INTERNAL AUDIT EXAM 3 (FINAL)
3. Senior management of an organization has requested that the internal audit function help educate employees about internal control concepts. This work is an example of: a. An assurance engagement. b. A training consulting engagement. c. A facilitative consulting engagement. d. An advisory consulting engagement.
b. A training consulting engagement.
5. Which of the following controls is not likely to be an entity-level control? a. All employees must receive ongoing training to ensure they maintain their competence. b. All cash disbursement transactions must be approved before they are paid. c. All employees must comply with the Code of Ethics and Business Conduct. d. An organization-wide risk assessment is conducted annually.
b. All cash disbursement transactions must be approved before they are paid.
14. In which of the following scenarios do consulting services provided by the internal audit function prove to be most beneficial? a. An organization that is completely stable and has very little change. b. An organization that has frequent, significant change. c. An organization that wants to reduce the level of change in the organization. d. An organization that has a lot of standards and procedures already in place and does not want to change them.
b. An organization that has frequent, significant change.
6. The chief operating officer (COO) has requested that the internal audit function advise her regarding a new incentive plan being developed for sales representatives. Which of the following tasks should the CAE decline with respect to providing advice to the COO? a. Researching and benchmarking incentive plans provided by other companies in the industry. b. Determining the appropriate bonus formula for inclusion in the plan. c. Recommending monitoring procedures so that appropriate amounts are paid under the plan. d. Determining how to best document the support for amounts paid to provide a sufficient audit trail.
b. Determining the appropriate bonus formula for inclusion in the plan.
9. Which of the following controls is likely to be least relevant when evaluating the design adequacy of a cash collections process? a. Calculating the amount of cash received. b. Documenting the rationale for selecting the bank account into which the deposit will be made. c. Matching the total deposits to the amounts credited to customers' accounts receivable balances. d. Segregating the preparation of deposit slips from the adjustment of customer account balances.
b. Documenting the rationale for selecting the bank account into which the deposit will be made.
11. Which of the following areas of culture presents the greatest challenge for internal auditors who want to become trusted advisors? a. Receiving approval to include consulting services in the internal audit charter. b. Educating all areas on the internal audit function's role in performing consultative internal audit services. c. Internal audit staff are trained to perform assurance engagements only. d. Movement to a more controlled environment for the corporate enterprise.
b. Educating all areas on the internal audit function's role in performing consultative internal audit services.
1. Which of the following is not likely to be an assurance engagement objective? a. Evaluate the design adequacy of the payroll input process. b. Guarantee the accuracy of recorded inventory balances. c. Assess compliance with health and safety laws and regulations. d. Determine the operating effectiveness of fixed asset controls.
b. Guarantee the accuracy of recorded inventory balances.
11. A specific objective of an audit of an organization's expenditure cycle is to determine if all goods paid for have been received and charged to the correct account. This objective would address which of the following primary objectives identified in The IIA's International Standards for the Professional Practice of Internal Auditing? I. Reliability and integrity of financial and operational information. II. Compliance with laws, regulations, and contracts. III. Effectiveness and efficiency of operations. IV. Safeguarding of assets. a. I and II only. b. I and IV only. c. I, II, and IV only. d. II, III, and IV only.
b. I and IV only.
1. The tasks performed during an internal audit assurance engagement should address the following questions: I. What are the reasons for the results? II. How can performance be improved? III. What results are being achieved? The chronological order in which these questions should be addressed is: a. III, I, II. b. I, III, II. c. III, II, I. d. II, III, I.
a. III, I, II.
13. Which of the following statements best describes the internal audit function's responsibility for follow-up activities related to a previous engagement? a. Internal auditors should determine if corrective action has been taken and is achieving the desired results or if management has assumed the risk of not taking the corrective action. b. Internal auditors should determine if management has initiated corrective action, but they have no responsibility to determine if the action is achieving the desired results. That determination is management's responsibility. c. The CAE is responsible for scheduling follow-up activities only if directed to do so by senior management or the audit committee. Otherwise, follow-up is entirely discretionary. d. None of the above.
a. Internal auditors should determine if corrective action has been taken and is achieving the desired results or if management has assumed the risk of not taking the corrective action.
9. Which of the following statements best describes an internal audit function's responsibility for assurance engagement follow-up activities? a. The internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations. b. The internal audit function should determine whether management has initiated corrective action but has no responsibility to determine whether the corrective action is achieving the desired results. That determination is management's responsibility. c. The CAE is responsible for scheduling audit follow-up activities only if asked to do so by senior management or the audit committee. Otherwise, such activities are discretionary. d. Audit follow-up activities are not necessary if the auditee has agreed in writing to implement the internal audit function's recommendations.
a. The internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations.
