QUESTION NO: 1

A large retail organization, which sells most of its products online, experiences a computer hacking
incident. The chief IT officer immediately investigates the incident and concludes that the attempt was
not successful. The chief audit executive (CAE) learns of the attack in a casual conversation with an IT
auditor. Which of the following actions should the CAE take?

1. Meet with the chief IT officer to discuss the report and control improvements that will be
implemented as a result of the security breach, if any.

2. Immediately inform the chair of the audit committee of the security breach, because thus far only the
chief IT officer is aware of the incident.

3. Meet with the IT auditor to develop an appropriate audit program to review the organization\\'s
Internet- based sales process and key controls.

4. Include the incident in the next quarterly report to the audit committee.

A. 1 and 2

B. 1 and 3

C. 2 and 4

D. 3 and 4
Correct Answer: A
QUESTION NO: 2

Which of the following would have the least significance in an audit of the efficiency of a driver\\'s
license testing facility?

A. Clerical staff administer written tests to allow examiners more time to supervise driving tests.

B. Staff are cross-trained to provide backup for other areas of the facility as required.

C. A point-of-sale cashiering system reduces the need to reenter payment data.

D. Examiners are required to be recertified on an annual basis.

Correct Answer: D
QUESTION NO: 3

When assessing the risk associated with an activity, an internal auditor should:

A. Determine how the risk should best be managed.

B. Provide assurance on the management of the risk.

C. Modify the risk management process based on risk exposures.

D. Design controls to mitigate the identified risks.

Correct Answer: B
QUESTION NO: 4

A draft internal audit report that cites deficient conditions generally should be reviewed with which of
the following groups?

1. The client manager and her superior.

2. Anyone who may object to the report's validity.

3. Anyone required to take action.

4. The same individuals who receive the final report.

A. 1 only

B. 1 and 2 only

C. 1, 2, and 3

D. 1, 2, and 4
Correct Answer: C
QUESTION NO: 5

Which of the following is not likely to be included as an audit step when assessing vendor
performance policies?

A. Determine whether agreed-upon lot sizes were sent by vendors.

B. Determine whether only authorized items were received from vendors.
C. Determine whether the balances owed to vendors are correct.
D. Determine whether the quality of the goods purchased from the vendors has been
satisfactory.
Correct Answer: C
QUESTION NO: 6

The chief audit executive established an internal audit activity (IAA) performance standard requiring all
audit reports to be issued within 48 hours of the exit meeting with the client.

Which of the following describes an exit meeting strategy that would best help the IAA meet this
performance standard?

A. The objective of the exit meeting is to reach agreement on audit observations.

B. The objective of the exit meeting is to solicit action plans for audit observations.

C. The objective of the exit meeting is to confirm final details of fieldwork.

D. The objective of the exit meeting is to confirm understanding of audit results

Correct Answer: D
QUESTION NO: 7

During an audit of an ethics program, which of the following procedures are most appropriate to
evaluate the effectiveness of the program?

Testing whether corrective actions taken on involved parties breaching the ethics program are
adequate.

Testing whether all employees are mandated through policy to comply with the ethics program.

Testing whether all employees are required to confirm in writing their compliance with the ethics
program.

Testing through surveys employee's level of understanding and commitment to the ethics program.

A. 1 and 2 only

B. 1 and 4 only

C. 2 and 3 only

D. 3 and 4 only
Correct Answer: B
QUESTION NO: 8

When constructing a staffing schedule for the internal audit activity (IAA), which of the following criteria
are most important for the chief audit executive to consider for the effective use of audit resources?

1. The competency and qualifications of the audit staff for specific assignments.
2. The effectiveness of IAA staff performance measures.
3. The number of training hours received by staff auditors compared to the budget.
4. The geographical dispersion of audit staff across the organization.

A. 1 and 3
B. 1 and 4
C. 2 and 3
D. 2 and 4
Correct Answer: B
QUESTION NO: 9

Which of the following would provide the best evidence of compliance with an airline's standard
of having aircraft refueled and cleaned within a specified time of arrival at an airport?

A. Vendor fuel invoices that have been reconciled to inventory records.

B. Time cards completed by aircraft cleaning and fueling crews.
C. Observation of selected aircraft while they are being refueled and cleaned.
D. Comparison of the standard hourly labor costs for cleaning and fueling personnel with actual
labor charges.
Correct Answer: C
QUESTION NO: 10

Many questionnaires are made up of a series of different questions that use the same response
categories (for example: strongly agree, agree, neither, disagree, strongly disagree).

Some designs will have different groups of respondents answer alternate versions of the questionnaire
that present the questions in different orders and reverse the orientation of the endpoints of the scale
(for example: agree on the right and disagree on the left).

The purpose of such questionnaire variations is to:

A. Eliminate intentional misrepresentations.

B. Reduce the effects of pattern response tendencies.

C. Test whether respondents are reading the questionnaire.

D. Make it possible to get information about more than one population parameter using the same
questions.
Correct Answer: B
QUESTION NO: 11

Which of the following would be the best audit procedure to use to determine if a division's unusually
high sales and gross margin for November and December were the result of fraudulently recorded sales?

A. Trace a sample of shipping documents to related sales invoices to verify proper billing.

B. Confirm accounts receivable balances with customers.

C. Compare sales and gross margin totals with those of the previous ten months and the first month of
the following year.

D. Use regression analysis techniques to estimate the sales and cost of goods sold for November and
December.

Correct Answer: B
QUESTION NO: 12
While conducting a payroll audit, an internal auditor in a large government organization found
inadequate segregation in the duties assigned to the assistant director of personnel. When the auditor
explained the risk of fraud, the assistant director became upset, terminated the interview, and
threatened to sue the organization for defamation of character if the audit engagement was not
curtailed. The auditor discussed the situation with the chief audit executive (CAE).

The CAE should then:

A. Curtail the audit engagement to avoid potential legal action.

B. Provide a report to senior management recommending a fraud investigation.

C. Continue the original engagement program as planned but include a comment about the assistant
director's reaction in the engagement final communication.

D. Add additional testing to determine whether other indicators of fraud exist.

Correct Answer: D

QUESTION NO: 13
According to IIA guidance, which of the following are appropriate actions for the chief audit executive
regarding management's response to audit recommendations?

A. Evaluate and verify management's response, and determine the need and scope for additional work.

B. Evaluate and verify management's response, and establish timelines for corrective action by
management.

C. Oversee the corrective actions undertaken by management, and determine the need and scope for
additional work.

D. Oversee the corrective actions undertaken by management, and establish timelines for corrective
action by management.

Correct Answer: A
QUESTION NO: 14
A company has recently incurred significant cost overruns on one of its construction projects.
Management suspects that these overruns were caused by the contractor improperly accounting for
costs related to contract change orders. Which of the following procedures would be appropriate for
testing this suspicion?

I. Verify that the contractor has not charged change orders with costs that have already been
billed to the original contract.
II. Determine if the contractor has billed for original contract work that was canceled as a result of
change orders.
III. Verify that the change orders were properly approved by management.

A. I only
B. III only
C. I and II only
D. I and III only

Correct Answer: C
QUESTION NO: 15
The external auditor has identified a number of production process control deficiencies involving several
departments. As a result, senior management has asked the internal audit activity to complete internal
control training for all related staff. According to IIA guidance, which of the following would be the most
appropriate course of action for the chief audit executive to follow?

