What should the internal auditor’s role be in assessing the organization’s ethical climate?
- A . Perform ongoing surveys of the employees, customers, and partners of the organization to assess the organization’s ethical climate. ^Evaluate the effectiveness of the organization’s strategies and B. processes for achieving the desired level of legal and ethical compliance.
- B . Maintain a whistleblower hotline to identify inappropriate or illegal activity within the organization.
- C . Perform background checks of potential new employees before they are hired by the organization.
According to COSO, which of the following is not considered one of the components of an organization’s internal environment?
- A . Authority and responsibility to resolve issues.
- B . Framework to plan, execute and monitor activities.
- C . Integrated responses to multiple risks.
- D . Knowledge and skills needed to perform activities.
Which of the following enhances the independence of the internal audit activity?
- A . The chief audit executive (CAE) approves the annual internal audit plan.
- B . The CAE administratively reports to the board.
- C . The audit committee approves the CAE’s annual salary increase.
- D . The chief executive officer approves the internal audit charter.
A medical insurance provider uses an electronic claims-submission process and suspects that a number of physicians have submitted claims for treatments that were not performed.
Which of the following control procedures would be most effective to detect this type of fraud?
- A . Require the physician to submit a signed statement attesting that the treatments had been performed.
- B . Send confirmations to the physicians, requesting them to verify the exact nature of the claims submitted to the insurance provider.
- C . Develop an integrated test facility and submit false claims to verify that the system is detecting such claims on a consistent basis.
- D . Use computer software to identify abnormal claims based on the insured’s age and medical history.
Which of the following activities is most likely to require a fraud specialist to supplement the knowledge and skills of the internal audit activity?
- A . Planning an engagement of the area in which fraud is suspected.
- B . Employing audit tests to detect fraud.
- C . Interrogating a suspected fraudster.
- D . Completing a process review to improve controls to prevent fraud.
Non-statistical sampling does not require which of the following?
- A . The sample to be representative of the population.
- B . The sample to be selected haphazardly.
- C . A smaller sample size than if selected using statistical sampling.
- D . Projecting the results to the population.
The internal audit activity is planning a procurement audit and needs to obtain a thorough understanding of the subcontracting process, which can involve multiple individuals in multiple countries.
Which of the following internal audit tools would be most effective to document the process and the key controls?
- A . Internal control checklist.
- B . Procurement employee survey.
- C . Cross-functional flow chart.
- D . Segregation of duties matrix.
An auditor identifies three errors in the sample of 25 entries selected for review (a 12 percent error rate). Based on this result, the auditor assumes that approximately 59 of the total population of 492 entries are incorrect.
To reach this assumption, the auditor has used a technique known as which of the following?
- A . Variability tolerance.
- B . Ratio estimation.
- C . Stratification.
- D . Acceptance sampling.
Which of the following is most likely to enhance an internal auditor’s objectivity?
- A . An auditor is appropriately able to communicate results.
- B . An auditor performs his work free from interference.
- C . An auditor is unrestricted in determination of scope.
- D . An auditor avoids conflicts of interest.
According to IIA guidance, which of the following should be formally documented in the internal audit charter?
- A . The internal audit activity’s responsibility for imposing risk management processes.
- B . The internal audit activity’s responsibility for the organization’s governance framework.
- C . The nature of consulting services provided by the internal audit activity.
- D . The budgeting process for the internal audit activity.
An internal auditor wants to sample data to test an audit theory in a cost-effective way.
Which of the following sampling strategies should she use?
- A . Statistical sampling only
- B . Nonstatistical sampling only
- C . A combination of both statistical and nonstatistical sampling.
- D . Neither approach to testing the audit theory would be cost effective.
An internal auditor wants to sample data to test an audit theory in a cost-effective way.
Which of the following sampling strategies should she use?
- A . Statistical sampling only
- B . Nonstatistical sampling only
- C . A combination of both statistical and nonstatistical sampling.
- D . Neither approach to testing the audit theory would be cost effective.
An internal auditor wants to sample data to test an audit theory in a cost-effective way.
Which of the following sampling strategies should she use?
- A . Statistical sampling only
- B . Nonstatistical sampling only
- C . A combination of both statistical and nonstatistical sampling.
- D . Neither approach to testing the audit theory would be cost effective.
An internal auditor wants to sample data to test an audit theory in a cost-effective way.
Which of the following sampling strategies should she use?
- A . Statistical sampling only
- B . Nonstatistical sampling only
- C . A combination of both statistical and nonstatistical sampling.
- D . Neither approach to testing the audit theory would be cost effective.
An internal auditor wants to sample data to test an audit theory in a cost-effective way.
Which of the following sampling strategies should she use?
- A . Statistical sampling only
- B . Nonstatistical sampling only
- C . A combination of both statistical and nonstatistical sampling.
- D . Neither approach to testing the audit theory would be cost effective.
The internal audit activity’s responsibilities.
- A . 4 only.
- B . 1 and 2 only.
- C . 3 and 4.
- D . 1,2, and 3.
Which of the following would not be considered part of preliminary survey of an engagement area?
- A . Interviews with individuals affected by the entity.
- B . Functional walk through test.
- C . Analytical reviews.
- D . Sampling scope.
Which of the following would not be considered part of preliminary survey of an engagement area?
- A . Interviews with individuals affected by the entity.
- B . Functional walk through test.
- C . Analytical reviews.
- D . Sampling scope.
Which of the following would not be considered part of preliminary survey of an engagement area?
- A . Interviews with individuals affected by the entity.
- B . Functional walk through test.
- C . Analytical reviews.
- D . Sampling scope.
Which of the following would not be considered part of preliminary survey of an engagement area?
- A . Interviews with individuals affected by the entity.
- B . Functional walk through test.
- C . Analytical reviews.
- D . Sampling scope.
The internal audit charter requires the CAE to report functionally to the audit committee.
- A . 3 only
- B . 1 and 2 only
- C . 2 and 3 only
- D . 1, 2, and 3
Management would like to self-assess the overall effectiveness of the controls in place for its 200-person manufacturing department.
