CIA Test Bank II

According to the Professional Practices Framework, which of the following is part of the minimum requirements for an engagement final communication? I. Background information. II. Purpose of the engagement. III. Engagement scope. IV. Results of the engagement. V. Summaries. a. I, II, and III only. b. I, III, and V only. c. II, III, and IV only. d. II, IV, and V only.

.C. II, III, IV. Correct. Practice Advisory 2410-1.1 states that engagement final communications should contain, at a minimum, the purpose, scope, and results of the engagement. I, V. Incorrect. Background information and summaries are not required elements of an engagement final communication.

Use the following information to answer questions 21 through 23. A medium-sized municipality provides 8.5 billion gallons of water per year for 31,000 customers. The water meters are replaced at least every five years to ensure accurate billing. The water department tracks unmetered water to identify water consumption that is not being billed. The department recently issued the following water activity report: Month 1: Meters replaced 475 Leaks Reported 100 Leaks repaired 100 Unmetered water 2% Month 2 Meters replaced 400 Leaks Reported 100 Leaks repaired 100 Unmetered water 6% Meter 3 Meters replaced 360 Leaks Reported 85 Leaks repaired 85 Unmetered water 2% Actual 1st Quarter Meters replaced 1235 Leaks Reported 285 Leaks repaired 285 Unmetered water 4% 1st quarter goal Meters replaced 1,425 Leaks Reported - Leaks repaired 100% Unmetered water 2% 21. Based on the activity reported for the meter replacement program, an internal auditor would conclude that: a. Established operating standards are understood and are being met. b. Any corrective action needed has probably been taken during the quarter. c. Deviations from the goal should be analyzed and corrected. d. Meters should be changed every three years. 22. Based on the activity reported for leaks repaired in the first quarter, an internal auditor would conclude that: a. Established operating standards are understood and are being met. b. Deviations from the goal should be analyzed and corrective action should be taken. c. The operating standard should be changed. d. The leak-repair program is overstaffed. 23. Based on the activity reported for the unmetered water, an internal auditor would conclude that: a. Established operating standards are understood and are being met. b. Further audit investigation of unmetered water is not warranted. c. Deviations from the goal were probably not corrected. d. The operating

21. c. Correct. The goal has not been met and corrective action is needed. According to Practice Advisory 2100-1.1, internal auditors are involved in evaluating and improving the effectiveness of control. Determining whether deviations from operating standards are identified, analyzed, and communicated to those responsible for corrective action is one way of accomplishing this function. a. Incorrect. The actual number of meters replaced is less than the goal; therefore, the goal is not being met. b. Incorrect. Corrective action has apparently not been taken since actual replacements did not meet the goal. d. Incorrect. This cannot be determined from the information given. 22. a. Correct. The same number of reported leaks are being repaired. The established goal is being met. Implementation Standard 2120.A3 states that internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended. b. Incorrect. There are no deviations from the goal. c. Incorrect. The operating standard should not be changed since there is no problem meeting the standard and the standard cannot be higher than the number of leaks reported. d. Incorrect. Staffing cannot be evaluated based on the information provided. 23. b. Correct. Practice Advisory 2320-1.3 states that analytical auditing procedures assist internal auditors in identifying conditions, which may require subsequent engagement procedures. Since month three is at standard, the deviation in month two was probably corrected so further audit work is not warranted. a. Incorrect. The actual unmetered water percentage is greater than the goal; therefore, the goal was not met. c. Incorrect. The deviation in month two was apparently corrected. d. Incorrect. There is no evidence that the operating standard is inappropriate

A manufacturer uses a materials requirements planning (MRP) system to track inventory, orders, and raw material requirements. A preliminary audit assessment indicates that the organization's inventory is understated. Using audit software, what conditions should the auditor search for in the MRP database to support this hypothesis? I. Item cost set at zero. II. Negative quantities on hand. III. Order quantity exceeding requirements. IV. Inventory lead times exceeding delivery schedule. a. I and II only. b. I and IV only. c. II and IV only. d. III and IV only.

A. I and II I. Correct. If there is no dollar value in the database for existing inventory, this would cause inventory to be understated. II. Correct. Inadequate edit checks or uncontrolled borrow/paybacks could cause negative quantities on hand. This would cause inventory to be understated. III. Incorrect. If the amount ordered exceeds requirements, this would cause an increase in inventory, but by itself would not cause inventory to be understated or overstated. IV. Incorrect. This would have no impact on the valuation of inventory.

When using a rational decision-making process, the next step after definition of the problem is: a. Developing alternative solutions. b. Identifying acceptable levels of risk. c. Recognizing the gap between reality and expectations. d. Confirming hypotheses.

B. Correct. The rational decision-making process involves: • Recognizing the gap between reality and expectations ("c"). • Defining the problem (given in the stem). • Evaluating the level of acceptable risk associated with a particular decision ("b"). • Searching for and evaluating solutions to the problem ("a"). • Choosing a solution. • Implementing the solution and measuring results.

A specific objective of an audit of a company's expenditure cycle is to determine if all goods paid for have been received and charged to the correct account. This objective would address which of the following primary objectives identified in the Standards? I. Reliability and integrity of financial and operational information. II. Compliance with laws, regulations, and contracts. III. Effectiveness and efficiency of operations. IV. Safeguarding of assets. a. I and II only. b. I and IV only. c. I, II, and IV only. d. II, III, and IV only.

B. I and IV only I. Correct. According to Implementation Standard 2110.A2: "The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the: • Reliability and integrity of financial and operational information. • Effectiveness and efficiency of operations. • Safeguarding of assets. • Compliance with laws, regulations, and contracts." The specific engagement objective of determining if goods are charged to the appropriate account would address the objective regarding the reliability and integrity of information. IV. Correct. The specific engagement objective of determining if all goods paid for have been received would address the objective regarding safeguarding of assets. II. Incorrect. The specific engagement objective described does not address compliance. III. Incorrect. The specific engagement objective described may address effectiveness of operations but does not address efficiency.

If electronic funds transfer (EFT) is used to pay vendor invoices, which of the following computer-assisted audit procedures would an auditor use to determine if any payments were made twice? I. Identification of EFT transactions to the same vendor for the same dollar amount. II. Extraction of EFT transactions with unauthorized vendor codes. III. Testing of EFT transactions for reasonableness. IV. Searching for EFT transactions with duplicate purchase order numbers. a. I and II only. b. I and IV only. c. II and III only. d. III and IV only.

B. I, IV. Correct. These tests can identify duplicate payments. II, III. Incorrect. Selection of transactions with unauthorized vendor codes and testing of transactions for reasonableness do not identify duplicate payments.

Which of the following procedures would be appropriate for testing whether cost overruns on a construction project were caused by the contractor improperly accounting for costs related to contract change orders? I. Verify that the contractor has not charged change orders with costs that have already been billed to the original contract. II. Determine if the contractor has billed for original contract work that was canceled as a result of change orders. III. Verify that the change orders were properly approved by management. a. I only. b. III only. c. I and II only. d. I and III only.

C. I and II only I. Correct. This addresses the propriety of costs as a result of the change orders. II. Correct. This addresses the accuracy of costs resulting from the change orders. III. Incorrect. This procedure tests whether the company agreed to the work done by the contractor but does not test whether the contractor properly accounted for the costs related to the work

Which of the following represents appropriate evidence of supervisory review of engagement workpapers? I. A supervisor's initials on each workpaper. II. An engagement workpaper review checklist. III. A memorandum specifying the nature, extent, and results of the supervisory review of workpapers. IV. Performance appraisals that assess the quality of workpapers prepared by auditors. a. II and IV only. b. I, II, and III only. c. I, III, and IV only. d. I, II, III, and IV.

C. I, II, III. Correct. The Professional Practices Framework specifies that I, II, and III are acceptable approaches for documenting supervisory review of engagement workpapers. IV. Incorrect. Although performance appraisals might mention reviews of workpapers, they do not represent sufficient evidence of review.

Which of the following statements are correct regarding audit engagement workpaper documentation for a fraud investigation? I. All incriminating evidence should be included in the workpapers. II. All important testimonial evidence should be reviewed to ensure that it provides sufficient basis for the conclusions reached. III. If interviews are held with a suspected perpetrator, written transcripts or statements should be included in the workpapers. a. I only. b. II only. c. II and III only. d. I, II, and III.

D. I, II, III. Correct. All workpapers should contain pertinent information to support observations and recommendations.

Which of the following represents the most competent evidence that trade receivables actually exist? a. Positive confirmations. b. Sales invoices. c. Receiving reports. d. Bills of lading.

a. Correct. A confirmation from a customer is the most reliable evidence that a receivable exists. b. Incorrect. An invoice is not particularly reliable because it is not developed external to the company and does not consider subsequent payment. c. Incorrect. This is not evidence of a receivable. d. Incorrect. This is not as reliable as a confirmation, and it does not confirm the continued existence of the receivable.

Systems development audit engagements include reviews at various points to ensure that development is properly controlled and managed. The reviews should include all of the following except: a. Conducting a technical feasibility study on the available hardware, software, and technical resources. b. Examining the level of user involvement at each stage of implementation. c. Verifying the use of controls and quality assurance techniques for program development, conversion, and testing. d. Determining if system, user, and operations documentation conforms to formal standards.

a. Correct. A feasibility study should be conducted in the systems analysis stage. b. Incorrect. The involvement of users in the development process at various points is important. c. Incorrect. This ensures the quality in the development process at various points. d. Incorrect. Without good documentation, an information system may be difficult, if not impossible, to operate, maintain, or use.

