Wiley CIA P1 MCQs
Question 1 of 111
The Mandatory Guidance in the IIA's new International Professional Practices Framework (IPPF) does
not address which of the following?
A. Code of Ethics
B. Implementation Guidance
C. The Core Principles
D. The Standards
The Implementation Guidance and Supplemental Guidance are a part of Recommended Guidance, not a
part of the Mandatory Guidance.
Question 2 of 111
Question 3 of 111
Which of the following can aid in measuring the effectiveness of an internal audit function?
A. Pareto principle
B. Stevens’ Power Law
C. Gresham's Law
D. Kano principle
The Kano principle can be applied to a feedback process from audit clients using three rating scales such
as satisfied, neutral, and dissatisfied for measuring the effectiveness of the internal audit function.
A . The Pareto principle states that there are vital few (20%) and trivial many (80%) things in the world.
B . The Stevens’ Power Law states that there are four types of scales that can be used to define how
things or data can be measured, arranged, or counted. These scales include nominal, ordinal, interval,
and ratio scales, and these scales are used in big-data analytics as data counting methods.
C . The Gresham's Law of planning states that managers pay more attention and put more time and
effort into planning programmed activities (i.e., routine and simple tasks) than planning for
nonprogrammed activities (i.e., rare and complex tasks).
Question 4 of 111
Question 5 of 111
A. Historical audits.
B. Scheduled audits.
C. Anticipatory audits.
D. Cycle audits.
Answer (C) is Correct.
Anticipatory audits are sudden and unexpected audits based on current events that just happened or
are about to happen in the immediate future.
A . Agile audits are not historical audits because they have no resemblance to past events.
Question 6 of 111
An internal audit function is effective in the minds of the board and senior management when it is
performing:
A. Error-seeking audits.
B. Value-adding audits.
C. Nitpicking audits.
D. Fault-blaming audits.
In value-adding audits, something good is added to a function or operation that was not there before.
Consulting auditors can provide this value.
A . Error-seeking audits are low-level audits that the board and senior management may not prefer,
because errors are possible and expected events with employees, meaning errors are normal and
common. Error-seeking audits provide no value to audit clients.
C . Nitpicking audits are surface audits based on using a superficial audit scope and objectives. Nitpicking
audits provide no value to audit clients.
D . Fault-blaming audits are finger-pointing audits blaming policies, procedures, and practices based on
past events. Fault-blaming audits provide no value to audit clients.
Question 7 of 111
The U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-Oxley Act (SOX) did not
recommend which of the following to serve as the financial expert on the audit committee of a
publicly held corporation?
A. Internal auditor
B. External auditor
C. Principal financial officer
D. Principal accounting officer
Answer (A) is Correct.
Neither the SEC nor SOX recommended the internal auditor to serve as the financial expert sitting
on the audit committee.
B . Both the SEC and SOX recommended the external auditor to serve as the financial expert sitting
on the audit committee.
C . Both the SEC and SOX recommended the principal financial officer to serve as the financial
expert sitting on the audit committee.
D . Both the SEC and SOX recommended the principal accounting officer to serve as the financial
expert sitting on the audit committee.
Question 8 of 111
According to the U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-Oxley Act
(SOX), which of the following is referred to when a CEO and CFO need to give up their bonuses and
incentives based on financial results that later had to be restated or proved to be fraudulent?
A. Pushback provision
B. Clawback provision
C. Pullback provision
D. Rollback provision
The clawback provision requires the CEO and CFO of a corporation to give up bonuses and
incentives received based on financial results of their company that later had to be restated or found to
be fraudulent. There is a bad intent on the part of the company's management.
Question 9 of 111
According to the U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-Oxley Act
(SOX), which of the following is referred to when a company misrepresents the dates on which stock
options were granted to executives and employees?
A. End-of-year dating
B. Backdating
C. End-of-month dating
D. End-of-quarter dating
Answer (B) is Correct.
Backdating is a management fraud, resulting in an artificially low exercise price for stock options granted
to executives and employees that could lead to financial restatements. Backdating represents a bad
intent of unnecessarily favoring executives and employees in reducing their tax burden by manipulating
the issue date of stock options. Both the SEC and SOX enforcers have ended the backdating of stock
options.
Question 10 of 111
What is the key word in the Institute of Internal Auditors (IIA) Mission Statement of internal audit?
A. Assurance
B. Advice
C. Value
D. Insight
The mission of internal audit is to enhance and protect organizational value by providing risk-based and
objective assurance, advice, and insight. Here, value is the key word because it drives the other words.
A . Assurance is a part of the internal audit's mission, not the key word.
B . Advice is a part of the internal audit's mission, not the key word.
D . Insight is a part of the internal audit's mission, not the key word.
Question 11 of 111
The new International Professional Practices Framework (IPPF) effective from 2017 contains which of
the following that was not a part of the previous IPPF?
Answer (A) is Correct.
Mission and Core Principles are new and were added to the new IPPF effective from 2017.
B . The definition of internal auditing and practice guides were in the previous IPPF. They are not new.
C . The Code of Ethics and Glossary were in the previous IPPF. They are not new.
D . The International Standards and local standards for internal auditing were in the previous IPPF. They
are not new.
Question 12 of 111
The internal audit activity's Core Principles can be used as which of the following?
A. Metrics
B. Benchmarks
C. Key performance indicators
D. Dashboards
The Core Principles can be used as a benchmark against which to gauge the effectiveness of an internal
audit activity.
Question 13 of 111
The internal audit activity's Core Principles describe which of the following?
A. Efficiency
B. Resources
C. Plans
D. Effectiveness
The Core Principles are the key elements that describe an internal audit activity's effectiveness.
Question 14 of 111
The internal audit activity's Core Principles underpin which of the following?
A. Code of Ethics and Standards
B. Efficiency and effectiveness
C. Metrics and key performance indicators
D. Resources and skills
Answer (A) is Correct.
The Core Principles are the foundational underpinnings of the Code of Ethics and the Standards.
Question 15 of 111
Shareholders are not key value drivers because they are outsiders and play little or no role in the day-to-
day operations of an organization, either to create or destroy value. Key value drivers are core elements
that can make an organization either a value creator or a value destroyer.
A . Strategies and goals are key value drivers of an organization. Key value drivers are core elements that
can make an organization either a value creator or a value destroyer.
B . Culture and ethics are key value drivers of an organization. Key value drivers are core elements that
can make an organization either a value creator or a value destroyer.
C . Products and services are key value drivers of an organization. Key value drivers are core elements
that can make an organization either a value creator or a value destroyer.
Question 16 of 111
The IIA definition of internal auditing emphasizes the effectiveness of which of the following?
The definition of internal auditing states the fundamental purpose, nature, and scope of internal
auditing. Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
Question 17 of 111
Several members of senior management have questioned whether the internal audit department
should report to the newly established quality audit function as part of the total quality management
process within the company. The chief audit executive (CAE) has reviewed the quality standards and
the programs that the quality audit manager has proposed. The CAE's response to senior management
should include:
A. Changing the applicable standards for internal auditing within the company to provide
compliance with quality audit standards.
B. Changing the qualification requirements for new staff members to include quality audit
experience.
C. Estimating departmental cost savings from eliminating the internal auditing function.
D. Identifying appropriate liaison activities with the quality audit function to ensure coordination of
audit schedules and overall audit responsibilities.
Coordination of audit efforts and the efficiency of audit activities should be primary responsibilities of
the CAE (IIA Standard 1000 – Purpose, Authority, and Responsibility).
A . Adopting the full set of quality auditing standards for the internal auditing function would duplicate
functions within the organization.
B . The issue is the reporting relationship of internal auditing, not the qualifications of audit staff.
C . Sufficient information is not given to conclude that the internal audit function should be eliminated.
Question 18 of 111
The director of internal auditing of a midsize internal auditing organization was concerned that
management might outsource the internal auditing function. Therefore, the manager adopted a very
aggressive program to promote the internal auditing department within the organization. The
manager planned to present the results to management and the audit committee and recommend
modification of the internal audit charter after using the new program. Six actions the audit manager
took to promote a positive image within the organization are listed next.
1. Audit assignments concentrated on economy and efficiency audits. The audits focused solely on cost
savings, and each audit report highlighted potential costs to be saved. Negative findings were
omitted. The focus on economy and efficiency audits was new, but the auditees seemed very happy.
2. Drafts of all audit reports were carefully reviewed with auditees to get their input. Their comments
were carefully considered when developing the final audit report.
3. The information technology auditor participated as part of a development team to review the control
procedures to be incorporated into a major computer application under development.
4. Given limited resources, the audit manager performed a risk analysis to determine which locations to
audit. This was a marked departure from the previous approach of ensuring that all operations are
reviewed on at least a three-year interval.
5. In order to save time, the manager no longer required that a standard internal control questionnaire
be completed for each audit.
6. When the auditors found that management and the auditee had not developed specific criteria or
data to evaluate the operations of the auditee, the audit team was instructed to perform research,
develop specific criteria, review the criteria with the auditee, and if acceptable, use it to evaluate the
auditee's operations. If the auditee disagreed with the criteria, a negotiation took place until
acceptable criteria could be agreed upon. The audit report commented on the auditee's operations in
conjunction with the agreed-on criteria.
