IA exam 2 fall 2018 version
B. Explain why some internal audit functions limit the amount of resources they devote to consulting services.
The audit committee has concerns about too close a relationship between IA and operating management. Some IA functions want consulting to be an external process in order to keep assurance and consulting activities separate.
Observation development form
Inquiry
Observation development form based on info above
Inquiry
Two of our guest speakers spoke about the need for internal audit to take the lead in innovation and applying technology to their work. Both speakers mentioned several innovations that were being implemented by IA functions. Give two innovations and describe how each can improve internal audit practice.
1. Data analytics 2. Drones
Using the Three Lines of Defense Model, identify each "line" and describe the "line's" roles and responsibilities.
1st: CTO for Unit - Owns the data/processes risk and controls. Maintains security device, up-to-date software. 2nd: IT Security - Oversight of risks, controls and compliance. Design cybersecurity policies, training and testing. 3rd: Internal Audit - Independent objective assurance. Provide independent ongoing evaluation of preventative and detective measures.
8. Which of the following is an example of "whistleblowing"? A. A clerk in the shipping department reports to an internal auditor that the plant manager has ordered goods to be taken to an offsite storage location and booked as sales just prior to the cutoff date.
A. A clerk in the shipping department reports to an internal auditor that the plant manager has ordered goods to be taken to an offsite storage location and booked as sales just prior to the cutoff date.
12. A medium sized municipality provides 8.5 billion gallons of water per year for 31,000 customers. The water meters are replaced at least every five years to ensure accurate billing. The water department tracks unmetered water to identify water consumption that is not being billed. The department recently issued the following water activity report. Based on the activity reported for leaks repaired in the first quarter, an internal auditor would conclude that: A. Established operating standards are understood and are not being met B. Deviations from the goal should be analyzed and corrected C. The leak repair program is overstaffed D. The leak repair program is understaffed E. The operating standard should be changed
A. Established operating standards are understood and are not being met
Which of the following best describes an auditor's responsibility after noting some indicators of fraud? A. Expand activities to determine whether investigation is warranted B. Consult with external legal counsel to determine the course of action to be taken C. Contact the organization's external auditor for assistance D. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud E. Report the possibility of fraud to senior management and ask how to proceed
A. Expand activities to determine whether an investigation is warranted
Three of the most significant IT risks are confidentiality, integrity and availability. Describe each of these risks and provide an example of each within the context of the University's system of registration for class and recording and reporting grades.
Availability - the risk is that information is not available when needed. An example would be that students could not log on to register during their registration period because the system could not handle the level of activity and denied some students access to the system. Systems reliability and information integrity - information is able to be changed in an unauthorized manner or by persons not authorized to change it. An example would be that, because of a glitch in the system, faculty can enter grades not only for their class but for other classes as well. Confidentiality - information is disclosed to unauthorized individuals. An example: in making a program change, the programmer inadvertently gives view access to all students registered for the course so that they could not only see their own grades but the grades of other students in the class.
A company has a chief privacy officer (CPO) who develops policies and conducts training to help the company comply with privacy laws and regulations. In addition to the CPO, the function has a staff of four. Two of these staff members cycle to each location to review compliance with record retention policies and to make sure any sensitive data is appropriately secure. This is an example of: A. 1st LOD B. 2nd LOD C. 3rd LOD D. An operating control E. A process control
B. 2nd line of defense
9. Which of the following is an element of sampling risk? A. Selecting an audit procedure that is inconsistent with the audit objective B. Concluding that internal controls are not effective when in fact they are effective based on a sample that has multiple cases of control failure C. Failing to perform audit procedures that are required by the sampling plan D. Forgetting to apply the finite correction factor in determining sample size E. Failing to detect an error on a document that has been inspected by an auditor
B. Concluding that internal controls are not effective when in fact they are effective based on a sample that has multiple cases of control failure
7. Internal audit reports can be structured to motivate management to correct deficiencies. Which of the following report-writing techniques is most likely to be effective? A. Point out the procedural inadequacies and resulting improprieties in specific terms. B. Suggest practice improvements to the currently used procedures after indicating the audit finding. C. Recommend changes and state the punitive measures that will follow if the recommendations are not implemented. D. List the deficiencies found so as to provide an easy-to-follow checklist. E. Direct the corrective action to be taken.