A. Refuse to accept the consulting engagement because it would be a violation of independence.

B. Collaborate with the external auditor to ensure the most efficient use of resources.

C. Accept the engagement but hire an external training specialist to provide the necessary expertise.

D. Accept the engagement even if the audit engagement staff was previously responsible for operational
areas being trained.
Correct Answer: D

QUESTION NO: 16
While developing a risk based audit plan, which of the following sources of information would provide
the least value to the chief audit executive?

A. Results from the organization's business process management program.

B. User acceptance testing of the organization's enterprise resource planning application.

C. Risk assessments conducted by the board.

D. Key business strategies adopted by the organization in the strategic plan.

Correct Answer: B

QUESTION NO: 17
An auditor is using an internal control questionnaire as part of a preliminary survey.

Which of the following is the best reason for the auditor to interview management regarding the
questionnaire responses?

A. Interviews provide the opportunity to insert questions to probe promising areas.

B. Interviews are the most efficient way to upgrade the information to the level of objective evidence.

C. Interviewing is the least costly audit technique when a large amount of information is involved.

D. Interviewing is the only audit procedure which does not require confirmation of the information that
is obtained.

Correct Answer: A
QUESTION NO: 18
Company A has a formal comprehensive corporate code of ethics while company B does not. Which of
the following statements regarding the existence of the code of ethics in company A can be logically
inferred?

I. Company A exhibits a higher standard of ethical behavior than does company

II. Company A has established objective criteria by which an employee's actions can be evaluated.

III. The absence of a formal corporate code of ethics in company B would prevent a successful audit of
ethical behavior in that company.

A. II only

B. III only

C. I and II only

D. II and III only

Correct Answer: A
QUESTION NO: 19
If an organization's chief audit executive wants to implement continuous auditing, what is the
appropriate order in which key steps should be undertaken?

I. Identify business applications that require access.

II. Implement steps to continuously assess risks and controls.
III. Define objectives of continuous auditing.
IV. IV. Manage and report results.

A. III, I, IV, II.

B. II, I, III, IV.
C. III, I, II, IV.
D. II, III, I, IV.

Correct Answer: C
QUESTION NO: 20
During an interview with a manager in a company's claims department, an auditor noted that the
manager became nervous and changed the subject whenever the auditor raised questions about certain
types of claims. The manager's answers were consistent with company policies and procedures. When
documenting the interview, the auditor should:

A. Document the manager's answers, noting the nature of the nonverbal communication.

B. Document the manager's answers but not the nonverbal communication because it is subjective and
is not corroborated.

C. Conclude that the nonverbal communication is persuasive and that sufficient evidence exists to begin
a fraud investigation.

D. Disregard the interview entirely because the verbal and nonverbal communications were
contradictory.

Correct Answer: A
QUESTION NO: 21
An internal control questionnaire would be most appropriate in which of the following situations?

A. Testing controls where operating procedures vary.

B. Testing controls in decentralized offices.

C. Testing controls in high risk areas.

D. Testing controls in areas with high control failure rates.

Correct Answer: B
QUESTION NO: 22
Which of the following is the most common method management can use to manage risk within its risk
appetite?

A. Implementation of controls.

B. Use of risk registers and dashboard.

C. Frequent communication of risk appetite for operating personnel.

D. Continuous evaluations and audits.

Correct Answer: A
QUESTION NO: 23
During a systems development audit, software developers indicated that all programs were moved from
the development environment to the production environment and then tested in the production
environment. What should the auditor recommend?

I. Implement a test environment to ensure that testing is not performed in the production
environment.
II. Require developers to move modified programs from the development environment to the
test environment and from the test environment to the production environment.
III. Eliminate access by developers to the production environment.

A. I only
B. III only
C. I and II only
D. I and III only

Correct Answer: D
QUESTION NO: 24
Which of the following best defines an audit opinion?

A. A summary of the significant audit observations and recommendations.

B. An auditor's evaluation of the effects of the observations and recommendations on the activities
reviewed.

C. A conclusion which must be included in the audit report.

D. A recommendation for corrective action.

Correct Answer: B

QUESTION NO: 25
A code of business conduct should include which of the following to increase its deterrent
effect?

1. Appropriate descriptions of penalties for misconduct.

2. A notification that code of conduct violations may lead to criminal prosecution.

3. A description of violations that injure the interests of the employer.

4. A list of employees covered by the code of conduct.

A. 1 and 2
B. 1 and 3
C. 2 and 4
D. 3 and 4

Correct Answer: A
QUESTION NO: 26
Which of the following controls in a computerized consumer loan system of a major bank would be the
least effective in detecting a fraudulent loan?

A. All log-in accounts become inaccessible after three incorrect password attempts.

B. Loan approvals over a pre-determined limit must have management approval.

C. Customer information is matched to payment data prior to funds disbursement.

D. System controls prevent supervisors from delegating their approval authority during vacation periods.
Correct Answer: A

QUESTION NO: 27
According to IIA guidance, which of the following strategies would add the least value to the
achievement of the internal audit activity's (IAA's) objectives?

A. Align organizational activities to internal audit activities and measure according to the approved IAA
performance measures.

B. Establish a periodic review of monitoring and reporting processes to help ensure relevant IAA
reporting.

C. Use the results of IAA engagement and advisory reporting to guide current and future internal audit
activities.

D. Establish a format and frequency for IAA reporting that is appropriate and aligns with the
organization's governance structure.

Correct Answer: A
QUESTION NO: 28
During a fraud interview, it was discovered that unquestioned authority enabled a vice president to steal
funds from the organization.

Which of the following best describes this condition?

A. Scheme.

B. Opportunity.

C. Rationalization.

D. Pressure.
Correct Answer: B

QUESTION NO: 29
While preparing the annual audit plan, the newly assigned chief audit executive (CAE) learns that the
organization has not yet implemented a risk framework.

Which of the following would be the most appropriate action for the CAE to take regarding potential
engagements?

A. Prioritize the engagements that were not done in previous years and schedule them for the upcoming
year.

B. Consult with senior management and the board and make adjustments regarding risk.

C. Review all outstanding recommendations from prior audit engagements and focus on them in the
upcoming year.

D. Use the previous three-year audit plan to extrapolate potential engagements for the upcoming year's
schedule of engagement.
Correct Answer: B

QUESTION NO: 30
According to IIA guidance, which of the following should be considered when creating policies and
procedures for the internal audit activity (IAA)?

A. Number of auditors, complexity of audit activities, and structure of the IAA.

B. Number of auditors, complexity of audit activities, and audit staff skills and competencies.

C. Number of auditors, structure of the IAA, and audit staff skills and competencies.

D. Complexity of audit activities, structure of the IAA, and audit staff skills and competencies.
Correct Answer: A

QUESTION NO: 31
Which of the following audit steps would be most effective to review proper recording of and
accountability over physical assets?

I. Physically inspect all assets on the organization's property.

II. Select a sample department and physically inspect assets in the department.
III. Select a sample from the organization's records of physical assets and physically locate each
asset.
IV. Identify assets at a sample of locations and trace to the organization's records.