Which of the following would be permissible under the IIA Code of Ethics? a. In response to a subpoena, an auditor appeared in a court of law and disclosed confidential, audit-related information that could potentially damage the auditor's organization. b. An auditor used audit-related information in a decision to buy stock issued by the employer corporation. c. After praising an employee in a recent audit engagement communication, an auditor accepted a gift from the employee. d. An auditor did not report significant observations about illegal activity to the board because management indicated that it would resolve the issue.

a. Correct. Auditors must exhibit loyalty to the organization, but must not be a party to any illegal activity. Thus, auditors must comply with legal subpoenas. b. Incorrect. Rule of Conduct 3.2 prohibits auditors from using audit information for personal gain. c. Incorrect. Rule of Conduct 2.2 prohibits auditors form accepting anything which might be presumed to impair the auditor's professional judgment. d. Incorrect. Rule of Conduct 1.3 prohibits auditors from knowingly being a party to any illegal or improper activity. Practice Advisory 1210.A2-1.10 states that significant observations of illegal activity should be reported to the audit committee.

A flowchart of process activities and controls may provide: a. Information on where fraud could occur. b. Information on the extent of a past fraud. c. An indication of where fraud has occurred in a process. d. No information related to fraud prevention.

a. Correct. By indicating control weaknesses, flowcharts show where fraud may occur. b. Incorrect. Flowcharts do not provide any evidence of the extent of fraud. c. Incorrect. Other procedures would be needed to detect where fraud has occurred. d. Incorrect. Flowcharts provide evidence of where fraud can occur. Flowcharts therefore help in prevention.

Workpaper summaries, if prepared, can be used to: a. Promote efficient workpaper review by internal audit supervisors. b. Replace the detailed workpaper files for permanent retention. c. Serve as an engagement final communication to senior management. d. Document the full development of engagement observations and recommendations.

a. Correct. By tying groups of workpapers together, summaries provide an orderly and logical flow and facilitate supervisory review. b. Incorrect. Summaries are part of the workpaper file, not a replacement. c. Incorrect. Senior management is either given the entire report or provided with an executive summary or digest of the report contents. Workpaper summaries would not be appropriate for senior management. d. Incorrect. Engagement observations are developed using the attributes of an observation. See Practice Advisory 2410-1.6 and 7.

Recommendations should be included in audit reports in order to: a. Provide management with options for addressing audit findings. b. Ensure that problems are resolved in the manner suggested by the auditor. c. Minimize the amount of time required to correct audit findings. d. Guarantee that audit findings are addressed, regardless of cost.

a. Correct. Recommendations represent options that are available to management. b. Incorrect. Problems must be resolved in the manner deemed appropriate by management, not the auditor. c. Incorrect. Providing recommendations may enable management to reduce the costs/time of addressing audit findings, but there is no guarantee of this. d. Incorrect. See answer "c".

An organization wants to improve on its performance measures for a new business line. Which type of benchmarking is most likely to provide information useful for this purpose? a. Functional. b. Competitive. c. Generic. d. Internal.

a. Correct. Comparison against organizations that perform related functions within the same technological area provides information on what is being achieved elsewhere in the new business line. b. Incorrect. Comparison against the best competitors focuses on performance in related organizations as a whole and likely includes some activities unrelated to the new business line. c. Incorrect. Comparison of processes that are virtually the same regardless of industry (such as document processing) would not be as helpful as comparison of processes that are similar in function. d. Incorrect. Comparison against the best within the same organization may be misleading, as it does not provide information on what is being accomplished outside the organization in the new business line.

Competent evidence is best defined as evidence which: a. Is reasonably free from error and bias and faithfully represents that which it purports to represent. b. Is obtained by observing people, property, and events. c. Is supplementary to other evidence already gathered and which tends to strengthen or confirm it. d. Proves an intermediate fact, or group of facts, from which still other facts can be inferred.

a. Correct. Competent evidence is reliable evidence and the best attainable through the use of appropriate audit techniques. b. Incorrect. This is the definition of physical evidence. All physical evidence is not necessarily competent; in fact, the quality of competence is more often associated with documentary evidence. c. Incorrect. This is the definition of corroborative evidence. While corroborative evidence may be competent, much competent evidence is primary rather than supplementary. d. Incorrect. This is the definition of circumstantial evidence. Circumstantial evidence is not necessarily competent evidence.

An auditor is scheduled to audit payroll controls for a company that has recently outsourced its processing to an information service bureau. What action should the auditor take, considering the outsourcing decision? a. Review the controls over payroll in both the company and the service bureau. b. Review only the company's controls over data sent to and received from the service bureau. c. Review only the controls over payments to the service bureau based on the contract. d. Cancel the engagement, because the processing is being performed outside of the organization.

a. Correct. Controls at the service bureau and the user organization are both important to the controls of the overall payroll function. b. Incorrect. The internal controls at the information service bureau and the user organization interact with each other, so both must be reviewed. c. Incorrect. This would change the scope of the engagement. d. Incorrect. Though the processing is being performed outside the organization, the external information service bureau is an extension of the organization's information systems. In fact, the risk may be higher since an external organization controls part of the internal control environment. Also, the recent change increases the company's risk, as does the complexity of communicating between the organization and the service bureau.

The use of an analytical review to verify the correctness of various operating expenses would not be a preferred approach if: a. An auditor notes strong indicators of a specific fraud involving these accounts. b. Operations are relatively stable and have not changed much over the past year. c. An auditor would like to identify large, unusual, or non-recurring transactions during the year. d. Operating expenses vary in relation to other operating expenses, but not in relation to revenue.

a. Correct. If the auditor already suspects fraud, a more directed audit approach would be appropriate. b. Incorrect. Relatively stable operating data is a good scenario for using analytical review. c. Incorrect. Analytical review would be useful in identifying whether large, non-recurring, or unusual transactions occurred. d. Incorrect. Analytical review only needs to have accounts related to other accounts or other independent data. It does not require that they be related to revenue.

An auditor reviewing an organization's plan for developing a performance scorecard. Which of the following potential performance measures should the auditor recommend excluding from the performance scorecard? a. Product innovation. b. Market share. c. Customer satisfaction. d. Employee development.

a. Correct. Innovations in the production of goods or services do not typically lend themselves to ongoing performance measurement. b. Incorrect. Key results in market share track changes to the organization's competitive position. c. Incorrect. Key results in customer satisfaction help predict future sales. d. Incorrect. Key results in employee development help predict the ability to attract and retain good employees.

When conducting audit follow-up of a finding related to cash management routines, which of the following does not need to be considered? a. Inherent risk has been eliminated as a result of resolution of the condition. b. The steps being taken are resolving the condition disclosed by the finding. c. Controls have been implemented to deter or detect a recurrence of the finding. d. Benefits have accrued to the entity as a result of resolving the condition.

a. Correct. It is appropriate to assess whether steps being taken are resolving the condition, appropriate controls have been implemented, and benefits have accrued to the entity. It is not necessary, however, to ensure that inherent risk has been eliminated. (This could only be accomplished by eliminating the use of cash, which is unrealistic.)

Which of the following factors is least essential to a successful control self-assessment workshop? a. Voting technology. b. Facilitation training. c. Prior planning. d. Group dynamics.

a. Correct. Manual forms of recording views and giving group feedback are effective; voting technology can increase the efficiency, but it is not essential to success. b. Incorrect. Control self-assessment (CSA) requires facilitation skills. c. Incorrect. CSA requires careful planning. d. Incorrect. CSA facilitators need to understand and manage group dynamics.

Reviewing an edit listing of payroll changes processed during each payroll cycle would most likely reveal: a. Undetected errors in the payroll rates of new employees. b. Inaccurate payroll deductions. c. Labor hours charged to the wrong account in the cost reporting system. d. A failure to offer employees an opportunity to contribute to their pension plan.

a. Correct. Only a category such as new employee would generate a payroll change. b. Incorrect. The computer calculates this. It is not a change and would not be on the list. c. Incorrect. This data should come from the time reporting system (time card or time sheet). It is not a payroll change. d. Incorrect. This is not applicable to a listing of payroll changes.

Senior management of an entity has requested that the internal audit activity provide ongoing internal control training for all managerial personnel. This is best addressed by: a. A formal consulting engagement agreement. b. An informal consulting engagement agreement. c. A special consulting engagement agreement. d. An emergency consulting engagement agreement.

a. Correct. Such training should be planned and is of a continuous nature. It should be subject to a consulting agreement that is formal and written to ensure that the needs and expectations of those that will be trained are recognized and satisfied. b. Incorrect. This type of agreement applies more to routine tasks. c. Incorrect. This type of agreement applies more to occasional, one time special arrangements. d. Incorrect. This type of agreement applies more to unplanned engagements.

A hospital is evaluating the purchase of software to integrate a new cost accounting system with its existing financial accounting system. Which of the following describes the most effective way for the internal audit activity to be involved in the procurement process? a. The internal audit activity evaluates whether performance specifications are consistent with the hospital's needs. b. The internal audit activity evaluates whether the application design meets internal development and documentation standards. c. The internal audit activity determines whether the prototyped model is validated and reviewed with users before production use begins. d. The internal audit activity has no involvement since the system has already been developed externally.

a. Correct. The internal audit activity should be involved to ensure the existence of performance specifications consistent with the hospital's needs because incomplete or erroneous specifications may result in the acquisition of unusable software or unenforceable contract terms with the software vendor. b. Incorrect. The internal audit activity cannot ensure that the application design meets internal development and documentation standards because an external group with different standards has already developed the system. c. Incorrect. There is no prototype in procurement of proprietary software. d. Incorrect. For externally developed systems, the only omitted or abbreviated systems development life cycle step is programming of the actual system. All other phases remain, even if they are modified.