B. Suggest practice improvements to the currently used procedures after indicating the audit finding
The Institute of Internal Auditors defines internal auditing as an objective assurance and consulting activity. A. Compare and contrast assurance and consulting services
Both consulting and assurance are services that IA can provide that add value. Attribute and performance standards apply to both types of internal audit services. The fundamental difference is that assurance involves 3 parties and consulting is between the internal auditor and the client. Because of the need to protect the interests of the 3rd party user, several things differ about the engagements. Consulting is client driven and assurance is risk driven.
In a report an internal auditor writes, "nothing has come to our attention which indicated the system of internal controls is ineffective." This is an example of: A. A declination of opinion B. A positive assurance opinion C. A negative assurance opinion D. A qualified opinion E. A clean opinion
C. A negative assurance opinion
How should an organization handle an anonymous accusation from an employee that a supervisor in the organization has manipulated time reports? a. Assign an internal audit staff member to review the time reports for the past 6 months in the supervisor's area b. Make a record of the accusation, but do nothing, as anonymous accusations are rarely true c. Make an assessment of the facts against pre-established criteria for determining whether to investigate or not d. Turn the issue over to the human resource department as anonymous accusations typically come from HR problems e. Engage an outside attorney to conduct an investigation of the allegation and prepare a report for the audit committee
C. Make an assessment of the facts against pre-established criteria for determining whether to investigate or not
Audit report content and format may vary; but according to The International Standards of Professional Practice of Internal Auditing which of the following is a necessary element? A. Status of findings from prior reports B. The audit's views about the engagement's conclusions C. Statement of what was covered in the engagement D. Documentation of previous oral communications with area management E. Related activities not examined in the engagement
C. Statement of what was covered in the engagement
When an internal auditor is conducting a fraud investigation there are several legal hazards the auditor must consider. Describe each of the hazards below and indicate how the internal auditor might mitigate the risk of each: (1) Compounding a felony; (2) False imprisonment.
Compounding a felony -- This can occur when the company makes a deal with the person (employee) committing the wrongdoing: that they will not prosecute if the person says, pays back the loss, and resigns. Only the state can punish or forgive. The company cannot lawfully bargain for restitution by telling the employee no prosecution will take place. IA should not offer any deals for information or make representations about not prosecuting. False imprisonment -- Can occur if the internal auditor uses unreasonable restraint of the wrongdoer's (employee's) freedom of movement. To avoid accusation, have two people present during the interview and do not seat anyone so as to block the room's exits.
Pro Card E. Assume that the sample size you took was 75 and that you found 2 errors. Evaluate these results and indicate what, if any, further action is necessary.
Conclude that reconciliation process of control is working effectively (i.e. at least 90% of the time) with 95% confidence.
11. Which of the following is/are barriers to internal auditors using data analytics in achieving engagement objectives? I. Knowing what data exists and where to find it II. Poorly defining the scope of the intended use of data analytics III. Data analytic software is limited in the number of records it can process IV. The effort required to cleanse and prepare data for import to the data analytic tool
D. I, II, and IV only
10. An audit of an organization's claims department determined that a large number of duplicate payments had been issued due to problems in the claims processing system. During the exit conference, the vice president of the claims department informed the auditors that attempts to recover the duplicate payments would be initiated immediately and that the claims processing system would be enhanced within 6 months to correct the problems. Based on this response, the CAE should: D. Monitor the status of corrective action and schedule a follow-up engagement when appropriate. Schedule a follow-up engagement within six months to assess the status of corrective action.
D. Monitor the status of corrective action and schedule a follow-up engagement when appropriate. (Schedule a follow-up engagement within six months to assess the status of corrective action.)
