Exam 3: The Internal Audit Activity Role in Governance, Risk, and Control

Question
An organization's accounts payable function improved its internal controls significantly after it received an unsatisfactory audit report. When planning a follow-up audit of the function, what level of detection risk should be expected if the audit and sampling procedures used are unchanged from the prior audit?

A) Detection risk is lower because control risk is lower.
B) Detection risk is lower because control risk is higher.
C) Detection risk is higher because control risk is lower.
D) Detection risk is unchanged although control risk is lower.
Question
According to the Standards, the organizational status of the internal audit activity:

A) Must be sufficient to permit the accomplishment of its audit responsibilities.
B) Is best when the reporting relationship is direct to the board of directors.
C) Requires the board's annual approval of the audit schedules, plans, and budgets.
D) Is guaranteed when the charter specifically defines its independence.
Question
Which of the following is an appropriate consideration by the auditor when preparing an engagement program for a human resource audit?

A) State the work steps in the form of questions.
B) Use the standard audit program for HR from previous years.
C) Include in the audit program certain audit tests requested by the audit client.
D) Defer preparation of the audit program until after the field work.
Question
Which of the following activities most significantly increases the risk that a bank will make poor-quality loans to its customers?

A) Borrowers may not sign all required mortgage loan documentation.
B) Fees paid by the borrower at the time of the loan may not be deposited in a timely manner.
C) The bank's loan documentation may not meet the government's disclosure requirements.
D) Loan officers may override the lending criteria established by senior management.
Question
Which of the following would not be a factor for senior management to consider when determining the internal audit activity's role in an organization's risk management process?

A) The extent to which the internal audit activity is outsourced.
B) The maturity level of risk management practices in the organization.
C) The competency of the internal auditors in risk management.
D) The nature of the business and the environment in which the organization operates.
Question
An auditor plans to analyze customer satisfaction, including: (1) customer complaints recorded by the customer service department during the last three months; (2) merchandise returned in the last three months; and (3) responses to a survey of customers who made purchases in the last three months. Which of the following statements regarding this audit approach is correct?

A) Although useful, such an analysis does not address any risk factors.
B) The survey would not consider customers who did not make purchases in the last three months.
C) Steps 1 and 2 of the analysis are not necessary or cost-effective if the customer survey is comprehensive.
D) Analysis of three months' activity would not evaluate customer satisfaction.
Question
When internal auditors perform consulting services that add value and improve an organization's operations, these services:

A) Impair the internal auditors' objectivity with respect to an assurance service involving the same engagement client.
B) Would preclude the achievement of assurance from the consulting engagement.
C) Should be consistent with the internal audit activity's empowerment reflected in the charter.
D) Impose no responsibility to communicate information other than to the engagement client.
Question
Which of the following components influences the risk consciousness of an organization's people and is the basis for all other components of enterprise risk management?

A) Objective setting.
B) Information and Communication.
C) Risk Assessment.
D) Internal Environment.
Question
According to the International Professional Practices Framework, which of the following is the appropriate division of responsibilities for the coordination of internal and external audit efforts?

A) Oversight of Work Coordination of Activities Chief audit executive Senior management II. Board III. Chief financial officer IV. Board Chief financial officer
B) I
C) II.
D) III.
E) IV.
Question
Which of the following risk assessment tools would best facilitate the matching of controls to risks?

A) Control matrix.
B) Internal control questionnaire.
C) Control flowchart.
D) Program evaluation and review technique (PERT) analysis.
Question
A manufacturing firm uses hazardous materials in the production of its products. An audit of the firm's processes related to hazardous materials should include:

I. Recommending an environmental management system as part of policies and procedures.
II. Verifying the existence of tracking records for these materials from creation to destruction.
III. Using consultants to avoid self-incrimination of the firm in the event illegalities were detected in an environmental audit.
IV. Evaluating the cost provided for in an environmental liability accrual account.
B) II only
C) III and IV only
D) I, II, and IV only
E) I, III, and IV only
Question
An organization that outsources much of its internal audit work to an external service provider is planning for an external quality assessment. Which of the following options would accomplish this task and be in conformance with the Standards?

A) External industry associate that performed a similar review for a supplier of the organization.
B) A team from an independent entity that previously employed the chief audit executive of the organization.
C) A team under the direction of the organization's chief audit executive with validation by a former manager of the internal audit activity.
D) The same external service provider because of its competency and experience with the organization.
Question
An organization has a policy requiring two signatures on all checks written for amounts in excess of $10,000. When evaluating controls over disbursements, an auditor would conclude that a greater risk exists if:

A) The auditor located two checks for $9,000 each that contained one authorized signature.
B) The $10,000 was an immaterial amount to the organization and very few cash disbursements required an amount in excess of $10,000.
C) The director of accounting was not one of the authorized signers.
D) There were several instances in which successively numbered checks for amounts between $5,000 and $10,000 were made payable to the same vendor.
Question
An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions, including the use of hedging strategies and financial derivatives, use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement?

A) Investigation of the physical security over access to the components of the LAN.
B) The ability of the LAN application to identify data items at the field or record level and implement user access security at that level.
C) Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise.
D) The level of security of other LANs in the company which also utilize sensitive data.
Question
Which of the following best describes the underlying premise of the COSO enterprise risk management framework?

A) Management should set objectives before assessing risk.
B) Every entity exists to provide value for its stakeholders.
C) Policies are established to ensure that risk responses are performed effectively.
D) Enterprise risk management can minimize the impact and likelihood of unanticipated events.
Question
Which of the following factors affects the control risk of a company?

A) Potential problems like technological obsolescence.
B) Unusual pressures on management.
C) Complex accounts that require expert valuations.
D) Segregation of duties.
Question
During the planning phase of an audit of suspected overbilling on contracts for security services, an auditor should perform all of the following except:

A) Interviewing an official of the security services company to determine the cause of recent increases in billings for services.
B) Interviewing the manager who requested the audit engagement.
C) Obtaining a copy of the contract between the two organizations.
D) Preparing an engagement program.
Question
Which of the following is an appropriate role for the board in governance?

A) Preparing written organizational policies that relate to compliance with laws, regulations, ethics, and conflicts of interest.
B) Ensuring that financial statements are understandable, transparent, and reliable.
C) Assisting the internal audit activity in performing annual reviews of governance.
D) Working with the organization's attorneys to develop a strategy regarding current litigation, pending litigation, or regulatory proceedings governance.
Question
The top three sales representatives for a company consistently include non-allowable charges on their expense reports. Line management is reluctant to deny reimbursement of the charges for fear of losing the sales representatives. This situation has the greatest negative impact on which of the following internal control components?

A) Monitoring.
B) Control environment.
C) Information and communication.
D) Control activities.
Question
According to the International Professional Practices Framework, internal auditors should possess which of the following competencies?

I. Proficiency in applying internal auditing standards, procedures, and techniques.
II. Proficiency in accounting principles and techniques.
III. An understanding of management principles.
IV. An understanding of the fundamentals of economics, commercial law, taxation, finance, and quantitative methods.
B) I only
C) II only
D) I and III only
E) I, III, and IV only
Question
In advance of a preliminary survey, a chief audit executive sends a memorandum and questionnaire to the supervisors of the department to be audited. What is the most likely result of that procedure?