Which of the following would be the most appropriate starting point for a compliance evaluation of software licensing requirements for an organization with more than 15,000 computer workstations? a. Determine if software installation is controlled centrally or distributed throughout the organization. b. Determine what software packages have been installed on the organization's computers and the number of each package installed. c. Determine how many copies of each software package have been purchased by the organization. d. Determine what mechanisms have been installed for monitoring software usage.

a. Correct. The logical starting point is to determine the point(s) of control. Evidence of license compliance can then be assessed. b. Incorrect. Before taking this step, an auditor would first determine if installation is controlled centrally because this would affect how the auditor would ascertain information on the installed software. c. Incorrect. This would help an auditor determine if software was legitimately purchased but the auditor would still need to start by determining where the software is installed, and answer "a" would be a more useful starting point. d. Incorrect. Monitoring usage would not be as important as determining installation processes when evaluating license compliance.

Which of the following examples of audit evidence is the most persuasive? a. Real estate deeds, which were properly recorded with a government agency. b. Canceled checks written by the treasurer and returned from a bank. c. Time cards for employees, which are stored by a manager. d. Vendor invoices filed by the accounting department.

a. Correct. This information is generated by external parties and does not pass through the operations of the audited area and therefore has the greatest evidentiary weight. b. Incorrect. This is considered internal-external information, which is initiated by the audited area and is subject to distortion. c. Incorrect. This is considered internal information, generated by the audited area, which is subject to distortion. d. Incorrect. This is considered external-internal information. Although it is initiated externally, it is maintained by the audited area and can therefore be distorted.

Which of the following would not be considered a condition that indicates a higher likelihood of fraud? a. Management has delegated the authority to make purchases under a certain dollar limit to subordinates. b. An individual has held the same cashhandling job for an extended period without any rotation of duties. c. An individual handling marketable securities is responsible for making the purchases, recording the purchases, and reporting any discrepancies and gains or losses to senior management. d. The assignment of responsibility and accountability in the accounts receivable department is not clear.

a. Correct. This is an acceptable control procedure which is aimed at limiting risk while promoting efficiency. It is not, by itself, considered a condition that indicates a higher likelihood of fraud. b. Incorrect. Lack of rotation of duties or cross-training for sensitive jobs is an identified red flag. c. Incorrect. This would be an example of an inappropriate segregation of duties, which is an identified red flag. d. Incorrect. This is an identified red flag.

Which of the following statements best describes the internal audit function's responsibility for follow-up activities related to a previous engagement? a. Internal auditors should determine if corrective action has been taken and is achieving the desired results or if management has assumed the risk of not taking the corrective action. b. Internal auditors should determine if management has initiated corrective action, but they have no responsibility to determine if the action is achieving the desired results. That determination is management's responsibility. c. The chief audit executive is responsible for scheduling follow-up activities only if directed to do so by senior management or the audit committee. Otherwise, followup is entirely discretionary. d. None of the above.

a. Correct. This is stated in Practice Advisory 2500.A1-1. b. Incorrect. This contradicts answer "a" and Practice Advisory 2500.A1-1. c. Incorrect. Implementation Standard 2500.A1 states that follow-up action should take place. It is not dependent on directives of either management or the audit committee. d. Incorrect. See answer "a".

Which of the following best describes an auditor's responsibility after noting some indicators of fraud? a. Expand activities to determine whether an investigation is warranted. b. Report the possibility of fraud to senior management and ask how to proceed. c. Consult with external legal counsel to determine the course of action to be taken. d. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.

a. Correct. This is the appropriate action according to Practice Advisory 1210.A2-1.13. b. Incorrect. The auditor should first expand work to determine the existence of fraud before reporting the matter to senior management. At this point, the auditor only has suspicions of fraud, given the red flags. More work should be performed before consulting with management, external legal counsel, or the audit committee. c. Incorrect. See answer "b". d. Incorrect. See answer "b".

bank internal auditor wishes to determine whether all loans are supported by sufficient collateral, properly aged regarding current payments, and accurately categorized as current or noncurrent. The best audit procedure to accomplish these objectives would be to: a. Use generalized audit software to read the total loan file, age the file by last payment due, and extract a statistical sample stratified by the current and aged population. Examine each loan selected for proper collateralization and aging. b. Select a block sample of all loans in excess of a specified dollar limit and determine if they are current and properly categorized. For each loan approved, verify aging and categorization. c. Select a discovery sample of all loan applications to determine whether each application contains a statement of collateral. d. Select a sample of payments made on the loan portfolio and trace them to loans to see if the payments are properly applied. For each loan identified, examine the loan application to determine that the loan has proper collateralization.

a. Correct. This is the best procedure because it takes a sample from the total loan file and tests to determine that the loan is properly categorized as well as properly collateralized and aged. b. Incorrect. This sample only deals with large dollar items and does not test for proper collateralization. c. Incorrect. This is an inefficient audit procedure because it samples from loan applications, not loans approved. d. Incorrect. This would be an ineffective procedure because it is based only on loans for which payments are currently being made. It does not include loans that should have been categorized differently because payments are not being made.

If a financial institution overstated revenue by charging too much of each loan payment to interest income and too little to repayment of principal, which of the following audit procedures would be least likely to detect the error? a. Performing an analytical review by comparing interest income this period as a percentage of the loan portfolio with the interest income percentage for the prior period. b. Using an integrated test facility (ITF) and submitting interest payments for various loans in the ITF portfolio to determine if they are recorded correctly. c. Using test data and submitting interest payments for various loans in the test portfolio to determine if they are recorded correctly. d. Using generalized audit software to select a random sample of loan payments made during the period, calculating the correct posting amounts, and tracing the postings that were made to the various accounts.

a. Correct. This would be the least effective procedure because: (1) it provides only a comparison with the past period and that past period may have been suffering from the same problem; and (2) it is a global test. b. Incorrect. Using an integrated test facility (ITF) would be a very good procedure here because the concern is whether the interest rate calculation is made correctly. c. Incorrect. Test data would be very effective because it provides a direct test of the interest rate calculation. d. Incorrect. This would be the most effective procedure because the auditor is taking a detailed sample of actual transactions.

A transportation department maintains its vehicle inventory and maintenance records in a database. Which of the following audit procedures is most appropriate for evaluating the accuracy of the database information? a. Verify a sample of the records extracted from the database with supporting documentation. b. Submit batches of test transactions through the current system and verify with expected results. c. Simulate normal processing by using test programs. d. Use program tracing to show how, and in what sequence, program instructions are processed in the system.

a. Correct. Verifying is the most often used technique in testing the accuracy of information maintained by a system, whether manual or automated. b. Incorrect. Testing the program will not test the accuracy of data in the database. c. Incorrect. Simulating normal processing would test the program but not the accuracy of data. d. Incorrect. Tracing would require that additional coding be inserted into the database system programs.

While testing a division's compliance with company affirmative-action policies, an auditor found that: (1) Five percent of the employees are from minority groups. (2) No one from a minority group has been hired in the past year. The most appropriate conclusion for the auditor to reach is that: a. Insufficient evidence exists of compliance with affirmative-action policies. b. The division is violating the company's policies. c. The company's policies cannot be audited and hence cannot be enforced. d. With five percent of its employees from minority groups, the division is effectively complying.

a. Correct. Without knowledge of guidelines for compliance, a reasonable conclusion cannot be reached. b. Incorrect. The fact that no minority has been hired this year is irrelevant without knowing the total hires for the period. c. Incorrect. An affirmative-action policy is clearly auditable. d. Incorrect. This conclusion cannot be reached without knowledge of the actual company policy.

Which phrase best describes a control-based control self-assessment process? a. Evaluating, updating, and streamlining selected control processes. b. Examining how well controls are working in managing key risks. c. Analyzing the gap between control design and control frameworks. d. Determining the cost-effectiveness of controls.

b. Correct. A control-based approach concentrates on how well controls are working to manage risks. The key risks and controls are generally identified before the workshop. a. Incorrect. This phrase best describes a process-based approach, although control processes are not the only processes reviewed in this approach. c. Incorrect. While control design could be compared to control frameworks in a control-based approach, this does not adequately describe the process. A control-based process is more likely to examine the gap between control design and control effectiveness in managing risks. d. Incorrect. Cost-effectiveness could be discussed in a control-based control self-assessment workshop, but it is not the primary focus of this process.

As used in the verification of an accounts payable schedule, which of the following is best described as an analytical test? a. Comparing the items on the schedule with the accounts payable ledger or unpaid voucher file. b. Comparing the balance on the schedule with the balances of prior years. c. Comparing confirmations received from selected creditors with the accounts payable ledger. d. Examining vendors' invoices in support of selected items on the schedule.

b. Correct. Analytical tests include comparisons with budgeted amounts, past operations, and similar operations. The rest are "detailed tests".

