QUESTION 250
An organization has adopted an enterprise-wide risk management process and has appointed a chief risk officer (CRO) to manage the process. The board has requested that the audit committee have oversight over the risk management function. Which of the following statements is not true regarding this situation?
A. The audit committee should get assurance on the adequacy and effectiveness of the risk management process from the CRO.
B. The chief audit executive has the mandate to conduct risk assessments and give assurance to the audit committee.
C. The audit committee, on behalf of the board, has overall responsibility for the risk management process in the organization.
D. Senior management is accountable to the board for monitoring the system of internal controls.
Correct Answer: A
QUESTION 251
Which of the following are key characteristics of enterprise risk management?
1. It considers risk in the formulation of strategy.
2. It applies risk management in some units of an entity.
3. It takes a portfolio view of risks throughout the enterprise.
4. It restricts the organization's ability to seize opportunities inherent in future events.
A. 2 and 3 only
B. 1 and 3 only
C. 2 and 4 only
D. 1 and 4 only
Correct Answer: B
QUESTION 252
Due to the expanded role of internal audit in the organization, the chief audit executive (CAE) of a construction company decides to employ the services of an outsourced audit service provider to augment the internal audit staff. What does the CAE need to consider in determining whether the outsourced audit service provider possesses the necessary knowledge, skills and other competencies to perform an audit engagement?
A. Specific matters expected to be covered in the engagement communications.
B. The financial interest that the external service provider may have in the organization.
C. The extent of other ongoing services the external service provider may be performing for the organization.
D. The reputation of the external service provider.
Correct Answer: D
QUESTION 253
Which of the following would be an appropriate role of the internal audit function?
A. Determine the consequences for ethics violations.
B. Be responsible for the management of a whistleblowing hotline.
C. Establish the ethics policies for the organization.
D. Evaluate the effectiveness of the organization's ethics-related activities.
Correct Answer: D
QUESTION 254
Which of the following is a preventive control strategy against fraud?
A. Performing a surprise audit.
B. Maintaining a whistleblower hotline.
C. Implementing control self-assessment.
D. Performing background checks on employees.
Correct Answer: D
QUESTION 255
An internal auditor is reviewing purchases made through the organization's corporate credit card program. Which of the following statements best describes a root cause of a deficiency?
A. A personal computer was purchased from a non-approved vendor.
B. Company policy limits card use to $500 per transaction.
C. A control to detect split purchases has not been activated in the credit card system.
D. Sample testing found 10% non-compliance with the organization's business travel policy.
Correct Answer: C
QUESTION 256
According to the International Professional Practices Framework, which of the following should be excluded from a final communication for a performance audit engagement?
A. Recommendations and conclusions.
B. The internal auditor's unbiased opinion.
C. Timely and relevant information.
D. Legal opinions related to illegal acts.
Correct Answer: D
QUESTION 257
In response to an audit finding, senior management informed the auditor that the issue would be investigated and resolved when time permitted. According to the International Professional Practices Framework, this action was not acceptable because:
A. The appropriate level of management was not involved in the review and resolution of the issue.
B. Responses should include sufficient information to evaluate the adequacy and timeliness of corrective action.
C. The board had not reviewed management's responses to the engagement observations and recommendations.
D. Other departments should have been contacted to determine if they shared responsibility for corrective action.
Correct Answer: B
QUESTION 258
Which of the following tasks is typically performed in the analysis phase of a benchmarking consulting engagement?
A. Identifying business capabilities.
B. Developing data collection tools.
C. Determining benchmarked process attributes.
D. Determining sample size.
Correct Answer: C
QUESTION 259
Which of the following should be included in the scope of an audit of a third-party contractor?
1. Budgets and financial forecasts for the project.
2. Contractor's information and control systems.
3. Contractor's financial position.
4. Progress of the project and costs incurred.
A. 1 and 4 only
B. 1, 2, and 3 only
C. 2, 3, and 4 only
D. 1, 2, 3, and 4
Correct Answer: D
QUESTION 260
Which of the following controls in a computerized consumer loan system of a major bank would be the least effective in detecting a fraudulent loan?
A. All log-in accounts become inaccessible after three incorrect password attempts.
B. Loan approvals over a pre-determined limit must have management approval.
C. Customer information is matched to payment data prior to funds disbursement.
D. System controls prevent supervisors from delegating their approval authority during vacation periods.
Correct Answer: A
QUESTION 261
According to the International Professional Practices Framework, the responsibility for establishing and maintaining a system to monitor the disposition of results communicated to management falls upon:
A. Compliance officer.
B. Chief audit executive.
C. Senior management.
D. Risk manager.
Correct Answer: B
QUESTION 262
Controls are implemented to:
A. Eliminate risk and reduce the potential for loss.
B. Mitigate risk and eliminate the potential for loss.
C. Mitigate risk and reduce the potential for loss.
D. Eliminate risk and eliminate potential for loss.
Correct Answer: C
QUESTION 263
According to the Standards, which of the following should be the basis for scheduling follow-up of engagement recommendations?
