Terms in this set (85)
Which of the following activities is NOT presumed to impair the objectivity of an internal auditor?
I. Recommending standards of control for a new information system application
II. Drafting procedures for running a new computer application to ensure that proper controls are installed
III. Performing reviews of procedures for a new computer application before it is installed
I & III. Recommending standards of control & Performing reviews of procedures.
The software that manages the interconnectivity of the system hardware devices is
operating system software
Which of the following is an advantage of outsourcing technology?
A minimum level of investment accompanied by the ability to expedite the introduction of new technology.
Which of the following best illustrates the use of EDI?
computerized placement of a purchase order from a customer to its supplier
An organization's IT governance committee has several important responsibilities. Which of the following is NOT normally such a responsibility?
a. Overseeing changes to IT systems.
b. Monitoring IT security procedures.
c. Designing IT application-based controls.
d. Aligning investments in IT with business strategies.
Designing IT application-based controls.
Which of the following is a factor affecting risk?
a. New personnel.
b. New or revamped information systems.
c. Rapid growth.
d. All of the answers are correct
The purpose of logical security controls is to:
restrict access to data
A comprehensive plan to deal with business interruptions will provide for all but which of the following?
a. Segregation of duties.
b. Alternative site facilities.
c. Business impact assessments.
d. Procedures for restoring utility services
segregation of duties
The possibility of someone maliciously shutting down an information system is most directly an element of:
The difference between physical access control activities and logical access control activities is that:
although physical controls allow a person into a computer facility, logical access controls authorize a person into the computer software
Which of the following activities is not presumed to impair the objectivity of an internal auditor?
I. Recommending standards of control for a new information system application.
II. Drafting procedures for running a new computer application to ensure that proper controls are installed.
III. Performing reviews of procedures for a new computer application before it is installed.
I & III. recommending standards of controls & Performing reviews of procedures
Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:
accept? not accept? why?
accept the engagement because independence would not be impaired
The International Standards for the Professional Practice of Internal Auditing require the chief audit executive to share information and coordinate activities with other internal and external providers of assurance services. With regard to the external auditor which of the following would not be an appropriate way for the chief audit executive to meet this requirement?
Requiring the external auditor to have the chief audit executive's approval of their annual audit plan for conducting the financial statement audit
Which of the following is not a responsibility of the CAE?
a. To follow up on whether appropriate management actions have been taken on significant reported risks
b. To communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval
c. To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes
d. To establish a risk-based plan to accomplish the objectives of the internal auditing activity consistent with the organization's goals
To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.
When evaluating the independence of an internal audit activity, a quality assurance review team performing an external assessment considers several factors. Which of the following factors has the least amount of influence when judging an internal audit activity's independence?
a. Relationship between engagement records and engagement communications.
b. Impartial and unbiased judgments.
c. Criteria used in making internal auditors' assignments.
d. The extent of internal auditor training in communications skills.
the extent of internal auditor training in communication skills.
When faced with an imposed scope limitation, the CAE should
communicate the potential effects of the scope limitation to the audit committee of the Board of Directors.
Which of the following does NOT represent a key element of the IIA's quality assurance programs?
a. Monitoring risk mitigation
b. Implementing quality programs
c. Communicating results
d. Continuous improvement
Monitoring risk mitigation
When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should:
Discuss the problem with the customer and together evaluate whether the engagement should be continued
Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual audit plan?
To ensure that the IA plan supports the overall business objectives
IAs perform both assurance engagements and consulting engagements. Which of the following would be classified as a consulting engagement?
a. Assisting the independent outside auditor during the financial statement audit engagement.
b. Assessing the design adequacy of the organization's entity-level monitoring activities.
c. Facilitating senior management's assessment of risk threatening the organization.
d. Directly assessing the organization's compliance with laws and regulations.
Facilitating senior management's assessment of risk threatening the organization.
Which of the following is LEAST likely to be placed on the agenda for discussion at a pre-engagement meeting as one of the assurance engagement planning activities?
a. Sampling plan and key criteria.
b. Objectives/purposes and scope of the engagement.
c. Records and client personnel needed.
d. Expected starting and completion dates.
Sampling plan and key criteria.
