part 2 IIA

Ace your homework & exams now with Quizwiz!

233 Which of the following is the most common method management can use to manage risk within its risk appetite? A. Implementation of controls. B. Use of risk registers and dashboard. C. Frequent communication of risk appetite for operating personnel. D. Continuous evaluations and audits.

A

324 When approving the final engagement report, which of the following is most critical? A. Opinions are adequately supported. B. Conclusions are reached for all objectives. C. Report is distributed to appropriate parties. D. Report is clear and concise.

A

34 Which of the following trends found on financial reports would most likely indicate a possible problem? A. A material decrease in the receivables turnover. B. A material increase in inventory turnover. C. A material increase in daily sales compared to total outstanding receivables. D. A material increase in the acid-test ratio.

A

200 Which of the following is a red flag associated with improper asset valuation? A. Unusual increase in gross margin. B. Unusual decrease in the number of days' purchases in inventory. C. Recurring positive cash flows from operations. D. Allowance for bad debts that is increasing in percentage terms.

A Topic 3, Volume C

107 A company owns a machine that will produce 100 light switches in four hours. Due to increased demand, a second machine capable of producing 100 light switches in three hours has been added. Approximately how many hours will it take to produce 100 light switches using both machines working together? A. 7.0 B. 3.5 C. 1.7 D. 0.58

C

114 CORRECT TEXT A fast-food company is developing a computer simulation involving arrival time at a drive-through restaurant. The distribution for arrival times is: Time Single-Digit Random Between Arrivals Probability Number Assigned 1 minute 0.1 0 2 minutes 0.2 1, 2 3 minutes 0.3 3, 4, 5 4 minutes 0.4 6, 7, 8, 9 Six random numbers are selected to represent the arrival of six cars: 1, 6, 9, 0, 5, 6. The mean time between arrivals for these cars, in this run of the simulation model, is:

1 minute. Answer: 2 minutes. Answer: 3 minutes. Answer: 4 minutes. Answer: C

120 One method for dealing with the uncertainty of demand forecasts used in linear programming is to extend the model solution to include. A. Sensitivity analysis. B. Goal seeking. C. Branch-and-bound solutions. D. Nonlinear programming.

A

121 Which of the following factors is least essential to a successful control self-assessment workshop? A. Voting technology. B. Facilitation training. C. Prior planning. D. Group dynamics.

A

101 The use of standard operating procedure questionnaires in audit fieldwork can be beneficial because. A. These questionnaires can both identify discrepancies and educate clients. B. Standard operating procedures are essential to the effectiveness and efficiency of operations. C. These questionnaires are more comprehensive than are other types of techniques for gathering data during fieldwork. D. These questionnaires do not normally require prior clearance with management of the audited area.

A

103 A limitation of using ratio analysis in an audit engagement is that it: A. Often uses financial information provided by management which has not been reviewed for reliability and validity. B. Is an expensive method of testing. C. Requires computer software in order to develop meaningful interpretations of data. D. Is useful only when comparisons can be made across other industries.

A

110 A manager of one of a retailer's several retail outlets is stealing cash from cash sales, recording the sales as accounts receivable, and subsequently writing off the fictitious accounts receivable as bad debts. Which of the following comparisons would be most effective in signaling the possibility of such a fraud? A. Bad debt expense as a percentage of sales, compared to that of the other outlets. B. Bad debt expense as a percentage of sales, compared to that of previous years. C. Percentage of past-due accounts receivable, compared to that of the other outlets. D. Percentage of past-due accounts receivable, compared to that of previous years.

A

112 Which of the following methods would an auditor most likely use to document a complex sales order process? A. Develop a horizontal flowchart, with supporting documentation for key control points. B. Create a critical path method chart, noting the processes involved for each step. C. Perform a process review, assigning time and cost to each step of the process to develop a hierarchy flowchart. D. Utilize a systems narrative, which can be updated during subsequent audits.

A

116 Five brand managers in a consumer products company met to determine how well certain promotions had performed. The data that they needed to analyze consisted of approximately 50 gigabytes of daily point-of-sale (POS) data for each month. The brand managers tried to download the POS data from the mainframe and import it into microcomputer spreadsheets for analysis. Their efforts were unsuccessful, most likely because oF. A. The complexity of the mainframe data structure and the large volume of data. B. The difficulty of establishing access privileges for each subset of the mainframe data. C. Inconsistencies in the mainframe data due to lack of integrity constraints on the data files. D. Error-prone transmission links for downloading the data from the mainframe data files.

A

135 Which of the following is the most appropriate step for the chief audit executive to take in order to avoid defamation of character of the principal suspect in a fraud investigation? A. Restrict the use of potentially damaging words to privileged reports or discussions. B. Label all workpapers, reports, and correspondence of the internal audit activity as private. C. Restrict discussions of the fraud to members of management who express an interest in the investigation. D. Destroy all investigation workpapers and reports if the fraud cannot be proven.

A

136 The scope of a consulting engagement performed by internal auditors should: A. Be sufficient to address the objectives agreed upon with the client. B. Exclude areas that might be the subject of subsequent assurance engagements. C. Be limited to activities within the current operating period. D. Be preapproved in conjunction with the annual plan of consulting engagements.

A

137 The following are potential sources of evidence regarding the effectiveness of a division's total quality management program. The least persuasive evidence would be a comparison oF. A. Employee morale before and after program implementation. B. Scrap and rework costs before and after program implementation. C. Customer returns before and after program implementation. D. Manufacturing and distribution costs per unit before and after program implementation.

A

148 An audit identified a number of weaknesses in the configuration of a critical client/server system. Although some of the weaknesses were corrected prior to the issuance of the audit report, correction of the rest will require between six and 18 months for completion. Consequently, management has developed a detailed action plan, with anticipated completion dates, for addressing the weaknesses. Which of the following is the most appropriate course of action for the chief audit executive to take? A. Assess the adequacy of the action plan and monitor key dates and deliverables. B. Schedule a follow-up audit engagement to assess the status of corrective action. C. Reassign information systems auditors to assist the information technology department in correcting the weaknesses. D. Evaluate statistics related to unplanned system outages, unauthorized access attempts, and denials of service to assess the effectiveness of corrections.

A

152 Recommendations should be included in the audit report in order to: A. Provide management with options for addressing audit findings. B. Ensure that audit findings are resolved in the manner suggested by the auditor. C. Minimize the amount of time required to correct audit findings. D. Ensure that audit findings are addressed by management.

A

157 Which of the following potential performance measures should an auditor recommend excluding from a performance scorecard? A. Number of employees. B. Market share. C. Number of customer complaints. D. Training dollars per employee.

A

159 After completing a fraud investigation but before publishing a formal written report, the chief audit executive should submit a draft of the final report to the organization's: A. Legal counsel. B. External auditor. C. Audit committee chairperson. D. Chief executive officer.

A

160 Senior management of an organization has requested that the internal audit activity provide ongoing internal control training for all managerial personnel. This is best addressed by: A. A formal consulting engagement. B. An informal consulting engagement. C. A performance assurance engagement. D. An operational assurance engagement.

A

165 Which of the following conclusions would be appropriate for a beginning auditor performing an audit of a payroll department? A. Employee taxes have been deducted at the correct rates, and the taxes have been forwarded to the appropriate government agency. B. Although there is insufficient segregation of duties, the impact is mitigated by compensating controls. C. The payroll computer system should be replaced. D. The payroll department staff has the appropriate level of skills.

A

171 Which of the following types of internal audit consulting engagements is an example of a facilitation service? I. Conducting control self-assessment workshops. II. Participating on standing committees. III. Reviewing regulatory compliance. IV. Benchmarking. V. Estimating savings from outsourcing processes. A. I and IV only B. I, III, and IV only C. II, III, and V only D. I, II, III, IV, and V.

A

173 While investigating a compromised Web server, an auditor found that the Web server logs had been deleted. The auditor should recommend that the Web server logs bE. A. Generated and maintained on a separate secure server. B. Accessible by administrative users only C. Encrypted to ensure that the logs cannot be deleted. D. Restored automatically to the Web server from backup files.

A

174 Which of the following actions by management would reduce an employee's opportunity to commit fraud? A. Establishing physical controls over company assets. B. Eliminating bonuses tied to sales or other performance goals. C. Defining ethical behavior expectations in the company handbook. D. Identifying consequences, such as termination, for fraudulent activities.

A

175 Which of the following are typical steps in the design of an organization's performance measurement system? A. Understand organizational strategy; perform a situational assessment; establish measurement categories; and take actions based upon measurement results. B. Categorize performance measures; establish a data collection plan; analyze data; and predict future performance. C. Establish a measurement plan; create an organizational strategy linked to those measurements; trend measurement data; and measure data variability. D. Perform a situational assessment; generate macro measurements; review measurement data; and change strategy based upon measurement results.

A

176 When interviewing an individual suspected of fraud, what type of questions would be asked after the introductory questions? A. Informational questions. B. Admission-seeking questions. C. Assessment questions. D. Closing questions.

A

181 A bank is developing an integrated customer information system. The type of audit involvement that would most likely help avoid implementation of a system that does not cover all types of accounts would be: A. A design review. B. An application control review. C. A source code review. D. An access control review.

A

184 Once an audit report is drafted, the auditor's supervisor should review it primarily to ensure that all: A. Statements are supported and can be authenticated. B. Recommendations for corrective action are clear. C. Processes within the audited area were reviewed. D. Sample sizes appear appropriate for any issues found.

A

19 Company A has a formal comprehensive corporate code of ethics while company B does not. Which of the following statements regarding the existence of the code of ethics in company A can be logically inferred? I. Company A exhibits a higher standard of ethical behavior than does company B. II. Company A has established objective criteria by which an employee's actions can be evaluated. III. The absence of a formal corporate code of ethics in company B would prevent a successfulaudit of ethical behavior in that company. A. II only B. III only C. I and II only D. II and III only

A

208 An internal auditor recommended that an organization implement computerized controls in its sales system in order to prevent sales representatives from executing contracts in excess of their delegated authority levels. A follow-up review found that the sales system had not been modified, but a process had been implemented to obtain written approval by the vice president of sales for all contracts in excess of $1 million. The chief audit executive (CAE) would be justified in reporting this situation to the organization's board iF. I. In the opinion of the CAE, the level of residual risk assumed by senior management is too high. II. Testing of compliance with the new process finds that all new contracts in excess of $1 million have been approved by the vice president of sales. III. The cost of modifying the sales system to include a preventive control is less than $100,000. A. I only B. III only C. I and III only D. I, II, and III

A

21 Which of the following is the best problem-solving technique to use when analyzing performance and cost? A. Value analysis. B. Attribute listing. C. Brainstorming. D. Component analysis.

A

218 Which of the following examples of audit evidence is the most persuasive? A. Real estate deeds, which were properly recorded with a government agency. B. Canceled checks written by the treasurer and returned from a bank. C. Time cards for employees, which are stored by a manager. D. Vendor invoices filed by the accounting department.

A

220 During an audit, an employee, who does not want to be identified, offers to provide information that would be damaging to the organization and may concern illegal activities. Which of the following actions by the auditor would not be consistent with the IIA Code of Ethics and Standards? A. Promising to maintain the employee's anonymity and listening to the information. B. Suggesting that the employee consider talking to legal counsel. C. Informing the employee that an attempt will be made to keep the source of the information confidential while looking into the matter further. D. Informing the employee of other methods of communicating this type of information.

A

221 Which of the following would have the least impact (either positive or negative) on an assessment of a department's control environment? A. The department managed long-term investments, including investment in derivatives and other financial instruments, to maximize return. B. The department manager sets a tone of honesty and integrity in all business dealings and this tone is emulated by department personnel. C. Many department functions were duplicated or verified by other department employees as part of the department's normal procedures. D. Audit tests designed to verify compliance with control procedures detected a general failure to follow standard procedures for transaction authorization.

A

229 When planning an audit engagement, what should an internal auditor first consider when assessing the risk of fraud in the area to be audited? A. Impact of and exposure to fraud. B. Existence of evidence of fraud. C. Organizational structure. D. Management's risk appetite.

A

234 Which of the following is an effective way for an internal auditor to improve communications with the client during a contentious audit? A. Encourage the client to participate as a partner in the decision-making process to determine the changes that need to be made. B. Clearly explain to the client the role of the internal audit activity in the change process. C. Obtain the support of the board of directors for proposed changes before discussing the changes with operating management. D. Speak privately with key client personnel immediately after proposed changes are announced to address their concerns.

A

235 The chief audit executive's responsibility regarding control processes includes: A. Assisting senior management and the audit committee in the development of an annual assessment about internal control. B. Overseeing the establishment of internal control processes. C. Maintaining the organization's governance processes. D. Ensuring that the internal audit activity assesses all control processes annually.

A

236 Inadequate risk assessment would have the strongest negative impact in which of the following phases of an audit engagement? A. Determining the scope. B. Reviewing internal controls. C. Testing. D. Evaluating findings.

A

246 Which of the following would be the least desirable criteria against which to judge current operations of an organization's treasury function? A. The operations of the treasury function as documented during the last audit engagement. B. Company policies and procedures delegating authority and assigning responsibilities. C. Finance textbook illustrations of generally accepted good treasury function practices. D. Codification of best practices of the treasury function in relevant industries.

A

252 Cross-referencing individual payroll time cards to personnel department records and reports would allow an internal auditor to determine whether: A. Individuals are bona fide employees. B. Personnel department records agree with payroll accounting records. C. Individuals were paid at the proper rates. D. Individuals were paid only for time worked.

A

265 With which of the following would the internal audit activity discuss findings, conclusions and recommendations prior to issuance of internal audit report? 1. Business unit management. 2. Chief audit executive. 3. Audit committee. 4. Chief executive officer. A. 1 and 2 only B. 1 and 3 only C. 2 and 3 only D. 1, 2, 3, and 4

A

276 An internal audit manager is supervising an engagement. A senior auditor deviates from the approved engagement plan but meets all deadlines in the approved time schedule. Which activity is not required for the audit manager to provide proper engagement supervision? A. Actively participate in audit procedures. B. Ensure that all engagement objectives are met. C. Approve the deviation from the engagement plan. D. Ensure compliance with the time schedule.

A

29 What does the following scatter gram suggest? A. Sales revenue is related to training costs. B. The training program is not effective. C. Increases in training costs consistently increase sales revenue. D. One data point is incorrectly plotted.

A

290 According to IIA guidance, which of the following are acceptable strategies for an internal audit activity (IAA) to establish or build relationships? A. Assist executives with their administrative and governance responsibilities, and encourage all IAA members to develop relationships with the organization's executives. B. Assist executives with their administrative and governance responsibilities, and ensure that all communications with the board are formal audit reports or preset agendas. C. During an engagement, restrict communications with affected executives to matters pertaining to the engagement; and encourage all IAA members to develop relationships with the organization's executives. D. During an engagement, restrict communications with affected executives to matters pertaining to the engagement; and ensure that all communications with the board are formal audit reports or preset agendas.

A

292 According to IIA guidance, which of the following should be considered when creating policies and procedures for the internal audit activity (IAA)? A. Number of auditors, complexity of audit activities, and structure of the IAA. B. Number of auditors, complexity of audit activities, and audit staff skills and competencies. C. Number of auditors, structure of the IAA, and audit staff skills and competencies. D. Complexity of audit activities, structure of the IAA, and audit staff skills and competencies.

A

295 The internal audit activity performs the following sequence of risk management activities: identification, analysis, and evaluation. According to IIA guidance, which of the following assurance approaches does this describe? A. Process elements approach. B. Enterprise-wide risk management approach. C. Key principles approach. D. Maturity model approach.

A

298 An auditor-in-charge is preparing her audit team for a consulting engagement at one of the organization's foreign subsidiaries. According to the Standards, which of the following would not be a necessary step prior to beginning the engagement? A. Verify that none of the audit team worked for the foreign subsidiary within the last year to ensure independence. B. Agree, in writing, with the subsidiary's senior management regarding the scope of the engagement. C. Communicate a time frame as well as a contingency plan in the event the engagement may take longer than expected. D. Communicate what logistical support will be provided by the subsidiary for the duration of the engagement.

A

30 New credit policies have been implemented in an automated order-entry system to improve the collection of receivables. Sales management has compiled several examples that show decreased sales and delayed order entry, and contends that these examples are a direct result of the new credit-policy constraints. Sales management's data and information provide. A. Feedback control data. B. Irrelevant and argumentative information. C. Evidence that the new credit policies do not meet the stated corporate objective to improve collections. D. A statistically valid conclusion about the impact of the new credit policies on customer goodwill.

A

32 In which of the following situations would it be most appropriate to employ the services of a forensic specialist? A. Detection of unauthorized changes to source documents. B. Review for misapplication of general computer controls over accounts receivable. C. Investigation of ghost employees in a large business. D. Verification of fixed assets in a manufacturing company.

A

323 Which of the following would not include recommendations for process improvements? A. Due diligence engagement. B. Forensic investigation. C. Internal audit engagement. D. Consulting engagement.

A

326 The chief audit executive (CAE) notes during review of the final report of an assurance engagement that management has decided to accept the risks of two significant exposures identified by the audit. Which of the following actions by the CAE would be least prudent in these circumstances? A. Implement follow-up procedures to monitor the potential impact of those risks. B. Review the working papers and conclusions as to the perceived residual risk. C. Meet with senior management to consider their reasoning for the decision. D. Meet with the auditor-in-charge to review the conclusions.

A

332 An organization has an opening for an entry-level internal audit position. When interviewing for the position, which of the following is the least important skill for an entry-level internal auditor? A. Conflict resolution skills. B. Communication skills. C. Time management skills. D. Interpersonal skills.

A

333 During a consulting engagement, an internal auditor identifies new risks which will impact the scope and sufficiency of the engagement audit plan. According to the Standards, the internal auditor should: A. Discuss the potential impact on the scope with the client. B. Modify the scope to incorporate the new risks and continue the engagement. C. End the engagement, as the audit scope is no longer sufficient to meet the audit objective. D. Continue the engagement but highlight the impacts on the audit scope in the final report.

A

347 Ordinarily, which of the following would not be an objective of an internal audit quality assurance review? A. Ensuring that the internal audit activity meets the external auditor's expectations. B. Ensuring that the internal audit activity has an audit charter approved by the board of directors. C. Complying with specific standards for the professional practice of internal auditing. D. Ensuring the adequacy of the goals, mission and vision of the internal audit activity.

A

422 According to IIA guidance, which of the following is true when the internal audit activity is asked to investigate potential ethics violations in a foreign subsidiary? A. Communication of any internal ethics violations to external parties may occur with appropriate safeguards. B. Cultural impacts are less critical where the organization practices uniform polices around the globe. C. Cross-cultural differences should always be handled by the staff of the same cultural background. D. Local law enforcement should be involved as they are more familiar with the applicable local laws.

A

348 An organization has adopted an enterprise-wide risk management process and has appointed a chief risk officer (CRO) to manage the process. The board has requested that the audit committee have oversight over the risk management function. Which of the following statements is not true regarding this situation? A. The audit committee should get assurance on the adequacy and effectiveness of the risk management process from the CRO. B. The chief audit executive has the mandate to conduct risk assessments and give assurance to the audit committee. C. The audit committee, on behalf of the board, has overall responsibility for the risk management process in the organization. D. Senior management is accountable to the board for monitoring the system of internal controls.

A

358 Which of the following controls in a computerized consumer loan system of a major bank would be the least effective in detecting a fraudulent loan? A. All log-in accounts become inaccessible after three incorrect password attempts. B. Loan approvals over a pre-determined limit must have management approval. C. Customer information is matched to payment data prior to funds disbursement. D. System controls prevent supervisors from delegating their approval authority during vacation periods.

A

375 Which of the following is an advantage to using the questionnaire approach when conducting risk and control self assessments? A. Responses can easily be quantified and analyzed. B. Follow-up for clarification is efficient. C. It is educational for participants. D. It allows for in-depth probing of issues.

A

385 The internal auditor is asked to conduct an investigation involving a suspected fraud. According to the Standards, which of the following statements regarding the investigation process is false? A. The auditor should use anonymous surveys of coworkers to assess the character and behavior of the suspect. B. The auditor must give consideration to the risk of unidentified co-conspirators whether indications exist or not. C. The auditor should not limit the collection of information by prejudging its relevance to the investigation. D. The auditor must consider the risk that audit procedures may inadvertently violate the rights of the suspect.

A

398 According to IIA guidance, which of the following are benefits to the internal audit activity when conducting an assurance mapping exercise? A. Identification of gaps in risk coverage, and minimization of duplicate assurance efforts. B. Identification of gaps in risk coverage, and consolidation of risk reporting efforts. C. Resolution of identified testing errors, and miminization of duplicate assurance efforts. D. Resolution of identified testing errors, and consolidation of risk reporting efforts.

A

406 According to IIA guidance, organizations have the most influence on which element of fraud? A. Opportunity. B. Rationalization. C. Pressure. D. Incentives.

A

41 During an interview with a manager in a company's claims department, an auditor noted that the manager became nervous and changed the subject whenever the auditor raised questions about certain types of claims. The manager's answers were consistent with company policies and procedures. When documenting the interview, the auditor should: A. Document the manager's answers, noting the nature of the nonverbal communication. B. Document the manager's answers but not the nonverbal communication because it is subjective and is not corroborated. C. Conclude that the nonverbal communication is persuasive and that sufficient evidence exists to begin a fraud investigation. D. Disregard the interview entirely because the verbal and nonverbal communications were contradictory.

A

411 An internal auditor determines that certain information from the engagement results is not appropriate for disclosure to all report recipients because it is privileged. In this situation, which of the following actions would be most appropriate? A. Disclose the information in a separate report. B. Distribute the information in a confidential report to the board only C. Distribute the reports through the use of blind copies. D. Exclude the results from the report and verbally report the conditions to senior management and the board.

A

415 According to IIA guidance, which of the following are appropriate actions for the chief audit executive regarding management's response to audit recommendations? A. Evaluate and verify management's response, and determine the need and scope for additional work. B. Evaluate and verify management's response, and establish timelines for corrective action by management. C. Oversee the corrective actions undertaken by management, and determine the need and scope for additional work. D. Oversee the corrective actions undertaken by management, and establish timelines for corrective action by management.

A

418 The internal audit activity (IAA) wants to measure its performance related to the quality of audit recommendations. Which of the following client survey questions would best help the IAA meet this objective? A. Were audit findings relevant and useful to management? B. Does the audit report format present issues clearly and concisely? C. Does the IAA work with a high degree of professionalism and objectivity? D. Were the findings reported in a timely manner?

A

420 An internal auditor and engagement client are deadlocked over the auditor's differing opinion with management on the adequacy of access controls for a major system. Which of the following strategies would be the most helpful in resolving this dispute? A. Conduct a joint brainstorming session with management. B. Ask the chief audit executive to mediate. C. Disclose the client's differing opinion in the final report. D. Escalate the issue to senior management for a decision.

A

421 When setting the scope for the identification and assessment of key risks and controls in a process, which of the following would be the least appropriate approach? A. Develop the scope of the audit based on a bottom-up perspective to ensure that all business objectives are considered. B. Develop the scope of the audit to include controls that are necessary to manage risk associated with a critical business objective. C. Specify that the auditors need to assess only key controls, but may include an assessment of non-key controls if there is value to the business in providing such assurance. D. Ensure the audit includes an assessment of manual and automated controls to determine whether business risks are effectively managed.

A

72 Which of the following conditions is the strongest indicator of possible fraud? A. An assistant treasurer who refuses to take vacations. B. Independent reconciliations of subsidiary to general ledgers that are not always completed on a timely basis. C. A condition of excess manufacturing waste material. D. A manager who is often over budget at the end of a reporting period.

A

429 Which of the following is not an outcome of control self-assessment? A. Informal, soft controls are omitted, and greater focus is placed on hard controls. B. The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement. C. Internal auditors become involved in and knowledgeable about the self-assessment process. D. Nonaudit employees become experienced in assessing controls and associating control processes with managing risks.