3. Which of the following statements does not illustrate the concept of inherent business risk? a. Cash is more susceptible to theft than an inventory of sheet metal. b. A broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter. c. Transactions involving complex calculations are more likely to be misstated than transactions involving simple calculations. d. Technological developments might make a particular product obsolete.
b. A broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter.
4. An internal auditor has just completed an assurance engagement and is in the process of evaluating the observations identified during the performance phase. The observations included in the formal engagement communications should include: a. Statements of opinion about the cause of an observation. b. Pertinent factual statements concerning the control weaknesses uncovered during the course of the assurance engagement. c. Statements of both fact and opinion developed during the course of the engagement. d. Statements concerning potential future events that may be helpful to the engagement client.
b. Pertinent factual statements concerning the control weaknesses uncovered during the course of the assurance engagement.
11. When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks.
b. Provide assurance on the management of the risk.
12. Which of the following best describes internal audit workpapers for consulting engagements? a. Workpapers are not required for consulting engagements. b. Workpaper requirements for consulting engagements are similar to assurance engagements but typically have less documentation. c. Consulting engagements typically require more documentation than assurance engagements. d. Workpapers for consulting engagements do not require a review by internal audit management.
b. Workpaper requirements for consulting engagements are similar to assurance engagements but typically have less documentation.
8. The audit committee has requested that the internal audit function assist with the annual enterprise risk assessment process. What type of consulting engagement does this assistance represent? a. An assurance engagement. b. A training consulting engagement. c. A facilitative consulting engagement. d. An advisory consulting engagement.
c. A facilitative consulting engagement.
13. A performance audit engagement typically involves: a. Review of financial statement information, including the appropriateness of various accounting treatments. b. Tests of compliance with policies, procedures, laws, and regulations. c. Appraisal of the environment and comparison against established criteria. d. Evaluation of organizational and departmental structures, including assessment of process flows.
c. Appraisal of the environment and comparison against established criteria.
2. Which of the following is an appropriate conclusion that can be drawn when the internal auditor identifies an observation from testing controls? a. The process objectives cannot be achieved. b. The area may be vulnerable to fraud. c. Certain risks are not effectively mitigated. d. Overall, the process is not operating effectively.
c. Certain risks are not effectively mitigated.
4. Which of the following auditee-prepared documents will likely be of greatest assistance to the internal auditors in their assessment of process design adequacy? a. Policies and procedures manual. b. Organization charts and job descriptions. c. Detailed flowcharts depicting the flow of the process. d. Narrative memoranda listing key tasks for portions of the process.
c. Detailed flowcharts depicting the flow of the process.
4. It would be appropriate for the internal audit function to perform which of the following? a. Design controls for a process. b. Develop a new whistleblower policy. c. Review a new IT application before implementation. d. Lead a process reengineering project.
c. Review a new IT application before implementation.
1. Which of the following would be a typical consulting engagement activity performed by the internal audit function? a. Testing compliance with accounts payable policies and procedures. b. Determining the scope of an engagement to test IT application controls. c. Reviewing and commenting on a draft of a new ethics policy created by the company. d. Testing the design adequacy of controls over the termination of employees.
c. Reviewing and commenting on a draft of a new ethics policy created by the company.
1. If an internal auditor identifies an exception while testing, which of the following may be appropriate? a. Test additional items to determine whether the exception is an isolated occurrence or indicative of a control deficiency. b. Gain an understanding of the root cause, that is, the reason the exception occurred. c. Draft an observation for the audit report. d. All of the above.
d. All of the above.
13. Which auditor will be the most successful in being perceived as a trusted advisor? a. One who audits using a checklist. b. One who best uses audit sampling techniques. c. One who ensures 100 percent compliance with all policies, procedures, and rules. d. One who collaborates with management to reach a consensus on the best solution to balance controls and efficient processes.
d. One who collaborates with management to reach a consensus on the best solution to balance controls and efficient processes.
3. Analytical procedures can be applied during which phase(s) of an assurance engagement? a. Plan phase. b. Perform phase. c. Communicate phase. d. Plan and perform phases.
d. Plan and perform phases.
2. Which of the following is not a required consideration regarding proficiency and due professional care when choosing to perform a consulting engagement? a. Availability of adequate skills and resources to conduct the engagement. b. Needs and expectations of the engagement customer. c. Cost of the engagement relative to the potential benefits. d. Potential impact on the independent outside auditor's financial statement audit.
d. Potential impact on the independent outside auditor's financial statement audit.
