INTERNAL AUDIT EXAM 2

7. Which of the following is an example of misappropriation of assets? a. A small amount of petty cash is stolen. b. A journal entry is modified to improve reported financial results. c. A foreign official is bribed by the chief operating officer (COO) to facilitate approval of a new product. d. A duplicate bill is sent to a customer in hopes that they will pay it twice.

a. A small amount of petty cash is stolen.

4. Documentary evidence is one of the principal types of corroborating information used by an internal auditor. Which one of the following examples of documentary evidence generally is considered the most reliable? a. A vendor's invoice obtained from the accounts payable department. b. A credit memorandum prepared by the credit manager. c. A receiving report obtained from the receiving department. d. A copy of a sales invoice prepared by the sales department.

a. A vendor's invoice obtained from the accounts payable department.

13. Which of the following is not a technique to conceal inventory shrinkage? a. Counting and valuing physical inventory at the end of each year. b. Writing off inventory after physical inventory counts. c. Understating the value of physical inventory counts. d. Altering the yearly physical inventory counts.

a. Counting and valuing physical inventory at the end of each year.

1. According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives? a. Ensuring culture is clearly articulated by the board. b. Possibility of strategy not aligning. c. Implications from the strategy chosen. d. Risk to achieving the strategy.

a. Ensuring culture is clearly articulated by the board.

7. Which of the following is not a potential value driver for implementing ERM? a. Financial results will improve in the short run. b. There will be fewer surprises from year to year. c. There will be better information available to make risk decisions. d. An organization's risk appetite can be aligned with strategic planning.

a. Financial results will improve in the short run.

9. After business risks have been identified, they should be assessed in terms of their inherent: a. Impact and likelihood. b. Likelihood and probability. c. Significance and severity. d. Significance and control effectiveness.

a. Impact and likelihood.

2. Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make? a. "I consider the level of risk involved when deciding the kind of evidence I will gather." b. "I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence." c. "I evaluate both the usefulness of the evidence I can obtain and the cost to obtain it." d. "I am seldom absolutely certain about the conclusions I reach based on the evidence I examine."

b. "I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence."

10. In a risk-by-process matrix, a process that helps to manage a risk indirectly would be shown to have: a. A key link. b. A secondary link. c. An indirect link. d. No link at all.

b. A secondary link.

8. Which of the following symbols in a process map will most likely contain a question? a. Rectangle. b. Diamond. c. Arrow. d. Oval.

b. Diamond.

12. COSO's internal control framework has five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)? I. The organization demonstrates a commitment to integrity and ethical values. II. Monitoring activities. III. A level of assurance that is supported by generally accepted auditing procedures and judgments. IV. A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices. V. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. a. II only. b. I and V only. c. II and IV only. d. I, II, III, IV, and V.

b. I and V only.

2. Which of the following is true? a. Continuous monitoring is the CAE's responsibility. b. If a control breakdown is identified through continuous auditing, it should be reported to management on a timely basis. c. Data analytics technologies cannot be used for substantive testing. d. Continuous auditing routines developed by internal auditors should not be shared with management.

b. If a control breakdown is identified through continuous auditing, it should be reported to management on a timely basis.

10. Which of the following is not a major classification of the types of financial statement fraud? a. Fictitious revenues. b. Improper disclosures. c. Concealed liabilities. d. Channel stuffing.

b. Improper disclosures.

10. Internal audit engagement teams prepare workpapers primarily for the benefit of the: a. Auditee. b. Internal audit function. c. Board and senior management. d. Independent outside auditor.

b. Internal audit function.

1. After anonymous tips/complaints and pure accident as a source of fraud discovery, the next highest source according to the 2020 ACFE Report to the Nations survey was: a. External auditors. b. Internal auditors. c. Vendors. d. Customers.

b. Internal auditors.

11. A major upgrade to an important information system would most likely represent a high: a. External risk factor. b. Internal risk factor. c. Other risk factor. d. Likelihood of future systems problems.

b. Internal risk factor.

