Gleim Part 2 Unit 2

An internal auditor is conducting an audit of a contract to build a new branch office. The auditor should consider whether the 1.Materials used in construction meet specified contractual standards. 2.Contractor has established a fraud hotline. 3.Construction is on schedule. A.1 and 2 only. B.1 and 3 only. C.2 and 3 only. D.1, 2, and 3.

1 and 3 only.Answer (B) is correct.The purpose of a contract audit is to determine whether the contractor is performing as specified in the contract. Whether the contractor has a fraud hotline is of no concern to the entity and is beyond the scope of a contract audit.

Which one of the following is not a core principle of total quality management (TQM)? A.A focus on customers and stakeholders. B.Participation and teamwork by everyone in the organization. C.A process focus supported by continuous improvement and learning. D.A focus on technological breakthroughs.

A focus on technological breakthroughs.Answer (D) is correct.The core principles of total quality management (TQM) are emphasis on the customer, continuous improvement, and engaging every employee in the pursuit of total quality.

An operational engagement relating to the production function includes a procedure to compare actual costs with standard costs. The purpose of this engagement procedure is to A.Determine the accuracy of the system used to record actual costs B.Measure the effectiveness of the standard cost system. C.Assess the reasonableness of standard costs. D.Assist management in its evaluation of effectiveness and efficiency.

Assist management in its evaluation of effectiveness and efficiency.Answer (D) is correct.An operational engagement (audit) assesses the efficiency and effectiveness of an organization's operations. A comparison of actual and standard costs addresses efficiency and effectiveness.

Which of the following statements about control self-assessment (CSA) is false? A.CSA is usually an informal and undocumented process. B.In its purest form, CSA integrates business objectives and risks with control processes C.CSA is also known as control/risk self-assessment. D.Most implemented CSA programs share some key features and goals.

CSA is usually an informal and undocumented process.Answer (A) is correct.A methodology encompassing self-assessment surveys and facilitated workshops called CSA is a useful and efficient approach for managers and internal auditors to collaborate in assessing and evaluating control procedures. The process is a formal and documented way of allowing participation by those who are directly involved in the business unit, function, or process.

A sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes the cost may be too high and has asked for a review by the internal audit activity. Which of the following procedures would be the least useful to determine the effectiveness of the promotion? Comparing product sales during the promotion period with sales during a similar non-promotion period. Comparing the unit cost of the products sold before and during the promotion period. Performing an analysis of marginal revenue and marginal cost for the promotion period, compared to the period before the promotion. Performing a review of the sales department's benchmarks used to determine the success of a promotion.

Comparing the unit cost of the products sold before and during the promotion period.

The balanced scorecard provides an action plan for achieving competitive success by focusing management attention on critical success factors. Which one of the following is not one of the perspectives on the business into which critical success factors are commonly grouped in the balanced scorecard? A.Competitor business strategies. B.Financial performance. C.Internal business processes. D.Employee innovation and learning.

Competitor business strategies.Answer (A) is correct.A typical balanced scorecard classifies critical success factors and measures into one of four perspectives on the business: financial, customer satisfaction, internal business processes, and learning and growth.

Personal information may include 1.Medical status 2.Social status 3.Credit records 4.Disciplinary actions A.1, 2, and 4 only. B.1 only. C.1 and 2 only. D.1, 2, 3, and 4.

1, 2, 3, and 4.Answer (D) is correct.Personal information may include the following: (1) medical status, (2) social status, (3) family relationships, (4) disciplinary actions, (5) name, (6) address, (7) identification numbers, (8) income, (9) financial status, (10) comments, (11) employee files, (12) evaluations, and (13) credit records.

Which of the following are forms of punishment for those who violate an organization's code of conduct? 1. A warning 2. Loss of pay 3. Suspension 4. TerminationA.1 and 2 only.B.1, 3, and 4 only.C.1, 2, and 3 only.D.1, 2, 3, and 4.

1, 2, 3, and 4.Answer (D) is correct.Those who violate the code of conduct should receive punishment appropriate to the offense, such as a warning, loss of pay, suspension, transfer, or termination. Thus, if an employee is found to have committed some illegal act, the organization might have to terminate that employee. This action is consistent with the organization's obligation to use due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a tendency to commit crimes.

An example of an item that would fall under the customer perspective on the balanced scorecard of an airline is A.Customer complaints will decrease by 10%. B.Customers will have to wait no longer than 15 minutes to check their bags. C.90% of the flights will arrive on time. D.Three new in-flight meals will replace existing offerings that are unpopular with customers.

Customer complaints will decrease by 10%.Answer (A) is correct.The customer perspective defines the value proposition that the organization will use in order to satisfy customers and generate more sales to the targeted customer segments. The measures that are selected for the customer perspective should measure customer satisfaction. A decrease in customer complaints indicates that customer satisfaction is increasing.

Which of the following balanced scorecard perspectives examines a company's success in targeted market segments? A.Financial. B.Customer. C.Internal business process. D.Learning and growth.

Customer.Answer (B) is correct.Any critical success factor that addresses some aspect of the target market is included in the customer perspective.

On a balanced scorecard, which is more of an internal process measure than an external-based measure? A.Cycle time. B.Profitability. C.Customer satisfaction. D.Market share.

Cycle time.Answer (A) is correct.Cycle time is the manufacturing time to complete an order. Thus, cycle time is strictly related to internal processes. Profitability is a combination of internal and external considerations. Customer satisfaction and market share are related to how customers perceive a product and how competitors react.

Which of the following is a characteristic of total quality management (TQM)? A.Management by objectives. B.On-the-job training by other workers. C.Quality by final inspection. D.Employee training and empowerment.

Employee training and empowerment.Answer (D) is correct.Employee training and empowerment are essential. Accordingly, continuous improvement should be everyone's primary career objective.

Which of the following is part of the board's role in protecting against privacy threats? Determining whether the use of the information collected is in accordance with its intended use and the laws. Establishing a privacy framework. Identifying the information gathered by the organization that is deemed personal or private. Identifying the methods used to collect information.

Establishing a privacy framework.

Which one of the following statements best describes the definition of critical success factors? A.Financial measures that track a company's competitive performance. B.Financial and nonfinancial aspects of performance that are essential to have a competitive advantage. C.The key nonfinancial performance indicators on a balanced scorecard. D.The aspects of a business that are focused on measuring key costs.

Financial and nonfinancial aspects of performance that are essential to have a competitive advantage.Answer (B) is correct.Critical success factors are specific, measurable financial and nonfinancial elements of a firm's performance that are vital to its competitive advantage.

Which of the following is a key to successful total quality management (TQM)? A.Training quality inspectors. B.Focusing intensely on the customer. C.Creating appropriate hierarchies to increase efficiency. D.Establishing a well-defined quality standard, then focusing on meeting it.

Focusing intensely on the customer.Answer (B) is correct.TQM emphasizes satisfaction of customers, both internal and external. TQM considers the supplier's relationship with the customer, identifies customer needs, and recognizes that everyone in a process is at some time a customer or supplier of someone else, either inside or outside of the organization.

Consider the following categories of performance measures. I.Profitability measures. II.Customer-satisfaction measures. III.Efficiency, quality, and time measures. IV.Innovation measures. A cruise line operates on a national scale in a very competitive marketplace. In view of this information, which measures should the company use in the evaluation of its managers? A.I only. B.I and II. C.II and III. D.I, II, III, and IV.

I, II, III, and IV.Answer (D) is correct.The four categories of performance measures listed embody the four perspectives on the business contained in the classic balanced scorecard. Any company can benefit from generating performance measures in all four perspectives.

A privacy audit focuses on an organization's ability to Achieve its objectives efficiently and effectively. Measure performance and analyze deficiencies. Implement controls for the management of private information. Meet users' needs reliably.

Implement controls for the management of private information.

Which one of the three primary types of CSA programs allows for the chief audit executive (CAE) to synthesize information provided by management with other information to enhance the understanding about controls and to share the knowledge? A.Facilitated approach. B.Self-certification approach. C.Questionnaire approach. D.Auditor-produced analysis.

Self-certification approach.Answer (B) is correct.The form of self-assessment is based on management-produced analyses to produce information about selected business processes, risk management activities, and control procedures. The internal auditor may synthesize this analysis with other information to enhance the understanding about controls and to share the knowledge with managers in business or functional units as part of the organization's CSA program.

