A staff auditor, nearly finished with an audit engagement, discovers that the director of marketing has a gambling habit. The gambling issue is not directly related to the existing engagement, and there is pressure to complete the current engagement. The auditor notes the problem and forwards the information to the chief audit executive, but performs no further follow-up.
Which of the following statements is true about the auditor’s actions?
- A . They are in violation of the IIA Code of Ethics because the auditor withheld meaningful information.
- B . They are in violation of the Standards because the auditor did not properly follow up on a red flag that might indicate the existence of fraud.
- C . They are in violation of neither the IIA Code of Ethics nor the Standards.
- D . They are not in violation of the Standards but are in violation of the IIA Code of Ethics.
Which of the following is a preventive control?
- A . Creating an audit trail.
- B . Placing controls on physical access to inventory.
- C . Reconciling purchase orders with approvals.
- D . Reviewing expense accounts for irregularities.
A candidate has applied for an entry level internal audit position. The candidate holds a CISA (Certified Information Systems Auditor) designation, and has six months of audit experience, but limited knowledge of accounting principles and techniques. According to the IIA guidance, which of the following is the most relevant reason for the chief audit
executive to consider this candidate?
- A . Other internal auditors possess sufficient knowledge of accounting principles and techniques.
- B . The candidate’s information systems knowledge and real-world experience in internal auditing.
- C . Accounting skills can be learned over time with appropriate training.
- D . An entry level position does not require expertise in any particular area.
The results of an internal audit activity’s (IAA) quality assurance and improvement program are favorable and an external assessment was completed within the last five years.
Which of the following statements may the IAA use to describe its work?
- A . "Completed with the advance certification of the External Assessors Association for Auditing Review."
- B . "Conforms with the International Standards for the Professional Practice of Internal Auditing."
- C . "Certified 100% accuracy, per the International Standards of External Assessment."
- D . "Compliant with all domestic and international legal statutes, and certified quality assured for ten years."
An organization has implemented a new automated payroll system that contains a table of pay rates that are matched to employee job classifications.
Which control should an internal auditor suggest in order to ensure that the table is updated correctly, and is used only for valid pay changes?
- A . Restrict data-table access from management and line supervisors who have the authority to determine pay rates.
- B . Require a supervisor in the department, who has the ability to change the table, to compare the changes to a signed management authorization.
- C . Ensure that adequate edit and reasonableness checks are built into the automated
system. - D . Require a manager, who is independent of the system and who cannot change the table, to authorize and sign-off on any employee pay changes.
According to IIA guidance, which of the following statements regarding the internal audit charter is true?
- A . Senior management should approve the charter before it is submitted to the board.
- B . The charter should describe the purpose and authority of the internal audit activity, consistent with the Standards.
- C . The charter should define the consulting services that the internal audit activity is permitted to perform.
- D . The CEO periodically should assess whether the terms of the charter continue to be adequate.
A chief audit executive (CAE) learns that the brother-in-law of a senior auditor who audits the procurement process was hired as the head of the procurement department six months prior.
Which of the following is the most appropriate action for the CAE to take?
- A . The CAE should not interfere because there is no evidence that a conflict of interest has occurred.
- B . The CAE should remind the senior auditor of his obligation to be objective and impartial.
- C . The CAE should change the senior auditor’s assignment and take corrective action for the auditor’s failure to disclose the conflict of interest.
- D . The CAE should require the senior auditor to disclose the relationship in writing before continuing his responsibility for monitoring procurement.
According to IIA guidance, which of the following objectives of an assurance engagement for the organization’s risk management process is valid?
- A . All risks have been identified and mitigated.
- B . Risks have been accurately analyzed and evaluated.
- C . All controls are both adequate and efficient.
- D . The board is appropriately addressing intolerable risks.
During an internal audit, an organization’s processing department is found to have incidences of both duplicate invoices and notices from customers that purchased goods were not received. The department under review insists that some of these reports are false and that others were isolated oversights due to understaffing.
Which of the following tests would best help the internal auditor detect fraudulent activity?
- A . Check inventory levels.
- B . Search for gaps in check numbers.
- C . Compare vendor summaries.
- D . Review raw material purchase quantities.
An internal auditor for a large retail chain suspects that a store manager has been stealing money from cash sales by listing the sales as accounts receivable and then writing off the accounts as bad debts.
Which of the following irregularities is the most likely cause of the auditor’s suspicion?
- A . A much higher bad debt expense as a percentage of sales than that of previous years.
- B . A much higher bad debt expense as a percentage of sales than that of other stores.
- C . A much higher percentage of past-due accounts receivable than that of other stores.
- D . A much higher percentage of past-due accounts receivable than that of previous years.
An internal auditor makes a series of observations when performing an analytical review of division operations. The auditor notes the following things: the current ratio is increasing and the quick ratio is decreasing, sales and current liabilities have remained constant, and the number of day sales in inventory is increasing.
Which conclusion should the auditor draw from this data?
- A . Cash or accounts receivable has decreased.
- B . The gross margin has decreased.
- C . The division produced fewer items this year than in prior years.
- D . The gross margin has increased.
An internal auditor would like to identify the involvement of various organizational units in handling employee travel reimbursement claims.
Which of the following methods would be most effective and efficient in completing this task?
- A . Process mapping.
- B . Interviewing.
- C . Monitoring.
- D . Distributing questionnaires.
Allegations have been made that an organization’s share price has been manipulated.
Which of the following would provide an internal auditor with the most objective evidence in this case?
- A . Major shareholders of the organization.
- B . Large customers of the organization.
- C . Former members of management.
- D . Former financial consultants.
Which of the following best describes the assessment of risks?
- A . Assess the actions necessary to reduce the likelihood and/or impact of risk to tolerable levels.
- B . Assess the likelihood and/or impact of risk on the achievement of organizational objectives.
- C . Assess the amount of risk an organization can accept while pursuing its objectives.