12. Competent evidence is best defined as evidence that: a. Is persuasive, reasonably free from error and bias, and faithfully represents that which it purports to represent. b. Is obtained by observing people, property, and events. c. Is supplementary to other evidence already gathered and tends to strengthen or confirm it. d. Proves an intermediate fact, or group of facts, from which still other facts can be inferred.

a. Is persuasive, reasonably free from error and bias, and faithfully represents that which it purports to represent.

13. One of the challenges of ERM in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas. b. Employees in these structures are inherently less risk averse. c. Managers have less incentive to implement and monitor controls. d. Effective controls are more difficult to design, and consistent application is more difficult to achieve across the organization.

a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas.

11. Which of the following is not a fictitious revenue scheme? a. Matching expenses to revenues. b. Premature revenue recognition. c. Conditional sales. d. Channel stuffing.

a. Matching expenses to revenues.

11. Which of the following represents the most persuasive evidence that trade receivables actually exist? a. Positive confirmations. b. Sales invoices. c. Receiving reports. d. Bills of lading.

a. Positive confirmations.

3. The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. Preventive control. b. Detective control. c. Compensating control. d. Monitoring control.

a. Preventive control.

13. Workpaper summaries, if prepared, can be used to: a. Promote efficient workpaper review by internal audit supervisors. b. Replace the detailed workpaper files for permanent retention. c. Serve as an engagement final communication to senior management. d. Document the full development of engagement observations and recommendations.

a. Promote efficient workpaper review by internal audit supervisors.

6. Your audit objective is to determine whether purchases of office supplies have been properly authorized. If purchases of office supplies are made through the purchasing department, which of the following procedures is most appropriate? a. Vouch purchase orders to approved purchase requisitions. b. Trace approved purchase requisitions to purchase orders. c. Inspect purchase requisitions for proper approval. d. Vouch receiving reports to approved purchase orders.

a. Vouch purchase orders to approved purchase requisitions.

10. Which of the following best exemplifies a control activity referred to as independent verification? a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions. b. Identification badges and security codes used to restrict entry to the production facility. c. Accounting records and documents that provide a trail of sales and cash receipt transactions. d. Separating the physical custody of inventory from inventory accounting.

a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions.

14. A CAE survey revealed several definitions for internal audit data analytics. Which definition was not mentioned as the most popular? a. Reduce internal audit head count. b. Repeatable and automated processes that search for patterns and identify anomalies. c. Analysis of operational, financial, and other data that quantifies and highlights risk and/or opportunity. d. Data-mining information across multiple sources to provide actionable results.

a. Reduce internal audit head count.

10. Understanding "What data do I need" in the DAP framework requires the following key data attributes: a. Sufficient, reliable, relevant, and useful. b. Sufficient, numerical, reliable, and useful. c. Reliable, relevant, useful, and audited. d. Reliable, relevant, database-ready, and useful.

a. Sufficient, reliable, relevant, and useful.

2. Which of the following is a valid statement about the detection of fraud? a. The combined frequency of tips and accidents in discovering fraud exceeds the combined frequency of internal and external audits. b. Law enforcement plays a significant role in the detection of white-collar (economic) crimes. c. Internal controls, when properly designed, are almost bulletproof in terms of preventing fraud. d. For the purposes of understanding how fraud is discovered, whistleblower hotlines are the only method proven to detect fraud.

a. The combined frequency of tips and accidents in discovering fraud exceeds the combined frequency of internal and external audits.

7. Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that: a. The individual who initiates wire transfers does not reconcile the bank statement. b. The branch manager must receive all wire transfers. c. Foreign currency rates must be computed separately by two different employees. d. Corporate management approves the hiring of employees in this department.

a. The individual who initiates wire transfers does not reconcile the bank statement.

5. If a risk appears in the middle of quadrant IV in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative to the risk. c. The controls may be inadequate relative to the risk. d. There is not enough information to make a judgment.

a. There is an appropriate balance between risk and control.

2. Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to: a. Determine the ability of the activities to produce reliable information. b. Obtain the understanding necessary to test the process. c. Document that the process meets internal audit standards. d. Determine whether the process meets established management objectives.

b. Obtain the understanding necessary to test the process.

12. When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks.

b. Provide assurance on the management of the risk.