A) It creates apprehension about the audit engagement.
B) It involves the engagement client's supervisory personnel in the audit.
C) It is an uneconomical approach to obtaining information.
D) It is only useful for audits of distant locations.
Question
Which of the following measurements could an auditor use in an audit of the efficiency of a motor vehicle inspection facility?

A) The total number of cars approved.
B) The ratio of cars rejected to total cars inspected.
C) The number of cars inspected per inspection agent.
D) The average amount of fees collected per cashier.
Question
A charitable organization provides substantial grants for important medical research. Assuming marginal controls are in place, which of the following possible frauds or misuses of organization assets should be considered the area of greatest risk?

A) Senior executives are using company travel and entertainment funds for activities that might be considered questionable.
B) Purchases of office supplies are made from fictitious vendors.
C) Grants are made to organizations associated with senior executives.
D) A payroll clerk has added a fictitious employee.
Question
An audit to test the system of controls over the purchase, distribution, and use of radioactive material is being conducted at a company's plants. The process is well documented, and employees in the safety department are very familiar with the department's procedures. Since the purchasing and facilities departments are involved in the process, the auditor is considering reviewing their radioactive material-handling procedures as well. The auditor should:

A) Have confidence in the rigorous and detailed safety department procedures, since that department has the main responsibility for radiation safety, and should not use audit time to review other departments.
B) Adjust the engagement schedule and budget, if needed, and interview the appropriate individuals in the purchasing and facilities departments to ascertain whether additional controls exist that complement those identified within the safety department.
C) Test the controls identified within the safety department; if results are unfavorable, the auditor should consider whether to involve the other departments.
D) Defer questions regarding purchasing, facilities, and other departments until audit projects can be scheduled for those departments.
Question
The chief audit executive should periodically report the internal audit activity's purpose, authority, responsibility, and performance, as well as significant risk exposures and control issues, to which of the following?

I. Board of directors.
II. Senior management.
III. Shareholders.
IV. External auditors.
B) II only
C) I and II only
D) I, II, and III only
E) I, III, and IV only
Question
Senior management at a financial institution has received allegations of fraud at its derivatives trading desk and has asked the internal audit activity to investigate and issue a report concerning the allegations. The internal audit activity has not yet developed sufficient proficiency regarding derivatives trading to conduct a thorough fraud investigation in this area. Which of the following courses of action should the chief audit executive (CAE) take to comply with the Standards?

A) Engage the former head of the institution's derivatives trading desk to perform the investigation and submit a report with supporting documentation to the CAE.
B) Request that senior management allow a delay of the fraud investigation until the internal audit activity's on-staff certified fraud examiner is able to obtain the appropriate training regarding the analysis of derivatives trading.
C) Request that senior management exclude the internal audit activity from the investigation completely and instead contract with an external certified fraud examiner with derivatives experience to perform all aspects of the investigation and subsequent reporting.
D) Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting, with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.
Question
In a manufacturing organization, all sales prices are determined centrally and are electronically sent to the distribution centers to update their sales price tables. Any pricing deviations must be approved by central headquarters. To determine how this process is functioning, an internal auditor should:

A) Document the flow of sales price information, and determine how the table is accessed and updated.
B) Develop a flowchart of the sales order process to determine how orders are taken and priced.
C) Identify who approves the shipment of goods and how the goods are priced.
D) Obtain a copy of the existing flowchart for the computer program to determine how price data are accessed.
Question
Which of the following describes a control weakness?

A) Purchasing procedures are well designed and are followed unless otherwise directed by the purchasing supervisor.
B) Pre-numbered blank purchase orders are secured within the purchasing department.
C) Normal operational purchases fall in the range from $500 to $1,000 with two signatures required for purchases over $1,000.
D) The purchasing agent invests in a publicly traded mutual fund that lists the stock of one of the company's suppliers in its portfolio.
Question
Which of the following best describes the most important criteria when assigning responsibility for specific tasks required in an audit engagement?

A) Auditors must be given assignments based primarily upon their years of experience.
B) All auditors assigned an audit task must have the knowledge and skills necessary to complete the task satisfactorily.
C) Tasks must be assigned to the audit team member who is most qualified to perform them.
D) All audit team members must have the skills necessary to satisfactorily complete any task that will be required in the audit engagement.
Question
An audit of the quality control department is being planned. Which of the following would least likely be used in the preparation of a preliminary survey questionnaire?

A) An analysis of quality control documents.
B) The permanent audit file.
C) The prior audit report.
D) Management's charter for the quality control department.
Question
If an engagement client's operating standards are vague and thus subject to interpretation, the auditor should:

A) Seek agreement with the client as to the standards to be used to measure operating performance.
B) Determine best practices in the area and use them as the standard.
C) Interpret the standards in their strictest sense because standards are otherwise only minimum measures of acceptance.
D) Omit any comments on standards and the client's performance in relationship to those standards, because such an analysis would be meaningless.
Question
To assure that the technical proficiency of internal auditors is appropriate for the audit engagements to be performed, a chief audit executive should:

A) Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions.
B) Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish the department's audit mission.
C) Oversee a training program that matches the actual training provided with the interests of individual auditors.
D) Require all of the audit staff to pursue a minimum number of continuing professional education hours each year.
Question
An objective for an audit of a medical research corporation is to evaluate management's controls to ensure that timely reports are submitted to sponsors of contracted research projects. In planning the audit to achieve this objective, the auditor should begin by:

A) Reviewing policies and procedures.
B) Interviewing a group of research managers.
C) Observing report preparation in a number of laboratories.
D) Sending a questionnaire to a sample of research sponsors.
Question
Which of the following would be most effective in determining if the percentage of medication orders containing errors improved after a hospital installed a computerized medication-tracking system?

A) Compare the proportion of erroneous medication orders before and after system installation for similar periods.
B) Compare the number of errors before and after system installation for similar periods.
C) Compare, after adjusting for the number of patients, the proportion of erroneous medication orders before and after system installation.
D) Compare, after adjusting for the number of patients, the number of errors before and after system installation for similar periods.
Question
An internal auditor plans to use an analytical review to verify the correctness of various operating expenses in a division. The use of an analytical review as a verification technique would not be a preferred approach if:

A) The auditor notes strong indicators of a specific fraud involving this account.
B) The company has relatively stable operations which have not changed much over the past year.
C) The auditor would like to identify large, unusual, or non-recurring transactions during the year.
D) The operating expenses vary in relation to other operating expenses, but not in relation to revenue.
Question
After several years in the engineering department, an engineer was transferred to the internal audit department. One month later, the new auditor was assigned to an assurance engagement for the engineering department. When the auditor's former engineering supervisor suggested a change in the sample selection method, the auditor consulted with the audit supervisor. They determined that the suggested method would not be as representative and that the original selection method should be used. In this situation, the auditor:

A) Maintained an independent mental attitude and is therefore objective.
B) Has subordinated professional judgment, and objectivity is therefore impaired.
C) Does not have objectivity since the auditor recently transferred from the engineering department.
D) Does not have independent organizational status since the auditor recently transferred from the engineering department.
Question
An auditor for a large wholesaler is evaluating the controls over the approval and oversight of credit sales. Which of the following procedures would be a control weakness?

