk response reflects a change from acceptance to sharing? A. Management purchased insurance on previously uninsured property. B. An insurance policy on a manufacturing plant was not renewed. C. After employees stole numerous inventory items, management implemented mandatory background checks on all employees. D. Management sold a manufacturing plant.

Answer (A) is correct. The categories of risk responses under the COSO ERM model are avoidance, retention (acceptance), reduction, sharing, and exploitation. If management does not insure a building, the response is acceptance. Ordinarily, acceptance is based on a judgment that the cost of another response is excessive. However, once management purchases insurance, the risk is shared with an outside party.

A medium-sized regional firm distributes packaged snack foods to convenience stores. A routine inventory has revealed significant amounts of inventory missing from the delivery trucks. Which of the following suggests a control weakness that may provide an opportunity for fraud? A. Truck drivers are allowed to use the trucks for personal reasons, including taking them home at night, as a benefit of employment. B. Careful counts are made as inventory is loaded on the trucks. C. Access to the warehouse is restricted to a few trusted employees. D. The policy and procedure manual clearly defines allowed and prohibited actions.

Answer (A) is correct. Unrestricted access to the trucks creates opportunities for theft of merchandise by the drivers.

The components of ERM should be present and functioning effectively. What does "present and functioning effectively" mean? (1) No material weaknesses exist. (2) Risk is within the risk appetite. A. 2 only. B. Both 1 and 2. C. Neither 1 nor 2. D. 1 only.

Answer (B) is correct. "Present and functioning effectively" means that (1) no material weaknesses exist, and (2) risk is within the risk appetite.

An internal auditor is investigating the performance of a division with an unusually large increase in sales, gross margin, and profit. Which of the following indicators is least likely to indicate the possibility of sales-related fraud in the division? A. The internal auditor has taken a random sample of sales invoices but cannot locate a shipping document for a number of the sales transactions selected for November and December. B. One of the division's major competitors went out of business during the year. C. There is an unusually large amount of sales returns recorded after year end. D. A significant portion of divisional management's compensation is based on reported divisional profits.

Answer (B) is correct. A decrease in the number of competitors during the year is a potential explanation for the increase in sales and profits.

According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is A. The audit committee. B. A manager within the department. C. The chief executive officer. D. The internal audit department.

Answer (B) is correct. A manager within a particular department is best suited to devise and execute risk procedures for that department because (s)he generally has the most knowledge and expertise about the individual risks that threaten the department's objectives. Additionally, (s)he will be able to ensure that the procedures are carried out on a day-to-day basis.

When an internal auditor identifies multiple factors that have been linked with possible fraudulent conditions and suspects that fraud has taken place, the auditor should A. Immediately report to senior management and the board. B. Recommend an investigation. C. Extend tests to determine the extent of the fraud. D. Immediately report to the board.

Answer (B) is correct. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

The policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives describes A. Monitoring. B. Control activities. C. Risk assessments. D. Control environments.

Answer (B) is correct. Control activities are the policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives.

Each of the following is a method to evaluate internal controls based on the framework set by the Committee of Sponsoring Organizations (COSO), except A. Evaluating internal control systems that focus first on risk identification of specific losses. B. Distinguishing economy risk from industry risk and enterprise risk. C. Testing to determine whether the controls are operating effectively and have prevented losses in the past. D. Identifying mitigating controls to prevent losses.

Answer (B) is correct. Evaluating internal controls based on the COSO framework does not require distinguishing economic risk from industry risk and enterprise risk. Therefore, it is NOT a method to evaluate internal controls based on the COSO framework.

Which of the following wrongful acts committed by an employee constitutes fraud? A. Harassment. B. Embezzlement. C. Assault. D. Libel.

Answer (B) is correct. Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage." Embezzlement is the intentional appropriation of property entrusted to one's care. The embezzler converts property to his or her own use and conceals the theft.

If an organization has no formal risk management processes, the chief audit executive should A. Establish risk management processes based on industry norms. B. Formally discuss with the directors their obligations for risk management processes. C. Inform regulators that the organization is guilty of an infraction. D. Formulate hypothetical results of possible consequences resulting from risks not being managed.

Answer (B) is correct. In situations where the organization does not have formal risk management processes, the chief audit executive formally discusses with management and the board their obligations to understand, manage, and monitor risks within the organization and the need to satisfy themselves that there are processes operating within the organization, even if informal, that provide the appropriate level of visibility into the key risks and how they are being managed and monitored (PA 2120-1, para. 3).

What is the responsibility of the internal auditor with respect to fraud? A. The internal auditor should have the same ability to detect fraud as a person whose primary responsibility is detecting and investigating fraud. B. The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to be an expert. C. An internal auditor's primary role is to detect and investigate fraud. D. An internal auditor should have sufficient knowledge and training so that (s)he is able to detect fraud.

Answer (B) is correct. Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization. They are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud (Impl. Std. 1210.A2).

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. With respect to evaluating the adequacy of risk management processes, internal auditors most likely should A. Recognize that organizations should use similar techniques for managing risk. B. Determine that the key objectives of risk management processes are being met. C. Treat the evaluation of risk management processes in the same manner as the risk analysis used to plan engagements. D. Determine the level of risks acceptable to the organization.