A. I only
B. I and IV only
C. II and III only
D. III and IV only

Correct Answer: D
QUESTION NO: 32
Which of the following, if observed, would not indicate the need to extend the search for other
indicators of fraud in a purchasing department?

A. The standard of living of one of the purchasing agents has increased.

B. The internal control structure has significant weaknesses.

C. The purchasing agents have convinced management to adopt a policy of paying vendors on a more
timely basis in order to avoid incurring penalty charges.

D. The cost of goods procured seems to be excessive in comparison with previous years.
Correct Answer: C

QUESTION NO: 33
The chief audit executive (CAE) of a small internal audit activity (IAA) plans to test
conformance with the Standards through a quality assurance review.
According to the Standards, which of the following are acceptable practice for this review?

1. Use an external service provider.

2. Conduct a self-assessment with independent validation.
3. Arrange for a review by qualified employees outside of the IAA.
4. Arrange for reciprocal peer review with another CAE.

A. 1 and 2
B. 2 and 4
C. 1, 2, and 3
D. 2, 3, and 4

Correct Answer: A
QUESTION NO: 34
The chief risk officer (CRO) of a large manufacturing organization decided to facilitate a workshop for
process managers and staff to identify opportunities for improving productivity and reducing defects.
Which of the following is the most likely reason the CRO chose the workshop approach?

A. It minimizes the amount of time spent and cost incurred to gather the necessary information.

B. Responses can be confidential, thus encouraging participants to be candid expressing their concerns.

C. Workshops do not require extensive facilitation skills and are therefore ideal for nonauditors.

D. Workshop participants have an opportunity to learn while contributing ideas toward the objectives.

Correct Answer: D
QUESTION NO: 35
A company used simple regression analysis to analyze maintenance costs against machine hours (MH)
for a 26-week period when the plant was in full operation. The regression yielded the following
estimated cost function: Maintenance Cost = $60 + $0.25/MH The regression analysis also generated a
coefficient of determination (R2), or goodness of fit, of 0.85.

Which of the following statements regarding this regression analysis is appropriate?

A. This regression can be used to determine the maintenance cost for any period at any activity level by
substituting the machine hours in the equation.

B. The $60 component represents the best estimate of fixed maintenance costs for the company in a
shutdown situation.

C. The $0.25 component is the slope coefficient of the cost estimate and represents the average variable
maintenance cost per machine hour.

D. The coefficient of determination of R2 = 0.85 indicates that the goodness of fit is poor because the
value is close to the maximum value of one.

Correct Answer: C
QUESTION NO: 36
During a payroll audit of a large organization, an internal auditor noted that the assistant personnel
director is responsible for many aspects of the computerized payroll system, including adding new
employees in the system; entering direct-deposit information for employees; approving and entering all
payroll changes; and providing training for system users. After discussions with the director of
personnel, the auditor concluded that the director was not comfortable dealing with information
technology issues and felt obliged to support all actions taken by the assistant director. The auditor
should:

A. Continue to follow the engagement program because the engagement scope and objectives have
already been discussed with management.

B. Review the engagement program to ensure testing of direct deposits to employee bank accounts is
adequately covered.

C. Recommend to the chief audit executive that a fraud investigation be started.

D. Test a sample of payroll changes to ensure that they were approved by the assistant director before
being processed.

Correct Answer: B
QUESTION NO: 37
A post-audit questionnaire sent to audit clients is an effective mechanism for:

A. Substantiating audit observations.

B. Promoting the internal audit activity.

C. Improving future audit engagements.

D. Validating process flow.

Correct Answer: C

QUESTION NO: 38
An audit department has received anonymous information that an employee has allegedly been able to
steal and cash checks sent to the organization by customers. What is the most efficient way for an
auditor to determine how this type of fraud could occur and who might be the perpetrator?

A. Confirm accounts receivable.

B. Confirm accounts payable.

C. Review the endorsements and banks of deposit on customers' canceled checks.

D. Flowchart and analyze key controls in the cash receipts process.

Correct Answer: D
QUESTION NO: 39

A chief audit executive (CAE) of a major retailer has engaged an independent firm of information
security specialists to perform specialized internal audit activities. The CAE can rely on the specialists'
work only if it is:

A. Performed in accordance with the terms of the contract.

B. Carried out in accordance with the Standards.

C. Performed under the supervision of the information technology department.

D. Carried out using standard review procedures for retailers.

Correct Answer: B
QUESTION NO: 40
When performing a compliance audit of the organization's outsourced services, which of the following is
considered the primary engagement objective?

A. Verifying that the organization does not have the appropriate knowledge and resources in- house.

B. Ensuring the provider has adequate internal controls in order to protect the quality of their service.

C. Evaluating the efficiency, effectiveness, economy, and sufficiency of the services provided.

D. Assessing the provider's adherence to contract and regulatory requirements.

Correct Answer: D
QUESTION NO: 41
An internal auditor compared the number of human resources professionals per employee with industry
standards. This comparison would assist the auditor in evaluating which of the following areas?

A. Sufficiency of controls over payroll rate increases.

B. Current level of performance of the human resources department.

C. Adequacy of controls over hiring new employees.

D. Degree of compliance with human resources policies.

Correct Answer: B
QUESTION NO: 42
Which of the following would provide the best audit evidence regarding the effectiveness of an applied
research department?

A. Develop a cost-per-product analysis for products developed over the past five years.

B. Develop a report on revenue generated by or cost savings directly attributable to newly developed
products.

C. Compare research as a percentage of revenue between this company and all major competitors in the
same industry.

D. Compare the number of this year's new product developments to the number of new product
developments for the past five years.

Correct Answer: B
When determining the number and experience level of an internal audit staff to be assigned to an
engagement, the chief audit executive should consider which of the following?
 1. Complexity of the engagement.
2. Length of the engagement.
3. Available internal audit activity resources.
4. Lapsed time since the last engagement.

1 & 3 Only
An auditor is least likely to use computer software to

Construct parallel simulations.

Prepare spreadsheets.

Assess computer control risk.

Access client data files.

Assess computer control risk.

The best means for the internal audit activity to determine whether its goal of implementing broader
coverage of functional activities has been met is through

A. Implementation of a quality assurance program.

B. Accumulation of engagement observations by engagement client.
C. Surveys of management satisfaction with the internal audit activity.
D. Comparison of the approved audit plan with actual engagement activity.

This answer D is correct.

The CAE must report periodically to senior management and the board on the internal audit activity’s
purpose, authority, responsibility, and performance relative to its plan and on conformance with the Code
of Ethics and the Standards (Perf. Std. 2060).
To test whether debits to accounts receivable represent valid transactions, the internal auditor should
trace entries from the

A. Accounts receivable ledger to sales documentation.

B. Sales journal to the accounts receivable ledger.
C. Cash receipts documentation to the accounts receivable ledger.
D. Accounts receivable ledger to the cash receipts journal.

This answer A is correct.

The auditor wants to verify that recorded amounts are properly supported by originating events. This is
accomplished through vouching. Only the two choices that involve tracking ledger entries back to a
journal or source document describe a vouching procedure. A debit to accounts receivable is properly
supported by a credit sale to a customer.

To determine the sufficiency of information regarding interpretation of a contract, an internal auditor uses

A. Subjective judgments.
B. The best obtainable information.
C. Objective evaluations.
D. Logical relationships between information and issues.
This answer C is correct.
Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach
the same conclusions as the auditor (Inter. Std. 2310). Because the internal auditor must avoid distortion
by personal feelings, prejudices, or interpretations, this judgment must be objective.