Which of the following client-facilitated approaches is likely to be the most efficient way to accomplish this objective?
- A . Workshops.
- B . Surveys.
- C . Interviews.
- D . Observation.
Management would like to self-assess the overall effectiveness of the controls in place for its 200-person manufacturing department.
Which of the following client-facilitated approaches is likely to be the most efficient way to accomplish this objective?
- A . Workshops.
- B . Surveys.
- C . Interviews.
- D . Observation.
Management would like to self-assess the overall effectiveness of the controls in place for its 200-person manufacturing department.
Which of the following client-facilitated approaches is likely to be the most efficient way to accomplish this objective?
- A . Workshops.
- B . Surveys.
- C . Interviews.
- D . Observation.
Management would like to self-assess the overall effectiveness of the controls in place for its 200-person manufacturing department.
Which of the following client-facilitated approaches is likely to be the most efficient way to accomplish this objective?
- A . Workshops.
- B . Surveys.
- C . Interviews.
- D . Observation.
Management would like to self-assess the overall effectiveness of the controls in place for its 200-person manufacturing department.
Which of the following client-facilitated approaches is likely to be the most efficient way to accomplish this objective?
- A . Workshops.
- B . Surveys.
- C . Interviews.
- D . Observation.
Information regarding assumptions and procedures to be employed.
- A . 1 and 4 only
- B . 2 and 3 only
- C . 1, 2, and 3 only
- D . 1, 2, 3, and 4
In the area of business acumen, which of the following competencies would be the sole responsibility of an internal audit staff member?
- A . Maintaining industry-specific knowledge appropriate to the organization.
- B . Assessing how IT contributes to organization objectives, risks, and relevance to audit.
- C . Maintaining technical aspects of accounting standards and reporting processes.
- D . Understanding regulatory and legal framework and assessing its relevance.
When developing the organization’s first risk universe, which of the following would the chief audit executive be least likely to consider?
- A . The amount of risk that an organization is willing to seek or accept.
- B . The extent and degree of interdependency for identified key risks.
- C . The boundaries established to manage the amount of risk taken.
- D . The exposure to risks following management’s risk responses.
A multinational organization has asked the internal audit activity to assist in setting up the organization’s risk management system. The chief audit executive (CAE) agrees to take on the engagement as a consultant.
Which of the following tasks is appropriate for the CAE to undertake?
- A . Coordinate and facilitate risk workshops for management to attend.
- B . Establish the degree of risk appetite for management to accept.
- C . Set risk indicators and mitigation plans for management to implement.
- D . Determine the number of significant risks for management to report to the board.
Which of the following is a common type of payroll fraud?
- A . Unauthorized overtime.
- B . Fictitious employees.
- C . Unearned bonuses or commissions.
- D . Skimming.
Which of the following types of fraud includes embezzlement?
- A . Fraudulent statements.
- B . Bribery.
- C . Misappropriation of assets.
- D . Corruption.
A furniture manufacturer has installed a new fire sprinkler system at its central warehouse and canceled the existing fire insurance policy on that property.
What change of risk response strategy does this course of action most likely reflect?
- A . From sharing to reduction.
- B . From acceptance to reduction.
- C . From sharing to avoidance.
- D . From acceptance to avoidance.
A furniture manufacturer has installed a new fire sprinkler system at its central warehouse and canceled the existing fire insurance policy on that property.
What change of risk response strategy does this course of action most likely reflect?
- A . From sharing to reduction.
- B . From acceptance to reduction.
- C . From sharing to avoidance.
- D . From acceptance to avoidance.
A furniture manufacturer has installed a new fire sprinkler system at its central warehouse and canceled the existing fire insurance policy on that property.
What change of risk response strategy does this course of action most likely reflect?
- A . From sharing to reduction.
- B . From acceptance to reduction.
- C . From sharing to avoidance.
- D . From acceptance to avoidance.
A furniture manufacturer has installed a new fire sprinkler system at its central warehouse and canceled the existing fire insurance policy on that property.
What change of risk response strategy does this course of action most likely reflect?
- A . From sharing to reduction.
- B . From acceptance to reduction.
- C . From sharing to avoidance.
- D . From acceptance to avoidance.
A furniture manufacturer has installed a new fire sprinkler system at its central warehouse and canceled the existing fire insurance policy on that property.
What change of risk response strategy does this course of action most likely reflect?
- A . From sharing to reduction.
- B . From acceptance to reduction.
- C . From sharing to avoidance.
- D . From acceptance to avoidance.
Providing a vehicle driver handbook is an example of a detective control.
- A . 1 and 2.
- B . 1 and 4.
- C . 2 and 3.
- D . 3 and 4.
Which of the following scenarios best illustrates a rationalization as the root cause of potential fraud?
- A . Managers who have been with the organization for several decades become aware that newly hired, younger managers are being moved more quickly into senior positions.
- B . The controller at a nationwide manufacturing company recently opted to no longer require two-week mandatory vacations for accounting staff.
- C . Security cameras that monitor cash handling at the register are not functioning.
- D . The organization is slowly phasing out three mature products that produce the highest commissions for the sales staff.
Who is responsible for setting the risk appetite?
- A . External auditors.
- B . Chief risk officer.
- C . Operations management.
- D . Board of directors.
Which of the following offers the best evidence that the internal audit activity has achieved organizational independence?
- A . An independent third party has assessed the organization’s system of internal controls to be adequate and effective.
- B . The chief audit executive reports both functionally and administratively to the CEO.
- C . The internal audit charter is drafted properly and approved by the appropriate parties.
- D . The mission statement and strategy of the internal audit activity demonstrates alignment to organizational objectives.
Which of the following offers the best evidence that the internal audit activity has achieved organizational independence?
- A . An independent third party has assessed the organization’s system of internal controls to be adequate and effective.
- B . The chief audit executive reports both functionally and administratively to the CEO.
- C . The internal audit charter is drafted properly and approved by the appropriate parties.
- D . The mission statement and strategy of the internal audit activity demonstrates alignment to organizational objectives.
Which of the following offers the best evidence that the internal audit activity has achieved organizational independence?
