Part 2 Unit 4

The document contains sample questions and answers related to risk analysis and internal audit planning. Key points covered include:

- Risk is defined as the possibility of an event occurring that will impact objectives.
- A risk analysis considers issues like governance, prior results, and operating changes, but not internal audit staff skills.
- Higher risk activities like one with a $1M precious metals inventory and no access restrictions should get priority in audit planning.
- The chief audit executive should generally assign engagement priorities to higher risk activities.

Uploaded by Jake Rolly

PART-2 UNIT 4

1. A chief audit executive may use risk analysis in preparing work schedules. Which of the
following is not considered in performing a risk analysis?

A. Issues relating to organizational governance.

B. Skills available on the internal audit staff.

C. Results of prior engagements.

D. Major operating changes.

Answer (B) is correct.

The skills of the internal audit staff do not affect the risk associated with potential engagement clients.

A. Issues relating to organizational governance are factors that should be considered.

C. Results of prior engagements should be considered.

D. Major operating changes should be considered.

2. The term “risk” is best defined as the possibility that

A. An internal auditor will fail to detect a material misstatement that causes financial statements or
internal reports to be misstated or misleading.

B. An event could occur affecting the achievement of objectives.

C. Management will, either knowingly or unknowingly, make decisions that increase the potential
liability of the organization.

D. Financial statements or internal records will contain material misstatements.

Answer (B) is correct.

According to The IIA Glossary, risk is “the possibility of an event occurring that will have an impact
on the achievement of objectives. Risk is measured in terms of impact and likelihood.”

A. Detection risk is a component of audit risk.

C. The risk of increasing the organization’s liability could be termed management decision-making
risk.

D. Risk is not limited to misstated financial statements.


3. Risk modeling or risk analysis is often used in conjunction with development of long-range
engagement work schedules. The key input in the evaluation of risk is

A. Previous engagement results.

B. Management concerns and preferences.

C. Specific requirements of professional standards.

D. Judgment of the internal auditors.

Answer (D) is correct.

Assessing the risk of an activity entails analysis of numerous factors, estimation of probabilities and
amounts of potential losses, and an appraisal of the costs and benefits of risk reduction. Consequently,
in assessing the magnitude of risk associated with any factor in a risk model, informed judgment by the
internal auditor is required.

A. The informed judgment of the internal auditor is still required to assess the magnitude of risk
indicated by previous engagement results.

B. To assess the risk posed by management concerns, informed judgment of the internal auditor is
required.

C. Professional standards do not specify the basic inputs for a risk analysis.

4. The chief audit executive of a manufacturer is updating the long-range engagement work
schedule. There are several possible assignments that can fill a given time spot. Information on
potential monetary exposure and key internal controls has been gathered. Based on perceived
risk, select the assignment of greatest merit.

A. Precious metals inventory -- carrying amount, US $1,000,000; separately stored, but access not
restricted.

B. Branch office petty cash -- ledger amount, US $50,000; 10 branch offices, equal amounts;
replenishment of accounts requires three separate approvals.

C. Sales force travel expenses -- budget, US $1,000,000; 50 sales people; all expenditures over US
$25 must be receipted.

D. Expendable tools inventory -- carrying amount, US $500,000; issued by tool crib attendant upon
receipt of authorization form.

Answer (A) is correct.

Among the many considerations in judging an item’s risk are the ease with which it can be converted to
cash, its accessibility, and its monetary value. The precious metals inventory should receive special
emphasis because of its high inherent risk. The inventory can be easily converted to cash, access is not
restricted, and its monetary value is relatively high.

B. The monetary exposure of petty cash is much smaller than for the other proposed engagements, and
the related controls are very stringent.

C. Although the monetary value of the sales force travel expense is identical to that of the precious
metal inventory, the exposure is divided among 50 people, and the receipting requirement provides
substantial safety against false claims.

D. The expendable tools inventory is subject to adequate control.

5. Risk assessment is a systematic process for assessing and integrating professional judgments
about probable adverse conditions or events. Which of the following statements reflects the
appropriate action for the chief audit executive to take?

A. The CAE should generally assign engagement priorities to activities with higher risks.

B. The CAE should restrict the number of sources of information used in the risk assessment
process.

C. Work schedule priorities should be established to lead the CAE in the risk assessment process.

D. The risk assessment process should be conducted at least every 3 to 5 years.

Answer (A) is correct.

Audit work schedules are based on, among other things, an assessment of risk and exposures.
Prioritizing is needed to make decisions for applying resources. A variety of risk models exist to assist
the CAE. Most risk models use risk factors, such as impact, likelihood, materiality, asset liquidity,
management competence, quality of and adherence to internal controls, degree of change or stability,
timing and results of last audit engagement, complexity, and employee and government relations.

B. Internal auditors are expected to identify and evaluate significant risk exposures in the normal
course of their duties. Thus, they not only use risk analysis to plan engagements but also to assist
management and the board by examining, evaluating, reporting, and recommending improvements on
the adequacy and effectiveness of the management’s risk processes. For these purposes, the CAE
should incorporate information from a variety of sources into the risk assessment process. The
Standards place no limit on such sources.

C. The risk assessment process should be used to determine work schedule priorities.

D. The risk assessment should be undertaken at least every year.

6. When developing the internal audit plan, the chief audit executive must consider the following
expectations of

1. Department managers

2. Stakeholders

3. Human resource managers


A. 1 only.

B. 2 only.

C. 3 only.

D. 2 and 3.

Answer (B) is correct.

During planning, the chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other conclusions (Impl.
Std. 2010.A2).

A. During planning, the chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other conclusions. This
does not include the expectations of department managers.

C. During planning, the chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other conclusions. This
does not include the expectations of HR managers.

D. While the expectations of stakeholders must be considered, the expectations of HR managers are
not.

7. The internal auditing activity of Rivers Financial Group is developing a plan for the current
year. Which of the following should not be emphasized in the audit plan?

A. All control systems.

B. Areas where inherent risk is very high.

C. Control systems on which the organization is most reliant.

D. Unacceptable current risks that require management action.

Answer (A) is correct.

An internal audit plan normally focuses on control systems for which the organization is most reliant,
not all control systems.

B. An internal audit plan normally focuses on the following: unacceptable current risks requiring
management action, control systems on which the organization is most reliant, areas where the
difference between inherent risk and residual risk is great, and areas where inherent risk is very high.

C. An internal audit plan normally focuses on the following: unacceptable current risks requiring
management action, control systems on which the organization is most reliant, areas where the
difference between inherent risk and residual risk is great, and areas where inherent risk is very high.

D. An internal audit plan normally focuses on the following: unacceptable current risks requiring
management action, control systems on which the organization is most reliant, areas where the
difference between inherent risk and residual risk is great, and areas where inherent risk is very high.

8. The internal audit activity’s audit plan is based on all of the following except

A. The audit universe.

B. The cost of the engagement.

C. Input from senior management and the board.

D. Assessed risk and exposures.

Answer (B) is correct.

The cost of the engagement is not a factor to consider when developing the audit plan.

A. The audit plan is based on the audit universe.

C. The audit plan is based on input from both senior management and the board of directors.

D. The internal audit activity’s audit plan is based on the assessed risk and exposures.

9. Risk management is critical to the sound governance of which of the following?

A. Financial activities of the organization.

B. Manufacturing activities of the organization.

C. All organization activities that produce more than 10% of revenue.

D. All organizational activities, regardless of revenue.

Answer (D) is correct.

Risk management is crucial to sound governance of all organizational activities.

A. Risk management is crucial to sound governance of all organizational activities, not just the
financial activities.

B. Risk management is crucial to sound governance of all organizational activities, not just the
manufacturing activities.

C. Risk management is crucial to sound governance of all organizational activities, not just the
activities producing more than 10% of revenue.

10. An organization has no formal risk management framework. In developing a risk-based plan
to determine the priorities of the internal audit activity, the chief audit executive (CAE) should

A. Use the same risk-based plan developed for other clients.

B. Not establish a risk-based plan because one is not necessary.

C. Consult with senior management and the board and use the best judgment of risks.

D. Limit the scope of the engagement.

Answer (C) is correct.

The CAE considers the risk management framework, including the risk appetite set by management for
each activity or part of the organization. If a framework does not exist, the CAE uses his or her own
judgment after consulting with senior management and the board.

A. The CAE should review and adjust the plan, as necessary, in response to changes in the
organization’s business, risks, operations, programs, systems, and controls.

B. The CAE should establish a risk-based plan to determine the priorities of the internal audit activity,
consistent with the organization’s goals.

D. The CAE should develop a risk-based plan, not limit the scope of the engagement.

11. The chief audit executive (CAE) performs a risk assessment before developing the annual
audit plan. Which of the following is most likely to increase the assessment of an identified risk?

A. An immaterial, anticipated drop in cash flow after plant closings.

B. A request from senior management to review the strategic plan.

C. An unexpected, significant increase in receivables not related to an increase in sales.

D. A critical activity had not been subject to a compliance audit during the past year.

Answer (C) is correct.

Unexpected, unexplained, and significant changes in amounts, such as receivables, increase the
assessed risk for that balance.