3. Which of the following is not an example of a risk-sharing strategy? a. Outsourcing a noncore, high-risk area. b. Selling a nonstrategic business unit. c. Hedging against interest rate fluctuations. d. Buying an insurance policy to protect against adverse weather.

b. Selling a nonstrategic business unit.

4. An effective system of internal controls is most likely to detect a fraud perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.

b. Single employee.

9. What key IIA Standard(s) does the DAP framework follow? a. Standards 2310 - Identifying Information and 2600 - Communicating the Acceptance of Risks. b. Standards 2310 - Identifying Information and 2320 - Analysis and Evaluation. c. Standards 1230 - Continuing Professional Development and 2320 - Analysis and Evaluation. d. Standards 2320 - Analysis and Evaluation and 2600 - Communicating the Acceptance of Risks.

b. Standards 2310 - Identifying Information and 2320 - Analysis and Evaluation.

4. If a risk appears in the bottom right of quadrant II in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative to the risk. c. The controls may be inadequate relative to the risk. d. There is not enough information to make a judgment.

b. The controls may be excessive relative to the risk.

3. What is a business process? a. How management plans to achieve the organization's objectives. b. The set of connected activities linked with each other for the purpose of achieving an objective or goal. c. A group of interacting, interrelated, or interdependent elements forming a complex whole. d. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service that brings about beneficial change or added value.

b. The set of connected activities linked with each other for the purpose of achieving an objective or goal.

3. Audit evidence is generally considered sufficient when: a. It is appropriate. b. There is enough of it to support well-founded conclusions. c. It is relevant, reliable, and free from bias. d. It has been obtained via random sampling.

b. There is enough of it to support well-founded conclusions.

9. Which of the following types of companies would most likely need the strongest anti-fraud controls? a. A manufacturer of popular athletic shoes. b. A grocery store. c. A bank. d. An internet-based electronics retailer.

c. A bank.

11. An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement? a. The area being audited involves the processing of a high volume of transactions. b. Certain components of the process are outsourced. c. A new system was implemented during the year, which changed how the transactions are processed. d. The total dollars processed in this area are material.

c. A new system was implemented during the year, which changed how the transactions are processed.

6. Which of the following circumstances would concern the internal auditor the most? a. A risk in the lower left corner of quadrant I. b. A risk in the lower right corner of quadrant II. c. A risk in the upper left corner of quadrant III. d. A risk in the upper right corner of quadrant IV.

c. A risk in the upper left corner of quadrant III.

6. How should an organization handle an anonymous accusation from an employee that a supervisor in the organization has manipulated time reports? a. Assign a staff internal auditor to review all time reports for the past six months in the supervisor's area. b. Make a record of the accusation but do nothing, as anonymous accusations are typically not true. c. Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted. d. Turn the issue over to the HR department because this type of anonymous accusation is usually just a human resource issue.

c. Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted.

12. The internal audit function's responsibilities with respect to fraud are limited to: a. The organization's operational and compliance activities, only because financial reporting matters are the responsibility of the independent outside auditor. b. Monitoring any calls received through the organization's whistleblower hotline but not necessarily conducting a follow-up investigation. c. Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily possessing the expertise of a fraud investigation specialist. d. Ensuring that all employees have received adequate fraud awareness training.

c. Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily possessing the expertise of a fraud investigation specialist.

4. Which of the following is not typically a barrier to internal auditors using data analytics in achieving the engagement objective? a. Knowing what data exists and where to find it. b. Poorly defining the scope of the intended use of data analytics. c. Data analytics software is limited by the number of records it can process. d. The effort required to cleanse and prepare data for import to the data analytics tool.

c. Data analytics software is limited by the number of records it can process.

5. Which of the following risk management activities is out of sequence in terms of timing? a. Identify, assess, and prioritize risks. b. Develop risk responses/treatments. c. Determine key organizational objectives. d. Monitor the effectiveness of risk responses/treatments.

c. Determine key organizational objectives.

6. An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? a. Determine whether policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may invest. b. Determine the extent of management oversight over investments in sophisticated instruments. c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations. d. Determine the nature of monitoring activities related to the investment portfolio.

c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations.

