Internal 2 SU4
A chief audit executive (CAE) uses a risk assessment model to establish the annual audit plan. Which of the following would be an appropriate action by the CAE? 1. Maintain ongoing dialogue with management and the audit committee 2. Ensure that the schedule of audit priorities remains unchanged 3. Employ only quantitative methods to determine risk weightings 4. Revise the risk assessment and audit priorities as warranted
1 and 4 only.
Which of the following comments is (are) true regarding the assessment of risk associated with two projects that are competing for limited internal audit resources? 1. Industry knowledge should be used to identify the project with the higher priority. 2. Activities with higher financial budgets always should be considered higher risk than those with lower financial budgets. 3. Activities that are requested by the board always should be considered higher risk than those requested by management. 4. Senior management's evaluations of the risk associated with each project must be considered.
1 and 4 only.
Risk modeling in a consulting service can be accomplished by 1. Ranking the engagement's potential to improve management of risks 2. Ranking the engagement's potential to add value 3. Ranking the engagement's potential to improve the organization's operations
1, 2, and 3.
In deciding whether to accept a consulting engagement, the Standards require the CAE to consider the engagement's potential to 1. Add value 2. Improve management of risks 3. Develop internal audit competencies 4. Improve the organization's operations
1, 2, and 4 only.
The work of the internal audit activity includes evaluating and contributing to the improvement of risk management systems. Risk is: 1. The negative effect of events certain to occur 2. Measured in terms of impact 3. Measured in terms of likelihood
2 and 3 only.
Fact Pattern: During the planning phase, a chief audit executive (CAE) is evaluating four audit engagements based on the following factors: the engagement's ability to reduce risk to the organization, the engagement's ability to save the organization money, and the extent of change in the area since the last engagement. The CAE has scored the engagements for each factor from low to high, assigned points, and calculated an overall ranking. The results are shown below with the points in parentheses: Which audit engagements should the CAE pursue if all factors are weighed equally?
2 and 4 only.
When developing the internal audit plan, the chief audit executive must consider the following expectations of: 1. Department managers 2. Stakeholders 3. Human resource managers
2 only.
Which of the following actions by the internal audit activity is (are) appropriate in response to a risk assessment? 1. Although input of senior management and the board should be obtained, the chief audit executive does not need to consider it when developing the internal audit activity's plan of engagements. 2. The high-risk areas should be integrated into an audit plan along with the high-priority requests of management and the audit committee. 3. The risk analysis should be used in determining an audit plan. Thus, it should be performed only on an annual basis.
2 only.
Which of the following represent(s) appropriate internal audit action in response to the risk assessment process? 1. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be performed by the internal audit activity. 2. The high-risk areas should be integrated into an audit work schedule along with the high-priority requests of senior management and the audit committee. 3. The risk analysis should be used in determining an annual audit work schedule. Thus, the risk analysis should be performed only on an annual basis.
2 only.
Fact Pattern: During the planning phase, a chief audit executive (CAE) is evaluating four audit engagements based on the following factors: the engagement's ability to reduce risk to the organization, the engagement's ability to save the organization money, and the extent of change in the area since the last engagement. The CAE has scored the engagements for each factor from low to high, assigned points, and calculated an overall ranking. The results are shown below with the points in parentheses: If the organization has asked the CAE to consider the cost savings factor to be twice as important as any other factor, which engagements should the CAE pursue?
3 and 4 only.
The chief audit executive for an organization has just completed a risk assessment process, identified the areas with the highest risks, and assigned an engagement priority to each. Which of the following conclusions most logically follow(s) from such a risk assessment? 1. Items should be quantified as to risk in the rank order of quantifiable monetary exposure to the organization. 2. The risk priorities should be in order of major control deficiencies. 3. The risk assessment process, though quantified, is the result of professional judgments about both exposures and probability of occurrences.
3 only.