- A . An independent third party has assessed the organization’s system of internal controls to be adequate and effective.
- B . The chief audit executive reports both functionally and administratively to the CEO.
- C . The internal audit charter is drafted properly and approved by the appropriate parties.
- D . The mission statement and strategy of the internal audit activity demonstrates alignment to organizational objectives.
Which of the following offers the best evidence that the internal audit activity has achieved organizational independence?
- A . An independent third party has assessed the organization’s system of internal controls to be adequate and effective.
- B . The chief audit executive reports both functionally and administratively to the CEO.
- C . The internal audit charter is drafted properly and approved by the appropriate parties.
- D . The mission statement and strategy of the internal audit activity demonstrates alignment to organizational objectives.
Which of the following offers the best evidence that the internal audit activity has achieved organizational independence?
- A . An independent third party has assessed the organization’s system of internal controls to be adequate and effective.
- B . The chief audit executive reports both functionally and administratively to the CEO.
- C . The internal audit charter is drafted properly and approved by the appropriate parties.
- D . The mission statement and strategy of the internal audit activity demonstrates alignment to organizational objectives.
Losing bidders are hired as subcontractors.
- A . 1 only
- B . 2 only
- C . 1 and 3.
- D . 2 and 4.
Which of the following responsibilities would fall under the role of the chief audit executive, rather than internal audit staff or the audit manager?
- A . Manage and support a quality assurance and improvement program.
- B . Maintain industry-specific knowledge appropriate to the audit engagements
- C . Set clear performance standards for internal auditors and the internal audit activity.
- D . Apply problem-solving techniques for routine situations.
According to The IIA’s Code of Ethics, which of the following statements is true?
- A . When an internal auditor releases required information to a regulator, resulting in a significant loss through fines and penalties for the organization, he fails to add value.
- B . When an internal auditor limits the scope of the audit engagement after learning that management is hiding relevant information, he demonstrates integrity.
- C . When an internal auditor disagrees with the treatment received by workers in the organization’s foreign subsidiary and alters the audit program to highlight the issue, he fails to demonstrate objectivity.
- D . When an internal auditor continues with an audit engagement, despite the audit client’s claims that the work performed is unnecessary and redundant he fails to demonstrate competency.
Which of the following controls could an internal auditor reasonably conclude is effective by observing the physical controls of a large server room?
- A . Adequate signs are in place to assist in locating safety equipment.
- B . Servers are secured individually to their racks by locks.
- C . Foam fire extinguishers are operable to protect against electrical fires.
- D . Swipe card access is required to gain access to the server room.
Which of the following are generally recognized as essential elements of a corporate social responsibility program?
- A . Human rights and the environment.
- B . Organizational governance and financial reporting.
- C . Fair operating practices and government regulation.
- D . Consumer issues and return on investment.
While preparing for an audit of senior management expenses, the chief audit executive (CAE) learns that management is unable to locate a number of original expense claims to support the related disbursements. She decides to defer the engagement until they can be located.
Which of the following principles likely guided the CAE’s decision?
- A . Objectivity.
- B . Proficiency.
- C . Independence.
- D . Due professional care.
According to IIA guidance, which of the following must the internal auditor consider to meet the requirements for due professional care?
- A . The training courses necessary to enhance the internal auditor’s knowledge, skills, and other competencies.
- B . The appropriateness of assurance procedures necessary to ensure all significant risks will be identified.
- C . The use of innovative technology and data analysis techniques.
- D . The extent of work needed to achieve the engagement’s objectives.
Which of the following is not an objective of internal control?
- A . Compliance.
- B . Accuracy.
- C . Efficiency.
- D . Validation.
A headquarters-based internal auditor has been sent to a major overseas subsidiary to conduct various engagements. Initially, the internal auditor spends time to become familiar with local customs and organization’s practices while embarking on the first engagement.
Which of the following competencies does the internal auditor exercise?
- A . Communication.
- B . Persuasion and collaboration.
- C . Business acumen.
- D . Governance, risk, and control.
According to IIA guidance, which of the following statements describes one of the similarities between assurance and consulting services?
- A . When planning assurance and consulting engagements, internal auditors must consider the strategies and objectives of the activity being reviewed.
- B . Internal auditors determine the engagement objectives, scope, and work program for both assurance and consulting services.
- C . Internal auditors must not provide assurance or consulting services for an activity for which they had responsibility within the previous year.
- D . Both assurance and consulting services generally involve the internal auditor, the area under review, senior management, and the board.
An organization is beginning to implement an enterprise risk management program. One of the first steps is to develop a common risk language.
Which of the following statements about a common risk language is true?
- A . Management will be able to reduce inherent risk because they will have a better understanding of risk.
- B . Internal auditors will be able to reduce their sample sizes because controls will be more consistent.
- C . Stakeholders will have more assurance that the risks are assessed consistently.
- D . Decision makers will understand that the likelihood of missing or ineffective controls will be reduced.
Which of the following is the primary engagement responsibility of an entry-level internal auditor?
- A . Leadership.
- B . Documentation.
- C . Analysis.
- D . Reporting.
Which of the following options is the most cost-effective and efficient way for internal auditors to keep current with the latest developments in the internal audit profession?
- A . Attending annual professional conferences and seminars.
- B . Participating in on-the-job training in various departments of the organization.
- C . Pursuing as many professional certifications as possible.
- D . Maintaining membership in The HA and similar professional organizations and subscribing to relevant email updates or news feeds.
According to The MA Global Internal Audit Competency Framework, which of the following areas of training would best assist the internal audit activity in improving its use of tools and techniques?
- A . Negotiation and conflict resolution.
- B . Project management.
- C . Financial accounting.
- D . Ethics and fraud.
Forty-five percent of an organization’s customer payments are submitted online. Eight percent of online payments are rejected. Executive management decides to outsource its online payment services to a contractor that will assume 75 percent of the total value of rejected payments. The organization estimates $1.25 million customer payments due during the contract period.
Which of the following represents the organization’s residual risk for online customer payments due?