Which of the following elements of Action 1 taken by the audit manager would be considered a
violation of the IIA Standards?
I. The type of audits was changed before modifying the charter and going to the audit
committee.
II. Negative findings were omitted from the audit reports.
III. Cost savings and recommendations were highlighted in the report.
A. I and II.
B. I and III.
C. I only.
D. II and III.
Answer (A) is Correct.
The audit manager dramatically changed the nature of the audit function without consulting with the
audit committee, management, or the audit department charter. A second violation is the omission of
negative findings (IIA Standard 1000 – Purpose, Authority, and Responsibility; IIA Standard 2300 –
Performing the Engagement).
Question 19 of 111
The director of internal auditing of a midsize internal auditing organization was concerned that
management might outsource the internal auditing function. Therefore, the manager adopted a very
aggressive program to promote the internal auditing department within the organization. The
manager planned to present the results to management and the audit committee and recommend
modification of the internal audit charter after using the new program. Six actions the audit manager
took to promote a positive image within the organization are listed next.
1. Audit assignments concentrated on economy and efficiency audits. The audits focused solely on cost
savings, and each audit report highlighted potential costs to be saved. Negative findings were
omitted. The focus on economy and efficiency audits was new, but the auditees seemed very happy.
2. Drafts of all audit reports were carefully reviewed with auditees to get their input. Their comments
were carefully considered when developing the final audit report.
3. The information technology auditor participated as part of a development team to review the control
procedures to be incorporated into a major computer application under development.
4. Given limited resources, the audit manager performed a risk analysis to determine which locations to
audit. This was a marked departure from the previous approach of ensuring that all operations are
reviewed on at least a three-year interval.
5. In order to save time, the manager no longer required that a standard internal control questionnaire
be completed for each audit.
6. When the auditors found that management and the auditee had not developed specific criteria or
data to evaluate the operations of the auditee, the audit team was instructed to perform research,
develop specific criteria, review the criteria with the auditee, and if acceptable, use it to evaluate the
auditee's operations. If the auditee disagreed with the criteria, a negotiation took place until
acceptable criteria could be agreed upon. The audit report commented on the auditee's operations in
conjunction with the agreed-on criteria.
Considering Actions 2, 3, and 4 that were taken, which would be considered a violation of the IIA
Standards?
A. Actions 2, 3, and 4.
B. Action 4 only.
C. Actions 2 and 3 only.
D. None of the actions.
None of the actions constitutes a violation of IIA Standard 1000 – Purpose, Authority, and Responsibility
and IIA Standard 2300 – Performing the Engagement. Action 2 is consistent with IIA Standards. Action 3
is consistent with IIA Standards. Action 4 is consistent with IIA Standards on planning the audit. Auditors
are not required to review all operations, unless mandated by law, within a specific time frame.
Question 20 of 111
The director of internal auditing of a midsize internal auditing organization was concerned that
management might outsource the internal auditing function. Therefore, the manager adopted a very
aggressive program to promote the internal auditing department within the organization. The
manager planned to present the results to management and the audit committee and recommend
modification of the internal audit charter after using the new program. Six actions the audit manager
took to promote a positive image within the organization are listed next.
1. Audit assignments concentrated on economy and efficiency audits. The audits focused solely on cost
savings, and each audit report highlighted potential costs to be saved. Negative findings were
omitted. The focus on economy and efficiency audits was new, but the auditees seemed very happy.
2. Drafts of all audit reports were carefully reviewed with the auditees to get their input. Their
comments were carefully considered when developing the final audit report.
3. The information technology auditor participated as part of a development team to review the control
procedures to be incorporated into a major computer application under development.
4. Given limited resources, the audit manager performed a risk analysis to determine which locations to
audit. This was a marked departure from the previous approach of ensuring that all operations are
reviewed on at least a three-year interval.
5. In order to save time, the manager no longer required that a standard internal control questionnaire
be completed for each audit.
6. When the auditors found that management and the auditee had not developed specific criteria or
data to evaluate the operations of the auditee, the audit team was instructed to perform research,
develop specific criteria, review the criteria with the auditee, and if acceptable, use it to evaluate the
auditee's operations. If the auditee disagreed with the criteria, a negotiation took place until
acceptable criteria could be agreed upon. The audit report commented on the auditee's operations in
conjunction with the agreed-on criteria.
A. Yes. Internal control should be evaluated on every audit, but the internal control questionnaire
is not the mandated approach to evaluate the controls.
B. No. Auditors may omit necessary procedures if there is a time constraint. It is a matter of audit
judgment.
C. Yes. Internal control should be evaluated on every audit engagement, and the internal control
questionnaire is the most efficient method to do so.
D. No. Auditors are not required to fill out internal control questionnaires on every audit.
Auditors are not required to perform control evaluations, and certainly are not required to fill out
standard internal control questionnaires (IIA Standard 1000 – Purpose, Authority, and Responsibility; IIA
Standard 2300 – Performing the Engagement).
Question 21 of 111
The director of internal auditing of a midsize internal auditing organization was concerned that
management might outsource the internal auditing function. Therefore, the manager adopted a very
aggressive program to promote the internal auditing department within the organization. The
manager planned to present the results to management and the audit committee and recommend
modification of the internal audit charter after using the new program. Six actions the audit manager
took to promote a positive image within the organization are listed next.
1. Audit assignments concentrated on economy and efficiency audits. The audits focused solely on cost
savings and each audit report highlighted potential costs to be saved. Negative findings were omitted.
The focus on economy and efficiency audits was new, but the auditees seemed very happy.
2. Drafts of all audit reports were carefully reviewed with the auditees to get their input. Their
comments were carefully considered when developing the final audit report.
3. The IT auditor participated as part of a development team to review the control procedures to be
incorporated into a major computer application under development.
4. Given limited resources, the audit manager performed a risk analysis to determine which locations to
audit. This was a marked departure from the previous approach of ensuring that all operations are
reviewed on at least a three-year interval.
5. In order to save time, the manager no longer required that a standard internal control questionnaire
be completed for each audit.
6. When the auditors found that management and the auditee had not developed specific criteria or
data to evaluate the operations of the auditee, the audit team was instructed to perform research,
develop specific criteria, review the criteria with the auditee, and if acceptable, use it to evaluate the
auditee's operations. If the auditee disagreed with the criteria, a negotiation took place until
acceptable criteria could be agreed upon. The audit report commented on the auditee's operations in
conjunction with the agreed-on criteria.
Regarding Action 6, which of the following elements of the action would be considered a violation of
the IIA Standards?
Answer (A) is Correct.
This is a violation of IIA Standard 1000 – Purpose, Authority, and Responsibility and IIA Standard 2300 –
Performing the Engagement, which requires that the lack of established criteria should be reported to
the appropriate levels of management. This would normally be one level above the auditee. The
negotiated formulation of the criteria may result in the correct criteria, but it should be discussed with,
and communicated to, the appropriate level of management.
B . According to the Standards, auditors may formulate criteria they believe are adequate.
C . Auditors should comment on the quality of operations in comparison with suitable criteria. The
problem in this situation was the manner in which the criteria were formulated.
Question 22 of 111
It has been established that an internal auditing charter is one of the more important factors
positively affecting the internal auditing department's independence. The IIA Standards help clarify
the nature of the charter by providing guidelines as to the contents of the charter. Which of the
following is not suggested in the Standards as part of the charter?
This is not included in IIA Standard 1000 – Purpose, Authority, and Responsibility.
Question 23 of 111
IIA Standards assign the responsibility for providing appropriate audit supervision to the:
A. Audit committee.
B. Director of internal auditing.
C. Audit supervisor.
D. Senior auditor.
As per IIA Standard 2340 – Engagement Supervision, the chief audit executive is responsible for
providing appropriate audit supervision.
A . Although the audit committee may determine whether due care is being exercised by the chief audit
executive, audit supervision is not the committee's responsibility.
C . Although the audit supervisor may act on behalf of the chief audit executive, the chief audit
executive ultimately is responsible for audit supervision.
D . It is the senior or in-charge auditor who is in need of supervision, for which the chief audit executive
is responsible.
Question 24 of 111
The IIA Standards require that the chief audit executive seek the approval of management and
acceptance by the board of a formal written charter for the internal auditing department. The
purpose of this charter is to:
This is the purpose established by IIA Standard 1000 – Purpose, Authority, and Responsibility.
A . While a charter may help to do this, this option is not the best choice.
D . While a charter may help to do this, this option is not the best choice.
Question 25 of 111
An auditor often faces special problems when auditing a foreign subsidiary. Which of the following
statements is false with respect to the conduct of international audits?
Note that the IIA Standards are not limited to U.S. locations; they are global (IIA Introduction to the
International Standards).
B . This is true.
C . This is true.
D . This is true.
Question 26 of 111
A. Furnishes members of the organization with information needed to effectively discharge their
responsibilities.
B. Reviews the reliability and integrity of financial and operating information.
C. Reviews the means of safeguarding assets and, as appropriate, verifies the existence of such
assets.