A

430 A code of business conduct should include which of the following to increase its deterrent effect? 1. Appropriate descriptions of penalties for misconduct. 2. A notification that code of conduct violations may lead to criminal prosecution. 3. A description of violations that injure the interests of the employer. 4. A list of employees covered by the code of conduct. A. 1 and 2 B. 1 and 3 C. 2 and 4 D. 3 and 4

A

44 The efficiency of internal audit operations is best enhanced if workpaper standards: A. Permit the extent of documentation to vary according to engagement objectives. B. Require supervisors to initial and date each workpaper that they review. C. Allow access to workpapers by external parties if approved by senior management or the audit committee. D. Mandate the workpaper retention period.

A

441 Which of the following is an effective approach for internal auditors to take to improve collaboration with audit clients during an engagement? 1. Obtain control concerns from the client before the audit begins so the internal auditor can tailorthe scope accordingly. 2. Discuss the engagement plan with the client so the client can understand the reasoning behindthe approach. 3. Review test criteria and procedures where the client expresses concerns about the type of teststo be conducted. 4. Provide all observations at the end of the audit to ensure the client is in agreement with thefacts before publishing the report. A. 1 and 2 only B. 1 and 4 only C. 2 and 3 only D. 3 and 4 only

A

446 While conducting an audit of a third party's Web-based payment processor, an internal auditor discovers that a programming error allows customers to create multiple accounts for a single mailing address. Management agrees to correct the program and notify customers with multiple accounts that the accounts will be consolidated. Which of the following actions should the auditor take? 1. Schedule a follow-up review to verify that the program was corrected and the accounts wereconsolidated. 2. Evaluate the adequacy and effectiveness of the corrective action proposed by management. 3. Amend the scope of the subsequent audit to verify that the program was corrected and thataccounts were consolidated. 4. Submit management's plan of action to the external auditors for additional review. A. 1 and 2 B. 1 and 4 C. 2 and 3 D. 3 and 4

A

447 An internal auditor is conducting a review of the procurement function and uncovers a potential conflict of interest between the chief operating officer and a significant supplier of IT software development services. Which of the following actions is most appropriate for the internal auditor to take? A. Inform the audit supervisor. B. Investigate the potential conflict of interest. C. Inform the external auditors of the potential conflict of interest. D. Disregard the potential conflict, because it is outside the scope of the audit assignment.

A

448 A large retail organization, which sells most of its products online, experiences a computer hacking incident. The chief IT officer immediately investigates the incident and concludes that the attempt was not successful. The chief audit executive (CAE) learns of the attack in a casual conversation with an IT auditor. Which of the following actions should the CAE take? 1. Meet with the chief IT officer to discuss the report and control improvements that will beimplemented as a result of the security breach, if any. 2. Immediately inform the chair of the audit committee of the security breach, because thus faronly the chief IT officer is aware of the incident. 3. Meet with the IT auditor to develop an appropriate audit program to review the organization'sInternet-based sales process and key controls. 4. Include the incident in the next quarterly report to the audit committee. 1 and 2 1 and 3 2 and 4 3 and 4

A

450 According to IIA guidance, which of the following strategies would add the least value to the achievement of the internal audit activity's (IAA's) objectives? A. Align organizational activities to internal audit activities and measure according to the approved IAA performance measures. B. Establish a periodic review of monitoring and reporting processes to help ensure relevant IAA reporting. C. Use the results of IAA engagement and advisory reporting to guide current and future internal audit activities. D. Establish a format and frequency for IAA reporting that is appropriate and aligns with the organization's governance structure.

A

452 The chief audit executive (CAE) of a small internal audit activity (IAA) plans to test conformance with the Standards through a quality assurance review. According to the Standards, which of the following are acceptable practice for this review? 1. Use an external service provider. 2. Conduct a self-assessment with independent validation. 3. Arrange for a review by qualified employees outside of the IAA. 4. Arrange for reciprocal peer review with another CAE. A. 1 and 2 B. 2 and 4 C. 1, 2, and 3 D. 2, 3, and 4

A

464 According to IIA guidance, which of the following individuals should receive the final audit report on a compliance engagement for the organization's cash disbursements process? A. The accounts payable supervisor, accounts payable manager, and controller. B. The accounts payable manager, purchasing manager, and receiving manager. C. The accounts payable supervisor, controller, and treasurer. D. The accounts payable manager, chief financial officer, and audit committee.

A

468 Which of the following recommendations made by the internal audit activity (IAA) is most likely to help prevent fraud? A review of password policy compliance found that employees frequently use the same password more than once during a year. The IAA recommends that the access control software reject any password used more than once during a 12-month period. B. A review of internal service-level agreement compliance in financial services found that requests for information frequently are fulfilled up to two weeks late. The IAA recommends that the financial services unit be eliminated for its ineffectiveness. C. A vacation policy compliance review found that employees frequently leave on vacation before their leave applications are signed by their manager. The IAA recommends that the manager attend to the leave applications in a more timely fashion. D. A review of customer service-level agreements found that orders to several customers are frequently delivered late. The IAA recommends that the organization extend the expected delivery time advertised on its website.

A

47 Which of the following will be an appropriate course of action when an auditor disagrees with a client about a well-documented audit finding? A. Include both the audit finding and the client's position in the audit report. B. Defer reporting the item and plan to perform more detailed work during the next audit. C. Change the finding so that it is acceptable to the client. D. Address the issue with senior management and the board for resolution prior to issuing the final report.

A

470 When creating the internal audit plan, the chief audit executive should prioritize engagements based primarily on which of the following? A. The last available risk assessment. B. Requests from senior management and the board. C. The longest interval since the last examination of each audit universe item. D. The auditable areas required by regulatory agencies.

A

476 Which of the following statements is false regarding audit criteria? A. Audit criteria should be consistent across audit assignments. B. Audit criteria should represent reasonable standards against which to assess existing conditions. C. Audit criteria should provide flexibility but allow identification of nonadherence. D. Audit criteria should equate to good or acceptable management practices.

A

489 Which of the following is the primary reason the chief audit executive should consider the organization's strategic plans when developing the annual audit plan? A. Strategic plans reflect the organization's business objectives and overall attitude toward risk. B. Strategic plans are helpful to identify major areas of activity, which may direct the allocation of internal audit activity resources. C. Strategic plans are likely to show areas of weak financial controls. D. The strategic plan is a relatively stable document on which to base audit planning.

A

491 Which of the following factors should a chief audit executive consider when determining the audit universe? 1. Components of the organization's strategic plan. 2. Inputs from senior management and the board. 3. Views of competitors and business associates. 4. Results of exit interviews with departing employees. A. 1 and 2 only B. 2 and 4 only C. 1, 2, and 4 D. 2, 3, and 4

A

496 Which of the following is not a direct benefit of control self-assessment (CSA)? A. CSA allows management to have input into the audit plan. B. CSA allows process owners to identify, evaluate, and recommend improving control deficiencies. C. CSA can improve the control environment. D. CSA increases control consciousness.

A

5 The most effective way for internal auditors to enhance the reliability of computerized financial and operating information is by: A. Determining if controls over record keeping and reporting are adequate and effective. B. Reviewing data provided by information systems to test compliance with external requirements. C. Determining if information systems provide management with timely information. D. Determining if information systems provide complete information.

A

500 According to IIA guidance, which of the following statements is false regarding a review of the controls in place to prevent fraud? A. The review should focus on the efficiency of the controls in place to prevent fraud. B. The scope of the review does not need to include all operating areas of the organization. C. The cost of the control should be compared to the benefit of mitigating the related risk. D. The review should assess whether the internal controls can be circumvented.

A

55 An auditor is scheduled to audit payroll controls for a company which has recently outsourced its processing to an information service bureau. What action should the auditor take, considering the outsourcing decision? A. Review the controls over payroll in both the company and the service bureau. B. Review only the company's controls over data sent to and received from the service bureau. C. Review only the controls over payments to the service bureau based on the contract. D. Cancel the engagement because the processing is being performed outside of the organization.

A

58 During an audit of a branch bank, an internal auditor learned that a series of system failures had resulted in a four-day delay in processing customers' scheduled payroll direct deposits. The first failure was that of a disk drive, followed by software and other minor failures. Which of the following controls should the auditor recommend to avoid similar delays in processing? A. Contingency planning. B. Redundancy checks. C. Process monitoring. D. Preventive maintenance.

A

59 An auditor analyzed a payroll system's data files for unusual activity, such as excessive overtime hours, unusual fluctuations in pay rates, and excessive vacation time. The application controls being verified by this analysis are: A. Edit and validation controls. B. Rejected and suspense item controls. C. Controls over update access to the database. D. Programmed balancing controls.

A

6 Which of the following situations might allow an employee to steal checks sent to an organization and subsequently cash them? A. Checks are not restrictively endorsed when received. B. Only one signature is required on the organization's checks. C. One employee handles both accounts receivable and purchase orders. D. One employee handles both cash deposits and accounts payable.

A

60 During the development of a purchasing system, an auditor reviewed the payment authorization program. Which of the following actions should the auditor recommend for a situation in which the quantity invoiced is greater than the quantity received? A. Issue an exception report. B. Pay the amount billed and adjust the inventory account for the difference. C. Return the invoice to the vendor for correction. D. Authorize payment of the full invoice, but maintain an open purchase order record for the missing goods.

A

65 Which of the following procedures would be most helpful in providing additional evidence when an auditor suspects that an unidentified employee is submitting and approving invoices for payment? A. Use generalized audit software to identify invoices from vendors with post office box numbers or other unusual features. Select a sample of those invoices and trace to supporting documents such as receiving reports. B. Select a sample of payments made during the year and investigate each one for approval. C. Select a sample of receiving reports representative of the period under investigation and trace to approved payment. Note any items not properly processed. D. Select a sample of invoices paid during the past month and trace them to appropriate vendor accounts.

A

77 A retail company uses a computer program that matches electronic vendor invoices with the applicable purchase orders and receiving information, which are also maintained electronically. If an invoice does not match the other items within predefined ranges, a report is generated and sent to the accounts payable department for further investigation. All of the applicable documents are electronically marked, cross-referenced, and retained in open files. Both an integrated test facility and a systems control audit review file (SCARF) have been included in the system. An auditor wants to determine the extent to which items are not matched at year end and to investigate the potential causes of the unmatched items. Which of the following audit procedures would be most effective in determining the items to investigate? A. Use generalized audit software to read the electronically marked unmatched items. B. Use generalized audit software to read the purchase orders and trace to applicable receiving and vendor invoice files. C. Use the SCARF to identify unusual items. Select an attributes sample and trace to the underlying documentation. D. Submit test data to identify attributes of unmatched items. Follow up by investigating the identified attributes.

A

83 Access control software on an organization's mainframe computer records detailed information concerning both successful and unsuccessful log-on attempts to applications. Which of the following audit tools would be best suited to review the access information that has been recorded? A. Generalized audit software. B. Flowcharting. C. Integrated test facility. D. Test data.

A

85 If an auditor used nonstatistical sampling instead of statistical sampling to estimate the value of inventory, which of the following would be true? A. The confidence level could not be quantified. B. The precision would be larger. C. The projected value of inventory would be less reliable. D. The risk of incorrect acceptance would be higher.

A

86 In a sampling application, the group of items about which the auditor wants to estimate some characteristic is called the. A. Population. B. Attribute of interest. C. Sample. D. Sampling unit.

A

91 Which of the following factors would increase the confidence level in a variables sampling plan? I. A larger sample size. II. A stratified sample. III. A larger standard deviation. A. I and II only B. I and III only C. II and III only D. I, II, and III

A

92 If an auditor is sampling to test compliance with a particular company policy, which of the following factors should not affect the allowable level of sampling risk? A. The experience and knowledge of the auditor. B. The adverse consequences of noncompliance. C. The acceptable level of risk of making an incorrect audit conclusion. D. The cost of performing auditing procedures on sample selections.

A

98 An auditor is using an internal control questionnaire as part of a preliminary survey. Which of the following is the best reason for the auditor to interview management regarding the questionnaire responses? A. Interviews provide the opportunity to insert questions to probe promising areas. B. Interviews are the most efficient way to upgrade the information to the level of objective evidence. C. Interviewing is the least costly audit technique when a large amount of information is involved. D. Interviewing is the only audit procedure which does not require confirmation of the information that is obtained.

A

100 An auditor used a questionnaire during an interview to gather information about the nature of credit sales processing. The questionnaire did not cover some pertinent information offered by the person being interviewed, and the auditor did not document the potential problems for further investigation. The primary deficiency with the above process is that: A. The auditor failed to consider the importance of the information offered. B. A questionnaire was used in a situation where a structured interview should have been used. C. Using a questionnaire precludes the auditor from documenting other information. D. The engagement program was incomplete.

A Topic 2, Volume B

10 A manufacturing process could create hazardous waste at several production stages, from raw materials handling to finished goods storage. If the objective of a pollution prevention audit engagement is to identify opportunities for minimizing waste, in what order should the following opportunities be considered? I. Recycling and reuse. II. Elimination at the source. III. Energy conservation. IV. Recovery as a usable product Treatment. A. V, II, IV, I, III. B. IV, II, I, III, V. C. I, III, IV, II, V. D. III, IV, II, V, I.

B

104 Which of the following would cause a company's accounts receivable turnover ratio to decrease steadily over a three-year period? A. An increase in the discount offered for early payment. B. A more liberal credit policy. C. Invoices provided on a weekly rather than a monthly basis. D. Increased cash sales.

B

105 Which of the following would be the best audit procedure to use to determine if a division's unusually high sales and gross margin for November and December were the result of fraudulently recorded sales? A. Trace a sample of shipping documents to related sales invoices to verify proper billing. B. Confirm accounts receivable balances with customers. C. Compare sales and gross margin totals with those of the previous ten months and the first month of the following year. D. Use regression analysis techniques to estimate the sales and cost of goods sold for November and December.

B

108 A retail sales company has discontinued a product that normally sold for $100. During the first month of a sale of the product, a 20 percent discount was given. Later that sale price was reduced by an additional 40 percent. What was the overall discount from the original selling price? A. 60 percent. B. 52 percent. C. 48 percent. D. 30 percent.

B

109 A recent survey indicated that residents of a small town take the train to a nearby city eight times per month, on average. The same survey showed that the number of train trips that a resident takes per month (y) is determined by the number of days per month that the resident works in the nearby city (x), according to the equation: y = 2 + 2x. A person who never works in the nearby city is expected to take the train: A. Zero times per month. B. Two times per month. C. Four times per month. D. Eight times per month.

B

11 An organization's internal auditors are reviewing production costs at a gas-powered electrical generating plant. They identify a serious problem with the accuracy of carbon dioxide emissions reported to the environmental regulatory agency, due to computer errors. The auditors should immediately report the concern to: A. The regulatory agency. B. Plant management. C. A plant health and safety officer. D. The risk management function.

B

119 Which of the following techniques could be used to evaluate the effectiveness of changes to the operation of a computer help line? A. Benchmarking. B. Baseline measurements. C. Walk-throughs. D. Quality circles.

B

12 Which of the following would be an appropriate improvement to controls over large quantities of consumable material that are charged to expense when placed in bins which are accessible to production workers? A. Relocate bins to the inventory warehouse. B. Require management to compare the cost of consumable items used to the budget. C. Lock the bins during normal working hours. D. None of the above actions are needed for items of minor cost and size.

B

125 An auditor decides to vouch a sample of ledger entries back to their original documentation. In terms of whether all transactions had been recorded, this test would bE. A. Relevant to the completeness objective. B. Irrelevant to the completeness objective. C. A more timely test of completeness than evidence from interviews. D. A more biased test of completeness than evidence from interviews.

B

129 What is the primary factor that determines the depth and breadth of audit follow-up? A. The engagement client's written response to the audit findings. B. The auditor's assessment of risk associated with the audit findings. C. The auditor's assessment of personnel responsible for correcting audit findings. D. The availability of audit personnel and financial resources.

B

13 Which of the following is a weakness that is inherent in the use of the test data method to test internal controls in a computer-based accounting system? A. The auditor must test many transactions with the same condition in order to achieve assurance that the condition is being detected. B. Conditions that were not specifically considered by the auditor may go untested. C. The approach requires the creation of "dummy companies," possibly destroying or altering actual company data in the process. D. Inclusion of atypical data in the test data may cause errors to be noted on the exception report.

B

131 When interrogating an individual who is suspected of fraud, it is appropriate to: A. Tell the individual that any information disclosed in the interrogation will not be disclosed outside of the company. B. Start the interview with questions to which the interviewer already knows the answer. C. Discontinue questioning once the individual has confessed to the fraud. D. Prepare a list of questions prior to the interrogation and strictly adhere to the list.

B

133 A chief audit executive (CAE) suspects that several employees have used desktop computers for personal gain. In conducting an investigation, the primary reason that the CAE would choose to engage a forensic information systems auditor rather than using the organization's information systems auditor is that a forensic information systems auditor would possess: A. Knowledge of the computing system that would enable a more comprehensive assessment of the computer use and abuse. B. Knowledge of what constitutes evidence acceptable in a court of law. C. Superior analytical skills that would facilitate the identification of computer abuse. D. Superior documentation and organization skills that would facilitate in the presentation of findings to senior management and the board.

B

138 A chief audit executive (CAE) of a major retailer has engaged an independent firm of information security specialists to perform specialized internal audit activities. The CAE can rely on the specialists' work only if it is: A. Performed in accordance with the terms of the contract. B. Carried out in accordance with the Standards. C. Performed under the supervision of the information technology department. D. Carried out using standard review procedures for retailers.

B

14 Which of the following would be most helpful to a governmental auditor searching for the existence of multiple welfare claims that were filed under different names but used the same address? A. Tagging and tracing. B. Generalized audit software. C. Integrated test facility. D. Spreadsheet analysis.

B

140 An organization contracted a third party to construct a new facility that was estimated to cost $25 million. Which of the following is the most pertinent reason for the organization to audit the contractor's records? A. The contract includes a right-to-audit clause. B. The contractor will be paid on a cost-plus basis. C. The estimated cost is high. D. The contractor has subcontracted much of the work.

B

142 An internal auditor for a financial institution has just completed an audit of loan processing. Of the 81 loans approved by the loan committee, the auditor found seven loans which exceeded the approved amount. Which of the following actions would be inappropriate on the part of the auditor? A. Examine the seven loans to determine if there is a pattern. Summarize amounts and include in the engagement final communication. B. Report the amounts to the loan committee and leave it up to them to correct. Take no further follow-up action at this time and do not include the items in the engagement final communication. C. Follow up with the appropriate vice president and include the vice president's acknowledgment of the situation in the engagement final communication. D. Determine the amount of the differences and make an assessment as to whether the dollar differences are material. If the amounts are not material, not in violation of government regulations, and can be rationally explained, omit the observation from the engagement final communication.

B

145 As part of an operational audit, an auditor compared records of current inventory with usage during the prior two-year period and determined that the spare parts inventory was excessive. What step should the auditor perform first? A. Determine the effects of a stock-out on the organization's profitability. B. Determine whether a clear policy exists for setting inventory limits. C. Determine who approved the purchase orders for the spare parts. D. Determine whether purchases were properly recorded.

B

150 When conducting audit follow-up of a finding related to cash management routines, an internal auditor would expect to find that all of the following changes have occurred except: A. The steps being taken are resolving the condition disclosed by the finding. B. Inherent risk has been eliminated as a result of resolution of the condition. C. Controls have been implemented to deter or detect a recurrence of the finding. D. Benefits have accrued to the entity as a result of resolving the condition.

B

151 Which of the following represents appropriate evidence of supervisory review of engagement workpapers? I. A supervisor's initials on each workpaper. II. An engagement workpaper review checklist. III. A memorandum specifying the nature, extent, and results of the supervisory review ofworkpapers. IV. Performance appraisals that assess the quality of workpapers prepared by auditors. A. II and IV only B. I, II, and III only C. I, III, and IV only D. I, II, III, and IV.

B

155 Which of the following must an auditor establish in order to demonstrate that fraud has occurred? A. Monetary damage to the victim. B. The suspect's intent. C. Existence of an internal control deficiency. D. Evidence of collusion.

B

162 After issuance of the engagement final communication for an audit of an organization's accounts payable function, which of the following should be sent satisfaction surveys? I. Manager of disbursements. II. Controller. III. Chief operating officer. IV. Audit committee members. A. I only B. I and II only C. II and III only D. II, III, and IV only

B

172 Which of the following best defines an engagement conclusion? A. An auditor's determination of the cause of an engagement observation. B. An auditor's professional judgment of the situation which was reviewed. C. An opinion that must be included in the engagement final communication. D. A recommendation for corrective action.

B

18 An auditor plans to analyze customer satisfaction, including. (1) customer complaints recorded by the customer service department during the last three months; (2) merchandise returned in the last three months; and (3) responses to a survey of customers who made purchases in the last three months. Which of the following statements regarding this audit approach is correct? A. Although useful, such an analysis does not address any risk factors. B. The survey would not consider customers who did not make purchases in the last three months. C. Steps 1 and 2 of the analysis are not necessary or cost-effective if the customer survey is comprehensive. D. Analysis of three months' activity would not evaluate customer satisfaction.

B

185 In preparing to facilitate a control self-assessment session, an auditor would be least likely to ensure that: A. Key stakeholders are represented in the group. B. An independent content expert is available to help settle disagreements. C. Background research is completed to familiarize the auditor with relevant issues. D. Management is consulted on the issues and priorities.

B

186 What decision-making approach should a facilitator initiate if a group addresses an unfamiliar situation during a control self-assessment session? A. Spontaneous agreement. B. Consensus building. C. Majority voting. D. Compromise.

B

187 If participants in a control self-assessment workshop begin breaking their agreed-upon ground rules, the facilitator should: A. Ignore the behavior and continue the workshop. B. Allow them to continue briefly and then remind them of the ground rules. C. Have the participants modify the ground rules. D. Strictly enforce the ground rules.

B

189 An internal auditor has a recommendation to change operations which could potentially increase profits by $50,000. The best way to sell this recommendation to management is to: A. Carefully work out the details of implementation before presenting it to department management. B. Discuss it with operating supervisors who are directly affected by the change, and then with department management. C. Bring it to the audit manager, who should bring it immediately to senior management's attention. D. Wait until the exit conference to discuss it in order to ensure all affected parties are present.

B

191 During an information security audit, an auditor discovers that the current disaster recovery plan was developed three years ago but never tested. There have been significant changes to information systems since the plan was developed. The auditor should: A. Ask management to test the recovery plan immediately. B. Recommend that management and users update and test the recovery plan. C. Update the recovery plan for management as part of the review. D. Review the recovery plan and report weaknesses to management.

B

194 An internal auditor is conducting tests to determine if an organization is in compliance with its payment approval policies. After reviewing a sample of vouchers selected, the internal auditor concluded that there were indicators of fraud. Which of the following would be the most appropriate method to expand the audit test to achieve the audit objective? I. Validate the completeness of the accounts payable files. II. Examine the sample of vouchers in greater detail. III. Increase the number of vouchers in the sample. IV. Broaden the scope of the examination to include credits received by accounts payable. A. I and II only B. II and III only C. I, II, and IV only D. I, III, and IV only

B

195 During a review of performance measures in an organization's purchasing function, the preliminary survey indicates that most of the measures have been in use for some time. The internal auditor should: A. Review the data that was used to develop the measures. B. Perform benchmarking in order to verify that the measures being used are meaningful. C. Establish the history of the measures and reasons for use. D. Report that the measures being used are out-of-date and should be improved.

B

197 Which of the following best defines an audit opinion? A. A summary of the significant audit observations and recommendations. B. An auditor's evaluation of the effects of the observations and recommendations on the activities reviewed. C. A conclusion which must be included in the audit report. D. A recommendation for corrective action.

B

198 Which of the following is typically not a reason for committing financial statement fraud? A. To dispel negative market perception. B. To disguise a duplicate payment to a vendor. C. To obtain more favorable terms on financing. D. To receive performance-related bonuses.

