According to the International Professional Practices Framework, which of the following situations is an indicator of a healthy relationship between the audit committee and the internal audit function?
The chief audit executive (CAE) notes that management has adopted the option of not taking action on an audit issue involving a sizeable risk which has been accepted in the past. Which would be an appropriate action by the CAE?
According to IIA guidance,when performing a compliance audit of data security standards for a large e-commerce retailer, which of the following would represent the least likely area of risk exposure?
According to the International Professional Practices Framework, which of the following would not be considered when performing an initial risk assessment in engagement planning?
An organization has acquired a new line of business. None of the organization's internal auditors have the required expertise to perform an internal audit of the new business line; therefore, the chief audit executive (CAE) has contracted the services of an external audit firm to perform the engagement. The CAE has assigned a member of the internal audit team to assist the external team with the engagement. According to the Standards, which of the following statements is true regarding supervision of the engagement?
According to the International Professional Practices Framework, the responsibility for establishing and maintaining a system to monitor the disposition of results communicated to management falls upon:
In response to an audit finding, senior management informed the auditor that the issue would be investigated and resolved when time permitted. According to the International Professional Practices Framework, this action was not acceptable because:
The chief audit executive (CAE) decided that based on management's oral response, the action taken on an audit observation for a minor improvement in the client's process is sufficient and no further follow-up is necessary. Which of the following would be the best statement regarding the action of the CAE?
Which of the following events would most likely cause the chief audit executive to consider changing the current year's audit plan?
The government announced that new regulatory requirements will be introduced in the coming years which may significantly impact the organization's primary product.
A major competitor unexpectedly introduced a new model at a lower price point to compete with the organization's market leading product.
The organization announced a new joint venture with a long time corporate partner to introduce a new product with development costs and sales beginning next fiscal year.
An equal joint venture partner filed a lawsuit against the organization and requested that the court issue an immediate suspension of future product shipments.
Which of the following statements is true?
An internal auditor compares real-time gasoline production data to corresponding final gasoline production reports and finds minor but consistent daily discrepancies. If the auditor is concerned about theft, which of the following next steps is most consistent with IIA guidance?
An organization does not have a formal risk management function. According to the Standards, which of the following are conditions where the internal audit activity (IAA) may provide risk management consulting?
1. There is a clear strategy and timeline to migrate risk management responsibility back to management.
2. The IAA has the final approval on any risk management decisions.
3. The IAA does not give objective assurance on any part of the risk management framework for which it is responsible.
4. The nature of services provided to the organization is documented in the internal audit charter.
Which of the following should be included in the scope of an audit of a third-party contractor?
1. Budgets and financial forecasts for the project.
2. Contractor's information and control systems.
3. Contractor's financial position.
4. Progress of the project and costs incurred.
When establishing the internal audit activity's annual plan, which of the following would be the best source of potential audit engagement topics?
Management requested the chief audit executive (CAE) to include an audit of the organization's health and safety program in next year's annual audit plan. However, the internal audit department has no expertise in this area. Which of the following would be the most appropriate action by the CAE?
A consumer electronics company is considering acquiring a small flash memory manufacturer. An internal auditor has been assigned to determine if the manufacturer's accounts payable contain all outstanding liabilities. Which audit procedure is not relevant for this objective?
Which of the following tasks would be considered unusual for planning a control self-assessment workshop?
An auditor-in-charge is preparing her audit team for a consulting engagement at one of the organization's foreign subsidiaries. According to the Standards, which of the following would not be a necessary step prior to beginning the engagement?
Confirmation would be most effective in addressing the existence assertion for:
Given the scarcity of internal audit resources, a chief audit executive (CAE) decides not to schedule a follow-up of audit recommendations when developing engagement work schedules. Why does the CAE’s decision violate the Standards?
In which of the following cases is it appropriate for an audit report to not contain management's response either within the report or as an attachment?
With which of the following would the internal audit activity discuss findings, conclusions and recommendations prior to issuance of internal audit report?
1. Business unit management.
2. Chief audit executive.
3. Audit committee.
4. Chief executive officer.
What type of analysis is performed when an auditor tests for unusual variations in information by comparing the number of employees working at a factory site with the direct cost of production each month over a period of one year?
The chief audit executive (CAE) of a multinational entity with highly automated and complex operations has just completed the update of the risk-based audit plan. Interviews with management revealed the introduction of new technology and a significant increase in both the number and severity of technology-based risk exposures. According to the International Professional Practices Framework, which of the following would be the best course of action for the CAE to undertake next?
An internal auditor recommended that an organization implement computerized controls in its sales system in order to prevent sales representatives from executing contracts in excess of their delegated authority levels. A follow-up review found that the sales system had not been modified, but a process had been implemented to obtain written approval by the vice president of sales for all contracts in excess of $1 million. The chief audit executive (CAE) would be justified in reporting this situation to the organization's board iF.
In the opinion of the CAE, the level of residual risk assumed by senior management is too high.