- A . $11, 250
- B . $25, 000
- C . $33, 750
- D . $45, 000
Which of the following is the most common way that occupational fraud is detected?
- A . Internal audits.
- B . Whistleblower hotline.
- C . Key controls.
- D . External audits.
An internal auditor completed an audit of a bank’s loan department and found all significant risks to be managed adequately through effective internal controls.
Which of the following would be an appropriate conclusion to report to management?
- A . The residual risk is lower than or equal to the risk appetite.
- B . The residual risk is higher than or equal to the risk appetite.
- C . The inherent risk is lower than or equal to the risk tolerance.
- D . The inherent risk is higher than or equal to the risk tolerance.
An organization is facing a financial downturn and needs to impose major budget reductions to all departments.
According to MA guidance, which of the following actions is most appropriate for the board to take to evaluate the potential impact on the internal audit activity?
- A . Ask management to determine which internal audit engagements are lower risk and could be considered for removal from the annual audit plan.
- B . Ask appropriate stakeholders for their opinion on the potential impacts of reducing the scope of the internal audit plan.
- C . Ask the chief audit executive to determine whether budgetary limitations impede the ability of the internal audit activity to execute its responsibilities.
- D . Ask The human resources department to determine how the annual compensation and salary of the audit staff could be adjusted to achieve savings.
Which of the following control activities is the most effective to ensure users’ levels of access are appropriate for their current roles?
- A . The human resources department generates a monthly list of terminated and transferred
employees and requests IT to update the user access as required. - B . Standardized user access profiles are developed and the appropriate access profiles are automatically assigned to new or transferred employees.
- C . System administrator rights are assigned to one user in each department who can update user access of terminated or transferred employees immediately.
- D . Department managers are required to perform periodic user access reviews of relevant systems and applications.
Which of the following items should the chief audit executive disclose to senior management regarding the results of the internal audit activity’s quality assessments?
- A . The internal audit activity’s plan for resource allocation.
- B . The amount of the organization’s potential loss prevented by the risk-based auditing of the internal audit activity.
- C . The number of audits from the annual internal audit plan that were completed last year.
- D . The qualifications and independence of the assessment Team.
Which of the following is an example of a management control technique?
- A . A budget.
- B . A risk assessment.
- C . The board of directors.
- D . The control environment.
An internal auditor uses a predefined macro provided in a popular spreadsheet application to verify the present value of the organization’s investments.
Which of the following is the most appropriate course of action regarding the auditor’s use of this functionality?
- A . The auditor should accept the calculations generated by the function, as any further work or documentation would be inefficient.
- B . The auditor should perform a manual recalculation of several results to validate and document the results.
- C . The auditor should review the programming of the macro before its use to ensure that it is appropriate for the required calculations.
- D . The auditor should tabulate the results in the spreadsheet to ensure the macro has generated the correct results for all calculations.
CORRECT TEXT
According to IIA guidance, which of the following scenarios demonstrates an internal auditor exercising due professional care?
When auditing investments, the auditor identified instruments with which he was unfamiliar. He decided not to select that type of investment in his sample, as he did not have the knowledge needed to
- A . perform a proper assessment.
- B . An auditor was reviewing inventory counts conducted by the warehouse staff. One truck containing an immaterial amount of inventory was off-site and wasn’t verified by the auditor.
- C . An auditor visited a plant that produces a significant portion of the organization’s inventory. The day he arrived, the plant manager was out sick, so the auditor issued the report without interviewing the manager.
- D . An auditor in charge needed to have testing completed by the end of the month, but was behind schedule. He identified a junior auditor to conduct the work for him on a complex area of the organization.
A snow removal company is conducting a scenario planning exercise where participating employees consider the potential impacts of a significant reduction in annua snowfall for the coming winter.
Which of the following best describes this type of risk?
- A . Residual.
- B . Net.
- C . Inherent.
- D . Accepted.
An internal auditor needs to recommend a policy element to be included in an organization’s code of ethics.
Which of the following recommendations would be most effective?
- A . Ethics should vary with local customs in the organization’s foreign operations.
- B . Whistleblowing should be discouraged because it can cause distrust among employees.
- C . Ethical behavior should be incorporated into performance evaluations.
- D . Senior management should be granted specific exemptions to the code of ethics.
An internal audit activity is using the auditing-by-element approach to audit the organization’s controls around corporate social responsibility.
Which of the following would be an element for the internal audit activity to consider?
- A . Working conditions.
- B . Employees’ families.
- C . Marketplace competition.
- D . Shareholders and investors.
According to IIA guidance, which of the following statements about working papers is false?
- A . They assist in the implementation of recommendations.
- B . They provide support for communication to third parties.
- C . They demonstrate compliance with auditing standards.
- D . They contribute to development of the internal audit staff.
Which of the following factors have the greatest influence on the independence of the internal audit activity?
- A . Quality assessments and cultural biases of the internal audit activity.
- B . Rotational assignments and familiarity of the internal audit activity.
- C . Employee incentives and self review of the internal audit activity.
- D . Organizational positioning and scope control of the internal audit activity.
Which of the following is a requirement for an assurance engagement that may not be for a consulting engagement?
- A . The internal audit activity has to ensure team members’ objectivity is not impaired.
- B . Auditors cannot participate in an assurance engagement of a function for which they previously performed a consulting engagement.
- C . The scope and objective of the engagement is agreed upon based on the engagement client’s needs.
- D . The internal audit activity must ensure management actions have been implemented effectively or risk accepted.
Which of the following would be the most appropriate first step for the board to take when developing an effective system of governance?
- A . Determine the organization’s overall risk appetite.
- B . Establish a governance committee.
- C . Delegate authority to members of senior management.
- D . Identify key stakeholders and their expectations.
Which of the following would be the most appropriate first step for the board to take when developing an effective system of governance?
- A . Determine the organization’s overall risk appetite.
- B . Establish a governance committee.
- C . Delegate authority to members of senior management.
- D . Identify key stakeholders and their expectations.
Which of the following would be the most appropriate first step for the board to take when developing an effective system of governance?