B

2 During an operational audit of a chain of pizza delivery stores, an auditor determined that cold pizzas were causing customer dissatisfaction. A review of oven calibration records for the last six months revealed that adjustments were made on over 40 percent of the ovens. Based on this, the auditor: A. Has enough evidence to conclude that improperly functioning ovens are the cause. B. Needs to conduct further inquiries and reviews to determine the impact of the oven variations on the pizza temperature. C. Has enough evidence to recommend the replacement of some of the ovens. D. Must search for another cause since approximately 60 percent of the ovens did not require adjustment.

B

202 An auditor evaluating excessive product rejection rates should investigatE. I. Communication between sales and production departments on sales returns. II. Volume of product sales year-to-date in comparison to prior year-to-date. III. Changes in credit ratings of customers versus sales to those customers. IV. Detailed product scrap accounts and accumulations. A. I and III only B. I and IV only C. II, III, and IV only D. I, II, III, and IV.

B

204 During an audit of a major contract, an auditor finds that actual hours and dollars billed are consistently at or near budgeted amounts. This condition is a red flag for which of the following procurement fraud schemes? A. Defective pricing. B. Cost mischarging. C. Fictitious vendor. D. Bid rotation.

B

206 An internal auditor has completed an audit of an organization's activities and is ready to issue a report. However, the client disagrees with the internal auditor's conclusions. The auditor should: A. Withhold the issuance of the audit report until agreement on the issues is obtained. B. Issue the audit report and state both the auditor and client positions and the reasons for the disagreement. C. Issue the audit report and omit the client's conclusion as it is not the opinion of the internal auditor. D. Perform additional work, with the client's concurrence, to resolve the areas of disagreement and delay the issuance of the report until agreement is reached.

B

210 Persuasive evidence indicates that a member of senior management has been involved in insider trading that would be considered fraudulent. However, the evidence was encountered during an operational audit and is not considered relevant to the audit. Which of the following is the most appropriate action for the chief audit executive to take? A. Report the evidence to external legal counsel for investigation. Report the legal counsel findings to management. B. Report the evidence to the chairperson of the audit committee and recommend an investigation. C. Conduct sufficient audit work to conclude whether fraudulent activity has taken place, then report the findings to the chairperson of the audit committee and to government officials if appropriate action is not taken. D. Discontinue audit work associated with the insider trading since it is not relevant to the existing audit.

B

214 In evaluating the validity of different types of audit evidence, which of the following conclusions is not correct? A. Recomputation, though highly valid, is limited in usefulness due to its limited scope. B. The validity of documentary evidence is independent of the effectiveness of the control system in which it was created. C. Internally created documentary evidence is considered less valid than externally created documentary evidence. D. The validity of confirmations varies directly with the independence of the party receiving the confirmation.

B

215 Which of the following types of sampling techniques should an internal auditor use when testing the effectiveness of internal controls? A. Mean-per-unit sampling. B. Attributes sampling. C. Variables sampling. D. Dollar-unit sampling.

B

227 Risk assessments can vary in format, but generally include: 1. A description of identified risks. 2. Tests of audit controls. 3. A system of rating risks. 4. Sample size identification. A. 1 and 2 only B. 1 and 3 only C. 1, 3, and 4 only D. 2, 3, and 4 only

B

228 An internal auditor has just undertaken an organization-wide risk assessment. In identifying potential audit engagements the internal auditor should consider least: A. Focusing on the high risk areas as sources of potential engagements. B. Focusing in areas not audited last year. C. Factoring in management requests. D. Focusing on those risks highlighted by the external auditor.

B

231 A code of business conduct provides: A. A fraud avoidance plan that does not explicitly describe punishments for violations. B. A passive method of fraud deterrence. C. A program to anonymously report irregularities to authorities. D. An alternative to "tone at the top" programs.

B

237 The best method for assessing the relative importance of risk factors is to: A. Change the rating of the factors from a 1-3 scale to a 1-5 scale. B. Assign weights to the factors based on the comparative impact. C. List the risk factors in a priority order. D. Use data from an independent source.

B

239 The internal audit activity's primary responsibility in a review or examination of the organization by an external regulatory body is to: A. Verify that regulatory reviews occur with adequate frequency. B. Provide follow-up to determine if the regulator's findings are appropriately resolved by management. C. Prepare documentation for the regulator. D. Document the responses to the regulator's findings.

B

240 Under what circumstances would internal audit not become involved when intentional misconduct is suspected? A. Management is involved in wrongdoing. B. Management is running a parallel investigation. C. Management does not believe a trusted employee could be guilty. D. Management does not maintain strong internal controls.

B

241 During a payroll audit of a large organization, an internal auditor noted that the assistant personnel director is responsible for many aspects of the computerized payroll system, including adding new employees in the system; entering direct-deposit information for employees; approving and entering all payroll changes; and providing training for system users. After discussions with the director of personnel, the auditor concluded that the director was not comfortable dealing with information technology issues and felt obliged to support all actions taken by the assistant director. The auditor should: A. Continue to follow the engagement program because the engagement scope and objectives have already been discussed with management. B. Review the engagement program to ensure testing of direct deposits to employee bank accounts is adequately covered. C. Recommend to the chief audit executive that a fraud investigation be started. D. Test a sample of payroll changes to ensure that they were approved by the assistant director before being processed.

B

242 The most effective procedure to verify compliance with a requirement that materials be purchased from the lowest-priced source is to compare: A. Prices paid for selected materials with prices listed on related purchase orders. B. Bids obtained for selected purchases with related purchase orders. C. Vendors' current prices with prices listed on related purchase orders. D. Approved vendor lists with bids obtained for selected purchases.

B

244 Which of the following best describes the most important criteria when assigning responsibility for specific tasks required in an audit engagement? A. Auditors must be given assignments based primarily upon their years of experience. B. All auditors assigned an audit task must have the knowledge and skills necessary to complete the task satisfactorily. C. Tasks must be assigned to the audit team member who is most qualified to perform them. D. All audit team members must have the skills necessary to satisfactorily complete any task that will be required in the audit engagement.

B

245 In advance of a preliminary survey, a chief audit executive sends a memorandum and questionnaire to the supervisors of the department to be audited. What is the most likely result of that procedure? A. It creates apprehension about the audit engagement. B. It involves the engagement client's supervisory personnel in the audit. C. It is an uneconomical approach to obtaining information. D. It is only useful for audits of distant locations.

B

247 An internal auditor compared the number of human resources professionals per employee with industry standards. This comparison would assist the auditor in evaluating which of the following areas? A. Sufficiency of controls over payroll rate increases. B. Current level of performance of the human resources department. C. Adequacy of controls over hiring new employees. D. Degree of compliance with human resources policies.

B

249 An internal auditor noticed that employees with responsibilities for cash collection had recently issued an unusually large number of credit memos, indicating that the original charges had been made to the wrong customer accounts. From a control standpoint, the auditor would be concerned with the possibility that: A. The organization is selling a large number of defective items. B. Employees in this function are concealing a theft of cash collected from customers. C. Credit memos are not being submitted on a timely basis. D. The credit department has not been properly screening customers and, as a result, a large portion of the accounts receivable may not be collectible.

B

250 After becoming aware of control weaknesses indicating that a fraud could have been committed, which of the following actions should an internal auditor take next? A. Issue a written report identifying the control weaknesses. B. Perform tests directed toward the identification of other fraud indicators. C. Notify external auditors of the suspicion that fraud has been committed. D. Recommend that a fraud investigation be conducted involving internal auditors, lawyers, investigators, security personnel, and other specialists, as appropriate.

B

255 A bakery chain has a statistical model that can be used to predict daily sales at individual stores based on a direct relationship to the cost of ingredients used and an inverse relationship to rainy days. What conditions would an internal auditor look for as an indicator of employee theft of food from a specific store? A. On a rainy day, total sales are greater than expected when compared to the cost of ingredients used. B. On a sunny day, total sales are less than expected when compared to the cost of ingredients used. C. Both total sales and cost of ingredients used are greater than expected. D. Both total sales and cost of ingredients used are less than expected.

B

257 Production managers for a manufacturing company are authorized to prepare emergency purchase orders for raw materials. These manually prepared orders do not go through the purchasing department and do not require a receiving report. The managers forward the invoice and purchase order to the accounting department for payment. Which of the following internal controls would efficiently prevent abuse of this system? A. Institute a company policy requiring rotation of orders among several suppliers. B. Require a manual receiving report from the warehouse prior to payment. C. Forbid the use of emergency purchase orders. D. Review the level of safety stock.

B

259 Which of the following types of contracts would provide the least incentive for a contractor to achieve economy and efficiency? A. Lump-sum contract. B. Cost-plus contract. C. Unit-price contract. D. Indefinite delivery contract.

B

26 Which of the following audit procedures is most suitable for verifying that all sales transactions have been recorded? A. Observation. B. Tracing. C. Re-computation. D. Vouching.

B

266 According to the International Professional Practices Framework, which of the following statements is true regarding the use of the statement, "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing," when communicating results of a seven-year-old internal audit activity? A. The statement may be used only when conducting international engagements. B. The statement may be used only if the results of the quality assurance and improvement program support the statement. C. The statement may be used whether or not the internal audit department has an external quality assessment review or an independent validation of a self assessment. D. The statement should not be used for a consulting engagement.

B

267 During an engagement, an internal auditor discovered that an organization's policy on delegation of authority listed six individuals who were no longer employed with the organization. In addition, four individuals acting with disbursement authority were not identified in the policy as having such authority. Which of the following is the most effective course of action to address the control weakness? A. Immediately initiate a complete audit of the disbursement function to determine if significant frauds have occurred. B. Recommend that management review the process supporting the policy and make improvements. C. Advise management to add the four additional names and remove the incorrect names from the policy to make it current. D. Review further to ensure that the four individuals do not have the appropriate authority through delegation.

B

270 Which of the following actions has the least influence on the chief audit executive's development of an audit plan? A. Input from senior management and the board. B. An evaluation of the complexity of each audit engagement. C. Changes in the organizations structure or budget. D. An assessment of risk and exposures affecting the organization.

B

272 Because of an abundance of high priority requests from management, an internal audit activity no longer has the resources to meet all of its commitments contained in the annual audit plan. Which of the following would be the best course of action for the chief audit executive to follow? A. Continue with the plan and seek opportunities to adjust priorities and reallocate resources. B. Present a reassessment of the plan to the board and senior management for consideration. C. Reassess the plan and either cancel or divert resources away from the lowest priority activities. D. Advise the board immediately and seek their support for additional resources to meet the needs of the plan.

B

274 An internal auditor is planning an assurance engagement. The auditor first reviews the department's business objectives. What is the next step? A. Review control activities. B. Evaluate potential risks. C. Establish risk management roles. D. Set the scope of the engagement.

B

279 Given the scarcity of internal audit resources, a chief audit executive (CAE) decides not to schedule a follow-up of audit recommendations when developing engagement work schedules. Why does the CAE's decision violate the Standards? A. It is not the CAE's responsibility to establish a process for a follow-up. B. Lack of resources is not a sufficient reason to forgo a follow-up. C. Follow-up actions should take priority over new engagements in scheduling. D. When resources are scarce, the follow-up can be incorporated into the next engagement.

B

280 As part of a preliminary survey of the purchasing function, an internal auditor reads the department's policies and procedures manual and concludes that the manual describes the processing steps clearly and contains an appropriate internal control design. The next engagement objective is to evaluate the operating effectiveness of internal controls. Which procedure would fulfill this objective most effectively? A. Perform a design test. B. Perform a compliance test. C. Perform a systems test. D. Perform an efficiency test.

B

283 An internal auditor notices that a division has recorded uncharacteristically high sales and gross margins for the past three months and now suspects the division is reporting fictitious sales. Which course of action should the auditor follow to determine whether fraud has occurred? A. Trace a sample of shipping documents to related sales invoices to verify proper billing. B. Send accounts receivable balance confirmations to customers. C. Compare the division's sales and gross margins to those of the prior three-month period. D. Estimate the sales and cost of goods sold for the three-month period by using regression analysis.

B

284 An audit of an organization's fulfillment department discovered that problems in the order processing system led to a significant number of orders being fulfilled multiple times. During the exit conference, the head of the department informed the auditors that the processing system would be enhanced within six months to correct the problems. Which course of action should the chief audit executive follow? A. Adjust the scope of the next scheduled audit to determine that the problems have been resolved. B. Monitor the status of corrective action and schedule a follow-up engagement when appropriate. C. Meet with the audit committee to determine the appropriate follow-up action. D. Assess the status of corrective action in a follow-up engagement in six months.

B

285 When interviewing an individual in relation to a fraud investigation, which course of action should the internal auditor follow? A. Assure the individual that the results of the interview will remain confidential. B. Establish a rapport with the subject to encourage openness. C. Discontinue questioning once the individual has confessed to the fraud. D. Refrain from deviating from the list of questions prepared before the interview.

B

287 Because of a new marketing initiative, an organization has reduced requirements for extending credit to new customers. As a result, outstanding accounts receivable as a percentage of revenue has increased significantly during the past two years. Which of the following would be least useful in monitoring this finding? A. Updates from the manager of accounts receivable regarding collection of outstanding receivables. B. Updates from the information technology division regarding development of a new accounts receivable system. C. Updates from the controller regarding the status of corrective actions. D. Updates from the credit and marketing personnel tasked with reevaluating credit policies.

B

291 During an audit of an ethics program, which of the following procedures are most appropriate to evaluate the effectiveness of the program? • Testing whether corrective actions taken on involved parties breaching the ethics program areadequate. • Testing whether all employees are mandated through policy to comply with the ethics program. • Testing whether all employees are required to confirm in writing their compliance with the ethicsprogram. • Testing through surveys employee's level of understanding and commitment to the ethicsprogram. A. 1 and 2 only B. 1 and 4 only C. 2 and 3 only D. 3 and 4 only

B

296 A chief audit executive (CAE) has decided to add an engagement to the current audit plan which will exceed available audit resources. Which of the following is the best course of action for the CAE to take? A. Present the plan change to senior management and request additional resources before going to the board of directors. B. Seek approval from senior management and the board of directors for the plan change and advise them of the issue of limited resources. C. Add this change to the plan and request senior management to indicate which other engagement should be deleted to keep the overall plan within resource constraints. D. Immediately seek additional resources from senior management and the board of directors to meet the needs of the organization.

B

297 While performing an audit of the human resources department, an internal auditor discovered unencrypted files containing the personal information of employees stored on a public shared drive. According to IIA guidance, which of the following actions by the auditor would be the most appropriate? A. Remove the files containing the social security numbers and personal information. B. Communicate the issue to the chief audit executive as well as IT and legal departments. C. Change permissions to the shared drive to only allow access to human resources personnel. D. Immediately review the audit logs to see if anyone has accessed this information and follow-up.

B

3 When assessing the risk associated with an activity, an internal auditor should: A. Determine how the risk should best be managed. B. Provide assurance on the management of the risk. C. Modify the risk management process based on risk exposures. D. Design controls to mitigate the identified risks.

B

305 A report prepared by the internal audit activity contains several observations that disclose proprietary information regarding the organization's manufacturing process. According to the International Professional Practices Framework, which of the following is the appropriate treatment for this report? A. Distribute the report only to the board to protect disclosure. B. Disclose and distribute this information in a separate report. C. Remove the observations and report verbally to senior management. D. Require a separate non-disclosure statement from each recipient.

B

306 According to the International Professional Practices Framework, the internal audit activity's decision to defer follow-up of recommendations and management's corrective actions until the next scheduled engagement for the area is justified when: A. The reported findings or recommendations are significant enough to require immediate action by management. B. The action taken by management to address the recommendation is sufficient when weighed against the importance of the finding. C. Management has adequately understood and appropriately accepted the risk of not taking action to implement the recommendation. D. The significance of the finding or recommendation will allow auditors to perform monitoring by receiving periodic updates from management on corrective actions taken.

B

82 Which of the following audit techniques provides for continuous monitoring and analysis of computer transactions for detailed auditing? A. Integrated test facility. B. Parallel simulation. C. Test data. D. Embedded audit routines.

D

307 Which of the following conditions should a chief audit executive take into account when deciding if a follow-up audit engagement is necessary? • The reported observations were significant and high risk. • Internal audit resources and the time it will require for follow-up. • Management may not have the resources to take action. • Management has previously decided not to take any action. A. 1, 2, and 3 only B. 1, 2, and 4 only C. 1, 3, and 4 only D. 2, 3, and 4 only

B

312 The internal audit activity of an investment company received a request to provide assurance on the risk management process. Preliminary discussion with senior management revealed that separate functions within the organization perform some form of risk management activities. Which of the following is the most effective tool for ensuring that risk management activities are coordinated among these functions? A. Delphi technique. B. Assurance map. C. Facilitated workshop. D. Analytical reviews.

B

317 In performance auditing, which of the following must first be determined by the internal auditor? A. Which key performance indicators are in use. B. Management's objectives for the process. C. Whether management controls are appropriate. D. Determination that appropriate benchmarks are in place.

B

321 According to IIA guidance, which of the following strategies would be the least effective in helping a chief audit executive build a stronger relationship with the board? A. Consider formality and tone of communications to ensure they are appropriate. B. Minimize instances of ad hoc communications with board members. C. Consider the possible repercussions created by commentary on deficiencies. D. Avoid making presumptuous comments without sufficient facts.

B

336 Which of the following is not a reason for an internal auditor to prepare an audit plan before the detailed audit work begins? A. The objectives of the audit should be set. B. The organization's management should be informed about the work to be performed. C. Attention should be devoted toward the key audit areas. D. The timing of the audit should be set.

B

339 While preparing the annual audit plan, the newly assigned chief audit executive (CAE) learns that the organization has not yet implemented a risk framework. Which of the following would be the most appropriate action for the CAE to take regarding potential engagements? A. Prioritize the engagements that were not done in previous years and schedule them for the upcoming year. B. Consult with senior management and the board and make adjustments regarding risk. C. Review all outstanding recommendations from prior audit engagements and focus on them in the upcoming year. D. Use the previous three-year audit plan to extrapolate potential engagements for the upcoming year's schedule of engagement.

B

340 Which of the following would be the most important reason for the chief audit executive (CAE) to use inputs from management strategy to update the audit universe? A. The audit charter requires the CAE to update the audit universe before embarking on the selection of potential audit engagements. B. The CAE wants to consider the organization's strategic plan including attitude toward risk and the degree of difficulty to achieving planned objectives. C. The CAE wants to cover management planned activities for the upcoming year in the audit plan. D. The CAE wants to determine internal audit resourcing requirements to cover the organization's major processes and activities over time.

B

341 Management requested the chief audit executive (CAE) to include an audit of the organization's health and safety program in next year's annual audit plan. However, the internal audit department has no expertise in this area. Which of the following would be the most appropriate action by the CAE? A. With management's agreement, amend the scope of the audit to ensure that areas examined do not require specialized knowledge and expertise. B. Meet with management to explain that the audit cannot be undertaken and discuss alternative strategies that can be implemented until internal audit can develop its capability in the area. C. Accept the request provided management has conducted a thorough risk assessment prior to the engagement to help guide the audit. D. Advise management that compliance audits of this type should only be conducted by the corresponding regulatory agency to ensure independence.

B

342 While developing a risk based audit plan, which of the following sources of information would provide the least value to the chief audit executive? A. Results from the organization's business process management program. B. User acceptance testing of the organization's enterprise resource planning application. C. Risk assessments conducted by the board. D. Key business strategies adopted by the organization in the strategic plan.

B

343 An organization has a large number of vendors supplying goods to its various branches across the region. The code of conduct statements signed by the employees specify that the employees or their families will not sell goods to the organization. However, during the internal audit of a branch, the internal auditor suspected that some of the employees may be supplying goods to the organization contrary to the code of conduct. The chief audit executive has requested that a thorough review be completed to identify the potential employee vendors. Of the following tests, it would be least useful to compare [List A] with [List B]. [List A] [List B] A. Vendor bank account numbers Employee bank account numbers B. Dates of payments to vendors Dates of salary payments to employees C. Addresses of vendors from the vendor database Addresses of employees from the employee database D .Vendor names Employee names

B

345 According to the Standards, which of the following is applicable to the internal audit activity's quality assurance and improvement program? A. Periodic monitoring of the internal audit activity should be done. B. All aspects of the internal audit activity should be evaluated. C. An external assessment should be obtained every three years. D. The review of assurance services should be the primary focus.

B

349 Which of the following are key characteristics of enterprise risk management? 1. It considers risk in the formulation of strategy. 2. It applies risk management in some units of an entity. 3. It takes a portfolio view of risks throughout the enterprise. 4. It restricts the organization's ability to seize opportunities inherent in future events. A. 2 and 3 only B. 1 and 3 only C. 2 and 4 only D. 1 and 4 only

B

43 Which of the following performance criteria would be most useful when measuring the performance of a customer service desk? A. The number of customer inquiries recorded per day. B. The percentage of customer issues resolved within 24 hours. C. The number of customer complaints recorded per day. D. The percentage of total customers served per day.

B

355 In response to an audit finding, senior management informed the auditor that the issue would be investigated and resolved when time permitted. According to the International Professional Practices Framework, this action was not acceptable because: A. The appropriate level of management was not involved in the review and resolution of the issue. B. Responses should include sufficient information to evaluate the adequacy and timeliness of corrective action. C. The board had not reviewed management's responses to the engagement observations and recommendations. D. Other departments should have been contacted to determine if they shared responsibility for corrective action.

B

359 According to the International Professional Practices Framework, the responsibility for establishing and maintaining a system to monitor the disposition of results communicated to management falls upon: A. Compliance officer. B. Chief audit executive. C. Senior management. D. Risk manager.

B

36 When conducting research, which of the following is most important? A. Using computer databases or the Internet to find all relevant sources. B. Providing documentation of the reference sources. C. Presenting only those facts that support the conclusion. D. Presenting all contrary views to balance the opinion.

B

364 The chief audit executive (CAE) notes that management has adopted the option of not taking action on an audit issue involving a sizeable risk which has been accepted in the past. Which would be an appropriate action by the CAE? A. Close the issue by noting that follow-up will be completed as part of the next engagement. B. Discuss the matter with management to determine a resolution. C. Accept management's decision as the same risk has been accepted in the past. D. Report the situation to the board for immediate resolution.

B

367 Which two of the following considerations must an internal auditor take into account while planning an audit of an accounting system/application that has been in use for the last five years? • The level and manner of linkages between the business' mission, objectives, and structure andthe accounting system/application. • Presence or absence of computerized and manual controls that address risks. • Identification of risks at the application level, e.g. availability and security of the system. • Testing of the system/application for bugs and errors. A. 1 and 3 only B. 2 and 3 only C. 2 and 4 only D. 3 and 4 only

B

37 Productivity statistics are provided quarterly to a company's board of directors. An auditor checked the ratios and other statistics in the four most recent reports. The auditor used scratch paper and copies of the board reports to verify the accuracy of computations and compared the data used in the computations with supporting documents. The auditor wrote a note describing this work for the workpapers and then discarded the scratch paper and report copies. The auditor's note stated. "The ratios and other statistics in the quarterly board reports were checked for the last four quarters, and appropriate supporting documents were examined. All amounts appear to be appropriate." In this situation: A. Four quarters is not a large enough sample on which to base a conclusion. B. The auditor's workpapers are not sufficient to facilitate an efficient review of the auditor's work. C. The auditor should have included the scratch paper in the workpapers. D. The auditor should have considered whether the information in the board report was compiled efficiently.

B

371 According to the Standards, which of the following is an attribute when applied to the observations and recommendations contained in the audit report? A. Client accomplishments. B. Effect. C. Supportive information. D. Scope statements.