Which of the following techniques could be used to estimate the standard deviation for a sampling plan? a. Ratio estimation. b. Pilot sample. c. Regression. d. Discovery sampling.

b. Correct. Auditors use a pilot sample to estimate the standard deviation in a population. This enables the auditor to estimate the confidence interval that would be achieved by the sample, and therefore helps the auditor decide how large of a sample to select. a. Incorrect. Ratio estimation is a type of variables sampling plan. It is not a technique for estimating standard deviation. c. Incorrect. Auditors use regression to project balances of accounts or other populations. d. Incorrect. Discovery sampling is a type of sampling plan, not a technique for estimating standard deviation.

Compared to a vertical flowchart, which of the following is true of a horizontal flowchart? a. It provides more room for written descriptions that parallel the symbols. b. It brings into sharper focus the assignment of duties and independent checks on performance. c. It is usually longer. d. It does not cross departmental lines.

b. Correct. By emphasizing the flow of processing between departments and/or people, it more clearly shows any inappropriate separation of duties and lack of independent checks on performance. a. Incorrect. A vertical flowchart is usually designed to provide for written descriptions. c. Incorrect. It is usually shorter because space for written descriptions is not usually provided. d. Incorrect. It follows a transaction from its inception to filing, regardless of departmental lines.

An organization provides credit cards to selected employees for business use. The credit card company provides a computer file of all transactions by employees of the organization. An auditor plans to use generalized audit software to select relevant transactions for testing. Which of the following would not be readily identified using generalized audit software? a. High-dollar transactions. b. Fraudulent transactions. c. Transactions for specific cardholders. d. Suppliers used by each cardholder.

b. Correct. It is highly unlikely that the accounts payable system would contain sufficient evidence of fraudulent transactions. Generalized audit software could be used to explore red flags but it would not particularly identify them. a. Incorrect. Generalized audit software could be used to search for unusual transactions, such as those exceeding a specific dollar amount. c. Incorrect. Transaction data could be filtered using generalized audit software. d. Incorrect. Suppliers used by cardholders could be summarized using generalized audit software.

A chief audit executive (CAE) suspects that several employees have used desktop computers for personal gain. In conducting an investigation, the primary reason that the CAE chose to engage a forensic information systems auditor rather than using the organization's information systems auditor is that a forensic information systems auditor would possess: a. Knowledge of the computing system that would enable a more comprehensive assessment of the computer use and abuse. b. Knowledge of what constitutes evidence acceptable in a court of law. c. Superior analytical skills that would facilitate the identification of computer abuse. d. Superior documentation and organization skills that would facilitate in the presentation of findings to senior management and the board.

b. Correct. The distinguishing characteristic of forensic auditing is the knowledge needed to testify as an expert witness in a court of law. Although a forensic auditor may possess the other attributes listed, the organization's information systems auditor may also possess these skills or knowledge elements. a. Incorrect. The organization's information systems auditor would probably have more knowledge of the organization's computing systems. c. Incorrect. A forensic auditor would not necessarily have analytical or organizational skills that are superior to those of the organization's auditor. d. Incorrect. See answer "c".

An internal auditor who encounters an ethical dilemma not explicitly addressed by the IIA Code of Ethics should always: a. Seek counsel from an independent attorney to determine the personal consequences of potential actions. b. Take action consistent with the principles embodied in the IIA Code of Ethics. c. Seek the counsel of the audit committee before deciding on an action. d. Act consistently with the employing organization's code of ethics even if such action would not be consistent with the IIA Code of Ethics.

b. Correct. This is consistent with the concepts embodied in the IIA Code of Ethics. a. Incorrect. The auditor must act consistently with the spirit embodied in the IIA Code of Ethics. It would not be practical to seek the advice of legal counsel for all ethical decisions. Ethics is a moral and professional concept, not just a legal. c. Incorrect. It would not be practical to seek the audit committee's advice for all potential dilemmas. Further, the advice might not be consistent with the profession's standards. d. Incorrect. If the company's standards are not consistent with, or as high as, the profession's standards, the professional internal auditor should abide by the standards of the profession.

An audit of an organization's claims department determined that a large number of duplicate payments had been issued due to problems in the claims processing system. During the exit conference, the vice president of the claims department informed the auditors that attempts to recover the duplicate payments would be initiated immediately and that the claims processing system would be enhanced within six months to correct the problems. Based on this response, the chief audit executive should: a. Adjust the scope of the next regularly scheduled audit of the claims department to assess controls within the claims processing system. b. Monitor the status of corrective action and schedule a follow-up engagement when appropriate. c. Schedule a follow-up engagement within six months to assess the status of corrective action. d. Discuss the findings with the audit committee and ask the committee to determine the appropriate follow-up action.

b. Correct. The internal audit activity should monitor the status of the corrective action. A follow-up engagement should be scheduled when changes to the claims processing system have been sufficiently completed to allow for testing of adequacy and effectiveness. a. Incorrect. Because the finding is significant, the internal audit activity should not wait until the next regularly scheduled audit to assess the status of corrective action. c. Incorrect. Although management indicated that the corrections should be completed within six months, this may not be the case. As a result, the internal audit activity should monitor the status of corrective action and schedule a follow-up engagement when it is appropriate. d. Incorrect. Although the findings should be discussed with the audit committee because of their significance, the scope and timing of a follow-up engagement should be determined by the chief audit executive based on available information

The following X-bar chart is an example of the output from a computer application used by a health insurance company to monitor physician bill amounts for various surgical procedures: The data plotted on the chart represents: a. Random variation. b. Abnormal variation. c. Normal variation. d. Cyclic variation

b. Correct. The model on which the mean, upper, and lower limits are based excludes the persistent exceeding of the upper control limit. Investigation is required. a. Incorrect. In the latter instances, there is a definite pattern of increase. This pattern of increase exceeds the upper control limit persistently. c. Incorrect. The upper limit is consistently exceeded. According to the planning model, such occurrences are abnormal. d. Incorrect. Portions of the chart appear cyclic, but a significant characteristic is the abnormality exceeding the upper control limit.

Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function? a. Observe the process. b. Review the trend in receivables write-offs. c. Ask the credit manager about the effectiveness of the function. d. Check for evidence of credit approval on a sample of customer orders.

b. Correct. The purpose of the credit-granting function is to minimize write-offs while at the same time accepting sales likely to result in collection. Reviewing the trend in write-offs will provide some insight concerning the minimization of write-offs. a. Incorrect. Observation will provide evidence on whether the credit personnel are following the procedures while being observed. However, since they know they are being watched, they will probably do what they believe they should do, not what they normally do. c. Incorrect. Responses from the credit manager will lack objectivity, a key attribute of competent evidence. d. Incorrect. The credit limits may be set too high or not properly revised periodically. The existence of approval will not detect these problems.

A sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes the cost may be too high and has asked for a review by the internal audit activity. Which of the following procedures would be the least useful to determine the effectiveness of the promotion? a. Comparing product sales during the promotion period with sales during a similar non-promotion period. b. Comparing the unit cost of the products sold before and during the promotion period. c. Performing an analysis of marginal revenue and marginal cost for the promotion period, compared to the period before the promotion. d. Performing a review of the sales department's benchmarks used to determine the success of a promotion.

b. Correct. There is no indication that cost of the products sold has changed. The challenge is to address the effectiveness of the promotion. a. Incorrect. This comparison would help highlight the effectiveness of the promotion in increasing sales. c. Incorrect. This is the key analysis as it would show the extent of additional revenue versus cost. d. Incorrect. This would be helpful because the sales department may have useful information on new customers and repeat purchases.

Data-gathering activities such as interviewing operating personnel, identifying standards to be used to evaluate performance, and assessing risks inherent in a department's operations are typically performed in which phase of an audit engagement? a. Fieldwork. b. Preliminary survey. c. Engagement program development. d. Examination and evaluation of evidence.

b. Correct. These activities are normally accomplished during the preliminary survey phase. a. Incorrect. The activities described must be performed before the fieldwork can be undertaken. c. Incorrect. The activities described must be performed before the engagement program can be developed. d. Incorrect. The activities described must be performed before the evidence can be examined or evaluated.

Which of the following is most likely to be considered an indication of possible fraud? a. The replacement of the management team after a hostile takeover. b. Rapid turnover of the organization's financial executives. c. Rapid expansion into new markets. d. A government audit of the organization's tax returns.

b. Correct. This is considered a red flag that indicates possible fraud.

The most common motivation for management fraud is the existence of: a. Vices, such as a gambling habit. b. Job dissatisfaction. c. Financial pressures on the organization. d. The challenge of committing the perfect crime.

c. Correct. Management fraud benefits organizations rather than individuals, so the existence of financial pressures is the most common motivation. Management perpetrators attempt to make their financial statements appear more attractive because of the financial pressures of restrictive loan covenants, a poor cash position, loss of significant customers, etc.

An auditor uncovers a plan to overstate inventory and thereby increase reported profits for a division. The auditor has substantial evidence that the divisional manager was aware of and approved the plan to overstate inventory. There is also some evidence that the manager may have been responsible for the implementation of the plan. The auditor should: a. Continue to conduct interviews with subordinates until a definite case is made, and then report the case to the audit committee. b. Inform senior management and the audit committee of the findings and discuss possible further investigation. c. Inform the divisional manager of the auditor's suspicions and obtain the manager's explanation of the findings before pursuing the matter further. d. Document the case thoroughly and report the suspicions to the external auditor for further review.

b. Correct. This is the correct answer according to Practice Advisory 1210.A2-1.6. a. Incorrect. The auditor has sufficient evidence to bring the matter to the attention of management and let them decide the method of further investigation. c. Incorrect. There is no need to inform divisional management of the audit suspicions. It would be appropriate to interview divisional management, but primarily for data gathering purposes. d. Incorrect. The auditor's responsibility is for reporting inside the organization.