Reported internal audit observations emerge by a process of comparing "what should be" with "what is." In determining "what should be" during an audit of a company's treasury function, which of the following would be the LEAST desirable criterion against which to judge current operations?
a. Performance standards established by senior management.
b. Company policies and procedures delegating authority and assigning responsibilities.
c. The operations of the treasury function as documented during the last audit.
d. Best practices of the treasury function in relevant industries.
The operations of the treasury function as documented during the last audit.
Which of the following statements best describes an internal audit function's responsibility for assurance engagement follow-up activities?
a. The internal audit function should determine whether management has initiated corrective action but has no responsibility to determine whether the corrective action is achieving the desired results. That determination is management's responsibility.
b. The CAE is responsible for scheduling audit follow-up activities only if asked to do so by senior management or the audit committee. Otherwise, such activities are discretionary.
c. The internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations.
d. Audit follow-up activities are not necessary if the auditee has agreed in writing to implement the internal audit function's recommendations.
The IAF should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations.
Internal auditors obtain an understanding of controls and perform tests of controls to
evaluate the design adequacy and operating effectiveness of the controls
Comprehensive risk assessment involves analysis of both causes and effects. Which of the following statements concerning the analysis of causes and effects is FALSE?
a. Analyzing the causes and effects of a particular risk provides insights about how to best manage the risk.
b. Analyzing the effects of a particular risk provides insights about the relative size of the risk and the relative importance of the business objective threatened by the risk.
c. Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred.
d. Analyzing the root causes of a particular risk helps the internal auditor formulate recommendations for reducing the risk to an acceptable level.
Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred.
During assurance engagement planning, an internal auditor found that several accounts payable vouchers for major suppliers required adjustments for duplicate payment of prior invoices. This would indicate
a need for additional testing to determine related controls and the current exposure to duplicate payments made to suppliers.
The tasks performed during an internal audit assurance engagement should address the following questions:
I. What are the reasons for the results?
II. How can performance be improved?
III. What results are being achieved?
The chronological order in which these questions should be addressed is:
III, I, II
If an IA's evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to:
test the operating effectiveness of the controls.
While planning an assurance engagement, the IA obtains knowledge about the auditee's operations to, among other things,
develop an understanding of the auditee's objectives, risks and controls.
An internal auditor determines that the process is not designed adequately to reduce the underlying risks to an acceptable level. Which of the following should the internal auditor do next?
a. Write the audit report; there's no reason to test the operating effectiveness of control activities that are not designed adequately.
b. Test compensating control activities in other (adjacent) processes to see if the impact of the design inadequacy is mitigated to an acceptable level.
c. Test the existing key control activities anyway to prove that, despite the design inadequacy, the process is still meeting the process objectives.
d. Postpone the engagement until design inadequacy has been rectified.
Test compensating control activities in other (adjacent) processes to see if the impact of the design inadequacy is mitigated to an acceptable level.
If an IA identifies an exception while testing, which of the following may be appropriate?
a. Test additional items to determine whether the exception is an isolated occurrence or indicative of a control deficiency.
b. Gain an understanding of the root cause, that is, the reason the exception occurred.
c. Draft an observation for the audit report.
d. All of the above.
All of the answers
Analytical procedures can be applied during which phases of an assurance engagement?
engagement planning and engagement performance phases
A process objective stating "all contracts must be approved by an officer of the company before being consummated" is an example of what type of the four objectives?
Which of the following auditee-prepared documents will likely be of greatest assistance to the internal auditor in their assessment of design adequacy?
a. Policies and procedures manual
b. Organization charts and job descriptions
c. Process maps depicting the flow of the process
d. Narrative memorandum listing key tasks for portions of the process
Process maps depicting the flow of the process
Which of the following is not likely to be an assurance engagement objective?
a. Evaluate the design adequacy of the payroll input process
b. Guarantee the accuracy of recorded inventory balances
c. Assess compliance with health and safety laws and regulations
d. Determine the operating effectiveness of fixed asset control
Guarantee the accuracy of recorded inventory balances
Which of the following is an appropriate conclusion that can be drawn when the internal auditor identifies an observation from testing control activities?
a. The process objectives cannot be achieved.
b. The area may be vulnerable to fraud.
c. Overall, the process is not operating effectively.
d. Certain risks are not effectively mitigated.
Certain risks are not effectively mitigated.