A) The credit department is responsible for approving shipments to all customers.
B) The finance committee of the board of directors periodically reviews credit standards.
C) Customers who fail to meet credit requirements must pay cash for shipments upon delivery.
D) The sales department is responsible for determining the credit ratings of customers.
Question
Which of the following would be the best source of information for a chief audit executive to use in planning future audit staff requirements?

A) Discussions of audit needs with executive management and the audit committee.
B) Review of audit staff education and training records.
C) Review of audit staff size and composition of similar-sized companies in the same industry.
D) Interviews with existing audit staff.
Question
Two individuals are being considered for an audit team that is to perform a highly technical review. Which of the following situations would preclude selection of the individual for the audit due to an objectivity concern?

I. Person A is a member of the internal audit staff and has the required technical skills. Person A participated in a controls review of the system to be audited when it was being developed.
II. Person B is a technical specialist who understands the audit area but is not a member of the internal audit staff. Although person B has personal credibility in the information systems department to be audited, person B works for another department in the organization.
B) I only
C) II only
D) Both I and II.
E) Neither I nor II.
Question
Management has requested that an internal auditor serve as a member of a task force that will review current receivables practices and make recommendations to improve processes. Which of the following is the most appropriate response by the internal auditor?

A) Accept the assignment provided that such consulting services are defined in the charter.
B) Decline the assignment because participation on task forces will impair the auditor's objectivity in future audit engagements.
C) Accept the assignment if the auditor believes that it will not impair objectivity in future audit engagements.
D) Do not accept the assignment because the assignment is not part of an approved audit plan.
Question
Which of the following is not true with regard to the internal audit charter?

A) It defines the authorities and responsibilities of the internal audit activity.
B) It specifies the minimum resources needed for the internal audit activity.
C) It provides a basis for evaluating the internal audit activity.
D) It should be approved by senior management and the board.
Question
To identify those components of a telecommunications system that present the greatest risk, an internal auditor should first:

A) Review the open systems interconnect network model.
B) Identify the network operating costs.
C) Determine the business purpose of the network.
D) Map the network software and hardware products into their respective layers.
Question
Which of the following actions would be considered a violation of the Standards?

I. Drafts of engagement communications were reviewed with the audit client to obtain input. The client's comments were considered when developing the engagement final communication.
II. An auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development.
III. Given limited resources, the chief audit executive performed a risk analysis to determine which functions to audit.
B) II only
C) I and III only
D) I, II, and III.
E) None of the above.
Question
Which of the following represents the most effective governance structure?

A) Operating Executive Internal Management Auditing Responsibility for risk Oversight role Advisory role II. III. IV.
B) I Only
C) II
D) III
E) IV
Question
Which of the following would provide the most reliable information on the risk associated with an auditable activity?

A) Event scenarios with regression analysis.
B) Past audit findings and instances of management failures.
C) Consequences and economic predictability of loss.
D) Management assessment and corroboration by the internal audit activity.
Question
The primary reason that a bank would maintain a separate compliance function is to:

A) Better manage perceived high risks.
B) Strengthen controls over the bank's investments.
C) Ensure the independence of line and senior management.
D) Better respond to shareholder expectations.
Question
To promote a positive image within an organization, a chief audit executive (CAE) adjusted the audit plan to focus on assurance engagements that highlighted potential costs to be saved. Negative observations were to be omitted from engagement final communications. Which action taken by the CAE would be considered a violation of the Standards?

I. The focus of the audit function was changed without modifying the audit charter or notifying the audit committee.
II. Negative observations were omitted from the engagement final communications.
III. Cost savings and recommendations were highlighted in the engagement final communications.
B) II only
C) I and II only
D) I and III only
E) I, II, and III.
Question
Which of the following would be the most useful in developing an annual audit plan?

A) General purpose audit software.
B) Voting software and hardware.
C) Flowcharting and data capture software.
D) Risk assessment software.
Question
The primary objective of risk-based auditing is to assess the:

A) Economy of controls.
B) Compliance with controls.
C) Adequacy of controls.
D) Efficiency of controls.
Question
The chief audit executive's responsibility regarding control processes includes:

A) Assisting senior management and the audit committee in the development of an annual assessment about internal control.
B) Overseeing the establishment of internal control processes.
C) Maintaining the organization's governance processes.
D) Ensuring that the internal audit activity assesses all control processes annually.
Question
Which is the least effective form of risk management?

A) Systems-based preventive control.
B) People-based preventive control.
C) Systems-based detective control.
D) People-based detective control.
Question
During a review of data center physical security and environmental controls, an auditor should ensure that:

I. Visitors are accompanied by authorized personnel at all times.
II. Only developers and operators have access to the data center.
III. Fire suppression equipment is tested periodically.
IV. Fire and water detectors have been installed.
B) I and III only
C) II and IV only
D) I, III, and IV only
E) II, III, and IV only
Question
Inadequate risk assessment would have the strongest negative impact in which of the following phases of an audit engagement?

A) Determining the scope.
B) Reviewing internal controls.
C) Testing.
D) Evaluating findings.
Question
Regarding an organization's decision to retain an external audit firm, the chief audit executive (CAE) should:

A) Work with the organization's chief financial officer to evaluate the external auditor's performance and together make the decision.
B) Not be involved in this decision process as it would compromise the CAE's objectivity.
C) Evaluate the external auditor's performance and retain the external auditor if quality and cost criteria are met.
D) Assist the audit committee by facilitating the development of an appropriate evaluation process.
Question
At the beginning of fieldwork in an audit of investments, an internal auditor noted that the interest rate had declined significantly since the engagement work program was created. The auditor should:

A) Proceed with the existing program since this was the original scope of work that was approved.
B) Modify the audit program and proceed with the engagement.
C) Consult with management to verify the interest rate change and proceed with the engagement.
D) Determine the effect of the interest rate change and whether the program should be modified.
Question
Overall audit efficiency is enhanced between the internal and external audit functions when:

A) Internal audit coverage is reduced to avoid potential conflicts of interest.
B) Audits of the same department are conducted at different times.
C) The internal audit department reviews functions or departments prior to the external audit.
D) External audit scope is reduced based on the internal audit department's activities.
Question
In order to provide the most useful information for an organization's risk management decisions, which of the following should be assessed?

A) Risk levels for future events based on the degree of uncertainty of those events and their cost of mitigation.
B) Inherent and control risks and their impact on the extent of financial misstatements.
C) Risk levels of current and future events, their effect on the achievement of the organization's objectives, and their underlying causes.
D) Risk levels of current and future events, their impact on the organization's mission, and the potential for the elimination of existing risk factors.
Question
Which of the following would be the least desirable criteria against which to judge current operations of a company's treasury function?

A) The operations of the treasury function as documented during the last audit engagement.
B) Company policies and procedures delegating authority and assigning responsibilities.
C) Finance textbook illustrations of generally accepted good treasury function practices.
D) Codification of best practices of the treasury function in relevant industries.
Question
Which of the following is a role of the board of directors in the governance process?