What computer-assisted audit technique would an auditor use to identify a fictitious or terminated employee? a. Parallel simulation of payroll calculations. b. Exception testing for payroll deductions. c. Recalculations of net pay. d. Tagging and tracing of payroll tax-rate changes.

b. Correct. This type of computer-assisted audit technique (CAAT) program can identify employees who have no deductions. This is important because fictitious or terminated employees will generally not have any deductions. a. Incorrect. In a parallel simulation, data that were processed by the engagement client's system are reprocessed through the auditor's program to determine if the output obtained matches the output generated by the client's system. This technique might identify problems with the client's processing but would not identify a fictitious or terminated employee. c. Incorrect. A CAAT program can recalculate amounts such as gross pay, net pay, taxes and other deductions, and accumulated or used leave times. These recalculations can help determine if the payroll program is operating correctly or if employee files have been altered, but would not identify a fictitious or terminated employee. d. Incorrect. In this type of CAAT program, certain actual transactions are "tagged," and as they proceed through the system, a data file is created that traces the processing through the system and permits an auditor to subsequently review that processing. This would not, however, identify a fictitious or terminated employee.

An organization uses electronic data interchange and on-line systems rather than paper-based documents for purchase orders, receiving reports, and invoices. Which of the following audit procedures would an auditor use to determine if invoices are paid only for goods received and at approved prices? a. Select a statistical sample of major vendors and trace the amounts paid to specific invoices. b. Use generalized audit software to select a sample of payments and match purchase orders, invoices, and receiving reports stored on the computer using a common reference. c. Select a monetary-unit sample of accounts payable and confirm the amounts directly with the vendors. d. Use generalized audit software to identify all receipts for a particular day and trace the receiving reports to checks issued.

b. Correct. This would help the auditor determine that all three pieces of data were most likely matched before payment. a. Incorrect. This procedure only provides data on whether payments agree with invoices. It does not provide data on whether the invoiced amounts are correct. c. Incorrect. As with answer "a", this only provides data on whether payments agree with invoices. It does not provide data on whether the goods were actually received. d. Incorrect. This provides data only on one day. While it matches items received with those paid, it does not provide data on whether the billings were correct.

A company's accounts receivable turnover rate decreased from 7.3 to 4.3 over the last three years. What is the most likely cause for the decrease? a. An increase in the discount offered for early payment. b. A more liberal credit policy. c. A change in net payment due from 30 to 25 days. d. Increased cash sales.

b. Correct. With a liberal credit policy, customers would be taking longer to pay (365/4.3 compared to 365/7.3). a. Incorrect. This should have the opposite effect. c. Incorrect. This should have the opposite effect. d. Incorrect. This is irrelevant, since cash sales will have no impact.

Sales representatives for a manufacturing company are reimbursed for 100 percent of their cellular telephone bills. Cellular telephone costs vary significantly from representative to representative and from month to month, complicating the budgeting and forecasting processes. Management has requested that the internal auditors develop a method for controlling these costs. Which of the following would most appropriately be included in the scope of the consulting project? a. Control self-assessment involving sales representatives. b. Benchmarking with other cellular telephone users. c. Business process review of procurement and payables routines. d. Performance measurement and design of the budgeting and forecasting processes.

c. Correct. A business process review (BPR) assesses the performance of administrative and financial processes, such as within procurement and payables. BPR considers process effectiveness and efficiency, including the presence of appropriate controls, to mitigate business risk. Because the objective is to control cellular phone costs, BPR is the appropriate tool to use in this area. a. Incorrect. Neither control self-assessment nor performance measurement will address management's objective of controlling costs. b. Incorrect. Although benchmarking may have some applicability, it is not the most appropriate tool. d. Incorrect. See answer "a".

A consulting activity appropriately performed by the internal audit function is: a. Designing systems of control. b. Drafting procedures for systems of control. c. Reviewing systems of control before implementation. d. Installing systems of control.

c. Correct. According to Practice Advisory 1130.A1-1.4, reviewing systems, even before implementation, is an activity appropriately performed by the internal audit function and does not impair objectivity. a. Incorrect. Designing systems is presumed to impair audit objectivity. b. Incorrect. Drafting procedures for systems is presumed to impair independence. d. Incorrect. Installing systems of controls is presumed to impair independence.

An auditor is conducting a survey of perceptions and beliefs of employees concerning an organization's health-care plan. The best approach to selecting a sample would be to: a. Focus on people who are likely to respond so that a larger sample can be obtained. b. Focus on managers and supervisors because they can also reflect the opinions of the people in their departments. c. Use stratified sampling where the strata are defined by marital and family status, age, and salaried or hourly status. d. Use monetary-unit sampling according to employee salaries.

c. Correct. Because different employees probably have different situations, needs, and experiences, stratified sampling would best ensure that a representative sample would result. a. Incorrect. This convenience sample is likely to emphasize people with lots of available time at the expense of key employees who are too busy with company work to respond. b. Incorrect. Managers and supervisors often do not have the same needs and perceptions as their subordinates and also may misperceive their views. d. Incorrect. This approach would produce a disproportionate number of highly paid employees who may not have the same needs as lower-paid employees.

In conducting an audit of an organization's disaster recovery capability, which of the following would an auditor consider to be the most serious weakness? a. Tests utilize recovery scripts. b. Hot-site contracts are two years old. c. Backup media are stored on-site. d. Only a few systems are tested annually.

c. Correct. Failure to store backup media off-site is a very serious control weakness. a. Incorrect. Use of scripts is a common practice to sequence events. b. Incorrect. Recovery contracts are not updated that frequently. d. Incorrect. Generally, the limited test-time window will only permit testing a few systems.

Questions used to interrogate individuals suspected of fraud should: a. Adhere to a predetermined order. b. Cover more than one subject or topic. c. Move from the general to the specific. d. Direct the individual to a desired answer.

c. Correct. General information should be obtained first before details are sought. a. Incorrect. The interviewee's answer may suggest a follow-up question that should be asked before asking the next planned question. b. Incorrect. This may be confusing for the respondent. d. Incorrect. The interrogator should avoid leading questions, that is, questions that suggest an answer.

Which of the following would not be considered a primary objective of a closing or exit conference? a. To resolve conflicts. b. To discuss the engagement observations and recommendations. c. To identify concerns for future audit engagements. d. To identify management's actions and responses to the engagement observations and recommendations.

c. Correct. Identifying concerns for future engagements is not a primary objective of the exit conference. a. Incorrect. Resolving conflicts is an objective of the exit conference. b. Incorrect. Discussing the engagement observations in order to reach agreement on the facts is an objective of the exit conference. d. Incorrect. Determining management's action plan and responses is an objective of the exit conference.

As part of a manufacturing company's environmental, health, and safety (EHS) selfinspection program, inspections are conducted by a member of the EHS staff and the operational manager for a given work area or building. If a deficiency cannot be immediately corrected, the EHS staff member enters it into a tracking database that is accessible to all departments via a local area network. The EHS manager uses the database to provide senior management with quarterly activity reports regarding corrective action. During review of the self-inspection program, an auditor notes that the operational manager enters the closure information and affirms that corrective action is complete. What change in the control system would compensate for this potential conflict of interest? a. No additional control is needed because the quarterly report is reviewed by senior management, providing adequate oversight in this situation. b. No additional control is needed because those implementing a corrective action are in the best position to evaluate the adequacy and completion of that action. c. After closure is entered into the system, review by the EHS staff member of the original inspection team should be required in order to verify closure. d. The EHS department secretary should be responsible for entering all information in the tracking system based on memos from the operational manager.

c. Correct. If there is a step in the process at which someone independent of the area being inspected can evaluate the adequacy and completeness of corrective action, the potential for closure fraud is minimized. a. Incorrect. Although senior management can use the report to question why certain corrective actions may be behind schedule, they have no way of knowing whether the corrective actions shown as complete were actually completed. b. Incorrect. While the operational managers may in fact be the most knowledgeable about the corrective action, independent verification is preferable. d. Incorrect. There is nothing inappropriate about the environmental, health, and safety staff entering the initial inspection results. Having the secretary enter closure data does not improve controls since there is still no independent review. It is also less efficient and timely than having the data entered directly in the field.

An auditor for a major retail company suspects that inventory fraud is occurring at three stores that have high cost of goods sold. Which of the following audit activities would provide the most persuasive evidence that fraud is occurring? a. Use an integrated test facility (ITF) to compare individual sales transactions with test transactions submitted through the ITF. Investigate all differences. b. Interview the three individual store managers to determine if their explanations about the observed differences are the same, and then compare their explanations to that of the section manager. c. Schedule a surprise inventory audit to include a physical inventory. Investigate areas of inventory shrinkage. d. Select a sample of individual store prices and compare them with the sales entered on the cash register for the same items.

c. Correct. If this type of fraud were occurring, it would result in inventory shrinkage. The surprise inventory count would be an effective audit technique. a. Incorrect. The ITF only provides evidence on the correctness of computer processing. It would not be relevant to the hypothesized rationale for the operating data. b. Incorrect. Interviews provide a weak form of evidence and would be better if the auditor first has substantive documentary evidence. d. Incorrect. The problem would be with inventory shrinkage, not with whether items are appropriately keyed in or scanned in at the cash register

When conducting a performance appraisal of an internal auditor who has been a belowaverage performer, it is not appropriate to: a. Notify the internal auditor of the upcoming appraisal several days in advance. b. Use objective, impartial language. c. Use generalizations. d. Document the appraisal.

c. Correct. It is not appropriate to use generalizations when giving a performance appraisal to a below-average performer. Rather, the evaluator must cite specific information and be prepared a. Incorrect. In a performance appraisal of a below-average performer, it is appropriate and advisable to notify the employee of the upcoming appraisal, use objective language, and document the appraisal. b. Incorrect. See answer "a". to support assertions with evidence. d. Incorrect. See answer "a".