Which of the following comments is (are) true regarding the assessment of risk associated with two projects that are competing for limited internal audit resources? 1. Activities that are requested by the board always should be considered higher risk than those requested by management. 2. Activities with higher financial budgets always should be considered higher risk than those with lower financial budgets. 3. Risk always should be measured by the potential monetary or other adverse exposure to the organization.
3 only.
Which of the following represent(s) appropriate internal audit action in response to the risk assessment process? 1. The high-priority requests of senior management and the audit committee should be given little weight with regard to the audit work schedule. 2. Engagements for the low-risk areas may be delegated to the external auditor, but engagements for the high-risk areas should be performed by the internal audit activity. 3. The chief audit executive should develop a risk-based plan, making adjustments as necessary in response to organizational changes. 4. The risk analysis should be used in determining an annual audit work schedule. Thus, the risk analysis should be performed only on an annual basis.
3 only.
A chief audit executive most likely uses risk assessment for audit planning because it provides
A systematic process for assessing and integrating professional judgment about probable adverse conditions.
Which of the following audit risk components may be assessed in nonquantitative terms?
Control Risk: Yes Detection Risk: Yes Inherent Risk: Yes
The internal audit activity's plan of engagements is based on which of the following?
Risk Assessment: Undertaken at least annually Input of: The board and senior management
A chief audit executive is reviewing the following enterprise-wide risk map: Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity?
Risk D, Risk B, Risk C, Risk A.
Which of the following statements is false regarding risk assessment as the term is used in internal auditing?
Risk assessment is a judgmental process of assigning monetary amounts to the perceived level of risk found in an activity being evaluated. These amounts allow a chief audit executive to select the engagement clients most likely to result in identifiable savings.
Who reviews and approves a summary of the internal audit plan?
Senior management and the board.
A chief audit executive may use risk analysis in preparing work schedules. Which of the following is not considered in performing a risk analysis?
Skills available on the internal audit staff.
The chief audit executive develops a risk-based plan after updating the audit universe. The item least likely to be part of the audit universe is
The minutes from the last board of directors meeting.
An organization has no formal risk management framework. In developing a risk-based plan to determine the priorities of the internal audit activity, the chief audit executive (CAE) should
Consult with senior management and the board and use the best judgment of risks.
During discussions with senior management, the chief audit executive identified several strategic business issues to consider in preparing the annual audit work schedule. Which of the following does not represent a strategic issue for this purpose?
A monthly budgeting process will be implemented.
Which of the following factors is considered the least important in deciding whether existing internal audit resources should be moved from an ongoing compliance engagement to a divisional-level engagement requested by management?
A financial audit of the division performed by the external auditor a year ago.
Which of the following is a valid reason for an internal auditing engagement involving a payroll department to receive priority over a purchasing department engagement?
The payroll department's relative risk and exposure are greater.
Which of the following represents an external risk factor?
Additional safety regulations enacted by the government have caused a strain on the organization's resources.
An auditor assesses the risks of material misstatement because they
Affect the level of detection risk that the auditor may accept.
An auditor assesses control risk because it
Affects the level of detection risk that the auditor may accept.
The internal auditing activity of Rivers Financial Group is developing a plan for the current year. Which of the following should not be emphasized in the audit plan?
All control systems.
Risk management is critical to the sound governance of which of the following?
All organizational activities, regardless of revenue.
Fact Pattern: The internal auditing process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All engagements include a description and analysis of internal controls. Engagement clients are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible review in the coming year and attributes of those departments are as follows: All of these departments, except two, are on the potential list of engagement clients because of a risk analysis performed by the chief audit executive. Production department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing. What is the chief audit executive's most logical definition of risk of loss to be used in selecting engagement clients?
Amount of risk exposure times the probability of loss.
Audit risk is
An aggregate of the risk of material misstatement and detection risk.
The term "risk" is best defined as the possibility that
An event could occur affecting the achievement of objectives.
The chief audit executive (CAE) performs a risk assessment before developing the annual audit plan. Which of the following is most likely to increase the assessment of an identified risk?
An unexpected, significant increase in receivables not related to an increase in sales.