A. An immaterial, expected, and explainable decrease in cash flow provides no evidence of increased
risk.

B. A request from senior management to include an engagement in the audit plan is significant, but
does not provide evidence of increased risk.

D. Compliance audits do not have to be performed annually unless evidence indicates an engagement is
necessary.

12. Which internal audit planning tool is general in nature and is used to ensure adequate
engagement coverage over time?

A. The audit plan.

B. The engagement work program.

C. The internal audit activity’s budget.

D. The internal audit activity’s charter.

Answer (A) is correct.

According to Perf. Std. 2010, the CAE must establish a risk-based audit plan to determine the priorities
of the internal audit activity. Such a plan ensures adequate engagement coverage over time.

B. The engagement work program is limited in scope to a particular project.

C. The internal audit activity’s budget may be used to justify a head count, but it is not used to ensure
adequate engagement coverage over time.

D. The charter is not an engagement planning tool.

13. Which of the following actions by the internal audit activity is (are) appropriate in response
to a risk assessment?

1. Although input of senior management and the board should be obtained, the chief audit executive
does not need to consider it when developing the internal audit activity’s plan of engagements.

2. The high-risk areas should be integrated into an audit plan along with the high-priority requests of
management and the audit committee.

3. The risk analysis should be used in determining an audit plan. Thus, it should be performed only on
an annual basis.

A. 1 only.

B. 2 only.

C. 1 and 3 only.

D. 1 and 2 only.

Answer (B) is correct.

The annual risk-based audit plan should integrate the risk analysis with input from senior management
and the board (audit committee). It reflects consideration of the organization’s risk management
framework and risk appetite levels set by management.

A. The internal audit activity’s plan of engagements must be based on a documented risk assessment.
The input of senior management and the board must be considered in this process.

C. A documented risk assessment should be undertaken at least annually. It should be updated for
changes as they occur during the year, and the input of senior management and the board must be
considered.

D. Input of senior management and the board must be considered.

14. Which of the following comments is (are) true regarding the assessment of risk associated
with two projects that are competing for limited internal audit resources?

1. Industry knowledge should be used to identify the project with the higher priority.

2. Activities with higher financial budgets always should be considered higher risk than those
with lower financial budgets.

3. Activities that are requested by the board always should be considered higher risk than those
requested by management.

4. Senior management’s evaluations of the risk associated with each project must be considered.

A. 2 and 4 only.

B. 2 and 3 only.

C. 1 and 4 only.

D. 1 and 3 only.

Answer (C) is correct.

An understanding of the industry enables the internal auditor to identify risks of new or existing
projects. The internal audit activity’s plan of engagements must be based on a documented risk
assessment, undertaken at least annually. The input of senior management and the board must be
considered in this process.

A. Activities with higher financial budgets do not necessarily have greater risk.

B. Activities with higher financial budgets do not necessarily have greater risk. Activities requested by
the board do not necessarily have greater risk.

D. A ranking based on the source of a request for performance of an engagement is unlikely to reflect a
comprehensive assessment based on a sufficient number of risk factors.

15. The internal auditors of Smother Corp. are considering lower-risk audits as a part of their
audit plan. They should

A. Include the lower-risk audits to give them coverage and confirm that their risks have not changed.

B. Not include the lower-risk audits in the audit plan since they are not risky.

C. Include only half of the lower-risk audits to see if the risks have changed.

D. Include the lower-risk audits only with senior management approval.

Answer (A) is correct.

Lower-risk audits need to be included in the audit plan to give them coverage and confirm that their
risks have not changed.

B. Lower-risk audits should be included in the audit plan.

C. Including only half of the lower-risk audits is not required by any guidance of The IIA.

D. While the internal auditor considers input from senior management when determining the audit plan,
the decision to include audits in the plan is ultimately at the discretion of the internal auditor.

16. The chief audit executive is preparing the audit work schedule for the next budget year and
has limited resources. In deciding whether to schedule the purchasing or the personnel
department for an engagement, which of the following is the least important factor?

A. Major changes in operations have occurred in one of the departments.

B. The internal audit staff has recently added an individual with expertise in one of the areas.

C. More opportunities to achieve operating benefits are available in one of the departments than in
the other.

D. Updated assessed risk is significantly greater in one department than the other.

Answer (B) is correct.

The CAE’s responsibility is to assign competent internal auditors to the appropriate engagements, not
to adjust the workplan to the abilities of the staff.

A. A major change in operations is a reason for scheduling an engagement.

C. Potential operating benefits are a reason for scheduling an engagement.

D. Updated assessed risk is a reason for scheduling an engagement.

17. Which of the following factors is least likely to be considered in determining the audit work
schedule?

A. Engagement work programs.

B. The effectiveness of risk management and control processes.

C. Workload requirements.

D. Issues relating to organizational governance.

Answer (A) is correct.

Development of work programs occurs during the planning phase of an individual engagement.

B. Determining an engagement work schedule includes considering the effectiveness of risk
management and control processes.

C. Determining an engagement work schedule includes considering workload requirements.

D. Determining an engagement work schedule includes considering issues relating to organizational
governance.

18. During discussions with senior management, the chief audit executive identified several
strategic business issues to consider in preparing the annual audit work schedule. Which of the
following does not represent a strategic issue for this purpose?

A. A monthly budgeting process will be implemented.

B. An international marketing campaign will be started to develop product recognition and also to
leverage the new organization-based advertising department.

C. Joint-venture candidates will be sought to provide manufacturing and sourcing capabilities in
European and Asian markets.

D. A human resources database will be established to ensure consistent administration of policies and
to improve data retention.

Answer (A) is correct.

Implementing a monthly budgeting process is an operating decision, not a strategic decision. (It does,
however, involve a major change in operations.)

B. An international marketing campaign is a strategic issue. The CAE will need to ensure that the new
marketing process and the centralized advertising department are recognized and monitored in risk
assessment and planning activities.

C. Extending operations to European and Asian markets is a strategic issue. The addition of
joint-venture partners will add new or additional concerns for risk assessment and planning in the
internal audit activity.

D. Establishing a human resources database is a strategic issue. The assumptions and ongoing activities
related to a human resources database will require consideration in the planning of the internal audit
activity.

19. The chief audit executive for an organization has just completed a risk assessment process,
identified the areas with the highest risks, and assigned an engagement priority to each. Which of
the following conclusions most logically follow(s) from such a risk assessment?

1. Items should be quantified as to risk in the rank order of quantifiable monetary exposure to the
organization.

2. The risk priorities should be in order of major control deficiencies.

3. The risk assessment process, though quantified, is the result of professional judgments about both
exposures and probability of occurrences.

A. 1 only.

B. 3 only.

C. 2 and 3 only.

D. 1, 2, and 3.

Answer (B) is correct.

Any assessment of risk priority and exposure necessarily implies the exercise of professional judgment.
Thus, although risk factors may be weighted to determine their relative significance, a ranking based
solely on such specific criteria as monetary exposure or control deficiencies is not always indicated.

A. Quantifiable monetary exposure is not the sole criterion for ranking risk exposures.

C. Major control deficiencies are not the sole criteria for ranking risk exposures.

D. Ranking risk exposures strictly by quantifiable monetary exposure or by major control deficiencies
downplays the importance of professional judgment.

20. Which of the following comments is (are) true regarding the assessment of risk associated
with two projects that are competing for limited internal audit resources?

1. Activities that are requested by the board always should be considered higher risk than those
requested by management.

2. Activities with higher financial budgets always should be considered higher risk than those
with lower financial budgets.

3. Risk always should be measured by the potential monetary or other adverse exposure to the
organization.

A. 1 only.

B. 2 only.

C. 3 only.

D. 1 and 3 only.

Answer (C) is correct.

When ranking potential engagements that are competing for limited internal audit resources, a decision
criterion based on the degree of adverse exposure to the organization is preferable.

A. Activities requested by the board do not necessarily have greater risk.

B. Activities with higher financial budgets do not necessarily have greater risk.

C. A ranking based on the source of a request for performance of an engagement is unlikely to reflect a
comprehensive assessment based on a sufficient number of risk factors.

21. Which of the following represent(s) appropriate internal audit action in response to the risk
assessment process?

1. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be
performed by the internal audit activity.

2. The high-risk areas should be integrated into an audit work schedule along with the
high-priority requests of senior management and the audit committee.

3. The risk analysis should be used in determining an annual audit work schedule. Thus, the risk
analysis should be performed only on an annual basis.

A. 1 only.

B. 2 only.

C. 3 only.

D. 1 and 3 only.

Answer (B) is correct.

The high-risk areas should be integrated into an audit work schedule along with the high-priority
requests of senior management and the audit committee.

A. Work should be coordinated with the external auditor to avoid duplication of effort and to ensure
adequate coverage, but allocation of tasks based solely on relative risk is not appropriate.

C. Changing conditions may require updating risk assessment during the year.

D. Work should be coordinated with the external auditor to avoid duplication of effort and to ensure
adequate coverage, but allocation of tasks based solely on relative risk is not appropriate. Also,
changing conditions may require updating the risk assessment during the year.

22. The internal auditor is considering making a risk analysis as a basis for determining the
areas of the organization where engagements should be performed. Which one of the following
statements is true regarding risk analysis?