Providing assurance that the approved quality structures are in place is the responsibility of the A.Audit committee. B.Production manager. C.Internal audit activity. D.Chief audit executive.

Internal audit activity.Answer (C) is correct.The internal audit activity's role is to provide assurance that the approved quality structures are in place and quality processes are functioning as intended.

According to the modern view, quality A.Emphasizes the detection of products that do not meet standards. B.Is limited to the production of goods and services C.Should be a separate business function. D.Is a value-adding activity.

Is a value-adding activity.Answer (D) is correct.The modern view of quality is the basis for total quality management (TQM). It addresses quality from multiple perspectives, one of which is value, the relation of quality and price.

An organization with an effective regulatory compliance program displays which of the following characteristics? It disciplines those who knew of the misconduct and did not report it, but not those who should have known but did not know. It punishes unethical or illegal activity based on seniority. It thoroughly documents employee discipline. After an offense is detected, the organization takes the necessary steps, short of modifying its program, to prevent further similar offenses.

It thoroughly documents employee discipline.

Under the balanced scorecard concept, employee satisfaction and retention are measures used under which of the following perspectives? A.Customer. B.Internal business. C.Learning and growth. D.Financial.

Learning and growth.Answer (C) is correct.The level of employee satisfaction and retention directly relates to the learning and growth perspective.

A measurement of the reduction in employee turnover is reported in which of the categories of a balanced scorecard? A.Internal. B.Customer. C.Financial. D.Learning, growth, and innovation.

Learning, growth, and innovation.Answer (D) is correct.Employee turnover most likely is included in the learning, growth, and innovation category. These measures are the basis for future success and include people and infrastructure.

The reliability and integrity of all critical information of an organization, regardless of the media in which the information is stored, is the responsibility of A.Shareholders. B.IT department. C.Management. D.All employees.

Management.Answer (C) is correct.Internal auditors determine whether senior management and the board have a clear understanding that information reliability and integrity is a management responsibility. Information reliability and integrity includes accuracy, completeness, and security.

Managerial performance may be measured in many ways. For example, an internal nonfinancial measure is Customer satisfaction. Delivery performance. Manufacturing lead time. Market share.

Manufacturing lead time. This answer is correct.Feedback regarding managerial performance may take the form of financial and nonfinancial measures that may be internally or externally generated. Moreover, different measures have a long-term or short-term emphasis. Examples of internal nonfinancial measures are product quality, new product development time, and manufacturing lead time (cycle time).

Internal auditors need to consider protection of personally identifiable information obtained during an audit. Applicable laws most likely A.Do not establish requirements for an organization to implement privacy controls. B.Permit personal information to be used for any purpose if disclosure of a purpose was made at collection. C.May prohibit recording personal information in engagement records in some cases. D.Require personal information to be encrypted when recorded and stored in digital form.

May prohibit recording personal information in engagement records in some cases.Answer (C) is correct.Accessing, retrieving, reviewing, manipulating, or using personal information in conducting certain engagements may be inappropriate or illegal. If the internal auditor accesses personal information, procedures may be necessary to safeguard this information. For example, the internal auditor may not record personal information in engagement records in some situations.

Under a total quality management (TQM) approach, Quality control is performed by highly trained inspectors at the end of the production process. A large number of suppliers are used in order to obtain the lowest possible prices. Measurement occurs throughout the process, and errors are caught and corrected at the source. Upper management assumes the primary responsibility for the quality of the products and services.

Measurement occurs throughout the process, and errors are caught and corrected at the source.

Which of the following best describes a function of contract auditing? A.Reviewing the adequacy and effectiveness of the controls over hazardous waste. B.Determining whether the business justification for a major transaction is valid. C.Addressing the security of personal information. D.Monitoring and evaluating significant construction contracts.

Monitoring and evaluating significant construction contracts.Answer (D) is correct.Contract audits monitor and evaluate significant construction contracts and operating contracts that involve the provision of services. The usual arrangements are (1) lump-sum (fixed-price), (2) cost-plus, and (3) unit-price contracts.

Using the balanced scorecard approach, an organization evaluates managerial performance based onA. A single ultimate measure of operating results, such as residual income. B.Multiple financial and nonfinancial measures. C.Multiple nonfinancial measures only. D.Multiple financial measures only.

Multiple financial and nonfinancial measures.Answer (B) is correct.The trend in managerial performance evaluation is the balanced scorecard approach. Multiple measures of performance permit a determination as to whether a manager is achieving certain objectives at the expense of others that may be equally or more important. These measures may be financial or nonfinancial and usually include items in four categories: (1) financial; (2) customer; (3) internal business processes; and (4) learning, growth, and innovation.

The aim of which format of the facilitated approach is to decide whether procedures are working effectively? A.Control-based format. B.Objective-based format. C.Process-based format. D.Risk-based format.

Objective-based format.Answer (B) is correct.An objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the procedures presently in place to support the objective and then determines the residual risks remaining. The aim of the workshop is to decide whether the procedures are working effectively and are resulting in residual risks within an acceptable level.C.Process-based format.

Which type of format of control self-assessment (CSA) facilitated approaches focuses on the best way to accomplish the goals of the organization? A.Process-based format. B.Control-based format. C.Risk-based format. D.Objective-based format.

Objective-based format.Answer (D) is correct.An objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls presently in place to support the objective and then determines the residual risk remaining.

A determination of cost savings is most likely to be an objective of a(n) Operational engagement. Compliance engagement. Program-results engagement. Financial engagement.

Operational engagement. This answer is correct.An operational engagement (audit) assesses the efficiency and effectiveness of an organization's operations.

Which of the following is a false statement about the relationship between internal auditors and external auditors? Sufficient meetings are scheduled between internal and external auditors to ensure timely and efficient completion of the work. Oversight of the work of external auditors is the responsibility of the chief audit executive. Internal auditors may provide engagement work programs and working papers to external auditors. Internal and external auditors may exchange engagement communications and management letters.

Oversight of the work of external auditors is the responsibility of the chief audit executive. This answer is correct.Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the CAE (Perf. Std. 2050).

Which type of engagement attempts to measure the accomplishment and relative success of the undertaking? Privacy engagement. Program-results engagement. Process engagement. Compliance engagement.

Program-results engagement.

The ability to measure effectiveness is a special concern in a A.Process engagement. B.Program-results engagement. C.Functional engagement. D.Compliance audit.

Program-results engagement.Answer (B) is correct.Program-results engagements are intended to obtain information about the costs, outputs, benefits, and effects of a program. They attempt to measure the accomplishment and relative success of the undertaking. Because benefits often cannot be quantified in financial terms, a special concern is the ability to measure effectiveness. Thus, clear definitions of objectives and standards should be provided at the outset of the program.

TQM is the continuous pursuit of quality in every aspect of organizational activities through a number of goals. Which of the following is not one of those goals? A.A philosophy of doing it right the first time. B.Promotion of individual work. C.Employee training and empowerment. D.Improvement of processes.

Promotion of individual work.Answer (B) is correct.TQM is the continuous pursuit of quality in every aspect of organizational activities through (1) a philosophy of doing it right the first time, (2) employee training and empowerment, (3) promotion of teamwork, (4) improvement of processes, and (5) attention to satisfaction of customers, both internal and external.

Which of the three primary approaches of CSA programs should be used if management wants to minimize the time spent and costs incurred in gathering the information? A.Self-certification approach. B.Facilitated approach. C.Auditor-produced analysis. D.Questionnaire approach.

Questionnaire approach.Answer (D) is correct.The questionnaire approach of CSA uses a questionnaire that tends to ask mostly simple "Yes/No" or "Have/Have Not" questions that are carefully written to be understood by the target recipients. They are preferred if the culture in the organization may hinder open, candid discussions in workshop settings or if management desires to minimize the time spent and costs incurred in gathering the information.

A sign of the successful implementation of a balanced scorecard is the presence of cause-and-effect relationship. An example of this success for a hotel is meeting the target of A.Decreasing a customer's check-in time, which causes an increase in the number of implemented employee suggestions. B.Increasing employee training hours, which causes employee compensation to increase. C.Increasing profit, which causes an increase in employee job satisfaction ratings. D.Receiving more 5-star ratings from customers, which causes an increase in profit

Receiving more 5-star ratings from customers, which causes an increase in profit.Answer (D) is correct.The balanced scorecard is an accounting report that connects the firm's critical success factors to measurements of its performance. Key performance indicators are specific, measurable financial and nonfinancial elements of a firm's performance that are vital to its competitive advantage. A typical balanced scorecard has four perspectives: financial, customer satisfaction, internal business processes, and learning and growth.