Answer (B) is correct. Internal auditors need to obtain sufficient and appropriate evidence to determine that key objectives of the risk management processes are being met to form an opinion on the adequacy of risk management processes (PA 2120-1, para. 8).

Fact Pattern: Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . "crisis management" is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn't even worry about making the accounts balance. But John became greedy. "How easy it is to take the money," he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. "It would take two or three people to replace me," he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John's family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. 
Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy's bank required an audit. John confessed when he thought the auditors had discovered his embezzlements. When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.

Question 78: Number 6, "He also joined an expensive country club," is an example of a A. Rationalization. B. Lifestyle symptom. C. Behavioral symptom. D. Physical symptom.

Answer (B) is correct. John was living beyond his means. The change in lifestyle was a symptom that indicated the presence of fraud.

A significant employee fraud took place shortly after an internal auditing engagement. The internal auditor may not have properly fulfilled the responsibility for the prevention of fraud by failing to note and report that A. A system of control that depended upon separation of duties could be circumvented by collusion among three employees. B. There were no written policies describing prohibited activities and the action required whenever violations are discovered. C. Policies, practices, and procedures to monitor activities and safeguard assets were less extensive in low-risk areas than in high-risk areas. D. Divisional employees had not been properly trained to distinguish between bona fide signatures and cleverly forged ones on authorization forms.

Answer (B) is correct. Management is responsible for establishing and maintaining internal control. Thus, management also is responsible for the fraud prevention program. The control environment element of this program includes a code of conduct, ethics policy, or fraud policy to set the appropriate tone at the top. Moreover, organizations should establish effective fraud-related information and communication practices, for example, documentation and dissemination of policies, guidelines, and results.

Management has a role in the maintenance of control. In fact, management sometimes is a control. Which of the following most likely involves managerial functions as a control? A. Maintenance of a quality assurance program. B. Monitoring performance. C. Establishment of an internal audit activity. D. Board approval of the charter of the internal audit activity.

Answer (B) is correct. Monitoring is a component of internal control. It is a process that assesses the quality of the system's performance over time. It consists of ongoing activities built into normal operations to ensure that they continue to be performed effectively. Supervision and other ordinary management functions, consideration of communications with external parties, and the actions of internal and external auditors are examples.

Which of the following is a factor affecting risk? A. Rapid growth. B. All of the answers are correct. C. New personnel. D. New or revamped information systems.

Answer (B) is correct. New personnel, new or revamped information systems, and rapid growth are all factors that affect risk.

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum? A. Change management. B. Change identification. C. Control baseline. D. Control revalidation/update.

Answer (B) is correct. Of the four steps in the monitoring-for-change continuum described in the 2009 COSO document Guidance on Monitoring Internal Control Systems, change identification is the one in which separate and ongoing evaluations can best be accomplished.

Which of the following is the common name for Internal Control: Guidance for Directors on the Combined Code? A. CoCo. B. The Turnbull Report. C. COSO. D. COBIT.

Answer (B) is correct. One of the three most recognized internal control frameworks is Internal Control: Guidance for Directors on the Combined Code. It is commonly known as the Turnbull Report and was issued by the Institute of Chartered Accountants in England and Wales.

An internal auditor should be concerned about the possibility of fraud if A. The monthly bank statement reconciliation is performed by the same employee who maintains the perpetual inventory records. B. Cash receipts, net of the amounts used to pay petty cash-type expenditures, are deposited in the bank daily. C. One person, acting alone, has sole access to the petty cash fund (except for a provision for occasional surprise counts by a supervisor or auditor). D. The accounts receivable subsidiary ledger and accounts payable subsidiary ledger are maintained by the same person.

Answer (B) is correct. Paying petty cash expenditures from cash receipts facilitates the unauthorized removal of cash before deposit. All cash receipts should be deposited intact daily. Petty cash expenditures should be handled through an imprest fund.

Internal auditors should have knowledge about factors (red flags) that have proven to be associated with management fraud. Which of the following factors have generally not been associated with management fraud? A. A domineering management. B. Regular comparison of actual results with budgets. C. Generous performance-based reward systems. D. A management preoccupation with increased financial performance.

Answer (B) is correct. Regular comparison of actual results to budgets provides feedback and is a normal and necessary part of the control loop. Ineffective control is an indicator of possible fraud.

An organization's directors, management, external auditors, and internal auditors all play important roles in creating a proper control environment. Senior management is primarily responsible for A. Ensuring that external and internal auditors adequately monitor the control environment. B. Establishing a proper organizational culture and specifying a system of internal control. C. Implementing and monitoring controls designed by the board of directors. D. Designing and operating a control system that provides reasonable assurance that established objectives and goals will be achieved.

Answer (B) is correct. Senior management is primarily responsible for establishing a proper organizational culture and specifying a system of internal control.

Fact Pattern: Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . "crisis management" is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn't even worry about making the accounts balance. But John became greedy. "How easy it is to take the money," he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. "It would take two or three people to replace me," he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John's family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. 
Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy's bank required an audit. John confessed when he thought the auditors had discovered his embezzlements. When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied. Question: 52 Number 5, "he made the books balance," is an example of a(n) A. Physical symptom. B. Document symptom. C. Lifestyle symptom. D. Analytical symptom.