9. When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should: a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner. b. Resign his or her position in the organization. c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee. d. Accept senior management's position because it establishes the risk appetite for the organization.

c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee.

7. The data analytics program (DAP) framework helps to guide internal auditors in planning and deploying data analytics. Which of the following is not a key step in the DAP framework? a. What can we analyze and learn from this data? b. What do we know about the business process? c. How do we back up the database for analysis? d. What data tells me about the highest risk/value?

c. How do we back up the database for analysis?

5. An internal auditor must weigh the cost of an audit procedure against the persuasiveness of the evidence to be gathered. Observation is one audit procedure that involves cost-benefit tradeoffs. Which of the following statements regarding observation as an audit procedure is/are correct? I. Observation is limited because individuals may react differently when being watched. II. Observation is more effective for testing completeness than it is for testing existence. III. Observation provides evidence about whether certain controls are operating as designed. a. I only. b. II only. c. I and III. d. I, II, and III.

c. I and III.

3. Which of the following is/are barriers to widespread use of data analytics by internal audit functions? I. The scope of the intended use of data analytics is not well defined. II. The amount of time required to clean and prepare data for analysis. III. The extensive programming skills required to perform data analytics. IV. Not understanding the data to be analyzed (its source, context, use, and meaning). a. II and III only. b. I and IV only. c. I, II, and IV only. d. I, II, III, and IV.

c. I, II, and IV only.

7. Which of the following are business processes? I. Strategic planning. II. Review and write-off of delinquent loans. III. Safeguarding of assets. IV. Remittance of payroll taxes to the respective tax authorities. a. I and III. b. II and IV. c. I, II, and IV. d. I, II, III, and IV.

c. I, II, and IV.

8. The Grant Thornton survey calls out the need for internal audit data analytics competencies. The CAE, assuming they have the budget, should hire an internal audit data analyst with the following competencies: I. Audit experience. II. Industry knowledge. III. Legal experience. IV. Data analytic experience. a. I and II only. b. II and IV only. c. I, II, and IV. d. I, II, and III.

c. I, II, and IV.

6. Common uses for data analytics within internal audit functions may include all of the following except: a. Identify invalid expense report items. b. Identify ghosts on the payroll. c. Identify theft of inventory. d. Identify suspect timesheets.

c. Identify theft of inventory.

9. Reasonable assurance, as it pertains to internal control, means that: a. The objectives of internal control vary depending on the method of data processing used. b. A well-designed system of internal controls will prevent or detect all errors and fraud. c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. d. Management cannot override controls, and employees cannot circumvent controls through collusion.

c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved.

15. Enterprise risk management: a. Guarantees achievement of business objectives. b. Requires establishment of risk and control activities by internal auditors. c. Involves the identification of events with negative impacts on business objectives. d. Includes a selection of the best risk response for the organization.

c. Involves the identification of events with negative impacts on business objectives.

15. How does a control manage a specific risk? a. It reduces the likelihood of the event giving rise to the risk. b. It reduces the impact of the event giving rise to the risk. c. It reduces either likelihood or impact or both. d. It prevents the occurrence of the event.

c. It reduces either likelihood or impact or both.

8. An internal auditor is concerned that fraud, in the form of payments to fictitious vendors, may exist. Company purchasers, responsible for purchases of specific product lines, have been granted the authority to approve expenditures up to $10,000. Which of the following applications of generalized audit software would be most effective in addressing the auditor's concern? a. List all purchases over $10,000 to determine whether they were properly approved. b. Take a random sample of all expenditures under $10,000 to determine whether they were properly approved. c. List all major vendors by product line. Select a sample of major vendors and examine supporting documentation for goods or services received. d. List all major vendors by product line. Select a sample of major vendors and send negative confirmations to validate that they actually provided goods or services.

c. List all major vendors by product line. Select a sample of major vendors and examine supporting documentation for goods or services received.

3. What fraud schemes were reported to be most common in the ACFE's 2020 Report to the Nations? a. Corruption. b. Fraudulent billing. c. Misappropriation of assets by employees. d. Inappropriately reporting revenues in published financial results.

c. Misappropriation of assets by employees.