What is the best description of information technology (IT) assurance? A.Review of controls that focus on an organization's ability to comply with established labor laws and policies. B.Review and testing of IT to assure the integrity of information. C.Determining that year-to-year growth in sales is measurable using accounting methods. D.Reviewing credit policies to determine whether only qualified customers are being granted favorable credit terms.

Review and testing of IT to assure the integrity of information.Answer (B) is correct.IT assurance is the review and testing of IT (for example, computers, technology infrastructure, IT governance, mobile devices, and cloud computing) to assure the integrity of information. Traditionally, IT auditing has been done in separate projects by IT audit specialists, but increasingly it is being integrated into all audits.

Which of the following procedures is the most valuable in an engagement involving the traffic department operations of a large manufacturer? Trace selected items from the weekly demurrage (car detention charge) report to supporting documentation. Obtain written confirmation from the regulatory agencies that all carriers used are properly licensed and bonded. Verify that all bills of lading are prenumbered. Review procedures for selection of routes and carriers.

Review procedures for selection of routes and carriers. This answer is correct.An operational engagement examines the premises and policies for day-to-day activities, as well as the transaction flow that is the concern of the evaluation of controls. Selection of routes and carriers is the chief function of the department, and poor practice may lead to materially excessive shipping costs or serious delays. Hence, an internal auditor conducting an operational engagement should review the procedures for selection of routes and carriers.

An auditor is scheduled to audit payroll controls for an organization that has recently outsourced its information processing to an external service provider (ESP). The ESP's external auditor has issued reports pertaining to the ESP's controls and made it readily available to the internal auditor. What action should the auditor take, considering the outsourcing decision? Review only the organization's controls over data sent to and received from the ESP. Review only the ESP's external auditor. Cancel the engagement because the processing is being performed outside of the organization. Review the control reports and ensure that the ESP's external auditor is credible and reliable.

Review the control reports and ensure that the ESP's external auditor is credible and reliable.

An auditor is scheduled to audit payroll controls for an organization that has recently outsourced its information processing to an external service provider (ESP). What action should the auditor take, considering the outsourcing decision? A.Review the controls over payroll in both the organization and the ESP. B.Review only the organization's controls over data sent to and received from the ESP. C.Review only the controls over payments to the ESP based on the contract. D.Cancel the engagement because the processing is being performed outside of the organization.

Review the controls over payroll in both the organization and the ESP.Answer (A) is correct.Engagements involving third parties may be necessary when vital controls affecting transactions exist outside the organization. One example is the outsourcing of the organization's information processing function to an external service provider (ESP). Although the processing is being performed outside the organization, the ESP is an extension of the organization's information systems. As a result, control risk may be higher because an external organization's controls are part of the organization's controls. Also, the recency of the change and the complexity of communicating between the organization and the ESP increase the risk.

An assurance map represents an organization's risks and assurance activities. It may include specific assurance providers, risk, assurance levels, urgency of issues, and actions to be taken. Which of the following is a true statement about the elements of an assurance map? A.Management provides assurance through the external auditor. B.Risk is determined by considering the inherent risk of an activity. C.The higher the assurance, the less important the issue. D.The level of assurance is determined by the internal control framework used.

Risk is determined by considering the inherent risk of an activity.Answer (B) is correct.In an assurance map, risk is determined by judging (1) the inherent risk of the activity (the risk that internal controls may not prevent or detect noncompliance) and (2) the potential consequences of noncompliance.

Which type of facilitated approach format begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective? A.Objective-based format. B.Control-based format. C.Process-based format. D.Risk-based format.

Risk-based format.Answer (D) is correct.A risk-based format focuses on listing the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and, then, examining the control procedures to determine if they are sufficient to manage the key risks. The aim of the workshop is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls formula.

Which of the following activities is outside the scope of internal auditing? A.Evaluating risk exposures regarding compliance with policies, procedures, and contracts. B.Safeguarding of assets. C.Evaluating risk exposures regarding compliance with laws and regulations. D.Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished.

Safeguarding of assets.Answer (B) is correct.Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit activity. However, the internal audit activity's assurance function evaluates the adequacy and effectiveness of controls related to the organization's governance, operations, and information systems regarding safeguarding assets (Impl. Std. 2130.A1).

Which of the following is a financial measure of success in a balanced scorecard? A.Market share. B.Sales growth. C.Cycle time. D.Staff morale.

Sales growth.Answer (B) is correct.Sales growth is a financial measure of success under the critical success factor of sales.

Which group is charged with overseeing the establishment, administration, and evaluation of the processes of risk management and control? A.Operating managers. B.Internal auditors. C.External auditors. D.Senior management.

Senior management.Answer (D) is correct.Senior management is charged with overseeing the establishment, administration, and evaluation of the processes of risk management and control. Operating managers' responsibilities include assessment of the risks and controls in their units. Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization.

Organizations have multiple external (extended) business relationships (EBRs). They most likely involve A.Suppliers. B.Major customers. C.Regulators. D.Service providers.

Service providers.Answer (D) is correct.EBRs may involve (1) service providers (e.g., for providing internal audit services, processing of payroll, sharing of services, or use of IT services), (2) supply-side partners (e.g., outsourcing of production or R&D), (3) demand-side partners (e.g., licensees or distributors), (4) strategic alliances and joint ventures (e.g., cost-, revenue-, and profit-sharing in media production and development), and (5) intellectual property (IP) partners (e.g., licensing of software).

Which of the following is the most important provision for an internal auditor to recommend for inclusion in a contract for the purchase of a business application system from a small start-up company? Source code escrow clause. Copyright clause. Right-to-audit clause. Limitation-of-liabilities clause.

Source code escrow clause. This answer is correct.A source code escrow clause requires the application source code to be held in escrow by a trusted third party. The third party releases the source code to the purchaser, or licensee, on the occurrence of an event, or events, specified in the clause.

The primary difference between operational engagements and financial engagements is that, in the latter, the internal auditors A.Are not concerned with whether the client entity is generating information in compliance with financial accounting standards. B.Are seeking to help management use resources in the most effective manner possible. C.Can use analytical skills and tools that are not necessary in financial engagements. D.Start with the financial statements of the client entity and work backward to the basic processes involved in producing them.

Start with the financial statements of the client entity and work backward to the basic processes involved in producing them.Answer (D) is correct.A financial engagement starts with financial statements to determine whether financial information was properly recorded and adequately supported. It also assesses whether the financial statement assertions about past performance are fair, accurate, and reliable.

Privacy of space is best defined as freedom from A.Invasion of physical privacy. B.Monitoring of communications. C.Surveillance. D.Disclosure of personal information by others.

Surveillance.Answer (C) is correct.Protection of personal information prevents such negative organizational consequences as legal liability and loss of reputation. The following are various definitions of privacy: (1) personal privacy (physical and psychological), (2) privacy of space (freedom from surveillance), (3) privacy of communication (freedom from monitoring), and (4) privacy of information (collection, use, and disclosure of personal information by others).

Which of the following statements about TQM is false? A.This approach can increase revenues and decrease costs significantly. B.TQM is a comprehensive approach to quality. C.TQM begins with internal suppliers' requirements. D.TQM concepts are applicable to the operations of the internal audit activity itself.

TQM begins with internal suppliers' requirements.Answer (C) is correct.The emergence of the total quality management (TQM) concept is one of the most significant developments in recent years because this approach can increase revenues and decrease costs significantly. TQM is a comprehensive approach to quality. It treats the pursuit of quality as a basic organizational function that is as important as production or marketing. TQM emphasizes the supplier's relationship with the customer. Thus, TQM begins with external customer requirements, identifies internal customer-supplier relationships and requirements, and establishes requirements for external suppliers. TQM concepts also are applicable to the operations of the internal audit activity itself. For example, periodic internal assessments of those operations may include benchmarking of the internal audit activity's practices and performance metrics against relevant best practices of the internal audit profession.

Which statement best describes total quality management (TQM)?A.TQM emphasizes reducing the cost of inspection. B.TQM emphasizes participation by all employees in the decision-making process. C.TQM implementation is quick and easy. D.TQM is the continuous pursuit of quality.