D. Appraises the economy and efficiency with which resources are employed.
Service to all members of the organization is the pervasive theme of the introduction to the Standards
(IIA Standard 1000 – Purpose, Authority, and Responsibility).
Question 27 of 111
The chief audit executive (CAE) of a newly formed internal auditing department is seeking
management approval of a charter. What is the authoritative source for seeking such approval?
A. The IIA Standards, which clearly place that responsibility on the director.
B. The appropriate practice advisories, which require the director to take that course of action.
C. The Code of Ethics, which requires internal auditors to document company policy.
D. According to the IIA Standards, no approval is necessary.
B . Practice advisories are not authoritative sources for Standards; instead, they assist auditors in
applying the Standards.
Question 28 of 111
A written charter, approved by the board of directors, that outlines the internal audit department's
purpose, authority, and responsibility is primarily meant to enhance the department's:
A. Due professional care.
B. Stature within the organization.
C. Relationship with management.
D. Independence.
A charter establishes the department's independence from management (IIA Standard 1000 – Purpose,
Authority, and Responsibility).
B . Although stature within the organization may be increased, the main function of the charter is to
establish the department's independence, not stature.
Question 29 of 111
The IIA Standards require the director of internal auditing to establish and maintain a quality
assurance program to evaluate the operations of the internal audit department. Which of the
following relates most directly to the objective of maintaining high quality in all audits?
A. Required supervisory review of all audit programs, working papers, and draft audit reports.
B. Required coordination with external auditors.
C. Required compliance with the Code of Ethics of the Institute of Internal Auditors.
D. Required educational standards for all members of the professional audit staff.
The purpose of supervisory review is to assure quality (IIA Standard 2340 – Engagement Supervision).
D . This relates directly to the quality of audits but is not as effective a control as supervisory review.
Question 30 of 111
An audit supervisor would challenge whether audit evidence is sufficient to support the conclusion
that journal entries are properly prepared and approved if the working papers included:
A. A note stating the controller's assurance that journal entries are always looked at by the
accounting supervisor before entry into the computer system.
B. A copy of a handwritten schedule of standard and appended nonstandard journal entries for the
most recent month showing the initials of the preparer for each entry and the summary
approval of the controller at the top.
C. A copy of a computer-generated list of automated and nonstandard journal entries initialed by
the controller showing the auditor's references to system reports and monthly reconciliations.
D. A cross-reference to another section of the working papers containing sufficient evidence for
this conclusion.
This evidence suggests that the auditor did not confirm this information or follow up with testing (IIA
Standard 2340 – Engagement Supervision).
B . This evidence shows the source and approval of journal entry information.
C . This evidence shows testing based on computer-based reports and manual reconciliations.
D . This evidence demonstrates efficiency by referencing work already done in another section of the
working papers.
Question 31 of 111
An internal auditor observes that a receivables clerk has physical access to and control of cash
receipts. The auditor worked with the clerk several years before and has a high level of trust in the
individual. Accordingly, the auditor notes in the working papers that controls over receipts are
adequate. Is the auditor in compliance with the Standards?
Analysis and Evaluation requires alertness for irregularities and knowledge of high-risk areas.
D . Following instructions by rote is unacceptable. Professional judgment and alertness must be used.
Question 32 of 111
During an audit of the organization's accounts payable function, an internal auditor plans to confirm
balances with suppliers. What is the source of authority for such contacts with units outside the
organization?
A. Internal auditing department policies and procedures.
B. IIA Standards.
C. IIA Practice Guides.
D. Internal auditing department's charter.
Answer (D) is Correct.
The charter should prescribe internal auditing's relationships to other units within the organization and
to those outside (IIA Standard 1000 – Purpose, Authority, and Responsibility).
A . Departmental policies and procedures guide the audit staff in the consistent compliance with the
department's standards of performance.
C . The Practice Guides provide detailed guidance for conducting internal audit activities.
Question 33 of 111
A. Governance processes.
B. Risk management processes.
C. Internal audit activities.
D. Control processes.
The internal audit activity adds value to the organization (and its stakeholders) when it provides
objective and relevant assurance and contributes to the effectiveness and efficiency of governance, risk
management, and control processes.
Question 34 of 111
The IIA Standards state that the chief audit executive should have direct communication with the
board. Such communication often is accomplished through the board's audit committee. Which of the
following best describes why the charter for internal auditing should provide for direct access to the
audit committee?
This is the primary reason why the Standards require direct access to the board (IIA Standard 1000 –
Purpose, Authority, and Responsibility; IIA Standard 1100 – Independence and Objectivity).
A . Access to audit committees by the internal auditor is not required by law for publicly traded
companies.
C . Internal auditing serves the organization and does not necessarily influence policy decisions.
D . The board sets policy and management authorizes implementation of audit recommendations.
Question 35 of 111
To avoid being the apparent cause of conflict between an organization's top management and the
audit committee, the chief audit executive should:
A. Submit copies of all audit reports to both top management and the audit committee.
B. Strengthen the independence of the department through organizational status.
C. Discuss all reports to top management with the audit committee first.
D. Request board acceptance of a charter that includes internal auditing relationships with the
audit committee.
To clearly establish the purpose, authority, and responsibility of the internal auditing department, a
formal written charter should be approved by the board (IIA Standard 1000 – Purpose, Authority, and
Responsibility).
A . It is impractical due to time constraints of top management and the audit committee.
C . It is impractical due to time constraints of top management and the audit committee.
Question 36 of 111
An audit committee of the board of directors of a corporation is being established. Which of the
following would normally be a responsibility of the committee?
A. Approval of the appointment and removal of the chief audit executive.
B. Development of the annual internal audit schedule.
C. Approval of internal audit programs.
D. Determination of findings appropriate for specific internal audit reports.
B . This activity is an operational function of the chief audit executive and the audit staff. It is submitted
to the committee.
Question 37 of 111
A. Authorize access to records, personnel, and physical properties relevant to the performance of
audits.
B. Provide recommended formats to report significant audit findings and recommendations.
C. Describe audit programs to be carried out.
D. Define the audit department's work schedule, staffing plan, and financial budget.
Answer (A) is Correct.
The charter defines the purpose, authority, and responsibility of the internal auditing department (IIA
Standard 1000 – Purpose, Authority, and Responsibility).
B . Specific instructions, such as report format, would be covered by the internal auditing manual or
individual policies.
C . Annual audit work schedules, not a charter, would describe planned audit programs.
D . The audit department's work schedule, staffing plan, and financial budget are approved annually and
are not a part of the charter.
Question 38 of 111
According to the IIA Standards, the organizational status of the internal auditing department:
It is the correct answer because it is the definition of the organizational status (IIA Standard 1000 –
Purpose, Authority, and Responsibility; IIA Standard 1100 – Independence and Objectivity).
B . The department still needs day-to-day support. The department still should report to management.
D . Most charters have a statement on independence; however, they need support to accomplish their
responsibilities.
Question 39 of 111
The IIA Code of Ethics includes which of the following two essential components?
The IIA Code of Ethics extends beyond the definition of internal auditing to include two essential
components:
1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of conduct that describe behavior norms expected of internal auditors. These rules are an
aid to interpreting the principles into practical applications and are intended to guide the ethical
conduct of internal auditors.
Note that the IIA bylaws and administrative directives are applicable to IIA members and Certified
Internal Auditor designation holders. Integrity, objectivity, confidentiality, and competency are part of
the principles and the rules of conduct (IIA Code of Ethics; IIA Standard 1200 – Proficiency and Due
Professional Care).
Question 40 of 111
A Certified Internal Auditor (CIA) is working in a non–internal audit position as the director of
purchasing. The CIA signs a contract to procure a large order from the supplier with the best price,
quality, and performance. Shortly after signing the contract, the supplier presents the CIA with a gift
of significant monetary value. Which of the following statements regarding the acceptance of the gift
is correct?
As long as an individual is a Certified Internal Auditor, he or she should be guided by the profession's
Code of Ethics in addition to the organization's code of conduct. Objectivity (rules of conduct) of the
Code of Ethics would preclude such a gift because it could be presumed to have influenced the
individual's decision.
A . Acceptance of the gift could easily be presumed to have impaired independence and thus would not
be acceptable.
C . There is not sufficient information given to judge possible violations of the organization's code of
conduct. However, the action could easily be perceived as a kickback (IIA Standard 2431 – Engagement
Disclosure of Nonconformance).
D . There is not sufficient information given to judge possible violations of the organization's code of
conduct. However, the action could easily be perceived as a kickback (IIA Standard 2431 – Engagement
Disclosure of Nonconformance).
Question 41 of 111
An auditor, nearly finished with an audit, discovers that the director of marketing has a gambling
habit. The gambling issue is not directly related to the existing audit, and there is pressure to
complete the current audit. The auditor notes the problem and passes the information on to the chief
audit executive but does no further follow-up. The auditor's actions would:
There is no violation of either the Code of Ethics or the Standards (IIA Standard 2431 – Engagement
Disclosure of Nonconformance).
A . The auditor is not withholding information because he or she has passed the information along to
the chief audit executive. The information may be useful in a subsequent audit in the marketing area.