Answer (B) is correct. Tampering with the company's books is a document symptom. In other words, the indicator of fraud consists of the changes in actual company records.

Which of the following control models is fully incorporated into the broader integrated framework of enterprise risk management (ERM)? A. Electronic Systems Assurance and Control. B. COSO. C. COBIT. D. CoCo.

Answer (B) is correct. The Committee of Sponsoring Organizations of the Treadway Commission published Enterprise Risk Management - Integrated Framework. This document describes a model that incorporates the earlier COSO internal control framework while extending it to the broader area of enterprise risk management.

Which of the following members of an organization has ultimate ownership responsibility of the enterprise risk management, provides leadership and direction to senior managers, and monitors the entity's overall risk activities in relation to its risk appetite? A. Chief financial officer. B. Chief executive officer. C. Chief risk officer. D. Internal auditors.

Answer (B) is correct. The chief executive officer (CEO) sets the tone at the top of the organization and has ultimate responsibility for ownership of the ERM. The CEO will influence the composition and conduct of the board, provide leadership and direction to senior managers, and monitor the entity's overall risk activities in relation to its risk appetite. If any problems arise with the organization's risk appetite, the CEO will also take any measures to adjust the alignment to better suit the organization.

Fact Pattern: The internal audit activity has been assigned to perform an engagement involving a division. Based on background review, the internal auditor knows the following about management policies: Organizational policy is to rapidly promote divisional managers who show significant success. Thus, successful managers rarely stay at a division for more than 3 years. A significant portion of division management's compensation comes in the form of bonuses based on the division's profitability. The division was identified by senior management as a turnaround opportunity. The division is growing but is not scheduled for a full audit by the external auditors this year. The division has been growing about 7% per year for the past 3 years and uses a standard cost system. During the preliminary review, the internal auditor notes the following changes in financial data compared with the prior year: Sales have increased by 10%. Cost of goods sold has increased by 2%. Inventory has increased by 15%. Divisional net profit has increased by 8%. Which of the following items might alert the internal auditor to the possibility of fraud in the division? A. Sales have increased by 10%. B. A significant portion of management's compensation is directly tied to reported net profit of the division. C. All of the answers are correct. D. The division is not scheduled for an external audit this year.

Answer (B) is correct. The internal auditor's responsibilities for detecting fraud include having sufficient knowledge of fraud to be able to identify indicators that fraud may have been committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the types of frauds associated with the activities reviewed. For example, performance may be distorted because promotion and compensation (e.g., bonuses) are tied to profitability.

According to COSO, which of the following is the most effective method to transmit a message of ethical behavior throughout an organization? A. Strengthening internal audit's ability to deter and report improper behavior. B. Demonstrating appropriate behavior by example. C. Removing pressures to meet unrealistic targets, particularly for short-term results. D. Specifying the competence levels for every job in an organization and translating those levels to requisite knowledge and skills.

Answer (B) is correct. Through words and actions, management communicates its attitude toward integrity and ethical values. In this way, management sets the tone at the top. Demonstrating appropriate behavior by example is the most effective method to transmit a message of ethical behavior throughout an organization.

In the risk management process, management's view of the internal audit activity's role is likely to be determined by all of the following factors except A. Local conditions and customs of the country. B. Preferences of the independent auditor. C. Organizational culture. D. Ability of the internal audit staff.

Answer (B) is correct. Ultimately, the role of internal auditing in the risk management process is determined by senior management and the board. Their view on internal auditing's role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs (PA 2120-1, para. 5).

Which term best reflects the attitude and actions of the board and management regarding the significance of control within the organization? A. Control activities. B. Risk assessment. C. Control environment. D. Monitoring.

Answer (C) is correct. A control environment reflects the attitude and actions of the board and management regarding the significance of control within the organization.

Internal control can provide only reasonable assurance that the organization's objectives will be met efficiently and effectively. One factor limiting the likelihood of achieving those objectives is that A. The internal auditor's primary responsibility is the detection of fraud. B. Management monitors performance. C. The cost of internal control should not exceed its benefits. D. The board is active and independent.

Answer (C) is correct. A limiting factor is that the cost of internal control should not exceed its expected benefits. Thus, the potential loss associated with any exposure or risk is weighed against the cost to control it. Although the cost-benefit relationship is a primary criterion that should be considered in designing and implementing internal control, the precise measurement of costs and benefits usually is not possible.

An internal auditor suspects that a mailroom clerk is embezzling funds. In exercising due professional care, the internal auditor should A. Reassign the clerk to another department. B. Institute stricter controls over mailroom operations. C. Evaluate fraud indicators and decide whether further action is necessary. D. Confront the clerk with the auditor's suspicions.

Answer (C) is correct. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

An internal auditor who suspects fraud should A. Determine that a loss has been incurred. B. Interview those who have been involved in the control of assets. C. Recommend an investigation if appropriate. D. Identify the employees who could be implicated in the case.

Answer (C) is correct. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

An internal auditor's field work uncovers a series of transactions that indicate a possible embezzlement. Which of the following actions should the chief audit executive take? A. Discuss the case with the board. B. Review the finding with the suspect's fellow workers to see whether the workers can furnish additional evidence. C. Decide whether to recommend an investigation. D. Confront the suspected embezzler to determine that the facts are correct.