TQM is the continuous pursuit of quality.Answer (D) is correct.TQM is the continuous pursuit of quality in every aspect of organizational activities through (1) a philosophy of doing it right the first time, (2) employee training and empowerment, (3) promotion of teamwork, (4) improvement of processes, and (5) attention to satisfaction of customers, both internal and external.

One of the main reasons that implementation of a total quality management program works better through the use of teams is A.Teams are more efficient and help an organization reduce its staffing. B.Employee motivation is always higher for team members than for individual contributors. C.Teams are a natural vehicle for sharing ideas, which leads to process improvement. D.The use of teams eliminates the need for supervision, thereby allowing a company to reduce staffing.

Teams are a natural vehicle for sharing ideas, which leads to process improvement.Answer (C) is correct.TQM promotes teamwork by modifying or eliminating traditional (and rigid) vertical hierarchies and instead forming flexible groups of specialists. Quality circles, cross-functional teams, and self-managed teams are typical formats. Teams are an excellent vehicle for encouraging the sharing of ideas and removing process improvement obstacles.

In which of the following organizational structures does total quality management (TQM) work best? A.Hierarchical. B.Teams of people from the same specialty C.Teams of people from different specialties. D.Specialists working individually.

Teams of people from different specialties.Answer (C) is correct.TQM advocates replacement of the traditional hierarchical structure with teams of people from different specialties. This change follows from TQM's emphasis on empowering employees and teamwork.

Who determines whether the internal audit activity has access to resources sufficient to evaluate the reliability and integrity of information? A.The chief executive officer. B.The chief audit executive. C.The external auditor. D.The chief operating officer.

The chief audit executive.Answer (B) is correct.The chief audit executive determines whether the internal audit activity possesses, or has access to, competent audit resources to evaluate information reliability and integrity and associated risk exposures. This includes both internal and external risk exposures and exposures relating to the organization's relationships with outside entities.

In reviewing a cost-plus construction contract for a new catalog showroom, the internal auditor should be cognizant of the risk that A.The contractor could be charging for the use of equipment not used in the construction. B.Income taxes related to construction equipment depreciation may have been calculated erroneously. C.Contractor cash budgets could have been inappropriately compiled. D.Payroll taxes may have been inappropriately omitted from billings.

The contractor could be charging for the use of equipment not used in the construction.Answer (A) is correct.Under a cost-plus contract, the contractor receives a sum equal to cost plus a fixed amount or a percentage of cost. The disadvantages of this arrangement are that the contractor's incentive for controlling costs is reduced and the opportunity to overstate costs is created. Consequently, internal auditors should be involved in monitoring economy and efficiency not only during the earliest phases of construction but also from the outset of the planning process.

One of the main reasons total quality management (TQM) can be used as a strategic weapon is that A.The cumulative improvement from a company's TQM efforts cannot readily be copied by competitors. B.Introducing new products can lure customers away from competitors. C.Reduced costs associated with better quality can support higher shareholder dividends. D.TQM provides a comprehensive planning process for a business.

The cumulative improvement from a company's TQM efforts cannot readily be copied by competitors.Answer (A) is correct.Because TQM affects every aspect of the organization's activities, it permeates the organizational culture. Thus, the cumulative effect of TQM's continuous improvement process can attract and hold customers and cannot be duplicated by competitors.

An internal auditor is conducting an audit of environmental protection and alarm devices. Which is the most significant objective of such an assignment? To determine whether A.The devices are installed and operating properly. B.The costs of the devices were properly recorded. C.The device specification documents are complete. D.Acquisitions and disposals are properly authorized.

The devices are installed and operating properly.Answer (A) is correct.The objective should be to determine whether the devices are working properly. For this purpose, the internal auditor must observe an actual test of the operation.

Why should an organization use the survey form of control self-assessment (CSA)? A.Few respondents are required to respond. B.Respondents are not widely dispersed. C.No time constraint is involved. D.The organizational culture does not encourage openness.

The organizational culture does not encourage openness.Answer (D) is correct.The many approaches used for CSA processes in organizations reflect differences in industry, geography, structure, organizational culture, degree of employee empowerment, dominant management style, and the manner of formulating strategies and policies. The survey form of CSA uses a questionnaire that tends to ask mostly simple "Yes or No" questions that are carefully written to be understood by the target recipients. Surveys often are used if the desired respondents are too numerous or widely dispersed to participate in a workshop. They also are preferred (1) when the culture of the organization may hinder open, candid discussions in workshop settings or (2) if management wants to minimize the time spent and costs incurred in gathering information.

An internal audit plan should include a review of the organization's compliance program and its procedures, including reviews to determine all but which of the following? A.The effectiveness of written materials. B.The receipt of communications by employees. C.The appropriate handling of detected violations. D.The performance of full background checks on employees and new hires.

The performance of full background checks on employees and new hires.Answer (D) is correct.The audit plan should include a review of the compliance program and its procedures. The review should determine whether (1) written materials are effective, (2) communications have been received by employees, (3) detected violations have been appropriately handled, (4) discipline has been even-handed, (5) whistleblowers have been protected, and (6) the compliance unit has fulfilled its responsibilities. The auditors should review the compliance program to determine whether it can be improved and should solicit employee input. Moreover, organizations should screen applicants for employment at all levels and inquire as to past criminal convictions, taking care not to infringe upon employees' and applicants' privacy rights. However, a review of the performance of full background checks is not included in an audit plan as part of the review of an organization's compliance program.

Total quality management (TQM) in a manufacturing environment is best exemplified by Designing the product to minimize defects. Performing inspections to isolate defects as early as possible. Identifying and reworking production defects before sale. Making machine adjustments periodically to reduce defects.

Designing the product to minimize defects. This answer is correct.Total quality management emphasizes quality as a basic organizational function. TQM is the continuous pursuit of quality in every aspect of organizational activities. One of the basic tenets of TQM is doing it right the first time. Thus, errors should be caught and corrected at the source, and quality should be built in (designed in) from the start.

Which of the following does the internal auditor of a contracting company not have to review as thoroughly in a lump-sum contract?A.Progressive payments. B.Adjustments to labor costs. C.Work completed in accordance with the contract. D.Incentives associated with the contract.

Work completed in accordance with the contract.Answer (C) is correct.The internal auditor usually has little to evaluate when the work is performed in accordance with the contract. Further, the internal auditor may lack the technical expertise to know if the contract is being completed according to the terms.

Two examples of the learning and innovation measures of a balanced scorecard are A.Employee promotion rate and number of environmental incidents. B.Employee training hours and product defect rates. C.Number of employee suggestions and finished products per day per employee. D.Employee turnover rate and number of internal process improvements.

Employee turnover rate and number of internal process improvements.Answer (D) is correct.Learning and growth (innovation) critical success factors may include the development of new products, promptness of their introduction, human resource development, morale, and the competence of the work force. Both employee turnover rates and the number of internal process improvements are appropriate measures.

Briar Co. signed a government construction contract providing for a formula price of actual cost plus 10%. In addition, Briar was to receive one-half of any savings resulting from the formula price's being less than the target price of $2.2 million. Briar's actual costs incurred were $1,920,000. How much should Briar receive from the contract?A.$2,060,000 B.$2,112,000 C.$2,156,000 D.$2,200,000

$2,156,000Answer (C) is correct.The formula price is 110% of actual cost, or $2,112,000 ($1,920,000 × 110%), a savings of $88,000 on the $2,200,000 target price. Accordingly, the amount received should be $2,156,000 {$2,112,000 + [($2,200,000 - $2,112,000) × 50%]}.

An organization should use due care not to delegate substantial discretionary authority to individuals the organization knows have a propensity to engage in illegal activities. Which of the following are steps an organization can take to ensure that such individuals are detected?Screening of applicants for employment at all levels for evidence of past wrongdoing, especially past criminal convictions within the company's industry.Asking professionals about any history of discipline in front of licensing boards.Performing background checks without permission on employees' or applicants' credit reports to ensure that they are financially sound and are unlikely to commit theft or fraud. 1 and 2 only. 3 only. 1, 2, and 3. 1 only.

1 and 2 only. This answer is correct.As part of the exercise of due care, an organization can take a number of steps to protect itself against individuals who have a tendency to engage in illegal activities. For instance, an organization can screen applicants for employment at all levels for evidence of past wrongdoing, especially wrongdoing within the organization's industry. Furthermore, it may inquire as to past criminal convictions, and professionals may be asked about any history of discipline in front of licensing boards. Care should be taken, however, to ensure that the organization does not infringe upon employees' and applicants' privacy rights under applicable laws. Many jurisdictions have laws limiting the amount of information an organization may obtain in performing background checks on employees.