Which of the following types of control activities is likely to be least important when evaluating the design adequacy of a cash collections process?
a. Approving the deposit of cash receipts into the company's bank account.
b. Calculating the amount of cash received.
c. Documenting the rationale behind the bank account in which the deposit will be made.
d. Matching the total deposits to the amounts credited to customers' accounts receivable balances.
e. Segregating the preparation of deposit slips from the adjustment of customer account balances.
Documenting the rationale behind the bank account in which the deposit will be made.
Which of the following is not typically a key element of process maps or narrative memorandum?
a. Overall process objectives
b. Key inputs to the process
c. Key processing steps involved in the process
d. Key outputs from the process
e. Key risks and control activities
Overall process objectives
Which of the following controls is not likely to be an entity-level control?
a. All employees must receive ongoing training to ensure they maintain their competence.
b. All cash disbursement transactions must be approved before they are paid.
c. All employees must comply with the Code of Ethics and Business Conduct.
d. An organization-wide risk assessment is conducted annually.
All cash disbursement transactions must be approved before they are paid.
Once an observation is identified by the internal auditors, the first thing the IAs should do is:
documenting in the working papers
Which of the following external risks is least likely to impact the accuracy of financial reporting?
a. The standard setting body in the organization's country issues a new financial accounting standard.
b. A recent judicial court case increases the likelihood that pending litigation will result in an unfavorable outcome.
c. Changes in standard industry contracts now allow for netting of payables and receivables.
d. Competitor pressures cause the organization to pursue new sales channels.
Competitor pressures cause the organization to pursue new sales channels.
Which of the following groups' risk tolerance levels are least important when conducting an assurance engagement?
a. The audit committee or other board governance committees.
b. Senior management.
c. Process-level management.
d. The internal audit function.
e. Vendors and customers
Vendors and customers
Recommendations should be included in final audit communications to:
provide management with options for addressing audit observations
Which of the following would not be considered a primary objective of a closing or exit conference?
a. To resolve conflicts
b. To discuss the engagement observations and recommendations
c. To identify concerns for future audit engagements
d. To identify management's actions and responses to the engagement observations and recommendations
To identify concerns for future audit engagements
Once an observation is identified by the IA, it may be
included in the final audit report.
The primary purpose of issuing an interim report during an internal audit is to
provide auditee management the opportunity to act on certain observations immediately
An excerpt from an internal audit observation indicates that travel advances exceed prescribed maximum amounts. Company policy provides travel funds to authorized employees for travel. Advances are not to exceed 45 days of anticipated expenses. Company procedures do not require justification for large travel advances. Employees can, and do, accumulate large unneeded advances. In this audit observation, the element of an audit finding known as "effect" is:
employees accumulate large, unneeded advances
The primary reason for having a formal audit engagement communication is to:
record observations and recommended courses of action
A formal engagement communication must
report significant observations
Which of the following does the CAE need to consider when determining the extent of follow-up required?
I. Significance of the reported observation.
II. Past experience with the manager charged with the corrective action.
III. Degree of effort and cost needed for the corrective action.
IV. The experience of the internal audit staff.
I & III
Internal audit reports can be structured to motivate management to correct deficiencies.
Which of the following report-writing techniques is most likely to be effective?
a. State the procedural inadequacies and resulting improprieties in specific terms.
b. Recommend changes and state the punitive measures that will follow if the recommendations are not implemented.
c. List the deficiencies found so as to provide an easy-to-follow checklist.
d. Suggest practical improvements to address the identified observations.
Suggest practical improvements to address the identified observations.
During a review of purchasing operations, an internal auditor found that procedures in use did not agree with stated company procedures. However, audit tests revealed that the procedures used represented an increase in efficiency and a decrease in processing time, without a discernible decrease in control. The internal auditor should:
report the change and suggest that the change in procedures be documented
According to the IPPF, which of the following is part of the minimum requirements for an engagement final communication?
II. Purpose of the engagement
IV. Results of the engagement
II, III & IV
The software that manages the interconnectivity of the system hardware devices is the:
operating system software
An internet firewall is designed to provide protection against
unauthorized access from outsiders.
