Internal Audit Exam 3
Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make?
"I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence."
Key components of modern IS
Computer hardware, networks, computer software, databases, information, people
Which of the following best illustrates the use of EDI?
Computerized placement of a purchase order from a customer to its supplier
An organization that manufactures and sells computers is trying to boost sales between now and the end of the year. It decides to offer its sales representatives a bonus based on the number of units they deliver to customers before the end of the year. The price of all computers is determined by the VP of sales and cannot be changed by sales representatives. Which of the following presents the greatest reason a sales representative may commit fraud with this incentive program?
Customers have the right to return a laptop for up to 90 days after purchase.
The Standards requires policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement? a. A small internal audit function may be managed informally through close supervision and written memos. b. Formal administrative and technical audit manuals may not be needed by all internal audit functions. c. The CAE should establish the function's policies and procedures. d. All internal audit functions should have a detailed policies and procedures manual.
D
Standard 2210
Engagement objectives
Which of the following best describes an auditor's responsibility after noting some indicators of fraud?
Expand activities to determine whether an investigation is warranted
Hardware/software risk
Failure of hardware/software to perform properly may cause business interruptions, temporary or permanent damage to or destruction of data, and hardware/software repair or replacement costs
Key principles of managing fraud risk
Fraud risk governance; fraud risk assessment; fraud risk activity; fraud investigation and corrective action; fraud RM monitoring activities
Which of the following is the best source of IT audit guidance within the IPPF?
GTAG
GTAG
Global Technology Audit Guide. First line: management owns and manages data, processes, risks. Second line: comprises risk, control, and compliance oversight. Third line: internal audit function provides independent and objective assurance.
Standard 2110
Governance
When using a rational decision-making process, the next step after defining the problem is:
Identifying acceptable levels of risk.
Internal Audit engagement teams prepare working papers primarily for the benefit of the:
Internal Audit Function
According to the IPPF, internal auditors should possess which of the following skills?
Internal auditors should understand human relations and be skilled in dealing with people. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices. Internal auditors should be skilled in oral and written communication.
Competent Evidence is best defined as evidence that:
Is reasonably free from error and bias and faithfully represents that which it purports to represent.
A payroll clerk increased the hourly pay rate of a friend and shared the resulting overpayment with the friend. Which of the following controls would have best served to prevent this fraud?
Limiting the ability to make changes in payroll system personnel information to authorized HR department supervisors.
Organizational independence exists if the CAE reports <List A> to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity <List B> without interference:
List A: administratively; List B: controls the scope and performance of work and reporting of results.
Fraud Red Flags
Living beyond their means; experiencing financial difficulties; excessive organizational pressure
What fraud schemes were reported to be most common in the ACFE's 2016 Report to the Nations?
Misappropriation of assets by employees.
Professional skepticism means that internal auditors beginning an assurance engagement should:
Neither assume client personnel are honest nor assume they are dishonest.
Which of the following is true about new and emerging technologies?
New technologies take time for the users to transition and adapt to the new technology, so training is critical.
Which of the following most completely describes the appropriate content of internal audit assurance engagement working papers?
Objectives, procedures, facts, conclusion, and recommendations.
Observation is one audit procedure that involves cost-benefit tradeoffs. Which of the following statements regarding observation as an audit procedure is/are correct?
Observation is limited because individuals may react differently when being watched. Observation provides evidence about whether certain controls are operating as designed.
The software that manages the interconnectivity of the system hardware devices is the:
Operating system software
According to the IPPF, the independence of the internal audit activity is achieved through
Organizational status and objectivity.
Levels of Reliability: Low
PBC, policy statements, timecards
Predication is a technical term that refers to: a. the ability of internal auditors to predict fraud successfully. b. the ability of a fraud examiner to commence an investigation if a form of evidence exists that fraud has occurred. c. the activities of fraud perpetrators in concealing their tracks so that fraud is covered up and may not be discovered. d. management's analysis of fraud risks so they can put in place effective anti-fraud programs and controls
b. the ability of a fraud examiner to commence an investigation if a form of evidence exists that fraud has occurred.
Levels of Reliability: High
Documents prepared by the internal auditor: inventory test maps, process maps, confirmations.
IT controls
Involve processes that provide assurance for information and help to mitigate risks associated with the use of technology
Fraud Triangle:
Pressure, opportunity, rationalization
Fraud investigation
Receiving the allegation, evaluating it, establishing protocols, determining appropriate actions
Selection Risk
Solution misaligned with a strategic objective
Effective controls to address cybersecurity
Strong security framework; identifying and controlling top risks; cybersecurity awareness
Professional Skepticism
The state of mind in which internal auditors take nothing for granted; they continuously question what they hear and see and critically assess audit evidence
Which of the following represents the most competent evidence that trade receivables actually exist?