5. An internal auditor has set an engagement objective of determining whether mailroom staff is fully used. Which of the following engagement techniques will best meet this objective? a. Inquiry of the mailroom staff b. Inquiry of the managers overseeing the mailroom c. Inspection of documents d. Observation e. Analytical review
D. Observation
1. Which of the following most completely describes the appropriate content of a work paper? A. Audit objectives, procedures, and conclusions B. Purpose, criteria, condition, effects, and recommendations C. Audit subject, purpose, sampling information, and analysis D. Purpose, procedures, facts and conclusions/recommendations E. Date, client, title, preparer's and reviewer's initials
D. Purpose, procedures, facts, and conclusions/recommendations
The COO has requested the internal audit group advise her regarding the new incentive plan being developed for sales representatives. Which of the following tasks should the CAE decline with respect to providing advice to the COO? A. Determining how to best document the support for amounts paid to provide a sufficient audit trail. B. Researching and benchmarking incentive plans provided by other companies in the industry. C. Identify what new risks the incentive plan introduces to the organization D. Recommending monitoring procedures so that appropriate amounts are paid out under the plan E. Determining the appropriate bonus formula for inclusion in the plan.
E. Determining the appropriate bonus formula for inclusion in the plan
Internal auditors may provide consulting services that add value and improve an organization's operations. The performance of these services: A. Precludes generation of assurance from the consulting engagement B. Imposes no responsibility to communicate information other than to the consulting client C. Is based on the area's priority in the audit activity's assessment of the audit universe. D. Impairs internal auditors' objectivity with respect to an assurance service involving the same engagement client E. Should be consistent with a type of consulting activity authorized in the internal audit charter.
E. Should be consistent with a type of consulting activity authorized in the internal audit charter
What are two ways in which potential consulting engagements are identified for internal audit to undertake?
1. Engagements are proposed during the annual risk assessment process and, if identified as high priority, included in the annual internal audit plan. 2. Specific engagements are requested by management.
Identify three of the seven elements and describe how an organization might implement each of the three elements you have identified.
First, you must create policies and procedures for your compliance and ethics program. It must be outlined and detailed, usually created by higher up management. Second, you must have a chief compliance officer, or someone to report to in case of compliance or ethical issues. An effective compliance program needs a reportable figure. Thirdly, you need a regular review of policies and procedures. Continued oversight, additional and evolution of the compliance program is key. Also, it needs to allow for audit monitoring.
Assume you took a random sample of 90 and found 3 errors. State your conclusion in proper form.
From the table, we conclude with 90% confidence that the error rate is less than 8% and that the control is effective (CUPL<TER, 7.3%<8%)
Which of the following statements about the differences between the assurance and the consulting roles of the IA are correct? I. IA's involvement in a consulting engagement is generally at the request of management II. During consulting engagements the auditor is able to implement improvements in ERM III. During consulting engagements IA only recommends improvements, management is free to accept or reject the IA's proposals IV. Unlike assurance activities, consulting does not have to be defined in the IA charter
I and III only
7. An internal audit department has been requested to perform an audit to determine whether the organization was in compliance with a particular set of laws and regulations. The audit did not reveal any issues of noncompliance but did reveal that the organization did not have an established system to ensure compliance with the applicable laws and regulations. The auditor's responsibility is to: I. Report that no significant compliance issues were noted II. Report that the organization has a significant risk exposure because management has not established a system to ensure compliance III. Meet with management to determine what corrective action will be taken IV. Refer the matter to the organization's outside legal counsel for their consideration
I, II, and III only
Which of the following would typically be part of the agenda for an opening meeting? I. Discussion of business objectives, risks and key processes II. Review of the audit process and timeline III. Review of audit objectives and scope IV. Presentation by audit of how they have addressed findings from the last audit
I, II, and III only
Which of the following should an internal auditor consider before taking his or her concerns outside the organization? I. The risk and consequences involved in the area of concern are serious II. The probability that the organization's existing management and governance mechanisms cannot or will not address the risk III. The potential reward for reporting wrongdoing to authorities IV. That the concerns are supported by substantial credible evidence
I, II, and IV only
12. Which of the following are acceptable approaches for considering fraud while conducting internal audit activities? I. Auditing management's controls over fraud II. Designing and implementing the organization's anti-fraud program III. Auditing to detect likely fraud by testing high risk processes, with the intention of looking for indicators of fraud, within the organization and with external business relationships IV. Considering fraud as part of every audit
I, III, and IV only
How do the unprecedented business and regulatory changes we are experiencing impact what will be effective internal auditing in the future?