B

373 In addition to the internal auditor, which of the following parties should be present at an exit or closing conference? 1. Audit committee members. 2. The external auditor. 3. The management responsible for the areas covered by the engagement. 4. The chief executive officer. A. 2 only B. 3 only C. 3 and 4 only D. 1, 3, and 4 only

B

376 Which of the following documents should the chief audit executive review and approve? 1. Workpaper retention policy. 2. Audit committee meeting minutes. 3. Internal audit handbook. 4. Quarterly financial statements. A. 1 and 2 only B. 1 and 3 only C. 2 and 4 only D. 1, 3, and 4 only

B

377 Which of the following topics must the internal audit staff discuss with management during the exit conference? 1. Issues identified during the audit. 2. Evaluation criteria used to select controls for testing. 3. Staff who were interviewed during the audit. 4. The reporting process for the draft and final report. A. 1 and 3 only B. 1 and 4 only C. 2 and 3 only D. 2 and 4 only

B

380 During the audit of a large decentralized supply chain function, the chief audit executive (CAE) receives serious allegations of fraud concerning the vice president responsible for this function. The CAE engages a third party to provide forensic audit services and lead the investigation portion of the engagement. As part of this team, which of the following would be an appropriate role for the investigator? 1. Authenticate the original approval signatures on contracts. 2. Interview personnel to understand the supply chain processes. 3. Provide certified copies of relevant original documents for the audit file. 4. Identify variances in pixels on original electronic documents. A. 1 and 2 only B. 1 and 4 only C. 2 and 3 only D. 3 and 4 only

B

381 The chief audit executive (CAE) of a new organization is in the process of determining the manner in which audit reports will be distributed and to whom. According to the Standards, which of the following is the most appropriate course of action for the CAE to take to develop this distribution process? A. The process should be determined in meetings with the external auditor and senior management to ensure alignment with external reporting. B. The CAE should meet with senior management for their input, but finalize the distribution of all reports with the board. C. The CAE should independently implement the report distribution, using best judgment to ensure that all relevant stakeholders are informed. D. The CAE should request that senior management and the board meet to determine the most appropriate reporting method.

B

427 An internal auditor has been assigned to facilitate a risk and control self-assessment for the finance group. Which of the following is the most appropriate role that she should assume when facilitating the workshop? A. Express an opinion on the participants' inputs and conclusions as the assessment progresses. B. Provide appropriate techniques and guidelines on how the exercise should be undertaken. C. Evaluate and report on all issues that may be uncovered during the exercise. D. Screen and vet participants so that the most appropriate candidates are selected to participate in the exercise.

B

382 An organization has acquired a new line of business. None of the organization's internal auditors have the required expertise to perform an internal audit of the new business line; therefore, the chief audit executive (CAE) has contracted the services of an external audit firm to perform the engagement. The CAE has assigned a member of the internal audit team to assist the external team with the engagement. According to the Standards, which of the following statements is true regarding supervision of the engagement? A. The CAE may rely upon the external firm's auditor in charge to supervise the engagement. B. The external firm's auditor in charge must defer to the judgment of the CAE for any disputes. C. The CAE is not responsible for the quality of an audit performed by an external firm. D. The CAE should not assign an inexperienced staff member to assist with the engagement.

B

387 An internal auditor is conducting an assessment of the organization's fraud controls. Which of the following would not be considered a preventive control? 1. Daily report that identifies unsuccessful system log-in attempts. 2. Weekly management communication with tips on identifying possible fraud. 3. E-mail alert sent to management for checks issued over $100,000.00. 4. New hire training to explain fraud and employee misconduct. A. 1 and 2 only B. 1 and 3 only C. 2 and 4 only D. 3 and 4 only

B

388 Which of the following is the least relevant when preparing the internal audit activity's annual engagement plan? A. Senior management's requests for internal audit engagements. B. A rotation of internal audit engagements selected on a time basis. C. The organization's current risk priority and exposure. D. Coordination with the audit plans of the external auditor.

B

395 An internal auditor for a large telecommunications organization identified potential risk factors related to a planned billing system conversion. Which of the following risk factors would present the least potential exposure to the organization? A. Critical customer support functions are not available for a short period. B. Invoice generation disruptions due to required maintenance. C. Inaccurate billing of telephone calls due to database error. D. End user criticism and lack of support for the new system.

B

396 While reviewing the draft report of an audit engagement, the chief audit executive (CAE) is not in agreement with management's acceptance of the potential risk exposure resulting from an observed key control weakness. Which of the following actions by the CAE would be appropriate for addressing this concern? • Meet with the auditor-in-charge. • Discuss with senior management. • Monitor the result of the accepted risk. • Report the matter to the board. A. 1, 2, and 3 only B. 1, 2, and 4 only C. 1, 3, and 4 only D. 2, 3, and 4 only

B

397 Which of the following statements is correct regarding the use of a program evaluation and review technique (PERT) model? • It makes use of a probability model to arrive at a realistic estimate of time necessary forcompletion of the audit engagement. • It requires that activities are performed in sequence such that each task is completed before thecommencement of the next activity. • It remains fixed once completed to act as a baseline for measuring the performance of the auditstaff following completion of the engagement. • It begins with the auditor-in-charge identifying the overall scope and then breaking down theaudit engagement into identifiable activity units. A. 1 and 3 only B. 1 and 4 only C. 2 and 3 only D. 2 and 4 only

B

399 The chief audit executive (CAE) of a large retail operation believes that senior management has accepted a level of risk that exceeds the organization's current risk tolerance with respect to a major expansion. The CAE plans to meet with senior management to discuss these concerns. According to IIA guidance, which of the following would be an appropriate course of action in preparation for this meeting? • Understand management's basis for the decision. • Advise the board of the concern and upcoming meeting. • Ascertain which members of management have accepted the risk. • Determine if management has the authority to accept the risk. A. 1 and 2 only B. 1 and 4 only C. 2 and 3 only D. 3 and 4 only

B

4 Which of the following procedures would provide the best evidence of the effectiveness of a creditgranting function? a. Observe the process. b. Review the trend in receivables write-offs. c. Ask the credit manager about the effectiveness of the function. d. Check for evidence of credit approval on a sample of customer orders.

B

414 During a fraud interview, it was discovered that unquestioned authority enabled a vice president to steal funds from the organization. Which of the following best describes this condition? A. Scheme. B. Opportunity. C. Rationalization. D. Pressure.

B

419 When forming an opinion on the adequacy of management's systems of internal control, which of the following findings would provide the most reliable assurance to the chief audit executive? • During an audit of the hiring process in a law firm, it was discovered that potential employees'credentials were not always confirmed sufficiently. This process remained unchanged at the following audit. • During an audit of the accounts payable department, auditors calculated that two percent ofaccounts were paid past due. This condition persisted at a follow up audit. • During an audit of the vehicle fleet of a rental agency, it was determined that at any given time,eight percent of the vehicles were not operational. During the next audit, this figure had increased. • During an audit of the cash handling process in a casino, internal audit discovered controldeficiencies in the transfer process between the slot machines and the cash counting area. It was corrected immediately. A. 1 and 3 only B. 1 and 4 only C. 2 and 3 only D. 2 and 4 only

B

425 An internal control questionnaire would be most appropriate in which of the following situations? A. Testing controls where operating procedures vary. B. Testing controls in decentralized offices. C. Testing controls in high risk areas. D. Testing controls in areas with high control failure rates.

B

426 According to IIA guidance, which of the following statements is true regarding the authority of the chief audit executive (CAE) to release previous audit reports to outside parties? A. The CAE can release prior internal audit reports with the approval of the board and senior management. B. The CAE can employ judgment and release prior audit results as they deem appropriate and necessary. C. The CAE can only release prior information outside the organization when mandated by legal or statutory requirements. D. The CAE can release prior information provided it is as originally published and distributed within the organization.

B

431 New environmental regulations require the board to certify that the organization's reported pollutant emissions data is accurate. The chief audit executive (CAE) is planning an audit to provide assurance over the organization's compliance with the environmental regulations. Which of the following groups or individuals is most important for the CAE to consult to determine the scope of the audit? A. The audit committee of the board. B. The environmental, health, and safety manager. C. The organization's external environmental lawyers. D. The organization's insurance department.

B

434 An internal auditor is assessing the organization's risk management framework. Which of the following formulas should he use to calculate the residual risk? C) D) A. Option A B. Option B C. Option C D. Option D

B

435 Which of the following statements is false regarding roles and responsibilities pertaining to risk management and control? A. Senior management is charged with overseeing the establishment risk management and control processes. B. The chief audit executive is responsible for overseeing the evaluation risk management and control processes. C. Operating managers are responsible for assessing risks and controls in their departments.

B

451 According to IIA guidance, which of the following statements best justifies a chief audit executive's request for external consultants to complement internal audit activity (IAA) resources? A. The organization's audit universe is extensive and diverse. B. There has been an increase in unanticipated requests for advisory work. C. Previous work provided by the external service provider has been of great quality and value. D. A recent benchmarking study found that using external service providers is a common practice of similarly-sized IAAs in other organizations.

B

457 An internal auditor notes that employees continue to violate segregation-of-duty controls in several areas of the finance department, despite previous audit recommendations. Which of the following recommendations is the most appropriate to address this concern? A. Recommend additional segregation-of-duty reviews. B. Recommend appropriate awareness training for all finance department staff. C. Recommend rotating finance staff in this area. D. Recommend that management address these concerns immediately.

B

458 Which of the following has the greatest effect on the efficiency of an audit? A. The complexity of deficiency findings. B. The adequacy of preliminary survey information. C. The organization and content of workpapers. D. The method and amount of supporting detail used for the audit report.

B

465 If observed during fieldwork by an internal auditor, which of the following activities is least important to communicate formally to the chief audit executive? Acts that may endanger the health or safety of individuals. B. Acts that favor one party to the detriment of another. C. Acts that damage or have an adverse effect on the environment. D. Acts that conceal inappropriate activities in the organization.

B

471 Which of the following conditions are necessary for successful change management? 1. Decisions and necessary actions are taken promptly. 2. The traditions of the organization are respected. 3. Changes result in improvement or reform. 4. Internal and external communications are controlled. A. 1 and 2 B. 1 and 3 C. 2 and 3 D. 2 and 4

B

472 A chief audit executive (CAE) is determining which engagements to include on the annual audit plan. She would like to consider the organization's attitude toward risk and the degree of difficulty in achieving objectives. Which of the following resources should the CAE consult? A. The corporate risk register. B. The strategic plan. C. Internal and external audit reports. D. The board's meeting records.

B

477 An audit client responded to recommendations from a recent consulting engagement. The client indicated that several recommended process improvements would not be implemented. Which of the following actions should the internal audit activity take in response? A. Escalate the unresolved issues to the board, because they could pose significant risk exposures to the organization. B. Confirm the decision with management and document this decision in the audit file. C. Document the issue in the audit file and follow up until the issues are resolved. D. Initiate an assurance engagement on the unresolved issues.

B

480 According to IIA guidance, which of the following are the most important objectives for helping to ensure the appropriate completion of an engagement? 1. Coordinate audit team members to ensure the efficient execution of all engagement procedures. 2. Confirm engagement workpapers properly support the observations, recommendations, andconclusions. 3. Provide structured learning opportunities for engagement auditors when possible. 4. Ensure engagement objectives are reviewed for satisfactory achievement and are documentedproperly. A. 1, 2, and 3 B. 1, 2, and 4 C. 1, 3, and 4 D. 2, 3, and 4

B

481 When constructing a staffing schedule for the internal audit activity (IAA), which of the following criteria are most important for the chief audit executive to consider for the effective use of audit resources? 1. The competency and qualifications of the audit staff for specific assignments. 2. The effectiveness of IAA staff performance measures. 3. The number of training hours received by staff auditors compared to the budget. 4. The geographical dispersion of audit staff across the organization. A. 1 and 3 B. 1 and 4 C. 2 and 3 D. 2 and 4

B

482 When developing the scope of an audit engagement, which of the following would the internal auditor typically not need to consider? A. The need and availability of automated support. B. The potential impact of key risks. C. The expected outcomes and deliverables. D. The operational and geographic boundaries.

B

486 According to IIA guidance, which of the following procedures would be least effective in managing the risk of payroll fraud? A. The employee's name listed on organization's payroll is compared to the personnel records. B. Payroll time sheets are reviewed and approved by the timekeeper before processing. C. Employee access to the payroll database is deactivated immediately upon termination. D. Changes to payroll are validated by the personnel department before being processed.

B

487 During an assurance engagement, an internal auditor discovered that a sales manager approved numerous sales contracts for values exceeding his authorization limit. The auditor reported the finding to the audit supervisor, noting that the sales manager had additional new contracts under negotiation. According to IIA guidance, which of the following would be the most appropriate next step? A. The audit supervisor should include the new contracts in the finding for the final audit report. B. The audit supervisor should communicate the finding to the supervisor of the sales manager through an interim report. C. The audit supervisor should remind the sales manager of his authority limit for the contracts under negotiation. D. The auditor should not reference the new contracts, because they are not yet signed and therefore cannot be included in the final report.

B

490 An organization has a health and safety division that conducts audits to meet regulatory requirements. The chief health and safety officer reports directly to the CEO. Which of the following describes an appropriate role for the chief audit executive (CAE) with regard to the organization's health and safety program? A. The CAE has no role to play, because the chief health and safety officer reports to a senior executive. B. The CAE should coordinate with, and review the work of, the chief health and safety officer to gain an understanding of whether risks related to health and safety are managed properly. C. The CAE should give periodic reports directly to the regulator regarding health and safety issues, as it is the appropriate regulatory oversight body. D. The CAE should hire an independent external specialist to conduct an annual assessment and provide assurance over the effectiveness of the health and safety program and the reliability of its reports.

B

493 Which of the following behaviors could represent a significant ethical risk if exhibited by an organization's board? 1. Intervening during an audit involving ethical wrongdoing. 2. Discussing periodic reports of ethical breaches. 3. Authorizing an investigation of an unsafe product. 4. Negotiating a settlement of an employee claim for personal damages. A. 1 and 2 B. 1 and 4 C. 2 and 3 D. 3 and 4

B

497 An internal auditor is conducting a financial audit. Which of the following audit procedures is most appropriate when existing internal controls are weak? A. Analytical procedures. B. Detail testing. C. Test of design. D. Test of control.

B

51 An internal auditor provided the following statement about division A's performance during the month: "Because supplies of raw material X were scarce, division A's profits declined by 15 percent." Which of the following can be validly concluded from the auditor's statement? I. Division A's production level declined by 15 percent. II. Division A could have sold more products than it produced. III. Division A usually sells all of the products that it produces. A. I only B. II only C. III only D. I and II only

B

56 An internal auditor is reviewing a new automated human resources system. The system contains a table of pay rates which are matched to the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes would be to: A. Limit access to the data table to management and line supervisors who have the authority to determine pay rates. B. Require a supervisor in the department, who does not have the ability to change the table, to compare the changes to a signed management authorization. C. Ensure that adequate edit and reasonableness checks are built into the automated system. D. Require that all pay changes be signed by the employee to verify that the change goes to a bona fide employee.

B

57 What is the most important risk in determining the validity of construction delay claims? A. Contractor claims may be submitted prior to completion of the work. B. Contractor claims may include costs considered in the fixed-price portion of the work. C. Contractor claims may include subcontractor estimates of balances due to the subcontractor. D. Contractor claims may be understated.

B

66 Insurance companies often receive electronic hospitalization claims directly from hospitals. Which of the following control procedures would be most effective in detecting fraud in such an environment? A. Use integrated test facilities to test the accuracy of processing in a manner that is transparent to data processing. B. Develop monitoring programs to identify unusual types of claims or an unusual number of claims by demographic class for investigation by the claims department. C. Use generalized audit software to match the claimant identification number with a master list of valid policyholders. D. Develop batch controls over all items received from a particular hospital and process those claims in batches.

B

67 During an audit of executive travel, an auditor noted that the president's travel expense reimbursements were approved by an executive secretary who reported to the president. The organization's reimbursement policy requires all travel expense reimbursements to be approved by the traveler's supervisor, but it does not address the president's reimbursements. Which of the following represents the auditor's best recommendation in this situation? A. The organization's reimbursement policy should be amended to grant the president's executive secretary the authority to approve the president's travel expense reimbursements. B. The approval policy for executive travel should be considered at the next meeting of the audit committee of the board of directors. C. The president's travel expense reimbursements should be reviewed and approved by the chief financial officer. D. The president's noncompliance should be considered immaterial.

B

70 Which of the following might alert an auditor to the possibility of fraud in a division? I. The division is not scheduled for an external audit this year. II. Sales have increased by 10 percent. III. A significant portion of management's compensation is directly tied to reported net income ofthe division. A. I only B. III only C. I and II only D. I, II, and III

B

76 Which of the following would provide the best audit evidence regarding the effectiveness of an applied research department? A. Develop a cost-per-product analysis for products developed over the past five years. B. Develop a report on revenue generated by or cost savings directly attributable to newly developed products. C. Compare research as a percentage of revenue between this company and all major competitors in the same industry. D. Compare the number of this year's new product developments to the number of new product developments for the past five years.

B

78 An auditor receives anonymous information that fraud is occurring in the operation being audited, but no details are given as to the type of fraud or the individuals involved. There are several areas in which fraud could occur. The auditor should: A. Identify the area that has the greatest volume of transactions and design a sampling plan for substantive testing. B. Apply analytical procedures to areas that might be impacted by possible fraudulent activities. C. Interview employees to identify areas where the fraud could be occurring. D. Plan detailed tests of the areas that have the highest dollar amount of transactions.

B

84 Which of the following would provide the greatest assurance of the accuracy of a computer program's computation of freight charges for catalog sales? A. Use discovery sampling, selecting transactions from invoices which should have freight charges added to them. B. Use either test data or parallel simulation to test the computer application. C. Use difference estimation, selecting transactions from invoices which should have freight charges added to them. D. Use generalized audit software to select a monetary-unit sample of invoices that have been billed to customers.

B

87 An internal auditor would most likely use attributes sampling when testing which of the following? A. Accounts receivable balances. B. Correct coding of accounts payable disbursement vouchers. C. Year-end inventory value. D. Fixed asset book value.

B

96 If management expects 100 percent compliance with a procedure, which of the following sampling approaches would be most appropriate? A. Attributes sampling. B. Discovery sampling. C. Targeted sampling. D. Variables sampling.

B

99 Many questionnaires are made up of a series of different questions that use the same response categories (for example: strongly agree, agree, neither, disagree, strongly disagree). Some designs will have different groups of respondents answer alternate versions of the questionnaire that present the questions in different orders and reverse the orientation of the endpoints of the scale (for example: agree on the right and disagree on the left). The purpose of such questionnaire variations is to: A. Eliminate intentional misrepresentations. B. Reduce the effects of pattern response tendencies. C. Test whether respondents are reading the questionnaire. D. Make it possible to get information about more than one population parameter using the same questions.

B

400 During the quarterly review of the internal audit activity's performance, the chief audit executive (CAE) notes that actual engagement hours consistently exceed the budget. Which of the following strategies would most likely help the CAE address this problem? • The budget should consider time spent on similar engagements. • The budget should consider the proficiency of the assigned auditors. • The budget estimate should provide for unexpected delays. • The budget should be specific as to time for each work assignment. A. 1 and 2 only B. 1 and 4 only C. 2 and 3 only D. 3 and 4 only

B Topic 5, Volume E

1 Which of the following would be a red flag that indicates the possibility of inventory fraud? I. The controller has assumed responsibility for approving all payments to certain vendors. II. The controller has continuously delayed installation of a new accounts payable system, despitea corporate directive to implement it. III. Sales commissions are not consistent with the organization's increased levels of sales. IV. Payments to certain vendors are supported by copies of receiving memos, rather thanoriginals. a. I and II only b. II and III only c. I, II, and IV only d. I, III, and IV only

C

102 Checklists used to assess audit risk have been criticized for all of the following reasons except: A. Providing a false sense of security that all relevant factors are addressed. B. Inappropriately implying equal weight to each item on the checklist. C. Decreasing the uniformity of data acquisition. D. Being incapable of translating the experience or sound reasoning intended to be captured by each item on the checklist.

C

111 An auditor is performing a review of a complex process to identify opportunities to increase efficiency. What is the most practical way to document the process to identify areas of inefficiency? A. Write a description of the process activities in sequential order. B. Develop a PERT (program evaluation and review technique) diagram. C. Flowchart the process. D. Create a decision tree.

C

113 An internal auditor is evaluating controls over the purchasing function. The function includes the material control department, the purchasing department, and the receiving department. Which of the following is true regarding the presentation of the process flow among the three departments? A. A vertical flowchart of each department, showing inputs at the top and outputs at the bottom, would be most useful. B. Flowcharts are not useful for documenting process flow. C. A horizontal flowchart, with the departments described across the top and the process flowing horizontally, would be most useful. D. Both a flowchart and narratives are needed due to the number of departments involved.

C

115 The internal auditor of a bank has developed a multiple regression model which has been used for a number of years to estimate the amount of interest income from commercial loans. During the current year, the auditor applies the model and discovers that the R2 value has decreased dramatically, but that the model otherwise seems to be working correctly. Which of the following conclusions is justified by the change? A. Changing to a cross-sectional regression analysis should cause the R2 to increase. B. Regression analysis is no longer an appropriate technique to estimate interest income. C. Some new factors, not included in the model, are causing interest income to change. D. A linear regression analysis would increase the model's reliability.

C

117 After completing a net present value (NPV) calculation on a proposed project, an analyst explores the change in NPV with changes in the interest rate. This additional analysis is referred to as: A. Decision analysis. B. Simulation. C. Sensitivity analysis. D. Variance analysis.

C

118 A company used simple regression analysis to analyze maintenance costs against machine hours (MH) for a 26-week period when the plant was in full operation. The regression yielded the following estimated cost function: Maintenance Cost = $60 + $0.25/MH The regression analysis also generated a coefficient of determination (R2), or goodness of fit, of 0.85. Which of the following statements regarding this regression analysis is appropriate? A. This regression can be used to determine the maintenance cost for any period at any activity level by substituting the machine hours in the equation. B. The $60 component represents the best estimate of fixed maintenance costs for the company in a shutdown situation. C. The $0.25 component is the slope coefficient of the cost estimate and represents the average variable maintenance cost per machine hour. D. The coefficient of determination of R2 = 0.85 indicates that the goodness of fit is poor because the value is close to the maximum value of one.

C

122 Which of the following would not be characteristic of control self-assessment implemented by an audit department? A. An auditor usually facilitates the discussion during the workshop phase while another records comments for subsequent use. B. Auditors and business-unit employees work as a team. C. Auditors perform traditional audit tests to identify control weaknesses. D. Participants discuss the control weaknesses that hinder the achievement of objectives.

C

123 Which of the following is an advantage of control self-assessment (CSA) over conventional auditing techniques? A. CSA evaluates control activities and human resource practices. B. CSA provides assurance about whether business objectives will be met. C. CSA facilitates obtaining input from subject-matter experts efficiently. D. CSA provides assurance that action will be taken to improve deficiencies.

C

124 During which of the following systems development stages would it be most useful for an internal auditor to be involved? A. Coding and testing. B. User acceptance and post-implementation. C. Design and implementation. D. Testing and user acceptance.

C

126 All of the following tools are employed to control large-scale projects except: A. Program evaluation and review technique (PERT). B. Critical path method. C. Statistical process control. D. Gantt charts.

C

132 Questions used to interrogate individuals suspected of fraud should: A. Adhere to a predetermined order. B. Cover more than one subject or topic. C. Move from general to specific. D. Direct the individual to a desired answer.

C

139 When conducting a performance appraisal of an internal auditor who has been a below-average performer, it is not appropriate to: A. Notify the internal auditor of the upcoming appraisal several days in advance. B. Use objective, impartial language. C. Use generalizations. D. Document the appraisal.

C

144 A post-audit questionnaire sent to audit clients is an effective mechanism for: A. Substantiating audit observations. B. Promoting the internal audit activity. C. Improving future audit engagements. D. Validating process flow.

C

146 A performance audit engagement typically involves: A. Review of financial statement information, including the appropriateness of various accounting treatments. B. Tests of compliance with policies, procedures, laws, and regulations. C. Appraisal of the environment and comparison against established criteria. D. Evaluation of organizational and departmental structures, including assessments of process flows.

C

149 An internal auditor found that the cost of some material installed on capital projects had been transferred to the inventory account because the capital budget had been exceeded. Which of the following would be an appropriate technique for the auditor to use to determine the extent of the problem? A. Identify variances between amounts capitalized each month and the capital budget. B. Analyze a sample of capital transactions each quarter to detect instances in which installed material was transferred to inventory. C. Review all journal entries that transferred costs from capital to inventory accounts. D. Compare inventory receipts with debits to the inventory account and investigate discrepancies.