An organization manufactures mirror frames. Scrap is adequately accounted for at the point of generation. The scrap is sorted and sold frequently to the organization's regular buyer at a price negotiated between the scrap manager and the buyer. A risk exposure caused by these procedures is that
The price received for scrap may be inadequate.
Which of the following is the best reason for the chief audit executive to consider the strategic plan in developing the annual audit plan?
To ensure that the internal audit plan supports the overall business objectives.
Which of the following represents the best risk assessment technique?
Assessment of the risk levels of current and future events, their effect on achievement of the organization's objectives, and their underlying causes.
In the audit risk model, the risk that an auditor will express an inappropriate audit opinion when the financial statements are materially misstated is
Audit risk.
At a meeting with engagement managers, the chief audit executive is allocating the engagement work schedule for next year's plan. Which of the following methods will ensure that each manager receives an appropriate share of both the work schedule and internal audit activity resources?
Work is assigned to each manager based on risk and skill analysis.
The chief audit executive of an organization has developed a plan that includes a detailed schedule of engagements to be performed during the coming year, an estimate of the time required for each engagement, and the approximate starting date of each engagement. The scheduling of specific engagements was based upon the time elapsed since the last engagement in each area. The plan is inadequate because it fails to
Consider factors such as risk and effectiveness of risk management processes.
Detection risk differs from both control risk and inherent risk in that detection risk
Can be changed at the auditor's discretion.
Audit risk at the assertion level consists of inherent risk, control risk, and detection risk. Which of the following statements is true?
Cash has a greater inherent risk than an inventory of coal because it is more susceptible to theft.
The chief audit executive for a retail merchandise sales organization is considering engagement assignments for inclusion in the work schedule for the upcoming year. The following areas have not been evaluated recently, and there are no known reasons that they should be given immediate attention. If resources are scarce, which project should be given priority?
Cash management and credit policy.
Updating the audit universe is useful in developing the internal audit plan. The audit universe
Consists of all possible audits.
A chief audit executive's performance report most likely should
Compare engagements completed with engagements planned.
The best means for the internal audit activity to determine whether its goal of implementing broader coverage of functional activities has been met is through
Comparison of the approved audit plan with actual engagement activity.
Risk is measured in terms of significance and likelihood. Assuming internal control of average effectiveness, excessive cash disbursements due to duplicate payments to vendors are events that most likely are placed in which area of a risk map?
High significance, medium likelihood.
On the basis of audit evidence gathered and evaluated, an auditor decides to increase the assessed level of control risk from that originally planned. To achieve an overall audit risk level that is substantially the same as the planned audit risk level, the auditor would
Decrease detection risk.
An annual summary report of completed engagement work submitted to senior management and the board by the chief audit executive should
Describe the extent to which the internal audit activity has completed its approved audit plan.
The risk that an auditor's procedures will lead to the conclusion that a material misstatement does not exist in an account balance when, in fact, such misstatement does exist is
Detection risk.
Which of the following types of risk increases when an auditor performs substantive analytical audit procedures for financial statement accounts at an interim date?
Detection.
Which of the following types of risks most likely would increase if accounts receivable are confirmed 3 months before year end?
Detection.
Which of the following factors is least likely to be considered in determining the audit work schedule?
Engagement work programs.
The internal auditors of Smother Corp. are considering lower-risk audits as a part of their audit plan. They should
Include the lower-risk audits to give them coverage and confirm that their risks have not changed.
The chief audit executive of a manufacturer is updating the long-range engagement work schedule. There are several possible assignments that can fill a given time spot. Information on potential monetary exposure and key internal controls has been gathered. Based on perceived risk, select the assignment of greatest merit.
Precious metals inventory -- carrying amount, $1,000,000; separately stored, but access not restricted.
If the annual audit plan does not allow for adequate review of compliance with all material regulations affecting the company, the internal audit activity should:
Ensure that the board of directors and senior management are aware of the limitation.