- D . Assess alternative strategies to reduce or eliminate major risks.
Which of the following is not a standard technique that the chief audit executive (CAE) would use to provide evidence of supervisory review of working papers?
- A . The CAE initials and dates every working paper after it has been reviewed.
- B . The CAE completes an engagement working paper checklist.
- C . The CAE prepares a memorandum discussing the results of the working paper review.
- D . The CAE utilizes an external third party to make an objective recommendation after each working paper review.
Why are preventative controls generally preferred to detective controls?
- A . Because preventive controls promote doing the right thing in the first place, and lessen the need for corrective action.
- B . Because preventive controls are more sensitive and identify more exceptions than detective controls.
- C . Because preventive controls include output procedures, which cover the full range of possible reviews, reconciliations and analysis.
- D . Because preventive controls identify exceptions after-the-fact, allowing them to be used after the entire review is complete and therefore finding exceptions that detective controls may have missed.
Which of the following best ensures an internal audit activity has the ability to render impartial and unbiased assessments?
- A . Organizational status and objectivity.
- B . Supervision of the chief audit executive (CAE) by senior management.
- C . Organizational knowledge and skills.
- D . CAE certification.
Which of the following actions indicates a lack of due professional care by an internal auditor performing an audit of a store’s cash function?
- A . The audit report included a well-supported recommendation for a reduction in staff even though such a reduction might adversely impact morale.
- B . The auditor tested samples of transactions to test the cash function’s process flows.
- C . After determining that the cash function internal controls were strong, the audit report assured senior management that fraud was not present.
- D . The auditor discovered an instance of potential fraud and reported it immediately to management, but did not alert authorities outside the organization.
While attending a conference, an internal auditor won an all-expense paid trip sponsored by a vendor of the internal auditor’s organization.
Which of the following actions are most appropriate for the auditor to take?
- A . Consult with an immediate supervisor and notify the organization’s audit committee.
- B . Consult with an immediate supervisor and review the organization’s ethics policy.
- C . Give the prize to a friend or family member and notitfy the organization’s audit committee.
- D . Give the prize to a friend or family member and review the organization’s ethics policy.
While attending a conference, an internal auditor won an all-expense paid trip sponsored by a vendor of the internal auditor’s organization.
Which of the following actions are most appropriate for the auditor to take?
- A . Consult with an immediate supervisor and notify the organization’s audit committee.
- B . Consult with an immediate supervisor and review the organization’s ethics policy.
- C . Give the prize to a friend or family member and notitfy the organization’s audit committee.
- D . Give the prize to a friend or family member and review the organization’s ethics policy.
While attending a conference, an internal auditor won an all-expense paid trip sponsored by a vendor of the internal auditor’s organization.
Which of the following actions are most appropriate for the auditor to take?
- A . Consult with an immediate supervisor and notify the organization’s audit committee.
- B . Consult with an immediate supervisor and review the organization’s ethics policy.
- C . Give the prize to a friend or family member and notitfy the organization’s audit committee.
- D . Give the prize to a friend or family member and review the organization’s ethics policy.
While attending a conference, an internal auditor won an all-expense paid trip sponsored by a vendor of the internal auditor’s organization.
Which of the following actions are most appropriate for the auditor to take?
- A . Consult with an immediate supervisor and notify the organization’s audit committee.
- B . Consult with an immediate supervisor and review the organization’s ethics policy.
- C . Give the prize to a friend or family member and notitfy the organization’s audit committee.
- D . Give the prize to a friend or family member and review the organization’s ethics policy.
While attending a conference, an internal auditor won an all-expense paid trip sponsored by a vendor of the internal auditor’s organization.
Which of the following actions are most appropriate for the auditor to take?
- A . Consult with an immediate supervisor and notify the organization’s audit committee.
- B . Consult with an immediate supervisor and review the organization’s ethics policy.
- C . Give the prize to a friend or family member and notitfy the organization’s audit committee.
- D . Give the prize to a friend or family member and review the organization’s ethics policy.
Cost of the engagement versus the potential benefits.
- A . 1 and 4 only
- B . 2 and 3 only
- C . 2, 3, and 4 only
- D . 1, 2, 3, and 4
Which of the following is the most significant disadvantage of using checklists to evaluate internal controls?
- A . They serve as a reminder of what controls should exist in a process.
- B . They require yes/no responses to specific questions, not open-ended responses.
- C . They do not capture all controls that may exist.
- D . They are useful in assessing risk.
An internal auditor notes that employees are able to download files from the internet. According to IIA guidance, which of the following strategies would best protect the organization from the risk of copyright infringement and licensing violations resulting from this practice?
- A . Apply antivirus and patch management software.
- B . Utilize dedicated and encrypted network connections.
- C . Install a software inventory management application.
- D . Utilize secure socket layer encryption.
An internal auditor notes that employees are able to download files from the internet. According to IIA guidance, which of the following strategies would best protect the organization from the risk of copyright infringement and licensing violations resulting from this practice?
- A . Apply antivirus and patch management software.
- B . Utilize dedicated and encrypted network connections.
- C . Install a software inventory management application.
- D . Utilize secure socket layer encryption.
An internal auditor notes that employees are able to download files from the internet. According to IIA guidance, which of the following strategies would best protect the organization from the risk of copyright infringement and licensing violations resulting from this practice?
- A . Apply antivirus and patch management software.
- B . Utilize dedicated and encrypted network connections.
- C . Install a software inventory management application.
- D . Utilize secure socket layer encryption.
An internal auditor notes that employees are able to download files from the internet. According to IIA guidance, which of the following strategies would best protect the organization from the risk of copyright infringement and licensing violations resulting from this practice?
- A . Apply antivirus and patch management software.
- B . Utilize dedicated and encrypted network connections.
- C . Install a software inventory management application.
- D . Utilize secure socket layer encryption.
Justified and necessary, according to the IIA Code of Ethics and Standards.