A) Conduct periodic assessments of the organization's governance systems.
B) Obtain assurance concerning the effectiveness of the organization's governance systems.
C) Implement an effective system of internal controls to support the organization's governance systems.
D) Review and approve operational goals and objectives.
Question
Which of the following represents the correct order of the risk management process?

A) Resource allocation, risk management metrics, risk assessment, post-mortem analysis, effective communication.
B) Risk management metrics, resource allocation, risk assessment, effective communication, post-mortem analysis.
C) Risk assessment, resource allocation, risk governance and reporting, post-mortem analysis, feedback.
D) Resource allocation, risk monitoring, risk assessment, feedback, post-mortem analysis.
Question
The chairperson of an organization's audit committee has obtained a risk management report that identifies significant industry concerns that impact the organization. The chairperson has asked the chief audit executive (CAE) to review these concerns and advise if they are relevant to the organization. How should the CAE respond?

A) Accept the engagement but communicate only with the audit committee to protect the confidentiality of the request.
B) Decline the engagement because it is outside of the scope of the internal audit charter.
C) Decline the engagement because it impairs the internal audit activity's independence.
D) Accept the engagement but inform senior management of the request.
Question
Internal auditors can benefit from a strong relationship with the external auditors because external auditors can:

A) Provide internal auditors with an independent and knowledgeable viewpoint.
B) Concur with the internal auditors' reports and thus improve the quality of assurance provided to management.
C) Increase the effectiveness of internal control sampling techniques.
D) Assist the internal auditor by providing information obtained from similar audits with other clients.
Question
The chief audit executive for an organization has just completed a risk assessment process, identified the areas with the highest risk, and assigned an audit priority to each. Which of the following statements is true and consistent with the International Professional Practices Framework?

I. Items should be ranked in the order of quantifiable dollar exposure to the organization.
II. The audit priorities should be in order of major control deficiencies.
III. The risk assessment, though quantified, is the result of professional judgments about both exposures and probability of occurrences.

A) I only
B) III only
C) II and III only
D) I, II, and III.
Question
The audit process used by the internal audit activity of a large wholesale clothing company does not include an engagement letter or project approval document. The most serious consequence of this deficiency in the process is that the:

A) Audit schedule may not be optimal from the engagement client's perspective.
B) Audit objectives may not be understood by management of the area being audited.
C) Audit resources may not be sufficient.
D) Audit plan priority may have changed.
Question
During an audit of financial contracts, an auditor learns that a relative has a substantial loan with the organization. The auditor should:

A) Exclude the relative's information from the audited work and proceed with the audit engagement.
B) Proceed with the audit engagement but disclose in the engagement final communication that the relative is a customer.
C) Immediately withdraw from the audit engagement.
D) Notify management and the chief audit executive (CAE) and have the CAE determine whether the auditor should continue with the audit engagement.
Question
When reviewing operational risk for a department whose manager adopts a laissez-faire style of leadership, it is most important for the internal auditor to verify that:

A) Employee decisions follow department and company guidelines.
B) The manager considers employees' input when designing new procedures.
C) Employees are empowered to deal with unusual or emergency situations.
D) Management has adopted an open-door policy to assist with communication.
Question
In selecting an instructional strategy for developing internal audit staff, a chief audit executive should first review the:

A) Department's budget constraints.
B) Internal auditors' personal development needs.
C) Content of potential training courses.
D) Organization's objectives.
Question
An organization receives the most value from an internal audit activity's enterprise-wide risk assessment when the auditor:

A) Focuses primarily on enterprise-level risks.
B) Considers activities at all levels of the organization.
C) Reviews special projects and new initiatives.
D) Validates supporting financial and operational data.
Question
Internal auditors who are concerned with potential risks due to the mishandling of records or transactions should take into consideration:

A) The type and nature of the activities to be examined.
B) Whether employees in key positions of trust are bonded.
C) The history of losses suffered by the company.
D) The results of prior risk assessments.
Question
A quantitative risk assessment model has all of the following advantages except:

A) Accommodating a large number of risk factors in the assessment.
B) Providing documentation for the chief audit executive, who must defend the long-range audit plan.
C) Providing a systematic method of applying weightings to risks and priorities.
D) Removing the need for judgment on the part of the chief audit executive.
Question
Using the internal audit department to coordinate regulatory examiners' efforts is beneficial to the organization because internal auditors can:

A) Influence regulatory interpretation of law to better match corporate practice.
B) Recommend changes to the scope of the regulatory examiners' review.
C) Perform fieldwork for the regulatory examiners and thus shorten the regulatory examiners' review.
D) Supply evidence of adequate compliance testing through internal audit workpapers and reports.
Question
Noncompliance with which of the following would cause a control deficiency related to privacy protection practices?

I. An organization's internal privacy policies.
II. Financial accounting standards.
III. Privacy laws and regulations.
IV. The Standards.

A) I and III only
B) II and IV only
C) II, III, and IV only
D) I, II, III, and IV.
Question
Which of the following situations allows for the most objectivity on the part of an internal auditor?

A) Assessing testing procedures in a new computer system.
B) Performing a risk assessment of a new financial instrument.
C) Drawing conclusions from a sample of financial transactions.
D) Comparing current environmental activities against legislation.
Question
A chief audit executive would most likely use risk assessment for audit planning because it provides:

A) A systematic process for assessing and integrating professional judgment about probable adverse conditions.
B) A listing of potentially adverse effects on the organization.
C) A list of auditable activities in the organization.
D) The probability that an event or action may adversely affect the organization.
Question
A company has entered into a $20,000,000 fixed-price contract with a general contractor for the construction of a new retail outlet. For this contract, which of the following would represent the greatest risk?

A) Excessive labor charged to the project.
B) Poor physical protection of materials and equipment.
C) Failure to complete the project within budget.
D) Substitution of inferior materials.
Question
Risk assessments are valuable to the internal audit activity's planning process because they assist in:

A) Eliminating all areas with low risk from the audit plan.
B) Educating management on the importance of keeping the internal audit activity informed of organizational changes.
C) Identifying the audit universe or auditable activities that need to be reviewed.
D) Identifying risks that management and the internal auditors have overlooked.
Question
Which of the following actions by a chief audit executive would be most effective in preventing fraud?

A) Ensure that the board is aware of all fraud that has been identified or reported.
B) Train the internal audit staff in identifying fraud indicators.
C) Review the adequacy of all policies that describe prohibited activities.
D) Submit an annual report to the board on all fraud that has been detected.
Question
Which of the following is not an appropriate role of the internal audit activity in governance activities?

A) Support the board in enterprise-wide risk assessment.
B) Ensure the timely implementation of audit recommendations.
C) Monitor compliance with the organization's ethics policies.
D) Discuss areas of significant risk.
Question
Risk assessments can vary in format, but generally include:

I. A description of identified risks.
II. Tests of audit controls.
III. A system of rating risks.
IV. Sample size identification.

A) I and II only
B) I and III only
C) I, III, and IV only
D) II, III, and IV only
Question
Which of the following statements is correct regarding risk analysis?