Which of the following describes the most appropriate action to be taken concerning a repeated observation of violations of company policy pertaining to competitive bidding? a. The engagement final communication should note that this same condition had been reported in the prior engagement. b. During the exit interview, management should be made aware that the violation has not been corrected. c. The chief audit executive should determine whether management or the board has assumed the risk of not taking corrective action. d. The chief audit executive should determine whether this condition should be reported to the external auditor and any regulatory agency.

c. Correct. Management may decide to assume the risk of not correcting a reported condition because of the cost or other considerations. a. Incorrect. This action is insufficient; see answer "c". b. Incorrect. This action is insufficient; see answer "c". d. Incorrect. This action would be inappropriate; see answer "c".

A performance audit engagement typically involves: a. Review of financial statement information, including the appropriateness of various accounting treatments. b. Tests of compliance with policies, procedures, laws, and regulations. c. Appraisal of the environment and comparison against established criteria. d. Evaluation of organizational and departmental structures, including assessments of process flows.

c. Correct. Performance audit engagements involve review of performance against set criteria. a. Incorrect. Financial audit engagements involve review of financial information. b. Incorrect. Compliance audit engagements involve examining control procedures and there compliance. d. Incorrect. Operational audit engagements involve reviewing organizational and departmental structures.

As part of a preliminary survey of the purchasing function, an auditor read the department's policies and procedures manual. The auditor concluded that the manual described the processing steps well and contained an appropriate internal control design. The next engagement objective was to determine the operating effectiveness of internal controls. Which procedure would be most appropriate in meeting this objective? a. Prepare a flowchart. b. Prepare a system narrative. c. Perform a test of controls. d. Perform a substantive test.

c. Correct. Tests of controls, also known as compliance tests, help an auditor determine whether controls are being followed and are effective. For instance, a policy may require that all large transactions be approved by a manager. As a test of controls, the auditor may sample large transactions and review whether manager approval was obtained and whether the proposed transaction meets all the criteria that the manager was supposed to verify. a. Incorrect. Flowcharts are most appropriate for studying internal control design. The audit objective is whether the controls are in place and effective, which indicates the need for a test of controls. b. Incorrect. System narratives are most appropriate for studying internal control design. The audit objective is whether the controls are in place and effective, which indicates the need for a test of controls. d. Incorrect. Substantive tests are tests to determine whether an objective has been achieved and do not necessarily test internal controls.

What does the following scattergram suggest? Y= Sales Revenue X= Training Costs a. Sales revenue is inversely related to training costs. b. The training program is not effective. c. Training costs do not affect sales revenue. d. Several data points are incorrectly plotted.

c. Correct. The scattergram suggests that training costs and sales revenue are not related. a. Incorrect. The scattergram does not show a relationship between training costs and sales revenue. b. Incorrect. The scattergram does not yield information about the effectiveness of the training program. d. Incorrect. There is nothing to indicate an incorrect data point in this graph.

The standard error of a sample reflects: a. The projected population error based on errors in the sample. b. The average rate of error in the sample. c. The degree of variation in sample items. d. The error in the population that the auditor can accept.

c. Correct. The standard error is a function of the standard deviation, which is a measurement of the average variation from the mean of the sample. The standard error is used to compute precision and the confidence interval. The larger the standard error, the wider the interval. a. Incorrect. The standard error is not a projection of error in the population. b. Incorrect. The standard error is not a measurement of the errors in the sample. d. Incorrect. The amount of error that the auditor would be willing to accept (the tolerable error) is the auditor's decision; it is not the result of a statistical calculation. The amount of tolerable error has no effect on the standard error.

Which of the following most completely describes the appropriate content of engagement workpapers? a. Objectives, procedures, and conclusions. b. Purpose, criteria, techniques, and conclusions. c. Objectives, procedures, facts, conclusions, and recommendations. d. Subject, purpose, sampling information, and analysis.

c. Correct. This is the most complete of the choices. a. Incorrect. This answer is incomplete because it ignores facts (evidence) and recommendations. b. Incorrect. This answer is incomplete because it ignores evidence and recommendations. d. Incorrect. This answer is incomplete because it ignores evidence, objectives, conclusions, and recommendations.

An engagement objective is to determine if a company's accounts payable contain all outstanding liabilities. Which of the following audit procedures would not be relevant for this objective? a. Examine supporting documentation of subsequent (after-period) cash disbursements and verify period of liability. b. Send confirmations, including zero balance accounts, to vendors with whom the company normally does business. c. Select a sample of accounts payable from the accounts payable listing and verify the supporting receiving reports, purchase orders, and invoices. d. Trace receiving reports issued before the period end to the related vendor invoices and accounts payable listing.

c. Correct. This procedure provides no evidence pertaining to unrecorded liabilities. a. Incorrect. This procedure is designed to identify payments for liabilities not included in the prior period, but paid in the subsequent period. b. Incorrect. This procedure is designed to identify amounts not included in the accounts payable. Zero balance accounts should be verified as part of the process. d. Incorrect. Tracing receiving reports from before the period end to invoices and the payables listing is designed to assure that these shipments are included in the payables.

During a review of purchasing operations, an auditor found that procedures in use did not agree with stated company procedures. However, audit tests revealed that the procedures in use represented an increase in efficiency and a decrease in processing time, without a discernible decrease in control. The auditor should: a. Report the lack of adherence to documented procedures as an operational deficiency. b. Develop a flowchart of the new procedures and include it in the report to management. c. Report the change and suggest that the change in procedures be documented. d. Suspend the completion of the engagement until the engagement client documents the new procedures.

c. Correct. This represents a change in process that should be brought to the attention of management and documented. a. Incorrect. The procedures do not represent a deficiency since efficiency has improved without diminishing control. b. Incorrect. A flowchart is not the best form of documentation because it does not address efficiency. d. Incorrect. The engagement should be completed.

An audit found that the cost of some material installed on capital projects had been transferred to the inventory account because the capital budget had been exceeded. Which of the following would be an appropriate technique for the internal audit activity to use to monitor this situation? a. Identify variances between amounts capitalized each month and the capital budget. b. Analyze a sample of capital transactions each quarter to detect instances in which installed material was transferred to inventory. c. Review all journal entries that transferred costs from capital to inventory accounts. d. Compare inventory receipts with debits to the inventory account and investigate discrepancies.

c. Correct. This would focus on the problem of inappropriate transfers. a. Incorrect. Variances would not identify costs transferred to inventory. b. Incorrect. This would sample from all capital transactions while answer "c" would more specifically address all transfers. d. Incorrect. There would be no inventory receipts for the transfers, so beginning with inventory receipts would not be an effective method to monitor this situation.

Which of the following should be reviewed before designing any system elements in a top-down approach to new systems development? a. Types of processing systems used by competitors. b. Computer equipment needed by the system. c. Information needs of managers for planning and control. d. Controls in place over the current system.

c. Correct. Users' information needs and objectives should be primary. a. Incorrect. Competitors' processing may be irrelevant or totally unknown. b. Incorrect. Emphasis should first be on the purposes and needs of the new system, not on equipment. d. Incorrect. Controls related to the old (current) system may be irrelevant or unimportant.

Variability of the dollar amount of individual items in a population affects sample size in which of the following sampling plans? a. Attributes sampling. b. Dollar-unit sampling. c. Mean-per-unit sampling. d. Discovery sampling.

c. Correct. Variability affects the standard deviation. The larger the standard deviation, the larger the sample size that is required to achieve a specified level of precision and confidence. d. Incorrect. The objective of discovery samp a. Incorrect. Attributes sampling is not used for tests of dollar amounts and therefore variability of dollar amounts is not an issue in determining sample size. b. Incorrect. Dollar-unit sampling neutralizes variability by defining the sampling unit as an individual dollar. ling is to select items until at least one item is selected with a particular characteristic, such as evidence of fraud.

When interviewing an individual suspected of a fraud, the interviewer should: a. Ensure the suspect's supervisor is present during the interview. b. Lock the door to ensure no one will interrupt the interview. c. Pay attention to the wording choices of the suspect. d. Ask if the suspect committed the fraud.

c. Correct. Wording choices, such as shifts in the use of pronouns and verbs, may indicate areas of dishonesty or fabrication. a. Incorrect. The interviewee may be less likely to confess or provide other useful information if the supervisor is present. b. Incorrect. The interview should take place in a room that allows privacy, but there should be no physical barriers, including a locked door, to prevent the suspect from leaving if he or she wishes. d. Incorrect. During an admission-seeking interview, the interviewer should appear confident that the suspect committed the fraud. Therefore, the interviewer should ask how, not if, the interviewee committed the fraud.