B . The auditor has documented a red flag that may be important in a subsequent audit. This does not
violate the Standards.
Question 42 of 111
As used by the internal auditing profession, the IIA Standards refer to all of the following except:
A. Criteria by which the operations of an internal audit department are evaluated and measured.
B. Criteria that dictate the minimum level of ethical actions to be taken by internal auditors.
C. Statements intended to represent the practice of internal auditing as it should be.
D. Criteria that are applicable to all types of internal audit departments.
The IIA Code of Ethics defines the minimum ethical standards for the internal auditor.
C . The Standards define the practice of internal auditing “as it should be.”
D . The IIA Standards are equally applicable across all industries and all types of internal audit
organizations globally.
Question 43 of 111
Which of the following situations would be a violation of the IIA Code of Ethics?
A. An auditor was subpoenaed in a court case in which a merger partner claimed to have been
defrauded by the auditor's company. The auditor divulged confidential audit information to the
court.
B. An auditor for a manufacturer of office products recently completed an audit of the corporate
marketing function. Based on this experience, the auditor spent several hours one Saturday
working as a paid consultant to a hospital in the local area, which intended to conduct an audit
of its marketing function.
C. An auditor gave a speech at a local IIA chapter meeting outlining the contents of a program the
auditor had developed for auditing electronic data interchange connections. Several auditors
from major competitors were in the audience.
D. During an audit, an auditor learned that the company was about to introduce a new product
that would revolutionize the industry. Because of the probable success of the new product, the
product manager suggested that the auditor buy additional stock in the company, which the
auditor did.
Confidentiality (Rules of Conduct) of the IIA Code of Ethics states that members and Certified Internal
Auditors shall not use confidential information for any personal gain.
A . Article II prohibits members and Certified Internal Auditors from being party to illegal activities.
Failure to comply with a subpoena would be illegal.
B . A part-time job would not be a problem since it was not with a competitor or supplier.
C . Giving a speech is not a violation of the Code of Ethics. In fact, the IIA motto is “progress through
sharing.”
Question 44 of 111
In applying the standards of conduct set forth in the Code of Ethics, internal auditors are expected to:
Giving a speech is not a violation of the Code of Ethics. In fact, the IIA motto is “progress through
sharing.”
B . While the comparison might be interesting, it would not help determine how to apply the code.
D . Judgment may be applied to their use but not to whether or not to use them.
Question 45 of 111
During an audit of a manufacturing division of a defense contractor, the auditor came across a scheme
that looked like the company was inappropriately adding costs to a cost‐plus governmental contract.
The auditor discussed the matter with senior management, which suggested that the auditor seek an
opinion from legal counsel. The auditor did so. Upon review of the government contract, legal counsel
indicated that the practice was questionable but not technically in violation of the government
contract. Based on legal counsel's decision, the auditor decided to omit any discussion of the practice
in the formal audit report that went to management and the audit committee but did informally
communicate legal counsel's decision to management. Did the auditor violate the IIA Code of Ethics?
A. No. The auditor followed up the matter with appropriate personnel within the organization and
reached a conclusion that no fraud was involved.
B. No. If a fraud is suspected, it should be resolved at the divisional level where it is taking place.
C. Yes. It is a violation because all‐important information, even if resolved, should be reported to
the audit committee.
D. Yes. Internal legal counsel's opinion is not sufficient. The auditor should have sought advice from
outside legal counsel.
Although an argument should be made that it would make common sense to bring the issue to both the
audit committee and management, there is no evidence that the auditor is deliberately withholding
information. Therefore, there is no violation of the IIA Code of Ethics.
B . Material fraud, if suspected, should be brought to the attention of management. However, in this
case, the auditor did enough work to alleviate the suspicion of fraud.
C . It is not a violation. The auditor did not deliberately withhold important information.
D . The auditor has gathered sufficient information. Internal legal counsel's opinion would appear to be
sufficient.
Question 46 of 111
An internal auditor, recently terminated from a company due to downsizing, has found a job with
another company in the same industry. Which of the following disclosures made by the internal
auditor to the new organization would constitute a violation of the IIA Code of Ethics?
A. The auditor used the audit risk approach that was used by the auditor's former employer in
determining audit priorities in the new job.
B. The new audit department does not utilize probability proportional to size (PPS) sampling, and
the auditor believes PPS sampling has advantages for many of the types of audits conducted by
the new employer. The auditor conducts training sessions and develops forms to implement
sampling in the same manner as the previous employer.
C. While at the previous firm, the auditor conducted a great deal of research to identify "best
practices" for the management of the treasury function as part of an audit for that firm. Since
most of the research was done at home and during nonoffice hours, the auditor retained much
of the research and plans to use it in conducting an audit of the treasury function at the new
employer.
D. None of the choices represent a violation of the Code of Ethics.
Answer (D) is Correct.
None of the three choices violates the IIA Code of Ethics.
A . This could be viewed as general information about "best practices" and is acceptable to carry to the
next employer.
B . The auditor is applying knowledge of a commonly used, standard, audit technique. It is not
confidential information.
C . This information could be viewed as part of continuing education of the auditor. As long as it is
general information about "best practices," carrying it to the next employer is acceptable.
Question 47 of 111
Which of the following could be an organizational factor that might adversely affect the ethical
behavior of the chief audit executive (CAE)?
A. The CAE reports directly to an independent audit committee of the board of directors.
B. The CAE is not assigned any operational responsibilities.
C. The CAE may not be appointed or approved without concurrence of the board of directors.
D. The CAE's annual bonuses are based on dollar recoveries or recommended future savings as a
result of audits.
This could taint the CAE's objectivity and promote unethical behavior (IIA Code of Ethics).
Question 48 of 111
A profession's code of ethics summarizes principles or standards of conduct that govern the members of
the profession.
B . This response describes the by-laws of a professional organization.
C . Certain actions may not be illegal yet are contrary to an organization's code of ethics (e.g., a Certified
Internal Auditor attempting to perform a service for which he or she does not possess the necessary
competence).
D . This response, a paraphrase from the foreword to the Standards for the Professional Practice of
Internal Auditing, implies more emphasis on adequacy of procedures than is normally contained within a
code of ethics.
Question 49 of 111
The IIA Code of Ethics identifies three personal characteristics that form the foundation upon which
the entire Code rests. Which is not one of these three personal characteristics?
A. Objectivity.
B. Diligence.
C. Probity.
D. Honesty.
Question 50 of 111
Under IIA Code of Ethics provisions with respect to gifts and fees, which of the following would be
acceptable for an internal auditor to receive?
A. A pen received from the sales manager of a subsidiary imprinted with the name of the
company's product and a phone number.
B. A dinner and baseball tickets from the manager of a department being audited. The tickets
usually are made available to employees of the audited department.
C. A dinner and baseball tickets from the manager of a department that has never been audited
and for which there are no plans for a future audit. The tickets usually are made available to
employees of that department.
D. A bottle of whiskey from the corporate treasurer.
Answer (A) is Correct.
Small promotional items, such as pens that are available to the general public and are of minimal value,
are not likely to hinder the auditor's professional judgment.
B . Gifts may not be accepted, under Objectivity (Rules of Conduct) of the IIA Code of Ethics.
C . The manager may think that a gift will ward off future audits.
Question 51 of 111
A Certified Internal Auditor (CIA) is found to have committed a very serious violation of the Code of
Ethics of the Institute of Internal Auditors. Which of the following describes the disciplinary action
most likely to be imposed by the Institute? The CIA will:
Answer C is Correct
The IIA board of directors specifically mentions forfeiture of IIA membership as a possible penalty for
violation of its provisions.
A. Incorrect. The board is not authorized to require continuing professional education as a sanction for
misconduct.
B. Incorrect. The board is not authorized to require retaking of the CIA examination as a sanction for
misconduct.
Question 52 of 111
Which of the following actions by an internal auditor would violate the IIA Code of Ethics?
Answer B is Correct.
Without consent by appropriate senior management, acceptance of any gift is prohibited.
A. Incorrect. Continuing education is encouraged and because the program is open to all employees, there
is no violation.
C. Incorrect. The auditor is required to reveal all material facts in his or her opinion.
D. Incorrect. A violation would occur only if confidential information was used for personal gain. In this
case, no information was known.
Question 53 of 111
An internal auditor for XYZ Company is auditing the revenues and operating expenses of a shopping
mall managed by ABC Company. ABC is the operating partner of this joint venture with XYZ. The
internal auditor discovers numerous audit exceptions where some credits will be due to each party.
Which of the following should the auditor report in this situation?
Answer D is Correct
Correct. To neither overstate nor understate the audit exceptions, all material claims should be presented
with a net amount owing either party. Either an overstatement or understatement of audit claims would
violate the Objectivity (Rules of Conduct) of the IIA Code of Ethics.
A. Incorrect. To report only those audit exceptions in favor of XYZ would inflate the amount due XYZ by
the credits due ABC.
B. Incorrect. It is not necessary to perform audit work on behalf of ABC. However, detailed information
on the credits due XYZ plus any amounts due ABC probably would expedite the audit claim.