A) The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
B) The highest risk assessment should always be assigned to the area with the largest potential loss.
C) The highest risk assessment should always be assigned to the area with the highest probability of occurrence.
D) Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
Exam 3: The Internal Audit Activity Role in Governance, Risk, and Control
1
An organization's accounts payable function improved its internal controls significantly after it received an unsatisfactory audit report. When planning a follow-up audit of the function, what level of detection risk should be expected if the audit and sampling procedures used are unchanged from the prior audit?

A) Detection risk is lower because control risk is lower.
B) Detection risk is lower because control risk is higher.
C) Detection risk is higher because control risk is lower.
D) Detection risk is unchanged although control risk is lower.
Detection risk is unchanged although control risk is lower.
2
According to the Standards, the organizational status of the internal audit activity:

A) Must be sufficient to permit the accomplishment of its audit responsibilities.
B) Is best when the reporting relationship is direct to the board of directors.
C) Requires the board's annual approval of the audit schedules, plans, and budgets.
D) Is guaranteed when the charter specifically defines its independence.
Must be sufficient to permit the accomplishment of its audit responsibilities.
3
Which of the following is an appropriate consideration by the auditor when preparing an engagement program for a human resource audit?

A) State the work steps in the form of questions.
B) Use standard audit program for HR from previous years.
C) Include in the audit program certain audit tests requested by audit client.
D) Defer preparation of the audit program after the field work.
Include in the audit program certain audit tests requested by audit client.
4
Which of the following activities most significantly increases the risk that a bank will make poor-quality loans to its customers?

A) Borrowers may not sign all required mortgage loan documentation.
B) Fees paid by the borrower at the time of the loan may not be deposited in a timely manner.
C) The bank's loan documentation may not meet the government's disclosure requirements.
D) Loan officers may override the lending criteria established by senior management.
5
Which of the following would not be a factor for senior management to consider when determining the internal audit activity's role in an organization's risk management process?

A) The extent to which the internal audit activity is outsourced.
B) The maturity level of risk management practices in the organization.
C) The competency of the internal auditors in risk management.
D) The nature of the business and the environment in which the organization operates.
6
An auditor plans to analyze customer satisfaction, including: (1) customer complaints recorded by the customer service department during the last three months; (2) merchandise returned in the last three months; and (3) responses to a survey of customers who made purchases in the last three months. Which of the following statements regarding this audit approach is correct?

A) Although useful, such an analysis does not address any risk factors.
B) The survey would not consider customers who did not make purchases in the last three months.
C) Steps 1 and 2 of the analysis are not necessary or cost-effective if the customer survey is comprehensive.
D) Analysis of three months' activity would not evaluate customer satisfaction.
7
When internal auditors perform consulting services that add value and improve an organization's operations, these services:

A) Impair the internal auditors' objectivity with respect to an assurance service involving the same engagement client.
B) Would preclude the achievement of assurance from the consulting engagement.
C) Should be consistent with the internal audit activity's empowerment reflected in the charter.
D) Impose no responsibility to communicate information other than to the engagement client.
8
Which of the following components influences the risk consciousness of an organization's people and is the basis for all other components of enterprise risk management?

A) Objective setting.
B) Information and Communication.
C) Risk Assessment.
D) Internal Environment.
9
According to the International Professional Practices Framework, which of the following is the appropriate division of responsibilities for the coordination of internal and external audit efforts?

Oversight of Work / Coordination of Activities
I. Chief audit executive / Senior management
II. Board
III. Chief financial officer
IV. Board / Chief financial officer

A) I
B) II.
C) III.
D) IV.
10
Which of the following risk assessment tools would best facilitate the matching of controls to risks?

A) Control matrix.
B) Internal control questionnaire.
C) Control flowchart.
D) Program evaluation and review technique (PERT) analysis.
11
A manufacturing firm uses hazardous materials in the production of its products. An audit of the firm's processes related to hazardous materials should include:

I. Recommending an environmental management system as part of policies and procedures.
II. Verifying the existence of tracking records for these materials from creation to destruction.
III. Using consultants to avoid self-incrimination of the firm in the event illegalities were detected in an environmental audit.
IV. Evaluating the cost provided for in an environmental liability accrual account.

A) II only
B) III and IV only
C) I, II, and IV only
D) I, III, and IV only
12
An organization that outsources much of its internal audit work to an external service provider is planning for an external quality assessment. Which of the following options would accomplish this task and be in conformance with the Standards?

A) External industry associate that performed a similar review for a supplier of the organization.
B) A team from an independent entity that previously employed the chief audit executive of the organization.
C) A team under the direction of the organization's chief audit executive with validation by a former manager of the internal audit activity.
D) The same external service provider because of its competency and experience with the organization.
13
An organization has a policy requiring two signatures on all checks written for amounts in excess of $10,000. When evaluating controls over disbursements, an auditor would conclude that a greater risk exists if:

A) The auditor located two checks for $9,000 each that contained one authorized signature.
B) The $10,000 was an immaterial amount to the organization and very few cash disbursements required an amount in excess of $10,000.
C) The director of accounting was not one of the authorized signers.
D) There were several instances in which successively numbered checks for amounts between $5,000 and $10,000 were made payable to the same vendor.
14
An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions, including the use of hedging strategies and financial derivatives, use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement?

A) Investigation of the physical security over access to the components of the LAN.
B) The ability of the LAN application to identify data items at the field or record level and implement user access security at that level.
C) Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise.
D) The level of security of other LANs in the company which also utilize sensitive data.
15
Which of the following best describes the underlying premise of the COSO enterprise risk management framework?

A) Management should set objectives before assessing risk.
B) Every entity exists to provide value for its stakeholders.
C) Policies are established to ensure that risk responses are performed effectively.
D) Enterprise risk management can minimize the impact and likelihood of unanticipated events.
16
Which of the following factors affects the control risk of a company?

A) Potential problems like technological obsolescence.
B) Unusual pressures on management.
C) Complex accounts that require expert valuations.
D) Segregation of duties.
17
During the planning phase of an audit of suspected overbilling on contracts for security services, an auditor should perform all of the following except:

A) Interviewing an official of the security services company to determine the cause of recent increases in billings for services.
B) Interviewing the manager who requested the audit engagement.
C) Obtaining a copy of the contract between the two organizations.
D) Preparing an engagement program.
18
Which of the following is an appropriate role for the board in governance?

A) Preparing written organizational policies that relate to compliance with laws, regulations, ethics, and conflicts of interest.
B) Ensuring that financial statements are understandable, transparent, and reliable.
C) Assisting the internal audit activity in performing annual reviews of governance.
D) Working with the organization's attorneys to develop a strategy regarding current litigation, pending litigation, or regulatory proceedings governance.
19
The top three sales representatives for a company consistently include non-allowable charges on their expense reports. Line management is reluctant to deny reimbursement of the charges for fear of losing the sales representatives. This situation has the greatest negative impact on which of the following internal control components?

A) Monitoring.
B) Control environment.
C) Information and communication.
D) Control activities.
20
According to the International Professional Practices Framework, internal auditors should possess which of the following competencies?

I. Proficiency in applying internal auditing standards, procedures, and techniques.
II. Proficiency in accounting principles and techniques.
III. An understanding of management principles.
IV. An understanding of the fundamentals of economics, commercial law, taxation, finance, and quantitative methods.