Management relies on IA to provide assurance on the effectiveness of internal controls and company processes, while also providing support to a diverse array of risk management and business process improvements. Because of how recent developments in technology are affecting the way business is operationalized, stakeholders also expect IA to cope with the volatility. It is further expected to elevate its profile to have the ability to identify, anticipate, assess and address emerging risks coming out of business changes; transform the IA function to provide improved strategic value to stakeholders; provide cost efficiencies to the business; and anticipate change and risk rather than looking backward.
Define cyber security
Measures taken to protect a computer or computer system (as on the internet) against unauthorized access or attack
Describe the role of the "closing" (exit) conference in the audit process? What general objectives does this meeting have?
Meet with the auditee and go over findings + one of the objectives below: The primary objective of the closing conference is to ensure quality of the audit report. Other objectives include: obtaining the auditee's response, selling audit findings and recommendations to the auditee, developing good relations with the auditee, and developing the professionalism of audit staff members.
What role does whistleblowing play in establishing an ethical culture in an organization?
Members of the organization need to be encouraged to speak up regarding misconduct in the organization and not fear retaliation.
What role does "whistleblowing" play in establishing an ethical culture in an organization?
Members of the organization need to be encouraged to speak up regarding misconduct in the organization and not fear retaliation. They should be encouraged to use internal mechanisms for reporting and be willing to go around the chain of command. In an organization with a good ethical culture, this should be handled without the person needing to go outside the organization.
Name two sources of cyber threats
Nation-states, cybercriminals, hacktivists, insiders and service providers
Explain the difference between positive and negative assurance. Which provides the greatest level of assurance?
Positive assurance: In providing positive assurance, the auditor takes a definite position, which may be binary in nature; for example, that the internal controls are or are not effective in the situation or that risks are or are not being effectively managed. Negative assurance: A statement that nothing came to the auditor's attention about a particular objective, such as the effectiveness of a system of internal control, adequacy of a risk management process, or any other specific matter. The internal auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. Positive assurance provides the greatest level of assurance.
Pro-Card B. If you want to take a statistical approach, describe a sampling plan you could use to do statistical sampling.
Randomly select 30 pro-card accounts, for each account randomly select a month to look at for the reconciliation.
Pro-Card. A. Describe a judgement (non-statistical) sampling approach you could take to perform this test.
Take the 5 largest volume accounts and examine the reconciliation for the most recent month
How are consulting engagements addressed in the annual internal audit plan?
The internal audit plan is created on an annual basis and includes those areas within the organization that have gone through the risk assessment process and were selected as priorities for the internal audit function. Although consulting engagements are often identified after the internal audit plan has been created, they usually are still subjected to the internal audit function's risk assessment process before being added to the internal audit plan.
Section VII. To test this control, identify the population from which you should select a sample to test this control
The time period you are covering in your audit (i.e. 11/1/2017-3/15/2017)
For a given sample unit in this population, what would be an "error"?
There is no initial on the papers
What is the board's role in the organization's ethics and compliance program?
To be knowledgeable about the ethics and compliance program and to provide reasonable oversight.
Define whistleblowing
To make known any harmful information to a government agency or other authority that is wholly outside of the organization
What is internal audit's role in the organization's ethics and compliance program?
To provide assurance to the board and management that the ethics and compliance program is effective. Risk of noncompliance is within an acceptable level.