- A . 1 only
- B . 2 only
- C . 3 only
- D . 1 and 2 only
Justified and necessary, according to the IIA Code of Ethics and Standards.
- A . 1 only
- B . 2 only
- C . 3 only
- D . 1 and 2 only
Justified and necessary, according to the IIA Code of Ethics and Standards.
- A . 1 only
- B . 2 only
- C . 3 only
- D . 1 and 2 only
Justified and necessary, according to the IIA Code of Ethics and Standards.
- A . 1 only
- B . 2 only
- C . 3 only
- D . 1 and 2 only
Justified and necessary, according to the IIA Code of Ethics and Standards.
- A . 1 only
- B . 2 only
- C . 3 only
- D . 1 and 2 only
End user security is inadvertently granted to an unauthorized individual by management.
- A . 1 and 3.
- B . 1 and 4.
- C . 2 and 3.
- D . 2 and 4.
Which of the following would not be a red flag for fraud?
- A . Several recent, large expenditures to a new vendor have not been documented.
- B . A manager has bragged about multiple extravagant vacations taken within the last year, which are excessive relative to the manager’s salary.
- C . A weak control environment has been accepted by management to encourage creativity.
- D . New employees occasionally fail to meet established project deadlines due to staffing shortages.
Which of the following is the most effective strategy to manage the risk of foreign exchange losses due to sales to foreign customers?
- A . Hire a risk consultant.
- B . Implement a hedging strategy.
- C . Maintain a large foreign currency balance.
- D . Insist that customers only pay in a stable currency.
When conducting an interview, an internal auditor is most likely to ask open-ended questions in order to:
- A . Obtain specific answers and maximize efficiency.
- B . Gather factual data on several different topics.
- C . Determine agreement or disagreement with a stated viewpoint.
- D . Obtain information based on the person’s own perspective.
Which of the following scenarios would represent the greatest threat to the authority of the internal audit activity (IAA)?
- A . A change was implemented requiring the IAA to report administratively to the organization’s chief legal counsel rather than the board.
- B . Responsibility for risk management processes were removed from the IAA and placed
under a newly created chief risk officer. - C . The IAA was denied access to expenditure and budget requirement reports because the reports were considered to be financial administrative matters.
- D . An internal auditor was informed by the chief financial officer that client survey results would be unfavorable unless the auditor changed a finding in the report.
According to IIA guidance, which of the following best describes processes and tools typically used in ongoing internal assessments?
- A . Benchmarking of the internal audit activity’s practices and performance.
- B . Report of internal assessment results, response plans, and outcomes.
- C . Analysis of performance metrics such as cycle times.
- D . Self-assessments and surveys of stakeholder groups.
What type of risk management strategy is being employed when an organization installs two firewalls to provide protection from unauthorized access to the network?
- A . Diversifying the risk that network access will not be available to legitimate, authorized users.
- B . Accepting the risk that there may be attempts at unauthorized access to the network.
- C . Avoiding the risk of having a direct network connection to un-trusted networks.
- D . Sharing the risk that either firewall could be compromised by hackers.
According to IIA guidance, which of the following individuals would best be considered independent for the purpose of participating in an external assessment of the quality assurance and improvement program for an internal audit activity (IAA)?
- A . A former employee knowledgeable of the IAA who resigned three years earlier from the organization.
- B . A competent employee of an independent external organization that provides co-sourcing services to the IAA.
- C . An employee in an affiliated organization who has never worked directly with the IAA.
- D . An employee in the parent organization who has not had any previous contact with the IAA.
Which of the following is an example of a transaction-level control?
- A . Human resource policies.
- B . Tone at the top.
- C . Reconciliations of primary accounts.
- D . Inventory counts.
Which of the following would provide the best guidance to a chief audit executive who is setting internal audit staff requirements?
- A . A review of audit staff education and training records.
- B . Information about the audit staff size and composition of comparable organizations.
- C . Results from discussions of audit needs with executive management and the audit committee.
- D . The results of the audit staff’s most recent performance reviews.
What is the primary purpose of a fishbone diagram?
- A . To depict the areas of responsibility for departments in an organization.
- B . To plan and control complex projects, such as internal audits.
- C . To represent the frequencies of adverse conditions in a given process.
- D . To identify the possible causes of adverse conditions.
During an internal audit, the internal auditor compares the employee turnover rate in the area being audited with the employee turnover rate in the organization as a whole.
This is an example of which of the following analytical auditing procedures?
- A . Reasonableness test.
- B . Regression analysis.
- C . Benchmarking.
- D . Trend analysis.
Which of the following is not one of the 10 core competencies identified in the IIA Competency Framework?
- A . Governance, risk, and control.
- B . Performance management.
- C . Business acumen.
- D . Internal audit delivery.
A manufacturing organization discovers that the waste water released has failed to meet permitted limits.
Which control function will be least effective in correcting the issue?
- A . Performing a chemical analysis of the water, prior to discharge, for components specified in the permit.
- B . Posting signs that tell employees which substances may be disposed of via sinks and floor drains within the facility.
- C . Diluting pollutants by flushing sinks and floor drains daily with large volumes of clean water.
- D . Establishing a preventive maintenance program for the pretreatment system.
If an engagement client disputes that a specific action or process is within the scope of the internal audit activity, what would be the most appropriate way for the internal audit activity (IAA) to respond?
- A . Terminate the audit engagement in full because an operational audit will not be productive without the client’s cooperation.
- B . Terminate only the specific action or process with which the client disagrees and work to determine a substitute function that will not impede further IAA or the client-audit relationship.
- C . Refer the client to the IAA’s charter and the approved yearly audit plan, which includes the areas designated for audit in the current time period.
- D . Seek the approval of senior management or the board in mediation, allowing an overseer to clarify the scope of the audit engagement for the client.
In which of the following scenarios would a customer service hotline receive a high volume of complaints regarding payments not being applied to customers’ accounts?
- A . Invoices are not being mailed to customers.