Positive confirmations
Requiring a user ID and password would be an example of what type of control?
Preventative.
Development/acquisition and deployment risk
Problems encountered as the IT solution is being developed/acquired and deployed may cause unforeseen delays, cost overruns, or even abandonment of the project
See page 10-6
Procedures.
Which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence?
Product development team leader.
Standard 1210
Proficiency
Which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity?
Proper supervision, internal assessments, and external assessments.
Standard 2060
Reporting to senior management/board
The purpose of logical security controls is to:
Restrict access to data
Standard 2120
Risk management
IT risks
Selection risk, develop/acquisition and deployment risk, availability risk
System reliability and information integrity risk
Systematic errors or inconsistencies in processing may produce irrelevant, incomplete, inaccurate, and/or untimely information
Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?
The CAE.
Audit committees are most likely to participate in approval of:
The appointment of the CAE
From an organization's standpoint, because internal auditors are seen to be "internal control experts," they also are:
The best resource for audit committees, management, and others to consult in house when setting up anti-fraud programs and controls, even if they may not have any fraud investigation experience.
EDI
The computer to computer exchange of business documents in electronic form between an organization and its trading partners
Which of the following statements regarding an internal audit function's continuous auditing responsibilities is/are true?
The internal audit function is responsible for assessing the effectiveness of management's continuous monitoring activities. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls.
IT governance
The leadership, structure, and oversight processes that ensure the organization's IT supports the objectives and strategies of the organization.
IT Risk Management
The process conducted by management to understand and handle the IT risks and opportunities that could affect the organization's ability to achieve its objectives.
Fraud Triangle
The three factors that contribute to fraudulent activity by employees: opportunity, pressure, and rationalization.
Which of the following best describes continuous auditing?
The use of continuous risk assessment, continuous controls assessment, and assessment of continuous monitoring.
Fraud and malicious acts risk
Theft of IT resources, intentional misuse of IT resources, or intentional distortion or destruction of information may result in financial losses and/or misstated information that decision makers rely upon
Audit evidence is generally considered sufficient when:
There is enough of it to support well-founded conclusions
Levels of reliability: Medium
Third-party-provided documents: vendor invoices, bank statements, POs
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan?
To ensure that the internal audit plan supports the overall business objectives.
Vouching
Tracking information backward from one document or record to a previously prepared document or record, or to a tangible resource - VALIDITY
Tracing
Tracking information forward from one document, record, or tangible resource to a subsequently prepared document or record - COMPLETENESS
The 17 principles in the updated COSO 2013 Internal Controls -Integrated Framework include one devoted specifically to addressing fraud risk:
True
FCPA (Foreign Corrupt Practices Act)
U.S. law regulating behavior regarding the conduct of international business in the taking of bribes and other unethical actions.
An internet firewall is designed to provide protection against:
Unauthorized access from outsiders
Confidentiality and privacy risk
Unauthorized disclosure of business partners' proprietary information or individuals' personal information may result in a loss of business, lawsuits, negative press, and reputation impairment.
Access Risk
Unauthorized physical or logical access to the system may result in theft or misuse of hardware, malicious software modifications, and theft, misuse, or destruction of data
Availability risk
Unavailability of the system when needed may cause delays in decision-making, business interruptions, lost revenue, and customer dissatisfaction
Fraud Detection
Whistleblower hotlines. Process controls. Proactive fraud detection procedures.
Which of the following is an example of misappropriation of assets?
A small amount of petty cash is stolen.
Which one of the following examples of documentary evidence generally is considered the most reliable?
A vendor's invoice obtained from the accounts payable department.
Responsibilities of the CAE:
Communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval. Follow up on whether appropriate management actions have been taken on significant issues cited in internal audit reports. Establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organization's goals.
When discussing integration of IT into audit engagements, which of the following is the most desirable integration of IT into specific engagement?
Developing and performing computer audit software steps into the process-level audits along with testing of IT controls.
When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should:
Discuss the problem with the customer and together evaluate whether the engagement should be continued.
Standard 1220
Due Professional Care
IT proficiency and due professional care
1210.A3: internal auditors must have sufficient knowledge of key information technology risks and controls. 1220.A2: internal auditors must consider the use of technology-based audit.
Assurance Engagement IT responsibilities
2110.A2: assess information technology; 2120.A1: internal audit must evaluate risk; 2130.A1: evaluate the adequacy and effectiveness
Workpaper summaries, if prepared, can be used to A. Promote efficient workpaper review by internal audit supervisors. B. Replace the detailed workpaper files for permanent retention. C. Serve as an engagement final communication to senior management. D. Document the full development of engagement observations and recommendations.