A. The follow-up manual procedures.
B. The internal audit charter.
C. The agreement made between internal auditors and management.
D. The risks and exposures involved.
Correct Answer: D
QUESTION 264
Which of the following would be a legitimate action for the internal auditor to take when monitoring audit engagement results?
1. Disregard a certain risk because management and the board accepted the risk in the past.
2. Abdicate the responsibility for a particular risk because it is not part of the audit plan.
3. Obtain agreement from senior management that unresolved audit issues will be reported to the board.
4. Request corrective action from management in writing.
A. 1 and 3 only
B. 2 and 3 only
C. 3 and 4 only
D. 1, 2, and 4 only
Correct Answer: C
QUESTION 265
Which of the following statements is not true about the oversight and review of working papers by the chief audit executive (CAE)?
A. The CAE has ultimate responsibility for reviewing working papers and remains accountable for the achievement of objectives and the quality of work.
B. The need for CAE review depends on the proficiency and experience of the internal auditor and the complexity of the task.
C. The CAE is responsible for all significant professional judgments made during the audit process and should therefore personally review working papers to ensure conclusions were professionally arrived at.
D. The CAE, although having overall responsibility for reviewing work completed, can delegate such task to appropriately experienced internal audit staff.
Correct Answer: C
QUESTION 266
The chief audit executive (CAE) notes that management has adopted the option of not taking action on an audit issue involving a sizeable risk which has been accepted in the past. Which would be an appropriate action by the CAE?
A. Close the issue by noting that follow-up will be completed as part of the next engagement.
B. Discuss the matter with management to determine a resolution.
C. Accept management's decision as the same risk has been accepted in the past.
D. Report the situation to the board for immediate resolution.
Correct Answer: B
QUESTION 267
Which of the following is a preventive control for fraud?
A. Determining if the number of manually prepared disbursement checks is high.
B. Reconciling the purchase orders with the requisitions.
C. Verifying that new vendors appear on the vendor pre-approved list.
D. Conducting an inventory count of the warehouse.
Correct Answer: C
QUESTION 268
The chief audit executive (CAE) decided that based on management's oral response, the action taken on an audit observation for a minor improvement in the client's process is sufficient and no further follow-up is necessary. Which of the following would be the best statement regarding the action of the CAE?
A. The CAE action is not acceptable, as a follow-up audit is needed to ensure that action is really taken by management.
B. The CAE action is not acceptable, as follow-up on the issue is critical until a written response is obtained from management.
C. The CAE action is acceptable as long as the follow-up is sufficient when weighed against the relative importance of the recommendation.
D. The CAE action is acceptable as long as the issue has been escalated to the board to get their position on the issue.
Correct Answer: C
QUESTION 269
Which two of the following considerations must an internal auditor take into account while planning an audit of an accounting system/application that has been in use for the last five years?
1. The level and manner of linkages between the business' mission, objectives, and structure and the accounting system/application.
2. Presence or absence of computerized and manual controls that address risks.
3. Identification of risks at the application level, e.g. availability and security of the system.
4. Testing of the system/application for bugs and errors.
A. 1 and 3 only
B. 2 and 3 only
C. 2 and 4 only
D. 3 and 4 only
Correct Answer: B
QUESTION 270
The following audit observation was included in the final audit report:
"Our review concluded that bank reconciliation statements for March and April did not show evidence of supervisory review. We recommend strict compliance with the controller's manual, which requires the department head to place their initials on the reconciliation statements to document their review."
Which of the following attributes are missing from the above audit observation?
1. Criteria.
2. Condition.
3. Cause.
4. Effect.
A. 1 and 4 only
B. 2 and 3 only
C. 1, 3, and 4 only
D. 3 and 4 only
Correct Answer: D
QUESTION 271
If the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, they should:
A. Accept the decision of senior management as they are ultimately responsible for risk management.
B. Report the concern directly to the board.
C. Discuss the concern with management and if not resolved, escalate it to the board.
D. Disclose the issue in the audit report when auditing the area where the risk was identified.
Correct Answer: C
QUESTION 272
During an engagement the internal auditors reported that the organization was paying suppliers without receiving the merchandise. Management responded that it would immediately establish the use of receiving reports. As part of the follow-up activity, which of the following procedures would be the most appropriate in determining that management action was implemented?
A. Ask management if the new policy related to the receiving reports is in place.
B. Select a sample of receiving reports and determine if payments were made.
C. Interview warehouse employees to ascertain adherence to new policy.
D. Select a sample of payments and determine if a receiving report exists.
Correct Answer: D
Explanation/Reference:
appropriate answer.
QUESTION 273
According to the Standards, which of the following is an attribute when applied to the observations and recommendations contained in the audit report?
A. Client accomplishments.
B. Effect.
C. Supportive information.
D. Scope statements.
Correct Answer: B
Explanation/Reference:
answer is confirmed.
QUESTION 274
An internal auditor was assigned to conduct an inventory control and stock room area engagement. During the audit, the auditor observed that there were some items that have a shelf life expiration date requirement based on a certificate of conformance received with the product. The certificates of conformance are kept on file in the inventory area office and the expiration date is verified at the time the item is taken from stock. The auditor reviewed the items in the stock room and also on the production floor for the expiration dates to see if there was any expired product. All items with a shelf life requirement were found to be within the expiration date requirement. Which of the following recommendations would be appropriate?