A. The extent to which management judgments are required in an area could serve as a risk factor in
assisting the internal auditor in making a comparative risk analysis.

B. The highest risk assessment should always be assigned to the area with the largest potential loss.

C. The highest risk assessment should always be assigned to the area with highest probability of
occurrence.

D. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons
across an organization.

Answer (A) is correct.

Among the common factors used in risk models for establishing the priority of engagements is
management competence. Hence, the internal auditor could appropriately consider the extent of
management competence, which includes judgment, as a risk factor.

B. Risk analysis considers both the potential loss (or damages) and the probability of occurrence. An
area with the largest potential loss may have a very low likelihood.

C. A high probability of occurrence may be associated with a small potential loss.

D. The concept of risk analysis is not limited to quantitative measures.

23. The chief audit executive set up a computerized spreadsheet to facilitate the risk assessment
process involving a number of different divisions in the organization. The spreadsheet included
the following factors:

Pressure on divisional management to meet profit goals

Complexity of operations

Competence of divisional personnel

The monetary amount of subjectively influenced accounts in the division, such as accounts in
which management’s judgment can affect the expense, e.g., postretirement benefits

The CAE used a group meeting of internal audit managers to reach a consensus on the
competence of divisional personnel. Other factors were assessed as high, medium, or low by
either the CAE or an internal audit manager who had performed an engagement at the division.
The CAE assigned a weight ranging from 0.5 to 1.0 to each factor and then computed a
composite risk score. Which statement is true?

A. The risk analysis is not appropriate because it mixes both quantitative and qualitative factors,
thereby making expected value calculations impossible.

B. Assessing factors at discrete levels such as high, medium, and low is inappropriate for the risk
assessment process because the ratings are not quantifiable.

C. The weighting is subjective and should have been determined through a process such as
multiple-regression analysis.

D. Using a subjective group consensus to assess personnel competence is appropriate.


Answer (D) is correct.

The risk assessment incorporates information from a variety of sources, such as discussions with the
board and management and with internal audit management and staff. Thus, seeking the consensus of
experienced internal audit managers regarding personnel matters is appropriate. This method tends to
eliminate the extreme judgments that might be made by a single evaluator.

A. Risk analysis considers all appropriate factors. It need not be limited to quantitative or expected
value calculations.

B. High, medium, and low may be the most precise measures available.

C. Subjective analysis is acceptable. Use of multiple-regression analysis to determine a weighted
average for the risk-weighting model is not feasible because no criteria exist to determine the
weightings.

24. When a risk assessment process has been used to construct an audit engagement schedule,
which of the following should receive attention first?

A. The external auditors have requested assistance for their upcoming annual audit.

B. A new accounts payable system is currently undergoing testing by the information technology
department.

C. Management has requested an investigation of possible lapping in receivables.

D. The existing accounts payable system has not been audited over the past year.

Answer (C) is correct.

Prioritizing is needed to make decisions about applying resources to engagements based on the relative
significance of their risk and exposure estimates. Most risk models use risk factors to establish
engagement priorities. Internal auditors traditionally regard fraud as significant even if the immediate
exposure is not. Thus, management’s request to investigate a possible fraud in the accounts receivable
unit must take precedence.

A. External audit requests for assistance should be subordinate to fraud investigations.

B. Given that the new system is not yet in production, it need not receive immediate attention.

D. A management request involving a fraud should take priority over a system that has not been
audited over the past year.

25. Which of the following factors is considered the least important in deciding whether existing
internal audit resources should be moved from an ongoing compliance engagement to a
divisional-level engagement requested by management?

A. A financial audit of the division performed by the external auditor a year ago.

B. The potential for fraud associated with the ongoing engagement.

C. An increase in the level of expenditures experienced by the division for the past year.

D. The potential for significant regulatory fines associated with the ongoing engagement.

Answer (A) is correct.

Prioritizing is needed to make decisions about applying relative resources based on the significance of
risk and exposure. Most risk models use risk factors to establish engagement priorities. One such factor
is the potential for fraud. Internal auditors traditionally regard fraud as significant even if the
immediate exposure is not significant. Increased expenditures also constitute a significant risk factor
because they represent an increase in potential loss. For the same reason, potential regulatory fines may
also create an exposure sufficiently great to affect the determination of priorities. Thus, the result of an
external financial audit performed a year ago is the least likely to affect the current allocation of
internal audit resources. Any adverse engagement observations most probably have been acted upon
and, in any case, may not be germane to the ongoing compliance engagement or the proposed
divisional-level engagement.

B. Potential fraud is likely to be a more important factor in the use of limited internal audit resources
than the results of an external financial audit.

C. Increased expenditures are likely to be a more important factor in the use of limited internal audit
resources than the results of an external financial audit.

D. Potential significant fines are likely to be a more important factor in the use of limited internal audit
resources than the results of an external financial audit.

26. Which of the following represents the best risk assessment technique?

A. Assessment of the risk levels for future events based on the extent of uncertainty of those events
and their impact on achievement of long-term organizational goals.

B. Assessment of inherent and control risks and their impact on the extent of financial misstatements.

C. Assessment of the risk levels of current and future events, their effect on achievement of the
organization’s objectives, and their underlying causes.

D. Assessment of the risk levels of current and future events, their impact on the organization’s
mission, and the potential for elimination of existing or possible risk factors.

Answer (C) is correct.

When determining the best risk assessment technique, internal auditors should choose the most
comprehensive. Of the options given, assessing risks, their effects, and their causes is the technique
meeting that criterion.

A. Causation also should be considered.


B. Risk events include more than those classified as inherent and control risks (terms used in the audit
risk model used in financial statement audits). Moreover, a comprehensive approach should be
adopted.

D. Elimination of risks is less likely than mitigation.

27. Fact Pattern: The internal auditing process is one of critical thinking, analysis, and careful
evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry.
All engagements include a description and analysis of internal controls. Engagement clients are
selected in a number of ways, with risk being the primary basis for selection. The departments
being considered for possible review in the coming year and attributes of those departments are
as follows:

Department      Assets           Annual Costs     Probability of Loss
Production A    US $50,000       US $700,000      10%
Production B    5,000,000        10,000,000       1%
Production C    1,000,000        1,000,000        1%
Purchasing      50,000           150,000          10%
Marketing       50,000           500,000          10%
Shipping        60,000           100,000          50%
Security        10,000           100,000          90%
Travel          6,000            30,000           50%

All of these departments, except two, are on the potential list of engagement clients because of a
risk analysis performed by the chief audit executive. Production department A is on the list
because the president thinks too many bottlenecks occur in that department. The marketing
department is on the list because the chief of security received an anonymous phone call accusing
a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal
controls seem adequate in all departments, with the possible exception of marketing.

What is the chief audit executive’s most logical definition of risk of loss to be used in selecting
engagement clients?

A. Amount of risk exposure times the probability of loss.

B. Amount of annual costs in a department.

C. Probability of loss.

D. Amount of assets in a department.

Answer (A) is correct.

The IIA Glossary defines risk as “the possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood.” Thus, risk of loss is
most logically defined as an expected value equal to the amount at risk times the probability of loss.

B. The amount of costs in a department is not necessarily the amount exposed to a risk of loss.

C. The probability of a loss must be multiplied by the amount exposed to possible loss.

D. The amount of assets in a department is not necessarily the amount exposed to a risk of loss.

28. Fact Pattern: The internal auditing process is one of critical thinking, analysis, and
careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful
inquiry. All engagements include a description and analysis of internal controls. Engagement
clients are selected in a number of ways, with risk being the primary basis for selection. The
departments being considered for possible review in the coming year and attributes of those
departments are as follows:

Department      Assets           Annual Costs     Probability of Loss
Production A    US $50,000       US $700,000      10%
Production B    5,000,000        10,000,000       1%
Production C    1,000,000        1,000,000        1%
Purchasing      50,000           150,000          10%
Marketing       50,000           500,000          10%
Shipping        60,000           100,000          50%
Security        10,000           100,000          90%
Travel          6,000            30,000           50%

All of these departments, except two, are on the potential list of engagement clients because of a
risk analysis performed by the chief audit executive. Production department A is on the list
because the president thinks too many bottlenecks occur in that department. The marketing
department is on the list because the chief of security received an anonymous phone call accusing
a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal
controls seem adequate in all departments, with the possible exception of marketing.

Which department most likely needs a pure operational (nonfinancial) engagement?

A. Production A.

B. Production C.

C. Purchasing.

D. Marketing.

Answer (A) is correct.


An operational engagement includes reviewing the activities, systems, and controls within an
organization to reach efficiency, effectiveness, economic, or other goals. A department that is
causing bottlenecks needs an operational audit to aid in determining the cause of the bottlenecks
and correcting the problem.

B. Production department C appears to be operating efficiently and effectively.

C. The purchasing department appears to be operating efficiently and effectively.

29. Fact Pattern: During the planning phase, a chief audit executive (CAE) is evaluating four
audit engagements based on the following factors: the engagement’s ability to reduce risk to the
organization, the engagement’s ability to save the organization money, and the extent of change
in the area since the last engagement. The CAE has scored the engagements for each factor from
low to high, assigned points, and calculated an overall ranking. The results are shown below with
the points in parentheses:

Audit    Risk Reduction    Cost Savings    Changes
1        High (3)          Medium (2)      Low (1)
2        High (3)          Low (1)         High (3)
3        Low (1)           High (3)        Medium (2)
4        Medium (2)        Medium (2)      High (3)

Which audit engagements should the CAE pursue if all factors are weighed equally?