On the basis of audit evidence gathered and evaluated, an auditor decides to decrease the level of
detection risk from that originally planned. Assuming the same planned audit risk level, the change in the
planned detection risk most likely resulted from a(n)

A. Increase in materiality levels.

B. Increase in the assessed control risk.
C. Decrease in the assessed inherent risk.
D. Decrease in the assessed control risk.
This answer B is correct.
Audit risk is a function of inherent risk, control risk, and detection risk.
The only risk the auditor directly controls is detection risk.
Thus, the auditor achieves the desired level of overall audit risk by adjusting detection risk in response to
the assessed levels of inherent risk and control risk.

Detection risk has an inverse relationship with control risk and inherent risk.

If the auditor chooses to increase his or her assessment of control risk or inherent risk, detection risk
should be decreased for a given planned audit risk.

Inherent risk and control risk differ from detection risk in that inherent risk and control risk are

A. Functions of the client and its environment, whereas detection risk is not.
B. Elements of audit risk, whereas detection risk is not.
C. Considered only for entity as a whole, not for each engagement.
D. Changed at the auditor’s discretion, whereas detection risk is not.

This answer is A correct.

Detection risk is a function of the effectiveness of an engagement procedure and of its application by an
auditor and can be changed at his or her discretion.

Inherent risk and control risk differ from detection risk in that they exist independently of the engagement.
They are functions of the client’s line of business and system of internal control.

Of the following, the information collected by the internal auditor during an engagement is best described
as

A. The records of preliminary planning and surveys, the engagement work program, and the results
of field work.

B. Detailed documentation for systems that do not achieve desired objectives, actions that were
taken improperly, and actions that should have been taken but were not.

C. An intermediate fact, or group of facts, from which the internal auditor can infer the fairness of an
assertion being reviewed.

D. The information documented by the internal auditor and obtained through observing conditions,
interviewing people, and examining records.

This answer is D correct.

The three activities that constitute information-gathering by an internal auditor are observing conditions,
interviewing people, and examining records.

During an engagement to review the personnel function, an internal auditor notes that there are several
employee benefit programs and that participation in some of the programs is optional. Which of the
following is the best information for assessing the acceptability of various benefit programs to employees?

A. Discuss satisfaction levels with program participants.

B. Evaluate program participation ratios and their trends.
C. Discuss satisfaction levels with the director of personnel.
D. Evaluate methods used to make employees aware of available program options.
This answer is B correct.
Analytical information obtained by determining employee participation in optional programs is the most
persuasive. Actual participation requires an affirmative act that strongly suggests a positive employee
evaluation of a program.

When planning an attribute sampling application, the difference between the expected error rate and the
maximum tolerable error rate is the planned

A. Reliability.
B. Dispersion.
C. Skewness.
D. Precision.
This answer is D correct.

The precision of an attribute sample (also called the confidence interval or allowance for sampling risk) is
an interval around the sample statistic that the auditor expects to contain the true value of the population.

In attribute sampling (used for tests of controls), the achieved precision is the difference between the
sample deviation rate and the achieved upper deviation limit (customarily determined from a standard
table given the sample deviation rate and the sample size).

An auditor for the state highway and safety department needs to estimate the average highway weight of
tractor-trailer trucks using the state’s highway system. Which estimation method must be used?

A. Probability-proportional-to-size.
B. Difference.
C. Mean-per-unit.
D. Ratio.
This answer is C correct.
Mean-per-unit sampling estimates the average value of population items, in this case, truck weight.

According to the Standards, when should a signed report be issued?

A. Whenever an opinion is expressed.

B. Only if required by the particular engagement.

C. At predetermined stages as the engagement progresses.

D. At the conclusion of an engagement.

This answer is D correct.

A signed report is issued after the engagement’s completion.

The audit committee may serve several important purposes, some of which directly benefit the internal
audit activity. The most significant benefit provided by the audit committee to the internal audit activity is

A. Approving engagement work schedules, scheduling, staffing, and meeting with the internal
auditors as needed.
B. Reviewing annual engagement work schedules and monitoring engagement results.
C. Protecting the independence of the internal audit activity from undue management influence.
D. Reviewing copies of the procedures manuals for selected organizational operations and meeting
with organizational officials to discuss them.
This answer C is correct.

The audit committee is a subcommittee of the board of directors composed of outside directors
who are independent of corporate management. Its purpose is to help keep external and internal
auditors independent of management and to ensure that the directors are exercising due care. This
committee often selects the external auditors, reviews their overall audit plan, and examines the results of
external and internal audits.

An automobile parts manufacturer has received complaints from customers about declining quality. After
a quick review, management realizes the problem has no single source. To perform a thorough process
of problem identification, the most appropriate tool is a(n)

ISO 9000 audit.

Histogram.

Fishbone (Ishikawa) diagram.

Pareto diagram.
This answer is C correct.
A fishbone diagram (also called a cause-and-effect diagram or an Ishikawa diagram) is used in total
quality management for process improvement. It is useful in studying causation (why the actual and
desired situations differ).

Pareto diagram (also known as 80:20 analysis) displays the values of an independent variable
An ISO 9000 audit focuses on process, not product, quality.

Direct staff as a percentage of total staff is an example of which of the following types of efficiency
measures?

A. Productivity ratio.

B. Productivity index.

C. Operating ratio.

D. Resource utilization rate.

Answer: C
QUESTION NO: 43

Two individuals are being considered for an audit team that is to perform a highly technical review.
Which of the following situations would preclude selection of the individual for the audit due to an
objectivity concern?

I. Person A is a member of the internal audit staff and has the required technical skills. Person
A participated in a controls review of the system to be audited when it was being
developed.
II. Person B is a technical specialist who understands the audit area but is not a member of the
internal audit staff. Although person B has personal credibility in the information systems
department to be audited, person B works for another department in the organization.

A. I only
B. II only
C. Both I and II.
D. Neither I nor II.
Answer: D
 QUESTION NO: 44

Which of the following measurements could an auditor use in an audit of the efficiency of a motor
vehicle inspection facility?

A. The total number of cars approved.

B. The ratio of cars rejected to total cars inspected.
C. The number of cars inspected per inspection agent.
D. The average amount of fees collected per cashier.
Answer: C
 QUESTION NO: 45

A code of business conduct provides?

A. A fraud avoidance plan that does not explicitly describe punishments for violations.
B. A passive method of fraud deterrence.
C. A program to anonymously report irregularities to authorities.
D. An alternative to "tone at the top" programs.
Answer: B
 QUESTION NO: 46

Fraud is most frequently detected by:

A. Following up on tips from employees or citizens.

B. Following up on analytical review of high-risk areas.
C. Performing periodic reconciliations over cash and other assets.
D. Performing unannounced audits or reviews of programs or departments.
Answer: A
 QUESTION NO: 47

After several years in the engineering department, an engineer was transferred to the internal audit
department. One month later, the new auditor was assigned to an assurance engagement for the
engineering department. When the auditor's former engineering supervisor suggested a change in
the sample selection method, the auditor consulted with the audit supervisor. They determined that
the suggested method would not be as representative and that the original selection method should
be used. In this situation, the auditor:

A. Maintained an independent mental attitude and is therefore objective.

B. Has subordinated professional judgment, and objectivity is therefore impaired.
C. Does not have objectivity since the auditor recently transferred from the engineering department.
D. Does not have independent organizational status since the auditor recently transferred from the
engineering department.
Answer: C
 QUESTION NO: 48

A charitable organization provides substantial grants for important medical research. Assuming
marginal controls are in place, which of the following possible frauds or misuses of organization
assets should be considered the area of greatest risk?