C. Incorrect. To report only those audit exceptions in favor of ABC would not give benefits to the auditor's
company, XYZ.
Question 54 of 111
Which of the following actions by an auditor would violate the IIA Code of Ethics?
Answer A is Correct
Correct. Auditing a spouse may create a conflict of interest and would prejudice the ability to carry out an
assignment objectively.
B. Incorrect. An investment in the employer creates no conflict.
D. An ownership interest in a nonrelated business does not create a conflict of interest.
Question 55 of 111
Through an audit of the credit department, the chief audit executive (CAE) became aware of a
material misstatement of the year-end accounts receivable balance. The external auditor has
completed the audit without detecting the misstatement. What should the CAE do in this situation?
Answer A is Correct
According to the Objectivity (Rules of Conduct) of the IIA Code of Ethics, internal auditors shall disclose
all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
B. Incorrect. The internal auditor should cooperate with the external auditor and coordinate audit efforts
with professional conduct.
C. Incorrect. Although an internal auditor's main focus may be on internal controls and operating
efficiencies, a material misstatement must be reported as per the Code of Ethics.
D. Incorrect. The external auditor should determine what work the internal auditor should perform in order
that the external auditor may express an opinion per Statement on Auditing Standards 9.
Question 56 of 111
A Certified Internal Auditor (CIA) who is judged by the IIA board of directors to be in violation of the
provisions of the IIA Code of Ethics shall be subject to:
Answer D is Correct
The IIA board of directors specifically mentions forfeiture of CIA designation as a possible penalty for
violation of its provisions (IIA Bylaws and Administrative Directives).
A. Incorrect. The Code does not contain any provisions for suspensions for one year or more.
B. Incorrect. There are no provisions in the Code for CPD hours to be completed for ethics violations.
Question 57 of 111
In a review of warranty programs for new products introduced by a company with low and declining
profits, an auditor has determined, and management has acknowledged, that the company will be
unable to fulfill promised warranty coverage. The auditor should:
Answer C is Correct
Integrity (principles) of the IIA Code of Ethics states that trust requires reporting to the employer such as
the audit committee (IIA Standard 2431 – Engagement Disclosure of Nonconformance).
A. Incorrect. Reporting findings outside the organization violates the Code of Ethics.
B. Incorrect. Reporting findings outside the organization violates the Code of Ethics.
Question 58 of 111
A Certified Internal Auditor (CIA) is found to have committed a violation of the Code of Ethics of the
Institute of Internal Auditors. The violation is not serious enough to warrant the maximum disciplinary
action. The most likely result is that the CIA will:
Answer D is Correct
Censure is the disciplinary action prescribed by the IIA Bylaws and Administrative Directives for the
least serious misconduct cases.
A. Incorrect. The IIA board of directors is not authorized to require continuing professional education as a
sanction for misconduct.
B. Incorrect. Forfeiture of the CIA designation is imposed only for the most serious misconduct cases.
C. Incorrect. The board has no authority to prohibit a person from practicing internal auditing.
Question 59 of 111
Internal auditors should be prudent in their relationships with persons and organizations external to
their employers. Which of the following activities would most likely not adversely affect internal
auditors' ethical behavior?
Answer A is Correct
Professional organizations usually do not deal with auditors' employees and are not in competition with
them. They also normally do not reveal or use confidential information to the detriment of employers.
B. Incorrect. There could be a conflict of interest and could involve misuse of confidential information.
C. Incorrect. There could be a conflict of interest and could involve misuse of confidential information.
Question 60 of 111
A primary purpose for establishing a code of conduct within a professional organization is to:
A. Reduce the likelihood that members of the profession will be sued for substandard work.
B. Ensure that all members of the profession perform at approximately the same level of
competence.
C. Demonstrate acceptance of responsibility to the interests of those served by the profession.
D. Require members of the profession to exhibit loyalty in all matters pertaining to the affairs of
their organization.
Answer C is Correct
A. Incorrect. Although this may be a result of establishing a code of conduct, it is not the primary purpose.
To consider it so would be self‐serving.
B. Incorrect. A code of conduct may help to establish minimum standards of competence, but it would be
impossible to legislate equality of competence by all members of a profession.
D. Incorrect. There are situations in which responsibility to the public at large may conflict with, and be
more important than, loyalty to one's organization.
Question 61 of 111
An auditor discovers some material inefficiency in a purchasing function. The purchasing manager
happens to be the auditor's next-door neighbor and best friend. In accordance with the Code of Ethics,
the auditor should:
Answer A is Correct
Objectivity (Rules of Conduct) of the IIA Code of Ethics requires the auditor to be trustworthy to his or
her employer. This means internal auditors shall not participate in any activity or relationship that may
impair or be presumed to impair their unbiased assessment (IIA Standard 2431 – Engagement Disclosure
of Nonconformance).
Question 62 of 111
Which of the following actions could be construed as a violation of the IIA Code of Ethics?
Answer A is Correct
Objectivity (Principles) of the IIA Code of Ethics requires auditors to report any information that is
material to management.
Question 63 of 111
Which of the following would constitute a violation of the IIA Code of Ethics?
A. Janice has accepted an assignment to audit the electronics manufacturing division. She has
recently joined the internal auditing department. But she was senior auditor for the external
audit of that division and has audited many electronics companies during the past two years.
B. George has been assigned to do an audit of the warehousing function six months from now. He
has no expertise in that area but accepted the assignment anyway. He has signed up for
continuing professional education courses in warehousing, which will be completed before his
assignment begins.
C. Jane is content with her career as an internal auditor and has come to look at it as a regular
9-to-5 job. She has not engaged in continuing professional education or other activities to improve
her effectiveness during the last three years. However, she feels she is performing the same
quality work she always has.
D. John discovered an internal financial fraud during the year. The books were adjusted to properly
reflect the loss associated with the fraud. John discussed the fraud with the external auditor
when the external auditor reviewed working papers detailing the incident.
Answer C is Correct
This would be a violation of Competency (Rules of Conduct) of the IIA Code of Ethics, which requires
auditors to continually strive for improvement in their proficiency and the effectiveness and quality of
their services.
A. Incorrect. There is no professional conflict of interest per se. However, the auditor should be aware of
potential conflicts.
B. Incorrect. George has committed to obtaining the needed expertise before conducting the audit.
D. Incorrect. The information was disclosed as part of the normal process of cooperation between the
internal and external auditor. Since the books were adjusted, it would be expected that the external auditor
would inquire as to the nature of the adjustment.
Question 64 of 111
Which of the following would be permissible under the IIA Code of Ethics?
Answer A is Correct
Auditors must establish trust in the organization but not be a party to any illegal activity. Thus, auditors
must comply with legal subpoenas.
B. Incorrect. The IIA Code of Ethics prohibits auditors from using audit information for personal gain.
C. Incorrect. The Code of Ethics prohibits auditors from accepting gifts from other employees that might
be presumed to impair the auditor's professional judgment.
D. Incorrect. The Code of Ethics prohibits auditors from knowingly being a party to any illegal or
improper activity. The Standards specify that significant findings of illegal account should be reported to
the audit committee.
Question 65 of 111
During an audit, an employee with whom you have developed a good working relationship informs
you that she has some information about top management, which would be damaging to the
organization and may concern illegal activities. The employee does not want her name associated
with the release of the information. Which of the following actions would be considered inconsistent
with the IIA Code of Ethics and Standards?
A. Assure the employee that you can maintain her anonymity and listen to the information.
B. Suggest the person consider talking to legal counsel.
C. Inform the individual that you will attempt to keep the source of the information confidential
and will look into the matter further.
D. Inform the employee of other methods of communicating this type of information.
Answer A is Correct
The IIA Code of Ethics and the IIA Standards do not provide for strict confidentiality of information (IIA
Standard 2431 – Engagement Disclosure of Nonconformance).
B. Incorrect. This option is allowable, and an attorney can provide legal confidentiality.
D. Incorrect. To maintain confidentiality, the employee can be directed to other options to provide the
information.
Question 66 of 111
An internal auditor for a large regional bank holding company was asked to serve on the board of
directors of a local bank. The bank competes in many of the same markets as the bank holding
company but focuses more on consumer financing than on business financing. In accepting this
position, the auditor:
I. Violates the IIA Code of Ethics because serving on the board may be in conflict with the best
interests of the auditor's employer.
II. Violates the IIA Code of Ethics because the information gained while serving on the board of
directors of the local bank may influence recommendations regarding potential acquisitions.
A. I only.
B. II only.
C. I and II.
D. Neither I nor II.
Answer C is Correct
The action may represent a violation of the IIA Code of Ethics for both of the reasons given.
B. Incorrect. It could cause a conflict of the type described and would be considered a discreditable act.
Question 67 of 111
The chief audit executive (CAE) has been appointed to a committee to evaluate the appointment of
the external auditors. The engagement partner for the external accounting firm wants the director to
join him for a week of hunting at his private lodge. The CAE should:
Answer B is Correct
The CAE has to avoid conflict of interest or activities that might prejudice his ability to carry out assigned
duties. The CAE may not accept anything of value that might impair his professional judgment
(Objectivity [Rules of Conduct] of the IIA Code of Ethics).