Inherent risk and control risk differ from detection risk in that they
Exist independently of the audit engagement.
The chief audit executive of a manufacturer is updating the long-range engagement work schedule. Several possible engagements can be assigned to a given time slot. Information on potential monetary exposure and key internal controls has been gathered. Based on perceived risk, select the assignment of greatest merit.
Expendable tools inventory -- carrying amount, US $1,100,000; Stored with other inventory.
The acceptable level of detection risk is inversely related to the
Extent of engagement procedures performed.
When an auditor increases the assessed risks of material misstatement because certain control activities were determined to be ineffective, the auditor most likely would increase the
Extent of tests of details.
Inherent risk and control risk differ from detection risk in that inherent risk and control risk are
Functions of the client and its environment, whereas detection risk is not.
Johnny Hagerts, the chief audit executive of Booster, Inc., is having a meeting with senior management about the status of the internal audit. In this meeting, Mr. Hagerts should provide assurance to management about which of the following?
Governance, risk management, and control.
A service company is currently experiencing a significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using in-house developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the director, two managers, and five staff auditors, all with financial background. In the past, the primary focus of successful audit activities has been the service branches and the six regional division headquarters that support the branches. These division headquarters are the primary targets for possible elimination. The support functions, such as human resources, accounting, and purchasing, will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Assuming that total available resources remain the same, what activities should the internal audit activity perform to best serve the organization?
Increase engagement time in functions being centralized.
On the basis of audit evidence gathered and evaluated, an auditor decides to decrease the level of detection risk from that originally planned. Assuming the same planned audit risk level, the change in the planned detection risk most likely resulted from a(n)
Increase in the assessed control risk.
After testing a client's internal control activities, an auditor discovers a number of significant deficiencies in the operation of a client's internal controls. Under these circumstances, the auditor most likely would
Increase the assessment of control risk and increase the extent of substantive tests.
Some account balances, such as those for pensions or leases, are the results of complex calculations. The susceptibility to material misstatements in these types of accounts is defined as
Inherent risk.
Which of the following is not a characteristic of effective risk management?
It provides absolute assurance that organizational objectives will be achieved.
Risk modeling or risk analysis is often used in conjunction with development of long-range engagement work schedules. The key input in the evaluation of risk is
Judgment of the internal auditors.
When a risk assessment process has been used to construct an audit engagement schedule, which of the following should receive attention first?
Management has requested an investigation of possible lapping in receivables.
The audit risk against which the auditor and those who rely on his or her opinion require reasonable protection is a combination of two separate risks at the assertion level. The first risk (consisting of inherent risk and control risk) is that balances, classes of transactions, or disclosures contain material misstatements. The second is that
Material misstatements that occur will not be detected by the audit.
The internal audit activity of a large organization has established its operating plan and budget for the coming year. The operating plan is restricted to the following categories: a prioritized listing of all engagements, staffing, a detailed expense budget, and the commencement date of each engagement. Which of the following best describes the major deficiency of this operating plan?
Measurability criteria and targeted dates of completion are not provided.
As the acceptable level of detection risk decreases, an auditor may change the
Nature of substantive procedures from a less effective to a more effective procedure.
In which of the following duties would the chief audit executive least likely have a primary role?
Organize and draft the final engagement communication.
An approved audit plan for the internal audit activity is an essential part of
Planning for the internal audit activity.
Fact Pattern: The internal auditing process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All engagements include a description and analysis of internal controls. Engagement clients are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible review in the coming year and attributes of those departments are as follows: All of these departments, except two, are on the potential list of engagement clients because of a risk analysis performed by the chief audit executive. Production department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing. Which department most likely needs a pure operational (nonfinancial) engagement?
Production A.
The chief audit executive routinely reports to the board as part of the board meeting agenda each quarter. Senior management has asked to review this presentation before each board meeting so that any issues or questions can be discussed beforehand. The CAE needs to
Provide the report to senior management as requested and discuss any issues that may require action to be taken.