An ombudsperson is most effective when the individual 1. Is located on-site. 2. Reports to the chief compliance officer or the board of directors. 3. Is located off-site. 4. Reports to no one, thus ensuring a whistleblower's secrecy. A.2 only. B.1 and 2 only. C.1 and 4 only. D.3 and 4 only.

1 and 2 only.Answer (B) is correct.Use of an ombudsperson is more effective if the ombudsperson is located on-site, reports directly to the chief compliance officer or the board of directors, keeps the names of whistleblowers secret, provides guidance to whistleblowers, and undertakes follow-up review to ensure that retaliation has not occurred. An ombudsperson must report to someone at a high level in the organization who is empowered to initiate a change in organization policies based on the ombudsperson's findings; thus, reporting to no one is not an option. In addition, an ombudsperson's location on-site promotes employee confidence in the ombudsperson.

Control self-assessment is a process that involves employees in assessing the adequacy of controls and identifying opportunities for improvement within an organization. Which of the following are reasons to involve employees in this process? 1. Employees become more motivated to do their jobs right. 2.Employees are objective about their jobs. 3.Employees can provide an independent assessment of internal controls. 4.Managers want feedback from their employees. A.1 and 2. B.3 and 4. C.1 and 4. D.2 and 4.

1 and 4.Answer (C) is correct.Participation by employees has a positive effect on motivation because it tends to increase commitment to the job and results in greater personal satisfaction. Moreover, full employee participation requires two-way communication and therefore encourages feedback from employees

The element(s) of a control self-assessment (CSA) performed using one of the facilitated team workshop approaches include(s) Treating participating employees as process owners. Taking a simple yes/no survey of employees regarding risks and controls. Interviewing employees separately in the field. 2 only. 1 only. 2 and 3. 1, 2, and 3.

1 only. This answer is correct.According to The IIA, an element of CSA is the gathering of a group of people into a same-time/same-place meeting, typically involving a facilitation seating arrangement (U-shaped table) and a meeting facilitator. The participants are 'process owners', i.e., management and staff who are involved with the particular issues under examination, who know them best, and who are critical to the implementation of appropriate process controls.

Which of the following are approaches to a control self-assessment (CSA) program? 1.Facilitation 2.Cost-benefit 3.Survey 4.Self-certification A.1 and 2. B.1 and 3. C.1, 2, and 4. D.1, 3, and 4.

1, 3, and 4.Answer (D) is correct.The three primary approaches of CSA programs are (1) facilitation, (2) survey, and (3) self-certification.

The chief executive officer wants to know whether the purchasing function is properly meeting its charge to "conform to all laws at all costs." Which of the following types of engagements addresses this request? A.An operational engagement relating to the purchasing function. B.A financial engagement relating to the purchasing department. C.A compliance engagement relating to the purchasing function. D.A full-scope engagement relating to the manufacturing operation.

A compliance engagement relating to the purchasing function.Answer (C) is correct.A compliance engagement is a review of both financial and operating controls to assess conformance with established standards. It tests adherence to management's policies, procedures, and plans designed to ensure certain actions.

Discipline of employees may be limited by all of the following except A.Whistleblower laws. B.A requirement to report certain employee violations to a governmental entity. C.Union contracts. D.Exceptions to the employee-at-will doctrine.

A requirement to report certain employee violations to a governmental entity.Answer (B) is correct.Termination or other discipline of employees may be limited by (1) whistleblower laws; (2) exceptions to the employee-at-will doctrine (the right of an employer to fire an employee for any reason); (3) employee or union contracts; and (4) employer responsibilities with regard to discrimination, wrongful discharge, and requirements to act in good faith. However, a governmental requirement that an entity report certain employee violations is not itself a limitation on the employer's power to discipline employees.

A performance audit engagement typically involves A.Review of financial statement information, including the appropriateness of various accounting treatments. B.Tests of compliance with policies, procedures, laws, and regulations. C.A strategic analysis of the organization's key components that are essential to the organization's success. D.An evaluation of the board of directors' role in the operations of the organization.

A strategic analysis of the organization's key components that are essential to the organization's success.Answer (C) is correct.Performance audit engagements involve review of the business and control environment and key performance indicators against set criteria using balanced scorecards, SWOT analysis, and management control evaluation. A balanced scorecard is an evaluation of company performance against established criteria. SWOT analysis appraises the business and potentially the control environment.

Which of the following criteria would be most useful to a sales department manager in evaluating the performance of the manager's customer-service group? A.The customer is always right. B.Customer complaints should be processed promptly. C.Employees should maintain a positive attitude when dealing with customers. D.All customer inquiries should be answered within 7 days of receipt.

All customer inquiries should be answered within 7 days of receipt.Answer (D) is correct.A criterion that requires all customer inquiries to be answered within 7 days of receipt permits accurate measurement of performance. The quantitative and specific nature of the appraisal using this standard avoids the vagueness, subjectivity, and personal bias that may afflict other forms of personnel evaluations.

Control self-assessment (CSA) is a method for examining and evaluating the organization's system of control, which includes Risk analysis. Self-assessment approaches. Traditional internal auditing concepts. All of the answers are correct.

All of the answers are correct.

A program-results engagement A.Obtains information about the costs of the program. B.Attempts to measure the accomplishment and success of the program. C.Concerns the ability to measure the effectiveness of the program. D.All of the answers are correct.

All of the answers are correct.Answer (D) is correct.A program-results engagement is intended to obtain information about the costs, outputs, benefits, and effects of the program. It attempts to measure the accomplishment and relative success of the undertaking. Because benefits often cannot be quantified in financial terms, a special concern is the ability to measure effectiveness.

Assurance services involve an internal auditor's A.Appraisal of the efficiency of a function. B.Assessment of conformance with laws. C.Expression of opinions or conclusions. D.All of the answers are correct.

All of the answers are correct.Answer (D) is correct.According to the Introduction to the Standards, "Assurance services involve the internal auditor's objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters." For example, assurance services may be financial, compliance, or operational. Financial assurance provides analysis of the economic activity of an entity as measured and reported by accounting methods. Compliance assurance is the review of financial and operating controls to assess conformance with established laws, standards, regulations, policies, plans, procedures, contracts, and other requirements. Operational assurance is the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.

When evaluating management of the organization's privacy framework, the internal auditor considers A.The applicable laws relating to privacy. B.Conferring with in-house legal counsel. C.Conferring with information technology specialists. D.All of the answers are correct.

All of the answers are correct.Answer (D) is correct.In an evaluation of the privacy framework, the internal auditor considers the following: The various laws, regulations, and policies relating to privacy in the jurisdictions where the organization operates. Conferring with in-house legal counsel to determine the exact nature of laws, regulations, and other standards and practices applicable to the organization and the countries where it operates. Conferring with information technology specialists to determine that information security and data protection controls are in place and regularly reviewed and assessed for appropriateness. The level or maturity of privacy practices.

Which forms of control self-assessment assume that managers and members of work teams possess an understanding of risk and control concepts and use those concepts in communications? A.The self-certification approach. B.The self-certification approach and facilitated approach. C.The self-certification approach and questionnaire approach. D.All self-assessment programs.

All self-assessment programs.Answer (D) is correct.All self-assessment programs assume that managers and members of the work teams possess an understanding of risk and control concepts and using those concepts in communications. For training sessions, to facilitate the orderly flow of workshop discussions and as a check on the completeness of the overall process, organizations often use a control framework, such as the COSO (Committee of Sponsoring Organizations) and CoCo (Canadian Criteria of Control Board) models.

A program-results engagement is most likely to be performed on A.An activity not part of normal operations. B.The purchasing and receiving departments. C.Safety practices and scrap handling. D.Distribution of services and materials.

An activity not part of normal operations.Answer (A) is correct.A program is a funded activity not part of the normal, continuing operations of the organization, such as an expansion or a new information system.

Employees have the most confidence in a hotline monitored by which of the following? A.An expert from the legal department, backed by a nonretaliation policy. B.An in-house representative, backed by a retaliation policy. C.An on-site ombudsperson, backed by a nonretaliation policy. D.An off-site attorney who can better protect attorney-client privilege.