Question 68 of 111
In a review of travel and entertainment expenses, a Certified Internal Auditor (CIA) questioned the
business purposes of an officer's reimbursed travel expenses. The officer promised to compensate for
the questioned amounts by not claiming legitimate expenses in the future. If the officer makes good
on the promise, the internal auditor:
Answer C is Correct
The IIA Code of Ethics requires that all internal auditors, whether they are CIAs or not, reveal all material
facts that could conceal unlawful practices.
A. Incorrect. The auditor cannot ignore the matter since it is an ethical issue.
B. Incorrect. The Standards require the CIA to distribute audit reports to those members of the
organization who can take appropriate action.
Question 69 of 111
Answer A is Correct.
Question 70 of 111
Today's internal auditor often encounters a wide range of potential ethical dilemmas, not all of which
are explicitly addressed by the Code of Ethics of the Institute of Internal Auditors (IIA). If the auditor
encounters such a dilemma, the auditor should always:
Answer B is Correct.
This is consistent with the principles and rules of conduct embodied in the IIA Code of Ethics. The Code
of Ethics clearly indicates that the auditor needs to promote an ethical culture in the profession of internal
auditing.
A. The auditor must act consistently with the spirit embodied in the Code of Ethics. It would not be
practical to seek the advice of legal counsel for all ethical decisions. Ethics is a moral and professional
concept, not just a legal concept.
C. Incorrect. It would not be practicable to seek management advice for all potential dilemmas. Further,
the advice might not be consistent with the profession's standards.
D. Incorrect. If the company's standards are not consistent with or as high as the profession's standards, the
professional internal auditor is held to the standards of his or her profession.
Question 71 of 111
An internal auditor has been assigned to audit a foreign subsidiary. The auditor is aware that the
social climate of the country is such that “facilitating payments” (bribes) are often used to make
things happen and are an accepted part of that society. The auditor has completed an audit of the
division and has found significant weaknesses relating to important controls. The division manager
offers the auditor a substantial “facilitating payment” to omit the audit findings from the audit report
with a provision that the auditor could revisit the division in six months to verify that the problem
areas had been properly addressed. The auditor should:
A. Not accept the payment since such acceptance would be in conflict with the Code of Ethics.
B. Not accept the payment but omit the findings as long as there is a verification visit in six months.
C. Accept the offer since it is consistent with the ethical concepts of the country in which the
division is doing business.
D. Accept the payment because it has the effect of doing the greatest good for the greatest
number; the auditor is better off, the division is better off, and the organization is better off
because there is strong motivation to correct the deficiencies found by the auditor.
Answer A is Correct.
This is consistent with the Objectivity (Rules of Conduct) of the IIA Code of Ethics.
B. Incorrect. This would be inconsistent with the Standards adopted by the profession.
C. Incorrect. The internal auditor is guided by the profession's standards, not the customs of individual
countries or regions.
Question 72 of 111
A staff auditor has been assigned to the treasury audit for the second consecutive year. The auditor
confirmed investment securities held by a brokerage house and realized that several large securities
were improperly used as collateral for personal loans a few years ago by the current treasurer. Last
year the staff auditor had mistakenly signed off on the audit steps involving the confirmations and
verification of the securities without completing all of the steps. The audit manager also mistakenly
signed off on the review last year. When the error was detected this year, the audit manager
commented that "it was an error, but the loan has been repaid, and the securities returned. We have
corrected the control weakness, and I'm positive it will not happen again. Pursuit of this issue will be
an embarrassment to everyone involved. Leave it like it is."
Which of the following should be considered by the staff auditor when deciding whether to report the
situation?
Answer A is Correct.
Securities were improperly used; the fact that they are not now being used improperly should not prevent
the internal reporting of the situation, as per the IIA Code of Ethics.
B. Incorrect. This is a fact but is not relevant to the decision as to whether to report the improper use of the
securities. An auditor may want to include the information in the report, but whether to report should not
be based on this information.
C. Incorrect. This is a fact but is not relevant to the decision as to whether to report the improper use of the
securities. An auditor may want to include the information in the report, but whether to report should not
be based on this information.
D. Incorrect. This is a fact, but not relevant to the decision as to whether to report the improper use of the
securities. An auditor may want to include the information in the report, but whether to report should not
be based on this information.
Question 73 of 111
A staff auditor has been assigned to the treasury audit for the second consecutive year. The auditor
confirmed investment securities held by a brokerage house and realized that several large securities
were improperly used as collateral for personal loans a few years ago by the current treasurer. Last
year the staff auditor had mistakenly signed off on the audit steps involving the confirmations and
verification of the securities without completing all of the steps. The audit manager also mistakenly
signed off on the review last year. When the error was detected this year, the audit manager
commented that "it was an error, but the loan has been repaid, and the securities returned. We have
corrected the control weakness, and I'm positive it will not happen again. Pursuit of this issue will be
an embarrassment to everyone involved. Leave it like it is."
As a staff auditor, which of the following actions would be considered a violation of the IIA Standards
or Code of Ethics?
A. Inform the audit manager that you will be including the information in your working papers as
an audit finding.
B. Discuss the matter with the chief audit executive without further discussion with the audit
manager.
C. Disclose the matter to the external auditor without further discussion.
D. Resign from the audit department and company if further action is not taken on the matter.
Answer C is Correct.
It is the chief audit executive who is responsible to communicate with the external auditor (IIA Standard
2431 – Engagement Disclosure of Nonconformance).
A. Incorrect. Including facts in the working papers is not a violation of the code of ethics.
B. Incorrect. Additional discussion with the audit manager is not necessary before discussion with the
chief audit executive.
D. Incorrect. Resigning is an option always available to the auditor without a code of ethics violation.
Question 74 of 111
Which of the following situations would most likely be considered a violation of the IIA Code of Ethics
and thus the Standards?
A. As chief audit executive (CAE), you are perplexed as to how to resolve a particular disagreement
between you and auditee management regarding the finding and recommendation in a very
sensitive audit area. Unsure as to what to do, you discuss the details of the finding and your
proposed recommendation with a fellow CAE you know from your work in the local chapter of
the Institute of Internal Auditors.
B. After researching and developing the proposed yearly audit plan, your company audit charter
requires that, as chief audit executive, you present the plan to the audit committee for its
approval and suggestions.
C. Your audit manager has just removed your most significant finding and recommendation from
your audit report. Being the in-charge auditor, you have voiced your opposition to the removal
and have explained that you know the reported condition exists. Although you agree that,
technically, the audit lacks sufficient evidence to support the finding, management cannot
explain the condition and your audit finding is the only reasonable conclusion.
D. Because your department lacks skill and knowledge in a specialty area, your chief audit
executive has engaged the services of an expert consultant. As audit manager, you have been
asked to review the expert's approach to the assignment. You are knowledgeable regarding the
area under review but are hesitant to accept the assignment because you lack the expertise to
judge the validity of the expert's conclusion.
Answer A is Correct.
B. Incorrect. Approval of audit committee or management is required by the Standards (IIA Standard 2431
– Engagement Disclosure of Nonconformance).
Question 75 of 111
Internal auditors sometimes express opinions in audit reports in addition to stating facts. Due
professional care requires that the auditors' opinions be:
A. Based on sufficient factual evidence that warrants the expression of the opinions.
B. Based on experience and not biased in any manner.
C. Expressed only when requested by the auditee or executive management.
D. Limited to the effectiveness of controls and the appropriateness of accounting treatments.
Answer A is Correct.
This is what is required by the IIA Code of Ethics and IIA Standard 1220 – Due Professional Care.
Question 76 of 111
An accounting association established a code of ethics for all members. Identify the association's
primary purpose for establishing the code of ethics.
Answer A is Correct.
This is the primary purpose of the code of ethics for any professional association.
B. Incorrect. Codes of ethics were not designed to serve as standards for effective accounting.
C. Incorrect. Codes of ethics do not provide the framework within which accounting policies are
developed.
D. Incorrect. The primary purpose of codes of ethics is not for interviewing new accountants.
Question 77 of 111
During an audit, a Certified Internal Auditor (CIA) learned that certain individuals in the organization
were involved in industrial espionage for the benefit of the organization. According to the IIA Code of
Ethics, identify the auditor's course of action.
CIAs must not knowingly be a party to any illegal or improper act. Also, reporting within the organization
is the proper action (IIA Code of Ethics).
B. CIAs must not knowingly be a party to any illegal or improper act. The fact that this activity is
improper and probably illegal requires the CIA to report it.
C. CIAs must not knowingly be a party to any illegal or improper act. The fact that this activity is
improper and probably illegal requires the CIA to report it. Merely noting the condition in the audit
working papers does not constitute "reporting" it.
D. CIAs are not required to voluntarily reveal illegal or improper acts to outside individuals or
organizations. They should try to work within their organizations.
Question 78 of 111
An organization has recently placed a former operating manager in the position of chief audit
executive (CAE). The new CAE is not a member of the IIA and is not a Certified Internal Auditor (CIA).
Henceforth, the internal auditing department will be run strictly by the CAE's standards, not the IIA's.