- A . Determine the organization’s overall risk appetite.
- B . Establish a governance committee.
- C . Delegate authority to members of senior management.
- D . Identify key stakeholders and their expectations.
Which of the following would be the most appropriate first step for the board to take when developing an effective system of governance?
- A . Determine the organization’s overall risk appetite.
- B . Establish a governance committee.
- C . Delegate authority to members of senior management.
- D . Identify key stakeholders and their expectations.
Which of the following would be the most appropriate first step for the board to take when developing an effective system of governance?
- A . Determine the organization’s overall risk appetite.
- B . Establish a governance committee.
- C . Delegate authority to members of senior management.
- D . Identify key stakeholders and their expectations.
Planning safeguards for assets in high-risk areas.
- A . 1 and 2.
- B . 1 and 3.
- C . 2 and 3.
- D . 3 and 4.
If appropriate safeguards exist, which of the following is considered a legitimate internal audit role within risk management at an organization?
- A . Imposing risk management processes.
- B . Providing consolidated reporting on risks.
- C . Taking accountability for risk management.
- D . Making decisions on risk responses.
According to COSO, which of the following describes a principle related to the control environment?
- A . The organization identifies and assesses changes that could significantly impact the system of internal control.
- B . The organization establishes appropriate authorities and responsibilities in the pursuit of objectives.
- C . The organization selects and develops control activities that contribute to the mitigation of risks.
- D . The organization performs evaluations to ascertain whether internal control components are present and functioning.
The manager for an organization’s accounts payable department resigned her post in that capacity. Three months later, she was recruited to the internal audit activity and has been working with the audit team for the last eight months.
Which of the following assignments would the newly hired internal auditor be able to execute without any impairments to independence or objectivity?
- A . An operations audit of the accounts payable department.
- B . A consulting engagement related to a new accounts payable optimization initiative.
- C . A review of the employees’ sports club finances, which are overseen by the chief audit executive.
- D . An assurance review for a sales program on which she previously provided consultation.
A chief audit executive (CAE) is reviewing the internal audit activity’s performance and is concerned that the average number of revisions to findings is steadily rising, making it increasingly difficult to trace the finding to the supporting evidence and workpapers.
According to MA guidance, which of the following elements of the internal audit activity’s quality assurance and improvement program would provide the CAE with the most helpful insight into the cause of this problem?
- A . The overall effectiveness of the internal audit activity’s periodic self assessments.
- B . The type of audit productivity and performance statistics reported.
- C . The adequacy of the day-to-day supervision and review process.
- D . The scope and frequency of external assessments.
Which of the following is most likely to be considered a control weakness?
- A . Vendor invoice payment requests are accompanied by a purchase order and receiving report.
- B . Purchase orders are typed by the purchasing department using prenumbered forms.
- C . Buyers promptly update the official vendor listing as new supplier sources become known.
- D . Department managers initiate purchase requests that must be approved by the plant superintendent.
A new director was hired to lead the internal audit activity at a small start-up company.
Which of the following assignments would impair the director’s independence?
- A . Preparing the financial statements for the company’s defined contribution plan.
- B . Performing a pre-implementation review of the company’s payroll application.
- C . Providing the COBIT framework as a possible IT management tool.
- D . Reviewing the company’s policy for foreign currency translation adjustments for compliance with accounting standards.
A credit card company detects potential errors in credit card numbers by checking whether all entered numbers contain the correct amount of digits.
This is an example of which of the following IT controls?
- A . Logic test.
- B . Check digits.
- C . Data integrity tests.
- D . Balancing control activities.
According to IIA guidance, the results of a formal quality assessment should be reported to which of the following groups?
- A . The audit committee and senior management.
- B . The audit committee and the external auditors.
- C . Senior management and management of the audited area.
- D . Senior management and the external auditors.
Which of the following documents is most appropriate in promoting the objectivity of the internal audit activity?
- A . Usage of IT system policy.
- B . Risk management framework.
- C . Acceptance of gifts policy.
- D . Personal responsibility policy.
An organization decides to take no action on one of its financial risks because the cost of implementing the control outweighs the value of the asset being protected.
Which of the following best describes this risk strategy?
- A . Risk avoidance.
- B . Risk-benefit analysis.
- C . Risk sharing.
- D . Risk acceptance.
An internal auditor in a small broadcasting organization was assigned to review the revenue collection process. The auditor discovered that some checks from three customers were never recorded in the organization’s financial records.
Which of the following documents would be the least useful for the auditor to verify the finding?
- A . Bank statements.
- B . Customer confirmation letters.
- C . Copies of sales invoices.
- D . Copies of deposit slips.
An internal auditor in a small broadcasting organization was assigned to review the revenue collection process. The auditor discovered that some checks from three customers were never recorded in the organization’s financial records.
Which of the following documents would be the least useful for the auditor to verify the finding?
- A . Bank statements.
- B . Customer confirmation letters.
- C . Copies of sales invoices.
- D . Copies of deposit slips.
An internal auditor in a small broadcasting organization was assigned to review the revenue collection process. The auditor discovered that some checks from three customers were never recorded in the organization’s financial records.
Which of the following documents would be the least useful for the auditor to verify the finding?
- A . Bank statements.
- B . Customer confirmation letters.
- C . Copies of sales invoices.
- D . Copies of deposit slips.
An internal auditor in a small broadcasting organization was assigned to review the revenue collection process. The auditor discovered that some checks from three customers were never recorded in the organization’s financial records.
Which of the following documents would be the least useful for the auditor to verify the finding?
- A . Bank statements.
- B . Customer confirmation letters.
- C . Copies of sales invoices.
- D . Copies of deposit slips.
An internal auditor in a small broadcasting organization was assigned to review the revenue collection process. The auditor discovered that some checks from three customers were never recorded in the organization’s financial records.
Which of the following documents would be the least useful for the auditor to verify the finding?
- A . Bank statements.
- B . Customer confirmation letters.
- C . Copies of sales invoices.
- D . Copies of deposit slips.
Evidence of strong access controls ensuring that authorized individuals have access only to the functions related to their responsibilities.