- B . An employee is tampering with customer checks.
- C . Employees are submitting fraudulent expense reports.
- D . The customer service department is not forwarding complaints to the accounts
receivable department.
After being terminated due to downsizing, an internal auditor finds a different job with an organization in the same industry.
Which of the following actions would violate the IIA Code of Ethics?
- A . To determine audit priorities in the new job, the auditor uses the audit risk approach that the auditor’s previous employer used, without receiving permission to do so.
- B . At the new organization, the auditor is asked to develop forms to implement probability-proportional-to-size sampling. Although unsure of how to perform this type of sampling, the auditor proceeds without asking for assistance.
- C . In preparing for an audit at the previous organization, the auditor had conducted a great deal of research on the Internet at home to identify best practices for the management of a treasury function. The auditor has retained much of the research and uses it to conduct an audit of the new employer’s treasury function.
- D . In the first week at the new organization, the auditor discovers a high fraud risk surrounding the organization’s database and suggests that the information technology department implement a new password system to prevent fraudulent actions before they occur.
The director of purchasing, a certified internal auditor (CIA), signs a contract to procure a large order from a supplier whose products provide the best price, quality, and performance. A few days after signing the contract, the supplier presents the CIA with $1, 000 as a gift.
Which statement regarding acceptance of the money is correct?
- A . Accepting the money would be prohibited only if it were non-customary.
- B . Accepting the money would violate the IIA Code of Ethics.
- C . Because the CIA is not acting as an internal auditor, accepting the money would be governed only by the organization’s code of conduct.
- D . Because the contract was signed before the money was offered, accepting the money would not violate the IIA Code of Ethics.
Which of the following statements is true regarding the use of non-statistical sampling in auditing control tests?
- A . It considers tolerable deviation rate more effectively than does statistical sampling.
- B . Sampling risk will be accurately quantified through non-statistical sampling.
- C . Non-statistical sample results must be projected to the population.
- D . Lesser evidence is required to support a conclusion than for statistical sampling.
According to IIA guidance, which of the following statements is false regarding continuing professional education for the internal audit activity (IAA)?
- A . Continuing professional education can be obtained through IAA involvement in research projects.
- B . Employers are responsible for ensuring that the continuing professional education needs of the IAA are met.
- C . Completion of self-study courses fulfills IAA continuing professional education requirements.
- D . Specialized education that meets unique organizational needs cannot qualify as IAA professional development.
The last quality assessment of the internal audit activity identified three areas for improvement: the achievement of audit engagement objectives, quality of work, and staff development.
According to IIA guidance, which of the following should be the chief audit executive’s primary focus to achieve these recommended improvements?
- A . Demonstrated compliance with procedures.
- B . Due professional care.
- C . Engagement supervision.
- D . Employment of tools and techniques.
The chief audit executive (CAE) has been asked to manage the regulatory compliance function for the organization’s retail store operations. Store operations are included in the annual audit plan.
Which of the following strategies best fulfills the requirements of the Standards regarding these audits?
- A . The scope of store operations audits should exclude compliance.
- B . Store operations audits can be fully executed with appropriate disclosure to the board.
- C . Store operations audits should be performed by an external service provider.
- D . A store operations compliance audit should be performed by a staff internal auditor under the direction of the CAE.
Which of the following conditions is the most likely indicator of fraud?
- A . Commissions are paid based on verified increases to sales.
- B . Departmental reports are consistently issued in an untimely manner.
- C . A manager regularly assumes subordinates’ duties.
- D . Lower earnings occur during the industry’s down cycle.
Which of the following conditions is the most likely indicator of fraud?
- A . Commissions are paid based on verified increases to sales.
- B . Departmental reports are consistently issued in an untimely manner.
- C . A manager regularly assumes subordinates’ duties.
- D . Lower earnings occur during the industry’s down cycle.
Which of the following conditions is the most likely indicator of fraud?
- A . Commissions are paid based on verified increases to sales.
- B . Departmental reports are consistently issued in an untimely manner.
- C . A manager regularly assumes subordinates’ duties.
- D . Lower earnings occur during the industry’s down cycle.
Which of the following conditions is the most likely indicator of fraud?
- A . Commissions are paid based on verified increases to sales.
- B . Departmental reports are consistently issued in an untimely manner.
- C . A manager regularly assumes subordinates’ duties.
- D . Lower earnings occur during the industry’s down cycle.
Which of the following conditions is the most likely indicator of fraud?
- A . Commissions are paid based on verified increases to sales.
- B . Departmental reports are consistently issued in an untimely manner.
- C . A manager regularly assumes subordinates’ duties.
- D . Lower earnings occur during the industry’s down cycle.
Control activities.
- A . 1 and 3 only
- B . 1 and 4 only
- C . 2 and 3 only
- D . 2 and 4 only
A new chief audit executive (CAE) of a large internal audit activity (IAA) is dissatisfied with the current amount and quality of training being provided to the staff and wishes to implement improvements.
According to IIA guidance, which of the following actions would best help the CAE reach this objective?
- A . Require that all staff obtain a minimum of two relevant audit certifications.
- B . Perform a gap analysis of the IAA’s existing knowledge, skills and competencies.
- C . Engage a consultant to benchmark the IAA’s training program against its peers.
- D . Assign one experienced manager to better coordinate staff training and development activities.
During an account receivables audit, an internal auditor found a significant number of input errors resulting in a $500, 000 balance understatement.
Which of the following is the most important question the internal auditor should ask to develop an appropriate recommendation for this finding?
- A . Who?
- B . How?
- C . Why?
- D . When?
An internal audit manager of a furniture manufacturing organization is planning an audit of the procurement process for kiln-dried wood. The procurement department maintains six procurement officers to manage 24 different suppliers used by the organization.
Which of the following controls would best mitigate the risk of employees receiving kickbacks from suppliers?
- A . The periodic rotation of procurement officers’ assignments to supplier accounts.