A) I only
B) II only
C) I and III only
D) I, III, and IV only
21
In advance of a preliminary survey, a chief audit executive sends a memorandum and questionnaire to the supervisors of the department to be audited. What is the most likely result of that procedure?

A) It creates apprehension about the audit engagement.
B) It involves the engagement client's supervisory personnel in the audit.
C) It is an uneconomical approach to obtaining information.
D) It is only useful for audits of distant locations.
22
Which of the following measurements could an auditor use in an audit of the efficiency of a motor vehicle inspection facility?

A) The total number of cars approved.
B) The ratio of cars rejected to total cars inspected.
C) The number of cars inspected per inspection agent.
D) The average amount of fees collected per cashier.
23
A charitable organization provides substantial grants for important medical research. Assuming marginal controls are in place, which of the following possible frauds or misuses of organization assets should be considered the area of greatest risk?

A) Senior executives are using company travel and entertainment funds for activities that might be considered questionable.
B) Purchases of office supplies are made from fictitious vendors.
C) Grants are made to organizations associated with senior executives.
D) A payroll clerk has added a fictitious employee.
24
An audit to test the system of controls over the purchase, distribution, and use of radioactive material is being conducted at a company's plants. The process is well documented, and employees in the safety department are very familiar with the department's procedures. Since the purchasing and facilities departments are involved in the process, the auditor is considering reviewing their radioactive material-handling procedures as well. The auditor should:

A) Have confidence in the rigorous and detailed safety department procedures, since that department has the main responsibility for radiation safety, and should not use audit time to review other departments.
B) Adjust the engagement schedule and budget, if needed, and interview the appropriate individuals in the purchasing and facilities departments to ascertain whether additional controls exist that complement those identified within the safety department.
C) Test the controls identified within the safety department; if results are unfavorable, the auditor should consider whether to involve the other departments.
D) Defer questions regarding purchasing, facilities, and other departments until audit projects can be scheduled for those departments.
25
The chief audit executive should periodically report the internal audit activity's purpose, authority, responsibility, and performance, as well as significant risk exposures and control issues, to which of the following?

I. Board of directors.
II. Senior management.
III. Shareholders.
IV. External auditors.

A) II only
B) I and II only
C) I, II, and III only
D) I, III, and IV only
26
Senior management at a financial institution has received allegations of fraud at its derivatives trading desk and has asked the internal audit activity to investigate and issue a report concerning the allegations. The internal audit activity has not yet developed sufficient proficiency regarding derivatives trading to conduct a thorough fraud investigation in this area. Which of the following courses of action should the chief audit executive (CAE) take to comply with the Standards?

A) Engage the former head of the institution's derivatives trading desk to perform the investigation and submit a report with supporting documentation to the CAE.
B) Request that senior management allow a delay of the fraud investigation until the internal audit activity's on-staff certified fraud examiner is able to obtain the appropriate training regarding the analysis of derivatives trading.
C) Request that senior management exclude the internal audit activity from the investigation completely and instead contract with an external certified fraud examiner with derivatives experience to perform all aspects of the investigation and subsequent reporting.
D) Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting, with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.
27
In a manufacturing organization, all sales prices are determined centrally and are electronically sent to the distribution centers to update their sales price tables. Any pricing deviations must be approved by central headquarters. To determine how this process is functioning, an internal auditor should:

A) Document the flow of sales price information, and determine how the table is accessed and updated.
B) Develop a flowchart of the sales order process to determine how orders are taken and priced.
C) Identify who approves the shipment of goods and how the goods are priced.
D) Obtain a copy of the existing flowchart for the computer program to determine how price data are accessed.
28
Which of the following describes a control weakness?

A) Purchasing procedures are well designed and are followed unless otherwise directed by the purchasing supervisor.
B) Pre-numbered blank purchase orders are secured within the purchasing department.
C) Normal operational purchases fall in the range from $500 to $1,000 with two signatures required for purchases over $1,000.
D) The purchasing agent invests in a publicly traded mutual fund that lists the stock of one of the company's suppliers in its portfolio.
29
Which of the following best describes the most important criteria when assigning responsibility for specific tasks required in an audit engagement?

A) Auditors must be given assignments based primarily upon their years of experience.
B) All auditors assigned an audit task must have the knowledge and skills necessary to complete the task satisfactorily.
C) Tasks must be assigned to the audit team member who is most qualified to perform them.
D) All audit team members must have the skills necessary to satisfactorily complete any task that will be required in the audit engagement.
30
An audit of the quality control department is being planned. Which of the following would least likely be used in the preparation of a preliminary survey questionnaire?

A) An analysis of quality control documents.
B) The permanent audit file.
C) The prior audit report.
D) Management's charter for the quality control department.
31
If an engagement client's operating standards are vague and thus subject to interpretation, the auditor should:

A) Seek agreement with the client as to the standards to be used to measure operating performance.
B) Determine best practices in the area and use them as the standard.
C) Interpret the standards in their strictest sense because standards are otherwise only minimum measures of acceptance.
D) Omit any comments on standards and the client's performance in relationship to those standards, because such an analysis would be meaningless.
32
To assure that the technical proficiency of internal auditors is appropriate for the audit engagements to be performed, a chief audit executive should:

A) Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions.
B) Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish the department's audit mission.
C) Oversee a training program that matches the actual training provided with the interests of individual auditors.
D) Require all of the audit staff to pursue a minimum number of continuing professional education hours each year.
33
An objective for an audit of a medical research corporation is to evaluate management's controls to ensure that timely reports are submitted to sponsors of contracted research projects. In planning the audit to achieve this objective, the auditor should begin by:

A) Reviewing policies and procedures.
B) Interviewing a group of research managers.
C) Observing report preparation in a number of laboratories.
D) Sending a questionnaire to a sample of research sponsors.
34
Which of the following would be most effective in determining if the percentage of medication orders containing errors improved after a hospital installed a computerized medication-tracking system?

A) Compare the proportion of erroneous medication orders before and after system installation for similar periods.
B) Compare the number of errors before and after system installation for similar periods.
C) Compare, after adjusting for the number of patients, the proportion of erroneous medication orders before and after system installation.
D) Compare, after adjusting for the number of patients, the number of errors before and after system installation for similar periods.
35
An internal auditor plans to use an analytical review to verify the correctness of various operating expenses in a division. The use of an analytical review as a verification technique would not be a preferred approach if:

A) The auditor notes strong indicators of a specific fraud involving this account.
B) The company has relatively stable operations which have not changed much over the past year.
C) The auditor would like to identify large, unusual, or non-recurring transactions during the year.
D) The operating expenses vary in relation to other operating expenses, but not in relation to revenue.
36
After several years in the engineering department, an engineer was transferred to the internal audit department. One month later, the new auditor was assigned to an assurance engagement for the engineering department. When the auditor's former engineering supervisor suggested a change in the sample selection method, the auditor consulted with the audit supervisor. They determined that the suggested method would not be as representative and that the original selection method should be used. In this situation, the auditor:

A) Maintained an independent mental attitude and is therefore objective.
B) Has subordinated professional judgment, and objectivity is therefore impaired.
C) Does not have objectivity since the auditor recently transferred from the engineering department.
D) Does not have independent organizational status since the auditor recently transferred from the engineering department.
37
An auditor for a large wholesaler is evaluating the controls over the approval and oversight of credit sales. Which of the following procedures would be a control weakness?