All of the following are required communications by the chief audit executive (CAE) to senior management and the board except
Results of analysis into staffing needs.
Which of the following is an appropriate responsibility of the board?
Reviewing the internal audit activity's engagement work schedule submitted by the chief audit executive.
Which of the following is an example of an inherent risk that an auditor should consider?
Technological developments that may render inventory obsolete.
Risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Which of the following statements reflects the appropriate action for the chief audit executive to take?
The CAE should generally assign engagement priorities to activities with higher risks.
Management has just implemented a policy that every department must downsize by immediately cutting 10% of each department's staff and budget. The chief audit executive has reacted to the organization's recent plans for "downsizing" (reducing the size of staff across the board) by notifying the internal audit managers that the time allocated for all jobs must be cut by 10%. Which of the following statements regarding the CAE's action and potential internal audit manager's action is true?
The CAE should have re-prioritized risks and eliminated specific engagements rather than cutting 10% across the board.
What should the CAE do if the scope of the internal audit plan is insufficient to permit expression of an opinion about risk management and control?
The CAE should inform senior management and the board about gaps in audit coverage.
Which of the following statements, if true, would justify a chief audit executive's decision not to report certain control concerns regarding derivatives trading in a report to the audit committee?
The amounts of trading and the potential risks associated with the derivatives trading are not material to the overall organization.
Which internal audit planning tool is general in nature and is used to ensure adequate engagement coverage over time?
The audit plan.
Which of the following is not a requirement of risk-based audit planning?
The chief audit executive consults with external auditors.
The internal audit activity's audit plan is based on all of the following except
The cost of the engagement.
As the chief audit executive, you have determined that the acquisition of some expensive, state-of-the-art software for paperless working paper files will be useful. Identify the preferred method for presenting your request to senior management.
The effect of not obtaining the software.
Which of the following matters relating to an entity's operations would an auditor most likely consider as an inherent risk factor in planning an audit?
The entity enters into transactions with high estimation uncertainty.
The internal auditor is considering making a risk analysis as a basis for determining the areas of the organization where engagements should be performed. Which one of the following statements is true regarding risk analysis?
The extent to which management judgments are required in an area could serve as a risk factor in assisting the internal auditor in making a comparative risk analysis.
The chief audit executive is preparing the audit work schedule for the next budget year and has limited resources. In deciding whether to schedule the purchasing or the personnel department for an engagement, which of the following is the least important factor?
The internal audit staff has recently added an individual with expertise in one of the areas.
In the audit risk model, which of the following is a definition of control risk?
The risk that a material misstatement will not be prevented or detected on a timely basis by the client's internal controls.
Which of the following is a definition of control risk?
The risk that a material misstatement will not be prevented or detected on a timely basis by the client's internal controls.
In a financial statement audit, inherent risk is evaluated to help an auditor assess which of the following?
The susceptibility of a financial statement assertion to a material misstatement before consideration of related controls.
What is the purpose of establishing an internal audit plan?
To ensure adequate coverage of areas with the greatest exposure to risks.
Gerald Fitz, CAE, believes that the internal controls over cash disbursements need major revisions. He discussed this matter with senior management and was alarmed at their acceptance of this serious risk. The CAE should
Understand management's basis for accepting the risk.
The chief audit executive set up a computerized spreadsheet to facilitate the risk assessment process involving a number of different divisions in the organization. The spreadsheet included the following factors: Pressure on divisional management to meet profit goals Complexity of operations Competence of divisional personnel The monetary amount of subjectively influenced accounts in the division, such as accounts in which management's judgment can affect the expense, e.g., postretirement benefits The CAE used a group meeting of internal audit managers to reach a consensus on the competence of divisional personnel. Other factors were assessed as high, medium, or low by either the CAE or an internal audit manager who had performed an engagement at the division. The CAE assigned a weight ranging from 0.5 to 1.0 to each factor and then computed a composite risk score. Which statement is true?
Using a subjective group consensus to assess personnel competence is appropriate.