A. Senior executives are using company travel and entertainment funds for activities that might be
considered questionable.
B. Purchases of office supplies are made from fictitious vendors.
C. Grants are made to organizations associated with senior executives.
D. A payroll clerk has added a fictitious employee.
Answer: C
 QUESTION NO: 49

If earnings on financial statements for internal use only have been manipulated in the past, an
internal auditor is likely to focus on which of the following?

A. The proper accrual of payables at the end of the interim period.

B. The timing of revenue recognition and the valuation of inventories.
C. Whether accounting estimates are reasonable given past actual results.
D. Whether there have been changes in accounting principles that materially affect the financial
statements.
Answer: B
 QUESTION NO: 50

Which of the following procedures would provide the best evidence of the effectiveness of a credit
granting function?

A. Observe the process.

B. Review the trend in receivables write-offs.
C. Ask the credit manager about the effectiveness of the function.
D. Check for evidence of credit approval on a sample of customer orders.
Answer: B
 QUESTION NO: 51

Which of the following best describes how the increased use of computerization may impact an
auditor's assessment of the risk of fraud?

A. Access to assets may be available to information systems personnel as well as to computer users.
B. Computer controls are generally less effective than human review.
C. Overrides of key controls may require less collaboration.
D. Audit trails are less effective.
Answer: A
 QUESTION NO: 52

An internal auditor plans to use an analytical review to verify the correctness of various operating
expenses in a division. The use of an analytical review as a verification technique would not be a
preferred approach if.

A. The auditor notes strong indicators of a specific fraud involving this account.
B. The company has relatively stable operations which have not changed much over the past year.
C. The auditor would like to identify large, unusual, or non-recurring transactions during the year.
D. The operating expenses vary in relation to other operating expenses, but not in relation to revenue.
Answer: A
 QUESTION NO: 53

Which of the following is not a benefit of using information technology in solving audit problems?

A. It helps reduce audit risk.

B. It improves the timeliness of the audit engagement.
C. It increases audit opportunities.
D. It improves the auditor's judgment.
Answer: D
 QUESTION NO: 54

An organization has developed a large database that tracks employees, employee benefits, payroll
deductions, job classifications, and other similar information. In order to test whether data currently
within the automated system are correct, an auditor should:

A. Use test data and determine whether all the data entered are captured correctly in the updated
database.
B. Select a sample of data to be entered for a few days and trace the data to the updated database to
determine the correctness of the updates.
C. Use generalized audit software to provide a printout of all employees with invalid job descriptions.
Investigate the causes of the problems.
D. Use generalized audit software to select a sample of employees from the database. Verify the data
fields.
Answer: D
 QUESTION NO: 55

In order to ensure that the internal auditors have the objectivity required by the Standards, the chief
audit executive should:

A. Demonstrate willingness to include in engagement final communications all matters believed to be

important.
B. Require all auditors to sign statements attesting to their independent mental attitudes and honest
belief in their work product.
C. Carefully assign personnel to individual audit engagements and require auditors to disclose all
conflicts of interest.
D. Appraise each auditor's performance on each audit assignment.
Answer: C
 QUESTION NO: 56

Which of the following audit activities is within the scope of assurance activities as stated in the
International Professional Practices Framework?

A. Review a make-or-buy decision and report a recommendation to management for approval.

B. Participate in negotiations for a corporate acquisition.
C. Assess financing alternatives for a new generator.
D. Perform an evaluation of management's planning process.
Answer: D
 QUESTION NO: 57

Which of the following would be most effective in determining if the percentage of medication
orders containing errors improved after a hospital installed a computerized medication-tracking
system?

A. Compare the proportion of erroneous medication orders before and after system installation for
similar periods.
B. Compare the number of errors before and after system installation for similar periods.
C. Compare, after adjusting for the number of patients, the proportion of erroneous medication orders
before and after system installation.
D. Compare, after adjusting for the number of patients, the number of errors before and after system
installation for similar periods.
Answer: A
 QUESTION NO: 58

Which of the following would be the best source of information for a chief audit executive to use in
planning future audit staff requirements?

A. Discussions of audit needs with executive management and the audit committee.
B. Review of audit staff education and training records.
C. Review of audit staff size and composition of similar-sized companies in the same industry.
D. Interviews with existing audit staff.
Answer: A
 QUESTION NO: 59

An auditor for a large wholesaler is evaluating the controls over the approval and oversight of credit
sales. Which of the following procedures would be a control weakness?

A. The credit department is responsible for approving shipments to all customers.

B. The finance committee of the board of directors periodically reviews credit standards.
C. Customers who fail to meet credit requirements must pay cash for shipments upon delivery.
D. The sales department is responsible for determining the credit ratings of customers.
Answer: D
 QUESTION NO: 60

To determine if a new computer system is improving the use of a manufacturer's limited facilities in
serving the largest number of customers, an auditor should compare.

A. The number of reworked orders and their costs before and after system installation.
B. Inventory and materials handling costs before and after system installation.
C. The number of orders filled and their cycle times before and after system installation.
D. The number of reworked orders and orders filled before and after system installation.
Answer: C
QUESTION NO: 61

In a manufacturing organization, all sales prices are determined centrally and are electronically sent to
the distribution centers to update their sales price tables. Any pricing deviations must be approved by
central headquarters. To determine how this process is functioning, an internal auditor should:

A. Document the flow of sales price information, and determine how the table is accessed and
updated.
B. Develop a flowchart of the sales order process to determine how orders are taken and priced.
C. Identify who approves the shipment of goods and how the goods are priced.
D. Obtain a copy of the existing flowchart for the computer program to determine how price data
are accessed.
Answer: A
QUESTION NO: 62
It would be appropriate for an internal audit activity to use consultants with expertise in health-care
benefits when the internal audit activity is:
I. Conducting an audit of the organization's estimate of its liability for post retirement benefits,
which include health care benefits.
II. Comparing the cost of the organization's health care program with that of other programs
offered in the industry.
III. Training its staff to conduct an audit of health care costs in a major division of the organization.

A. I only
B. I and III only
C. II and III only
D. I, II, and III.
Answer: D
QUESTION NO: 63
To assure that the technical proficiency of internal auditors is appropriate for the audit engagements to
be performed, a chief audit executive should:

A. Consider the scope of work and level of responsibility when establishing criteria for education
and experience in filling internal auditing positions.
B. Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish
the department's audit mission.
C. Oversee a training program that matches the actual training provided with the interests of
individual auditors.
D. Require all of the audit staff to pursue a minimum number of continuing professional education
hours each year.
Answer: A
QUESTION NO: 64
Which of the following best describes the most important criteria when assigning responsibility for
specific tasks required in an audit engagement?