A
Your audit objective is to determine that purchases of office supplies have been properly authorized. If purchases of office supplies are made through the purchasing department, which of the following procedures is most appropriate? a. Vouch purchase orders to approved purchase requisitions b. Trace approved purchase requisitions to purchase orders c. Inspect purchase requisitions for proper approval d. Vouch receiving reports to approved purchase orders
A
Which of the following types of companies would most likely need the strongest anti fraud controls?
A Bank
ERP system
A modular software system that enables an organization to integrate its business processes using a single operating database
According to research in personality psychology, the three dark triad personalities do not include: A.) Sociopaths B.) Psychopaths C.) Narcissists D.) Machiavellians
A.) Sociopaths
See book for problem 15 - on page 10-21.
AR analysis and ratios.
Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:
Accept the audit engagement because independence would not be impaired.
How should an organization handle an anonymous accusation from an employee that a supervisor in the organization has manipulated time reports?
Assess the facts provided by the anonymous party against the pre-established criteria to determine whether a formal investigation is warranted.
The possibility of someone maliciously shutting down an information system is most directly an element of:
Availability Risk
If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error was most likely detected by a: a. completeness check b. limit check c. validity check d. reasonableness check
C. Validity check
Which of the following is not an example of a fraud prevention program element? A.) Background investigations of new employees B.) Exit interviews of departing employees C.) Establish authority limits to purchasing commitments. D.) Analyzing cash disbursements to determine whether any duplicate payments have been made
B. Exit interviews of departing employees.
Which of the following is not one of the top 10 technology risks facing organizations? A. Cyber-security B. Use of older technology C. IT governance D. Mobile computing
B. Use of older technology
Fraud Prevention
Background checks, anti-fraud training, evaluating performance, exit interviews, authority limits, transaction-level procedures
The internal audit function's responsibilities with respect to fraud are limited to:
Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily possessing the expertise of a fraud investigation specialist.
Per IIA Standards, internal audit functions must establish:
Both internal and external quality assurance and improvement program assessments.
A production manager of MSM Company ordered excessive raw materials and had them delivered to a side business he operated. The manager falsified receiving reports and approved the invoices for payment. Which of the following procedures would most likely detect his fraud? a. Vouch cash disbursements to receiving reports and invoices b. Confirm the amounts of raw materials purchased, purchase prices, and dates of shipment with vendors c. Perform ratio and trend analysis. Compare the cost of raw materials purchased with the cost of goods produced d. Observe the receiving dock and count materials received. Compare the counts with receiving reports completed by receiving personnel.
C
An internal auditor is concerned that fraud, in the form of payments to fictitious vendors, may exist. Company purchasers, responsible for purchases of specific product lines, have been granted the authority to approve expenditures up to $10,000. Which of the following applications of GAS would be most effective in addressing the auditor's concern? a. List all purchases over $10,000 to determine whether they were properly approved. b. Take a random sample of all expenditures under $10,000 to determine whether they were properly approved c. List all major vendors by product line. Select a sample of major vendors and examine supporting documentation for goods or services received d. List all major vendors by product line. Select a sample of major vendors and send negative confirmations to validate that they actually provided goods or services.
C
The Standards requires the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement? a. Holding a meeting between the CAE and the independent outside audit firm's partner to discuss the upcoming audit of the financial statements. b. Providing the independent outside auditor with access to the working papers for an audit of third-party contractors. c. Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit. d. Requesting that the internal audit function receive a copy of the independent outside auditor's management letter.
C
Which is not a benefit of user-developed applications (UDAs)? A.) Quick to develop and use B.) Readily available and at a low cost C.) More configurable and flexible D.) Easy to control access to
D.) Easy to control access to
Which of the following is not a typical "rationalization" of a fraud perpetrator? A.) It's in the organization's best interest. B.) The company owes me because I'm underpaid. C.) I want to get back at my boss (revenge). D.) I'm smarter than the rest of them.
D.) I'm smarter than the rest of them.
Which of the following is not something all levels of employees should do? A.) Understand their role within the internal control framework. B.) Have a basic understanding of fraud and be aware of red flags C.) Report suspicions of incidences of fraud D.) Investigate suspicious activities that they believe may be fraudulent.
D.) Investigate suspicious activities that they believe may be fraudulent.
GAIT
Describes the relationships among financial reporting risks, key process controls, automated controls and other critical IT functionality, and key IT general controls.
An organization's IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility?
Designing IT application based controls