A. 1 and 2 only.

B. 1 and 3 only.

C. 2 and 4 only.

D. 3 and 4 only.

Answer (C) is correct.


Given that the areas to be audited are weighted equally, the CAE should pursue audits 2 and 4 because
they have the highest total points (7).

A. Audit 1 has fewer total points than audit 4.

B. Audits 1 and 3 have fewer total points than audits 2 and 4.

D. Audit 3 has fewer total points than audit 2.

30. Fact Pattern: During the planning phase, a chief audit executive (CAE) is evaluating four
audit engagements based on the following factors: the engagement’s ability to reduce risk to the
organization, the engagement’s ability to save the organization money, and the extent of change
in the area since the last engagement. The CAE has scored the engagements for each factor from
low to high, assigned points, and calculated an overall ranking. The results are shown below with
the points in parentheses:

Audit    Risk Reduction    Cost Savings    Changes
1        High (3)          Medium (2)      Low (1)
2        High (3)          Low (1)         High (3)
3        Low (1)           High (3)        Medium (2)
4        Medium (2)        Medium (2)      High (3)

If the organization has asked the CAE to consider the cost savings factor to be twice as important
as any other factor, which engagements should the CAE pursue?

A. 1 and 2 only.

B. 1 and 3 only.

C. 2 and 4 only.

D. 3 and 4 only.

Answer (D) is correct.

After doubling the cost savings points, audit 3 [1 + (2 × 3) + 2 = 9] and audit 4 [2 + (2 × 2) + 3 = 9]
have the highest total points.

A. Audit 1 and audit 2 have 8 total points each.

B. Audit 1 has 8 total points.

C. Audit 2 has 8 total points.

31. Which of the following is the best reason for the chief audit executive to consider the strategic
plan in developing the annual audit plan?

A. To ensure that the internal audit plan supports the overall business objectives.

B. To ensure that the internal audit plan will be approved by senior management.

C. To make recommendations to improve the strategic plan.

D. To emphasize the importance of the internal audit function.

Answer (A) is correct.

The chief audit executive must establish risk-based plans to determine the priorities of the internal audit
activity consistent with the organization’s goals (Perf. Std. 2010). Including the strategic plan in the
audit universe ensures that it reflects the overall business objectives stated in the strategic plan.

B. Making the internal audit plan fit better with the strategic plan may not have an effect on
management’s approval.

C. Recommending improvements to the strategic plan is not the primary purpose of the CAE’s review.

D. The importance of the internal audit function depends on the authority granted to it by the board and
senior management.

32. A chief audit executive most likely uses risk assessment for audit planning because it provides

A. A systematic process for assessing and integrating professional judgment about probable adverse
conditions.

B. A listing of potentially adverse effects on the organization.

C. A list of auditable activities in the organization.

D. The probability that an event or action may adversely affect the organization.

Answer (A) is correct.

The chief audit executive must establish risk-based plans to determine the priorities of the internal audit
activity consistent with the organization’s goals (Perf. Std. 2010).

B. A listing of potentially adverse effects might convince the CAE of the need for risk assessment. But
this process is not itself a risk assessment.

C. A list of auditable activities is used in the risk assessment process but is not the rationale for using
risk assessment.

D. The probability that an event or action may adversely affect the organization is one definition of
risk.

33. A service company is currently experiencing a significant downsizing and process
reengineering. Its board of directors has redefined the business goals and established initiatives
using in-house developed technology to meet these goals. As a result, a more decentralized
approach has been adopted to run the business functions by empowering the business branch
managers to make decisions and perform functions traditionally done at a higher level.

The internal auditing staff is made up of the director, two managers, and five staff auditors, all
with financial backgrounds. In the past, the primary focus of successful audit activities has been
the service branches and the six regional division headquarters that support the branches. These
division headquarters are the primary targets for possible elimination. The support functions,
such as human resources, accounting, and purchasing, will be brought into the national
headquarters, and technology will be enhanced to enable and augment these operations.

Assuming that total available resources remain the same, what activities should the internal audit
activity perform to best serve the organization?

A. Decrease engagement time in systems development.

B. Increase engagement time in service branches.

C. Increase engagement time in functions being centralized.

D. Continue the allocation of engagement time as before.

Answer (C) is correct.

A major change in organizational structure is a significant risk factor. Of the choices provided,
increasing engagement time in the functions being centralized best serves the organization.

A. Major technology changes require that the engagement time devoted to systems development be
increased.

B. Given the major changes in other areas, limited internal audit activity resources most likely must be
shifted away from their primary focus on the service branches.

D. Major changes in the business, operations, programs, systems, and controls also require changes by
the internal audit activity.

34. Which of the following statements is false regarding risk assessment as the term is used in
internal auditing?

A. Risk assessment is a judgmental process of assigning monetary amounts to the perceived level of
risk found in an activity being evaluated. These amounts allow a chief audit executive to select the
engagement clients most likely to result in identifiable savings.

B. The chief audit executive should incorporate information from a variety of sources into the risk
assessment process, including discussions with the board, management, external auditors, review of
regulations, and analysis of financial/operating data.

C. Risk assessment is a systematic process of assessing and integrating professional judgments about
events that could affect the achievement of organizational objectives. It provides a means of organizing
an engagement work schedule.

D. As a result of an engagement or preliminary survey, the chief audit executive may revise the level
of assessed risk of an engagement client at any time, making appropriate adjustments to the work
schedule.

Answer (A) is correct.

Risk assessment is a complex process that cannot be reduced to simple monetary terms.

B. The CAE should incorporate information from a variety of sources into the risk assessment process.
The Standards place no limit on such sources.

C. Risk assessment is a systematic process of assessing and integrating professional judgments about
events that could affect the achievement of organizational objectives. It provides a means of organizing
an engagement work schedule.

D. Risk assessments may be revised on the basis of new information.

35. The chief audit executive for a retail merchandise sales organization is considering
engagement assignments for inclusion in the work schedule for the upcoming year. The following
areas have not been evaluated recently, and there are no known reasons that they should be given
immediate attention. If resources are scarce, which project should be given priority?

A. Corporate code of ethics and conflict of interest policy.

B. Cash management and credit policy.

C. Employee time reporting system.

D. Budget preparation and forecasts.

Answer (B) is correct.

Of the areas listed, cash management and credit policy in a retail merchandise sales organization would
likely rank the highest in financial exposure and risk of potential loss.

A. Cash and credit policy has a greater risk of loss.

C. Cash and credit policy has a greater risk of loss.

D. Cash and credit policy has a greater risk of loss.

36. The chief audit executive of an organization has developed a plan that includes a detailed
schedule of engagements to be performed during the coming year, an estimate of the time
required for each engagement, and the approximate starting date of each engagement. The
scheduling of specific engagements was based upon the time elapsed since the last engagement in
each area. The plan is inadequate because it fails to

A. Cite authoritative support for such a plan.

B. Consider factors such as risk and effectiveness of risk management processes.

C. State whether all internal audit activity resources had been committed to the plan.

D. Seek senior management approval of the plan.

Answer (B) is correct.

The internal audit activity’s plan of engagements must be based on a documented risk assessment,
undertaken at least annually (Impl. Std. 2010.A1).

A. The Standards contain no requirement to cite authoritative support for the plan.

C. The plan should be flexible in the event of unanticipated needs for internal audit activity resources.

D. Activity reports should be submitted to senior management and to the board at least annually, but
the Standards contain no requirement for seeking approval of the annual engagement work schedule.

37. Which of the following is a valid reason for an internal auditing engagement involving a
payroll department to receive priority over a purchasing department engagement?

A. The director of the payroll department requested that the payroll department engagement be
performed first.

B. The purchasing department engagement will require more time to perform.

C. The payroll department’s relative risk and exposure are greater.

D. The purchasing department recently restructured its major operations.

Answer (C) is correct.

The CAE must establish risk-based plans to determine the priorities of the internal audit activity
consistent with the organization’s goals (Perf. Std. 2010). Audit work schedules are based on, among
other factors, an assessment of risk and exposures.

A. This request is not as compelling a reason for granting priority as the greater assessed risk of another
engagement client.

B. The time required may not correlate with risk and other factors that determine the internal audit
activity’s priorities.

D. The restructuring is a reason for giving priority to the purchasing department.

38. An organization manufactures mirror frames. Scrap is adequately accounted for at the
point of generation. The scrap is sorted and sold frequently to the organization’s regular buyer at
a price negotiated between the scrap manager and the buyer. A risk exposure caused by these
procedures is that

A. Excessive scrap has been generated.

B. The price received for scrap may be inadequate.

C. The production of scrap indicates inefficiencies in production.

D. The collection of amounts receivable from the scrap buyer is questionable.

Answer (B) is correct.