Testing of compliance with the new process finds that all new contracts in excess of $1 million have been approved by the vice president of sales.
The cost of modifying the sales system to include a preventive control is less than $100,000.
While performing a follow-up of a concern about equipment-inventory tracking, which course of action is not necessary for the auditor to take?
Because of a new marketing initiative, an organization has reduced requirements for extending credit to new customers. As a result, outstanding accounts receivable as a percentage of revenue has increased significantly during the past two years. Which of the following would be least useful in monitoring this finding?
An audit of an organization's fulfillment department discovered that problems in the order processing system led to a significant number of orders being fulfilled multiple times. During the exit conference, the head of the department informed the auditors that the processing system would be enhanced within six months to correct the problems. Which course of action should the chief audit executive follow?
An internal auditor compared the number of human resources professionals per employee with industry standards. This comparison would assist the auditor in evaluating which of the following areas?
Which of the following best describes the most important criteria when assigning responsibility for specific tasks required in an audit engagement?
Which of the following would be the least desirable criteria against which to judge current operations of an organization's treasury function?
Audit supervision includes approval of the engagement report in order to ensure that:
To furnish useful and timely information and promote improvements in operations, internal auditors should provide:
During an operational audit of a chain of pizza delivery stores, an auditor determined that cold pizzas were causing customer dissatisfaction. A review of oven calibration records for the last six months revealed that adjustments were made on over 40 percent of the ovens. Based on this, the auditor:
Which of the following situations would best support the decision of a chief audit executive (CAE) to defer follow-up activity at a branch office until the next audit engagement?
If an auditor expects to find numerous discrepancies between recorded values and audited values of sample selections, which sampling technique would be most appropriate?
An internal audit activity implemented an integrated test facility to test payroll processing. The auditors identified the key controls and processing steps built into the computer program and developed test data to test them. The auditors submitted test transactions throughout the year and did not find any differences in their test results. The auditors can conclude that:
An internal auditor is discussing an audit problem with an engagement client. While listening to the client, the internal auditor should:
An auditor prepared a workpaper that consisted of a list of employee names and identification numbers as well as the following statement:
“A statistical sample of 40 employee personnel files was selected to verify that they contain all documents required by company policy 501 (copy attached). No exceptions were noted.”
The auditor did not place any audit verification symbols on this workpaper. Which of the following changes would most improve the auditor's workpaper?
An internal auditor provided the following statement about division A's performance during the month: "Because supplies of raw material X were scarce, division A's profits declined by 15 percent."
Which of the following can be validly concluded from the auditor's statement?
I. Division A's production level declined by 15 percent.
II. Division A could have sold more products than it produced.
III. Division A usually sells all of the products that it produces.
If management expects 100 percent compliance with a procedure, which of the following sampling approaches would be most appropriate?
A company's policy requires that all customers be treated in a fair and consistent manner. Which of the following audit procedures would provide the most persuasive evidence that the policy was followed?
New credit policies have been implemented in an automated order-entry system to improve the collection of receivables. Sales management has compiled several examples that show decreased sales and delayed order entry, and contends that these examples are a direct result of the new credit-policy constraints. Sales management's data and information provide.
The balanced scorecard approach differs from traditional performance measurement approaches because it adds which of the following measures?
I. Financial measures.
II. Internal business process measures.
III. Client satisfaction measures.
IV. Innovation and learning measures.
An organization's internal auditors are reviewing production costs at a gas-powered electrical generating plant. They identify a serious problem with the accuracy of carbon dioxide emissions reported to the environmental regulatory agency, due to computer errors. The auditors should immediately report the concern to:
Which of the following would provide the best audit evidence regarding the effectiveness of an applied research department?
After partially completing an internal control review of the accounts payable department, an auditor suspects that some type of fraud has occurred. To ascertain whether the fraud is present, the best sampling approach would be to usE.
A retail company uses a computer program that matches electronic vendor invoices with the applicable purchase orders and receiving information, which are also maintained electronically.
If an invoice does not match the other items within predefined ranges, a report is generated and sent to the accounts payable department for further investigation. All of the applicable documents are electronically marked, cross-referenced, and retained in open files. Both an integrated test facility and a systems control audit review file (SCARF) have been included in the system.
An auditor wants to determine the extent to which items are not matched at year end and to investigate the potential causes of the unmatched items. Which of the following audit procedures would be most effective in determining the items to investigate?
Which of the following procedures would be most helpful in providing additional evidence when an auditor suspects that an unidentified employee is submitting and approving invoices for payment?
Which of the following is used to identify and prioritize critical business applications to determine those that must be restored and the order of restoration in the event that a disaster impairs information systems processing?
Which of the following does not represent a difficulty in using red flags as fraud indicators?
After completing a net present value (NPV) calculation on a proposed project, an analyst explores the change in NPV with changes in the interest rate. This additional analysis is referred to as:
Which of the following would be the least important reason for a company to merge with another company?
All of the following tools are employed to control large-scale projects except:
Which of the following items should be addressed in an organization's privacy statement?