An on-site ombudsperson, backed by a nonretaliation policy.Answer (C) is correct.Although an attorney monitoring the hotline is better able to protect attorney-client and work-product privileges, one study observed that employees have little confidence in hotlines answered by the legal department or by an outside service. The same study showed that employees have even less confidence in write-in reports or an off-site ombudsperson, but have the most confidence in hotlines answered by an in-house representative (or an on-site ombudsperson) and backed by a nonretaliation policy.

The chief executive officer wants to know whether the purchasing function is properly meeting its charge to "purchase the right materials at the right time in the right quantities." Which of the following types of engagements addresses this request? A.A financial engagement relating to the purchasing department. B.An operational engagement relating to the purchasing function. C.A compliance engagement relating to the purchasing function. D.A full-scope engagement relating to the manufacturing operation.

An operational engagement relating to the purchasing function.Answer (B) is correct.An operational engagement (audit) assesses the efficiency and effectiveness of an organization's operations.

Which organization is least likely to have a good compliance environment? A.An international organization that creates a global compliance program that reflects local conditions, laws, and regulations .B.An organization that creates an organizational chart, identifying personnel who are responsible for implementing compliance programs. C.An organization whose code of conduct provides guidance to employees on relevant issues. D.An organization that rewards employees for charging travel hours to take advantage of the tax benefits.

An organization that rewards employees for charging travel hours to take advantage of the tax benefits.Answer (D) is correct.An organization using reward systems that attach financial incentives to apparently unethical or illegal behavior can expect a poor compliance environment. For instance, an organization rewarding employees for charging travel hours makes itself vulnerable to fraud. Employees may charge false travel hours to receive additional rewards. Thus, the tax benefit of such an incentive may be negated by fraudulent employee practices. A good compliance environment is created when an organizationDevelops a written, straightforward business code of conduct that clearly identifies prohibited activities, provides guidance to employees on relevant issues, and decreases the risk that employees will engage in unethical or illegal behavior.Creates an organizational chart identifying board members, senior officers, a senior compliance officer, and department personnel who are responsible for implementing compliance programs.Creates a compliance program on a global basis, not just for selective geographic locations, to reflect appropriate local conditions, laws, and regulations.

If a company is customer-centered, its customers are defined as A.Only people external to the company who have purchased something from the company. B.Only people internal to the company who directly use its product. C.Anyone external to the company and those internal who rely on its product to get their job done. D.Everybody external to the company who is currently doing, or may in the future do, business with the company.

Anyone external to the company and those internal who rely on its product to get their job done.Answer (C) is correct.One of the principles of TQM is customer orientation, whether the customer is internal or external. An internal customer is a member of the organization who relies on another member's work to accomplish his or her task.

A performance audit engagement typically involves Review of financial statement information, including the appropriateness of various accounting treatments. Tests of compliance with policies, procedures, laws, and regulations. Evaluation of organizational and departmental structures, including assessments of process flows. Appraisal of the business and control environment and comparison against established criteria.

Appraisal of the business and control environment and comparison against established criteria. This answer is correct.Performance audit engagements involve review of the business and control environment and key performance indicators against set criteria using balanced scorecards, SWOT analysis, and management control evaluation. A balanced scorecard is an evaluation of performance against established criteria. SWOT analysis appraises the business and potentially the control environment.

The primary difference between operational engagements and financial engagements is that, in the former, the internal auditors A.Are not concerned with whether the client entity is generating information in compliance with financial accounting standards. B.Are seeking to help management use resources in the most effective manner possible. C.Start with the financial statements of the client entity and work backward to the basic processes involved in producing them. D.Can use analytical skills and tools that are not necessary in financial engagements.

Are seeking to help management use resources in the most effective manner possible.Answer (B) is correct.The primary objective of a financial engagement is to express an opinion on the fairness of the financial statements. Operational engagements evaluate accomplishment of established objectives and goals for operations or programs and economical and efficient use of resources.

During an operational engagement, the internal auditors compare the current staffing of a department with established industry standards to A.Identify bogus employees on the department's payroll. B.Assess the current performance of the department and make appropriate recommendations for improvement. C.Evaluate the adequacy of the established internal controls for the department. D.Determine whether the department has complied with all laws and regulations governing its personnel.

Assess the current performance of the department and make appropriate recommendations for improvement.Answer (B) is correct.An operational engagement (audit) assesses the efficiency and effectiveness of an organization's operations.

Which of the following types of performance measures integrates financial performance, internal operations, learning and growth, and customer satisfaction? A.Total productivity. B.Financial ratio analysis. C.Balanced scorecard. D.Benchmarking.

Balanced scorecard.Answer (C) is correct.A typical balanced scorecard classifies objectives into one of four perspectives: financial, customer satisfaction, internal business processes, and learning and growth.

Fact Pattern:A certified internal auditor is the chief audit executive for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding. The internal auditors randomly select participants in the job retraining program for the past year to verify that they had met all the eligibility requirements. This type of engagement is concerned with Program results. Economy and efficiency. Compliance. Operational effectiveness.

Compliance

Internal audit engagements vary in their degree of objectivity. Of the following, which is likely to be the most objective? A.Compliance engagement relating to an organization's overtime policy. B.Operational engagement relating to the personnel function's hiring and firing procedures. C.Performance engagement relating to the marketing department. D.Financial control engagement relating to payroll procedures.

Compliance engagement relating to an organization's overtime policy.Answer (A) is correct.A compliance engagement relating to overtime policy is likely to be the most objective. It determines whether actual operations conform to specific management policies and procedures, which are likely to be well defined and documented. For example, determining whether overtime was properly paid requires less judgment than whether a control is properly designed.

Compliance programs most directly assist organizations by doing which of the following? 1.Developing a plan for business continuity management. 2.Determining director and officer liability. 3.Planning for disaster recovery. A.1 only. B.2 only. C.1 and 2 only. D.1, 2, and 3.

Compliance programs most directly assist organizations by doing which of the following? Developing a plan for business continuity management. Determining director and officer liability. Planning for disaster recovery. A.1 only.B.2 only.C.1 and 2 only.D.1, 2, and 3.

An organization establishes compliance standards and procedures and develops a written business code of conduct to be followed by its employees. Which of the following is true concerning business codes of conduct and the compliance standards? A.Compliance standards should be straightforward and reasonably capable of reducing the prospect of criminal conduct. B.The compliance standards should be codified in the charter of the audit committee. C.Companies with international operations should institute various compliance programs, based on selective geographic locations, that reflect appropriate local regulations. D.In order to prevent future legal liability, the code should consist of legal terms and definitions.

Compliance standards should be straightforward and reasonably capable of reducing the prospect of criminal conduct.Answer (A) is correct.The code of conduct should clearly identify prohibited activities, making compliance standards reasonably capable of reducing the prospect of criminal conduct (i.e., discouraging intentional employee violations). In addition, codes that are straightforward and fair tend to decrease the risk that employees will engage in unethical or illegal behavior.

Which of the following is typical for a firm implementing a system of total quality management (TQM)? A.Consolidating all horizontal business functions. B.Limiting quality management to quality management staff, engineers, and production departments. C.Conducting a quality audit. D.Preparing a gap analysis to determine customer and supplier requirements.

Conducting a quality audit.Answer (C) is correct.A quality audit should be conducted to evaluate the process for gathering information to develop a strategic quality improvement plan. It also may identify the best improvement opportunities and the organization's strengths and weaknesses relative to benchmarked competitors.

With regard to providing an assurance service for the organization's privacy framework, the internal audit activity (IAA) assesses the adequacy of risk identification and controls. The IAA also A.Considers practices in relevant jurisdictions. B.Confirms to the board that information security is the IAA's responsibility. C.Performs a consulting engagement to provide advice on information security protocols. D.Devises and implements controls.

Considers practices in relevant jurisdictions.Answer (A) is correct.The IAA assesses the adequacy of (1) management's risk identification and (2) the controls that reduce those risks. Moreover, the IAA evaluates the privacy framework, identifies significant risks, and makes recommendations. It also considers (1) laws, regulations, and practices in relevant jurisdictions; (2) the advice of legal counsel; and (3) the security efforts of IT specialists.

In which format of the facilitated approach does the facilitator identify the key controls before the beginning of the workshop?A.Control-based format. B.Objective-based format. C.Risk-based format. D.Process-based format.

Control-based format.Answer (A) is correct.A control-based format focuses on how well the controls in place are working. Unlike the approach in the objective-based and risk-based formats, the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.