- A . 1 and 3.
- B . 1 and 4.
- C . 2 and 3.
- D . 2 and 4.
A fraud investigation was completed by management, and a proven fraud was communicated to relevant authorities.
According to MA guidance, which of the following roles would be most appropriate for the internal audit activity to undertake after the investigation?
- A . Plan employee sessions and team building strategies for the organization to improve awareness of fraud among employees.
- B . Review the investigation and implement any improvements to the process.
- C . Conduct lessons learned sessions to ascertain how the fraud occurred and which controls failed.
- D . Determine why The fraud was not detected earlier and design controls to strengthen early detection.
Which of the following statements is true about The IIA Global Internal Audit Competency Framework?
- A . The core competencies outlined in the framework are not expected of a person undertaking an entry-level position as an internal auditor.
- B . The framework is designed to be used primarily by chief audit executives that are developing indicators to measure the performance of the internal audit activity for which they are responsible.
- C . The framework lists the core competencies internal auditors should possess before attempting to attain The IIA’s Certified Internal Auditor certification.
- D . The framework describes competencies needed for individual internal auditors, but not those necessary at the chief audit executive level.
Which of the following is an example of a directive control?
- A . Segregation of duties.
- B . Exception reports.
- C . Incentive compensation plans.
- D . Automated reconciliations.
Which of the following is an example of a directive control?
- A . Segregation of duties.
- B . Exception reports.
- C . Incentive compensation plans.
- D . Automated reconciliations.
Which of the following is an example of a directive control?
- A . Segregation of duties.
- B . Exception reports.
- C . Incentive compensation plans.
- D . Automated reconciliations.
Which of the following is an example of a directive control?
- A . Segregation of duties.
- B . Exception reports.
- C . Incentive compensation plans.
- D . Automated reconciliations.
Which of the following is an example of a directive control?
- A . Segregation of duties.
- B . Exception reports.
- C . Incentive compensation plans.
- D . Automated reconciliations.
Identify fraud.
- A . 1 and 4.
- B . 1 and 3.
- C . 2 and 3.
- D . 3 and 4.
According to IIA guidance, which of the following best describes internal auditors’ responsibility regarding fraud?
- A . Internal auditors should take a leading role in investigating all fraud-related cases.
- B . Internal auditors must have sufficient knowledge to evaluate the risk of fraud.
- C . Internal auditors should report all fraud cases to law enforcement agents, in accordance with the Code of Ethics.
- D . Internal auditors are responsible for ensuring that fraud does not occur.
Which of the following types of social responsibilities is voluntary and guided purely by the organization’s desire to make social contributions?
- A . The bottom of the pyramid responsibility.
- B . Innovative responsibility.
- C . Ethical responsibility.
- D . Discretionary responsibility.
Which of the following combinations of conditions is most likely a red flag for fraud?
- A . The practice of surprise audits and the implementation of an employee support program.
- B . Hiring an employee with a prior fraud conviction and yearly management review.
- C . Occasional accounting department overrides and discontinuation of the anonymous fraud hotline due to infrequent use.
- D . A veteran employee in upper management experiencing financial difficulties and recently implemented enhanced controls.
According to IIA guidance, which of the following statements is true when an internal auditor performs consulting services that improve an organization’s operations?
- A . The services must be aligned with those defined in the internal audit charter.
- B . The services must not be performed by the same internal auditor who performed assurance services, in order to maintain objectivity.
- C . The services may preclude assurance services from the consulting engagement.
- D . The services impose no responsibility to communicate information other than to the engagement client.
According to IIA guidance, which of the following statements is true when an internal auditor performs consulting services that improve an organization’s operations?
- A . The services must be aligned with those defined in the internal audit charter.
- B . The services must not be performed by the same internal auditor who performed assurance services, in order to maintain objectivity.
- C . The services may preclude assurance services from the consulting engagement.
- D . The services impose no responsibility to communicate information other than to the engagement client.
According to IIA guidance, which of the following statements is true when an internal auditor performs consulting services that improve an organization’s operations?
- A . The services must be aligned with those defined in the internal audit charter.
- B . The services must not be performed by the same internal auditor who performed assurance services, in order to maintain objectivity.
- C . The services may preclude assurance services from the consulting engagement.
- D . The services impose no responsibility to communicate information other than to the engagement client.
According to IIA guidance, which of the following statements is true when an internal auditor performs consulting services that improve an organization’s operations?
- A . The services must be aligned with those defined in the internal audit charter.
- B . The services must not be performed by the same internal auditor who performed assurance services, in order to maintain objectivity.
- C . The services may preclude assurance services from the consulting engagement.
- D . The services impose no responsibility to communicate information other than to the engagement client.
According to IIA guidance, which of the following statements is true when an internal auditor performs consulting services that improve an organization’s operations?
- A . The services must be aligned with those defined in the internal audit charter.
- B . The services must not be performed by the same internal auditor who performed assurance services, in order to maintain objectivity.
- C . The services may preclude assurance services from the consulting engagement.
- D . The services impose no responsibility to communicate information other than to the engagement client.
The extent of other ongoing services that the engineer may be performing for the organization.
- A . 1 and 4 only
- B . 2 and 3 only
- C . 3 and 4 only
- D . 1, 2, and 4 only
According to the COSO enterprise risk management (ERM) framework, which of the following is not part of the new paradigm in ERM?
- A . Assessing the risk factors.
- B . Aligning risk appetite and strategy.
- C . Enhancing risk response decisions.
- D . Reducing operational surprises and losses.
According to IIA guidance, which of the following statements is true regarding periodic internal assessments of the internal audit activity?
- A . Internal assessments are conducted to benchmark the internal audit activity’s performance against industry best practices.
- B . Internal assessments must be performed at least once every five years by a qualified assessor.
- C . An internal auditor may perform a peer review of a colleague’s workpapers, as long as the auditor wasn’t involved in the audit under review.
- D . Follow-up to ensure appropriate improvements are implemented is a recommended, but not mandatory, element of internal assessments.