Answer (C) is correct. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? A. Determine if policies exist which describe the risks the chief financial officer may take and the types of instruments in which the chief financial officer may make investments. B. Determine the nature of controls established by the chief financial officer to monitor the risks in the investments. C. Determine whether the chief financial officer is getting higher or lower rates of return on investments than are chief financial officers in comparable organizations. D. Determine the extent of management oversight over investments in sophisticated instruments.

Answer (C) is correct. For this particular engagement, the auditor does not need to develop a comparison of investment returns with those of other organizations. In fact, some financial investment scandals show that such comparisons can be highly misleading because high returns were due to taking on a high level of risk. Also, this determination does not test the adequacy of the controls.

One factor that distinguishes fraud from other employee crimes is that fraud involves A. Personal gain for the perpetrator. B. Collusion with a party outside the organization. C. Intentional deception. D. Malicious motives.

Answer (C) is correct. Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force."

Fact Pattern: An international nonprofit organization finances medical research. The majority of its revenue and support comes from fundraising activities, investments, and specific grants from an initial sponsoring corporation. The organization has been in operation over 15 years and has a small internal audit department. The organization has just finished a major fundraising drive that raised US $500 million for the current fiscal period. The following are selected data from recent financial statements (US dollar figures in millions):
Revenue: US $500 (current year); US $425 (past year)
Investments (average balances): 210 (current year); 185 (past year)
Medical research grants made: 418 (current year); 325 (past year)
Investment income: 16 (current year); 20 (past year)
Administrative expense: 10 (current year); 6 (past year)
Auditors must always be alert for the possibility of fraud. Assume the controls over each risk listed below are marginal. Which of the following possible frauds or misuses of organization assets should be considered the area of greatest risk? A. The payroll clerk has added ghost employees. B. Purchases of supplies are made from fictitious vendors. C. Grants are made to organizations that might be associated with the president or are not for purposes dictated in the organization's charter. D. The president is using company travel and entertainment funds for activities that might be considered questionable.

Answer (C) is correct. Grants represent 83.6% (US $418 ÷ $500) of current revenue. Consequently, fraudulent grants constitute a much greater risk exposure than any of the other items listed.

A company implements an enterprise resource planning application to help improve its financial and operational reporting while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of A. Segregation of duties. B. An economic event. C. Change management. D. A social event.

Answer (C) is correct. Hiring a specialized individual to help with the transition into a new enterprise resource planning application is a way to help manage the change. Thus, this is an example of change management.

Internal auditing is responsible for assisting in the prevention of fraud by A. Establishing the organization's governance, operations, and information systems concerning compliance with laws, regulations, and contracts. B. Informing the appropriate authorities within the organization and recommending whatever investigation is considered necessary in the circumstances when wrongdoing is suspected. C. Examining and evaluating the adequacy and the effectiveness of control, commensurate with the extent of the potential exposure or risk in the various segments of the organization's operations. D. Determining whether operating standards are acceptable and are being met.

Answer (C) is correct. Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating the adequacy and the effectiveness of controls.

Which of the following items is one of the eight components of COSO's ERM framework? A. Compliance. B. Operations. C. Monitoring. D. Reporting.

Answer (C) is correct. One of the components of ERM is monitoring. Monitoring assesses the quality of the system's performance over time. It involves ongoing management evaluations or separate evaluations of the full ERM process.

Fact Pattern: Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . "crisis management" is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn't even worry about making the accounts balance. But John became greedy. "How easy it is to take the money," he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. "It would take two or three people to replace me," he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John's family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. 
Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy's bank required an audit. John confessed when he thought the auditors had discovered his embezzlements. When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied. Question: 36 Number 4, "and that he contributed much more . . .," is an example of a A. Behavioral symptom. B. Situational pressure. C. Rationalization. D. Physical symptom.

Answer (C) is correct. Rationalization occurs when a person attributes his or her actions to rational and creditable motives without analysis of one's true and especially unconscious motives. Feeling that one is not being paid as much as one is worth is a common rationalization for low-level fraud.

Which of the following is not a component of the CoCo model? A. Commitment. B. Monitoring and learning. C. Risk assessment. D. Capability.

Answer (C) is correct. Risk assessment is not one of the four components of the CoCo model. The four components are commitment, capability, monitoring and learning, and purpose.

Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks. Regarding the risks associated with issuing checks, which of the following risk management techniques does this represent? A. Transferring. B. Controlling. C. Avoiding. D. Accepting.

Answer (C) is correct. Risk responses may include avoidance, acceptance, sharing, and reduction. By eliminating checks, the organization avoids all risk associated with them.

Fact Pattern: Bank management suspects that a bank loan officer frequently made loans to fictitious entities, disbursed loan proceeds to personally established accounts, and then let the loans go into default. Some pertinent facts about the loan officer include (1) a high standard of living, explained as the result of sound investments and not taking vacations; (2) an expensive personal car obtained through business contacts; (3) gasoline and repair bills submitted for a car assigned by the bank that are higher than the organization's average (mileage logs were submitted on a quarterly basis); and (4) marked annoyance with questions from internal auditors. Question: 41 In this situation, typical indicators of the suspected fraud include all of the following except A. Explaining a high standard of living as the result of investments. B. Becoming easily annoyed with auditor inquiries about questionable loans. C. Submitting gasoline and repair bills that are higher than company average. D. Not taking an annual vacation.