A. Take no action, because all the items were within the expiration date requirement, and no corrective action is needed.
B. Permit production staff the access to files where the certificates of conformity are kept, so they can choose the items with the closest expiration date.
C. Determine the cost of inventory for the items that have a shelf life and apply a new policy regarding inventory levels to be maintained (i.e., minimums, maximums, reorder points etc.).
D. Add to the product label a "use by date" line, enter the expiration at the time of receipt, and perform periodic inventory checks.
Correct Answer: D
Explanation/Reference:
answer is complete.
QUESTION 275
In addition to the internal auditor, which of the following parties should be present at an exit or closing conference?
1. Audit committee members.
2. The external auditor.
3. The management responsible for the areas covered by the engagement.
4. The chief executive officer.
A. 2 only
B. 3 only
C. 3 and 4 only
D. 1, 3, and 4 only
Correct Answer: B
Explanation/Reference:
well defined answer.
QUESTION 276
Reviewing internal audit report drafts with clients is:
1. Required according to the Standards.
2. A form of courtesy.
3. Ethically mandated.
4. A form of validation.
A. 1 and 2 only
B. 2 and 3 only
C. 2 and 4 only
D. 3 and 4 only
Correct Answer: C
QUESTION 277
Which of the following is an advantage to using the questionnaire approach when conducting risk and control self assessments?
A. Responses can easily be quantified and analyzed.
B. Follow-up for clarification is efficient.
C. It is educational for participants.
D. It allows for in-depth probing of issues.
Correct Answer: A
QUESTION 278
Which of the following documents should the chief audit executive review and approve?
1. Workpaper retention policy.
2. Audit committee meeting minutes.
3. Internal audit handbook.
4. Quarterly financial statements.
A. 1 and 2 only
B. 1 and 3 only
C. 2 and 4 only
D. 1, 3, and 4 only
Correct Answer: B
QUESTION 279
Which of the following topics must the internal audit staff discuss with management during the exit conference?
1. Issues identified during the audit.
2. Evaluation criteria used to select controls for testing.
3. Staff who were interviewed during the audit.
4. The reporting process for the draft and final report.
A. 1 and 3 only
B. 1 and 4 only
C. 2 and 3 only
D. 2 and 4 only
Correct Answer: B
QUESTION 280
A manufacturing organization is considering a merger with a similar firm, and requests that the chief audit executive (CAE) perform a due diligence audit. During the preliminary survey, the CAE notes that inventory management is a high risk area. In consultation with the external auditors and legal advisors, the CAE learns that they share those concerns. Which of the following is the CAE's best course of action?
A. Perform an independent audit of the merging firm's inventory management practices to verify the concerns and to provide relevant and reliable results to management for their consideration and action.
B. Advise management that internal audit, external audit, and legal advisors all have concerns about inventory management and, given the high materiality of inventory, management should not proceed with the merger.
C. Coordinate a review of inventory management with external auditors and legal advisors and ensure each group focuses on their area of expertise to ascertain the extent of the problems, if any.
D. Coordinate with the merging firm's internal audit department to better understand the inventory management function and whether the concerns are well-founded.
Correct Answer: C
QUESTION 281
The chief audit executive (CAE) manages a large internal audit activity (IAA) reporting functionally to the audit committee and administratively to the chief risk officer. During the CAE's recent unplanned medical leave, several internal audit reports were completed and waiting for CAE approval; however, no formal delegation of authority was in place to anticipate this situation. In order to preserve the independence of the IAA, which of the following would be the most appropriate individual to review and approve these reports during the CAE's absence?
A. External auditor.
B. Chief risk officer.
C. Engagement lead auditor.
D. Audit committee chair.
Correct Answer: C
QUESTION 282
During the audit of a large decentralized supply chain function, the chief audit executive (CAE) receives serious allegations of fraud concerning the vice president responsible for this function. The CAE engages a third party to provide forensic audit services and lead the investigation portion of the engagement. As part of this team, which of the following would be an appropriate role for the investigator?
1. Authenticate the original approval signatures on contracts.
2. Interview personnel to understand the supply chain processes.
3. Provide certified copies of relevant original documents for the audit file.
4. Identify variances in pixels on original electronic documents.
A. 1 and 2 only
B. 1 and 4 only
C. 2 and 3 only
D. 3 and 4 only
Correct Answer: B
QUESTION 283
The chief audit executive (CAE) of a new organization is in the process of determining the manner in which audit reports will be distributed and to whom. According to the Standards, which of the following is the most appropriate course of action for the CAE to take to develop this distribution process?
A. The process should be determined in meetings with the external auditor and senior management to ensure alignment with external reporting.
B. The CAE should meet with senior management for their input, but finalize the distribution of all reports with the board.
C. The CAE should independently implement the report distribution, using best judgment to ensure that all relevant stakeholders are informed.