Given the highly technical and legal nature of privacy issues, which of the following statements best describes the internal audit activity’s responsibility with regard to assessing an organization’s privacy framework?
- A . If an organization does not have a mature privacy framework, the internal audit activity should assist in developing and implementing an appropriate privacy framework.
- B . Because the audit committee is ultimately responsible for ensuring that appropriate control processes are in place to mitigate risks associated with personal information, the internal audit activity is
- C . required to conduct privacy assessments.
- D . The internal audit activity may delegate to nonaudit IT specialists the responsibility of determining whether personal information has been secured adequately and data protection controls are sufficient.
- E . The internal audit activity should have appropriate knowledge and competence to conduct an asses …….framework.
Which of the following best demonstrates the authority of the internal audit activity?
- A . Suggesting alternatives to decision makers.
- B . Improving the integrity of information.
- C . Determining the scope of internal audit services.
- D . Achieving engagement objectives.
Which of the following would be the most important consideration by the internal audit activity when selecting employees to perform an internal quality assessment?
- A . Their understanding of auditing standards.
- B . Previous experience working with the internal audit activity.
- C . Their reporting line within the organization.
- D . The nature of their regular duties and responsibilities.
Which of the following actions best demonstrates that an internal auditor is exercising due professional care?
- A . The auditor performs thorough reviews and provides absolute assurance of regulatory compliance.
- B . The auditor is alert to the possibility of fraud and activities where irregularities are most likely to occur.
- C . The auditor recommends improvements for all of the organization’s procedures and practices.
- D . The auditor is cognizant of reducing travel expenses by combining a personal vacation with a business trip.
An internal auditor is reviewing the accounts receivable when she discovers account balances more than three years old. The auditor was previously supervising the area during this time, and she subsequently advises the chief audit executive (CAE) of a potential conflict.
Which of the following is the most appropriate course of action for the CAE to take?
- A . Replace the auditor with another audit staff member.
- B . Continue with the present auditor, as more than one year has passed.
- C . Withdraw the audit team and outsource the financial audit of the division.
- D . Work with the division’s management to resolve the situation.
An internal auditor is reviewing the accounts receivable when she discovers account balances more than three years old. The auditor was previously supervising the area during this time, and she subsequently advises the chief audit executive (CAE) of a potential conflict.
Which of the following is the most appropriate course of action for the CAE to take?
- A . Replace the auditor with another audit staff member.
- B . Continue with the present auditor, as more than one year has passed.
- C . Withdraw the audit team and outsource the financial audit of the division.
- D . Work with the division’s management to resolve the situation.
An internal auditor is reviewing the accounts receivable when she discovers account balances more than three years old. The auditor was previously supervising the area during this time, and she subsequently advises the chief audit executive (CAE) of a potential conflict.
Which of the following is the most appropriate course of action for the CAE to take?
- A . Replace the auditor with another audit staff member.
- B . Continue with the present auditor, as more than one year has passed.
- C . Withdraw the audit team and outsource the financial audit of the division.
- D . Work with the division’s management to resolve the situation.
An internal auditor is reviewing the accounts receivable when she discovers account balances more than three years old. The auditor was previously supervising the area during this time, and she subsequently advises the chief audit executive (CAE) of a potential conflict.
Which of the following is the most appropriate course of action for the CAE to take?
- A . Replace the auditor with another audit staff member.
- B . Continue with the present auditor, as more than one year has passed.
- C . Withdraw the audit team and outsource the financial audit of the division.
- D . Work with the division’s management to resolve the situation.
An internal auditor is reviewing the accounts receivable when she discovers account balances more than three years old. The auditor was previously supervising the area during this time, and she subsequently advises the chief audit executive (CAE) of a potential conflict.
Which of the following is the most appropriate course of action for the CAE to take?
- A . Replace the auditor with another audit staff member.
- B . Continue with the present auditor, as more than one year has passed.
- C . Withdraw the audit team and outsource the financial audit of the division.
- D . Work with the division’s management to resolve the situation.
The ability to recognize the existence of problems related to tax accounting.
- A . 1 and 4 only.
- B . 3 and 4 only.
- C . 2, 3, and 4 only.
- D . 1,2, 3, and 4.
According to IIA guidance, which of the following practices by the chief audit executive (CAE) best enhances the organizational independence of the internal audit activity?
- A . CAE reviews and approves the annual audit plan.
- B . CAE meets privately with The CEO at least annually.
- C . CAE meets privately with The board at least annually.
- D . CAE reports to the board regarding audit staff performance evaluation and compensation.
Evidence discovered during the course of an engagement suggests that multiple incidents
of fraud have occurred. There do not appear to be sufficient controls in place to prevent reoccurrence.
Which of the following is the internal auditor’s most appropriate next step?
- A . Immediately notify management of the area under review and the other internal auditors involved in the engagement.
- B . Discuss the situation with the engagement supervisor to determine whether fraud investigation experts are required to investigate the matter properly.
- C . Fully document in the workpapers the evidence that has been discovered and recommend appropriate controls to address the fraud.
- D . Provide the evidence that was discovered to local law enforcement for possible prosecution of the suspected fraud.
Evidence discovered during the course of an engagement suggests that multiple incidents
of fraud have occurred. There do not appear to be sufficient controls in place to prevent reoccurrence.
Which of the following is the internal auditor’s most appropriate next step?
- A . Immediately notify management of the area under review and the other internal auditors involved in the engagement.
- B . Discuss the situation with the engagement supervisor to determine whether fraud investigation experts are required to investigate the matter properly.
- C . Fully document in the workpapers the evidence that has been discovered and recommend appropriate controls to address the fraud.
- D . Provide the evidence that was discovered to local law enforcement for possible prosecution of the suspected fraud.
Evidence discovered during the course of an engagement suggests that multiple incidents
of fraud have occurred. There do not appear to be sufficient controls in place to prevent reoccurrence.
Which of the following is the internal auditor’s most appropriate next step?
- A . Immediately notify management of the area under review and the other internal auditors involved in the engagement.
- B . Discuss the situation with the engagement supervisor to determine whether fraud investigation experts are required to investigate the matter properly.