Which of the following best illustrates the use of EDI?
a. purchasing merchandise from a company's internet site
b. computerized placement of a purchase order from a customer to its supplier
c. transfer of data from a desktop computer to a database server
d. withdrawing cash from an ATM
computerized placement of a purchase order from a customer to its supplier
The possibility of someone maliciously shutting down an info system is most directly an element of:
An organization's IT governance committee has several important responsibilities. Which of the following is not normally one?
a. aligning investments in IT with business strategies
b. overseeing changes to IT systems
c. monitoring IT security procedures
d. designing IT application based controls
designing IT application based controls
If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error was most likely detected by a:
The purpose of logical security controls is to
restrict access to data
Which of the following statements regarding an IAF's continuous auditing responsibilities is/are true?
I. The IAF is responsible for assessing the effectiveness of management's continuous monitoring activities.
II. In areas of the organization in which management has implemented effective monitoring activities, the IAF can conduct less stringent continuous assessments of risks and controls.
Both statements I & II are true.
Per IIA Standards, IAFs must establish
both internal and external quality assurance and improvement program assessments.
Senior management has requested that the IAF perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The IAF should
accept the audit engagement since independence is not impaired
The Standards require policies and procedures to guide the IA staff. Which of the following statements is false with respect to this requirement?
All IAFs should have a detailed policies and procedures manual.
Which of the following statements does not illustrate the concept of inherent business risk?
a. cash is more susceptible to theft than an inventory of sheet metal
b. a broken lock on a security gate allows employees to access a restricted area they are not authorized to enter
c. transactions involving complex calculations are more likely to be misstated than transactions involving simple calculations
d. technological developments might make a particular product obsolete
a broken lock on a security gate allows employees to access a restricted area they are not authorized to enter
IAs sometimes express opinions in addition to stating observations in their reports. Due professional care requires that IA opinions be
based on sufficient appropriate evidence
Which of the following is not typically a key element of flowcharts or narrative memoranda?
a. overall process objectives
b. key inputs to the process
c. key outputs from the process
d. key risks and controls
overall process objectives
What is the nature of audit procedures when creating a test plan?
direct test of controls or indirect test of controls or a combo of both
What is the extent of audit procedures when creating a test plan?
how much evidence you want to collect (sampling or continuous auditing)
What is the timing of audit procedures when creating a test plan?
whether you are taking evidence at a certain time or over a duration of time
What purposes does a well-written work program serve?
1. Record keeping that is needed to justify everything we do to support it
2. Supervision to make sure all procedures are done correctly, on time, comprehensively, etc; ensures due diligence
What should a CAE do to promote proficiency?
1. Recruit & hire competent individuals.
2. Obtain competent assessment from outside entities
3. Decline engagement if previous 2 cannot happen
What should a CAE do to promote due professional care?
1. create awareness of fraud, intentional wrongdoings, omissions, conflict of interest, or inefficiencies.
2. identify inadequate procedures/processes
3. supervision of documentation, working papers, status reports, progress reports, etc.
What are the recommended steps to create the IA plan?
1. Develop audit universe
2. Obtain info or input from Board of Directors
3. Conduct an assessment of Risk Exposures
4. Inquire changes in business processes
5. Make evaluation of management's response of risk
6. Align audit plan with organization's strategic plan
7. Consider the time since the last audit.
What are the 3 phases of the assurance engagement process? Should they be integrated and how?
Plan, Perform, Communicate
Yes they should be integrated:
-plan throughout entire process since you can learn info continuously & you will need to make new plans as you learn
-make new plans as you learn or alter existing plans as you work
-communicate findings as you perform and plan with the audit clients
Describe how to make the assurance engagement effective.
2. Align audit engagement objectives with the organization's strategic objectives
3. Support the IAF's audit charter
Why is it important for IA to ID & understand KPIs for a process?
1. to understand management's tolerance of risk to know if they established KPIs
2. evaluate design adequacy and operating efficiency
Identify characteristics of good KPIs.
Relevant, Measurable, Available, Aligned, Articulated
Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities?
If an auditor's preliminary evaluation of internal controls results in an observation that controls may be inadequate, the next step would be to:
expand audit work before the preparation of a final communication
A finding, determination, or judgement derived from the internal auditor's test results is
A rating or conclusion by the internal auditor that provides specific assurances about an engagement is considered
Formal communications should include all of the following, except:
A formal rating.
The internal audit function's responsibilities end when engagement results are distributed.