Intended use of collected information.
Data storage and security.
Network/infrastructure authentication controls.
Data retention policy of the organization.
Parties authorized to access information.
After completing a fraud investigation but before publishing a formal written report, the chief audit executive should submit a draft of the final report to the organization's:
An internal auditor for a financial institution has just completed an audit of loan processing. Of the 81 loans approved by the loan committee, the auditor found seven loans which exceeded the approved amount. Which of the following actions would be inappropriate on the part of the auditor?
An auditor is performing a review of a complex process to identify opportunities to increase efficiency. What is the most practical way to document the process to identify areas of inefficiency?
A recent survey indicated that residents of a small town take the train to a nearby city eight times per month, on average. The same survey showed that the number of train trips that a resident takes per month (y) is determined by the number of days per month that the resident works in the nearby city (x), according to the equation: y = 2 + 2x. A person who never works in the nearby city is expected to take the train:
In response to an accounts receivable confirmation, a customer indicated that the invoice listed on the confirmation letter had been paid two months earlier.
This may indicate that:
Questions used to interrogate individuals suspected of fraud should:
Which of the following is an advantage of control self-assessment (CSA) over conventional auditing techniques?
Which of the following methods would an auditor most likely use to document a complex sales order process?
Senior management of an organization has requested that the internal audit activity provide ongoing internal control training for all managerial personnel. This is best addressed by:
As a result of a recent discovery of false information on employment applications, an internal auditor has reviewed hiring procedures. Which of the following represents a weakness in the control system?
I. Applicants are not required to have their signed applications legally authenticated.
II. Applicants' educational information is not validated with the educational institution before employment is offered.
III. Information related to applicants' long-term work history is not validated before employment is offered.
Recommendations should be included in the audit report in order to:
A manager of one of a retailer's several retail outlets is stealing cash from cash sales, recording the sales as accounts receivable, and subsequently writing off the fictitious accounts receivable as bad debts. Which of the following comparisons would be most effective in signaling the possibility of such a fraud?
Which of the following activities would be performed during a benchmarking consulting engagement?
I. Collect data relevant to the benchmarking process.
II. Review all business processes.
III. Define critical success factors.
IV. Identify performance gaps.
The use of standard operating procedure questionnaires in audit fieldwork can be beneficial because.
According to IIA guidance, organizations have the most influence on which element of fraud?
When creating the internal audit plan, the chief audit executive should prioritize engagements based primarily on which of the following?
Which of the following statements is true pertaining to interviewing a fraud suspect?
1. Information gathered can be subjective as well as objective to be useful.
2. The primary objective is to obtain a voluntary written confession.
3. The interviewer is likely to begin the interview with open-ended questions.
4. Video recordings always should be used to provide the highest quality evidence.
In which of the following situations would an internal auditor consider the need to outsource competencies and skills9
An internal auditor conducted interviews with several employees, documented the interviews analyzed the summaries, and drew a number of conclusions. What sort of audit evidence has the internal auditor primarily obtained?
According to IIA guidance, which of the following is true regarding audit supervision?
1. Supervision should be performed throughout the planning, examination, evaluation, communication, and follow-up stages of the audit engagement.
2. Supervision should extend to training, time reporting, and expense control, as well as administrative matters.
3. Supervision should include review of engagement workpapers, with documented evidence of the review.
Which of the following is not an outcome of control self-assessment?
Which of the following describes (he primary reason why a preliminary risk assessment is conducted during engagement planning?
Which of the following best describes how an internal auditor would use a flowchart during engagement planning?
During the filework phase of an assurance engagement the internal auditor decides that she wants to adjust the audit work program. Which of the following is the most appropriate next step for the auditor to take9
A newly promoted chief audit executive (CAE) is faced with a backlog of assurance engagement reports to review for approval. In an attempt to attach a priority for this review, the CAE scans the opinion statement on each report. According to IIA guidance, which of the following opinions would receive the lowest review priority?
1. Graded positive opinion.
2. Negative assurance opinion.
3. Limited assurance opinion.
4. Third-party opinion.
In which of the following situations would an internal control questionnaire best suit the internal auditor's purpose?
Which of the following statements is false regarding roles and responsibilities pertaining to risk management and control?
A code of business conduct should include which of the following to increase its deterrent effect?
1. Appropriate descriptions of penalties for misconduct.
2. A notification that code of conduct violations may lead to criminal prosecution.
3. A description of violations that injure the interests of the employer.
4. A list of employees covered by the code of conduct.
Management has taken immediate action to address an observation received during an audit of the organization's manufacturing process Which of the following is true regarding the validity of the observation closure?
Which of the following computerized audit tools or techniques should be used if the internal auditor wants to extract specific files and records in the database?
Which of the following components should be included in an audit finding?
1. The scope of the audit.
2. The standard(s) used by the auditor to make the evaluation.
3. The engagement's objectives.
4. The factual evidence that the internal auditor found in the course of the examination.
Which of the following should management action plans include at a minimum?