C

154 As a result of a recent discovery of false information on employment applications, an internal auditor has reviewed hiring procedures. Which of the following represents a weakness in the control system? I. Applicants are not required to have their signed applications legally authenticated. II. Applicants' educational information is not validated with the educational institution beforeemployment is offered. III. Information related to applicants' long-term work history is not validated before employment isoffered. A. III only B. I and II only C. II and III only D. I, II, and III

C

16 Which of the following would provide the best evidence of compliance with an airline's standard of having aircraft refueled and cleaned within a specified time of arrival at an airport? A. Vendor fuel invoices that have been reconciled to inventory records. B. Time cards completed by aircraft cleaning and fueling crews. C. Observation of selected aircraft while they are being refueled and cleaned. D. Comparison of the standard hourly labor costs for cleaning and fueling personnel with actual labor charges.

C

161 A key to effective benchmarking in a consulting engagement is identifying the issues that can be: A. Reviewed by all internal audit staff members. B. Shared with all internal audit customers. C. Measured and controlled by the engagement client. D. Discussed with the board or audit committee.

C

163 In a client satisfaction survey for an internal audit engagement, client management should be asked to assess which of the following factors? I. Audit team's knowledge of the audited area. II. Usefulness of the audit results. III. Quality of management of the internal audit activity. IV. Clarity of the scope and objectives of the audit engagement. A. I and II only B. II and IV only C. I, II, and IV only D. I, III, and IV only

C

167 During an audit of a major metropolitan museum, an auditor was unable to locate selected items from the museum's collection. The director of the museum informed the auditor that the upcoming replacement of the museum's inventory tracking system would address the auditor's concerns. What follow-up activity should the auditor propose? A. Receive periodic feedback from museum staff regarding the status of the system implementation. B. Monitor the system implementation and schedule a follow-up review once the new system is in place. C. Determine whether the items are indeed missing and assess the ability of the new system to remedy the problem. D. Schedule an audit of the museum's security systems to determine if theft is a problem.

C

169 A company's cellular phone costs vary significantly by sales representative and by month. Which of the following would be the most appropriate approach for a consulting project concerning this issue? A. Control self-assessment involving sales representatives. B. Benchmarking with other cellular phone users. C. Business process review of cellular phone needs. D. Performance measurement and design of the budgeting process.

C

320 According to the International Professional Practices Framework, which of the following would not be considered when performing an initial risk assessment in engagement planning? A. The reliability of management's assessment of risk. B. Management's process for monitoring, reporting, and resolving risk issues. C. Management's methodology for defining risk criteria. D. Risks in related activities relevant to the activity under review.

C

178 Which of the following tests must an internal auditor perform in order to ensure that inbound electronic data interchange (EDI) transactions are received and translated accurately? I. Computerized tests to assess transaction reasonableness and validity. II. Review of log books to ensure that transactions are logged upon receipt. III. Edit checks to identify unusual transactions. IV. Verification of limitations on the authority of users to initiate specific EDI transactions. A. I and IV only B. II and III only C. I, II, and III only D. I, II, III, and IV.

C

180 Which of the following is a responsibility of the internal auditor once a fraud investigation has been concluded? A. Ascertain the extent to which fraud has been perpetrated. B. Notify the appropriate regulatory authorities regarding the outcome of the investigation. C. Determine if controls need to be implemented or strengthened to reduce future vulnerability. D. Implement controls to prevent future occurrences.

C

182 The internal audit activity can be involved with systems development continuously, immediately prior to implementation, after implementation, or not at all. An advantage of continuous internal audit involvement compared to the other types of involvement is that: A. The cost of audit involvement can be minimized. B. There are clearly defined points at which to issue audit comments. C. Redesign costs can be minimized. D. The threat of lack of audit independence can be minimized.

C

190 A chief audit executive agrees to conduct an engagement that will focus on customers' perceptions of the quality of the organization's products and services. Which of the following issues should be addressed first? A. Cost-effectiveness. B. Quality control. C. Customer complaints. D. Supplier deliveries.

C

192 The most effective method of reporting engagement results to management and stimulating action is to: A. Deliver a lecture on the engagement results. B. Limit verbal commentary and present a series of slides that graphically depict the engagement results. C. Use slides to support a discussion of major points. D. Distribute copies of the report, ask the participants to read the report, and ask for questions.

C

193 Which of the following items should be addressed in an organization's privacy statement? I. Intended use of collected information. II. Data storage and security. III. Network/infrastructure authentication controls. IV. Data retention policy of the organization. Parties authorized to access information. A. I and II only B. I and IV only C. I, II, and V only D. II, III, IV, and V only

C

20 Which of the following files, when compared with billing records, would provide the best source of information for determining if all goods shipped are billed to customers? A. Pre-numbered customer invoices. B. Accounts receivable transactions. C. Pre-numbered shipping documents. D. Customer purchase orders.

C

203 Which of the following is the correct ratio to use in calculating the dollar value of the population if the auditor is using ratio estimation? Number of Items Audited Value Carrying Amount Sample 300 $500,000 $480,000 Population 3,000 $5,000,000 A. 0.10 B. 0.96 C. 1.04 D. 10.00

C

205 A staff auditor, nearly finished with an audit engagement, discovers that the director of marketing has a gambling habit. The gambling issue is not directly related to the existing engagement and there is pressure to complete the current engagement. The auditor notes the problem and forwards the information to the chief audit executive but performs no further follow-up. The auditor's actions woulD. I. Be in violation of the IIA Code of Ethics for withholding meaningful information. II. Be in violation of the Standards because the auditor did not properly follow up on a red flag that might indicate the existence of fraud. III. Not be in violation of either the IIA Code of Ethics or Standards. A. I only B. II only C. III only D. I and II only

C

207 Which of the following is an advantage of an interim report? I. An interim report provides timely feedback to the audit engagement client. II. An interim report provides a mechanism for communicating information on red flags promptly while they are being investigated. III. An interim report provides an opportunity for auditor follow-up of findings before the engagement is completed. IV. An interim report increases the probability that corrective action will be initiated more quickly. A. I and IV only B. II and III only C. I, III, and IV only D. I, II, III, and IV.

C

209 Which of the following factors would not be considered in determining appropriate follow-up procedures? A. The significance of the audit finding. B. The effort and cost needed to correct the reported condition. C. The availability of funds in the audited department's budget to correct the reported condition. D. The potential consequences if the corrective action fails.

C

212 Confirmation would be most effective in addressing the existence assertion for: A. The addition of a milling machine to a machine shop. B. Sales of merchandise during the regular course of business. C. Inventory held on consignment. D. The granting of a patent for a special process developed by the organization.

C

216 What type of analysis is performed when an auditor tests for unusual variations in information by comparing the number of employees working at a factory site with the direct cost of production each month over a period of one year? A. Trend analysis. B. Ratio analysis. C. Regression analysis. D. Horizontal analysis.

C

217 Which of the following data sources would provide the least valid data for an audit of a retail store's customer service? A. A graph that compares staffing levels for selected times with store traffic (number of customers) over the same time period. B. A random survey of customer satisfaction given to customers as they leave the store. C. Interviews of randomly selected service personnel regarding the quality of service that they provide. D. A graph of customer service training across stores, comparing training with overall levels of service satisfaction.

C

219 In reviewing the appropriateness of the minimum quantity level of inventory established by a department, an auditor would be least likely to consider: A. Stockout costs, including lost customers. B. Seasonal variations in forecasting inventory demand. C. Optimal order sizes determined by an economic order quantity model. D. The potential for obsolescence of inventory items.

C

22 In order to effectively elicit sensitive information from an employee during an audit engagement, an auditor should: A. Tell the employee a piece of information obtained from a coworker in a previous interview. B. Put sensitive questions at the beginning of a questionnaire to ensure that they are answered. C. Explain that the auditor's reputation for integrity, which is vital to the auditor's business success, would be seriously damaged if confidentiality were breached. D. Point out that management has given the auditor full authority to conduct this interview.

C

222 A bank uses a risk analysis matrix to quantify the relative risk of auditable entities. The analysis involves rating auditable entities on risk factors using a scale of 1 to 10, with 10 representing the greatest risk. A partial list of risk factors and the ratings given to three of the bank's departments is provided below: Which of the following statements regarding risk in the department is true? A. As compared to departments A and C, department B has a stronger control system to compensate for the greater complexity of the department's transactions and dollar value of its assets. B. The internal audit activity should schedule audits of department B more often than audits of department C because of the relative control strength of department C as compared to department B. C. The nature of department A's control structure may be justified by the nature of the department's assets and the complexity of its transactions. D. The relative ranking of the departments in order of their risk, from greatest to least risk, is: A; C; B.

C

224 Which of the following is least likely to vary when conducting audit engagements in different regions of an international organization? A. Application of governmental regulations to business activities. B. Work schedules and holidays of the individual regions. C. Level of workpaper documentation needed to support audit observations. D. Availability of technology and technical support.

C

225 Which of the following is not likely to be included as an audit step when assessing vendor performance policies? A. Determine whether agreed-upon lot sizes were sent by vendors. B. Determine whether only authorized items were received from vendors. C. Determine whether the balances owed to vendors are correct. D. Determine whether the quality of the goods purchased from the vendors has been satisfactory.

C

226 An organization has developed a large database that tracks employees, employee benefits, payroll deductions, job classifications, and other similar information. The internal auditor reviews the retirement benefits plan and determines that the pension and medical benefits have been changed several times in the past ten years. The auditor wishes to determine whether there is justification to perform further audit investigation. The most appropriate audit procedure would be to: A. Review the trend of overall retirement expense over the last ten years. If the retirement expense increased, it would indicate the need for further investigation. B. Use generalized audit software to select a monetary-unit sample of retirement pay, and determine whether each retired employee was paid correctly. C. Review reasonableness of retirement pay and medical expenses on a per-person basis stratified by which plan was in effect when the employee retired. D. Use generalized audit software to select an attributes sample of retirement pay, and perform detailed testing to determine whether each person chosen was given the proper benefits.

C

23 During a routine audit of a customer service hotline, an internal auditor noticed that an unusually high number of customer complaints pertained to payments not being applied to the customers' accounts. Which of the following would most likely be the reason for the high volume of complaints? A. An ineffective customer service department. B. Poor controls in the invoice approval processes. C. Check tampering by an employee. D. Submission of fraudulent expense reports.

C

230 Which of the following actions is related to the preliminary survey process? A. Determining if controls are effective. B. Preparing the engagement work program. C. Identifying the current controls. D. Completing a detailed test of controls.

C

232 The chief executive officer has requested that the chief audit executive (CAE) coordinate the establishment of an enterprise risk management (ERM) program for the organization. Which of the following would be the most appropriate action for the CAE? A. Accept the request as the role of coordinating ERM is a core function of internal audit. B. Decline the request as this role compromises the CAE's objectivity. C. Accept the request after consulting with the board and adhering to proper safeguards. D. Decline the request as internal audit has limited knowledge and experience of risk at the enterprise level to undertake the assignment.

C

24 Direct staff as a percentage of total staff is an example of which of the following types of efficiency measures? A. Productivity ratio. B. Productivity index. C. Operating ratio. D. Resource utilization rate.

C

243 A major insurance company provides a discount on automobile insurance if the vehicle meets certain safety criteria. Which of the following audit tests would provide an internal auditor with the best evidence that all qualifying insured automobiles are receiving the discount? A. Compare the percentage of automobiles receiving discounts this year to that of last year. B. Ask managers whether they are aware of the discount criteria and whether they are providing the discount to all qualifying automobiles. C. Select a sample of automobiles that are not receiving the discount and determine if they have been properly excluded. D. Select a sample of automobiles receiving the discount and determine that the required discount criteria are being met.

C

248 During an audit of a contract for computer security, a governmental auditor finds that a contractor has developed a system that could be the most advanced in the industry. If it seems that the contractor is charging the government for developmental cost of a system that might be sold to other organizations, what is the auditor's best course of action? A. Estimate the cost to develop the advanced security system and inform the contractor that it will be a disallowed cost. B. Exclude the observation from the engagement final communication because the contract was vague and the level of security is clearly acceptable. C. Estimate the added cost, report it to management, and suggest that management meet with its lawyers and the contractor to resolve differences. D. Compare the cost of the security program with previous costs incurred by governmental operations and inform the contractor that the difference will be a disallowed cost.

C

263 According to the Standards, which of the following describes the condition attribute when applied to the observations and recommendations contained in the audit report? A. The standards, measures, or expectations used in making an evaluation or verification. B. The reason for the difference between the expected state and the actual state. C. The factual evidence that the internal auditor found in the course of the examination. D. The risk or exposure the organization encounters because the actual state is not consistent with the criteria.

C

264 When determining the nature, timing, and extent of follow up, the chief audit executive considers all of the following factors except: A. Significance of the reported observation or recommendation, degree of effort, and cost needed to correct the reported condition. B. Impact that may result should the corrective action fail. C. Authority and responsibility of the person required to take corrective action. D. Complexity of the corrective action and time period involved.

C

27 Which of the following would be an appropriate and effective control self-assessment approach in an organization with an authoritative culture? I. Facilitated meeting II. Survey III. Management-produced analysis A. I only B. I and III only C. II and III only D. I, II, and III

C

273 Why should internal auditors develop a strong relationship with the external auditors? A. External auditors offer an additional layer of approval to internal auditors' reports. B. External auditors can help improve the effectiveness of internal control sampling techniques. C. External auditors can offer an independent and knowledgeable viewpoint. D. External auditors can share information gained from work with similar clients.

C

275 Which characteristic of risk assessment makes it a useful tool for audit planning? A. It provides a list of auditable activities in the organization. B. It ranks the severity of potentially adverse effects on the organization. C. It provides a process for identifying and analyzing potentially adverse effects. D. It evaluates the probability that an event or action may adversely affect the organization.

C

278 Management has asked the internal audit activity to perform an operational audit of a division that recently reported an increase in expenditures in addition to a decrease in profits. However, existing internal audit resources are currently engaged in a legal compliance audit. Which factor would be considered least important in deciding whether resources should be removed from the legal compliance audit to the operational audit? A. The increase in expenditures at the division over the past year. B. The probability that the legal compliance audit will detect fraud. C. The results of the external auditor's most recent financial audit. D. The potential for regulatory fines associated with the legal compliance audit.

C

28 A film company determined that income level impacts the number of films that people watch per month, as shown by the graph below: The graph indicates that: A. A richer person always sees more films than a poorer person. B. The number of films seen per month is a linear function of income level. C. A 20 percent pay increase is more likely to increase film viewing at lower income levels than at higher income levels. D. A 20 percent pay increase is likely to increase film viewing by a constant amount regardless of income level.

C

281 An organization has recently incurred significant cost overruns on one of its construction projects. Management suspects that these overruns were caused by the contractor improperly charging for costs related to contract change orders. Which of the following procedures are appropriate for testing this suspicion? 1. Determine if the contractor has received proper approval of change orders from management. 2. Determine if the contractor has billed for original contract work cancelled by the change orders. 3. Determine if the contractor has charged change orders with costs already billed to the originalcontract. 4. Determine if the contractor has been paid for change orders that have not yet been completed. A. 1 and 2 only B. 1 and 3 only C. 2 and 3 only D. 3 and 4 only

C

288 Which of the following tasks would be considered unusual for planning a control self-assessment workshop? A. Conducting interviews to identify relevant issues for the discussion. B. Identifying key stakeholders and ensuring they are represented in the group. C. Securing an external subject matter expert to arbitrate disputes. D. Ensuring that managers are willing to accept constructive criticism.

C

293 The internal audit activity of an organization obtained approval to add a senior auditor to its staff. The chief audit executive, audit manager, and audit supervisor each will interview the candidates. According to the Standards, which of the following best explains the involvement of management in the interview process? A. Provides audit management with the opportunity to communicate expectations regarding ethical behavior standards. B. Enables audit management to outline its quality assurance and improvement program with the senior auditor. C. Assists audit management in planning by more effectively allocating the senior auditor to appropriate audits. D. Allows audit management to explain the criteria that will be used to evaluate the senior auditor's performance.

C

294 The chief audit executive (CAE) of an organization has established an internal audit activity (IAA) quality assessment program. According to IIA guidance, which of the following would be part of this program? A. Assessment of the IAA conducted independently of client feedback, and the review of individual audits to determine the quality and timeliness of supervision. B. Assessment of the IAA conducted independently of client feedback, and identified areas of improvement reviewed at the end of the year. C. Compliance with a checklist of required audit procedures, and review of individual audits to determine the quality and timeliness of supervision. D. Compliance with a checklist of required audit procedures, and identified areas of improvement reviewed at the end of the year.

C

365 Which of the following is a preventive control for fraud? A. Determining if the number of manually prepared disbursement checks is high. B. Reconciling the purchase orders with the requisitions. C. Verifying that new vendors appear on the vendor pre-approved list. D. Conducting an inventory count of the warehouse.

C

444 A newly promoted chief audit executive (CAE) is faced with a backlog of assurance engagement reports to review for approval. In an attempt to attach a priority for this review, the CAE scans the opinion statement on each report. According to IIA guidance, which of the following opinions would receive the lowest review priority? 1. Graded positive opinion. 2. Negative assurance opinion. 3. Limited assurance opinion. 4. Third-party opinion. 1 and 3 1 and 4 2 and 3 2 and 4

C

299 The chief audit executive (CAE) of a multinational entity with highly automated and complex operations has just completed the update of the risk-based audit plan. Interviews with management revealed the introduction of new technology and a significant increase in both the number and severity of technology-based risk exposures. According to the International Professional Practices Framework, which of the following would be the best course of action for the CAE to undertake next? A. Develop a detailed audit plan that makes the most efficient use and reallocation of existing internal audit resources. B. Arrange for the outsourcing of some technology intensive audit processes and procedures based on the plan changes. C. Evaluate whether appropriate skills and knowledge required to perform the necessary audit work currently exist in the department. D. Begin planning to recruit information technology audit specialists and other expert personnel into the internal audit activity.

C

300 Which of the following risks assumes an absence of compensating controls in the area being reviewed? A. Control risk. B. Detection risk. C. Inherent risk. D. Sampling risk.

C

302 According to the International Professional Practices Framework, which of the following is not an objective of the exit conference? A. Receive client feedback and clarification. B. Review audit recommendations. C. Plan future engagements. D. Resolve disagreements.

C

308 According to the Standards, which of the following would least likely be considered a red flag when evaluating the risk for fraud? A. Cash receipts appear to be lower than expected from an employee's cash drawer. B. Health benefits are detected to be claimed for a deceased employee. C. An employee did not approve an internal report detailing expenses for the month. D. It is alleged that an employee is receiving vendor kickbacks.

C

31 If an organization's chief audit executive wants to implement continuous auditing, what is the appropriate order in which key steps should be undertaken? I. Identify business applications that require access. II. Implement steps to continuously assess risks and controls. III. Define objectives of continuous auditing. IV. Manage and report results. A. III, I, IV, II. B. II, I, III, IV. C. III, I, II, IV. D. II, III, I, IV.

C

310 According to the International Professional Practices Framework, which of the following situations is an indicator of a healthy relationship between the audit committee and the internal audit function? A. The chief audit executive (CAE) has direct access to the audit committee and the board but typically does not interact directly with them unless a material weakness in the control environment is identified. B. The CAE sends the audit committee all communications between the internal audit department and the audit client in order to keep the audit committee up to date on the engagement. C. The CAE does not distribute audit reports to the audit committee. However, the audit committee is made aware of the scope and findings of audits performed. D. Whenever a potential audit finding or testing exception is first identified, the audit committee is immediately notified, as well as for any subsequent changes in the status of the engagement.

C

311 An internal auditor has been asked to participate in an advisory capacity to assist a committee in redesigning the organization's current financial reports to provide better information to management and the board. Which of the following actions on the part of the auditor would provide the greatest value to this project? A. The internal auditor has a set of generic report templates from a former project and presents them to the group because they worked so well for the previous employer. B. The internal auditor interviews each stakeholder and documents the requirements and preferences of each and creates a report template that meets as many of the requirements and preferences as possible. C. The internal auditor gathers the stakeholder group and holds a brainstorming session where they generate report requirements and preferences and then rank them in order of importance. D. The internal auditor undertakes a project to gather report templates and formats from other organizations in the same line of business and presents them all to the group for review.

C

314 According to IIA guidance, which of the following are potential benefits of using an assurance map? A. Indication of any gaps in assurance coverage, and improved relevance of assurance recommendations. B. Identification of duplicate or overlapping assurance activities, and improved relevance of assurance recommendations. C. Indication of gaps in assurance coverage, and enhanced effectiveness of assurance providers. D. Enhanced effectiveness of assurance providers, and improved relevance of assurance recommendations.

C

315 Which of the following events would most likely cause the chief audit executive to consider changing the current year's audit plan? The government announced that new regulatory requirements will be introduced in the coming years which may significantly impact the organization's primary product. A major competitor unexpectedly introduced a new model at a lower price point to compete with the organization's market leading product. The organization announced a new joint venture with a long time corporate partner to introduce a new product with development costs and sales beginning next fiscal year. An equal joint venture partner filed a lawsuit against the organization and requested that the court issue an immediate suspension of future product shipments. A. 1 and 2 only B. 1 and 3 only C. 2 and 4 only D. 3 and 4 only

C

316 Which of the following statements is true? A. Consulting engagements provide the internal audit activity with flexibility to add value and do not need to be included in the long-range audit plan. B. The internal audit activity's plan of engagments must be based on a formal quantitative risk assessment. C. The chief audit executive should consider changes to the long-range audit plan based on the requests of business unit managers. D. A risk assessment on which to base the internal audit activity's long-range plan must be undertaken at least once every three years.

C

319 An airline contracted with an external service provider to perform maintenance on all aircraft ground support equipment. Management then asked the internal audit activity (IAA) to evaluate the controls in place that would permit appropriate oversight of the service provider in maintaining required maintenance standards. According to the International Professional Practices Framework, which of the following would be the most appropriate course of action for the IAA to undertake to establish the engagement objectives? A. Develop a draft audit plan and create an appropriate scope and resource schedule. B. Develop a preliminary audit program and obtain senior management's approval. C. Conduct a preliminary assessment of the risks associated with the maintenance contract. D. Obtain a copy of the maintenance contract and review the contract for pricing discrepancies.

C

327 According to the International Professional Practices Framework, which of the following is correct regarding conducting and reporting follow-up activities by the internal audit activity (IAA)? A. Due to management changes, the IAA is advised by management that no further work will be done. Further follow-up work is not required as management has accepted the related risk. B. A newly appointed auditor immediately proceeds to conduct follow-up testing based on previous work performed for the engagement and then reports the results to the chief audit executive (CAE). C. Management has stopped implementing several key recommendations citing a growing disagreement with their effectiveness. The auditor communicates the situation to the CAE who then escalates the matter to senior management. D. In situations where the identified risk may have a significant impact to the business and senior management has accepted the risk, it is not necessary for the CAE to inform the board of the decision.

C

329 According to IIA guidance, which of the following is the least appropriate role for the internal audit activity in the organization's risk management program? A. Conducting full investigations of suspected fraud. B. Monitoring the organization's whistle-blower hotline. C. Assessing the risk of fraudulent activity in the organization. D. Providing ethics training sessions to organization staff.

C

33 The following is an excerpt from an audit engagement workpaper: - A Company - Accounts Receivable - Date Objective. To determine if the computer system is correctly recording all accounts receivable transactions. Procedures: Judgmental selection of a sample of all accounts receivable balances greater than $50,000 for positive confirmation of balances. Conclusion: Based on the results of testing wherein all but three confirmations were returned, the accounts receivable balance is fairly presented in all material respects. Which of the following is true regarding the workpaper? A. It is not appropriate to judgmentally select a sample when testing accounts receivable. B. A conclusion should be reached only for the results of overall testing, not for individual procedures. C. The audit procedures used are not consistent with the audit objective. D. The format of the workpaper does not conform to the standard format for workpapers.