10. Internal auditors are working to become trusted advisors to management on risk management techniques. Which of the following would be the best way for internal audit to demonstrate they are truly a trusted advisor? a. Providing testing of key controls. b. Assisting management in developing procedures for accounts payable. c. Performing a post-implementation review after a system has been installed. d. Providing guidance and audit resources to develop an enterprise risk management process for the organization.
d. Providing guidance and audit resources to develop an enterprise risk management process for the organization.
12. The primary reason for having written formal audit reports is to: a. Provide an opportunity for engagement client response. b. Document the corrective actions required of senior management. c. Provide a formal means by which the external auditor assesses potential reliance on the internal audit function. d. Record observations and recommended courses of action.
d. Record observations and recommended courses of action.
6. A formal engagement communication must: a. Provide an opportunity for the auditee to respond. b. Document the corrective actions required of senior management. c. Provide a formal means by which the independent outside auditor assesses potential reliance on the internal audit function. d. Report significant observations.
d. Report significant observations.
9. Internal audit reports can be structured to motivate management to correct deficiencies. Which of the following report-writing techniques is most likely to be effective? a. State the procedural inadequacies and resulting improprieties in specific terms. b. Recommend changes and state the punitive measures that will follow if the recommendations are not implemented. c. List the deficiencies found so as to provide an easy-to-follow checklist. d. Suggest practical improvements to address the identified observations.
d. Suggest practical improvements to address the identified observations.
2. Reported internal audit observations emerge as a result of comparing "what should be" with "what is." In determining "what should be" during an internal audit engagement, which of the following would be the least appropriate criterion against which to assess current controls? a. Industry best practices. b. Control policies and procedures prescribed by senior management. c. A standard of control effectiveness determined by the internal audit function. d. The controls documented as being in place during the last audit.
d. The controls documented as being in place during the last audit.
12. In an assurance engagement of treasury operations, an internal auditor is required to consider all of the following issues except: a. The audit committee has requested assurance on the treasury department's compliance with a new policy on use of financial instruments. b. Treasury management has not instituted any risk management policies. c. Due to the recent sale of a division, the amount of cash and marketable securities managed by the treasury department has increased by 350 percent. d. The external auditors have indicated some difficulties in obtaining account confirmations.
d. The external auditors have indicated some difficulties in obtaining account confirmations.
4. Comprehensive risk assessment involves analysis of both causes and effects. Which of the following statements concerning the analysis of causes and effects is false? a. Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred. b. Analyzing the causes and effects of a particular risk provides insights about how to best manage the risk. c. Analyzing the effects of a particular risk provides insights about the relative size of the risk and the relative importance of the business objective threatened by the risk. d. Analyzing the root causes of a particular risk helps the internal auditor formulate recommendations for reducing the risk to an acceptable level.
a. Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred.
8. Internal auditors sometimes express opinions in addition to stating observations in their reports. Due professional care requires that internal audit opinions be: a. Based on sufficient appropriate evidence. b. Limited to the effectiveness of internal controls. c. Expressed only when requested by management or the audit committee. d. Based on experience and free from errors in judgment.
a. Based on sufficient appropriate evidence.
15. What is the difference between a blended engagement and a consulting engagement? a. Blended engagements include components of both assurance and consulting services. b. Blended engagements take advantage of statistical sampling. c. A blended engagement always focuses on assurance services versus a balance of assurance and consulting services. d. A blended engagement uses external auditors versus a consulting engagement, which uses internal auditors.
a. Blended engagements include components of both assurance and consulting services.
3. Once an observation is identified by the internal auditor, it should be: a. Documented in the workpapers. b. Discussed with the audit committee. c. Included in the final audit report. d. Scheduled for follow-up.
a. Documented in the workpapers.
15. If an auditor's preliminary evaluation of internal controls results in an observation that controls may be inadequate, the next step would be to: a. Expand audit work before the preparation of a final engagement communication. b. Prepare a flowchart depicting the internal control system. c. Note an exception in the engagement final communication if losses have occurred. d. Implement the desired controls.
a. Expand audit work before the preparation of a final engagement communication.
7. Which of the following does the CAE need to consider when determining the extent of follow-up required? I. Significance of the reported observation. II. Past experience with the manager charged with the corrective action. III. Degree of effort and cost needed for the corrective action. IV. The experience of the internal audit staff. a. I and III. b. I, II, and III. c. II, III, and IV. d. I, II, III, and IV.
a. I and III.