Various problems may arise. For example, the scrap manager may be tempted to collude with the
regular buyer to establish an inadequate price. In the absence of fraud, the failure to seek competing
bids, the line manager’s lack of expertise in negotiation, ignorance of quoted prices in established
markets, and other factors may result in an inadequate price. Hence, a separate subunit of the
organization may be necessary to manage all aspects of scrap disposition.

A. Nothing suggests excessive scrap generation.

C. Nothing suggests inefficiency.

D. A regular buyer is likely to be reliable.

39. Management has just implemented a policy that every department must downsize by
immediately cutting 10% of each department’s staff and budget. The chief audit executive has
reacted to the organization’s recent plans for “downsizing” (reducing the size of staff across the
board) by notifying the internal audit managers that the time allocated for all jobs must be cut by
10%. Which of the following statements regarding the CAE’s action and potential internal audit
manager’s action is true?

A. The CAE’s action should result in approximately the same amount of risk coverage as the
previous engagement work schedule but reduced by 10%.

B. Individual internal audit managers can attain 90% of the previously defined engagement coverage
by uniformly cutting engagement procedures by 10%.

C. The CAE should have re-prioritized risks and eliminated specific engagements rather than cutting
10% across the board.

D. All of the answers are correct.

Answer (C) is correct.

The CAE must establish risk-based plans to determine the priorities of the internal audit activity
consistent with the organization’s goals (Perf. Std. 2010). Audit work schedules are based on, among
other factors, an assessment of risk and exposures. Prioritizing is needed to make decisions for
applying resources. Hence, when the internal audit activity’s resources are reduced, the CAE should
allocate the remaining resources in the manner that best meets its goals. For this purpose, risk priorities
must be reevaluated. Eliminating some projects may be preferable to reducing the effort devoted to all
projects.

A. Reducing the time allocation for all jobs by 10% does not necessarily mean that the risks addressed
will be reduced proportionately. The CAE should reprioritize the engagement work schedule to ensure
the optimal mitigation of risk with the more limited resources.

B. A uniform 10% reduction in engagement procedures or scope may result in gathering insufficient
information and failure to meet engagement objectives for all projects.

D. Only one of the responses is true.

40. The work of the internal audit activity includes evaluating and contributing to the
improvement of risk management systems. Risk is

1. The negative effect of events certain to occur

2. Measured in terms of impact

3. Measured in terms of likelihood

A. 1 only.

B. 1 and 2 only.

C. 2 and 3 only.

D. 1, 2, and 3.

Answer (C) is correct.

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes (Perf. Std. 2120). Risk is the possibility of an event’s occurrence that will have
an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood (The
IIA Glossary).

A. Risk is measured in terms of impact and likelihood. Moreover, it involves uncertainty, and the
effects of events are not necessarily negative.

B. Risk also is measured in terms of likelihood. Moreover, it involves uncertainty, and the effects of
events are not necessarily negative.

D. Risk involves uncertainty, and the effects of events are not necessarily negative.

41. Updating the audit universe is useful in developing the internal audit plan. The audit universe

A. Consists of all possible audits.

B. Reflects only past organizational strategies.

C. May not overlap with the organization’s strategic plan.

D. Is typically updated every 5 years.

Answer (A) is correct.

In developing the internal audit activity’s audit plan, many CAEs find it useful to first develop or
update the audit universe. The audit universe is a list of all the possible audits that could be performed.

B. The audit universe needs to reflect the most current strategies.

C. The audit universe may include elements of the strategic plan and therefore reflect overall business
objectives.

D. The audit universe needs to be updated at least annually.

42. The chief audit executive develops a risk-based plan after updating the audit universe. The
item least likely to be part of the audit universe is

A. Major programs.

B. Cost, profit, and investment centers.

C. A component of the organization’s strategic plan.

D. The minutes from the last board of directors meeting.

Answer (D) is correct.

In developing the internal audit activity’s audit plan, many chief audit executives (CAEs) find it useful
to first develop or update the audit universe. The audit universe is a list of all the possible audits that
could be performed. The CAE may obtain input on the audit universe from senior management and the
board.

A. Major programs are activities of the organization and are thus part of the audit universe.

B. Cost, profit, and investment centers are parts of the organization and are thus part of the audit
universe.

C. The audit universe can include components from the organization’s strategic plan. By incorporating
components of the organization’s strategic plan, the audit universe will consider and reflect the overall
business objectives.

43. Risk is measured in terms of significance and likelihood. Excessive cash disbursements due to
duplicate payments to vendors are events that most likely are placed in which area of a risk map?

A. Low significance, low likelihood.

B. Low significance, high likelihood.

C. High significance, medium likelihood.

D. High significance, low likelihood.

Answer (C) is correct.

Duplicate payments to vendors are considered high significance because they result in a material loss
of cash if undetected. The likelihood is medium because they are a common irregularity. However,
there is most often a good chance (not guaranteed) that a vendor will detect the error and correct it.

A. Duplicate payments to vendors tend to have medium to high impact and more than a low likelihood.

B. Duplicate payments to vendors tend to have medium to high impact and more than a low likelihood.

D. The likelihood is more than low (rare or unlikely).

44. The internal audit activity of a large organization has established its operating plan and
budget for the coming year. The operating plan is restricted to the following categories: a
prioritized listing of all engagements, staffing, a detailed expense budget, and the commencement
date of each engagement. Which of the following best describes the major deficiency of this
operating plan?

A. Requests by management for special projects are not considered.

B. Opportunities to achieve operating benefits are ignored.

C. Measurability criteria and targeted dates of completion are not provided.

D. Knowledge, skills, and other competencies required to perform work are ignored.

Answer (C) is correct.

The goals of the internal audit activity should be capable of accomplishment within given operating
plans and budgets and should be measurable to the extent possible. They should be accompanied by
measurement criteria and targeted dates of accomplishment.

A. Requests by management would have been considered in establishing engagement work schedule
priorities.

B. Opportunities to achieve operating benefits would have been considered in establishing engagement
work schedule priorities.

D. The appropriate resources, including staffing, needed to achieve engagement objectives would have
been considered in establishing engagement work schedule priorities. Staff members must possess the
knowledge, skills, and other competencies needed to perform their responsibilities (Attr. Std. 1210).

45. An approved audit plan for the internal audit activity is an essential part of

A. Scheduling support for the external audit.

B. Establishing standards for employee performance.

C. Providing senior management with information about the quality of the internal audit activity’s
performance.

D. Planning for the internal audit activity.

Answer (D) is correct.

The audit plan should include the activities to be performed, when they will be performed, and the
estimated time required, considering the scope of the engagement work planned and the nature and
extent of related work performed by others. This plan permits determination of staffing plans and
financial budgets and is a basis for the presentation of reports.

A. The engagement work schedule is not essential to proper support for the external audit.

B. Management sets operating standards.

C. Providing information about internal audit’s performance is not a function of the audit workplan.

46. A chief audit executive (CAE) uses a risk assessment model to establish the annual audit plan.
Which of the following would be an appropriate action by the CAE?

1. Maintain ongoing dialogue with management and the audit committee

2. Ensure that the schedule of audit priorities remains unchanged

3. Employ only quantitative methods to determine risk weightings

4. Revise the risk assessment and audit priorities as warranted

A. 3 only.

B. 1 and 2 only.

C. 1 and 4 only.

D. 3 and 4 only.

Answer (C) is correct.

It is a best practice for risk assessment to be a dynamic process, changing over time and as new
information, business strategies, and risks are identified. Ongoing consultation with members of
management and the board is a way for the internal audit activity to obtain such information and stay
attuned to organizational developments that may affect existing audit priorities. To accommodate such
emerging priorities, the work schedule may need to be altered.

A. The weighting of risk is both a quantitative and a qualitative (judgment) exercise.

B. Audit schedules will likely change regularly to meet the needs of the organization, particularly if
based on an effective risk assessment process.

D. The weighting of risk is both a quantitative and a qualitative (judgment) exercise. Furthermore, the
CAE should engage in ongoing consultation with members of management and the board.

48. At a meeting with engagement managers, the chief audit executive is allocating the
engagement work schedule for next year’s plan. Which of the following methods will ensure that
each manager receives an appropriate share of both the work schedule and internal audit activity
resources?

A. Work is assigned to each manager based on risk and skill analysis.

B. Each of the managers selects the individual assignments desired, based on preferences for the area
and the management personnel involved.

C. Each manager chooses assignment preferences based on the total staff hours that are currently
available to each manager.

D. The full list of scheduled engagements is published for the staff, and work assignments are made
based on career interests and travel requirements.

Answer (A) is correct.

Due professional care requires that work assignments be proportional to the complexities of the
engagement and that the technical proficiency and educational background of the personnel
assigned be appropriate. A skill analysis of tasks to be performed is therefore necessary.
Furthermore, matters to be considered in establishing audit work schedule priorities include, among
many other factors, an assessment of risk and exposures.

B. Choice based on personal preference does not ensure the exercise of due professional care.

C. Available staff hours do not correlate with risk or the composite skills necessary for individual
assignments.

D. Although career interests and travel requirements are considerations for staffing engagements, these
factors do not constitute an objective basis for making assignments.

49. Which of the following represent(s) appropriate internal audit action in response to the risk
assessment process?

1. The high-priority requests of senior management and the audit committee should be given little
weight with regard to the audit work schedule.