C

330 An organization decides to create an internal audit function and hires a new chief audit executive (CAE). Which of the following should the CAE first consider when developing the internal audit process? A. Requirements of the external auditors to ensure an efficient coordination of audit effort. B. Sufficient resources to adequately meet the needs of the annual audit plan. C. Alignment of internal audit objectives with the organization's strategic plan. D. An appropriate training plan for audit staff.

C

334 When establishing the internal audit activity's annual plan, which of the following would be the best source of potential audit engagement topics? A. The organization's budget. B. Operations involving cash transactions. C. Recent changes in management objectives. D. Risk factors utilized in the organization's risk models.

C

337 When determining if appropriate resources exist to achieve engagement objectives, which of the following factors should a chief audit executive consider? 1. Nature and complexity of the audit engagement. 2. Time constraints. 3. Effectiveness of the audit committee. 4. Availability of resources for the engagement. A. 1 and 2 only B. 1, 2, and 3 only C. 1, 2, and 4 only D. 1, 3, and 4 only

C

338 Which of the following is true regarding roles and responsibilities in risk management processes? A. Setting strategic direction resides with senior management. B. Ownership of risks resides with the board. C. Acceptance of residual risk resides with executive management level. D. Identifying, assessing, mitigating and monitoring activities on a continuous basis rests with the internal audit activity.

C

344 Which of the following is correct with respect to roles within an enterprise-wide risk management process? 1. The board provides oversight to the risk management process. 2. Executive management owns the risk management framework. 3. Senior management is assigned ownership of risks. 4. Internal audit modifies the risk assessment determined by management. A. 1 and 2 only B. 3 and 4 only C. 1, 2, and 3 only D. 1, 2, 3, and 4

C

353 An internal auditor is reviewing purchases made through the organization's corporate credit card program. Which of the following statements best describes a root cause of a deficiency? A. A personal computer was purchased from a non-approved vendor. B. Company policy limits card use to $500 per transaction. C. A control to detect split purchases has not been activated in the credit card system. D. Sample testing found 10% non-compliance with the organization's business travel policy.

C

356 Which of the following tasks is typically performed in the analysis phase of a benchmarking consulting engagement? A. Identifying business capabilities. B. Developing data collection tools. C. Determining benchmarked process attributes. D. Determining sample size.

C

360 Controls are implemented to: A. Eliminate risk and reduce the potential for loss. B. Mitigate risk and eliminate the potential for loss. C. Mitigate risk and reduce the potential for loss. D. Eliminate risk and eliminate potential for loss.

C

362 Which of the following would be a legitimate action for the internal auditor to take when monitoring audit engagement results? 1. Disregard a certain risk because management and the board accepted the risk in the past. 2. Abdicate the responsibility for a particular risk because it is not part of the audit plan. 3. Obtain agreement from senior management that unresolved audit issues will be reported to theboard. Request corrective action from management in writing. A. 1 and 3 only B. 2 and 3 only C. 3 and 4 only D. 1, 2, and 4 only

C

363 Which of the following statements is not true about the oversight and review of working papers by the chief audit executive (CAE)? A. The CAE has ultimate responsibility for reviewing working papers and remains accountable for the achievement of objectives and the quality of work. B. The need for CAE review depends on the proficiency and experience of the internal auditor and the complexity of the task. C. The CAE is responsible for all significant professional judgments made during the audit process and should therefore personally review working papers to ensure conclusions were professionally arrived at. D. The CAE, although having overall responsibility for reviewing work completed, can delegate such task to appropriately experienced internal audit staff.

C

366 The chief audit executive (CAE) decided that based on management's oral response, the action taken on an audit observation for a minor improvement in the client's process is sufficient and no further follow-up is necessary. Which of the following would be the best statement regarding the action of the CAE? A. The CAE action is not acceptable, as a follow-up audit is needed to ensure that action is really taken by management. B. The CAE action is not acceptable, as follow-up on the issue is critical until a written response is obtained from management. C. The CAE action is acceptable as long as the follow-up is sufficient when weighed against the relative importance of the recommendation. D. The CAE action is acceptable as long as the issue has been escalated to the board to get their position on the issue.

C

369 If the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, they should: A. Accept the decision of senior management as they are ultimately responsible for risk management. B. Report the concern directly to the board. C. Discuss the concern with management and if not resolved, escalate it to the board. D. Disclose the issue in the audit report when auditing the area where the risk was identified.

C

374 Reviewing internal audit report drafts with clients is: 1. Required according to the Standards. 2. A form of courtesy. 3. Ethically mandated. 4. A form of validation. A. 1 and 2 only B. 2 and 3 only C. 2 and 4 only D. 3 and 4 only

C

378 A manufacturing organization is considering a merger with a similar firm, and requests that the chief audit executive (CAE) perform a due diligence audit. During the preliminary survey, the CAE notes that inventory management is a high risk area. In consultation with the external auditors and legal advisors, the CAE learns that they share those concerns. Which of the following is the CAE's best course of action? A. Perform an independent audit of the merging firm's inventory management practices to verify the concerns and to provide relevant and reliable results to management for their consideration and action. B. Advise management that internal audit, external audit, and legal advisors all have concerns about inventory management and, given the high materiality of inventory, management should not proceed with the merger. C. Coordinate a review of inventory management with external auditors and legal advisors and ensure each group focuses on their area of expertise to ascertain the extent of the problems, if any. D. Coordinate with the merging firm's internal audit department to better understand the inventory management function and whether the concerns are well-founded.

C

379 The chief audit executive (CAE) manages a large internal audit activity (IAA) reporting functionally to the audit committee and administratively to the chief risk officer. During the CAE's recent unplanned medical leave, several internal audit reports were completed and waiting for CAE approval, however, no formal delegation of authority was in place to anticipate this situation. In order to preserve the independence of the IAA, which of the following would be the most appropriate individual to review and approve these reports during the CAE's absence? A. External auditor. B. Chief risk officer. C. Engagement lead auditor. D. Audit committee chair.

C

38 Which of the following is an example of the verification of internal documentary evidence? A. Reviewing a carrier's bill of lading. B. Reconciling a vendor's month-end statement. C. Vouching a copy of a sales invoice to receivables. D. Recalculating a customer's purchase order.

C

383 An organization does not have a formal risk management function. According to the Standards, which of the following are conditions where the internal audit activity (IAA) may provide risk management consulting? 1. There is a clear strategy and timeline to migrate risk management responsibility back tomanagement. 2. The IAA has the final approval on any risk management decisions. 3. The IAA does not give objective assurance on any part of the risk management framework forwhich it is responsible. 4. The nature of services provided to the organization is documented in the internal audit charter. A. 1, 2, and 3 only B. 1, 2, and 4 only C. 1, 3, and 4 only D. 2, 3, and 4 only

C

384 Which of the following statements regarding the use of external contracted services by the chief audit executive (CAE) is false? A. The CAE's responsibility is not impaired by engaging an external expert. B. The external expert could have a prior relationship with the audit client. C. The audit report should not disclose the use of contracted services. D. The expert should be directed by the objectives and scope of work.

C

386 According to the Standards, which of the following control strategies would be the most effective in helping to prevent fraud? A. Have employees annually sign a code of conduct requiring that they report any known violations. B. Implement a whistleblower hotline where individuals can make anonymous phone calls to report fraudulent activities. C. Provide periodic fraud awareness training to employees and test their understanding of the training through online surveys. D. Conduct routine employee surveys to solicit their knowledge of fraud and unethical behavior within the organization.

C

389 Which of the following statements is true? A. If management chooses not to take action on internal audit's assurance engagement observation, the chief audit executive (CAE) has a responsibility to propose an action plan to the board. B. Internal audit's responsibility for an assurance engagement observation ends when management implements changes to remediate the observation. C. When management decides to accept the risk of not taking action on an assurance observation, the (CAE) is responsible for judging whether or not that decision is prudent. D. An assurance engagement observation is considered remediated when management's corrective action plan is approved by the board.

C

391 Which of the following statements is true regarding the communication of audit engagement observations? A. Criteria, condition, cause, and effect must be communicated for material observations only B. Criteria, condition, cause, and effect must be communicated for material observations and significant deficiencies only C. Criteria, condition, cause, and effect must be communicated for all engagement observations. D. Criteria, condition, cause, and effect do not need to be communicated for insignificant observations with adquate compensating key controls.

C

392 Which of the following situations justifies the release of an interim report to management and the board? • The internal auditor is convinced that the audit observations require immediate attention. • The internal auditor would like to communicate a change in engagement scope for the activityunder review. • The internal auditor notes that the engagement may extend over a longer time period. • The audit supervisor believes that issuing interim reports eases supervisory review and controlsover working papers. A. 1 and 3 only B. 2 and 3 only C. 1, 2, and 3 only D. 2, 3, and 4 only

C

40 An auditor prepared a workpaper that consisted of a list of employee names and identification numbers as well as the following statement: "A statistical sample of 40 employee personnel files was selected to verify that they contain all documents required by company policy 501 (copy attached). No exceptions were noted." The auditor did not place any audit verification symbols on this workpaper. Which of the following changes would most improve the auditor's workpaper? A. Use of audit verification symbols to show that each file was examined. B. Removal of the employee names to protect their confidentiality. C. Justification for the sample size. D. Listing of the actual documents examined for each employee.

C

401 According to IIA guidance, which of the following actions might place the independence of the internal audit function in jeopardy? A. Having no active role or involvement in the risk management process. B. Auditing the risk management process for reasonableness. C. Coordinating and managing the risk management process. D. Participating with management in identifying and evaluating risks.

C

403 Which of the following is an appropriate responsibility for the internal audit activity with regard to the organization's risk management program? A. Identifying and managing risks in line with the entity's risk appetite. B. Ensuring that a proper and effective risk management process exists. C. Attaining an adequate understanding of the entity's key mitigation strategies. D. Identifying and ensuring that appropriate controls exist to mitigate risks.

C

404 Which of the following is a detective control for managing the risk of fraud? A. Awareness of prior incidents of fraud. B. Contractor non-disclosure agreements. C. Verification of currency exchange rates. D. Receipts for employee expenses.

C

405 Which of the following is a justifiable reason for omitting advance client notice when planning an audit engagement? A. Advance notice may result in management making corrections to reduce the number of potential deficiencies. B. Previous management action plans addressing prior internal audit recommendations remain incomplete. C. The engagement includes audit assurance procedures such as sensitive or restricted asset verifications. D. The audit engagement has already been communicated and approved through the annual audit plan.

C

409 Which of the following statements about internal audit's follow-up process is true? A. The nature, timing, and extent of follow-up for assurance engagements is standardized to ensure quality performance. B. The actions of external auditors and other external assurance providers is not encompassed by internal audit's follow-up process. C. Internal auditors have responsibility for determining if management and the board have implemented the recommended action or otherwise accepted the risk. D. The follow-up process must be complete and documented in the working papers in order to conclude the engagement.

C

417 The newly appointed chief audit executive (CAE) of a large multinational corporation, with seasoned internal audit departments located around the world, is reviewing responsibilities for engagement reports. According to IIA guidance, which of the following statements is true? A. The CAE is required to review, approve, and sign every engagement report. B. The CAE is required to review, approve, and sign all regulatory compliance engagement reports only C. The CAE may delegate responsibility for reviewing, approving and signing engagement reports, but should review the reports after they are issued. D. The internal audit charter must identify authorized signers of engagement reports.

C

433 According to IIA guidance, which of the following statements are true regarding the internal audit plan? 1. The audit plan is based on an assessment of risks to the organization. 2. The audit plan is designed to determine the effectiveness of the organization's risk managementprocess. 3. The audit plan is developed by senior management of the organization. 4. The audit plan is aligned with the organization's goals. A. 1 and 2 only B. 3 and 4 only C. 1, 2, and 4 D. 1, 3, and 4

C

437 Due to price risk from the foreign currency purchase of aviation fuel, an airliner has purchased forward contracts to hedge against fluctuations in the exchange rate. When recalculating the exchange losses from individual purchases of jet fuel, which of the following details does the internal auditor need to validate? 1. The hedge documentation designating the hedge. 2. The spot exchange rate on the transaction date. 3. The terms of the forward contract. 4. The amount of fuel purchased. A. 1 and 2 B. 1 and 4 C. 2 and 3 D. 3 and 4

C

440 After the team member who specialized in fraud investigations left the internal audit team, the chief audit executive decided to outsource fraud investigations to a third party service provider on an as needed basis. Which of the following is most likely to be a disadvantage of this outsourcing decision? Cost. Independence. Familiarity. Flexibility.

C

442 According to IIA guidance, which of the following is true regarding the exit conference for an internal audit engagement? A. A primary purpose of the exit conference is to provide for the timely communication of observations that call for immediate management action. B. Both the chief audit executive and the chief executive over the activity or function reviewed must attend the exit conference to validate the findings. C. The exit conference provides only anticipated results for inclusion in the final audit communication. D. During the exit conference, the performance of the internal auditors who executed the engagement is reviewed.

C

443 Which of the following components should be included in an audit finding? 1. The scope of the audit. 2. The standard(s) used by the auditor to make the evaluation. 3. The engagement's objectives. 4. The factual evidence that the internal auditor found in the course of the examination. A. 1 and 2 B. 1 and 3 only C. 2 and 4 D. 1, 3, and 4

C

449 During an assurance engagement, an internal auditor noted that the time staff spent accessing customer information in large Excel spreadsheets could be reduced significantly through the use of macros. The auditor would like to train staff on how to use the macros. Which of the following is the most appropriate course of action for the internal auditor to take? A. The auditor must not perform the training, because any task to improve the business process could impact audit independence. B. The auditor must create a new, separate consulting engagement with the business process owner prior to performing the improvement task. C. The auditor should get permission to extend the current engagement, and with the process owner's approval, perform the improvement task. D. The auditor may proceed with the improvement task without obtaining formal approval, because the task is voluntary and not time-intensive.

C

45 According to the International Professional Practices Framework, which of the following statements is correct regarding the communication of audit results? I. Summary reports may be issued separately from or in conjunction with the final report. II. Interim reports may be written or oral. III. Detailed reports should always be issued to the audit committee. IV. Interim reports should be used to communicate information which requires immediate attention. A. I and III only B. II and IV only C. I, II, and IV only D. I, II, III, and IV.

C

453 A large investment organization hired a chief risk officer (CRO) to be responsible for the organization's risk management processes. Which of the following people should prioritize risks to be used for the audit plan? A. Operational management, because they are responsible for the day-to-day management of the operational risks. B. The CRO, because he is responsible for coordinating and project managing risk activities based on his specialized skills and knowledge. C. The chief audit executive, although he is not accountable for risk management in the organization. D. The CEO, because he has ultimate responsibility for ensuring that risks are managed within the agreed tolerance limits set by the board.

C

454 Which of the following actions are appropriate for the chief audit executive to perform when identifying audit resource requirements? 1. Consider employees from other operational areas as audit resources, to provide additional auditcoverage in the organization. 2. Approach an external service provider to conduct internal audits on certain areas of theorganization, due to a lack of skills in the organization. 3. Suggest to the audit committee that an audit of technology be deferred until staff can be trained,due to limited IT audit skills among the audit staff. 4. Communicate to senior management a summary report on the status and adequacy of auditresources. A. 1 and 3 only B. 2 and 4 only C. 1, 2, and 4 D. 2, 3, and 4

C

456 Which of the following is the primary purpose of financial statement audit engagements? A. To assess the efficiency and effectiveness of the accounting department. B. To evaluate organizational and departmental structures, including assessments of process flows related to financial matters. C. To provide a review of routine financial reports, including analyses of selected accounts for compliance with generally accepted accounting principles. D. To provide an analysis of business process controls in the accounting department, including tests of compliance with internal policies and procedures.

C

461 Which of the following factors would the auditor in charge be least likely to consider when assigning tasks to audit team members for an engagement? A. The amount of experience the auditors have conducting audits in the specific area of the organization. B. The availability of the auditors in relation to the availability of key client staff. C. Whether the budgeted hours are sufficient to complete the audit within the current scope. D. Whether outside resources will be needed, and their availability.

C

462 An organization's internal audit plan includes a recurring assurance review of the human resources (HR) department. Which of the following statements is true regarding preliminary communication between the auditor in charge (AIC) and the HR department? 1. The AIC should notify HR management when the draft audit plan is being developed, as acourtesy. 2. The AIC should notify HR management before the planning stage begins. 3. The AIC should schedule formal status meetings with HR management at the start of theengagement. 4. The AIC should finalize the scope of the engagement before communicating with HRmanagement. 1 and 3 B. 1 and 4 C. 2 and 3 D. 2 and 4

C

463 The final internal audit report should be distributed to which of the following individuals? A. Audit client management only B. Executive management only C. Audit client management, executive management, and others approved by the chief audit executive. D. Audit client management, executive management, and any those who request a copy.

C

467 Which of the following would most likely cause an internal auditor to consider adding fraud work steps to the audit program? A. Improper segregation of duties. B. Incentives and bonus programs. C. An employee's reported concerns. D. Lack of an ethics policy.

C

474 Which of the following best illustrates the primary focus of a risk-based approach to control selfassessment? A. To evaluate controls regarding the computer security of an oil refinery. B. To examine the processes involved in exploring, developing, and operating a gold mine. C. To assess the likelihood and impact of events associated with operating a finished goods warehouse. D. To link a financial institution's business objectives to a work unit responsible for the associated risk.

C

475 Due to a recent system upgrade, an audit is planned to test the payroll process. Which of the following audit objectives would be most important to prevent fraud? A. Verify that amounts are correct. B. Verify that payments are on time. C. Verify that recipients are valid employees. D. Verify that benefits deductions are accurate.

C

478 Which of the following is the most important concept to be included in a consulting engagement agreement? A. Define the duties and responsibilities needed from management to perform the engagement. B. Disclose the fact that auditors who perform the work may not be subject matter experts in the topic of the review. C. Clarify that matters discovered during the engagement may also be reported to senior management and the audit committee. D. Disclose the fact that follow-up reviews may be conducted to ensure that recommendations are implemented adequately.

C

479 An employee in the sales department completes a purchase requisition and forwards it to the purchaser. The purchaser places competitive bids and orders the requested items using approved purchase orders. When the employee receives the ordered items, she forwards the packing slips to the accounts payable department. The invoice for the ordered items is sent directly to the sales department, and an administrative assistant in the sales department forwards the invoices to the accounts payable department for payment. Which of the following audit steps best addresses the risk of fraud in the cash receipts process? A. Verify that approvals of purchasing documents comply with the authority matrix. B. Observe whether the purchase orders are sequentially numbered. C. Examine whether the sales department supervisor approves invoices for payment. D. Determine whether the accounts payable department reconciles all purchasing documents prior to payment.

C

48 A governmental auditor was assigned to determine reasons why the students in one region scored significantly higher on education evaluation tests than did the students in another region. Previous research showed that there is a direct correlation between public financial support and student results. Which of the following is most likely to explain the difference in the regional results? A. The more successful region spends 30 percent more money on education than does the other region. B. A higher percentage of the general tax fund is spent on education in the more successful region than in the other region. C. The more successful region spends more money per student on education than does the other region. D. The more successful region has increased educational spending by an average of 10 percent each year for the last three years, whereas the other region's increase averaged only three percent.

C

483 Which of the following situations would justify the removal of a finding from the final audit report? A. Management disagrees with the report findings and conclusions in their responses. B. Management has already satisfactorily completed the recommended corrective action. C. Management has provided additional information that contradicts the findings. D. Management believes that the finding is insignificant and unfairly included in the report.

C

49 Which of the following would constitute a violation of the IIA Code of Ethics? A. An internal auditor, who has recently joined the organization, has accepted an assignment to audit the electronics manufacturing division. The auditor previously served as senior auditor for the external audit of that division and has audited many electronics companies during the past two years. B. An internal auditor has accepted an assignment to audit the warehousing function six months from now. The auditor has no expertise in that area but has signed up for courses in warehousing that will be completed before the assignment begins. C. An internal auditor has no ambitions for promotion and has not engaged in training or other professional development activities during the last three years. The auditor's performance assessments indicate consistent quality of work. D. An internal auditor discovered an internal financial fraud during the year, and the financial statements were adjusted to properly reflect the loss associated with the fraud. The auditor discussed the fraud with the external auditor during the external auditor's review of the working papers detailing the incident.

C

498 A draft internal audit report that cites deficient conditions generally should be reviewed with which of the following groups? 1. The client manager and her superior. 2. Anyone who may object to the report's validity. 3. Anyone required to take action. 4. The same individuals who receive the final report. A. 1 only B. 1 and 2 only C. 1, 2, and 3 D. 1, 2, and 4

C

499 Which of the following statements is true pertaining to interviewing a fraud suspect? 1. Information gathered can be subjective as well as objective to be useful. 2. The primary objective is to obtain a voluntary written confession. 3. The interviewer is likely to begin the interview with open-ended questions. 4. Video recordings always should be used to provide the highest quality evidence. A. 1 only B. 4 only C. 1 and 3 D. 2 and 4

C

504 Which of the following is an appropriate role for the internal audit activity with regard to the organization's risk management program? A. Identify and manage risks in line with the organization's risk appetite. B. Ensure that a proper and effective risk management process exists. C. Attain an adequate understanding of the organization's key risk mitigation strategies. D. Identify and ensure that appropriate controls exist to mitigate risks.

C

505 Which of the following would not be a typical activity for the chief audit executive to perform following an audit engagement? A. Report follow-up activities to senior management. B. Implement follow-up procedures to evaluate residual risk. C. Determine the costs of implementing the recommendations. D. Evaluate the extent of improvements.

C

507 A chief audit executive (CAE) received a detailed internal report of senior management's internal control assessment. Which of the following subsequent actions by the CAE would provide the greatest assurance over management's assertions? A. Assert whether the described and reported control processes and systems exist. B. Assess whether senior management adequately supports and promotes the internal control culture described in the report. C. Evaluate the completeness of the report and management's responses to identified deficiencies. D. Determine whether management's operating style and the philosophy described in the report reflect the effective functioning of internal controls.

C

53 An internal audit activity implemented an integrated test facility to test payroll processing. The auditors identified the key controls and processing steps built into the computer program and developed test data to test them. The auditors submitted test transactions throughout the year and did not find any differences in their test results. The auditors can conclude that: A. The system is properly capturing the hours worked by employees during the year and the hours have been properly submitted to payroll and processed correctly. B. All employees were correctly paid during the year and their pay was correctly computed. C. The computer application and its control procedures were processing payroll transactions correctly during the past year. D. All of the above.

C

54 A code of ethics within the internal auditing profession is necessary in order to: A. Reduce the likelihood that members of the profession will be sued for substandard work. B. Ensure that all members of the profession perform at approximately the same level of competence. C. Provide guidance to internal auditors in their service to others. D. Require members of the profession to exhibit loyalty in all matters pertaining to the affairs of their organization.

C

63 Given the scarcity of internal audit resources, a chief audit executive (CAE) decided not to schedule a follow-up of audit recommendations when developing engagement work schedules. Does the CAE's decision violate the Standards? A. No, because the Standards do not specify whether follow-up is needed. B. No, because when there is evidence of sufficient motivation by the client, there is no need for follow-up action. C. Yes, because scarcity of resources is not a sufficient reason to omit follow-up action. D. Yes, because the Standards require the auditors to determine whether the client has appropriately implemented all of the auditor's recommendations.

C

64 An auditor for a major retail company suspects that inventory fraud is occurring at three stores which have high costs of goods sold. Which of the following audit activities would provide the most persuasive evidence that fraud is occurring? A. Use an integrated test facility (ITF) to compare individual sales transactions with test transactions submitted through the ITF and investigate all differences. B. Interview the three individual store managers to determine if their explanations about the observed differences are the same, and then compare their explanations to that of the section manager. C. Schedule a surprise inventory audit to include a physical inventory and investigate areas of inventory shrinkage. D. Select a sample of individual store prices and compare them with the sales entered on the cash register for the same items.

C

68 Which of the following, if observed, would not indicate the need to extend the search for other indicators of fraud in a purchasing department? A. The standard of living of one of the purchasing agents has increased. B. The internal control structure has significant weaknesses. C. The purchasing agents have convinced management to adopt a policy of paying vendors on a more timely basis in order to avoid incurring penalty charges. D. The cost of goods procured seems to be excessive in comparison with previous years.