In which of the following arrangements should an internal auditor be most concerned about the lack of an incentive for economy and efficiency? A.Fixed-price contract. B.Cost-plus contract. C.Unit-price contract. D.Source code escrow clause.

Cost-plus contract.Answer (B) is correct.Cost-plus contracts are ways to cope with uncertainties about costs by setting a price equal to (1) cost plus a fixed amount or (2) cost plus a fixed percentage of cost. A problem is that the contractor may have little incentive for economy and efficiency, a reason for careful review by the internal auditors. These contracts may have provisions for (1) maximum costs, with any savings shared by the parties, or (2) incentives for early completion.

An engagement to evaluate a transportation department is being conducted. Review procedures include an analysis of "rush shipment" requests. The engagement objective in this case is the A.Financial settlement of the rush shipment. B.Transportation arrangements to be used for rush shipments. C.Determination of the need for rush shipment services. D.Handling of claims for undelivered rush shipment goods.

Determination of the need for rush shipment services.Answer (C) is correct.An internal auditor concerned with the efficiency and effectiveness of the transportation function should inquire about the entity's procedures for addressing the appropriate means of moving items from one location to another. Because rush shipment methods tend to be more expensive than the alternatives, the internal auditor should examine the authorization procedures and criteria for such treatment and the possibilities for reducing or eliminating the need.

A financial engagement relating to the production function includes a procedure to compare recorded costs with actual costs. The purpose of this engagement procedure is to A.Determine the accuracy of the system used to record actual costs. B.Measure the effectiveness of the standard cost system. C.Assess the reasonableness of actual costs. D.Assist management in its evaluation of effectiveness and efficiency.

Determine the accuracy of the system used to record actual costs.Answer (A) is correct.A financial engagement procedure includes looking at the past to determine whether financial information (e.g., recorded costs) was properly and adequately supported (i.e., whether recorded costs equal actual costs).

Fact Pattern: A certified internal auditor is the chief audit executive for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding. The internal auditors must determine the applicable laws and regulations. Which of the following procedures is the least effective in learning about the applicable laws and regulations? A.Make inquiries of the city's chief financial officer, legal counsel, or grant administrators. B.Review prior-year working papers and inquire of officials as to changes. C.Review applicable grant agreements. D.Discuss the matter with the board and make inquiries as to the nature of the requirements and the board's objectives for the engagement.

Discuss the matter with the board and make inquiries as to the nature of the requirements and the board's objectives for the engagement.Answer (D) is correct.Discussing the matter with the board would not be helpful. The members are not likely to know the applicable laws and regulations. The board's oversight activities do not provide specific expertise needed to help the internal auditors understand the applicable laws and regulations.

An organization's managerial decision-making model for capital budgeting is based on the net present value of discounted cash flows. The same organization's managerial performance evaluation model is based on annual divisional return on investment. Which of the following is true? The use of models with different criteria promotes goal congruence. The manager has an incentive to accept a project with a positive net present value that initially has a negative effect on net income. Divisional managers are likely to maximize the measures in the performance evaluation model. Divisional managers are likely to maximize the measures in the decision-making model.

Divisional managers are likely to maximize the measures in the performance evaluation model. This answer is correct.Effective management control requires performance measurement and feedback. This process affects allocation of resources to organizational subunits. It also affects decisions about managers' compensation, advancement, and future assignments. Furthermore, evaluating their performance serves to motivate managers to optimize the measures in the performance evaluation model. However, that model may be inconsistent with the organization's model for managerial decision making.

Which statement best describes the emphasis of total quality management (TQM)? A.Reducing the cost of inspection. B.Implementing better statistical quality control techniques. C.Doing each job right the first time. D.Encouraging cross-functional teamwork.

Doing each job right the first time.Answer (C) is correct.The basic principles of TQM include (1) doing each job right the first time, (2) being customer-oriented, (3) committing the organizational culture to continuous improvement, and (4) promoting teamwork and employee empowerment.

Which phrase best describes the control-based approach of the control self-assessment process? A.Evaluating, updating, and streamlining selected control processes. B.Examining how well controls are working in managing key risks. C.Analyzing the gap between control design and control frameworks. D.Determining the cost-effectiveness of controls.

Examining how well controls are working in managing key risks.Answer (B) is correct.A control-based format focuses on how well the controls in place are working. This format is different than the others because the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.

Of the three primary approaches of CSA programs, which one is designed to gather information from work teams representing different levels in the business unit or function? A.Auditor-produced analysis. B.Facilitated approach. C.Questionnaire approach. D.Self-certification approach.

Facilitated approach.Answer (B) is correct.The three primary forms of CSA programs are the facilitated approach, the questionnaire approach, and the self-certification approach. The facilitated approach gathers information from work teams representing different levels in the business unit or function. The format of the approach may be based on objectives, risks, controls, or processes.

Focusing on customers, promoting innovation, learning new philosophies, driving out fear, and providing extensive training are all elements of a major change in organizations. These elements are aimed primarily at A.Copying leading organizations to better compete with them. B.Focusing on the total quality of products and services. C.Being efficient and effective at the same time, in order to indirectly affect profits. D.Managing costs of products and services better, in order to become the low-cost provider.

Focusing on the total quality of products and services.Answer (B) is correct.TQM is a comprehensive approach to quality. It treats the pursuit of quality as a basic organizational function that is as important as production or marketing. TQM is the continuous pursuit of quality in every aspect of organizational activities through (1) a philosophy of doing it right the first time; (2) employee training and empowerment; (3) promotion of teamwork; (4) improvement of processes; and (5) attention to satisfaction of customers, both internal and external. TQM emphasizes the supplier's relationship with the customer, identifies customer needs, and recognizes that everyone in a process is at some time a customer or supplier of someone else, either inside or outside of the organization.

Fact Pattern: The management and employees of a large household goods moving company decided to adopt total quality management (TQM) and continuous improvement (CI). The company believes that if it became nationally known as adhering to TQM and CI, one result would be an increase in the company's profits and market share. The primary reason for adopting TQM was to achieve A.Greater customer satisfaction. B.Reduced delivery time. C.Reduced delivery charges. D.Greater employee participation.

Greater customer satisfaction.Answer (A) is correct.TQM is an integrated system that anticipates, meets, and exceeds customers' needs, wants, and expectations.

Senior management has requested a compliance audit of the organization's employee benefits package. Which of the following is considered the primary engagement objective by both the chief audit executive and senior management? A.The level of organizational contributions is adequate to meet the program's demands. B.Individual programs are operating in accordance with contractual requirements and government regulations. C.Participation levels support continuation of individual programs. D.Benefit payments, when appropriate, are accurate and timely.

Individual programs are operating in accordance with contractual requirements and government regulations.Answer (B) is correct.The internal audit activity evaluates risk exposures related to governance, operations, and information systems regarding, among other things, compliance with laws, regulations, and contracts. Based on the risk assessment, the internal audit activity evaluates the adequacy and effectiveness of controls encompassing governance, operations, and information systems. This evaluation should include, among other things, compliance with laws, regulations, and contracts (Impl. Stds. 2110.A2 and 2120.A1). Operation in accordance with contracts and regulations takes precedence over all other objectives because it relates to the most basic aspects of the programs

Which of the following is one of the four perspectives of a balanced scorecard? A.Just in time. B.Innovation. C.Benchmarking. D.Activity-based costing.

Innovation.Answer (B) is correct.The balanced scorecard is an accounting report that connects the firm's critical success factors determined in a strategic analysis with measures of its performance. The critical success factors (and appropriate measures thereof) are assigned to four perspectives on the business: financial, customer, internal business processes, and learning and growth. Innovation is a facet of the learning and growth perspective.

Which outcome can be derived from self-assessment methodologies? A.Formal, hard controls are more easily identified and evaluated. B.Management will become involved in and knowledgeable about the self-assessment process by serving as facilitators, scribes, and reporters for the work teams. C.Auditors' responsibility for the risk management and control processes of the organization will be reinforced. D.People are motivated to take ownership of the control processes in their units and corrective actions taken by work teams are often more effective and timely.

People are motivated to take ownership of the control processes in their units and corrective actions taken by work teams are often more effective and timely.Answer (D) is correct.One of the possible outcomes that may be derived from self-assessment methodologies is that people are motivated to take ownership of the control processes in their units and corrective actions taken by work teams are often more effective and timely.