Identify two specific types of consulting services an internal audit function might provide and describe how each can "add value" to the organization.
1. Training session of internal control -- improves internal control and risk management process. 2. Control self-assessment -- improves internal control.
Briefly describe how you could use the following techniques to select your sample units - assume your sample size is 90: (1) Simple random sample; (2) Haphazard selection.
Use a random number generator to generate 90 random numbers between the start and the ending number. Visit three receiving departments and pull 30 receiving reports from each location's clerk's file
Pro-Card C. Why would you want to use a statistical approach rather than a judgmental approach?
You are able to quantify the sampling risk
The chief compliance officer accepts a CAE position for a newly created internal audit activity. Three months later the new CCO asks the CAE to provide advice regarding an update of the compliance policy. What should the CAE do? a. Decline the consulting engagement b. Accept the consulting engagement, but remind the new CCO that the CAE had worked in the area c. Accept the consulting engagement, but have the external auditor review the CAE's advice d. Accept the consulting engagement, but have the senior internal auditor perform the work under the CAE's review e. Decline the consulting engagement, but have lunch with the COO to offer your advice off the record
b. Accept the consulting engagement, but remind the new COO that the CAE had worked in the area
The manager of a production line has the authority to order and receive replacement parts for all machinery that requires periodic maintenance. The internal auditor received an anonymous tip that the manager ordered substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier, and the money was divided between the manager and the family member. Which of the following internal controls would have most likely prevented this fraud from occurring? a. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items replaced. b. Comparison of the current quarter's maintenance expense with prior-period activity. c. Physical inventory testing of replacement parts for existing valuation d. Review of a test sample of parts invoices for proper authorization and receipt e. Check to see if there have been other reports about this manager; if none, do not investigate further as the report was anonymous
a. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items replaced.
10. An audit of an organization's claims department determined that a large number of duplicate payments had been issued due to problems in the claims processing system. During the exit conference, the vice president of the claims department informed the auditors that attempts to recover the duplicate payments would be initiated immediately and that the claims processing system would be enhanced within six months to correct the problems. Based on this response, the CAE should: a. Monitor the status of corrective action and schedule a follow up engagement when appropriate b. Not include the finding in the audit report as the issue is being addressed c. Schedule a follow up engagement within six months to assess the status of corrective action d. Discuss the findings with the audit committee and ask the committee to determine the appropriate follow up action e. Adjust the scope of the next regularly scheduled audit of the claims department to assess the controls within the claims processing system
a. Monitor the status of corrective action and schedule a follow up engagement when appropriate
Which of the following situations is most likely to be the subject of a written interim report to the engagement client? a. Open burning at a subsidiary plant poses a prospective violation of pollution regulations b. Seventy percent of the planned audit work has been completed with no significant adverse observations c. The engagement program has been expanded because of indications of possible fraud d. One of the employees has suggested to the auditor a process change that could decrease processing time by 5% e. The auditors have decided to substitute survey procedures for some of the planned detailed review of certain records
a. Open burning at a subsidiary plant poses a prospective violation of pollution regulations
Policies that classify information and set access rights and usage restrictions are examples of: a. End user controls b. IT governance controls c. IT application controls d. Output controls e. Processing controls
b. IT governance controls
1. Recommendations should be included in audit reports to: a. Ensure that the problems are resolved in a manner acceptable to the internal auditor b. Provide management with options for addressing audit findings c. Minimize the amount of time required to correct audit findings d. Establish the internal audit's credibility e. Guarantee that audit findings are addressed, regardless of cost
b. Provide management with options for addressing audit findings
9. An internal auditor is testing purchase orders to detect possible instances of fraudulent activity by an employee. Believing the occurrence rate of fraudulent purchases to be quite low, the auditor would like to specify the probability of observing at least one irregularity if it is true the rate of fraud is greater than expected. The appropriate sampling technique for this situation is: a. Block sampling b. Dollar-unit sampling c. Discovery sampling d. Acceptance sampling e. Stop or go sampling
c. Discovery sampling
Which of the following statements is correct regarding the performance of consulting activities by internal auditors? a. Consulting activities are simply an extension of the auditor's current work in providing recommendations. b. Consulting engagements that have a high potential cost savings should be undertaken before undertaking an assurance engagement identified by the annual risk assessment as high risk but without expected cost savings c. In consulting activities the nature and scope of services are agreed upon with the client rather than determined by the auditor d. Consulting activity, by definition, impair the independence of the auditor and therefore should only be performed on areas the internal audit department does not plan to audit in the future e. Consulting is a more proactive approach where the auditor takes the lead in analyzing problems, decides the best course of action, and implements solutions with assistance from management.