- C . Fully document in the workpapers the evidence that has been discovered and recommend appropriate controls to address the fraud.
- D . Provide the evidence that was discovered to local law enforcement for possible prosecution of the suspected fraud.
Evidence discovered during the course of an engagement suggests that multiple incidents
of fraud have occurred. There do not appear to be sufficient controls in place to prevent reoccurrence.
Which of the following is the internal auditor’s most appropriate next step?
- A . Immediately notify management of the area under review and the other internal auditors involved in the engagement.
- B . Discuss the situation with the engagement supervisor to determine whether fraud investigation experts are required to investigate the matter properly.
- C . Fully document in the workpapers the evidence that has been discovered and recommend appropriate controls to address the fraud.
- D . Provide the evidence that was discovered to local law enforcement for possible prosecution of the suspected fraud.
Evidence discovered during the course of an engagement suggests that multiple incidents
of fraud have occurred. There do not appear to be sufficient controls in place to prevent reoccurrence.
Which of the following is the internal auditor’s most appropriate next step?
- A . Immediately notify management of the area under review and the other internal auditors involved in the engagement.
- B . Discuss the situation with the engagement supervisor to determine whether fraud investigation experts are required to investigate the matter properly.
- C . Fully document in the workpapers the evidence that has been discovered and recommend appropriate controls to address the fraud.
- D . Provide the evidence that was discovered to local law enforcement for possible prosecution of the suspected fraud.
Ensure that the entire data set is tested.
- A . 1 and 2.
- B . 1 and 3.
- C . 2 and 3.
- D . 2 and 4.
What is the primary benefit to the internal audit activity for undertaking an internal quality assessment?
- A . To help the internal audit activity complete its annual assurance plan.
- B . To identify inefficiencies within the internal audit team.
- C . To help improve the overall quality of the internal audit activity’s work.
- D . To identify key risks and areas of concern within the organization.
According to IIA guidance, which of the following statements is true regarding the reporting of results from an external quality assessment of the internal audit activity?
- A . The external assessment results are reported upon completion in confidence directly to the board, and senior management is advised only of the recommendations and improvement action plans.
- B . The results of self-assessments with independent external validation are shared with the board upon completion, and monitoring of recommended improvements must be reported monthly.
- C . The external assessment results are communicated upon completion to senior management and the board, but action plans for recommended improvements do not have to be reported.
- D . The requirements for reporting quality assessment results are the same for external assessments and self-assessments with independent external validation.
A large sales organization maintains a system of internal control according to the COSO model and has updated its code of conduct.
This change relates to which component of the COSO framework?
- A . Control activities.
- B . Information and communication.
- C . Commitment.
- D . Control environment.
Which of the following techniques would provide the most compelling evidence that a safety hazard exists within a manufacturing facility?
- A . Observation of the facility during operations.
- B . Questioning of facility management, including the facility safety officer.
- C . Analysis of facility operating reports, focusing on instances when breakdowns occurred.
- D . Review of records involving safety violations, filed by facility production employees.
An IT contractor applied for an internal audit position at a bank. The contractor worked for the bank’s IT security manager two years ago.
If the audit manager interviewed the contractor and wants to extend a job offer, which of the following actions should the chief audit executive pursue?
- A . Allow the audit manager to hire the contractor and state that the individual is free to perform IT audits, including security.
- B . Not allow the audit manager to hire the contractor, as it would be a conflict of interest.
- C . Allow the audit manager to hire the contractor, but state that the individual is not allowed to work on IT security audits for one year.
- D . Not allow the audit manager to hire the contractor and ask the individual to apply again in one year.
A new internal audit activity is creating its first charter.
According to IIA guidance, which of the following objectives would be appropriate for inclusion in the charter?
- A . Continuously monitor the organization’s overall risk activities in relation to its risk appetite.
- B . Evaluate the adequacy and effectiveness of the organization’s governance activities.
- C . Oversee the establishment and administration of an effective risk management program.
- D . Assist management in implementing recommended control improvements.
An internal audit charter, approved by the board, restricts the internal audit activity to providing assurance only on the reliability of financial information and the effectiveness of internal accounting controls.
Which of the following statements is true regarding the extent to which the external auditor may rely on the internal audit activity’s work?
- A . The external auditor may make full use of the work, as the audit charter is very specific as to the work the internal audit activity may undertake.
- B . The external auditor may use the work, as the board has approved the charter, thus taking responsibility for any deficiencies.
- C . The external auditor must disregard the work, as the scope of the charter may introduce bias and result in a lack of due professional care.
- D . The external auditor may use the work with caution, due to the internal audit activity’s scope and responsibility restrictions.
An internal auditor is performing analytical reviews as part of an audit of a supermarket’s merchandising department.
Because the economy has declined since midyear, the auditor can expect to encounter which of the following?
- A . Higher inventory turnover.
- B . Higher operating margin.
- C . Lower obsolete stock disposal.
- D . Lower sales volume.
Which of the following is an example of collusion?
- A . An employee includes a faked receipt in his expense claim, and the claim is signed by the employee’s manager.
- B . A vendor inflates the price of an item and remits a portion of the excess to the purchasing manager.
- C . A vendor sends a duplicate invoice with a new invoice number, and the accounts payable system fails to detect the duplication.
- D . An employee works with the IT manager to develop a program for identifying duplicate invoice payments.
In which of the following scenarios would the chief audit executive (CAE) be required to decline the assignment?
- A . The CAE would need to procure external services to deliver the internal audit assurance program.
- B . There is no expertise within the internal audit team for detecting and investigating fraud.
- C . There is no expertise within the internal audit team for auditing an IT engagement.
- D . There is no available expertise on the internal audit team to perform a consulting engagement.
Which of the following actions should the audit committee take to promote organizational independence for the internal audit activity?
- A . Delegate final approval of the risk-based internal audit plan to the chief audit executive (CAE).
- B . Approve the annual budget and resource plan for the internal audit activity.
- C . Assist the CAE with hiring objective and competent internal audit staff.
- D . Encourage the CAE to communicate and coordinate with the external auditor.