2. Engagements for the low-risk areas may be delegated to the external auditor, but engagements for
the high-risk areas should be performed by the internal audit activity.

3. The chief audit executive should develop a risk-based plan, making adjustments as necessary in
response to organizational changes.

4. The risk analysis should be used in determining an annual audit work schedule. Thus, the risk
analysis should be performed only on an annual basis.

A. 1 only.

B. 2 only.

C. 3 only.

D. 2 and 4 only.

Answer (C) is correct.

The chief audit executive is responsible for developing a risk-based plan that considers the
organization’s risk management framework, including using risk appetite levels set by management for
the different activities or parts of the organization. If a framework does not exist, the chief audit
executive uses his or her own judgment of risks after consideration of input from senior management
and the board. The chief audit executive must review and adjust the plan, as necessary, in response to
changes in the organization’s business, risks, operations, programs, systems, and controls.

A. The high-risk areas should be integrated into an audit work schedule with the high-priority requests
of senior management and the audit committee.

B. Work should be coordinated with the external auditor to avoid duplication of effort and to ensure
adequate coverage, but allocation of tasks based solely on relative risk is not appropriate.

D. Work should be coordinated with the external auditor to avoid duplication of effort and to ensure
adequate coverage, but allocation of tasks based solely on relative risk is not appropriate. Also,
changing conditions may require updating the risk assessment during the year.

50. The chief audit executive of a manufacturer is updating the long-range engagement work
schedule. Several possible engagements can be assigned to a given time slot. Information on
potential monetary exposure and key internal controls has been gathered. Based on perceived
risk, select the assignment of greatest merit.

A. Precious metals inventory -- carrying amount, US $10,000; separately stored, access restricted by
keycard and management approval.

B. Branch office petty cash -- ledger amount, US $75,000; 10 branch offices, equal amounts;
replenishment of accounts requires three separate approvals.

C. Sales force travel expenses -- budget, US $1,200,000; 50 sales people; all expenditures over US
$25 must be receipted.

D. Expendable tools inventory -- carrying amount, US $1,100,000; stored with other inventory.

Answer (D) is correct.

Among the many considerations for judging an item’s risk are the ease with which it can be converted
to cash, its accessibility, and its monetary value. The expendable tools inventory is subject to
considerable risk because inventory can be easily converted to cash, access is not restricted, and its
monetary value is relatively high.

A. Although the inventory is easily convertible to cash, sufficient controls are in place, and its
monetary value is relatively low.

B. The monetary exposure of petty cash is much smaller than for the other proposed engagements, and
the related controls are very stringent.

C. Although the monetary value of the sales force travel expense is slightly higher than that of
expendable tools inventory, the exposure is divided among 50 people, and the receipting requirement
provides substantial safety against false claims.

51. In deciding whether to accept a consulting engagement, the Standards require the CAE to
consider the engagement’s potential to

1. Add value

2. Improve management of risks

3. Develop internal audit competencies

4. Improve the organization’s operations

A. 1 only.

B. 1 and 2 only.

C. 1, 2, and 4 only.

D. 1, 2, 3, and 4.

Answer (C) is correct.

Planning for consulting services involves considering what benefits these engagements may offer.
According to Implementation Standard 2010.C1, “The chief audit executive should consider accepting
proposed consulting engagements based on the engagement’s potential to improve management of risk,
add value, and improve the organization’s operations. Accepted engagements must be included in the
plan.”

A. The CAE also considers the engagement’s potential to improve management of risks and improve
the organization’s operations.

B. The CAE also considers the engagement’s potential to improve the organization’s operations.

D. The engagement’s potential to develop internal audit competencies is not a criterion explicitly stated
in the Standards.

52. The internal audit activity’s plan of engagements is based on which of the following?

Risk Assessment | Input of

A. Undertaken at least annually | The board

B. Undertaken at least annually | The board and senior management

C. Undertaken at least semi-annually | The board

D. Undertaken at least semi-annually | The board and senior management

Answer (B) is correct.

According to Implementation Standard 2010.A1, the internal audit activity’s plan of engagements must
be based on a documented risk assessment, undertaken at least annually. Additionally, the input of
senior management and the board must be considered in this process.

A. The plan must also be based on the input of senior management.

C. The plan must be based on a documented risk assessment, undertaken at least annually, and consider
the input of senior management.

D. The plan must be based on a documented risk assessment, undertaken at least annually.

53. Which of the following is not a requirement of risk-based audit planning?

A. The chief audit executive consults with external auditors.

B. The risk-based plan considers the organization’s strategies and objectives.

C. The risk-based plan is adjusted for changes in the organization’s business.

D. To determine the priorities of the internal audit activity, a risk-based plan must be established.

Answer (A) is correct.

The Standards only require the CAE to consult with the board and senior management (Interpretation
of Standard 2010, Implementation Standard 2010.A1).

B. According to the Interpretation of Standard 2010, the chief audit executive obtains an understanding
of the organization’s strategies, key objectives, associated risks, and risk management processes to
develop the risk-based plan.

C. According to the Interpretation of Standard 2010, the chief audit executive adjusts the risk-based
plan in response to changes in the organization’s business, risks, operations, programs, systems, and
controls.

D. According to Performance Standard 2010, the chief audit executive must establish a risk-based plan
to determine the priorities of the internal audit activity.

54. What is the purpose of establishing an internal audit plan?

A. To update the audit universe.

B. To ensure adequate coverage of areas with the greatest exposure to risks.

C. To identify areas of audits with lower risks.

D. To identify, document, and analyze the means by which management mitigates the risks.

Answer (B) is correct.

The purpose of establishing an internal audit plan is to ensure adequate coverage of areas with the
greatest exposure to risks. The internal audit activity must prioritize to make decisions for applying
resources. An internal audit plan normally focuses on (1) unacceptable current risks requiring
management action, (2) control systems on which the organization is most reliant, (3) areas where the
difference between inherent risk and residual risk is great, and (4) areas where inherent risk is very
high.

A. The audit universe represents all auditable risk areas. The internal audit plan is based on the audit
universe. However, updating the audit universe is not the purpose of establishing an internal audit plan.

C. Lower-risk audits need to be included in the audit plan to give them coverage and confirm that their
risk levels have not changed. It is not the purpose of establishing an internal audit plan.

D. The internal auditor considers the significant risks of the activity and the means by which
management mitigates risks in internal audit planning. Risks and activities should be documented.
However, neither of these is the purpose for establishing an internal audit plan.

55. Which of the following is not a characteristic of effective risk management?

A. It provides absolute assurance that organizational objectives will be achieved.

B. It is fully integrated into management at all levels.

C. It assists in identifying key controls.

D. It reduces unacceptable risks to tolerable levels.


Answer (A) is correct.

The IIA Glossary defines risk management as a process to identify, assess, manage, and control
potential events or situations to provide reasonable assurance regarding the achievement of the
organization’s objectives. Thus, effective risk management only provides reasonable assurance, not
absolute assurance.

B. Effective risk management is fully integrated into management at all levels.

C. Effective risk management assists in identifying key controls.

D. Effective risk management assists in identifying key controls. Key controls reduce an otherwise
unacceptable risk to a tolerable level.

56. Which of the following represents an external risk factor?

A. The organization’s CEO unexpectedly became ill and had to resign. The chairman of the board of
directors stepped into the vacant role until a new CEO could be found.

B. Constant repairs to outdated equipment used in the manufacturing process cost three times more
than the amount budgeted.

C. Additional safety regulations enacted by the government have caused a strain on the
organization’s resources.

D. Weak controls over cash accounts have resulted in employee theft.

Answer (C) is correct.

External risk factors arise from outside the organization. Examples of external risks include competitor
actions, suppliers, industry issues, and employee and government relations. Examples of internal risk
factors include quality and adherence to controls, timing and results of last engagement, materiality,
asset liquidity, and management competence.

A. Risks arising from changes in organizational personnel are internal risks.

B. Risks arising from organizational equipment are internal risks.

D. Risks arising from inadequate controls are internal risks.

57. In the AICPA’s audit risk model, the risk that an auditor will express an inappropriate
audit opinion when the financial statements are materially misstated is

A. Audit risk.

B. Inherent risk.

C. Control risk.

D. Detection risk.

Answer (A) is correct.

Audit risk is “the risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated.” In the internal audit context, audit risk is the risk that the auditor
will provide senior management and the board with inaccurate or incomplete information about
governance, risk management, or control.

B. Inherent risk is the susceptibility of an assertion to material misstatement in the absence of related
controls.

C. Control risk is the risk that a material misstatement will not be prevented or detected by internal
control.

D. Detection risk is the risk that the auditor will not detect a material misstatement that exists in a
relevant assertion. It is affected by the auditor’s procedures and can be changed at his or her discretion.

58. On the basis of audit evidence gathered and evaluated, an auditor decides to decrease the
level of detection risk from that originally planned. Assuming the same planned audit risk level,
the change in the planned detection risk most likely resulted from a(n)

A. Decrease in the assessed control risk.

B. Increase in materiality levels.

C. Decrease in the assessed inherent risk.

D. Increase in the assessed control risk.

Answer (D) is correct.