D. The CAE should request that senior management and the board meet to determine the most appropriate reporting method.
Correct Answer: B
QUESTION 284
An organization has acquired a new line of business. None of the organization's internal auditors have the required expertise to perform an internal audit of the new business line; therefore, the chief audit executive (CAE) has contracted the services of an external audit firm to perform the engagement. The CAE has assigned a member of the internal audit team to assist the external team with the engagement. According to the Standards, which of the following statements is true regarding supervision of the engagement?
A. The CAE may rely upon the external firm's auditor in charge to supervise the engagement.
B. The external firm's auditor in charge must defer to the judgment of the CAE for any disputes.
C. The CAE is not responsible for the quality of an audit performed by an external firm.
D. The CAE should not assign an inexperienced staff member to assist with the engagement.
Correct Answer: B
QUESTION 285
An organization does not have a formal risk management function. According to the Standards, which of the following are conditions where the internal audit activity (IAA) may provide risk management consulting?
1. There is a clear strategy and timeline to migrate risk management responsibility back to management.
2. The IAA has the final approval on any risk management decisions.
3. The IAA does not give objective assurance on any part of the risk management framework for which it is responsible.
4. The nature of services provided to the organization is documented in the internal audit charter.
A. 1, 2, and 3 only
B. 1, 2, and 4 only
C. 1, 3, and 4 only
D. 2, 3, and 4 only
Correct Answer: C
QUESTION 286
Which of the following statements regarding the use of external contracted services by the chief audit executive (CAE) is false?
A. The CAE's responsibility is not impaired by engaging an external expert.
B. The external expert could have a prior relationship with the audit client.
C. The audit report should not disclose the use of contracted services.
D. The expert should be directed by the objectives and scope of work.
Correct Answer: C
QUESTION 287
The internal auditor is asked to conduct an investigation involving a suspected fraud. According to the Standards, which of the following statements regarding the investigation process is false?
A. The auditor should use anonymous surveys of coworkers to assess the character and behavior of the suspect.
B. The auditor must give consideration to the risk of unidentified co-conspirators whether indications exist or not.
C. The auditor should not limit the collection of information by prejudging its relevance to the investigation.
D. The auditor must consider the risk that audit procedures may inadvertently violate the rights of the suspect.
Correct Answer: A
QUESTION 288
According to the Standards, which of the following control strategies would be the most effective in helping to prevent fraud?
A. Have employees annually sign a code of conduct requiring that they report any known violations.
B. Implement a whistleblower hotline where individuals can make anonymous phone calls to report fraudulent activities.
C. Provide periodic fraud awareness training to employees and test their understanding of the training through online surveys.
D. Conduct routine employee surveys to solicit their knowledge of fraud and unethical behavior within the organization.
Correct Answer: C
QUESTION 289
An internal auditor is conducting an assessment of the organization's fraud controls. Which of the following would not be considered a preventive control?
1. Daily report that identifies unsuccessful system log-in attempts.
2. Weekly management communication with tips on identifying possible fraud.
3. E-mail alert sent to management for checks issued over $100,000.00.
4. New hire training to explain fraud and employee misconduct.
A. 1 and 2 only
B. 1 and 3 only
C. 2 and 4 only
D. 3 and 4 only
Correct Answer: B
QUESTION 290
Which of the following is the least relevant when preparing the internal audit activity's annual engagement plan?
A. Senior management's requests for internal audit engagements.
B. A rotation of internal audit engagements selected on a time basis.
C. The organization's current risk priority and exposure.
D. Coordination with the audit plans of the external auditor.
Correct Answer: B
QUESTION 291
Which of the following statements is true?
A. If management chooses not to take action on internal audit's assurance engagement observation, the chief audit executive (CAE) has a responsibility to propose an action plan to the board.
B. Internal audit's responsibility for an assurance engagement observation ends when management implements changes to remediate the observation.
C. When management decides to accept the risk of not taking action on an assurance observation, the CAE is responsible for judging whether or not that decision is prudent.
D. An assurance engagement observation is considered remediated when management's corrective action plan is approved by the board.
Correct Answer: C
QUESTION 292
An audit engagement objective at a manufacturer is to determine the quality of raw materials purchased. Which of the following actions would best enable an internal auditor to satisfy this objective?
A. Analyze the provision for sales allowances.
B. Analyze the percentage of scrap incurred during production.
C. Research the rationale for customer returns.
D. Evaluate the volume and characteristics of products rejected during processing.
Correct Answer: D
QUESTION 293
Which of the following statements is true regarding the communication of audit engagement observations?
A. Criteria, condition, cause, and effect must be communicated for material observations only.
B. Criteria, condition, cause, and effect must be communicated for material observations and significant deficiencies only.
C. Criteria, condition, cause, and effect must be communicated for all engagement observations.
D. Criteria, condition, cause, and effect do not need to be communicated for insignificant observations with adequate compensating key controls.
Correct Answer: C
QUESTION 294
Which of the following situations justifies the release of an interim report to management and the board?