C

71 The most common motivation for management fraud is the existence of: A. Vices, such as a gambling habit. B. Job dissatisfaction. C. Financial pressures on the organization. D. The challenge of committing the perfect crime.

C

74 After partially completing an internal control review of the accounts payable department, an auditor suspects that some type of fraud has occurred. To ascertain whether the fraud is present, the best sampling approach would be to usE. A. Simple random sampling to select a sample of vouchers processed by the department during the past year. B. Probability-proportional-to-size sampling to select a sample of vouchers processed by the department during the past year. C. Discovery sampling to select a sample of vouchers processed by the department during the past year. D. Judgmental sampling to select a sample of vouchers processed by clerks who were identified by the department manager as acting suspiciously.

C

75 Which of the following processes real-transaction data through auditor-developed test programs? A. Generalized audit software. B. Tracing. C. Parallel simulation. D. Mapping.

C

79 A company has recently incurred significant cost overruns on one of its construction projects. Management suspects that these overruns were caused by the contractor improperly accounting for costs related to contract change orders. Which of the following procedures would be appropriate for testing this suspicion? I. Verify that the contractor has not charged change orders with costs that have already been billedto the original contract. II. Determine if the contractor has billed for original contract work that was canceled as a result ofchange orders. III. Verify that the change orders were properly approved by management. A. I only B. III only C. I and II only D. I and III only

C

8 An audit of management's quality program includes testing the accuracy of the cost-of-quality reports provided to management. Which of the following internal control objectives is the focus of this testing? A. To ensure compliance with policies, plans, procedures, laws, and regulations. B. To ensure the accomplishment of established objectives and goals for operations or programs. C. To ensure the reliability and integrity of information. D. To ensure the economical and efficient use of resources.

C

80 An internal audit activity is participating in the due diligence work for an acquisition that a company is considering. One engagement objective is to determine if the acquisition's accounts payable contain all outstanding liabilities. Which of the following audit procedures would not be relevant for this objective? A. Examine supporting documentation of subsequent (after-period) cash disbursements and verify period of liability. B. Send confirmations, including zero-balance accounts, to vendors with whom the company normally does business. C. Select a sample of accounts payable from the accounts payable list and verify the supporting receiving reports, purchase orders, and invoices. D. Trace receiving reports issued before the period end to the related vendor invoices and accounts payable list.

C

89 If an auditor expects to find numerous discrepancies between recorded values and audited values of sample selections, which sampling technique would be most appropriate? A. Attributes sampling. B. Probability-proportional-to-size sampling. C. Difference estimation sampling. D. Discovery sampling.

C

9 When internal auditors provide consulting services, the scope of the engagement is primarily determined by: A. Internal auditing standards. B. The audit engagement team. C. The engagement client. D. The internal audit activity's charter.

C

90 During an audit of a retail organization, an internal auditor found a scheme in which the warehouse director and the purchasing agent diverted approximately $500,000 of goods to their own warehouse, then sold the goods to third parties. The fraud was not found earlier since the warehouse director updated the perpetual inventory records and then forwarded receiving reports to the accounts payable department for processing. Which of the following procedures would have most likely led to the discovery of the missing materials and the fraud? A. Select a random sample of receiving reports and trace to the recording in the perpetual inventory records. Note differences and investigate by type of product. B. Select a random sample of purchase orders and trace to receiving reports and to the records in the accounts payable department. C. Take an annual physical inventory, reconciling amounts with the perpetual inventory records. Note the pattern of differences and investigate. D. Select a random sample of sales invoices and trace to the perpetual inventory records to see if inventory was on hand. Investigate any differences.

C

301 According to the Standards, which of the following objectives is not required to ensure the appropriate completion of an engagement? A. Determining audit team members are coordinated to ensure the efficient execution of all engagement procedures. B. Confirming engagement working papers properly support the observations, recommendations and conclusions. C. Providing structured learning opportunities for engagement auditors when and wherever possible. D. Ensuring all engagement objectives are reviewed for satisfactory achievement and properly documented.

C Topic 4, Volume D

253 Which of the following would most likely contribute to discrepancies between receiving reports and the number of units in a shipment? A. Failing to compare the quality of goods received with specifications. B. Using inadequate vendor selection procedures. C. Accepting improper authorization for purchases. D. Indicating the quantities ordered on the receiving department's copy of the purchase order.

D

106 Which of the following factors could interfere with effective problem solving by an internal auditor? I. Reacting to previous experiences with clients. II. Focusing only on the most likely cause. III. Correcting the symptoms of problems. A. I only B. III only C. I and II only D. I, II, and III

D

127 An audit of an organization's claims department determined that a large number of duplicate payments had been issued due to problems in the claims processing system. During the exit conference, the vice president of the claims department informed the auditors that attempts to recover the duplicate payments would be initiated immediately and that the claims processing system would be enhanced within six months to correct the problems. Based on this response, the chief audit executive should: A. Adjust the scope of the next regularly scheduled audit to assess controls within the claims processing system. B. Discuss the findings with the audit committee and ask the committee to determine the appropriate follow-up action. C. Schedule a follow-up engagement within six months to assess the status of corrective action. D. Monitor the status of corrective action and schedule a follow-up engagement when appropriate.

D

128 An audit of a company's accounts payable found that the individuals responsible for maintaining the vendor master file could also enter vendor invoices into the accounts payable system. During the exit conference, management agreed to correct this problem. When performing a follow-up engagement of accounts payable, the auditor should expect to find that management has: A. Transferred the individuals who maintained the vendor master file to another department to ensure that responsibilities are appropriately segregated. B. Compared the vendor and employee master files to determine if any unauthorized vendors have been added to the vendor master file. C. Changed the access control system to prevent employees from both entering invoices and approving payments. D. Modified the accounts payable system to prevent individuals who maintain the vendor master file from entering invoices.

D

130 At the conclusion of an audit of an organization's treasury department, a report was issued to the treasurer, chief financial officer, president, and board. Because of the sensitivity of some findings, a follow-up review was performed. The auditor should provide the report of follow-up findings to the. I. Treasurer. II. Chief financial officer. III. President. IV. Board. A. I and II only B. III and IV only C. I, II, and III only D. I, II, III, and IV.

D

134 While conducting a payroll audit, an internal auditor in a large government organization found inadequate segregation in the duties assigned to the assistant director of personnel. When the auditor explained the risk of fraud, the assistant director became upset, terminated the interview, and threatened to sue the organization for defamation of character if the audit engagement was not curtailed. The auditor discussed the situation with the chief audit executive (CAE). The CAE should then: A. Curtail the audit engagement to avoid potential legal action. B. Provide a report to senior management recommending a fraud investigation. C. Continue the original engagement program as planned but include a comment about the assistant director's reaction in the engagement final communication. D. Add additional testing to determine whether other indicators of fraud exist.

D

141 Which of the following would not be an appropriate step for an internal auditor to perform during an assessment of compliance with an organization's privacy policy? A. Determine who can access databases containing confidential information. B. Evaluate the organization's privacy policy to determine if appropriate information is covered. C. Analyze access to permanent files and reports containing confidential information. D. Evaluate the government's security measures related to confidential information received from the organization.

D

143 During a systems development audit, software developers indicated that all programs were moved from the development environment to the production environment and then tested in the production environment. What should the auditor recommend? I. Implement a test environment to ensure that testing is not performed in the productionenvironment. II. Require developers to move modified programs from the development environment to the testenvironment and from the test environment to the production environment. III. Eliminate access by developers to the production environment. A. I only B. III only C. I and II only D. I and III only

D

147 The scope of a business process review primarily involves: A. Appraising the environment and comparing against established criteria. B. Assessing the organization's system of internal controls. C. Reviewing routine financial information and assessing the appropriateness of various accounting treatments. D. Evaluating organizational and departmental structures, including assessments of transaction flows.

D

15 What would be used to determine the collectability of accounts receivable balances? A. The file of related shipping documents. B. Negative accounts receivable confirmations. C. Positive accounts receivable confirmations. D. An aged accounts receivable listing.

D

153 Which of the following is not relevant when developing recommendations for inclusion in audit reports? A. Feasibility. B. Cost of implementation. C. Underlying causes. D. Timing of follow-up.

D

156 Which of the following would be the least important reason for a company to merge with another company? A. To diversify risk. B. As a response to new government policy. C. To reduce labor costs. D. To increase stock prices.

D

158 Which of the following is the best approach for obtaining feedback from engagement clients regarding the quality of internal audit work? A. Ask questions during the exit interviews and send copies of the documented responses to the clients. B. Call engagement clients after the exit interviews and send copies of the documented responses to the clients. C. Distribute questionnaires to selected engagement clients shortly before preparing the internal audit annual activity report. D. Provide questionnaires to engagement clients at the beginning of each engagement and request that the clients complete and return them after the engagements.

D

164 In response to an accounts receivable confirmation, a customer indicated that the invoice listed on the confirmation letter had been paid two months earlier. This may indicate that: A. The receivable was selected for confirmation in error. B. The customer is a bad credit risk. C. The receivable should be written off. D. Fraudulent activity has occurred.

D

166 An audit of customer accounts receivable found that outstanding receivables as a percentage of revenue had increased significantly during the past two years. The increase was attributed to the extension of credit, at the urging of the marketing department, to a number of companies that were not creditworthy. Which of the following would be least useful in monitoring the disposition of this finding? A. Responses from the manager of accounts receivable regarding collection of outstanding receivables. B. Periodic updates from the controller regarding the status of corrective actions. C. Information from the credit and marketing personnel assigned the responsibility for reevaluating credit policies. D. Updates from the information technology division regarding implementation of a new accounts receivable system.

D

168 An audit of a Web-based third-party payment processor determined that a programming error enabled customers to create multiple accounts for each mailing address. This caused problems during the processing of credit card transactions. Management agreed to correct the program and notify customers with multiple accounts that the accounts would be consolidated. What should the auditor do in response? I. Amend the scope of the subsequent audit to verify that the program was corrected and thataccounts were consolidated. II. Evaluate the adequacy and effectiveness of the corrective action proposed by management. III. Schedule a follow-up review to verify that the program was corrected and the accounts wereconsolidated. IV. Do nothing because management has agreed to address the problem. A. III only B. IV only C. I and II only D. II and III only

D

17 A company's policy requires that all customers be treated in a fair and consistent manner. Which of the following audit procedures would provide the most persuasive evidence that the policy was followed? A. Compare the aging of outstanding receivables due from each customer. B. Compare credit reports with annual sales for a sample of customers. C. Compare the ratio of outstanding receivables to the authorized credit limit for each customer. D. Compare the sales discounts offered to each customer.

D

254 Which of the following would have the least significance in an audit of the efficiency of a driver's license testing facility? A. Clerical staff administer written tests to allow examiners more time to supervise driving tests. B. Staff are cross-trained to provide backup for other areas of the facility as required. C. A point-of-sale cashiering system reduces the need to reenter payment data. D. Examiners are required to be recertified on an annual basis.

D

170 Which of the following would be the most effective method to prevent installation of new equipment that does not meet environmental permit requirements, or to prevent modification of current processes in such a way that they no longer meet permit requirements? A. Require that the environmental compliance department perform regular inspections of the manufacturing facility to identify new equipment or process modifications in progress. B. Rely on annual inspections by various regulatory agencies to identify equipment or processes that require a permit. C. Require that the staff of the environmental compliance department attend monthly safety meetings in different parts of the facility so that they can hear directly from the workers about any changes. D. Include the environmental compliance department in the review of proposed process changes and equipment purchases affecting permit requirements.

D

177 Which of the following activities would be performed during a benchmarking consulting engagement? I. Collect data relevant to the benchmarking process. II. Review all business processes. III. Define critical success factors. IV. Identify performance gaps. A. I and III only B. II and IV only C. I, II, and III only D. I, III, and IV only

D

179 A chief audit executive has noticed that staff auditors are presenting more oral reports to supplement written reports. The best reason for the increased use of oral reports is that they: A. Reduce the amount of testing required to support audit findings. B. Can be delivered in an informal manner without preparation. C. Can be prepared using a flexible format and reduce the information included in the written report. D. Permit auditors to counter arguments and provide additional information that the audience may require.

D

183 In a review of an electronic data interchange application using a third-party service provider, the auditor should: I. Ensure encryption keys meet International Organization for Standardization (ISO) standards. II. Determine whether an independent review of the service provider's operation has beenconducted. III. Verify that only public-switched data networks are used by the service provider. IV. Verify that the service provider's contracts include necessary clauses, such as the right toaudit. A. I and II only B. I and IV only C. II and III only D. II and IV only

D

188 Which of the following is the first step in the process where auditors and clients work together to evaluate the clients' system of internal control? A. Assess risks. B. Develop questionnaires. C. Identify and assess controls. D. Identify objectives.

D

196 What is the primary reason for having audit management approve audit engagement reports? A. To ensure that client concerns are appropriately addressed. B. To confirm proper format, grammar, and punctuation. C. To verify that senior management supports the report's conclusions. D. To validate that report findings are substantiated.

D

199 Which of the following is a red flag associated with fictitious revenues? A. Slow growth or unusually low profitability. B. Unusual decrease in the number of days' sales in receivables. C. Substantial increase in receivables turnover. D. Significant transactions with related parties.

D

201 To furnish useful and timely information and promote improvements in operations, internal auditors should provide: A. Senior management with reports that emphasize the operational details of defective conditions. B. Operating management with reports that emphasize general concerns and risks. C. Information in written form before it is discussed with the engagement client. D. Reports that meet the expectations of both operational and senior management.

D

211 What is the most likely source of information for a detailed schedule of a company's insurance policies in force? A. Original journal entries found in the cash disbursements journal, along with supporting checks processed by the bank. B. Policies and procedures governing insurance coverage. C. The current fiscal year's budget for insurance, together with the beginning balance of the prepaid insurance account. D. The files containing insurance policies with various carriers.

D

213 In a payroll audit, a staff auditor suspects that signatures on some of the documents being sampled for examination are not authentic. What action should the auditor take before proceeding with the examination? A. Suggest to the payroll manager that the suspicious documents should be sent to the organization's security department for forensic review. B. Keep the suspicious documents in the workpaper file until the end of the engagement, and then discuss the suspicions with the payroll manager. C. Discuss the suspicious documents with payroll staff to seek their views on the authenticity of the signatures. D. Review the suspicious documents with the chief audit executive and seek advice concerning further examination.

D

223 A chief audit executive (CAE) is evaluating four potential audit engagements based on the following factors: the engagement's ability to reduce risk to the organization, the engagement's ability to save the organization money, and the extent of change in the area since the last engagement. The CAE has scored the engagements for each factor from low to high, assigned points, and calculated an overall ranking. The results are shown below with the points in parentheses: Risk Reduction Cost Savings Changes High (3) Medium (2) Low (1) High (3) Low (1) High (3) Low (1) High (3) Medium (2) Medium (2) Medium (2) High (3) If the organization has asked the CAE to consider the cost savings factor to be twice as important as any other factor, which engagements should the CAE pursue? A. 1 and 2 only B. 1 and 3 only C. 2 and 4 only D. 3 and 4 only

D

238 Which of the following audit planning activities adds the least value in understanding the current risk exposures facing the corporation? A. Review of organizational strategic plans and operational plans. B. Consultation with senior management and the audit committee. C. Review of the external auditor's risk assessment. D. Review of corporate performance reporting and benchmarking.

D

25 Which of the following data collection strategies systematically tests the effects of various factors on an outcome? A. Content analysis. B. Sampling. C. Evaluation synthesis. D. Modeling.

D

251 Audit supervision includes approval of the engagement report in order to ensure that: A. The client's objectives are met. B. Senior management supports the report's conclusions. C. Report style and grammar are appropriate. D. Report findings are substantiated.

D

256 An organization's policies allow buyers to authorize expenditures up to $50,000 without any other approval. Which of the following audit procedures would be most effective in determining if fraud in the form of payments to fictitious companies has occurred? A. Use generalized audit software to list all purchases over $50,000 to determine whether they were properly approved. B. Develop a snapshot technique to trace all transactions by suspected buyers. C. Use generalized audit software to take a random sample of all expenditures under $50,000 to determine whether they were properly approved. D. Use generalized audit software to select a sample of paid invoices to new vendors and examine evidence that shows that services or goods were received.

D

258 Which of the following is most appropriate when conducting an interview during the course of a fraud investigation? A. Schedule the interview well in advance. B. Explain the detailed purpose to the interviewee. C. Assume that the interviewee is guilty. D. Have a witness present during the interview.

D

260 Which of the following best describes the primary concern of the audit manager upon review of engagement working papers of an auditor? A. To ensure adequate control over the custody of working papers is exercised by the auditor. B. To ensure that as part of the documentation the auditor collected original documents that can corroborate the audit findings. C. To ensure that the work papers create background for subsequent reviews. D. To ensure that the audit programs are followed by the auditor.

D

261 Information gathered in a forensic investigation of business fraud is usually gathered with which of the following standards in mind? A. Generally Accepted Auditing Standards. B. Generally Accepted Accounting Principles. C. The International Professional Practices Framework. D. Legal evidence.

D

262 The internal auditor's opinion in terms of due professional care should be: A. Limited to the effectiveness of internal controls. B. Expressed only when consensus with top management has been achieved. C. Based on experience and free of all bias. D. Based on sufficient factual evidence.

D

268 In which of the following cases is it appropriate for an audit report to not contain management's response either within the report or as an attachment? A. Management's response to an audit report is generally not a requirement. B. Internal controls were found to be properly designed and operating effectively although operations are deemed inefficient. C. There was insufficient time to obtain management's response during the draft reporting process. D. An internal audit report contains no observations.

D

269 When performing a compliance audit of the organization's outsourced services, which of the following is considered the primary engagement objective? A. Verifying that the organization does not have the appropriate knowledge and resources inhouse. B. Ensuring the provider has adequate internal controls in order to protect the quality of their service. C. Evaluating the efficiency, effectiveness, economy, and sufficiency of the services provided. D. Assessing the provider's adherence to contract and regulatory requirements.

D

271 Which role is not considered a change agent when an organization wants to implement structural changes? A. Senior management. B. Line management. C. Independent consultant. D. Shareholder.

D

277 Which of the following statements is correct regarding the assessment of risk in the annual audit planning process? 1. Activities requested by management should be considered higher risk than those requested bythe audit committee. 2. Activities with lower budgets can be as high risk as those with higher budgets. 3. The potential financial or adverse exposure should always be considered in the assessment ofrisk. A. 1 only B. 2 only C. 3 only D. 2 and 3 only

D

282 A consumer electronics company is considering acquiring a small flash memory manufacturer. An internal auditor has been assigned to determine if the manufacturer's accounts payable contain all outstanding liabilities. Which audit procedure is not relevant for this objective? A. Verify the period of liability of subsequent cash disbursements using related supporting documentation. B. Send confirmations, including zero-balance accounts, to vendors with whom the manufacturer normally does business. C. Trace receiving reports issued before the period end to the accounts payable list and vendor invoices. D. Verify a sample of accounts payable by using related invoices, receiving reports, and purchase orders.

D

286 While performing a follow-up of a concern about equipment-inventory tracking, which course of action is not necessary for the auditor to take? A. Ensure that the steps being taken resolve the condition disclosed by the initial finding. B. Ensure that controls have been implemented to prevent the issue from occurring again. C. Ensure that the entity has begun to experience benefits as a result of resolving the issue. D. Ensure that the inherent risk has been eliminated as a result of resolving the issue.

D

289 An internal auditor has been assigned to perform a quality audit on a manufacturing plant. Which course of action should the auditor perform first? A. Compare the planned outputs with the actual outputs. B. Ascertain the costs of materials purchased. C. Evaluate the plant's ability to meet production quotas. D. Review the levels of scrap and rework.

D

303 Which of the following would most likely include recommendations for process improvements? • Due diligence engagement. • Forensic investigation. • Internal audit engagement. • Consulting engagement. A. 1, 2, and 3 only B. 1, 2, and 4 only C. 1, 3, and 4 only D. 2, 3, and 4 only

D

304 According to the Standards, which of the following best describes the responsibility of the chief audit executive (CAE) for approving the final engagement report? • The CAE is responsible for obtaining management approval before issuing the final report. • The CAE has overall responsibility for the report but can delegate the review and approval of thereport. • The CAE is responsible for obtaining senior management's approval before releasing the finalreport. • The CAE is responsible for approving to whom and how the final report will be disseminated. A. 1 and 3 only B. 1 and 4 only C. 2 and 3 only D. 2 and 4 only

D

354 According to the International Professional Practices Framework, which of the following should be excluded from a final communication for a performance audit engagement? A. Recommendations and conclusions. B. The internal auditor's unbiased opinion. C. Timely and relevant information. D. Legal opinions related to illegal acts.

D

309 A payroll clerk enters payroll transactions into the general ledger. The staff accountant reconciles the payroll ledgers. The payroll manager issues the manual payroll checks. The checks are maintained in a locked cabinet. The chief financial officer secures the keys to the cabinet. The payroll clerk distributes the manual checks. The payroll manager reconciles the bank statements monthly. Which of the following audit steps best addresses the risk of fraud in the payroll process? A. Examine whether the payroll manager approves the reconciliations of ledgers. B. Determine whether an approved list of voided checks exists. C. Determine whether the cabinet keys are secured properly. D. Vouch a sample of items on bank reconciliations to supporting documentation.

D

313 The chief audit executive (CAE) is adding a new audit position to the team. According to the International Professional Practices Framework, which of the following candidates would the CAE be least likely to accept for the position? A. The candidate is applying for an IT audit position, while originally coming from an IT background, but has only experiences of financial and compliance audits in the previous position. B. The candidate is knowledgeable about potential indicators of fraud including typical risks, but has only participated as a staff auditor in one investigative fraud audit. C. The candidate meets the minimum educational requirements established by the chief audit executive, but has less formal education than any of the other candidates being considered. D. The candidate provides examples of previous reports demonstrating excellent writing skills, but lacks ability to clearly communicate ideas and conclusions in a meeting.

D

318 According to the Standards, which of the following best describes what must be agreed upon to establish an understanding with clients prior to starting a consulting engagement? A. The engagement objectives, access to clients records, and expectations. B. The engagement objectives, scope, and time frame to complete the engagement. C. The engagement scope, opportunities for making significant improvements, and client expectations. D. The engagement objectives, scope, respective responsibilities, and other client expectations.

D

322 The chief audit executive established an internal audit activity (IAA) performance standard requiring all audit reports to be issued within 48 hours of the exit meeting with the client. Which of the following describes an exit meeting strategy that would best help the IAA meet this performance standard? A. The objective of the exit meeting is to reach agreement on audit observations. B. The objective of the exit meeting is to solicit action plans for audit observations. C. The objective of the exit meeting is to confirm final details of fieldwork. D. The objective of the exit meeting is to confirm understanding of audit results

D

325 According to the Standards, which of the following would have the least direct interest in the draft report of a compliance review of the purchasing function? A. Purchasing staff. B. Purchasing manager. C. Director of finance. D. Audit committee.

D

328 An internal auditor compares real-time gasoline production data to corresponding final gasoline production reports and finds minor but consistent daily discrepancies. If the auditor is concerned about theft, which of the following next steps is most consistent with IIA guidance? A. Reconcile online data and the final production reports to gasoline sales reports. B. Contact security personnel as evidence suggests gasoline is being stolen from production premises. C. Confront the production manager and ask her to explain the differences between real-time and reported data. D. Review the processes used to collect the production data and to compile the final production reports.

D

331 Which of the following is not true regarding the management of internal audit resources? A. A minimum level of information technology knowledge is necessary. B. The adequacy of internal audit resources is ultimately a board responsibility. C. Resources include external service providers and computer-assisted audit techniques. D. Skills availability must be aligned with financial constraints.