1. Professional skepticism means that internal auditors beginning an assurance engagement should: a. Assume the auditee is dishonest until they gather evidence that clearly indicates otherwise. b. Assume the auditee is honest until they gather evidence that clearly indicates otherwise. c. Neither assume the auditee is honest nor assume they are dishonest. d. Assume that internal controls are designed inadequately and/or operating ineffectively.

c. Neither assume the auditee is honest nor assume they are dishonest.

9. Which of the following most completely describes the appropriate content of internal audit assurance engagement workpapers? a. Objectives, procedures, and conclusions. b. Purpose, criteria, techniques, and conclusions. c. Objectives, procedures, facts, conclusions, and recommendations. d. Subject, purpose, sampling information, and analysis.

c. Objectives, procedures, facts, conclusions, and recommendations.

11. The risk assessment component of internal control involves the: a. Independent outside auditor's assessment of residual risk. b. Internal audit function's assessment of control deficiencies. c. Organization's identification and analysis of the risks that threaten the achievement of its objectives. d. Organization's monitoring of financial information for potential material misstatements.

c. Organization's identification and analysis of the risks that threaten the achievement of its objectives.

14. Which flowcharting symbol indicates the start or end of a process? a. Arrow. b. Diamond. c. Oval. d. Rectangle.

c. Oval.

7. A production manager of MSM Company ordered excessive raw materials and had them delivered to a side business he operated. The manager falsified receiving reports and approved the invoices for payment. Which of the following procedures would most likely detect this fraud? a. Vouch cash disbursements to receiving reports and invoices. b. Confirm the amounts of raw materials purchased, purchase prices, and dates of shipment with vendors. c. Perform ratio and trend analysis. Compare the cost of raw materials purchased with the cost of goods produced. d. Observe the receiving dock and count materials received. Compare the counts with receiving reports completed by receiving employees.

c. Perform ratio and trend analysis. Compare the cost of raw materials purchased with the cost of goods produced.

2. Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success? a. Economic event. b. Natural environment event. c. Political event. d. Social event.

c. Political event.

5. Which of the following is the most significant to the auditee in providing information related to the future direction and actions that can improve the operation of the organization? a. Descriptive. b. Diagnostic. c. Predictive. d. Prescriptive.

c. Predictive.

5. The control that would most likely ensure that payroll checks are written only for authorized amounts is to: a. Conduct periodic floor verification of employees on the payroll. b. Require the return of undelivered checks to the cashier. c. Require supervisory approval of employee time cards. d. Periodically witness the distribution of payroll checks.

c. Require supervisory approval of employee time cards.

2. What is residual risk? a. Impact of risk. b. Risk that is under control. c. Risk that is not managed. d. Underlying risk in the environment.

c. Risk that is not managed.

14. An internal auditor gathered the following accounts receivable trend and ratio analysis information: Which of the following is the least reasonable explanation for the changes observed by the auditor? a. Fictitious sales may have been recorded in years 2 and 3. b. The effectiveness of credit and collection procedures deteriorated over the three-year period. c. Sales returned for credit were overstated in years 2 and 3. d. The allowance for bad debts was understated in years 2 and 3.

c. Sales returned for credit were overstated in years 2 and 3.

13. You are in the last part of an internal audit engagement that leveraged data analytics to test controls. The internal audit team is starting to wrap up fieldwork and is validating findings. You get a phone call from the auditee that they did not provide a complete data population for the period you are auditing. What would be your next step? a. Continue on with the dataset because it is close enough for audit work. b. Tell the auditee to compare the existing dataset with what they gave you and explain the difference. Because it was their fault, they are responsible for explaining why they gave you the wrong data. c. Take the new dataset and consult with your supervisor and CAE as to what to do next. d. Do nothing because you already found nothing wrong with the data.

c. Take the new dataset and consult with your supervisor and CAE as to what to do next.

8. Who has primary responsibility for the monitoring component of internal control? a. The organization's independent outside auditor. b. The organization's internal audit function. c. The organization's management. d. The organization's board of directors.

c. The organization's management.

1. Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. b. To ensure that weaknesses in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically. d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.

c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically.