1. The internal auditor is convinced that the audit observations require immediate attention.
2. The internal auditor would like to communicate a change in engagement scope for the activity under review.
3. The internal auditor notes that the engagement may extend over a longer time period.
4. The audit supervisor believes that issuing interim reports eases supervisory review and controls over working papers.
A. 1 and 3 only
B. 2 and 3 only
C. 1, 2, and 3 only
D. 2, 3, and 4 only
Correct Answer: C
QUESTION 295
The chief audit executive of a large publicly held bank is using a risk based approach to update the annual audit plan. Which of the following sources of information will have the least impact on the plan?
A. The 12 month forecast of commercial property values.
B. Recent changes to the bank's strategic plan.
C. Regulatory changes impacting capitalization for all publicly traded banks.
D. Continuous changes in the prime lending rate set by the country's central bank.
Correct Answer: D
QUESTION 296
According to IIA guidance, when performing a compliance audit of data security standards for a large e-commerce retailer, which of the following would represent the least likely area of risk exposure?
A. Operational risks.
B. Change or configuration risks.
C. Access risks.
D. Physical security risks.
Correct Answer: D
QUESTION 297
An internal auditor for a large telecommunications organization identified potential risk factors related to a planned billing system conversion. Which of the following risk factors would present the least potential exposure to the organization?
A. Critical customer support functions are not available for a short period.
B. Invoice generation disruptions due to required maintenance.
C. Inaccurate billing of telephone calls due to database error.
D. End user criticism and lack of support for the new system.
Correct Answer: B
QUESTION 298
While reviewing the draft report of an audit engagement, the chief audit executive (CAE) is not in agreement with management's acceptance of the potential risk exposure resulting from an observed key control weakness. Which of the following actions by the CAE would be appropriate for addressing this concern?
1. Meet with the auditor-in-charge.
2. Discuss with senior management.
3. Monitor the result of the accepted risk.
4. Report the matter to the board.
A. 1, 2, and 3 only
B. 1, 2, and 4 only
C. 1, 3, and 4 only
D. 2, 3, and 4 only
Correct Answer: B
QUESTION 299
Which of the following statements is correct regarding the use of a program evaluation and review technique (PERT) model?
1. It makes use of a probability model to arrive at a realistic estimate of time necessary for completion of the audit engagement.
2. It requires that activities are performed in sequence such that each task is completed before the commencement of the next activity.
3. It remains fixed once completed to act as a baseline for measuring the performance of the audit staff following completion of the engagement.
4. It begins with the auditor-in-charge identifying the overall scope and then breaking down the audit engagement into identifiable activity units.
A. 1 and 3 only
B. 1 and 4 only
C. 2 and 3 only
D. 2 and 4 only
Correct Answer: B
QUESTION 300
According to IIA guidance, which of the following are benefits to the internal audit activity when conducting an assurance mapping exercise?
A. Identification of gaps in risk coverage, and minimization of duplicate assurance efforts.
B. Identification of gaps in risk coverage, and consolidation of risk reporting efforts.
C. Resolution of identified testing errors, and minimization of duplicate assurance efforts.
D. Resolution of identified testing errors, and consolidation of risk reporting efforts.
Correct Answer: A
QUESTION 301
The chief audit executive (CAE) of a large retail operation believes that senior management has accepted a level of risk that exceeds the organization's current risk tolerance with respect to a major expansion. The CAE plans to meet with senior management to discuss these concerns. According to IIA guidance, which of the following would be an appropriate course of action in preparation for this meeting?
1. Understand management's basis for the decision.
2. Advise the board of the concern and upcoming meeting.
3. Ascertain which members of management have accepted the risk.
4. Determine if management has the authority to accept the risk.
A. 1 and 2 only
B. 1 and 4 only
C. 2 and 3 only
D. 3 and 4 only
Correct Answer: B
QUESTION 302
During the quarterly review of the internal audit activity's performance, the chief audit executive (CAE) notes that actual engagement hours consistently exceed the budget. Which of the following strategies would most likely help the CAE address this problem?
1. The budget should consider time spent on similar engagements.
2. The budget should consider the proficiency of the assigned auditors.
3. The budget estimate should provide for unexpected delays.
4. The budget should be specific as to time for each work assignment.
A. 1 and 2 only
B. 1 and 4 only
C. 2 and 3 only
D. 3 and 4 only
Correct Answer: B
QUESTION 303
According to IIA guidance, which of the following actions might place the independence of the internal audit function in jeopardy?
A. Having no active role or involvement in the risk management process.
B. Auditing the risk management process for reasonableness.
C. Coordinating and managing the risk management process.
D. Participating with management in identifying and evaluating risks.
Correct Answer: C
QUESTION 304
According to IIA guidance, which of the following would not be a consideration for the internal audit activity (IAA) when determining the need to follow-up on recommendations?
A. Degree of effort and cost needed to correct the reported condition.
B. Complexity of the corrective action.
C. Impact that may result should the corrective action fail.
D. Amount of resources required to conduct the follow-up activities.
Correct Answer: D
QUESTION 305
Which of the following is an appropriate responsibility for the internal audit activity with regard to the organization's risk management program?