Answer (C) is correct. Submitting gasoline and repair bills that are higher than average is not correlated with making fraudulent loans. These factors are not controllable by the loan officer, so they cannot be indicators of unusual activity by him or her.

Which of the following is most likely to be performed in the control activities component of internal control? A. Information processing. B. Assessing fraud risks. C. Segregation of duties. D. Ongoing evaluations.

Answer (C) is correct. The COSO model describes control activities as policies and procedures that help ensure that management directives are carried out. They are intended to ensure that necessary actions are taken to address risks to achieve the entity's objectives. Control activities have various objectives and are applied at various organizational and functional levels. They may be preventative or detective, and segregation of duties is usually present.

Which of the following is a true statement about the COSO report on internal control? A. Control frameworks should be well defined and inflexible. B. Internal control is not management's responsibility. C. Internal control is not limited to accounting controls. D. Internal control is restricted to financial reporting.

Answer (C) is correct. The COSO report Internal Control -- Integrated Framework, also known as the COSO Framework, made the following declarations: Internal control is defined broadly. It is not limited to accounting controls or financial reporting. While accounting and financial reports are important issues, there are other important aspects of the business, such as resources protection; operational efficiency and effectiveness; and compliance with rules, regulations, and organization policies. These factors affect financial reporting. Internal control is management's responsibility. The participation of all persons within an organization is required if it is to be effective. The control framework is tied to the business objectives and is flexible enough to be adaptable.

Which of the following are included in the control environment described in the COSO internal control framework? A. Risk assessment, assignment of responsibility, and human resource practices. B. Organizational structure, management philosophy, and planning. C. Integrity and ethical values, assignment of authority, and human resource policies. D. Competence of personnel, backup facilities, laws, and regulations.

Answer (C) is correct. The control environment is a set of standards, processes, and structures that includes (1) integrity and ethical values, (2) commitment to competence, (3) board of directors or audit committee, (4) management's philosophy and operating style, (5) organizational structure, (6) assignment of authority and responsibility, and (7) human resource policies and practices.

Which of the following is closely related to traditional risk management instead of enterprise risk management (ERM)? A. Achieving financial goals. B. Organization-level view of risk. C. Emphasis on specific functions. D. Rapid response to opportunities.

Answer (C) is correct. The enterprise risk management approach set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) attempts to approach an organization as a whole instead of focusing on any specific area or risk.

The COSO model for internal control lists five specific areas encompassed by the control environment component. Which of the following are elements of the control environment? A. Integrity and ethical values. B. Organizational structure. C. All of the answers are correct. D. Assignment of authority and responsibility.

Answer (C) is correct. The five principles that relate to the control environment are (1) the organization demonstrates a commitment to integrity and ethical values; (2) the board demonstrates independence from management and exercises oversight for internal control; (3) management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities; (4) the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives; and (5) the organization holds individuals accountable for their internal control responsibilities in pursuit of objectives.

Which of the following threatens the independence of an internal auditor who had participated in the initial establishment of a risk management process? A. Recommending controls to address the risks identified. B. Evaluating the adequacy and effectiveness of management's risk processes. C. Assuming management's responsibility for the identified risks. D. Developing assessments and reports on the risk management process.

Answer (C) is correct. The internal audit activity's role in the risk management process may include managing and coordinating the risk management process. However, assuming management's responsibility for the risk management process is a potential threat to the internal audit activity's independence. It requires a full discussion and board approval (PA 2120-1, para. 5).

An engagement had been scheduled by the chief audit executive to address unusual inventory shortages revealed in the annual physical inventory process at a large consumer goods warehouse operation. A cycle count program had been installed in the storeroom at the beginning of the year in place of the disruptive process of counting one entire product line at the end of each month. The cycle count program appeared effective because only nine minor adjustments had been made for the entire year on the several thousand different products located in the storeroom. The storeroom supervisor explained that each of the 15 stockroom personnel selected one item each day for cycle count based on how efficiently the item could be counted. The opportunity for control-related problems including fraud has been increased in the stockroom because A. A cycle count program has been installed in place of a less efficient program. B. Only nine minor adjustments have been recorded as a result of the cycle count process. C. Items for cycle count are selected by stockroom personnel. D. Stockroom personnel record cycle count information.

Answer (C) is correct. The opportunity for fraud has been increased because stockroom personnel select the items for cycle count (poor internal control). Selection of items should be based on relative values or the relationship of an item to the total volume of transactions. Moreover, personnel who do not have custodial or recordkeeping responsibilities should control the counts.

Internal auditors have been advised to consider red flags to determine whether management is involved in a fraud. Which of the following does not represent a difficulty in using the red flags as fraud indicators? A. Red flag information is not gathered as a normal part of an engagement. B. Many common red flags are also associated with situations in which no fraud exists. C. The red flags literature is not well enough established to have a positive impact on internal auditing. D. Some red flags are difficult to quantify or to evaluate.

Answer (C) is correct. The state of red flags literature is an aid, not a difficulty, in internal auditing. It is well established and will be refined in the future as research is done.