A. Auditors must be given assignments based primarily upon their years of experience.
B. All auditors assigned an audit task must have the knowledge and skills necessary to
complete the task satisfactorily.
C. Tasks must be assigned to the audit team member who is most qualified to perform
them.
D. All audit team members must have the skills necessary to satisfactorily complete any task
that will be required in the audit engagement.
Answer: B
QUESTION NO: 65
In advance of a preliminary survey, a chief audit executive sends a memorandum and questionnaire to
the supervisors of the department to be audited. What is the most likely result of that procedure?

A. It creates apprehension about the audit engagement.

B. It involves the engagement client's supervisory personnel in the audit.
C. It is an uneconomical approach to obtaining information.
D. It is only useful for audits of distant locations.
Answer: B
QUESTION NO: 66
Which of the following steps would not be included in a program of selecting and developing human
resources for an internal audit department?

A. Scheduling periodic meetings with individual auditors, during which the chief audit provides counsel
regarding each auditor's performance and professional career development.
B. Establishing an internal review team to assess the auditors' and audit department's compliance with
standards, level of audit effectiveness, and compliance with departmental policy.
C. Developing specific job descriptions for audit staff, audit managers, and other auditing positions.
D. Establishing in-house training programs and requiring continuing education for audit staff.
Answer: B
QUESTION NO: 67
Auditors 1, 2, and 3 work out of various offices. Each must be assigned to one, and only one, of
three audit locations (A, B, or C). The cost of sending each auditor to each location is listed
below:
Audit Locations
Auditor 1 A B C
Auditor 2 $200 $300 $400
Auditor 3 $400 $300 $600
Auditor 4 $200 $200 $500
The minimum cost with which this assignment can be accomplished is:
A. $800
B. $900
C. $1,000
D. $1,100
Answer: B
QUESTION NO: 68
An audit of the quality control department is being planned. Which of the following would least
likely be used in the preparation of a preliminary survey questionnaire?
A. An analysis of quality control documents.
B. The permanent audit file.
C. The prior audit report.
D. Management's charter for the quality control department.
Answer: A
QUESTION NO: 69
An objective for an audit of a medical research corporation is to evaluate management's
controls to ensure that timely reports are submitted to sponsors of contracted research
projects. In planning the audit to achieve this objective, the auditor should begin by:
A. Reviewing policies and procedures.
B. Interviewing a group of research managers.
C. Observing report preparation in a number of laboratories.
D. Sending a questionnaire to a sample of research sponsors.
Answer: A
QUESTION NO: 70
Which of the following internal control weaknesses would an auditor most likely detect
while reviewing a flowchart that depicts the purchasing function of an organization?

A. Purchasing policies have not been updated.

B. The organization is not taking advantage of quantity discounts available from its
suppliers.
C. Payments for goods received have not been authorized at the appropriate level.
D. Payments to suppliers are made before goods are received.
Answer: D
QUESTION NO: 71
Which source of audit evidence would provide the least value in flowcharting an organization's
purchasing process?

A. An interview with the purchasing supervisor.

B. A review of a sample of purchase orders which were completed during the last month.
C. A review of the purchasing policies and procedures manual.
D. A walk-through of the process with a member of the purchasing staff.
Answer: B
QUESTION NO: 72
Internal auditors exercise judgment about the type and amount of information to be collected.
The primary purpose of this judgment is to:

A. Eliminate the risk of drawing incorrect conclusions.

B. Minimize the cost of the audit engagement.
C. Comply with the Standards.
D. Provide a sound basis for audit observations and recommendations.
Answer: D
QUESTION NO: 73
Which of the following is a benefit from reduced testing during a particular phase of an audit
engagement?
A. The size of the internal audit activity can be reduced.
B. There is less concern about assessing inherent risk.
C. The level of planned audit risk is lowered.
D. Additional audit hours are available for pursuing other engagement objectives.
Answer: D
QUESTION NO: 74
Which of the following would be the least desirable criteria against which to judge current
operations of a company's treasury function?

A. The operations of the treasury function as documented during the last audit engagement.
B. Company policies and procedures delegating authority and assigning responsibilities.
C. Finance textbook illustrations of generally accepted good treasury function practices.
D. Codification of best practices of the treasury function in relevant industries.
Answer: A
QUESTION NO: 75
A bakery chain has a statistical model that can be used to predict daily sales at individual stores
based on a direct relationship to the cost of ingredients used and an inverse relationship to rainy
days. What conditions would an auditor look for as an indicator of employee theft of food from
a specific store?

A. On a rainy day, total sales are greater than expected when compared to the cost of
ingredients used.
B. On a sunny day, total sales are less than expected when compared to the cost of ingredients
used.
C. Both total sales and cost of ingredients used are greater than expected.
D. Both total sales and cost of ingredients used are less than expected.
Answer: B
QUESTION NO: 76
To promote a positive image within an organization, a chief audit executive (CAE) adjusted the
audit plan to focus on assurance engagements that highlighted potential costs to be saved.
Negative observations were to be omitted from engagement final communications. Which
action taken by the CAE would be considered a violation of the Standards?
I. The focus of the audit function was changed without modifying the audit charter or
notifying the audit committee.
II. Negative observations were omitted from the engagement final communications.
III. Cost savings and recommendations were highlighted in the engagement final
communications.
A. II only
B. I and II only
C. I and III only
D. I, II, and III.
Answer: B
QUESTION NO: 77
Which of the following actions would be considered a violation of the Standards?
I. Drafts of engagement communications were reviewed with the audit
client to obtain input. The client's comments were considered when
developing the engagement final communication.
II. An auditor participated as part of a development team to review the
control procedures to be incorporated into a major computer
application under development.
III. Given limited resources, the chief audit executive performed a risk
analysis to determine which functions to audit.

A. II only
B. I and III only
C. I, II, and III.
D. None of the above.
Answer: D
QUESTION NO: 78
A manufacturer uses a materials requirements planning (MRP) system to track
inventory, orders, and raw materials requirements. What condition should an auditor
search for in the MRP database if a preliminary assessment indicated that inventory is
understated?
I. Item cost set at zero.
II. Negative quantities on hand.
III. Order quantity exceeding requirements.
IV. Inventory lead times exceeding delivery schedule.

A. I and II only
B. I and IV only
C. II and IV only
D. III and IV only
Answer: A
QUESTION NO: 79
To identify those components of a telecommunications system that present the greatest
risk, an internal auditor should first:
A. Review the open systems interconnect network model.
B. Identify the network operating costs.
C. Determine the business purpose of the network.
D. Map the network software and hardware products into their respective layers.
Answer: C
QUESTION NO: 80
The chief audit executive's responsibility regarding control processes includes:
A. Assisting senior management and the audit committee in the development of an
annual assessment about internal control.
B. Overseeing the establishment of internal control processes.
C. Maintaining the organization's governance processes.
D. Ensuring that the internal audit activity assesses all control processes annually.
Answer: A
QUESTION NO: 81
In order to save time, an audit manager no longer required that a standard internal control
questionnaire be completed for each audit engagement. Does this represent a violation of the
Standards?