All four staff auditors are members of the Institute, but they are not CIAs. According to the IIA Code of
Ethics, what is the best course of action for the staff auditors?
A. The Code does not apply because the auditors are not CIAs.
B. The auditors should adopt suitable means to comply with the IIA Standards.
C. The auditors must exhibit loyalty to the organization and ignore the IIA Standards.
D. The auditors must resign their jobs to avoid improper activities.
Answer B is Correct.
The IIA Code of Ethics requires members and CIAs to adopt suitable means to comply with the Standards
(IIA Standard 2431 – Engagement Disclosure of Nonconformance).
C. Incorrect. Loyalty to the organization must be exhibited, but a member or CIA must follow the
Standards.
D. Incorrect. The Code of Ethics says nothing about resignation to avoid improper activities.
Question 79 of 111
A primary purpose for establishing a code of conduct within a professional organization is to:
A. Reduce the likelihood that members of the profession will be sued for substandard work.
B. Ensure that all members of the profession perform at approximately the same level of
competence.
C. Demonstrate acceptance of responsibility to the interests of those served by the profession.
D. Require members of the profession to exhibit loyalty in all matters pertaining to the affairs of
their organization.
Answer C is Correct.
A. Incorrect. Although this may be a result of establishing a code of conduct, it is not the primary purpose.
To consider it so would be self‐serving.
B. Incorrect. A code of conduct may help to establish minimum standards of competence, but it would be
impossible to legislate equality of competence by all members of a profession.
D. Incorrect. There are situations where responsibility to the public at large may conflict with, and be
more important than, loyalty to one's organization.
Question 80 of 111
While performing an operational audit of the firm's production cycle, an internal auditor discovers
that, in the absence of specific guidelines, some engineers and buyers routinely accept vacation trips
paid by certain of the firm's vendors. Other engineers and buyers will not accept even a working lunch
paid for by a vendor. Which of the following actions should the internal auditor take?
A. None. The engineers and buyers are professionals. It is inappropriate for an internal auditor to
interfere in what is essentially a personal decision.
B. Informally counsel the engineers and buyers who accept the vacation trips. This helps prevent
the possibility of kickbacks while preserving good auditor/auditee relations.
C. Formally recommend that the organization establish a corporate code of ethics. Guidelines of
acceptable conduct within which individual decisions may be made should be provided.
D. Issue a formal deficiency report naming the personnel who accept vacations but make no
recommendations. Corrective action is the responsibility of management.
Answer C is Correct.
A. Incorrect. Internal auditors are charged with the responsibility of evaluating that which they examine
and of making recommendations, where appropriate.
B. Incorrect. Management is charged with the responsibility of making any corrections necessary within
departments.
You work for an organization that has adopted a conflict‐of‐interest policy that prohibits any activity
contrary to the best interests and well‐being of the organization. Which of the following statements
should be included in the policy to illustrate unacceptable behavior?
Answer C is Correct.
Even though the training could benefit the organization, the relative (and you, albeit indirectly) stand to
benefit from company information.
D. Incorrect. Teaching is not considered in conflict with the interests of most organizations.
Question 82 of 111
The IIA Code of Ethics requires IIA members to exercise three particular qualities in the performance
of their duties. These three qualities are:
Answer A is Correct.
The IIA Code of Ethics states these three qualities under Integrity (Rules of Conduct).
According to the Code of Ethics, the IIA board of directors may take action against a Certified Internal
Auditor (CIA) whose work is dishonest by:
Answer D is Correct.
The IIA Board of Directors under Administrative Directives may revoke the CIA designation if it is
established that the person violated the Code of Ethics.
B. Incorrect. The Code of Ethics contains no provision for reporting the CIA to legal authorities. Further,
it has not been established that the CIA broke a law.
C. Incorrect. The IIA Code of Ethics contains no provision to require the employer to issue a reprimand.
Question 84 of 111
Answer A is Correct.
C. Incorrect. Acceptance of a gift with the consent of senior management does not impair the auditor's
judgment.
D. Incorrect. Gifts of minimal value that are available to the general public are not likely to hinder
professional judgment.
Question 85 of 111
The IIA board of directors has been informed that a Certified Internal Auditor (CIA) was tried and
convicted of tax evasion. The probable consequences for this person are:
A. Immediate revocation of the CIA designation by the Internal Auditing Standards Board.
B. Nothing; the act was performed outside of the normal line of work.
C. Censure by the director of Professional Practices of the Institute.
D. Review by the board of directors and forfeiture of the CIA designation.
Answer D is Correct.
Correct. The sanction must be imposed by the IIA Board under Administrative Directives. This act is
probably severe enough to warrant forfeiture of the CIA designation.
B. Incorrect. The CIA violated the law and performed an act discreditable to the profession.
Question 86 of 111
A chief audit executive (CAE) learns that a staff auditor has provided confidential information to a
relative. Both the CAE and staff auditor are Certified Internal Auditors. Although the auditor did not
benefit from the transaction, the relative used the information to make a significant profit. The most
appropriate way for the CAE to deal with this problem is to:
Answer D is Correct.
Since the Confidentiality (Rules of Conduct) of the IIA Code of Ethics was violated, the IIA should be
notified. In addition, company policy must be followed.
A. Incorrect. The auditor has violated the IIA Code of Ethics standard regarding use of confidential
information. The Institute should be notified.
B. Incorrect. Summary discharge may not be in accordance with company personnel policies.
C. Incorrect. The auditor was negligent in his use of confidential information and violated the Code of
Ethics. Some action is warranted.
Question 87 of 111
During the course of an audit, an auditor discovers that a clerk is embezzling company funds. Although
this is the first embezzlement ever encountered and the organization has a security department, the
auditor decides to personally interrogate the suspect. If the auditor is violating the IIA Code of Ethics,
the rule violated is most likely:
Answer C is Correct.
Competency (Rules of Conduct) of the IIA Code of Ethics requires members and Certified Internal
Auditors to refrain from undertaking services that cannot be reasonably completed with professional
competence.
A. Incorrect. Due diligence does not override professional competence or use of good judgment.
B. Incorrect. Loyalty would be better exhibited by consulting professionals in interrogation and knowing
your limits of competence.
D. Incorrect. The auditor may violate the suspect's civil rights due to inexperience, but that is not a
certainty.
Question 88 of 111
The chief audit executive (CAE) of a company is aware of a material inventory shortage caused by
internal control deficiencies at one manufacturing plant. The shortage and related causes are of
sufficient magnitude to impact the external auditor's report. Based on the IIA Code of Ethics, identify
the CAE's most appropriate course of action:
A. Say nothing; guard against interfering with the independence of the external auditors.
B. Discuss the issue with management and take appropriate action to ensure that the external
auditors are informed.
C. Inform the external auditors of the possibility of a shortage but allow them to make an
independent assessment of the amount.
D. Report the shortages to the board of directors and allow them to report it to the external
auditor.
Answer B is Correct.
The IIA Code of Ethics calls for compliance with the Standards, which charge the CAE with coordination
with external auditors and exchanging information. In addition, the Code of Ethics requires that all
material facts known be revealed. Since coordination impacts the external auditor's work, in which the
internal auditors are participating, the situation must be divulged.
A. Incorrect. This is a material fact that could distort a report of operations if not revealed.
C. Incorrect. The shortage is known, and the external auditors should be told more than that there is a
possibility.
D. Incorrect. The CAE should discuss the issue with management first and later with the board of
directors. The CAE can report these issues directly to the external auditors.
Question 89 of 111
Which of the following statements is not appropriate to include in a manufacturer's conflict of interest
policy? An employee shall not:
Generally, there should be no prohibition from public service. This is a right, if not a duty, of all citizens.
Question 90 of 111
A firm's code of ethics contains the following statement: “Employees shall not accept gifts or
gratuities over $50 in value from persons or firms with whom our organization does business.” This
provision is designed to prevent:
A . The first person benefited by a diversion of the firm's securities is the thieving employee. The stated
provision of the code of ethics is designed to prevent a vendor from an inordinate benefit.
C . Employees who operate cash registers are in a position to keep cash from sales and to fail to record
the transaction. Since this action first benefits the thief, the stated provision of the code of ethics is not
designed to prevent this.
Question 91 of 111
A code of conduct was developed several years ago and distributed by a large financial institution to
all its officers and employees. Identify the best audit approach to provide the audit committee with
the highest level of comfort about the code of conduct:
A. Fully evaluate the comprehensiveness of the code and compliance therewith, and report the
results to the audit committee.
B. Fully evaluate company practices for compliance with the code and report to the audit
committee.
C. Review employee activities for compliance with provisions of the code and report to the audit
committee.
D. Perform tests on various employee transactions to detect potential violations of the code of
conduct.
Evaluating the comprehensiveness of the code of conduct for appropriate provisions, compliance
therewith, and reporting the results would provide the audit committee with the greatest level of
comfort.
Question 92 of 111
A . That would ensure employee knowledge of the code; that isn't the issue here.
B . That would ensure employee acceptance of the code; that isn't an issue here.
C . Public knowledge might impact the behavior of professionals, but it isn't likely to help in the case of
general employees.