6. Which of the following is not typically a key element of flowcharts or narrative memoranda? a. Overall process objectives. b. Key inputs to the process. c. Key outputs from the process. d. Key risks and controls.
a. Overall process objectives.
10. The primary purpose of issuing an interim report during an internal audit is to: a. Provide auditee management the opportunity to act on certain observations immediately. b. Set the stage for the final report. c. Promptly inform auditee management and their supervisors of audit procedures performed to date. d. Describe the scope of the audit.
a. Provide auditee management the opportunity to act on certain observations immediately.
1. Recommendations should be included in final audit communications to: a. Provide management with options for addressing audit observations. b. Ensure that problems are resolved in the manner suggested by the auditor. c. Minimize the amount of time required to correct audit observations. d. Guarantee that audit observations are addressed, regardless of cost.
a. Provide management with options for addressing audit observations.
6. If an internal auditor's evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to: a. Test the operating effectiveness of the controls. b. Prepare a flowchart depicting the system of internal controls. c. Conclude that residual risk is low. d. Conclude that control risk is high.
a. Test the operating effectiveness of the controls.
5. Which of the following combinations of participants is most appropriate to attend an exit meeting? a. The responsible internal auditor and representatives from management who are knowledgeable about detailed operations and who can authorize the implementation of corrective action. b. The chief audit executive and the executive in charge of the activity or function reviewed. c. Staff internal auditors who conducted the fieldwork and operating personnel in charge of the daily performance of the activity or function reviewed. d. Staff auditors who conducted the fieldwork and the executive in charge of the activity or function reviewed.
a. The responsible internal auditor and representatives from management who are knowledgeable about detailed operations and who can authorize implementation of corrective action.
10. An internal auditor determines that the process is not designed adequately to reduce the underlying risks to an acceptable level. Which of the following should the internal auditor do next? a. Write the audit report. There's no reason to test the operating effectiveness of controls that are not designed adequately. b. Test compensating controls in other (adjacent) processes to see if the impact of the design inadequacy is reduced to an acceptable level. c. Test the existing key controls anyway to prove that, despite the design inadequacy, the process is still meeting the process objectives. d. Postpone the engagement until the design inadequacy has been rectified.
b. Test compensating controls in other (adjacent) processes to see if the impact of the design inadequacy is reduced to an acceptable level.
11. Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities? a. The external auditor. b. The CAE. c. The CEO. d. Each assurance and consulting function.
b. The CAE.
12. In deciding whether to schedule the purchasing or the human resources department for an audit engagement, which of the following would be the least important factor? a. There have been major changes in operations in one of the departments. b. The audit staff has recently added an individual with expertise in one of the areas. c. There are more opportunities to achieve operating benefits in one of the departments than in the other. d. The potential for loss is significantly greater in one department than in the other.
b. The audit staff has recently added an individual with expertise in one of the areas.
4. Which of the following would not be considered a primary objective of a closing or exit conference? a. To resolve conflicts. b. To identify concerns for future audit engagements. c. To discuss the engagement observations and recommendations. d. To identify management's actions and responses to the engagement observations and recommendations.
b. To identify concerns for future audit engagements.
8. An excerpt from an internal audit observation indicates that travel advances exceeded prescribed maximum amounts. Company policy provides travel funds to authorized employees for travel. Advances are not to exceed 45 days of anticipated expenses. Company procedures do not require justification for large travel advances. Employees can, and do, accumulate large unneeded advances, resulting in unnecessary allocation of capital. In this audit observation, the element of an audit observation known as "effect" is: a. Advances are not to exceed estimated expenses for 45 days. b. Travel advances exceed prescribed maximum amounts. c. Employees accumulate large, unneeded advances, resulting in unnecessary allocation of capital. d. Unauthorized employees are given travel advances.
c. Employees accumulate large, unneeded advances, resulting in unnecessary allocation of capital.
5. Internal auditors obtain an understanding of controls and perform tests of controls to: a. Detect material misstatements in account balances. b. Reduce control risk to an acceptable level. c. Evaluate the design adequacy and operating effectiveness of the controls. d. Assess the inherent risks associated with transactions.
c. Evaluate the design adequacy and operating effectiveness of the controls.
9. A financial services organization is planning on staffing a complex consulting engagement that involves the consolidation of two large banking organizations, including changing many of the processes. Which of the following skills is the least important for auditors to possess in assisting in the review of target processes? a. Ability to quickly develop relationships. b. Specific business-related skills related to the processes being reengineered. c. Experience in performing testing of controls. d. Unstructured problem-solving skills.
c. Experience in performing testing of controls.