A. Yes, because internal control should be evaluated on every engagement and the internal
control questionnaire is the mandated approach to evaluate controls.
B. Yes, because internal control should be evaluated on every engagement and the internal
control questionnaire is the most efficient method to do so.
C. No, because auditors may omit necessary procedures if there is a time constraint, based on
audit judgment.
D. No, because auditors are not required to complete internal control questionnaires on every
engagement.
Answer: D
QUESTION NO: 82

The primary reason that a bank would maintain a separate compliance function is to:
A. Better manage perceived high risks.
B. Strengthen controls over the bank's investments.
C. Ensure the independence of line and senior management.
D. Better respond to shareholder expectations.
Answer: A
QUESTION NO: 83

Which of the following would be the most useful in developing an annual audit plan?
A. General purpose audit software.
B. Voting software and hardware.
C. Flowcharting and data capture software.
D. Risk assessment software.
Answer: D
QUESTION NO: 84

Which of the following is not an appropriate control related to sales in a manufacturing

company?
A. Customers' orders are recorded promptly.
B. Goods shipped are matched with valid customer orders.
C. Goods returned are inspected for damage by the sales department and then entered into
inventory.
D. Credit department approval is required for credit sales transactions.
Answer: C
QUESTION NO: 85
Inadequate risk assessment would have the strongest negative impact in which of the following
phases of an audit engagement?
A. Determining the scope.
B. Reviewing internal controls.
C. Testing.
D. Evaluating findings.
Answer: A
QUESTION NO: 86

In order to exercise due professional care as defined in the International Professional Practices
Framework, an internal auditor should:
I. Consider the probability of significant noncompliance in each audit engagement.
II. Perform assurance procedures with sufficient care to ensure that all risks are identified.
III. Weigh the cost of assurance against the benefits.

A. I and II only
B. I and III only
C. II and III only
D. I, II, and III.
Answer: B
QUESTION NO: 87

In developing an appropriate work program for an audit engagement, the most important factor
for an audit supervisor to consider is the:

A. Availability of records and data.

B. Potential impact of risks.
C. Capabilities of audit personnel.
D. Time required to complete the engagement.
Answer: B
QUESTION NO: 88

Organizations that use a highly structured command-and-control management approach are at

greater risk of:

A. Delayed response due to the inability to reach consensus among decision makers.
B. Negative consequences that result from lower-level staff's unwillingness to confront errors by
superiors.
C. Erosion of staff morale due to perceptions of ineffective leadership.
D. Waste and abuse of organizational resources resulting from management override of
controls.
Answer: B
QUESTION NO: 89

In order to provide the most useful information for an organization's risk management
decisions, which of the following should be assessed?

A. Risk levels for future events based on the degree of uncertainty of those events and their cost
of mitigation.
B. Inherent and control risks and their impact on the extent of financial misstatements.
C. Risk levels of current and future events, their effect on the achievement of the organization's
objectives, and their underlying causes.
D. Risk levels of current and future events, their impact on the organization's mission, and the
potential for the elimination of existing risk factors.
Answer: C
QUESTION NO: 90

Which of the following represents the most effective governance structure?

I. Operating Executive Internal Management Responsibility for risk Oversight role Advisory
role
II. Oversight role Responsibility for risk Advisory role
III. Responsibility for risk Advisory role Oversight role
IV. Oversight role Advisory role Responsibility for risk
A. I Only
B. II
C. III
D. IV
Answer: A
QUESTION NO: 91

Which of the following represents the correct order of the risk management process?

A. Resource allocation, risk management metrics, risk assessment, post-mortem analysis,

effective communication.
B. Risk management metrics, resource allocation, risk assessment, effective communication,
post mortem analysis.
C. Risk assessment, resource allocation, risk governance and reporting, post-mortem analysis,
feedback.
D. Resource allocation, risk monitoring, risk assessment, feedback, post-mortem analysis.
Answer: C
QUESTION NO: 92

Which of the following is a role of the board of directors in the governance process?

A. Conduct periodic assessments of the organization's governance systems.

B. Obtain assurance concerning the effectiveness of the organization's governance systems.
C. Implement an effective system of internal controls to support the organization's governance
systems.
D. Review and approve operational goals and objectives.
Answer: B
QUESTION NO: 93

Which is the least effective form of risk management?

A. Systems-based preventive control.

B. People-based preventive control.
C. Systems-based detective control.
D. People-based detective control.
Answer: D
QUESTION NO: 94

Which of the following should be incorporated in a risk management policy?

I. Boundaries and limit structures.
II. Requirements for reporting risk.
III. Risk authorities.

A. I and II only
B. I and III only
C. II and III only
D. I, II, and III.
Answer: D
QUESTION NO: 95

In an assurance engagement of treasury operations, an internal auditor is required to consider

all of the following issues except:

A. The audit committee has requested assurance on the treasury department's compliance with
a new policy on the use of financial instruments.
B. Treasury management has not instituted any risk management policies.
C. Due to the recent sale of a division, the amount of cash and marketable securities managed
by the treasury department has increased by 350 percent.
D. The external auditors have indicated some difficulties in obtaining account confirmations.
Answer: D
QUESTION NO: 96

Regarding an organization's decision to retain an external audit firm, the chief audit executive
(CAE) should:

A. Work with the organization's chief financial officer to evaluate the external auditor's
performance and together make the decision.
B. Not be involved in this decision process as it would compromise the CAE's objectivity.
C. Evaluate the external auditor's performance and retain the external auditor if quality and cost
criteria are met.
D. Assist the audit committee by facilitating the development of an appropriate evaluation
process.
Answer: D
QUESTION NO: 97

Which of the following would provide the most reliable information on the risk associated with
an auditable activity?

A. Event scenarios with regression analysis.

B. Past audit findings and instances of management failures.
C. Consequences and economic predictability of loss.
D. Management assessment and corroboration by the internal audit activity.
Answer: D
QUESTION NO: 98

At the beginning of fieldwork in an audit of investments, an internal auditor noted that the
interest rate had declined significantly since the engagement work program was created. The
auditor should:

A. Proceed with the existing program since this was the original scope of work that was
approved.
B. Modify the audit program and proceed with the engagement.
C. Consult with management to verify the interest rate change and proceed with the
engagement.
D. Determine the effect of the interest rate change and whether the program should be
modified.
Answer: D
QUESTION NO: 99

In publicly held companies, management often requires the internal audit activity's involvement
with quarterly financial statements that are made public and used internally. Which of the
following is generally not a reason for such involvement?

A. Management may be concerned about its reputation in the financial markets.

B. Management may be concerned about potential penalties that could occur if quarterly
financial statements are misstated.
C. The Standards state that internal auditors should be involved with reviewing quarterly
financial statements.
D. Management may perceive that having quarterly financial information examined by the
internal auditors enhances its value for internal decision making.
Answer: C
QUESTION NO: 100

Overall audit efficiency is enhanced between the internal and external audit functions when:

A. Internal audit coverage is reduced to avoid potential conflicts of interest.

B. Audits of the same department are conducted at different times.
C. The internal audit department reviews functions or departments prior to the external audit.
D. External audit scope is reduced based on the internal audit department's activities.
Answer: D
QUESTION NO: 101

When reviewing management reports to the board of directors, the internal audit activity
should:

A. Evaluate the process used to prepare the management reports.

B. Maintain supporting documentation for the management reports.
C. Tie all financial numbers in the reports to the general ledger.
D. Compare to prior-period reports for consistency.
Answer: A
QUESTION NO: 102

The internal audit activity's role in the risk assessment and management processes of an
organization is determined by the:

A. Board of directors.
B. Chief audit executive.
C. Risk management department.
D. External auditors.
Answer: A
QUESTION NO: 103

Which of the following best contributes to the effectiveness of the internal audit activity in an
organization?