- B . A pre-award financial capacity analysis of suppliers.
- C . An automated computer report, organized by supplier, of any invoices for the same amount.
- D . Periodic inventories of kiln-dried wood at the organization’s warehouse.
An internal audit manager of a furniture manufacturing organization is planning an audit of the procurement process for kiln-dried wood. The procurement department maintains six procurement officers to manage 24 different suppliers used by the organization.
Which of the following controls would best mitigate the risk of employees receiving kickbacks from suppliers?
- A . The periodic rotation of procurement officers’ assignments to supplier accounts.
- B . A pre-award financial capacity analysis of suppliers.
- C . An automated computer report, organized by supplier, of any invoices for the same amount.
- D . Periodic inventories of kiln-dried wood at the organization’s warehouse.
An internal audit manager of a furniture manufacturing organization is planning an audit of the procurement process for kiln-dried wood. The procurement department maintains six procurement officers to manage 24 different suppliers used by the organization.
Which of the following controls would best mitigate the risk of employees receiving kickbacks from suppliers?
- A . The periodic rotation of procurement officers’ assignments to supplier accounts.
- B . A pre-award financial capacity analysis of suppliers.
- C . An automated computer report, organized by supplier, of any invoices for the same amount.
- D . Periodic inventories of kiln-dried wood at the organization’s warehouse.
An internal audit manager of a furniture manufacturing organization is planning an audit of the procurement process for kiln-dried wood. The procurement department maintains six procurement officers to manage 24 different suppliers used by the organization.
Which of the following controls would best mitigate the risk of employees receiving kickbacks from suppliers?
- A . The periodic rotation of procurement officers’ assignments to supplier accounts.
- B . A pre-award financial capacity analysis of suppliers.
- C . An automated computer report, organized by supplier, of any invoices for the same amount.
- D . Periodic inventories of kiln-dried wood at the organization’s warehouse.
An internal audit manager of a furniture manufacturing organization is planning an audit of the procurement process for kiln-dried wood. The procurement department maintains six procurement officers to manage 24 different suppliers used by the organization.
Which of the following controls would best mitigate the risk of employees receiving kickbacks from suppliers?
- A . The periodic rotation of procurement officers’ assignments to supplier accounts.
- B . A pre-award financial capacity analysis of suppliers.
- C . An automated computer report, organized by supplier, of any invoices for the same amount.
- D . Periodic inventories of kiln-dried wood at the organization’s warehouse.
They can rely on evidence taken from the work of other assurance activities across the organization.
- A . 1 and 2.
- B . 1 and 3.
- C . 2 and 3.
- D . 3 and 4.
An organization’s chief audit executive (CAE) determines that the internal audit staff does not have the requisite skills to conduct an audit of the financial derivatives area.
Which of the following would be the best course of action for the CAE to follow?
- A . Outsource the audit engagement to a qualified external auditing firm without burdening the audit committee with the decision.
- B . Determine the requisite knowledge needed, and obtain the proper training for auditors, even if the training will significantly push back the project’s timeframe as outlined by the audit committee.
- C . Notify the audit committee of the problem, and assign the most competent auditors on staff to perform the audit engagement.
- D . Employ the skills of a financial derivatives expert to consult on the project, and supplement the consulting with a local seminar on financial derivatives.
This chief audit executive (CAE) engaged an internal auditor to consult on an organization’s complex information technology system. Shortly after beginning the engagement, the auditor unexpectedly resigned. Unfortunately, this auditor was the only available auditor with the necessary expertise. The CAE will not be able to hire someone with similar expertise in time to meet a regulatory deadline.
Which of the following would be the best course of action for the CAE to take?
- A . Continue with the engagement in order to meet the regulatory deadline, but highlight areas in the final report that might need to be revised in the future.
- B . Ask that a senior member of the organization’s IT department with the required systems expertise join the audit team to assist in completing the engagement.
- C . Delay the engagement and inform the board of the situation, asking them to provide acceptable alternatives for completing the engagement.
- D . Remove the planned engagement from the audit plan and explain to senior management the problems with moving forward without an auditor with the necessary expertise.
While reviewing the workpapers of a new auditor, the auditor in charge discovered that additional audit procedures might be necessary.
According to IIA guidance, which of the following would be most relevant for the auditor in charge to consider when making this decision?
- A . Resource management.
- B . Coordination.
- C . Due professional care.
- D . Engagement supervision.
Which of the following would provide the best evidence of errors in the quantities of items received from suppliers?
- A . Suppliers’ reports of over shipments.
- B . Warehouse receiving logs.
- C . Purchase requisitions and purchase orders.
- D . Observation and inspection of inventory.
The internal audit supervisor is reviewing the workpapers prepared by the staff.
According to the Standards, which of the following statements regarding workpaper supervision is not true?
- A . Review notes of questions that arise during the review process must be retained.
- B . Dating and initialing each workpaper provides evidence of review.
- C . Workpaper review allows for staff training and development.
- D . Workpapers may be amended during the review process.
According to the Standards, which of the following best describes why initial audit test results should be reported to the auditor-in-charge prior to advising management?
- A . It increases the likelihood of obtaining the audit client’s agreement with the results.
- B . It ensures that an appropriate chain of evidence is maintained through the workpapers.
- C . It helps ensure that appropriate professional judgments and conclusions are made.
- D . It is required to demonstrate that effective engagement supervision has occurred.
A government agency’s policy states that board members’ travel and hospitality expenses must be audited annually.
Which of following people or groups is most appropriate to perform this audit?
- A . The government’s independent auditor.
- B . The external auditors from an accounting firm.
- C . The internal audit activity.
- D . The agency’s chief compliance officer.
Management of a publicly-held organization requires the internal audit activity to be involved with quarterly financial statements, which are made public and used internally.
Which of the following explanations of management’s decision is least plausible?
- A . Management may be concerned about its reputation in the financial markets.
- B . Management is following best-practice protocol, as stipulated by the Standards, which states that internal auditors must review quarterly financial statements.