The internal auditors' ultimate responsibility for information security includes Identifying technical aspects, risks, processes, and transactions to be examined. Documenting engagement procedures. Determining the scope and degree of testing to achieve engagement objectives. Periodically assessing information security practices.

Periodically assessing information security practices. This answer is correct.Internal auditors should periodically assess the organization's information security practices and recommend, as appropriate, enhancements to, or implementation of, new controls and safeguards. Following an assessment, an assurance report should be provided to the board. Such assessments can either be conducted as separate stand-alone engagements or as multiple engagements integrated into other audits or engagements conducted as part of the approved audit plan.

Freedom from monitoring best defines A.Personal privacy. B.Privacy of space. C.Privacy of communication. D.Privacy of information.

Privacy of communication.Answer (C) is correct.Privacy may encompass (1) personal privacy (physical and psychological), (2) privacy of space (freedom from surveillance), (3) privacy of communication (freedom from monitoring), and (4) privacy of information (collection, use, and disclosure of personal information by others).

Which type of engagement focuses on operations and how effectively and efficiently the organizational units affected will cooperate? A.Program-results engagement. B.Process engagement. C.Privacy engagement. D.Compliance engagement.

Process engagement.Answer (B) is correct.Process engagements tend to be challenging because of their scope and the need to deal with subunits that may have conflicting objectives.

Which type of internal audit engagement most likely may be difficult because of the conflicting objectives of organizational units?A.Performance audit. B.A program-results engagement. C.Compliance audit. D.Process engagement.

Process engagement.Answer (D) is correct.These engagements tend to be challenging because of their scope and the need to deal with organizational units that may have conflicting objectives.

An operational engagement communication that concerns the scrap disposal function in a manufacturer should address A.The efficiency and effectiveness of the scrap disposal function and include any observations requiring corrective action. B.Whether the scrap material inventory is reported as a current asset. C.Whether the physical inventory count of the scrap material equals the recorded amount. D.Whether the scrap material inventory is valued at the lower of cost or market.

The efficiency and effectiveness of the scrap disposal function and include any observations requiring corrective action.Answer (A) is correct.An operational engagement (audit) assesses the efficiency and effectiveness of an organization's operations. Thus, an engagement communication should inform management about the efficiency and effectiveness of the given operations and should discuss observations requiring corrective action.

Which of the following is an effective tool for uncovering unethical or illegal activity in an organization? A.The screening of applicants. B.The ethics interview. C.The background check. D.The ethics questionnaire.

The ethics questionnaire.Answer (D) is correct.An effective tool for uncovering unethical or illegal activity is the ethics questionnaire. Each employee of the organization should receive a questionnaire that asks whether the employee is aware of kickbacks, bribes, or other wrongdoing.

The organization is evaluating whether it should implement total quality management (TQM). Which of the following would least likely be a supporting factor for its decision? A.Quality of the product is of paramount consideration for management. B.The improvement of quality will be achieved mainly through the reworking of defective goods. C.The supplier's relationship with the customer will be emphasized. D.The organization strives for continuous quality improvement and innovation in products and services.

The improvement of quality will be achieved mainly through the reworking of defective goods.Answer (B) is correct.The traditional view of quality focuses on the detection of defective or rejected products. TQM (1) focuses its attention on satisfying both internal and external customers, (2) believes that quality is a value-added activity performed throughout all processes, and (3) is the continuous pursuit of quality in every aspect of organizational activities. Therefore, improving quality mainly through the reworking of defective goods demonstrates the traditional view of quality, and therefore is not a supporting factor for TQM.

After reviewing the prior year's internal audit recommendations, senior management has decided to adopt a control self-assessment (CSA) program using a questionnaire approach. The survey consists of descriptions of, and questions about, key controls. What is the effect on the next audit of adopting this CSA program? Audit tests will be substantially eliminated. The internal auditors need to verify that the controls are in place and working as intended. The CSA survey must be controlled by the internal audit activity. The internal audit activity will receive the results directly.

The internal auditors need to verify that the controls are in place and working as intended.

In reviewing a unit-price construction contract for a new catalog showroom, the internal auditor should be cognizant of the risk that A.The contractor could be charging for the use of equipment not used in the construction. B.Income taxes related to construction equipment depreciation may have been calculated erroneously. C.The man-hours used to complete the project are overstated. D.Payroll taxes may have been inappropriately omitted from billings.

The man-hours used to complete the project are overstated.Answer (C) is correct.Under unit-price contracts, the price of the project is determined using a measure of work. The disadvantage of this arrangement is that the contractor may be tempted to overstate the measure of work used to compute the cost of the project. In this case, the measure of work could be man-hours needed to complete the project. Consequently, internal auditors should be involved in monitoring economy and efficiency not only during the earliest phases of construction but also from the beginning of the planning process.

Fact Pattern: The legislative auditing bureau of a country is required to perform compliance engagements involving organizations that are issued defense contracts on a cost-plus basis. Contracts are clearly written to define acceptable costs, including developmental research cost and appropriate overhead rates. During the past year, the government has engaged in extensive outsourcing of its activities. The outsourcing included contracts to run cafeterias, provide janitorial services, manage computer operations and systems development, and provide engineering of construction projects. The contracts were modeled after those used for years in the defense industry. The legislative internal auditors are being called upon to expand their efforts to include compliance engagements involving these contracts. Upon initial investigation of these outsourced areas, the internal auditor found many areas in which the outsourced management has apparently expanded its authority and responsibility. For example, the contractor that manages computer operations has developed a highly sophisticated security program that may represent the most advanced information security in the industry. The internal auditor reviews the contract and sees reference only to providing appropriate levels of computing security. The internal auditor suspects that the governmental agency may be incurring developmental costs that the outsourcer may use for competitive advantage in marketing services to other organizations. Management has asked the internal auditor to recommend monitoring controls that management could establish to provide timely oversight of the information systems contract. Which of the following is the least effective monitoring control? A.Require monthly internal reports summarizing overhead rates used in billings. B.Require monthly reports by the outsourcer of total costs billed and services rendered. C.Use internal auditors to investigate the appropriateness of costs, as part of a yearly engagement to evaluate the outsourcer. D.Randomly investigate selected cost accounts throughout the year to determine that all the expenses are properly charged to the governmental unit.

Use internal auditors to investigate the appropriateness of costs, as part of a yearly engagement to evaluate the outsourcer.Answer (C) is correct.A yearly engagement to evaluate the outsourcer pertains to compliance, not monitoring. This control procedure is not timely because it occurs only once a year and does not provide prompt feedback for corrective action.

Under a total quality management (TQM) approach, A.Value-added activities are performed in all processes under constant management supervision. B.Quality control is performed by highly trained inspectors at the end of the production process. C.Management assumes responsibility for all processes in the system. D.A large number of suppliers are used in order to obtain the lowest possible prices.

Value-added activities are performed in all processes under constant management supervision.Answer (A) is correct.Total quality management emphasizes quality as a basic organizational function. TQM is the continuous pursuit of quality in every aspect of organizational activities. One of the basic tenets of TQM is doing it right the first time. Thus, errors should be caught and corrected at the source.

Which of the following factors is least essential to a successful control self-assessment (CSA) workshop? A.Voting technology. B.Facilitation training. C.Prior planning. D.Group dynamics.

Voting technology.Answer (A) is correct.Elements of CSA include front-end planning, preliminary audit work, a structured agenda, and reporting and development of action plans. Furthermore, according to The IIA, an element of CSA is the gathering of a group of people into a same-time/same-place meeting, typically involving a facilitation seating arrangement (U-shaped table) and a meeting facilitator. The participants are 'process owners', i.e., management and staff who are involved with the particular issues under examination, who know them best, and who are critical to the implementation of appropriate process controls. Optional elements include the presence of a scribe to take an online transcription of the session and electronic voting technology to enable participants to voice their perceptions of the issues anonymously. Voting technology can increase efficiency, but it is not essential to success. Manual forms of recording views and giving group feedback are also effective.

Which of the following is not a role of the internal audit activity in performing assurance services? A.Assessing information systems security risks. B.Working with information system users and system security personnel to implement controls. C.Monitoring the implementation of corrective action. D.Evaluating security controls.

Working with information system users and system security personnel to implement controls.Answer (B) is correct.The role of the internal audit activity with respect to assurance services is to assess information systems security risks, monitor the implementation of corrective action, and evaluate security controls. The internal audit activity may also function in a consulting capacity by identifying security issues and by working with users of information systems and with systems security personnel to devise and implement controls.