A. Appropriate terms of internal audit scope and responsibility in the charter.

B. Appropriate compliance coverage in the annual audit plan.
C. Regular review of the audit charter by management.
D. Assurance of internal audit objectivity by the board.
Answer: A
QUESTION NO: 104

During a review of data center physical security and environmental controls, an auditor should
ensure that:
I. Visitors are accompanied by authorized personnel at all times.
II. Only developers and operators have access to the data center.
III. Fire suppression equipment is tested periodically.
IV. Fire and water detectors have been installed.

A. I and III only

B. II and IV only
C. I, III, and IV only
D. II, III, and IV only
Answer: C
QUESTION NO: 105

To enhance the independence of both the internal and external audit functions, audit
committees should be composed of:

A. A rotating subcommittee of the board of directors or its equivalent.

B. A combination of external members of the board of directors and company officers.
C. Members from all important constituencies, specifically including representatives from
banking, labor, regulatory agencies, shareholders, and officers.
D. Only external members of the board of directors or other similar oversight committees.
Answer: D
QUESTION NO: 106

Which of the following is not true with regard to the internal audit charter?

A. It defines the authorities and responsibilities of the internal audit activity.

B. It specifies the minimum resources needed for the internal audit activity.
C. It provides a basis for evaluating the internal audit activity.
D. It should be approved by senior management and the board.
Answer: B
QUESTION NO: 107

The primary objective of risk-based auditing is to assess the:

A. Economy of controls.
B. Compliance with controls.
C. Adequacy of controls.
D. Efficiency of controls.
Answer: C
QUESTION NO: 108

Which of the following would be most relevant regarding the internal control environment?

A. Assessing controls over computerized applications.

B. Documenting the organizational structure.
C. Comparing and validating internal performance with external benchmarking.
D. Maintaining and reviewing detailed financial records.
Answer: B
QUESTION NO: 109

Due to urgent requests from management, a busy internal audit activity finds that it can no
longer meet all of its commitments contained in the annual audit plan. The best course of action
for the chief audit executive to take would be to:

A. Continue with the plan and seek opportunities to adjust priorities and reallocate resources.
B. Advise senior management and request that they reconsider these additional requests using
more rigorous risk assessment and prioritization factors.
C. Advise the board and senior management and request a reassessment of the plan.
D. Advise the board immediately and seek their support for additional resources to meet the
needs of the plan.
Answer: C
QUESTION NO: 110

The chairperson of an organization's audit committee has obtained a risk management report
that identifies significant industry concerns that impact the organization. The chairperson has
asked the chief audit executive (CAE) to review these concerns and advise if they are relevant to
the organization. How should the CAE respond?

A. Accept the engagement but communicate only with the audit committee to protect the
confidentiality of the request.
B. Decline the engagement because it is outside of the scope of the internal audit charter.
C. Decline the engagement because it impairs the internal audit activity's independence.
D. Accept the engagement but inform senior management of the request.
Answer: D
QUESTION NO: 111

During an audit engagement, an internal auditor finds that management is not complying with
previous commitments made to the external auditors. However, the auditor determines
management's actions to be justified due to significant changes in the business. The best course
of action for the auditor to take would be to:

A. Proceed with the audit engagement and assess the changes actually implemented by
management.
B. Inform the external auditors and seek their guidance.
C. Inform the external auditors and remove the associated work from the internal audit scope.
D. Compare the recommended changes against the changes made by management and advise
management which action to take.
Answer: A
QUESTION NO: 112

Which of the following statements is correct regarding risk analysis?

A. The extent to which management judgments are required in an area could serve as a risk
factor in assisting the auditor in making a comparative risk analysis.
B. The highest risk assessment should always be assigned to the area with the largest potential
loss.
C. The highest risk assessment should always be assigned to the area with the highest
probability of occurrence.
D. Risk analysis must be reduced to quantitative terms in order to provide meaningful
comparisons across an organization.
Answer: A
QUESTION NO: 113

During an audit of financial contracts, an auditor learns that a relative has a substantial loan with
the organization. The auditor should:

A. Exclude the relative's information from the audited work and proceed with the audit
engagement.
B. Proceed with the audit engagement but disclose in the engagement final communication that
the relative is a customer.
C. Immediately withdraw from the audit engagement.
D. Notify management and the chief audit executive (CAE) and have the CAE determine whether
the auditor should continue with the audit engagement.
Answer: D
QUESTION NO: 114

The audit process used by the internal audit activity of a large wholesale clothing company does
not include an engagement letter or project approval document. The most serious consequence
of this deficiency in the process is that the:

A. Audit schedule may not be optimal from the engagement client's perspective.
B. Audit objectives may not be understood by management of the area being audited.
C. Audit resources may not be sufficient.
D. Audit plan priority may have changed.
Answer: B
QUESTION NO: 115

Which of the following situations allows for the most objectivity on the part of an internal
auditor?

A. Assessing testing procedures in a new computer system.

B. Performing a risk assessment of a new financial instrument.
C. Drawing conclusions from a sample of financial transactions.
D. Comparing current environmental activities against legislation.
Answer: D
QUESTION NO: 116

A chief audit executive (CAE) for a specialty retailer is asked by management to review the
controls in place to manage their electronic funds transfer process. The internal audit activity
has no experience with similar engagements. What is the most appropriate course of action for
the CAE to take?

A. Plan the engagement and begin fieldwork using existing staff.

B. Attempt to discourage management from the request.
C. Hire an outside consulting firm to assist with the engagement.
D. Defer the audit until current staff can be appropriately trained.
Answer: C
QUESTION NO: 117

Using the internal audit department to coordinate regulatory examiners' efforts is beneficial to
the organization because internal auditors can:

A. Influence regulatory interpretation of law to better match corporate practice.

B. Recommend changes to the scope of the regulatory examiners' review.
C. Perform fieldwork for the regulatory examiners and thus shorten the regulatory examiners'
review.
D. Supply evidence of adequate compliance testing through internal audit workpapers and
reports.
Answer: D
QUESTION NO: 118

Internal auditors can benefit from a strong relationship with the external auditors because
external auditors can:

A. Provide internal auditors with an independent and knowledgeable viewpoint.

B. Concur with the internal auditors' reports and thus improve the quality of assurance provided
to management.
C. Increase the effectiveness of internal control sampling techniques.
D. Assist the internal auditor by providing information obtained from similar audits with other
clients.
Answer: A
QUESTION NO: 119

Risk assessments can vary in format, but generally include.

I. A description of identified risks.
II. Tests of audit controls.
III. A system of rating risks.
IV. Sample size identification.

A. I and II only
B. I and III only
C. I, III, and IV only
D. II, III, and IV only
Answer: B
QUESTION NO: 120

Risk assessments are valuable to the internal audit activity's planning process because they
assist in:

A. Eliminating all areas with low risk from the audit plan.
B. Educating management on the importance of keeping the internal audit activity informed of
organizational changes.
C. Identifying the audit universe or auditable activities that need to be reviewed.
D. Identifying risks that management and the internal auditors have overlooked.
Answer: C