An unexpected decrease in which of the following ratios could indicate that fictitious inventory has been recorded? A. Price-earnings. B. Current. C. Total asset turnover. D. Average collection period.

Answer (C) is correct. The total asset turnover ratio equals sales divided by total assets. An increase in reported inventory will increase total assets and decrease the ratio.

A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least? A. Recording of other employees' hours. B. Inaccurate accounting of employees' hours. C. Errors in employees' overtime computation. D. Fraudulent reporting of employees' own hours.

Answer (C) is correct. This internal control process is responsible for verifying that the correct employee enters the proper amount of time (s)he worked. This function is not responsible for applying pay rates to the number of hours worked and therefore would not change any errors in overtime computations.

Fact Pattern: Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . "crisis management" is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn't even worry about making the accounts balance. But John became greedy. "How easy it is to take the money," he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. "It would take two or three people to replace me," he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John's family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. 
Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy's bank required an audit. John confessed when he thought the auditors had discovered his embezzlements. When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied. Question: 25 Number 2, "Randy was always handling the most urgent . . .," is an example of a(n) A. Rationalization. B. Situational pressure. C. Opportunity to commit. D. Analytical symptom.

Answer (C) is correct. When a manager continually handles the most pressing issues of a company, an opportunity for the manager to commit fraud is created. The lack of long-range planning creates a potential for fraud because organizational objectives may have been replaced with individual initiatives.

Each of the following statements is correct regarding the existence and implementation of codes of conduct except A. The codes of conduct are periodically acknowledged by all employees. B. The codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading. C. The codes of conduct must be in writing and displayed in public areas, such as a break room. D. Employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior.

Answer (C) is correct. While it may be beneficial to have a code of conduct in writing, the code does not need to be displayed in all public areas. It should, however, be accessible to employees should they need to refer to it.

Internal auditors need to determine the extent to which management has established adequate control criteria. For this purpose, which of the following actions may be appropriate? (1) Determining whether objectives have been accomplished. (2) Using management's adequate control criteria in their evaluation. (3) Working with management to develop appropriate control evaluation criteria. A. 1 only. B. 2 only. C. 1 and 2 only. D. 1, 2, and 3.

Answer (D) is correct. "Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria" (Impl. Std. 2210.A3).

Which of the following is the control component that reflects the attitude and actions of the board and management regarding the significance of control within the organization? A. Risk assessment. B. Monitoring. C. Control activities. D. Control environment.

Answer (D) is correct. According to the COSO model for internal control, the control environment reflects the attitude and actions of the board and management regarding the significance of control within the organization.

After noting some red flags, an internal auditor has an increased awareness that fraud may be present. Which of the following best describes the internal auditor's responsibility? A. Report the matter to the audit committee and request funding for outside service providers to help investigate the possible fraud. B. Consult with external legal counsel to determine the course of action to be taken, including the approval of the proposed engagement work program to make sure it is acceptable on legal grounds. C. Report the possibility of fraud to senior management and the board and ask them how they would like to proceed. D. Expand activities to determine whether an investigation is warranted.

Answer (D) is correct. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

Internal auditors are more likely to detect fraud by developing/strengthening their ability to A. Develop internal controls to prevent the occurrence of fraud. B. Document computerized operating system programs. C. Interrogate fraud perpetrators to discover why the fraud was committed. D. Recognize and question changes that occur in organizations.

Answer (D) is correct. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

Fact Pattern: When an internal auditor followed up on a significant increase in maintenance supplies during the past year, a purchasing agent explained to the internal auditor that the primary reason for the increase was painting services and supplies. The internal auditor found a blanket purchase order without the normal bid or quote documentation. The blanket purchase order had been signed by the general manager and named the general manager's father as the sole contractor for painting services on the organization's projects. The auditor also found a number of large invoices, authorized for payment by the general manager, that showed the general manager's father as the person who signed for the receipt of the material at the supplier. Question: 63 What is the common indicator of fraud recognized by the internal auditor in this scenario? A. The purchasing agent is selecting the contractor on the basis of a blanket purchase order. B. Paint and supplies are being purchased for a contractor. C. Invoices are being authorized for payment by the general manager. D. Analytical procedures revealed an extraordinary increase in account balances.

Answer (D) is correct. Analytical procedures are commonly performed by internal auditors to assess information collected in an engagement. The assessment results from comparing information with expectations identified or developed by the internal auditor. Thus, an extraordinary increase in an account balance should be detected and investigated as the result of applying analytical methods.

The Enterprise Risk Management - Integrated Framework of the Committee of Sponsoring Organizations (COSO) is best defined as a A. Serial process in which one component affects only the next component. B. Process that replaces the COSO internal control framework. C. Process that takes a control-based approach to an organization. D. Process effected by an entity's board of directors, management, and other personnel.

Answer (D) is correct. Enterprise risk management is defined as a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity and manage risk to be within its risk appetite in order to provide reasonable assurance regarding the achievement of entity objectives.

Which of the following is most likely to be considered an indication of possible fraud? A. The replacement of the management team after a hostile takeover. B. A government audit of the organization's tax returns. C. Rapid expansion into new markets. D. Rapid turnover of the organization's financial executives.