A. Identifying and managing risks in line with the entity's risk appetite.
B. Ensuring that a proper and effective risk management process exists.
C. Attaining an adequate understanding of the entity's key mitigation strategies.
D. Identifying and ensuring that appropriate controls exist to mitigate risks.
Correct Answer: C
QUESTION 306
Which of the following is a detective control for managing the risk of fraud?
A. Awareness of prior incidents of fraud.
B. Contractor non-disclosure agreements.
C. Verification of currency exchange rates.
D. Receipts for employee expenses.
Correct Answer: C
QUESTION 307
Which of the following is a justifiable reason for omitting advance client notice when planning an audit engagement?
A. Advance notice may result in management making corrections to reduce the number of potential deficiencies.
B. Previous management action plans addressing prior internal audit recommendations remain incomplete.
C. The engagement includes audit assurance procedures such as sensitive or restricted asset verifications.
D. The audit engagement has already been communicated and approved through the annual audit plan.
Correct Answer: C
QUESTION 308
According to IIA guidance, organizations have the most influence on which element of fraud?
A. Opportunity.
B. Rationalization.
C. Pressure.
D. Incentives.
Correct Answer: A
QUESTION 309
The external auditor has identified a number of production process control deficiencies involving several departments. As a result, senior management has asked the internal audit activity to complete internal control training for all related staff. According to IIA guidance, which of the following would be the most appropriate course of action for the chief audit executive to follow?
A. Refuse to accept the consulting engagement because it would be a violation of independence.
B. Collaborate with the external auditor to ensure the most efficient use of resources.
C. Accept the engagement but hire an external training specialist to provide the necessary expertise.
D. Accept the engagement even if the audit engagement staff was previously responsible for operational areas being trained.
Correct Answer: D
QUESTION 310
Which of the following is not a primary reason for outsourcing a portion of the internal audit activity?
A. To gain access to a wider variety of skills, competencies and best practices.
B. To complement existing expertise with a required skill and competency for a particular audit engagement.
C. To focus on and strengthen core audit competencies.
D. To provide the organization with appropriate contingency planning for the internal audit function.
Correct Answer: D
QUESTION 311
Which of the following statements about internal audit's follow-up process is true?
A. The nature, timing, and extent of follow-up for assurance engagements is standardized to ensure quality performance.
B. The actions of external auditors and other external assurance providers are not encompassed by internal audit's follow-up process.
C. Internal auditors have responsibility for determining if management and the board have implemented the recommended action or otherwise accepted the risk.
D. The follow-up process must be complete and documented in the working papers in order to conclude the engagement.
Correct Answer: C
QUESTION 312
A manufacturer is under contract to produce and deliver a number of aircraft to a major airline. As part of the contract, the manufacturer is also providing training to the airline's pilots. At the time of the audit, the delivery of the aircraft had fallen substantially behind schedule while the training had already been completed. If half of the aircraft under contract have been delivered, which of the following should the internal auditor expect to be accounted for in the general ledger?
A. Training costs allocated to the number of aircraft delivered, and the cost of actual production hours completed to date.
B. All completed training costs, and the cost of actual production hours completed to date.
C. Training costs allocated to the number of aircraft delivered, and 50% of contracted production costs.
D. All completed training costs, and 50% of the contracted production costs.
Correct Answer: D
QUESTION 313
An internal auditor determines that certain information from the engagement results is not appropriate for disclosure to all report recipients because it is privileged. In this situation, which of the following actions would be most appropriate?
A. Disclose the information in a separate report.
B. Distribute the information in a confidential report to the board only.
C. Distribute the reports through the use of blind copies.
D. Exclude the results from the report and verbally report the conditions to senior management and the board.
Correct Answer: A
QUESTION 314
For which of the following fraud engagement activities would it be most appropriate to involve a forensic auditor?
A. Independently evaluating conflicts of interests.
B. Assessing contracts for relevant terms and conditions.
C. Performing statistical analysis for data anomalies.
D. Preparing evidentiary documentation.
Correct Answer: D
QUESTION 315
According to IIA guidance, which of the following is true about the supervising internal auditor's review notes?
1. They are discussed with management prior to finalizing the audit.
2. They may be discarded after working papers are amended as appropriate.
3. They are created by the auditor to support her fieldwork in case of questions.
4. They are not required to support observations issued in the audit report.
A. 1 and 3 only
B. 1 and 4 only
C. 2 and 3 only
D. 2 and 4 only
Correct Answer: D
QUESTION 316
During a fraud interview, it was discovered that unquestioned authority enabled a vice president to steal funds from the organization. Which of the following best describes this condition?
A. Scheme.
B. Opportunity.
C. Rationalization.
D. Pressure.
Correct Answer: B
QUESTION 317
According to IIA guidance, which of the following are appropriate actions for the chief audit executive regarding management's response to audit recommendations?
A. Evaluate and verify management's response, and determine the need and scope for additional work.
B. Evaluate and verify management's response, and establish timelines for corrective action by management.
C. Oversee the corrective actions undertaken by management, and determine the need and scope for additional work.
D. Oversee the corrective actions undertaken by management, and establish timelines for corrective action by management.
Correct Answer: A
QUESTION 318
According to the Standards, which of the following is least important in determining the adequacy of an annual audit plan?