- C . Management may be concerned about potential penalties that could occur if quarterly financial statements are misstated.
- D . Management may perceive that having quarterly financial information examined by the internal auditors enhances the information’s value to internal decision making.
The audit committee is concerned that the small size of the internal audit activity (IAA) makes it impractical to achieve full conformance with the Standards.
To address this concern, which of the following actions is most appropriate for the CAE to take?
- A . The CAE should agree with the audit committee and implement only those standards appropriate to the size of the IAA.
- B . The CAE should request the audit committee to review the Standards to identify specifically which are creating the greatest concern.
- C . The CAE should seek sufficient funding to increase audit resources to meet the minimum requirements of the Standards.
- D . The CAE should explain that conformance with the Standards is essential and not dependent upon the size of the IAA.
Which of the following does not need to be defined in the internal audit charter?
- A . The audit engagements to be performed during the upcoming year.
- B . The internal audit activity’s position within the organization.
- C . The scope of internal audit activities.
- D . Management and the board of directors’ agreement regarding the roles and responsibilities of the internal audit activity.
Which of the following is not a role of the internal audit activity in facilitating risk identification and evaluation?
- A . Evaluating risk management processes.
- B . Recommending accountability for risk management.
- C . Providing assurance that risks are evaluated correctly.
- D . Supporting managers to identify ways to mitigate risks.
Which of the following audit procedures would provide the most relevant information to identify discrepancies between budgeted versus actual raw material consumption in a production facility?
- A . Analytical review.
- B . Inquiry.
- C . Document verification.
- D . Observation.
Which of the following audit procedures would provide the most relevant information to identify discrepancies between budgeted versus actual raw material consumption in a production facility?
- A . Analytical review.
- B . Inquiry.
- C . Document verification.
- D . Observation.
Which of the following audit procedures would provide the most relevant information to identify discrepancies between budgeted versus actual raw material consumption in a production facility?
- A . Analytical review.
- B . Inquiry.
- C . Document verification.
- D . Observation.
Which of the following audit procedures would provide the most relevant information to identify discrepancies between budgeted versus actual raw material consumption in a production facility?
- A . Analytical review.
- B . Inquiry.
- C . Document verification.
- D . Observation.
Which of the following audit procedures would provide the most relevant information to identify discrepancies between budgeted versus actual raw material consumption in a production facility?
- A . Analytical review.
- B . Inquiry.
- C . Document verification.
- D . Observation.
To identify potential efficiency improvements.
- A . 1 and 2.
- B . 1 and 3.
- C . 2 and 4.
- D . 3 and 4.
While reviewing first quarter sales transactions, an internal auditor discovered that 10 invoices for a new customer had not been posted into the accounts receivable subsidiary ledger. Those 10 invoices were listed in an error report automatically generated by the sales processing system. The system had rejected the invoices because the customer’s account number was not found in the customer master file.
In this scenario, which of the following controls was lacking?
- A . Corrective control.
- B . Preventive control.
- C . Detective control.
- D . Directive control.
Which of the following would most likely be considered a red flag for fraud?
- A . An organization lacks a whistleblower hotline for reporting suspicious activity.
- B . A senior manager has been delegating the authority to sign-off on small dollar amount purchases to a subordinate.
- C . An employee in charge of payroll disbursements has rotated these duties with several colleagues.
- D . An employee with significant personal debt is in charge of handling large wire transfers for the organization.
Which of the following actions does not violate the IIA Code of Ethics or Standards?
- A . An internal auditor performing an audit on an operation that they managed less than a year ago.
- B . An internal auditor performing an audit on procedures that they were responsible for creating.
- C . An internal auditor disclosing details of an audit report to colleagues from a different organization.
- D . An internal auditor disclosing confidential information in response to a lawsuit.
Which of the following risk management activities is most appropriate for an internal auditor to undertake?
- A . Impose risk management processes.
- B . Coordinate risk management activities.
- C . Implement risk responses on management’s behalf.
- D . Review the management of key risks.
An internal auditor finds during an engagement that payment for the organization’s general insurance policy is two months overdue. The issue is informally mentioned tothe finance department which immediately submits the invoice for payment. The auditor decides to exclude this finding from the final audit report as the oversight was immediately corrected and there were no consequences because of this late payment.
Which of the following rules of conduct as described in the IIA Code of Ethics, did the auditor fail to uphold?
- A . Confidentiality.
- B . Objectivity.
- C . Integrity.
- D . Competency.
Which of the following would be considered a preventive control?
- A . A library control log.
- B . A review of exception reports.
- C . A password lock on a server.
- D . A software scan of financial records for irregularities.
Which of the following would be considered a preventive control?
- A . A library control log.
- B . A review of exception reports.
- C . A password lock on a server.
- D . A software scan of financial records for irregularities.
Which of the following would be considered a preventive control?
- A . A library control log.
- B . A review of exception reports.
- C . A password lock on a server.
- D . A software scan of financial records for irregularities.
Which of the following would be considered a preventive control?
- A . A library control log.
- B . A review of exception reports.
- C . A password lock on a server.
- D . A software scan of financial records for irregularities.
Which of the following would be considered a preventive control?
- A . A library control log.
- B . A review of exception reports.
- C . A password lock on a server.
- D . A software scan of financial records for irregularities.
Leave blank space for cross-references to be completed during the post-audit process.
- A . 1 and 2 only
- B . 1 and 4 only
- C . 2 and 3 only
- D . 3 and 4 only
Which type of objectives can best be described as broad goals that promote the effective and efficient use of resources?
- A . Strategic objectives.
- B . Operational objectives.
- C . Reporting objectives.
- D . Compliance objectives.
According to the Standards, for how long should internal auditors who have previously performed or had management responsibility for an operation wait to become involved in future internal audit activity with that same operation?
- A . Three months.
- B . Six months.
- C . One year.
- D . Two years.