Answer (D) is correct. Even the most effective internal control can sometimes be circumvented, perhaps by collusion of two or more employees. Thus, an auditor must be sensitive to certain conditions that might indicate the existence of fraud, including high personnel turnover. In the case of financial executives, high turnover may suggest a pattern of inflation of profits to obtain bonuses or other benefits, to secure advantages in the marketplace, or to conceal incompetence or rash actions.

Fact Pattern: When an internal auditor followed up on a significant increase in maintenance supplies during the past year, a purchasing agent explained to the internal auditor that the primary reason for the increase was painting services and supplies. The internal auditor found a blanket purchase order without the normal bid or quote documentation. The blanket purchase order had been signed by the general manager and named the general manager's father as the sole contractor for painting services on the organization's projects. The auditor also found a number of large invoices, authorized for payment by the general manager, that showed the general manager's father as the person who signed for the receipt of the material at the supplier. Question: 57 Which is not a symptom of fraud as described in this situation? A. Routine controls are suspended for certain transactions. B. Purchased material is not received by authorized organizational personnel. C. Purchased material is not delivered to a central location on the organization's premises. D. The use of blanket purchase orders.

Answer (D) is correct. Fraud is characterized by intentional deception and can be perpetrated for the benefit or to the detriment of the organization. The use of blanket purchase orders is a normal business practice.

A key feature that distinguishes fraud from other types of crime or impropriety is that fraud always involves the A. Deceitful wrongdoing of management-level personnel. B. Unlawful conversion of property that is lawfully in the custody of the perpetrator. C. Violent or forceful taking of property. D. False representation or concealment of a material fact.

Answer (D) is correct. Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force."

Inherent risk is A. Risk response risk. B. A potential event that will adversely affect the organization. C. The risk after management takes action to reduce the impact or likelihood of an adverse event. D. The risk when management has not taken action to reduce the impact or likelihood of an adverse event.

Answer (D) is correct. Inherent risk is the risk when management has not taken action to reduce the impact or likelihood of an adverse event. Thus, it is risk in the absence of a risk response.

What is residual risk? A. Impact of risk. B. Risk that is under control. C. Underlying risk in the environment. D. Risk that is not managed.

Answer (D) is correct. Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event. Such action includes control activities in responding to a risk.

Which of the following is the most accurate term for a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives? A. The internal audit activity. B. Control process. C. Consulting service. D. Risk management.

Answer (D) is correct. Risk management is "a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives" (The IIA Glossary).

Company management completes event identification and analyzes the risks. The company wishes to assess its risk after management's response to the risk. According to COSO, which of the following types of risk does this situation represent? A. Detection risk. B. Inherent risk. C. Event risk. D. Residual risk.

Answer (D) is correct. Risk that remains even after management's initial response is residual risk.

Enterprise risk management A. Requires establishment of risk and control activities by internal auditors. B. Guarantees achievement of organizational objectives. C. Includes selection of the best risk response for the organization. D. Involves the identification of events with negative impacts on organizational objectives.

Answer (D) is correct. The COSO document, Enterprise Risk Management - Integrated Framework, defines enterprise risk management (ERM) as "a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." The emphasis is on (1) the objectives of a specific entity and (2) establishing a means for evaluating the effectiveness of ERM.

The COSO framework treats internal control as a process designed to provide reasonable assurance regarding the achievement of objectives related to A. Reliability of financial reporting. B. Compliance with applicable laws and regulations. C. Effectiveness and efficiency of operations. D. All of the answers are correct.

Answer (D) is correct. The COSO framework treats internal control as a process designed to provide reasonable assurance regarding the achievement of objectives related to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

The policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives are best described as A. Control environments. B. Risk assessments. C. Monitoring activities. D. Control activities.

Answer (D) is correct. The COSO model for internal control describes control activities as the policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives.

Under the COSO's ERM framework, which of the following most accurately describes risk management responsibilities? A. The board provides assurance about the effectiveness of ERM. B. The internal audit activity has an oversight role. C. The chief audit executive should serve as chief risk officer. D. In practice, management has primary responsibility.

Answer (D) is correct. The board has overall responsibility. However, in practice, the board delegates responsibility for ERM to senior management, which should ensure that sound processes are in place and functioning.

The board's expectations of the internal audit activity regarding the risk management process are A. Noted in the work programs for formal consulting engagements. B. Included in the business continuity plan. C. Reviewed by the internal auditors immediately following a disaster. D. Codified in the charters of the internal audit activity and the board.

Answer (D) is correct. The chief audit executive (CAE) is to obtain an understanding of senior management's and the board's expectations of the internal audit activity in the organization's risk management process. This understanding is then codified in the charters of the internal audit activity and the board (PA 2120-1, para. 4).

Which of the following statements is correct regarding corporate compensation systems and related bonuses? (1) A bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control. (2) Compensation systems are not part of an organization's control system and should not be reported as such. (3) An audit of an organization's compensation system should be performed independently of an audit of the control system over other functions that impact corporate bonuses. A. 3 only. B. 2 only. C. 2 and 3 only. D. 1 only.

Answer (D) is correct. The control environment includes, among other things, the element of human resource policies and practices. Thus, hiring, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions must be considered by management.