10. Internal auditors perform both assurance engagements and consulting engagements. Which of the following would be classified as a consulting engagement? a. Directly assessing the organization's compliance with laws and regulations. b. Assessing the design adequacy of the organization's entity-level monitoring activities. c. Facilitating senior management's assessment of risks threatening the organization. d. Assisting the independent outside auditor during the financial statement audit engagement.
c. Facilitating senior management's assessment of risks threatening the organization.
3. According to the International Professional Practices Framework (IPPF), an engagement final communication should include, at minimum, which of the following? I. Background information. II. Purpose of the engagement. III. Engagement scope. IV. Results of the engagement. V. Summaries. a. I, II, and III. b. I, III, and V. c. II, III, and IV. d. II, IV, and V.
c. II, III, and IV.
5. During a review of purchasing operations, an internal auditor found that procedures in use did not agree with stated company procedures. However, audit tests revealed that the procedures used represented an increase in efficiency and a decrease in processing time, without a discernible decrease in control. The internal auditor should: a. Report the lack of adherence to documented procedures as an operational deficiency. b. Develop a flowchart of the new procedures and include it in the report to management. c. Report the change and suggest that the change in procedures be documented. d. Suspend the completion of the engagement until the engagement client documents the new procedures.
c. Report the change and suggest that the change in procedures be documented.
14. A follow-up review found that a significant internal control weakness had not been corrected. The CAE discussed this matter with senior management and was informed of management's willingness to accept the risk. The CAE should: a. Do nothing further because management is responsible for deciding the appropriate action to be taken in response to reported engagement observations and recommendations. b. Initiate a fraud investigation to determine if employees took advantage of the internal control weakness. c. Inform senior management that the weakness must be corrected and schedule another follow-up review. d. Assess the reasons that senior management decided to accept the risk and inform the board of senior management's decision.
d. Assess the reasons that senior management decided to accept the risk and inform the board of senior management's decision.
7. Which of the following external risks is least likely to impact the accuracy of financial reporting? a. The standard-setting body in the organization's country issues a new financial accounting standard. b. A recent judicial court case increases the likelihood that pending litigation will result in an unfavorable outcome. c. Changes in standard industry contracts now allow for netting of payables and receivables. d. Competitor pressures cause the organization to pursue new sales channels.
d. Competitor pressures cause the organization to pursue new sales channels.
2. A process objective stating "All contracts must be approved by an officer of the company before being consummated" is an example of what type of objective? a. Strategic. b. Operations. c. Reporting. d. Compliance.
d. Compliance.
2. While planning an assurance engagement, the internal auditor obtains knowledge about the auditee's operations to, among other things: a. Develop an attitude of professional skepticism concerning management's assertions. b. Make constructive suggestions to management regarding internal control improvements. c. Evaluate whether misstatements in the auditee's performance reports should be communicated to senior management and the audit committee. d. Develop an understanding of the auditee's objectives, risks, and controls.
d. Develop an understanding of the auditee's objectives, risks, and controls.
5. Which of the following is not likely to be a step during a consulting engagement? a. Understanding the objectives of a process. b. Assessing the risks in a process. c. Flowcharting the key steps in a process. d. Expressing a conclusion on the design adequacy and operating effectiveness of a process.
d. Expressing a conclusion on the design adequacy and operating effectiveness of a process.
7. When internal auditors are dealing with a new process or technologies, the best way to deal with it would be to: a. Tell management that the internal audit function must remain independent and not get involved until the new process or technology has been implemented. b. Discuss the new disruption to the enterprise with management and immediately hire subject matter experts. c. Contact the external audit firm and make them aware of the upcoming change. d. Gather more information about the change, determine the risk of the new innovation, and provide sufficient audit resources for the consulting project.
d. Gather more information about the change, determine the risk of the new innovation, and provide sufficient audit resources for the consulting project.
7. Reportable internal audit observations emerge by a process of comparing "what should be" with "what is." In determining "what should be" during an audit of a company's treasury function, which of the following would be the least desirable criterion against which to judge current operations? a. Best practices of the treasury function in relevant industries. b. Company policies and procedures delegating authority and assigning responsibilities. c. Performance standards established by senior management. d. The operations of the treasury function as documented during the last audit.
d. The operations of the treasury function as documented during the last audit.
8. Which of the following groups' risk tolerance levels are least relevant when conducting an assurance engagement? a. Senior management. b. Process-level management. c. The internal audit function. d. Vendors and customers.
d. Vendors and customers.