A computer system automatically locks a user’s account after three unsuccessful attempts to log on.
Which type of control does this scenario represent?
- A . Corrective control.
- B . Preventive control.
- C . Detective control.
- D . Compensating control.
A computer system automatically locks a user’s account after three unsuccessful attempts to log on.
Which type of control does this scenario represent?
- A . Corrective control.
- B . Preventive control.
- C . Detective control.
- D . Compensating control.
A computer system automatically locks a user’s account after three unsuccessful attempts to log on.
Which type of control does this scenario represent?
- A . Corrective control.
- B . Preventive control.
- C . Detective control.
- D . Compensating control.
A computer system automatically locks a user’s account after three unsuccessful attempts to log on.
Which type of control does this scenario represent?
- A . Corrective control.
- B . Preventive control.
- C . Detective control.
- D . Compensating control.
A computer system automatically locks a user’s account after three unsuccessful attempts to log on.
Which type of control does this scenario represent?
- A . Corrective control.
- B . Preventive control.
- C . Detective control.
- D . Compensating control.
Visual observations can assist an auditor in determining if a material observation should be communicated through informal means to the organization’s senior management.
- A . 1 and 2 only
- B . 1 and 4 only
- C . 2 and 3 only
- D . 3 and 4 only
Which of the following scenarios exemplifies a potential internal control weakness?
- A . The same employee who receives cash from customers prepares a prelisting of cash receipts.
- B . The same employee who records cash receipts in the accounts receivable subsidiary ledger ensures that the ledger automatically updates the information.
- C . The same employee who restrictively endorses checks received from customers prepares the bank’s check deposit slips.
- D . The same employee who makes deposits at the bank prepares the monthly bank reconciliation.
Which of the following is not an appropriate activity for internal auditors to perform?
- A . Recommend management seek a consulting firm to advise on outsourcing.
- B . Highlight matters that require management’s attention.
- C . Implement solutions for specific organizational problems.
- D . Accumulate data, obtain varying views, and report information to senior management.
An internal audit charter describes the mission and scope of the internal audit activity (IAA), responsibilities of the IAA, accountability of the chief audit executive, independence of the IAA, and standards followed by the IAA.
Which of the following also should be included in the charter?
- A . The purpose of the IAA.
- B . The IAA’s right to have unrestricted access to functions, records, personnel, and physical property.
- C . A detailed audit plan or program for the year.
- D . The job specifications and descriptions of the internal audit staff.
According to IIA guidance, which of the following statements is true?
- A . Risks in IT processes are best mitigated by individual controls.
- B . The overall focus of the framework is on significant controls in all critical IT applications.
- C . IT risks and related controls are operational and best identified using a bottom-up approach.
- D . Control process risks are found at multiple layers of the IT environment.
Why is it important for the chief audit executive to periodically review the audit charter and present the results to senior management and the board?
- A . Because management requires the review to measure effectiveness of the internal audit activity.
- B . So that the individual objectivity of the internal audit staff can be more clearly established.
- C . So that there is assurance of the internal audit staff’s proficiency to complete audit activities.
- D . Because changes in the organization may impair the internal audit activity’s ability to meet its objectives.
Suspecting fraud, the chief financial officer (CFO) asked the internal audit activity to investigate a significant increase in travel related expenditures. Work was performed by a qualified internal auditor. Following the completion of the engagement, the chief audit executive (CAE) reported to the CFO that no violations were found and no fraud had occurred.
According to the Standards, which of the following principles did the CAE violate?
- A . Due professional care.
- B . Individual objectivity.
- C . Proficiency.
- D . Organizational independence.
An accounts receivable clerk receives cash payments, posts the payments to customer accounts, and prepares the daily cash deposit.
The clerk has been stealing some cash and manipulating the customer payments to hide the theft.
This fraud could be detected with which of the following controls?
- A . Monthly bank reconciliations are performed by the clerk on a timely basis.
- B . Total cash deposits for the month are reconciled to the cash receipts journal.
- C . Names, amounts, and dates on remittance advices are reconciled with the names, amounts, and dates recorded in the cash receipts journal.
- D . Total cash deposits are compared with the bank reconciliation.
A chief audit executive (CAE) of an international charity reports functionally to the audit committee of the board of directors and administratively to the charity’s chief financial officer (CFO).
Which of the following would impair the internal audit function’s independence?
- A . The CFO determines the scope of internal audit work in the accounting department.
- B . The CFO manages the accounting of the budget for the internal audit function.
- C . The CFO administers the annual evaluation process for the internal auditors.
- D . The CFO provides feedback on the CAE’s audit reports.
According to IIA guidance, which of the following is the best example of a system application control?
- A . A physical security control over a data center.
- B . A system development life cycle control.
- C . A program change management control.
- D . An input control over data integrity.
An internal auditor is reviewing employee travel data to identify opportunities to cut costs while ensuring adequate participation at conferences to support the organization’s mission.
Which of the following pieces of evidence would be sufficient for completing this task?
- A . A log from the last year that includes dates of travel, conference titles, and conference objectives, all of which correspond with employee names and costs per trip.
- B . A log that includes titles of conferences that all employees were invited to attend in the last year, along with the dates of those conferences and average costs per traveler.
- C . A log of conferences titles, dates of travel for each employee, and a detailed summary of conference objectives and how they relate to the organization’s mission needs.
- D . A log of employee travel requests, which include the title of each conference, the conference objectives, anticipated dates of travel, and estimated costs.
During an engagement, an internal auditor decided to use variance analysis as an auditing techniques.
Which of the following steps should the auditor pursue if he discovers unexpected deviations of actual results from budget?
- A . Report the deviations immediately to the audit committee.
- B . Gather additional information to determine the cause of the deviations.
- C . Conclude that the budget was unreasonably set and accept the deviations.
- D . Perform alternative forms of analytical procedures which provide no deviations.