A) The credit department is responsible for approving shipments to all customers.
B) The finance committee of the board of directors periodically reviews credit standards.
C) Customers who fail to meet credit requirements must pay cash for shipments upon delivery.
D) The sales department is responsible for determining the credit ratings of customers.
38
Which of the following would be the best source of information for a chief audit executive to use in planning future audit staff requirements?

A) Discussions of audit needs with executive management and the audit committee.
B) Review of audit staff education and training records.
C) Review of audit staff size and composition of similar-sized companies in the same industry.
D) Interviews with existing audit staff.
39
Two individuals are being considered for an audit team that is to perform a highly technical review. Which of the following situations would preclude selection of the individual for the audit due to an objectivity concern?

I. Person A is a member of the internal audit staff and has the required technical skills. Person A participated in a controls review of the system to be audited when it was being developed.
II. Person B is a technical specialist who understands the audit area but is not a member of the internal audit staff. Although person B has personal credibility in the information systems department to be audited, person B works for another department in the organization.
B) I only
C) II only
D) Both I and II.
E) Neither I nor II.
40
Management has requested that an internal auditor serve as a member of a task force that will review current receivables practices and make recommendations to improve processes. Which of the following is the most appropriate response by the internal auditor?

A) Accept the assignment provided that such consulting services are defined in the charter.
B) Decline the assignment because participation on task forces will impair the auditor's objectivity in future audit engagements.
C) Accept the assignment if the auditor believes that it will not impair objectivity in future audit engagements.
D) Do not accept the assignment because the assignment is not part of an approved audit plan.
41
Which of the following is not true with regard to the internal audit charter?

A) It defines the authorities and responsibilities of the internal audit activity.
B) It specifies the minimum resources needed for the internal audit activity.
C) It provides a basis for evaluating the internal audit activity.
D) It should be approved by senior management and the board.
42
To identify those components of a telecommunications system that present the greatest risk, an internal auditor should first:

A) Review the open systems interconnect network model.
B) Identify the network operating costs.
C) Determine the business purpose of the network.
D) Map the network software and hardware products into their respective layers.
43
Which of the following actions would be considered a violation of the Standards?

I. Drafts of engagement communications were reviewed with the audit client to obtain input. The client's comments were considered when developing the engagement final communication.
II. An auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development.
III. Given limited resources, the chief audit executive performed a risk analysis to determine which functions to audit.
B) II only
C) I and III only
D) I, II, and III.
E) None of the above.
44
Which of the following represents the most effective governance structure?

A) Operating Executive Internal Management Auditing Responsibility for risk Oversight role Advisory role II. III. IV.
B) I Only
C) II
D) III
E) IV
45
Which of the following would provide the most reliable information on the risk associated with an auditable activity?

A) Event scenarios with regression analysis.
B) Past audit findings and instances of management failures.
C) Consequences and economic predictability of loss.
D) Management assessment and corroboration by the internal audit activity.
46
The primary reason that a bank would maintain a separate compliance function is to:

A) Better manage perceived high risks.
B) Strengthen controls over the bank's investments.
C) Ensure the independence of line and senior management.
D) Better respond to shareholder expectations.
47
To promote a positive image within an organization, a chief audit executive (CAE) adjusted the audit plan to focus on assurance engagements that highlighted potential costs to be saved. Negative observations were to be omitted from engagement final communications. Which action taken by the CAE would be considered a violation of the Standards?

I. The focus of the audit function was changed without modifying the audit charter or notifying the audit committee.
II. Negative observations were omitted from the engagement final communications.
III. Cost savings and recommendations were highlighted in the engagement final communications.
B) II only
C) I and II only
D) I and III only
E) I, II, and III.
48
Which of the following would be the most useful in developing an annual audit plan?

A) General purpose audit software.
B) Voting software and hardware.
C) Flowcharting and data capture software.
D) Risk assessment software.
49
The primary objective of risk-based auditing is to assess the:

A) Economy of controls.
B) Compliance with controls.
C) Adequacy of controls.
D) Efficiency of controls.
50
The chief audit executive's responsibility regarding control processes includes:

A) Assisting senior management and the audit committee in the development of an annual assessment about internal control.
B) Overseeing the establishment of internal control processes.
C) Maintaining the organization's governance processes.
D) Ensuring that the internal audit activity assesses all control processes annually.
51
Which is the least effective form of risk management?

A) Systems-based preventive control.
B) People-based preventive control.
C) Systems-based detective control.
D) People-based detective control.
52
During a review of data center physical security and environmental controls, an auditor should ensure that:

I. Visitors are accompanied by authorized personnel at all times.
II. Only developers and operators have access to the data center.
III. Fire suppression equipment is tested periodically.
IV. Fire and water detectors have been installed.
B) I and III only
C) II and IV only
D) I, III, and IV only
E) II, III, and IV only
53
Inadequate risk assessment would have the strongest negative impact in which of the following phases of an audit engagement?

A) Determining the scope.
B) Reviewing internal controls.
C) Testing.
D) Evaluating findings.
54
Regarding an organization's decision to retain an external audit firm, the chief audit executive (CAE) should:

A) Work with the organization's chief financial officer to evaluate the external auditor's performance and together make the decision.
B) Not be involved in this decision process as it would compromise the CAE's objectivity.
C) Evaluate the external auditor's performance and retain the external auditor if quality and cost criteria are met.
D) Assist the audit committee by facilitating the development of an appropriate evaluation process.
55
At the beginning of fieldwork in an audit of investments, an internal auditor noted that the interest rate had declined significantly since the engagement work program was created. The auditor should:

A) Proceed with the existing program since this was the original scope of work that was approved.
B) Modify the audit program and proceed with the engagement.
C) Consult with management to verify the interest rate change and proceed with the engagement.
D) Determine the effect of the interest rate change and whether the program should be modified.
56
Overall audit efficiency is enhanced between the internal and external audit functions when:

A) Internal audit coverage is reduced to avoid potential conflicts of interest.
B) Audits of the same department are conducted at different times.
C) The internal audit department reviews functions or departments prior to the external audit.
D) External audit scope is reduced based on the internal audit department's activities.
57
In order to provide the most useful information for an organization's risk management decisions, which of the following should be assessed?

A) Risk levels for future events based on the degree of uncertainty of those events and their cost of mitigation.
B) Inherent and control risks and their impact on the extent of financial misstatements.
C) Risk levels of current and future events, their effect on the achievement of the organization's objectives, and their underlying causes.
D) Risk levels of current and future events, their impact on the organization's mission, and the potential for the elimination of existing risk factors.
58
Which of the following would be the least desirable criteria against which to judge current operations of a company's treasury function?

A) The operations of the treasury function as documented during the last audit engagement.
B) Company policies and procedures delegating authority and assigning responsibilities.
C) Finance textbook illustrations of generally accepted good treasury function practices.
D) Codification of best practices of the treasury function in relevant industries.
59
Which of the following is a role of the board of directors in the governance process?