Which of the following is not an advantage of sending an internal control questionnaire prior to an audit engagement? a. The engagement client can use the questionnaire for self-evaluation prior to the auditor's visit. b. The questionnaire will help the engagement client understand the scope of the engagement. c. Preparing the questionnaire will help the auditor plan the scope of the engagement and organize the information to be gathered. d. The engagement client will respond only to the questions asked, without volunteering additional information.

d. Correct. Additional information is useful to the auditor. a. Incorrect. Answering the questionnaire will help the engagement client identify areas where procedures are weak or not properly documented. b. Incorrect. The questionnaire will communicate the areas that the auditor plans to evaluate. c. Incorrect. The auditor could use the preparation of the questionnaire to organize the information to be gathered.

The primary reason for having written formal audit reports is to: a. Provide an opportunity for engagement client response. b. Document the corrective actions required of senior management. c. Provide a formal means by which the external auditor assesses potential reliance on the internal audit activity. d. Record observations and recommended courses of action.

d. Correct. Audit reports should present the purpose, scope, and results of an engagement. a. Incorrect. An engagement client should have an opportunity to respond before the report is written. b. Incorrect. Internal auditors make recommendations; they do not submit requirements. c. Incorrect. Where appropriate, external auditors would review workpapers to accomplish this end.

A production manager ordered excessive raw materials for delivery to a separate company owned by the manager. The manager falsified receiving documents and approved the invoices for payment. Which of the following audit procedures would most likely detect this fraud? a. Select a sample of cash disbursements and compare purchase orders, receiving reports, invoices, and check copies. b. Select a sample of cash disbursements and confirm the amount purchased, purchase price, and date of shipment with the vendors. c. Observe the receiving dock and count materials received; compare the counts to receiving reports completed by receiving personnel. d. Perform analytical tests, comparing production, materials purchased, and raw materials inventory levels; investigate differences.

d. Correct. Because materials are shipped and used in another business, the analytic comparisons would show an unexplained increase in materials used. a. Incorrect. Because documents are falsified, all supporting documents would match for each cash disbursement. b. Incorrect. Vendors would confirm all transactions, because all have been made. c. Incorrect. Since fraudulent orders are shipped to another location, the receiving dock procedures would appear correct.

An internal audit team is performing a due diligence audit to assess plans for a potential merger/acquisition. Which of the following would be the least valid reason for a company to merge with or acquire another company? a. To diversify risk. b. To respond to government policy. c. To reduce labor costs. d. To increase stock prices.

d. Correct. Increasing stock prices is not a frequent reason for a company to merge with or acquire another company because this effect could be achieved through other methods that directly benefit company performance. a. Incorrect. Diversifying risk is a frequent reason for a company to merge with or acquire another company. b. Incorrect. Responding to government policy is a frequent reason for a company to merge with or acquire another company. c. Incorrect. Reducing labor costs is a frequent reason for a company to merge with or acquire another company.

Which of the following is the best approach for obtaining feedback from engagement clients on the quality of internal audit work? a. Ask questions during the exit interviews and send copies of the documented responses to the clients. b. Call engagement clients after the exit interviews and send copies of the documented responses to the clients. c. Distribute questionnaires to selected engagement clients shortly before preparing the internal audit annual activity report. d. Provide questionnaires to engagement clients at the beginning of each engagement and request that the clients complete and return them after the engagements.

d. Correct. It is best practice to provide the questionnaire to the customer at the beginning of an engagement, either routinely or periodically, to complete after the engagement. The quality measures being used by the internal audit activity and the internal auditor are then clearly understood by the customer, and specific requirements and expectations can be noted by the internal auditor before the engagement begins. The customer can then assess the quality of the internal audit work during the engagement, and complete the questionnaire after the engagement. This also encourages a continuous process of monitoring quality and feedback by the customer throughout the engagement. a. Incorrect. Requests for feedback from customers is best achieved by the customer completing a questionnaire designed for the purpose. Such questionnaires facilitate the development of useful quality performance measures and trends. b. Incorrect. See answer "a". c. Incorrect. The questionnaire should be given to the customer at the beginning of the engagement for completion after the engagement. Distributing questionnaires long after the engagement is completed would be less useful because the information will not be fresh in the customer's mind.

Determination of cost savings is most likely to be an objective of: a. Program audit engagements. b. Financial audit engagements. c. Compliance audit engagements. d. Operational audit engagements.

d. Correct. Operational auditing is most likely to address a determination of cost savings by focusing on economy and efficiency. a. Incorrect. Program audit engagements address accomplishment of program objectives. b. Incorrect. Financial auditing addresses accuracy of financial records. c. Incorrect. Compliance auditing addresses compliance with requirements, including legal and regulatory requirements.

Which of the following would be least useful in predicting the amount of uncollectible accounts for an organization? a. Published economic indices indicating a general business downturn. b. Dollar amounts of accounts actually written off by the organization for each of the past six months. c. Total monthly sales for each of the past six months. d. Written forecasts from the credit manager regarding expected future cash collections.

d. Correct. Opinion evidence does not have as much validity as factual evidence. In addition, the source of the evidence may have a bias, which should be considered by the internal auditor when evaluating the validity of this data. a. Incorrect. Although these statistics might not be quite as relevant as some of the other choices of data sets, the data would have great validity, having been compiled and published by an independent source. b. Incorrect. The dollar amounts in this group of data would be objective and valid, representing the actual experiences of the organization. c. Incorrect. These amounts would include cash as well as credit sales, and the inclusion of the cash sales would reduce the relevance of these data to the model. However, these dollar amounts in this group of data also represent the actual experiences of the organization and thus have a high degree of validity.

The following represents accounts receivable information for a corporation for a three-year period: Year 1: Net AR as % of TA - 23.4% AR Turnover - 6.98 Year 2: 27.3% 6.05 Year 3: 30.8% 5.21 All of the following are plausible explanations for these changes except: a. Fictitious sales may have been recorded. b. Credit and collection procedures have become ineffective. c. Allowance for bad debts is understated. d. Sales returns for credit have been overstated.

d. Correct. Overstated sales returns for credit would not be a plausible answer since they would understate (not overstate) accounts receivable. This would result in especially lower (not higher) net accounts receivable balances as a percentage of total assets a. Incorrect. Fictitious sales would be a plausible answer since they would generate additional uncollectible accounts receivable that are not necessarily being reflected in the allowance for bad debts. b. Incorrect. Ineffective credit and collection procedures would be a plausible answer since they could contribute to increases in uncollectible accounts receivable that are not necessarily being reflected in the allowance for bad debts. c. Incorrect. An understated allowance for bad debts would be a plausible answer since it would contribute to overstatements in net accounts receivable and decreases in the accounts receivable turnover ratio.

An auditor is considering developing a questionnaire to research employee attitudes toward control procedures. Which of the following represents the least important criteria in designing the questionnaire? a. Questions should be worded to ensure a valid interpretation by the respondents. b. Questions should be reliably worded so that they measure what was intended to be measured. c. The length of the questionnaire should be minimized in order to increase the response rate. d. Questions should be worded such that a "No" answer indicates a problem.

d. Correct. Questions can be multiple-choice, fill-in-the-blank, essay, Likert scales, etc. a. Incorrect. Validity and reliability of each question is extremely important. b. Incorrect. See answer "a". c. Incorrect. When questionnaires are too long, people tend not to complete them.

Which of the following is true of benchmarking? a. It is typically accomplished by comparing an organization's performance with the performance of its closest competitors. b. It can be performed using either qualitative or quantitative comparisons. c. It is normally limited to manufacturing operations and production processes. d. It is accomplished by comparing an organization's performance to that of the best-performing organizations.

d. Correct. See answer "a". a. Incorrect. Benchmarking involves a comparison against industry leaders or "world-class" operations. Benchmarking either uses industry-wide figures (to protect the confidentiality of information provided by participating organizations) or figures from cooperating organizations. b. Incorrect. Benchmarking requires measurements, which involve quantitative comparisons. c. Incorrect. Benchmarking can be applied to all of the functional areas in a company. In fact, because manufacturing often tends to be industry-specific whereas things like processing an order or paying an invoice are not, there is a greater opportunity to improve by learning from global leaders.

A follow-up review found that a significant internal control weakness had not been corrected. The chief audit executive (CAE) discussed this matter with senior management and was informed of management's willingness to accept the risk. The CAE should: a. Do nothing further because management is responsible for deciding the appropriate action to be taken in response to reported engagement observations and recommendations. b. Initiate a fraud investigation to determine if employees had taken advantage of the internal control weakness. c. Inform senior management that the weakness must be corrected and schedule another follow-up review. d. Assess the reasons that senior management decided to accept the risk and inform the board of senior management's decision.

d. Correct. Senior management may decide to accept the risk due to cost or other considerations. The chief audit executive needs to assess senior management's rationale and then inform the board of management's decision.

Which of the following situations is most likely to be the subject of a written interim report to the engagement client? a. Seventy percent of the planned audit work has been completed with no significant adverse observations. b. The auditors have decided to substitute survey procedures for some of the planned detailed review of certain records. c. The engagement program has been expanded because of indications of possible fraud. d. Open burning at a subsidiary plant poses a prospective violation of pollution regulations.

d. Correct. Such a situation would require immediate attention. a. Incorrect. There is no need for earlier consideration in this situation. b. Incorrect. Changes in auditor methodology are not of particular importance to the engagement client. c. Incorrect. Indications of possible fraud would not be communicated to the engagement client.

During an operational audit engagement, an auditor compared the inventory turnover rate of a subsidiary with established industry standards in order to: a. Evaluate the accuracy of internal financial reports. b. Test controls designed to safeguard assets. c. Determine compliance with corporate procedures regarding inventory levels. d. Assess performance and indicate where additional audit work may be needed.

d. Correct. Such an analytical procedure will provide an indication of the efficiency and effectiveness of the subsidiary's management of the inventory. a. Incorrect. Comparison with industry standards will not test the accuracy of internal reporting. b. Incorrect. Comparison with industry standards will not test the controls designed to safeguard the inventory. c. Incorrect. Comparison with industry standards will not test compliance.