Which of the following techniques would best assist an internal auditor in evaluating the efficiency of a wholesale grocery distributor`s process to fill and package orders for shipping?
- A . A Bedford analysis of orders filled to average delivery times.
- B . Decision trees rating actual performance against requirements.
- C . Queuing theory to assess potential bottlenecks in the process.
- D . A program evaluation and review technique chart.
Which of the following activities best reflects the scope and status of the internal audit activity as defined in the internal audit policy statement?
- A . The internal auditor reviews the physical access to merchandise during an inventory count.
- B . The audit manager conducts an internal quality assessment of the internal audit activity’s adherence to the Standards.
- C . The audit manager refrains from assigning an auditor who was a former payroll clerk to conduct a payroll audit.
- D . The board approves the annual performance evaluation of the chief audit executive.
Why is a code of ethics for the internal audit profession necessary?
- A . It ensures that all members of the profession possess the same level of competence.
- B . It provides auditors with protection from lawsuits.
- C . It guides internal auditors in their service to others.
- D . It requires auditors to exhibit loyalty to their organizations.
Why is a code of ethics for the internal audit profession necessary?
- A . It ensures that all members of the profession possess the same level of competence.
- B . It provides auditors with protection from lawsuits.
- C . It guides internal auditors in their service to others.
- D . It requires auditors to exhibit loyalty to their organizations.
Why is a code of ethics for the internal audit profession necessary?
- A . It ensures that all members of the profession possess the same level of competence.
- B . It provides auditors with protection from lawsuits.
- C . It guides internal auditors in their service to others.
- D . It requires auditors to exhibit loyalty to their organizations.
Why is a code of ethics for the internal audit profession necessary?
- A . It ensures that all members of the profession possess the same level of competence.
- B . It provides auditors with protection from lawsuits.
- C . It guides internal auditors in their service to others.
- D . It requires auditors to exhibit loyalty to their organizations.
Perform assurance procedures with sufficient care to ensure that all risks are identified.
- A . 1 and 2 only
- B . 1 and 3 only
- C . 2 and 3 only
- D . 1, 2, and 3
According to the IIA guidance, who is responsible for periodically assessing the internal audit activity?
- A . The board.
- B . The chief audit executive.
- C . Senior management.
- D . The external auditors.
Which of the following audit techniques is used to evaluate control design while also embodying auditing’s analytical process?
- A . A risk and control matrix.
- B . A flowchart.
- C . A walk-through.
- D . A process narrative.
Which of the following audit techniques is used to evaluate control design while also embodying auditing’s analytical process?
- A . A risk and control matrix.
- B . A flowchart.
- C . A walk-through.
- D . A process narrative.
Which of the following audit techniques is used to evaluate control design while also embodying auditing’s analytical process?
- A . A risk and control matrix.
- B . A flowchart.
- C . A walk-through.
- D . A process narrative.
Which of the following audit techniques is used to evaluate control design while also embodying auditing’s analytical process?
- A . A risk and control matrix.
- B . A flowchart.
- C . A walk-through.
- D . A process narrative.
Which of the following audit techniques is used to evaluate control design while also embodying auditing’s analytical process?
- A . A risk and control matrix.
- B . A flowchart.
- C . A walk-through.
- D . A process narrative.
Maintain open and effective communications with the audit committee.
- A . 1 and 2 only
- B . 3 and 4 only
- C . 1, 3, and 4 only
- D . 2, 3, and 4 only
Management has asked the chief audit executive (CAE) to provide assurance on the organization’s automated control system related to financial data. The current audit staff does not have the expertise needed to conduct this type of engagement.
Which of the following would be the best response by the CAE?
- A . Accept the assignment and use control self-assessment to complete the project.
- B . Do not accept the assignment because the internal audit activity lacks the competency to perform the engagement with due professional care.
- C . Accept the assignment and use an external provider with the necessary knowledge and skills to perform the engagement.
- D . Accept the assignment if the engagement is included in the current audit plan, but inform senior management that the current audit staff does not have the knowledge and skills required.
The chief audit executive (CAE) of a mid-sized pharmaceutical organization has operational responsibility for the regulatory compliance function. The auditcommittee requests an assessment of regulatory compliance. According to IIA guidance, which of the following is the CAE’s best course of action?
- A . Have a proficient internal audit staff member perform the assessment and disclose the impairment in the audit report and to the board.
- B . Have a regulatory compliance staff member perform a self-assessment, to be reviewed by a proficient internal auditor.
- C . Have a proficient internal audit staff member perform the audit and report the results of the assessment directly to senior management and the board.
- D . Contract with a third-party entity or external auditor to complete the assessment and report the results to senior management and the board.
Which of the following decisions made during the testing phase of a compliance audit requires the most judgment by an internal auditor?
- A . Which sampling methodology to select for testing.
- B . Which fields to examine on each invoice.
- C . Whether an individual expenditure is allowable.
- D . What level of noncompliance is acceptable.
According to the Standards, which of the following is not a consideration when exercising due professional care for an assurance engagement?
- A . The relative complexity, materiality, or significance of matters to which assurance procedures are applied.
- B . The extent of assurance services necessary to ensure that all risks are identified.
- C . The cost of providing the assurance services in relation to potential benefits.
- D . The probability of significant errors, irregularities or instances of noncompliance.
An internal audit activity (IAA) provided assurance services for an activity it was responsible for during the preceding year.
As a result, which IIA Code of Ethics principle is presumed to be impaired?
- A . Competence.
- B . Flexibility.
- C . Objectivity.
- D . Independence.
Which of the following controls is not appropriate for sales in a manufacturing organization?
- A . Customers’ orders are recorded promptly.
- B . Goods shipped are matched with valid customer orders.
- C . Goods returned are inspected for damage by the receiving department for proper disposition.
- D . Sales department approval is required for credit sales transactions.
Which of the following is a second line of defense in effective risk management and control?
- A . Purchasing department.
- B . Compliance department.
- C . Credit department.
- D . Internal audit department.