A. Sufficiency.
B. Appropriateness.
C. Effective deployment.
D. Cost effectiveness.
Correct Answer: D
QUESTION 319
The newly appointed chief audit executive (CAE) of a large multinational corporation, with seasoned internal audit departments located around the world, is reviewing responsibilities for engagement reports. According to IIA guidance, which of the following statements is true?
A. The CAE is required to review, approve, and sign every engagement report.
B. The CAE is required to review, approve, and sign all regulatory compliance engagement reports only.
C. The CAE may delegate responsibility for reviewing, approving and signing engagement reports, but should review the reports after they are issued.
D. The internal audit charter must identify authorized signers of engagement reports.
Correct Answer: C
QUESTION 320
The internal audit activity (IAA) wants to measure its performance related to the quality of audit recommendations. Which of the following client survey questions would best help the IAA meet this objective?
A. Were audit findings relevant and useful to management?
B. Does the audit report format present issues clearly and concisely?
C. Does the IAA work with a high degree of professionalism and objectivity?
D. Were the findings reported in a timely manner?
Correct Answer: A
QUESTION 321
When forming an opinion on the adequacy of management's systems of internal control, which of the following findings would provide the most reliable assurance to the chief audit executive?
1. During an audit of the hiring process in a law firm, it was discovered that potential employees' credentials were not always confirmed sufficiently. This process remained unchanged at the following audit.
2. During an audit of the accounts payable department, auditors calculated that two percent of accounts were paid past due. This condition persisted at a follow up audit.
3. During an audit of the vehicle fleet of a rental agency, it was determined that at any given time, eight percent of the vehicles were not operational. During the next audit, this figure had increased.
4. During an audit of the cash handling process in a casino, internal audit discovered control deficiencies in the transfer process between the slot machines and the cash counting area. It was corrected immediately.
A. 1 and 3 only
B. 1 and 4 only
C. 2 and 3 only
D. 2 and 4 only
Correct Answer: B
QUESTION 322
An internal auditor and engagement client are deadlocked over the auditor's differing opinion with management on the adequacy of access controls for a major system. Which of the following strategies would be the most helpful in resolving this dispute?
A. Conduct a joint brainstorming session with management.
B. Ask the chief audit executive to mediate.
C. Disclose the client's differing opinion in the final report.
D. Escalate the issue to senior management for a decision.
Correct Answer: A
QUESTION 323
When setting the scope for the identification and assessment of key risks and controls in a process, which of the following would be the least appropriate approach?
A. Develop the scope of the audit based on a bottom-up perspective to ensure that all business objectives are considered.
B. Develop the scope of the audit to include controls that are necessary to manage risk associated with a critical business objective.
C. Specify that the auditors need to assess only key controls, but may include an assessment of non-key controls if there is value to the business in providing such assurance.
D. Ensure the audit includes an assessment of manual and automated controls to determine whether business risks are effectively managed.
Correct Answer: A
QUESTION 324
According to IIA guidance, which of the following is true when the internal audit activity is asked to investigate potential ethics violations in a foreign subsidiary?
A. Communication of any internal ethics violations to external parties may occur with appropriate safeguards.
B. Cultural impacts are less critical where the organization practices uniform policies around the globe.
C. Cross-cultural differences should always be handled by the staff of the same cultural background.
D. Local law enforcement should be involved as they are more familiar with the applicable local laws.
Correct Answer: A
QUESTION 325
The chief audit executive of a medium-sized financial institution is evaluating the staffing model of the internal audit activity (IAA). According to IIA guidance, which of the following are the most appropriate strategies to maximize the value of the current IAA resources?
1. The annual audit plan should include audits that are consistent with the skills of the IAA.
2. Audits of high-risk areas of the organization should be conducted by internal audit staff.
3. External resources may be hired to provide subject-matter expertise but should be supervised.
4. Auditors should develop their skills by being assigned to complex audits for learning opportunities.
A. 1 and 2 only
B. 1 and 4 only
C. 2 and 3 only
D. 3 and 4 only
Correct Answer: D
QUESTION 326
It is close to the fiscal year end for a government agency, and the chief audit executive (CAE) has the following items to submit to either the board or the chief executive officer (CEO) for approval. According to IIA guidance, which of the following items should be submitted only to the CEO?
A. The internal audit risk assessment and audit plan for the next fiscal year.
B. The internal audit budget and resource plan for the coming fiscal year.
C. A request for an increase of the CAE's salary for the next fiscal year.
D. The evaluation and compensation of the internal audit team.
Correct Answer: D
QUESTION 327
An internal control questionnaire would be most appropriate in which of the following situations?
A. Testing controls where operating procedures vary.
B. Testing controls in decentralized offices.
C. Testing controls in high risk areas.
D. Testing controls in areas with high control failure rates.
Correct Answer: B
QUESTION 328
According to IIA guidance, which of the following statements is true regarding the authority of the chief audit executive (CAE) to release previous audit reports to outside parties?