D

335 Which of the following would be included in an internal audit department's quality assurance and improvement program? 1. Ongoing internal assessments of the performance of the internal audit department. 2. Periodic internal reviews through self-assessments. 3. Assessments conducted by a qualified external reviewer at least once every five years. A. 1 only B. 1 and 2 only C. 2 and 3 only D. 1, 2, and 3

D

346 During the planning phase of an audit of the treasury function, an internal auditor conducted a risk assessment of the function in order to: A. Report any high-risk exposures of the treasury function to management and the board. B. Determine whether appropriate resources are present to carry out the treasury function. C. Comply with the internal audit charter and applicable regulatory requirements. D. Identify areas of the treasury function that should be considered for potential engagement objectives.

D

35 Which of the following situations would best support the decision of a chief audit executive (CAE) to defer follow-up activity at a branch office until the next audit engagement? A. An audit of the branch office is routinely scheduled every three years. B. On-site follow-up of a remote branch may not be feasible due to travel costs. C. Branch office management states that correction of the audit issue may take longer than expected. D. The CAE and management agree that the corrective action taken to date is sufficient.

D

350 Due to the expanded role of internal audit in the organization, the chief audit executive (CAE) of a construction company decides to employ the services of an outsourced audit service provider to augment the internal audit staff. What does the CAE need to consider in determining whether the outsourced audit service provider possesses the necessary knowledge, skills and other competencies to perform an audit engagement? A. Specific matters expected to be covered in the engagement communications. B. The financial interest that the external service provider may have in the organization. C. The extent of other ongoing services the external service provider may be performing for the organization. D. The reputation of the external service provider.

D

351 Which of the following would be an appropriate role of the internal audit function? A. Determine the consequences for ethics violations. B. Be responsible for the management of a whistle blowing hotline. C. Establish the ethics policies for the organization. D. Evaluate the effectiveness of the organization's ethics-related activities.

D

352 Which of the following is a preventive control strategy against fraud? A. Performing a surprise audit. B. Maintaining a whistleblower hotline. C. Implementing control self-assessment. D. Performing background checks on employees.

D

357 Which of the following should be included in the scope of an audit of a third-party contractor? 1. Budgets and financial forecasts for the project. 2. Contractor's information and control systems. 3. Contractor's financial position. 4. Progress of the project and costs incurred. A. 1 and 4 only B. 1, 2, and 3 only C. 2, 3, and 4 only D. 1, 2, 3, and 4

D

361 According to the Standards, which of the following should be the basis for scheduling follow-up of engagement recommendations? A. The follow-up manual procedures. B. The internal audit charter. C. The agreement made between internal auditors and management. D. The risks and exposures involved.

D

368 The following audit observation was included in the final audit report: "Our review concluded that bank reconciliation statements for March and April did not show evidence of supervisory review. We recommend strict compliance with the controller's manual, which requires the department head to place their initials on the reconciliation statements to document their review." Which of the following attributes are missing from the above audit observation? 1. Criteria. 2. Condition. 3. Cause. 4. Effect. A. 1 and 4 only B. 2 and 3 only C. 1, 3, and 4 only D. 3 and 4 only

D

370 During an engagement the internal auditors reported that the organization was paying suppliers without receiving the merchandise. Management responded that it would immediately establish the use of receiving reports. As part of the follow-up activity, which of the following procedures would be the most appropriate in determining that management action was implemented? A. Ask management if the new policy related to the receiving reports is in place. B. Select a sample of receiving reports and determine if payments were made. C. Interview warehouse employees to ascertain adherence to new policy. D. Select a sample of payments and determine if a receiving report exists.

D

372 An internal auditor was assigned to conduct an inventory control and stock room area engagement. During the audit, the auditor observed that there were some items that have a shelf life expiration date requirement based on a certificate of conformance received with the product. The certificates of conformance are kept on file in the inventory area office and the expiration date is verified at the time the item is taken from stock. The auditor reviewed the items in the stock room and also on the production floor for the expiration dates to see if there was any expired product. All items with a shelf life requirement were found to be within the expiration date requirement. Which of the following recommendations would be appropriate? A. Take no action, because all the items were within the expiration date requirement, and no corrective action is needed. B. Permit production staff the access to files where the certificates of conformity are kept, so they can choose the items with the closest expiration date. C. Determine the cost of inventory for the items that have a shelf life and apply a new policy regarding inventory levels to be maintained (i.e., minimums, maximums, reorder points etc.). D. Add to the product label a "use by date" line, enter the expiration at the time of receipt, and perform periodic inventory checks.

D

39 The balanced scorecard approach differs from traditional performance measurement approaches because it adds which of the following measures? I. Financial measures. II. Internal business process measures. III. Client satisfaction measures. IV. Innovation and learning measures. A. I only B. II and IV only C. III and IV only D. II, III, and IV only

D

390 An audit engagement objective at a manufacturer is to determine the quality of raw materials purchased. Which of the following actions would best enable an internal auditor to satisfy this objective? A. Analyze the provision for sales allowances. B. Analyze the percentage of scrap incurred during production. C. Research the rationale for customer returns. D. Evaluate the volume and characteristics of products rejected during processing.

D

393 The chief audit executive of a large publicly held bank is using a risk based approach to update the annual audit plan. Which of the following sources of information will have the least impact on the plan? A. The 12 month forecast of commercial property values. B. Recent changes to the bank's strategic plan. C. Regulatory changes impacting capitalization for all publicly traded banks. D. Continuous changes in the prime lending rate set by the country's central bank.

D

394 According to IIA guidance,when performing a compliance audit of data security standards for a large e-commerce retailer, which of the following would represent the least likely area of risk exposure? A. Operational risks. B. Change or configuration risks. C. Access risks. D. Physical security risks.

D

402 According to IIA guidance, which of the following would not be a consideration for the internal audit activity (IAA) when determining the need to follow-up on recommendations? A. Degree of effort and cost needed to correct the reported condition. B. Complexity of the corrective action. C. Impact that may result should the corrective action fail. D. Amount of resources required to conduct the follow-up activities.

D

407 The external auditor has identified a number of production process control deficiencies involving several departments. As a result, senior management has asked the internal audit activity to complete internal control training for all related staff. According to IIA guidance, which of the following would be the most appropriate course of action for the chief audit executive to follow? A. Refuse to accept the consulting engagement because it would be a violation of independence. B. Collaborate with the external auditor to ensure the most efficient use of resources. C. Accept the engagement but hire an external training specialist to provide the necessary expertise. D. Accept the engagement even if the audit engagement staff was previously responsible for operational areas being trained.

D

408 Which of the following is not a primary reason for outsourcing a portion of the internal audit activity? A. To gain access to a wider variety of skills, competencies and best practices. B. To complement existing expertise with a required skill and competency for a particular audit engagement. C. To focus on and strengthen core audit competencies. D. To provide the organization with appropriate contingency planning for the internal audit function.

D

495 Which of the following best describes the four components of a balanced scorecard? A. Customers, innovation, growth, and internal processes. B. Business objectives, critical success factors, innovation, and growth. C. Customers, support, critical success factors, and learning. D. Financial measures, learning and growth, customers, and internal processes.

D

410 A manufacturer is under contract to produce and deliver a number of aircraft to a major airline. As part of the contract, the manufacturer is also providing training to the airline's pilots. At the time of the audit, the delivery of the aircraft had fallen substantially behind schedule while the training had already been completed. If half of the aircraft under contract have been delivered, which of the following should the internal auditor expect to be accounted for in the general ledger? A. Training costs allocated to the number of aircraft delivered, and the cost of actual production hours completed to date. B. All completed training costs, and the cost of actual production hours completed to date. C. Training costs allocated to the number of aircraft delivered, and 50% of contracted production costs. D. All completed training costs, and 50% of the contracted production costs.

D

412 For which of the following fraud engagement activities would it be most appropriate to involve a forensic auditor? A. Independently evaluating conflicts of interests. B. Assessing contracts for relevant terms and conditions. C. Performing statistical analysis for data anomalies. D. Preparing evidentiary documentation.

D

413 According to IIA guidance,which of the following is true about the supervising internal auditor's review notes? • They are discussed with management prior to finalizing the audit. • They may be discarded after working papers are amended as appropriate. • They are created by the auditor to support her fieldwork in case of questions. • They are not required to support observations issued in the audit report. A. 1 and 3 only B. 1 and 4 only C. 2 and 3 only D. 2 and 4 only

D

416 According to the Standards, which of the following is leastimportant in determining the adequacy of an annual audit plan? A. Sufficiency. B. Appropriateness. C. Effective deployment. D. Cost effectiveness.

D

42 Which of the following is true of engagement recommendations? I. Specific suggestions for implementation must be included. II. The internal auditor's observations and conclusions may serve as the basis. III. Actions to correct existing conditions or improve operations may be included. IV. Approaches to correcting or enhancing performance may be suggested. A. I only B. III only C. I, III, and IV only D. II, III, and IV only

D

423 The chief audit executive of a medium-sized financial institution is evaluating the staffing model of the internal audit activity (IAA). According to IIA guidance, which of the following are the most appropriate strategies to maximize the value of the current IAA resources? • The annual audit plan should include audits that are consistent with the skills of the IAA. • Audits of high-risk areas of the organization should be conducted by internal audit staff. • External resources may be hired to provide subject-matter expertise but should be supervised. • Auditors should develop their skills by being assigned to complex audits for learningopportunities. A. 1 and 2 only B. 1 and 4 only C. 2 and 3 only D. 3 and 4 only

D

424 It is close to the fiscal year end for a government agency, and the chief audit executive (CAE) has the following items to submit to either the board or the chief executive officer (CEO) for approval. According to IIA guidance, which of the following items should be submitted only to the CEO? A. The internal audit risk assessment and audit plan for the next fiscal year. B. The internal audit budget and resource plan for the coming fiscal year. C. A request for an increase of the CAE's salary for the next fiscal year. D. The evaluation and compensation of the internal audit team.

D

428 An audit identified a number of weaknesses in the configuration of a critical client/server system. Although some of the weaknesses were corrected prior to the issuance of the audit report, correction of the rest will require between 6 and 18 months for completion. Consequently, management has developed a detailed action plan, with anticipated completion dates, for addressing the weaknesses. What is the most appropriate course of action for the chief audit executive to take? A. Assess the status of corrective action during a follow-up audit engagement after the action plan has been completed. B. Assess the effectiveness of corrections by reviewing statistics related to unplanned system outages, and denials of service. C. Reassign information systems auditors to assist in implementing management's action plan. D. Evaluate the ability of the action plan to correct the weaknesses and monitor key dates and deliverables.

D

432 The board has asked the internal audit activity (IAA) to be involved in the organization's enterprise risk management process. Which of the following activities is appropriate for IAA to perform without safeguards? A. Coach management in responding to risks. B. Develop risk management strategies for board approval. C. Facilitate identification and evaluation of risks. D. Evaluate risk management processes.

D

436 Which of the following should be included in a privacy audit engagement? 1. Assess the appropriateness of the information gathered. 2. Review the methods used to collect information. 3. Consider whether the information collected is in compliance with applicable laws. 4. Determine how the information is stored. A. 1 and 3 only B. 2 and 4 only C. 1, 3, and 4 only D. 1, 2, 3, and 4

D

438 Which of the following statements describes an engagement planning best practice? A. It is best to determine planning activities on a case-by-case basis because they can vary widely from engagement to engagement. B. If the engagement subject matter is not unique, it is not necessary to outline specific testing procedures during the planning phase. C. The engagement plan includes the expected distribution of the audit results, which should be kept confidential until the audit report is final. D. Engagement planning activities include setting engagement objectives that align with audit client's business objectives.

D

439 Which of the following is not a primary purpose for conducting a walk-through during the initial stages of an assurance engagement? A. To help develop process maps. B. To determine segregation of duties. C. To identify residual risks. D. To test the adequacy of controls.

D

494 According to IIA guidance, which of the following is true regarding audit supervision? 1. Supervision should be performed throughout the planning, examination, evaluation,communication, and follow-up stages of the audit engagement. 2. Supervision should extend to training, time reporting, and expense control, as well asadministrative matters. 3. Supervision should include review of engagement workpapers, with documented evidence ofthe review. A. 1 and 2 only B. 1 and 3 only C. 2 and 3 only D. 1, 2, and 3

D

445 After finalizing an assurance engagement concerning safety operations in the oil mining process, the audit team concluded that no key controls were compromised. However, some opportunities for improvement were noted. Which of the following would be the most appropriate way for the chief audit executive (CAE) to report these results? A. The CAE should send the final report to operational and senior management and the audit committee. B. The CAE should send the final report to operational management only, as there is no need to communicate this information to higher levels. C. The CAE should notify operational and senior management that the audit engagement was completed with no significant findings to report. D. The CAE should send the final report to operational management and notify senior management and the audit committee that no significant findings were identified.

D

455 The chief risk officer (CRO) of a large manufacturing organization decided to facilitate a workshop for process managers and staff to identify opportunities for improving productivity and reducing defects. Which of the following is the most likely reason the CRO chose the workshop approach? A. It minimizes the amount of time spent and cost incurred to gather the necessary information. B. Responses can be confidential, thus encouraging participants to be candid expressing their concerns. C. Workshops do not require extensive facilitation skills and are therefore ideal for nonauditors. D. Workshop participants have an opportunity to learn while contributing ideas toward the objectives.

D

459 Which of the following is least likely to help ensure that risk is considered in a work program? A. Risks are discussed with audit client. B. All available information from the risk-based plan is used. C. Client efforts to affect risk management are considered. D. Prior risk assessments are considered.

D

46 The chief audit executive (CAE) determined that based on management's oral response, the action taken regarding an audit observation was sufficient when weighted against the relative importance of the audit recommendation. Which of the following is the most appropriate step for the internal auditor to take next? A. Initiate a follow-up audit to ensure that action has really been taken. B. Follow-up with management until a written response is obtained. C. Escalate the issue to the board and get their position on the issue. D. Note in the permanent file that follow-up needs to be performed as part of the next engagement.

D

460 An internal auditor is conducting an assessment of the purchasing department. She has worked the full amount of hours budgeted for the engagement; however, the audit objectives are not yet complete. According to IIA guidance, which of the following are appropriate options available to the chief audit executive? 1. Allow the auditor to decide whether to extend the audit engagement. 2. Determine whether the work already completed is sufficient to conclude the engagement. 3. Provide the auditor feedback on areas of improvement for future engagements. 4. Provide the auditor with instructions and directions to complete the audit. A. 1, 2, and 3 B. 1, 2, and 4 C. 1, 3, and 4 D. 2, 3, and 4

D

466 An internal auditor submitted a report containing recommendations for management to enhance internal controls related to investments. To follow up, which of the following is the most appropriate action for the internal auditor to take? A. Observe corrective measures. B. Seek a management assurance declaration. C. Follow up during the next scheduled audit. D. Conduct appropriate testing to verify management responses.

D

469 An organization's board would like to establish a formal risk management function and has asked the chief audit executive (CAE) to be involved in the process. According to IIA guidance, which of the following roles should the CAE not undertake? A. Manage and coordinate risk management processes. B. Audit risk management processes. C. Become involved in risk oversight committees, monitoring activities, and status reporting. D. Accept management's responsibility for risk management without board approval.

D

473 When establishing a quality assurance and improvement program, the chief audit executive should ensure the program is designed to accomplish which of the following objectives? 1. Add value. 2. Improve operations. 3. Provide assurance that the internal audit activity conforms with the Standards. 4. Provide assurance that the internal audit activity conforms with the IIA Code of Ethics. A. 1 only B. 1 and 2 only C. 1 and 3 only D. 1, 2, 3, and 4

D

484 According to IIA guidance, which of the following activities is most likely to enhance stakeholders' perception of the value the internal audit activity (IAA) adds to the organization? 1. The IAA uses computer-assisted audit techniques and IT applications. 2. The IAA uses a consistent risk-based approach in both its planning and engagement execution. 3. The IAA demonstrates the ability to build strong and constructive relationships with audit clients. 4. The IAA frequently is involved in various project teams and task forces in an advisory capacity. A. 1 and 2 B. 1 and 3 C. 2 and 4 D. 3 and 4

D

485 A chief audit executive is preparing interview questions for the upcoming recruitment of a senior internal auditor. According to IIA guidance, which of the following attributes shows a candidate's ability to probe further when reviewing incidents that have the appearance of misbehavior? A. Integrity. B. Flexibility. C. Initiative. D. Curiosity.

D

488 An internal auditor wants to determine whether employees are complying with the information security policy, which prohibits leaving sensitive information on employee desks overnight. The auditor checked a sample of 90 desks and found eight that contained sensitive information. How should this observation be reported, if the organization tolerates 4 percent noncompliance? A. The matter does not need to be reported, because the noncompliant findings fall within the acceptable tolerance limit. B. The deviations are within the acceptable tolerance limit, so the matter only needs to be reported to the information security manager. C. The incidents of noncompliance fall outside the acceptable tolerance limit and require immediate corrective action, as opposed to reporting. D. The incidents of noncompliance exceed the tolerance level and should be included in the final engagement report.

D

492 Which of the following evaluation criteria would be the most useful to help the chief audit executive determine whether an external service provider possesses the knowledge, skills, and other competencies needed to perform a review? A. The financial interest the service provider may have in the organization. B. The relationship the service provider may have had with the organization or the activities being reviewed. C. Compensation or other incentives that may be applicable to the service provider. D. The service provider's experience in the type of work being considered.

D

50 An auditor decides to perform an inventory turnover analysis for both raw materials inventory and finished goods inventory. The analysis would be potentially useful in: I. Identifying products for which management has not been attuned to changes in market demand. II. Identifying potential problems in purchasing activities. III. Identifying obsolete inventory. A. III only B. I and II only C. II and III only D. I, II, and III

D

501 According to IIA guidance, which of the following accurately describes the responsibilities of the chief audit executive with respect to the final audit report? 1. Coordinate post-engagement conferences to discuss the final audit report with management. 2. Include management's responses in the final audit report. 3. Review and approve the final audit report. 4. Determine who will receive the final audit report. A. 1 and 2 B. 1 and 4 C. 2 and 3 D. 3 and 4

D

502 According to IIA guidance, which of the following factors should the auditor in charge consider when determining the resource requirements for an audit engagement? A. The number, experience, and availability of audit staff as well as the nature, complexity, and time constraints of the engagement. B. The appropriateness and sufficiency of resources and the ability to coordinate with external auditors. C. The number, proficiency, experience, and availability of audit staff as well as the ability to coordinate with external auditors. D. The appropriateness and sufficiency of resources as well as the nature, complexity, and time constraints of the engagement.

D

503 According to IIA guidance, which of the following is least likely to be a key financial control in an organization's accounts payable process? A. Require the approval of additions and changes to the vendor master listing, where the inherent risk of false vendors is high. B. Monitor amounts paid each period and compare them to the budget to identify potential issues. C. Compare employee addresses to vendor addresses to identify potential employee fraud. D. Monitor customer quality complaints compared to the prior period to identify vendor issues.

D

506 During an audit of the accounts receivable (AR) process, an internal auditor noted that reconciliations are still not performed regularly by the AR staff, a recommendation that was made following a previous audit. Monitoring by the financial reporting function has failed to detect the shortcoming. Both the financial reporting function and AR report to the controller, who is responsible for implementing action plans. Which of the following supports the internal auditor's decision to combine both observations into one reported finding? A. The observation was made during the same audit, and the action plan has a common owner. B. The observation relates to the same control activity within a common process. C. The observation has a common control, and it was noted in a prior audit. D. The observation has a common process, and the action plan for the observation has a common owner.

D

508 Which of the followings statements describes a best practice regarding assurance engagement communication activities? A. All assurance engagement observations should be communicated to the audit committee. B. All assurance engagement observations should be included in the main section of the engagement communication. C. During the "communicate" phase of an assurance engagement, it is best to define the methods and timing of engagement communications. D. A detailed escalation process should be developed during the planning stage of an assurance engagement.

D

52 As part of an operational audit of the shipping department, an auditor selected a sample of 45 daily shipping logs from the department's files. On 44 of the days, the log contained a sufficient number of shipments to meet the department's daily quota. Based on this test, the auditor concluded that the shipping department was effective at meeting its quotas. Which of the following is true about the auditor's conclusion? A. The number of items selected for testing is inadequate to justify the conclusion. B. The shipping department is effective in meeting its responsibilities. C. This conclusion would negate any need to perform tests of efficiency. D. None of the above.

D

61 Which of the following is used to identify and prioritize critical business applications to determine those that must be restored and the order of restoration in the event that a disaster impairs information systems processing? A. Contingent facility contract analysis. B. System backup analysis. C. Vendor supply agreement analysis. D. Risk analysis.

D

62 In forming a team to investigate an organization's potential adoption of an activity-based costing system, the best reason to include an internal auditor on the team would be the auditor's knowledge of: A. Activities and cost drivers. B. Information processing procedures. C. Current product cost structures. D. Internal control alternatives.

D

69 Which of the following does not represent a difficulty in using red flags as fraud indicators? A. Many common red flags are also associated with situations where no fraud exists. B. Some red flags are difficult to quantify or to evaluate. C. Red flag information is only gathered in extraordinary circumstances. D. The red flags literature is not well enough established to have a positive impact on auditing.

D

7 An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions, including the use of hedging strategies and financial derivatives, use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement? A. Investigation of the physical security over access to the components of the LAN. B. The ability of the LAN application to identify data items at the field or record level and implement user access security at that level. C. Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise. D. The level of security of other LANs in the company which also utilize sensitive data.

D

73 Which sampling plan requires no additional sampling once the first error is found? A. Stratified sampling. B. Attributes sampling. C. Stop-or-go sampling. D. Discovery sampling.

D

81 Which of the following audit steps would be most effective to review proper recording of and accountability over physical assets? I. Physically inspect all assets on the organization's property. II. Select a sample department and physically inspect assets in the department. III. Select a sample from the organization's records of physical assets and physically locate eachasset. IV. Identify assets at a sample of locations and trace to the organization's records. A. I only B. I and IV only C. II and III only D. III and IV only

D

88 An audit department has received anonymous information that an employee has allegedly been able to steal and cash checks sent to the organization by customers. What is the most efficient way for an auditor to determine how this type of fraud could occur and who might be the perpetrator? A. Confirm accounts receivable. B. Confirm accounts payable. C. Review the endorsements and banks of deposit on customers' canceled checks. D. Flowchart and analyze key controls in the cash receipts process.

D

93 Which of the following describes an internal auditor's responsibilities to include audit procedures to detect fraud in audits of a multinational organization? A. International Accounting Standards require the internal auditor to include audit procedures which would detect fraud if it would cause a material misrepresentation of the financial statements. B. Internal auditors do not have any specific responsibilities with respect to including fraud-related audit procedures. C. Proper audit procedures, when carried out with due professional care, will guarantee that fraud, if present, will be detected. D. If significant control weaknesses are detected, additional tests should be directed toward other indicators of fraud.

D

94 An appliance repair company is considering relocating the center that houses its service vehicles. An internal auditor wants to determine the potential reduction in average miles driven by the service vehicles if the center is relocated. Which of the following statistical sampling methods would be most appropriate for this test? A. Attributes sampling. B. Discovery sampling. C. Probability-proportional-to-size sampling. D. Mean-per-unit sampling.

D

95 Monetary-unit sampling is most useful when the internal auditor: A. Is testing the accounts payable balance. B. Cannot cumulatively arrange the population items. C. Expects to find several material errors in the sample. D. Is concerned with overstatements.

D

97 An internal auditor is discussing an audit problem with an engagement client. While listening to the client, the internal auditor should: A. Prepare a response to the client. B. Take mental notes on the speaker's nonverbal communication, as it is more important than what is being said. C. Make sure that all details, as well as the main ideas of the client, are remembered. D. Integrate the incoming information from the client with information that is already known.

D


Related study sets

Environmental Exam Final Questions

View Set

Chapter 21 - Foundations - Pain Management, Comfort, Rest, and Sleep + Practice NCLEX

View Set

Dissociative Disorders (Topic 6)

View Set

Principles of Biology Lab Homework Questions 3

View Set

CIT270 Unit 2 Exam: Chapter 5,6,7, and

View Set

Civil Air Laws and Regulations - Module 1

View Set

Intro to Geography: Midterm Exam (CH. 1-7)

View Set

Chapter 1: Binary Systems and Hexadecimal

View Set