A) Conduct periodic assessments of the organization's governance systems.
B) Obtain assurance concerning the effectiveness of the organization's governance systems.
C) Implement an effective system of internal controls to support the organization's governance systems.
D) Review and approve operational goals and objectives.
60
Which of the following represents the correct order of the risk management process?

A) Resource allocation, risk management metrics, risk assessment, post-mortem analysis, effective communication.
B) Risk management metrics, resource allocation, risk assessment, effective communication, post-mortem analysis.
C) Risk assessment, resource allocation, risk governance and reporting, post-mortem analysis, feedback.
D) Resource allocation, risk monitoring, risk assessment, feedback, post-mortem analysis.
61
The chairperson of an organization's audit committee has obtained a risk management report that identifies significant industry concerns that impact the organization. The chairperson has asked the chief audit executive (CAE) to review these concerns and advise if they are relevant to the organization. How should the CAE respond?

A) Accept the engagement but communicate only with the audit committee to protect the confidentiality of the request.
B) Decline the engagement because it is outside of the scope of the internal audit charter.
C) Decline the engagement because it impairs the internal audit activity's independence.
D) Accept the engagement but inform senior management of the request.
62
Internal auditors can benefit from a strong relationship with the external auditors because external auditors can:

A) Provide internal auditors with an independent and knowledgeable viewpoint.
B) Concur with the internal auditors' reports and thus improve the quality of assurance provided to management.
C) Increase the effectiveness of internal control sampling techniques.
D) Assist the internal auditor by providing information obtained from similar audits with other clients.
63
The chief audit executive for an organization has just completed a risk assessment process, identified the areas with the highest risk, and assigned an audit priority to each. Which of the following statements is true and consistent with the International Professional Practices Framework?

I. Items should be ranked in the order of quantifiable dollar exposure to the organization.
II. The audit priorities should be in order of major control deficiencies.
III. The risk assessment, though quantified, is the result of professional judgments about both exposures and probability of occurrences.
B) I only
C) III only
D) II and III only
E) I, II, and III.
64
The audit process used by the internal audit activity of a large wholesale clothing company does not include an engagement letter or project approval document. The most serious consequence of this deficiency in the process is that the:

A) Audit schedule may not be optimal from the engagement client's perspective.
B) Audit objectives may not be understood by management of the area being audited.
C) Audit resources may not be sufficient.
D) Audit plan priority may have changed.
65
During an audit of financial contracts, an auditor learns that a relative has a substantial loan with the organization. The auditor should:

A) Exclude the relative's information from the audited work and proceed with the audit engagement.
B) Proceed with the audit engagement but disclose in the engagement final communication that the relative is a customer.
C) Immediately withdraw from the audit engagement.
D) Notify management and the chief audit executive (CAE) and have the CAE determine whether the auditor should continue with the audit engagement.
66
When reviewing operational risk for a department whose manager adopts a laissez-faire style of leadership, it is most important for the internal auditor to verify that:

A) Employee decisions follow department and company guidelines.
B) The manager considers employees' input when designing new procedures.
C) Employees are empowered to deal with unusual or emergency situations.
D) Management has adopted an open-door policy to assist with communication.
67
In selecting an instructional strategy for developing internal audit staff, a chief audit executive should first review the:

A) Department's budget constraints.
B) Internal auditors' personal development needs.
C) Content of potential training courses.
D) Organization's objectives.
68
An organization receives the most value from an internal audit activity's enterprise-wide risk assessment when the auditor:

A) Focuses primarily on enterprise-level risks.
B) Considers activities at all levels of the organization.
C) Reviews special projects and new initiatives.
D) Validates supporting financial and operational data.
69
Internal auditors who are concerned with potential risks due to the mishandling of records or transactions should take into consideration:

A) The type and nature of the activities to be examined.
B) Whether employees in key positions of trust are bonded.
C) The history of losses suffered by the company.
D) The results of prior risk assessments.
70
A quantitative risk assessment model has all of the following advantages except:

A) Accommodating a large number of risk factors in the assessment.
B) Providing documentation for the chief audit executive, who must defend the long-range audit plan.
C) Providing a systematic method of applying weightings to risks and priorities.
D) Removing the need for judgment on the part of the chief audit executive.
71
Using the internal audit department to coordinate regulatory examiners' efforts is beneficial to the organization because internal auditors can:

A) Influence regulatory interpretation of law to better match corporate practice.
B) Recommend changes to the scope of the regulatory examiners' review.
C) Perform fieldwork for the regulatory examiners and thus shorten the regulatory examiners' review.
D) Supply evidence of adequate compliance testing through internal audit workpapers and reports.
72
Noncompliance with which of the following would cause a control deficiency related to privacy protection practices?

I. An organization's internal privacy policies.
II. Financial accounting standards.
III. Privacy laws and regulations.
IV. The Standards.
B) I and III only
C) II and IV only
D) II, III, and IV only
E) I, II, III, and IV.
73
Which of the following situations allows for the most objectivity on the part of an internal auditor?

A) Assessing testing procedures in a new computer system.
B) Performing a risk assessment of a new financial instrument.
C) Drawing conclusions from a sample of financial transactions.
D) Comparing current environmental activities against legislation.
74
A chief audit executive would most likely use risk assessment for audit planning because it provides:

A) A systematic process for assessing and integrating professional judgment about probable adverse conditions.
B) A listing of potentially adverse effects on the organization.
C) A list of auditable activities in the organization.
D) The probability that an event or action may adversely affect the organization.
75
A company has entered into a $20,000,000 fixed-price contract with a general contractor for the construction of a new retail outlet. For this contract, which of the following would represent the greatest risk?

A) Excessive labor charged to the project.
B) Poor physical protection of materials and equipment.
C) Failure to complete the project within budget.
D) Substitution of inferior materials.
76
Risk assessments are valuable to the internal audit activity's planning process because they assist in:

A) Eliminating all areas with low risk from the audit plan.
B) Educating management on the importance of keeping the internal audit activity informed of organizational changes.
C) Identifying the audit universe or auditable activities that need to be reviewed.
D) Identifying risks that management and the internal auditors have overlooked.
77
Which of the following actions by a chief audit executive would be most effective in preventing fraud?

A) Ensure that the board is aware of all fraud that has been identified or reported.
B) Train the internal audit staff in identifying fraud indicators.
C) Review the adequacy of all policies that describe prohibited activities.
D) Submit an annual report to the board on all fraud that has been detected.
78
Which of the following is not an appropriate role of the internal audit activity in governance activities?

A) Support the board in enterprise-wide risk assessment.
B) Ensure the timely implementation of audit recommendations.
C) Monitor compliance with the organization's ethics policies.
D) Discuss areas of significant risk.
79
Risk assessments can vary in format, but generally include:

I. A description of identified risks.
II. Tests of audit controls.
III. A system of rating risks.
IV. Sample size identification.
B) I and II only
C) I and III only
D) I, III, and IV only
E) II, III, and IV only
80
Which of the following statements is correct regarding risk analysis?

A) The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
B) The highest risk assessment should always be assigned to the area with the largest potential loss.
C) The highest risk assessment should always be assigned to the area with the highest probability of occurrence.
D) Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.