If an internal auditor is interviewing three individuals, one of whom is suspected of committing a fraud, which of the following is the least effective approach? a. Ask each individual to prepare a written statement explaining his or her actions. b. Take the role of one seeking the truth. c. Listen carefully to what each interviewee has to say. d. Attempt to get the suspected individual to confess.

d. Correct. The auditor should avoid creating the impression of seeking a confession or a conviction. a. Incorrect. This is a good interviewing technique to use during a fraud investigation. b. Incorrect. See answer "a". c. Incorrect. See answer "a".

One of the audit objectives for a manufacturing company is to verify that all rework is reviewed by the production engineer. Which of the following audit procedures would provide the best evidence for meeting this objective? a. Trace a sample of entries in the rework log to remedial action taken. b. Trace a sample of rework orders to entries in the rework log. c. Trace a sample of entries in the review log to rework orders. d. Trace a sample of rework orders to entries in the review log.

d. Correct. The best evidence of all work performed is the set of rework order forms and the best evidence of what was reviewed are the entries in the review log. To determine whether all rework was reviewed, the auditor needs to start with the population of all the rework that was performed (that is, rework order forms) and trace to evidence that it was reviewed (that is, review log). a. Incorrect. This procedure only considers the rework jobs that require remedial action. Not all rework orders reviewed by the engineer will require remedial action. b. Incorrect. This test would be useful for verifying that all rework is recorded in the rework log but provides no evidence that the work was reviewed. c. Incorrect. Since this procedure begins with only rework jobs that were reviewed, it would not be useful in finding jobs that were not reviewed.

An audit committee is concerned that management is not addressing all internal audit observations and recommendations. What should the audit committee do to address this situation? a. Require managers to provide detailed action plans with specific dates for addressing audit observations and recommendations. b. Require all managers to confirm when they have taken action. c. Require the chief executive officer to report why action has not been taken. d. Require the chief audit executive to establish procedures to monitor progress.

d. Correct. The chief audit executive is responsible for establishing appropriate procedures for monitoring the progress by management on all internal audit observations and recommendations. This responsibility should be written into its charter by the audit committee, and progress should be reported at each audit committee meeting. a. Incorrect. Management are responsible for ensuring action on all internal audit observations and recommendations, but some actions may take time to complete and it is not practical to expect that all will be resolved when an audit committee meets. b. Incorrect. See answer "a". c. Incorrect. See answer "a".

Which sampling plan requires no additional sampling once the first error is found? a. Stratified sampling. b. Attributes sampling. c. Stop-or-go sampling. d. Discovery sampling

d. Correct. The objective of discovery sampling is to provide a specified level of assurance that a sample will show at least one example of an attribute if the rate of occurrence of that attribute within the population is at or above a specified limit. The audit decision is made once the first error is observed. a. Incorrect. Stratified sampling is a variables sampling procedure. Its primary objective is to estimate a particular population value using the results of a sample. It is not concerned with errors in the population and, therefore, would not stop when the first error is encountered. b. Incorrect. Attributes sampling results in an estimate of the rate of occurrence of some characteristic in a population. The sample size is determined to estimate this rate with the desired level of assurance; therefore, the entire sample size is required, regardless of when the first error occurs. c. Incorrect. Stop-or-go sampling is a sequential sampling procedure where the next step is determined by the results of the previous step. However, once a step is initiated, it is carried out until it is completed. For example, assume that an internal auditor takes a sample, evaluates the results, and determines additional sample items are required. Each phase of the sample is conducted without reference to when the first error is observed.

An important difference between a statistical and a judgmental sample is that with a statistical sample: a. No judgment is required because everything is computed according to a formula. b. A smaller sample can be used. c. More accurate results are obtained. d. Population estimates with measurable reliability can be made.

d. Correct. The only way to have measured reliability (stated in terms of confidence intervals) is to use a statistical sample. a. Incorrect. Judgment is needed for confidence levels and sample unit definition. b. Incorrect. A statistical sample may result in either a smaller or larger sample. c. Incorrect. There is no way to determine which method would produce greater accuracy.

To be sufficient, audit evidence should be: a. Well-documented and cross-referenced in the workpapers. b. Based on references that are considered reliable. c. Directly related to the engagement observation and include all of the elements of an engagement observation. d. Convincing enough for a prudent person to reach the same conclusion as the auditor.

d. Correct. This is one of the qualities of sufficiency of evidence. a. Incorrect. This is a mechanical aspect of evidence; it has no specific relationship to any of the characteristics of evidence. b. Incorrect. This is a quality of competence of evidence. c. Incorrect. This is a quality of relevance of evidence.

An audit of accounts payable found that the individuals responsible for maintaining the vendor master file could also enter vendor invoices into the accounts payable system. During the exit conference, management agreed to correct this problem. When performing a follow-up engagement of accounts payable, the auditor should expect to find that management had: a. Transferred the individuals who maintained the vendor master file to another department to ensure responsibilities were appropriately segregated. b. Compared the vendor and employee master files to determine if any unauthorized vendors had been added to the vendor master file. c. Modified the access control system to prevent employees from both entering invoices and approving payments. d. Modified the accounts payable system to prevent individuals who maintained the vendor master file from entering invoices.

d. Correct. This is the only option that will correct the deficiency identified during the audit. a. Incorrect. Transferring the employees is not necessary and would not resolve the control problem. b. Incorrect. This may help detect prior problems but it does not create a control to address future problems. c. Incorrect. This would not address the problem because it does not involve the vendor master file.

Internal auditors often flowchart a control system and reference the flowchart to narrative descriptions of certain activities. This is an appropriate procedure to: a. Determine whether the system meets established management objectives. b. Document that the system meets international auditing requirements. c. Determine whether the system can be relied upon to produce accurate information. d. Gain the understanding necessary to test the effectiveness of the system.

d. Correct. This is why flowcharting keyed to a narrative is employed by auditors. a. Incorrect. A more direct test would be needed to accomplish this. b. Incorrect. International auditing standards do not require the use of flowcharts. c. Incorrect. A more direct test would be needed to accomplish this.

Which of the following analytical review procedures should an auditor use to determine if a change in investment income during the current year was due to changes in investment strategy, changes in portfolio mix, or other factors? a. Simple linear regression of investment income changes over the past five years to determine the nature of the changes. b. Ratio analysis of changes in the investment portfolio on a monthly basis. c. Trend analysis of changes in investment income as a percentage of total assets and of investment assets over the past five years. d. Multiple regression analysis using independent variables related to the nature of the investment portfolio and market conditions.

d. Correct. This would be the best approach because it allows the auditor to capture information on the potential causes of the change in investment income. a. Incorrect. Simple linear regression would be useful, but not as insightful as multiple regression analysis (for example, partition stocks into high volatility and low volatility, as measured by market Beta). b. Incorrect. Ratio analysis provides some insight, but it is only designed to provide data on the relative composition of interest-bearing instruments versus stock investments. More information can be gathered through multiple regression. c. Incorrect. Trend analysis only verifies that a change has taken place and shows the broad nature of the change. It does not provide insight on the causes of the change in investment income.

Which of the following control procedures would be the least effective in preventing frauds in which purchase orders are issued to fictitious vendors? a. Require that all purchases be made from an authorized vendor list maintained independently of the individual placing the purchase order. b. Require that only preapproved vendors be paid for purchases, based on actual production. c. Require contracts with all major vendors from whom production components are purchased. d. Require that total purchases from all vendors for a month not exceed the total budgeted purchases for that month.

d. Correct. This would be the least effective because it controls the total amount of expenditures, but does not control where the purchase orders are placed or whether there is receipt of goods for the items purchased. a. Incorrect. This would be an effective procedure because it would prevent the addition of a fictitious company to the authorized vendor list. b. Incorrect. This would be effective because a vendor would not be paid if parts were not used in actual production. c. Incorrect. This would also be effective because it would ensure that all vendors are authorized.

Which of the following would indicate that fraud may be taking place in a marketing department? a. There is no documentation for some fairly large expenditures made to a new vendor. b. A manager appears to be living a lifestyle that is in excess of what could be provided by a marketing manager's salary. c. The control environment can best be described as "very loose." However, this attitude is justified by management on the grounds that it is needed for creativity. d. All of the above.

d. Correct. Unsupported transactions, lavish lifestyles, and weak control environments are all considered fraud symptoms that should heighten the auditor's awareness of potential fraud. a. Incorrect. This is considered a potential fraud symptom, but so are the other items. b. Incorrect. See answer "a". c. Incorrect. See answer "a".

Upon obtaining factual documentation of unethical business conduct by the vice president to whom the chief audit executive (CAE) reports, the CAE should: a. Conduct an investigation to determine the extent of the vice president's involvement in the unethical acts. b. Confront the vice president with the facts before proceeding. c. Schedule an audit of the business function involved. d. Report the facts to the chief executive officer and the audit committee.

d. Correct. Upon the discovery of fraud or unethical conduct, the chief audit executive should inform executive management and the audit committee. a. Incorrect. This is a management decision. b. Incorrect. This is a management responsibility. c. Incorrect. The chief audit executive should report the violation to senior management or the board before scheduling any audit activity.