c. In consulting activities the nature and scope of services are agreed upon with the client rather than determined by the auditor
Which of the following is one of the seven elements that need to be present for an organization to have an effective compliance program? a. The organization uses the COSO Framework for the design of its internal control system b. The org has an audit committee c. The CEO and CFO must sign the org's Code of Ethical Conduct d. Standards are consistently enforced through appropriate discipline, including discipline of individuals responsible for failure to detect offense e. The org has a person appointed as General Counsel for the org
d. Standards are consistently enforced through appropriate discipline, including discipline of individuals responsible for failure to detect offense
To be sufficient, audit evidence should be: a. Directly related to the engagement observation and include all of the elements of an audit finding b. Obtained from a random sample c. Obtained from a credible source d. Well-documented and cross-referenced in the work papers e. Convincing enough for a prudent person to reach the same conclusion as the auditor
e. Convincing enough for a prudent person to reach the same conclusion as the auditor
A medium sized municipality provides 8.5 billion gallons of water per year for 31,000 customers. The water meters are replaced at least every 5 years to ensure accurate billing. The water department tracks unmetered water to identify water consumption that is not being billed. The department recently issued the following water activity report. Based on the activity reported for the meter replacement program, an internal auditor would conclude that: a. Established operating standards are understood and are being met b. Meters should be changed every 3 years c. Any corrective action needed has probably been taken during the quarter d. The operating standard should be changed e. Deviations from the goal should be analyzed and corrected
e. Deviations from the goal should be analyzed and corrected
1. Which of the following statements is true regarding engagement work papers? a. Copies of all documents examined should be included in the work papers b. Workpapers should be retained for five years c. Using prior work papers can help the auditor avoid "over-auditing" d. Workpapers must be paper documents e. Each work paper should be signed and dated by the internal auditor performing the work
e. Each work paper should be signed and dated by the internal auditor performing the work
Which of the following is true regarding entity-level controls? a. In terms of the 5 elements in the COSO model, entity level controls occur only as part of the control environment b. Entity level controls are those controls set by the organization's governing body c. Process-level controls can mitigate weaknesses in the entity level controls d. Entity level controls are preventive rather than detective e. Entity level controls operate across an entire entity
e. Entity level controls operate across an entire entity
Which of the following is a requirement of The International Standards for the Professional Practice of Internal Auditing? a. To evaluate annually the effectiveness of the audit committee b. To obtain an annual representation from management acknowledging management's responsibility for the design and implementation of internal controls to prevent illegal acts c. To issue annually an overall opinion on the adequacy of internal controls in the organization d. To certify that all errors or irregularities in the accounting records discovered within the fiscal year have been reported to the external auditors e. To assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives
e. To assess whether the IT governance of the organization sustains and supports the organization's strategies and objectives
Assume that you want to be 95% confident that the clerks correctly completed the monthly reconciliation of the Pro Card account 90% of the time. From previous work, you have an expectation that this is done correctly 97% of the time. What is the initial sample size you would plan for the audit test?
n=61
You set the confidence level at 90% and a tolerable deviation rate of 8%. From audits in other divisions, you expect a deviation rate of 3% for this type of control. What is the initial sample size you would use for this test?
n=65