11. The following represent examples of internal audit data analytics usage except for: a. Compliance. b. Operational performance. c. Tone at the top. d. Internal controls.

c. Tone at the top.

4. An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website? a. Appropriateness of the information. b. Timeliness of the information. c. Accessibility of the information. d. Accuracy and reliability of the information.

d. Accuracy and reliability of the information.

8. Which of the following is not an example of a fraud prevention program element? a. Background investigations of new employees. b. Exit interviews of departing employees. c. Establishing authority limits related to purchasing commitments. d. Analyzing cash disbursements to determine whether any duplicate payments have been made.

d. Analyzing cash disbursements to determine whether any duplicate payments have been made.

14. Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor. b. Audit committee. c. Internal audit supervisor. d. CAE.

d. CAE.

15. Which of these does the Cressey fraud triangle not include as one of its vertices? a. Pressure. b. Opportunity. c. Rationalization. d. Fraudster personality.

d. Fraudster personality.

4. Which of the following is not a typical "rationalization" of a fraud perpetrator? a. It's in the organization's best interest. b. The company owes me because I'm underpaid. c. I want to get back at my boss (revenge). d. I'm smarter than the rest of them.

d. I'm smarter than the rest of them.

1. In which phase(s) of the internal audit engagement can data analytics be used? I. Planning the individual engagement. II. Testing the effectiveness and efficiency of controls. III. Assessing risk to determine which areas of the organization to audit. a. I only. b. II only. c. I and III only. d. I, II, and III.

d. I, II, and III.

5. Which of the following is not something all levels of employees should do? a. Understand their role within the internal control framework. b. Have a basic understanding of fraud and be aware of the red flags. c. Report suspicions of incidences of fraud. d. Investigate suspicious activities that they believe may be fraudulent.

d. Investigate suspicious activities that they believe may be fraudulent.

6. Who is responsible for implementing ERM? a. The chief financial officer. b. The chief audit executive. c. The chief compliance officer. d. Management throughout the organization.

d. Management throughout the organization.

12. Which of the following is true regarding business process outsourcing? a. Outsourcing a core, high-risk business process reduces the overall operational risk. b. Outsourced processes should not be included in the internal audit universe. c. The independent outside auditor is required to review all significant outsourced business processes. d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.

d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.

14. The function of the chief risk officer is most effective when he or she: a. Manages risk as a member of senior management. b. Shares the management of risk with line management. c. Shares the management of risk with the CAE. d. Monitors risk as part of the ERM team.

d. Monitors risk as part of the ERM team.

1. In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization? a. Advertising budget. b. Production scheduling. c. Inventory policy. d. Product quality.

d. Product quality.

13. A company has recently outsourced its payroll process to a third-party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision? a. Cancel the engagement, because the processing is being performed outside the organization. b. Review only the controls over payments to the third-party provider based on the contract. c. Review only the company's controls over data sent to and received from the third-party service provider. d. Review the controls over payroll processing in both the company and the third-party service provider.

d. Review the controls over payroll processing in both the company and the third-party service provider.

12. What represents a good first step to obtain the data for the internal audit function immediately? a. Request a download of all of the organization's data onto the internal audit function's database or file share by asking the chief information security officer. b. Start with the chief information officer who will authorize access for you to run SQL queries and collect the necessary data files. c. Request read access to all production databases by asking the database administrator for a superuser account. d. Start with existing databases, data warehouses, and application record files and talk to the data owners.

d. Start with existing databases, data warehouses, and application record files and talk to the data owners.

10. The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors? a. A cross-section of management is involved in assessing the impact and likelihood of each risk. b. Risk owners are assigned responsibility for each key risk. c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile. d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.

d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.

8. Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan? a. To emphasize the importance of the internal audit function to the organization. b. To ensure that the internal audit plan will be approved by senior management. c. To make recommendations to improve the strategic plan. d. To ensure that the internal audit plan supports the overall business objectives.

d. To ensure that the internal audit plan supports the overall business objectives.

14. What is the best way to prevent and detect conflicts of interest? a. An effective control environment, including an ethical tone at the top. b. Segregation of duties. c. Bank reconciliations. d. Transparent and full disclosure.

d. Transparent and full disclosure.