Audit risk is a function of inherent risk, control risk, and detection risk. The only risk the auditor
directly controls is detection risk. Thus, the auditor achieves the desired level of overall audit risk by
adjusting detection risk in response to the assessed levels of inherent risk and control risk. Detection
risk has an inverse relationship with control risk and inherent risk. If the auditor chooses to increase his
or her assessment of control risk or inherent risk, detection risk should be decreased for a given
planned audit risk.

A. An increase in the assessed control risk may require a lower planned detection risk for a given
planned audit risk.

B. Materiality and risk are interrelated. However, as assessed risk increases, the auditor is likely to
reduce the levels of materiality.

C. An increase in the assessed inherent risk may require a lower planned detection risk for a given
planned audit risk.

59. In the AICPA’s audit risk model, the risk that an auditor’s procedures will lead to the
conclusion that a material misstatement does not exist in an account balance when, in fact, such
misstatement does exist is

A. Audit risk.

B. Inherent risk.

C. Control risk.

D. Detection risk.

Answer (D) is correct.

Detection risk is the risk that the auditor will not detect a material misstatement that exists in a relevant
assertion. It is affected by the auditor’s procedures and can be changed at his or her discretion.

A. Audit risk includes inherent risk and control risk, which are not affected by the auditor’s procedures.

B. Inherent risk is the susceptibility of an assertion to material misstatement in the absence of related
controls.

C. Control risk is the risk that a material misstatement will not be prevented or detected by internal
control.

60. The acceptable level of detection risk is inversely related to the

A. Extent of engagement procedures performed.

B. Risk of misapplying auditing procedures.

C. Preliminary judgment about materiality levels.

D. Risk of failing to discover material misstatements.

Answer (A) is correct.

Detection risk is the only one of the three components of audit risk that is subject to the auditor’s direct
control. The greater the assessed levels of control risk and/or inherent risk, the lower the acceptable
level of detection risk. Hence, the relationship between performing engagement procedures and
detection risk is inverse.

B. The risk of misapplying auditing procedures is related to the auditor’s training and experience.

C. Preliminary judgments about materiality are used by the auditor to determine the acceptable level of
audit risk. Detection risk is just one component of audit risk.

D. The acceptable level of detection risk is directly related to the risk of failing to discover material
misstatements.

61. Inherent risk and control risk differ from detection risk in that they

A. Arise from the misapplication of engagement procedures.


B. May be assessed in either quantitative or nonquantitative terms.

C. Exist independently of the audit engagement.

D. Can be changed at the auditor’s discretion.

Answer (C) is correct.

Inherent risk and control risk exist independently of the engagement and cannot be changed by the
auditor, only assessed. Detection risk is set by the auditor in response to his or her assessment of
inherent and control risk.

A. The misapplication of engagement procedures may affect detection risk but is independent of
inherent and control risk.

B. All three components of audit risk may be assessed either quantitatively or nonquantitatively.

D. Inherent risk and control risk must be assessed by the auditor, who then sets detection risk in
response.

62. Inherent risk and control risk differ from detection risk in that inherent risk and control
risk are

A. Elements of audit risk, whereas detection risk is not.

B. Changed at the auditor’s discretion, whereas detection risk is not.

C. Considered only for the entity as a whole, not for each engagement.

D. Functions of the client and its environment, whereas detection risk is not.

Answer (D) is correct.

Detection risk is a function of the effectiveness of an engagement procedure and of its application by
an auditor and can be changed at his or her discretion. Inherent risk and control risk differ from
detection risk in that they exist independently of the engagement. They are functions of the client’s line
of business and system of internal control.

A. Detection risk is also a component of audit risk.

B. Inherent risk and control risk are assessed by the auditor, but only detection risk can be changed at
his or her discretion.

C. Audit risk is assessed at the engagement level.

63. Which of the following audit risk components may be assessed in nonquantitative terms?

Control Risk | Detection Risk | Inherent Risk

A. Yes | Yes | Yes

B. No | Yes | Yes

C. Yes | Yes | No

D. Yes | No | Yes

Answer (A) is correct.

All three components of audit risk may be assessed in quantitative terms such as percentages or in
nonquantitative terms that range, for example, from high to low.

B. Control risk can be assessed in nonquantitative terms.

C. Inherent risk can be assessed in nonquantitative terms.

D. Detection risk can be assessed in nonquantitative terms.

64. An auditor assesses control risk because it

A. Is relevant to the auditor’s understanding of the control environment.

B. Provides assurance that the auditor’s materiality levels are appropriate.

C. Indicates to the auditor where inherent risk may be the greatest.

D. Affects the level of detection risk that the auditor may accept.

Answer (D) is correct.

Inherent risk and control risk exist independently of the engagement and must be assessed by the
auditor, who then sets detection risk in response.

A. The understanding of the control environment provides evidence for assessing control risk, not the
other way around.

B. Materiality levels are based upon auditor judgment.

C. Inherent risk is independent of internal control.


65. On the basis of audit evidence gathered and evaluated, an auditor decides to increase the
assessed level of control risk from that originally planned. To achieve an overall audit risk level
that is substantially the same as the planned audit risk level, the auditor would

A. Increase inherent risk.

B. Increase materiality levels.

C. Decrease inherent risk.

D. Decrease detection risk.

Answer (D) is correct.

Audit risk is a function of inherent risk, control risk, and detection risk. The only risk the auditor
directly controls is detection risk. Thus, the auditor achieves the desired level of overall audit risk by
adjusting detection risk in response to the assessed levels of inherent risk and control risk. Detection
risk has an inverse relationship with control risk. If the auditor chooses to increase the assessment of
control risk, detection risk should be decreased.

A. Inherent risk is not controllable by the auditor and can only be assessed.

B. Materiality and risk are interrelated. However, as risk increases, the auditor will likely reduce
materiality.

C. Inherent risk is not controllable by the auditor and can only be assessed.

66. In the AICPA’s audit risk model, which of the following is a definition of control risk?

A. The risk that a material misstatement will not be prevented or detected on a timely basis by the
client’s internal controls.

B. The risk that the auditor will not detect a material misstatement.

C. The risk that the auditor’s assessment of internal controls will be at less than the maximum level.

D. The susceptibility of material misstatement assuming there are no related internal control policies
or procedures.

Answer (A) is correct.

Control risk is the risk that internal control will not prevent or detect on a timely basis a material
misstatement that could occur in a relevant assertion.

B. The risk that the auditor will not detect a material misstatement that exists in a relevant assertion is
the definition of detection risk.

C. When the auditor’s assessment of internal controls is at less than the maximum level, the auditor has
an expectation of their operating effectiveness. This expectation results in a reduced assessment of the
risk of material misstatement.

D. The susceptibility of material misstatement assuming there are no related internal control policies or
procedures is the definition of inherent risk.

67. Risk modeling in a consulting service can be accomplished by

1. Ranking the engagement’s potential to improve management of risks

2. Ranking the engagement’s potential to add value

3. Ranking the engagement’s potential to improve the organization’s operations

A. 1 and 2.

B. 1 and 3.

C. 1, 2, and 3.

D. 3 only.

Answer (C) is correct.

Risk modeling in a consulting service can be accomplished by ranking the engagement’s potential to
improve management of risks, add value, and improve the organization’s operations as identified in
Impl. Std. 2010.C1.

A. Risk modeling in a consulting service can also be accomplished by ranking the engagement’s
potential to improve the organization’s operations.

B. Risk modeling in a consulting service can also be accomplished by ranking the engagement’s
potential to add value.

D. Risk modeling in a consulting service can also be accomplished by ranking the engagement’s
potential to improve the management of risks and ranking the engagement’s potential to add value.

68. Who reviews and approves a summary of the internal audit plan?

A. Senior management and the board.

B. The audit committee and the board.

C. Senior management only.

D. The chief audit executive (CAE) only.


Answer (A) is correct.

According to Perf. Std. 2020, senior management and the board review and approve the internal audit
plan.

B. The CAE also submits the internal audit plan to senior management.

C. The CAE also submits the internal audit plan to the board.

D. The audit plan is submitted to senior management and the board.

69. As the chief audit executive, you have determined that the acquisition of some expensive,
state-of-the-art software for paperless working paper files will be useful. Identify the preferred
method for presenting your request to senior management.

A. The effect of not obtaining the software.

B. Statement of need.

C. Comparison with other internal audit activities.

D. Evaluation of the software’s technical specifications.

Answer (A) is correct.

The CAE must communicate the internal audit activity’s plans and resource requirements to senior
management and the board for review and approval. The CAE also must communicate the effect of
resource limitations (Perf. Std. 2020).

B. The need must be weighed against the cost.

C. Other internal audit activities may have different cost-benefit relationships.

D. Specialists, not senior management, will perform this evaluation.

70. Bobby Fitz, CAE, believes that the internal controls over cash disbursements need major
revisions. Mr. Fitz discussed this matter with senior management and was very alarmed at their
acceptance of this serious risk. What action should Mr. Fitz take next?

A. Report the matter to the board immediately.

B. Understand management’s basis for accepting the risk.

C. Determine whether management has the authority to accept the risk.

D. Further attempt to resolve the disagreement.

Answer (B) is correct.