A. The CAE can release prior internal audit reports with the approval of the board and senior management.
B. The CAE can employ judgment and release prior audit results as they deem appropriate and necessary.
C. The CAE can only release prior information outside the organization when mandated by legal or statutory requirements.
D. The CAE can release prior information provided it is as originally published and distributed within the organization.
Correct Answer: B
QUESTION 329
An internal auditor has been assigned to facilitate a risk and control self-assessment for the finance group. Which of the following is the most appropriate role that she should assume when facilitating the workshop?
A. Express an opinion on the participants' inputs and conclusions as the assessment progresses.
B. Provide appropriate techniques and guidelines on how the exercise should be undertaken.
C. Evaluate and report on all issues that may be uncovered during the exercise.
D. Screen and vet participants so that the most appropriate candidates are selected to participate in the exercise.
Correct Answer: B
QUESTION 330
An audit identified a number of weaknesses in the configuration of a critical client/server system. Although some of the weaknesses were corrected prior to the issuance of the audit report, correction of the rest will require between 6 and 18 months for completion. Consequently, management has developed a detailed action plan, with anticipated completion dates, for addressing the weaknesses. What is the most appropriate course of action for the chief audit executive to take?
A. Assess the status of corrective action during a follow-up audit engagement after the action plan has been completed.
B. Assess the effectiveness of corrections by reviewing statistics related to unplanned system outages, and denials of service.
C. Reassign information systems auditors to assist in implementing management's action plan.
D. Evaluate the ability of the action plan to correct the weaknesses and monitor key dates and deliverables.
Correct Answer: D
QUESTION 331
Which of the following is not an outcome of control self-assessment?
A. Informal, soft controls are omitted, and greater focus is placed on hard controls.
B. The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.
C. Internal auditors become involved in and knowledgeable about the self-assessment process.
D. Nonaudit employees become experienced in assessing controls and associating control processes with managing risks.
Correct Answer: A
QUESTION 332
A code of business conduct should include which of the following to increase its deterrent effect?
1. Appropriate descriptions of penalties for misconduct.
2. A notification that code of conduct violations may lead to criminal prosecution.
3. A description of violations that injure the interests of the employer.
4. A list of employees covered by the code of conduct.
A. 1 and 2
B. 1 and 3
C. 2 and 4
D. 3 and 4
Correct Answer: A
QUESTION 333
New environmental regulations require the board to certify that the organization's reported pollutant emissions data is accurate. The chief audit executive (CAE) is planning an audit to provide assurance over the organization's compliance with the environmental regulations. Which of the following groups or individuals is most important for the CAE to consult to determine the scope of the audit?
A. The audit committee of the board.
B. The environmental, health, and safety manager.
C. The organization's external environmental lawyers.
D. The organization's insurance department.
Correct Answer: B
QUESTION 334
The board has asked the internal audit activity (IAA) to be involved in the organization's enterprise risk management process. Which of the following activities is appropriate for IAA to perform without safeguards?
A. Coach management in responding to risks.
B. Develop risk management strategies for board approval.
C. Facilitate identification and evaluation of risks.
D. Evaluate risk management processes.
Correct Answer: D
QUESTION 335
According to IIA guidance, which of the following statements are true regarding the internal audit plan?
1. The audit plan is based on an assessment of risks to the organization.
2. The audit plan is designed to determine the effectiveness of the organization's risk management process.
3. The audit plan is developed by senior management of the organization.
4. The audit plan is aligned with the organization's goals.
A. 1 and 2 only
B. 3 and 4 only
C. 1, 2, and 4
D. 1, 3, and 4
Correct Answer: C
QUESTION 336
An internal auditor is assessing the organization's risk management framework. Which of the following formulas should he use to calculate the residual risk?
A. B. C. D.
Correct Answer: B
QUESTION 337
Which of the following statements is false regarding roles and responsibilities pertaining to risk management and control?
A. Senior management is charged with overseeing the establishment of risk management and control processes.
B. The chief audit executive is responsible for overseeing the evaluation of risk management and control processes.
C. Operating managers are responsible for assessing risks and controls in their departments.
D. Internal auditors provide assurance about risk management and control process effectiveness.
Correct Answer: B
QUESTION 338
Which of the following should be included in a privacy audit engagement?
1. Assess the appropriateness of the information gathered.
2. Review the methods used to collect information.
3. Consider whether the information collected is in compliance with applicable laws.
4. Determine how the information is stored.
A. 1 and 3 only
B. 2 and 4 only
C. 1, 3, and 4 only
D. 1, 2, 3, and 4
Correct Answer: D
QUESTION 339
Due to price risk from the foreign currency purchase of aviation fuel, an airliner has purchased forward contracts to hedge against fluctuations in the exchange rate. When recalculating the exchange losses from individual purchases of jet fuel, which of the following details does the internal auditor need to validate?
1. The hedge documentation designating the hedge.
2. The spot exchange rate on the transaction date.
3. The terms of the forward contract.
4. The amount of fuel purchased.
A. 1 and 2
B. 1 and 4
C. 2 and 3
D. 3 and 4
Correct Answer: C
Certified Internal Auditor Questions + Answers Part 13