The following are facts about a subsidiary: (1) The subsidiary has been in business for several years and enjoyed good profit margins although the general economy was in a recession, which affected competitors. (2) The working capital ratio has declined from a healthy 3:1 to 0.9:1. (3) Turnover for the last several years has included three controllers, two supervisors of accounts receivable, four payables supervisors, and numerous staff in other financial positions. (4) Purchasing policy requires three bids. However, the supervisor of purchasing at the subsidiary has instituted a policy of sole-source procurement to reduce the number of suppliers. When conducting a financial audit of the subsidiary, the internal auditor should A. Consider 3 to be normal turnover, but be concerned about 2 and 4 as warning signals of fraud. B. Most likely not detect 1, 2, or 3. C. Ignore 2 since the economy had a downturn during this period.

Answer (D) is correct. The fact that the organization has reported high profits when competitors have not may indicate a material misstatement in the financial statements. Insufficient working capital may indicate such problems as overexpansion, decreases in revenues, transfers of funds to other organizations, insufficient credit, and excessive expenditures. The internal auditor should be alert for the diversion of funds for personal use through such methods as unrecorded sales and falsified expenditures. Rapid turnover in financial positions may signify existing problems with which the individuals feel uncomfortable but that they do not want to disclose. Accountability for funds and other resources should be determined upon termination of employment. Use of sole-source procurement does not encourage competition to ensure that the organization is obtaining the required materials or equipment at the best price. Sole-source procurement, if not adequately justified, indicates potential favoritism or kickbacks.

Which of the following are elements of the control environment? A. Organizational structure. B. Assignment of authority and responsibility. C. Integrity and ethical values. D. All of the answers are correct.

Answer (D) is correct. The five principles that relate to the control environment are (1) the organization demonstrates a commitment to integrity and ethical values; (2) the board demonstrates independence from management and exercises oversight for internal control; (3) management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities; (4) the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives; and (5) the organization holds individuals accountable for their internal control responsibilities in pursuit of objectives.

When assessing the risk associated with an activity, an internal auditor should A. Design controls to mitigate the identified risks. B. Update the risk management process based on risk exposures. C. Determine how the risk should best be managed. D. Provide assurance on the management of the risk.

Answer (D) is correct. The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach (Perf. Std. 2100). Assurance services involve the internal auditor's objective assessment of management's risk management activities and the degree to which they are effective.

Internal auditors should review the means of physically safeguarding assets from losses arising from A. Underusage of physical facilities. B. Procedures that are not cost justified. C. Misapplication of accounting principles. D. Exposure to the elements.

Answer (D) is correct. The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements.

Risk management is the responsibility of management. The role of the internal audit activity in the risk management process may include which of the following? (1) Monitoring activities. (2) Evaluating the risk management process as part of the engagement plan. (3) Participating on oversight committees, monitoring of activities, and status reporting. (4) Managing and coordinating the process. A. 1 only. B. 1, 2, and 3 only. C. 2 only. D. 1, 2, 3, and 4.

Answer (D) is correct. The internal audit activity's role in the risk management process of an organization can change over time and may include responsibilities along a continuum that extends from (1) no role; (2) auditing the risk management process as part of the internal audit plan; (3) active, continuous support and involvement in the risk management process, such as participation on oversight committees, monitoring activities, and status reporting; and (4) managing and coordinating the risk management process (PA 2120-1, para. 4).

When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditor's knowledge of A. Information processing procedures. B. Current product cost structures. C. Activities and cost drivers. D. Risk management processes.

Answer (D) is correct. The internal audit activity's scope of work extends to evaluating the organization's risk management processes. The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

According to COSO, which of the following components of enterprise risk management addresses an entity's integrity and ethical values? A. Risk assessment. B. Control activities. C. Information and communication. D. Internal environment.

Answer (D) is correct. The internal environment component sets the tone of the entity. It reflects the entity's (1) risk management philosophy, (2) risk appetite, (3) integrity, (4) ethical values, and (5) overall environment.

Limitations of enterprise risk management (ERM) may arise from A. Faulty human judgment. B. Collusion. C. Cost-benefit considerations. D. All of the answers are correct.

Answer (D) is correct. The limitations of ERM are the same as those for control in general. They arise from the possibility of (1) faulty human judgment, (2) cost-benefit considerations, (3) simple errors or mistakes, (4) collusion, and (5) management override.

Fact Pattern: Bank management suspects that a bank loan officer frequently made loans to fictitious entities, disbursed loan proceeds to personally established accounts, and then let the loans go into default. Some pertinent facts about the loan officer include (1) a high standard of living, explained as the result of sound investments and not taking vacations; (2) an expensive personal car obtained through business contacts; (3) gasoline and repair bills submitted for a car assigned by the bank that are higher than the organization's average (mileage logs were submitted on a quarterly basis); and (4) marked annoyance with questions from internal auditors. Question: 97 The most appropriate trend analysis to indicate this potential fraud is A. Automobile operating expenses by loan officer. B. Total monetary volume of loans by loan officer. C. Accumulation of unpaid vacation days. D. Loan default rates by loan officer.

Answer (D) is correct. Trend analysis would detect an unexplained increase in the default rate caused by bogus loans.