The first thing the CAE should do is understand management’s basis for the decision. It is possible that
management has knowledge about the risk that the CAE does not. This knowledge may prove it
suitable to accept the risk.

A. While this is an action the CAE could take, the CAE should first understand and try to further
resolve the disagreement before reporting it to the board.

C. While this is an action the CAE should take, the CAE should first understand management’s basis
for accepting the risk.

D. While this is an action the CAE should take, the CAE should first understand management’s basis
for accepting the risk. This is the last step the CAE should attempt before informing the board.

71. What should the CAE do if the scope of the internal audit plan is insufficient to permit
expression of an opinion about risk management and control?

A. Design more procedures to ensure the audit plan becomes sufficient.

B. The CAE should inform senior management and the board about gaps in audit coverage.

C. Make the decision to outsource the internal audit function so the scope of the audit plan can be
sufficient.

D. Hire more internal auditors to increase the scope of the engagement.

Answer (B) is correct.

In the event that the audit plan is insufficient, the CAE should inform senior management and the board
about gaps in audit coverage.

A. In the event that the audit plan is insufficient, the CAE should inform senior management and the
board.

C. In the event that the audit plan is insufficient, the CAE should inform senior management and the
board. Also, the CAE does not have the authority to make this type of decision.

D. In the event that the audit plan is insufficient, the CAE should inform senior management and the
board. Also, the CAE does not have the authority to make this type of decision.

72. A chief audit executive’s performance report should

A. List the material engagement observations of major engagements.

B. List uncorrected reported conditions.

C. Report the weekly activities of the individual internal auditors.

D. Compare engagements completed with engagements planned.


Answer (D) is correct.

The CAE must report periodically to senior management and the board on the internal audit activity’s
purpose, authority, responsibility, and performance relative to its plan and on conformance with the
Code of Ethics and the Standards (Perf. Std. 2060). Therefore, the performance report should compare
engagements completed with engagements planned.

A. A list of material engagement observations is not a performance report.

B. A list of uncorrected reported conditions is not a performance report.

C. A report of weekly activities is not a performance report.

73. The chief audit executive routinely reports to the board as part of the board meeting agenda
each quarter. Senior management has asked to review this presentation before each board
meeting so that any issues or questions can be discussed beforehand. The CAE needs to

A. Provide the report to senior management as requested and discuss any issues that may require
action to be taken.

B. Withhold disclosure of the report to senior management because such matters are the sole
province of the board.

C. Disclose to the board only those matters in the report that pertain to expenditures and financial
budgets of the internal audit activity.

D. Provide information to senior management that pertains only to completed engagements and
observations available in published engagement communications.

Answer (A) is correct.

The frequency and content of reporting are determined collaboratively by the chief audit executive,
senior management, and the board. The frequency and content of reporting depends on the importance
of the information to be communicated and the urgency of the related actions to be taken by senior
management and/or the board (Inter. Std. 2060).

B. Reports must be presented to senior management.

C. The report is not restricted to expenditures and financial budgets. Information about significant
deviations from the approved audit plan and staffing plans also is included.

D. The information need not be limited to completed engagements and observations available in
published engagement communications.

74. The best means for the internal audit activity to determine whether its goal of implementing
broader coverage of functional activities has been met is through

A. Accumulation of engagement observations by engagement client.


B. Comparison of the approved audit plan with actual engagement activity.

C. Surveys of management satisfaction with the internal audit activity.

D. Implementation of a quality assurance program.

Answer (B) is correct.

The CAE must report periodically to senior management and the board on the internal audit activity’s
purpose, authority, responsibility, and performance relative to its plan and on conformance with the
Code of Ethics and the Standards (Perf. Std. 2060).

A. The number of engagement observations is not an indicator of breadth or quality of work.

C. Management satisfaction does not directly relate to the expressed goal (broader engagement
coverage).

D. Implementation of a quality assurance program has no bearing on the stated goal.

75. In which of the following duties would the chief audit executive least likely have a primary
role?

A. Determine the need for expanded testing.

B. Review the summary observations sheet.

C. Select or approve team members.

D. Organize and draft the final engagement communication.

Answer (D) is correct.

The CAE has overall responsibility for the internal audit activity. Consequently, (s)he would most
likely delegate the task of organizing and drafting the final engagement communication for a specific
engagement.

A. Determining the need for expanded testing is a supervisory task more likely to be undertaken by the
CAE.

B. Reviewing summary findings is a supervisory task more likely to be undertaken by the CAE.

C. Selecting or approving team members is a supervisory task more likely to be undertaken by the
CAE.

76. An annual summary report of completed engagement work submitted to senior management
and the board by the chief audit executive should

A. Discuss the administrative condition of the internal audit activity.

B. Inform management of the scope of proposed work for the following year.

C. Describe the extent to which the internal audit activity has completed its approved audit plan.

D. Emphasize the number of deficiency observations discovered by the internal auditors.

Answer (C) is correct.

According to Perf. Std. 2060, the CAE must report the internal audit activity’s performance relative to
its plan. An annual summary report ordinarily includes such performance results.

A. The administrative condition of the internal audit activity is a subject appropriate for an external
assessment.

B. This information is contained in the summary of the engagement work schedule, staffing plan, and
financial budget for the coming year submitted to senior management and the board.

D. The materiality of observations, not their number, should be emphasized.

77. Which of the following is an appropriate responsibility of the board?

A. Performing a review of the procurement function of the organization.

B. Reviewing the internal audit activity’s engagement work schedule submitted by the chief audit
executive.

C. Reviewing the engagement records of the public accounting firm to determine the firm’s
competence.

D. Recommending the assignment of specific internal audit staff members for specific engagements.

Answer (B) is correct.

The CAE must communicate the internal audit activity’s plans and resource requirements, including
significant interim changes, to senior management and the board for review and approval (Perf. Std.
2020).

A. Reviewing the procurement function of the organization requires detailed technical ability.

C. The board will not likely have access to the public accounting firm’s engagement reports.

D. Specific assignments should be made by internal audit activity management.

78. Johnny Hagerts, the chief audit executive of Booster, Inc., is having a meeting with senior
management about the status of the internal audit. In this meeting, Mr. Hagerts should provide
assurance to management about which of the following?

A. Governance, risk management, and control.

B. Sufficiency of internal audit staff.

C. The time schedule of the engagement.

D. The frequency and nature of reports.


Answer (A) is correct.

The CAE has a duty to provide assurance to senior management and the board about governance, risk
management, and control.

B. While the CAE reports this information to senior management and the board in a performance report,
the CAE does not provide assurance about this information.

C. While the CAE reports this information to senior management and the board in a performance report,
the CAE does not provide assurance about this information.

D. The CAE should agree with the board about the frequency and nature of reporting but provides no
assurance about them.

79. Which of the following statements, if true, would justify a chief audit executive’s decision
not to report certain control concerns regarding derivatives trading in a report to the audit
committee?

A. Management plans to initiate corrective action.

B. The board has a separate committee to make recommendations on trading issues.

C. The amounts of trading and the potential risks associated with the derivatives trading are not
material to the overall organization.

D. Derivatives are complex, and the auditor should rely on management’s analysis of the extent of
the problem.

Answer (C) is correct.

The chief audit executive (CAE) must report periodically to senior management and the board
significant risk and control issues, including fraud risks, governance issues, and other matters that
require the attention of senior management or the board (Perf. Std. 2060). Thus, the CAE is not
required to report immaterial risk and control issues.

A. The CAE must report significant control issues even if management plans to initiate corrective
action.

B. The CAE must report significant control issues even if the board has a separate committee to make
recommendations on trading issues.

D. The CAE must report significant control issues regardless of the complexity of derivative trading or
management’s analysis of the problem.

80. If the annual audit plan does not allow for adequate review of compliance with all material
regulations affecting the company, the internal audit activity should:

A. Ensure that the board of directors and senior management are aware of the limitation.

B. Include a memo with the audit planning file listing the reasons for the lack of coverage.

C. Document that regulations not included will be reviewed in the subsequent year.

D. Decrease the scope of operational and financial audits to make additional audit time available.

Answer (A) is correct.

The CAE must communicate the internal audit activity’s plans and resource requirements, including
limitations, to senior management and the board for review and approval.

B. The knowledge of incomplete audit coverage should not be limited to the internal audit activity.

C. Compliance with material regulations may need to be reviewed at least on an annual basis.

D. Audit coverage in other areas should not be automatically reduced. The internal audit activity may
require additional resources to provide adequate coverage of risks.

81. All of the following are required communications by the chief audit executive (CAE) to senior
management and the board except

A. Results of analysis into staffing needs.

B. Significant interim changes in plans and resources.

C. Effects of any resource limitations.

D. The internal audit activity’s plans and resource requirements.

Answer (A) is correct.

The CAE must communicate the internal audit activity’s plans and resource requirements, including
significant interim changes, to senior management and the board for review and approval. The CAE
also must communicate the effects of resource limitations. The CAE is not required to report the results
of an analysis of staffing needs.

B. The CAE must communicate significant interim changes in plans to senior management and the
board.

C. The CAE must communicate the effects of resource limitations to senior management and the board.

D. The CAE must communicate the internal audit activity’s plans and resource requirements to senior
management and the board.