Question 93 of 111
The best reason for establishing a code of conduct within an organization is that such codes:
In addressing ethical conduct, codes of conduct provide a model of conduct for individuals within an
organization.
A . Codes of conduct are not required by the Foreign Corrupt Practices Act.
D . Public relations value may accrue, but it is not the best reason for establishing a code of conduct.
Question 94 of 111
A company with a whistleblowing hotline has received an anonymous tip that three senior internal
auditors are in violation of the IIA Code of Ethics. The company has adopted the IIA Code as a part of
its corporate ethical code. Among the allegations against the auditors were the following:
1. Auditor 1 has a part-time job outside of office hours as a visiting professor at a local community
college.
2. Auditor 1 owns stock in the employer company.
3. Auditor 1 told her next-door neighbor to start looking for a new job because an audit of the
executive office indicated that the neighbor's division was going to be closed down in about six
months.
4. Auditor 2 received an item of value from a local nonprofit organization of purchasing agents for
whom he gave a speech.
5. Auditor 2 received an item of value from a customer of the employer.
6. Auditor 2 has a part-time job as president of a local charitable organization.
7. Auditor 2 shared audit techniques with auditors from another company while attending a
professional meeting.
8. A buyer accepted a kickback of $500 to give bid amounts to a supplier to enable that supplier to
bid the contract. Auditor 2 omitted this information from the audit report since the contract
amount was not material to the financial statements.
9. Auditor 3 received royalties from a publisher for authoring a professional book on internal
auditing.
10. Auditor 3 has a part-time job as a real estate broker, and his real estate firm recently received a
commission from the employer company.
11. Auditor 3 received an item of value from a fellow employee in the same company whose
department has never been audited and whose department is not scheduled to be audited in
the foreseeable future.
12. Auditor 3 did not include in an audit report that the bottlenecks in a shipping department were
caused by the absence of the supervisor. The supervisor was the auditor's friend and neighbor
who had a hospitalized child requiring her to miss work off and on for several weeks.
How many of the allegations about Auditor 1 represent violations of the IIA Code of Ethics?
A. None.
B. One.
C. Two.
D. Three.
According to the Confidentiality (Rules of Conduct) of the IIA Code of Ethics, telling the neighbor about a
plant closing (item 3) is the only violation.
Question 95 of 111
A company with a whistleblowing hotline has received an anonymous tip that three senior internal
auditors are in violation of the IIA Code of Ethics. The company has adopted the IIA Code as a part of
its corporate ethical code. Among the allegations against the auditors were the following:
1. Auditor 1 has a part-time job outside of office hours as a visiting professor at a local community
college.
2. Auditor 1 owns stock in the employer company.
3. Auditor 1 told her next-door neighbor to start looking for a new job because an audit of the
executive office indicated that the neighbor's division was going to be closed down in about six
months.
4. Auditor 2 received an item of value from a local nonprofit organization of purchasing agents for
whom he gave a speech.
5. Auditor 2 received an item of value from a customer of the employer.
6. Auditor 2 has a part-time job as president of a local charitable organization.
7. Auditor 2 shared audit techniques with auditors from another company while attending a
professional meeting.
8. A buyer accepted a kickback of $500 to give bid amounts to a supplier to enable that supplier to
bid the contract. Auditor 2 omitted this information from the audit report since the contract
amount was not material to the financial statements.
9. Auditor 3 received royalties from a publisher for authoring a professional book on internal
auditing.
10. Auditor 3 has a part-time job as a real estate broker, and his real estate firm recently received a
commission from the employer company.
11. Auditor 3 received an item of value from a fellow employee in the same company whose
department has never been audited and whose department is not scheduled to be audited in
the foreseeable future.
12. Auditor 3 did not include in an audit report that the bottlenecks in a shipping department were
caused by the absence of the supervisor. The supervisor was the auditor's friend and neighbor
who had a hospitalized child requiring her to miss work off and on for several weeks.
How many of the allegations about Auditor 2 represent violations of the IIA Code of Ethics?
A. One.
B. Two.
C. Three.
D. Four.
According to the Objectivity (Rules of Conduct) of the IIA Code of Ethics, receiving an item of value from
a customer of the employer (item 5) and failure to disclose a kickback (item 8) are the only violations.
Question 96 of 111
A company with a whistleblowing hotline has received an anonymous tip that three senior internal
auditors are in violation of the IIA Code of Ethics. The company has adopted the IIA Code as a part of
its corporate ethical code. Among the allegations against the auditors were the following:
1. Auditor 1 has a part-time job outside of office hours as a visiting professor at a local community
college.
2. Auditor 1 owns stock in the employer company.
3. Auditor 1 told her next-door neighbor to start looking for a new job because an audit of the
executive office indicated that the neighbor's division was going to be closed down in about six
months.
4. Auditor 2 received an item of value from a local nonprofit organization of purchasing agents for
whom he gave a speech.
5. Auditor 2 received an item of value from a customer of the employer.
6. Auditor 2 has a part-time job as president of a local charitable organization.
7. Auditor 2 shared audit techniques with auditors from another company while attending a
professional meeting.
8. A buyer accepted a kickback of $500 to give bid amounts to a supplier to enable that supplier to
bid the contract. Auditor 2 omitted this information from the audit report since the contract
amount was not material to the financial statements.
9. Auditor 3 received royalties from a publisher for authoring a professional book on internal
auditing.
10. Auditor 3 has a part-time job as a real estate broker, and his real estate firm recently received a
commission from the employer company.
11. Auditor 3 received an item of value from a fellow employee in the same company whose
department has never been audited and whose department is not scheduled to be audited in
the foreseeable future.
12. Auditor 3 did not include in an audit report that the bottlenecks in a shipping department were
caused by the absence of the supervisor. The supervisor was the auditor's friend and neighbor
who had a hospitalized child requiring her to miss work off and on for several weeks.
How many of the allegations about Auditor 3 represent violations of the IIA Code of Ethics?
A. One.
B. Two.
C. Three.
D. Four.
Question 97 of 111
System security engagement is a part of assurance services while the other three choices are a part of
consulting services. Consulting services are defined as advisory and related client service activities, the
nature and scope of which are agreed with the client, are intended to add value and improve an
organization's governance, risk management, and control processes without the internal auditor
assuming management responsibility. Examples include counsel, advice, facilitation, and training.
Question 98 of 111
According to the IIA Standards, which of the following is not included in the scope of the internal audit
function?
A . This is included in the scope of internal auditing as stated in the IIA Standard 2130—Control.
C . This is included in the scope of internal auditing as stated in the IIA Standard 2130—Control.
D . This is included in the scope of internal auditing as stated in the IIA Standard 2130—Control.
Question 99 of 111
A charter is being drafted for a newly formed internal auditing department. Which of the following
best describes the appropriate organizational status that should be incorporated into the charter?
A. The chief audit executive should report to the chief executive officer but have access to the
board of directors.
B. The chief audit executive should be a member of the audit committee of the board of directors.
C. The chief audit executive should be a staff officer reporting to the chief financial officer.
D. The chief audit executive should report to an administrative vice president.
This arrangement provides for the most operating flexibility and independence (IIA Standard 1000 –
Purpose, Authority, and Responsibility).
The chief audit executive (CAE) for a large manufacturing company is considering revising the
department's audit charter with respect to the minimum educational and experience qualifications
required. The CAE wants to require all staff auditors to possess specialized training in accounting and
a professional auditing certification such as the Certified Internal Auditor (CIA) or the Chartered
Accountant (CA). One of the disadvantages of imposing this requirement would be:
A. The policy might negatively affect the department's ability to perform quality examinations of
the company's financial and accounting systems.
B. The policy would not promote the professionalism of the department.
C. The policy would prevent the department from using outside consultants when the department
did not have the skills and knowledge required in certain audit situations.
D. The policy could limit the range of activities that could be audited by the department due to the
department's narrow expertise and backgrounds.
The mix of audit skills in an audit staff affects the range of activities that can be audited (IIA Standard
1000 – Purpose, Authority, and Responsibility). Auditing departments comprised only of people trained
in accounting probably would be better able to examine financial and accounting systems than
engineering systems for example. As a result, departments should strive for an appropriate balance of
experience, training, and ability in order to audit a range of activities within their respective
organizations.
A . Auditing departments that hired only CIAs or CAs and individuals possessing accounting degrees
would be better equipped to audit certain operations, such as financial and accounting systems, than
would other departments that did not have these minimum standards.
B . A charter that set minimum professional standards (i.e., CIA or CA) for its department's auditors
would promote professionalism.
C . The impact of this requirement would not affect whether consultants were used. The Standards state
that when auditors do not possess adequate knowledge and skills in a certain required area, consultants
should be used.
Follow-up activity may be required to ensure that corrective action has taken place for certain
findings. The internal audit department's responsibility to perform follow-up activities as required
should be defined in the:
Responsibility for follow-up should be defined in the internal auditing department's written charter (IIA
Standard 1000 – Purpose, Authority, and Responsibility; IIA Standard 2500 – Monitoring Progress).
B . Follow-up is not specified in the content of the audit committee's mission statement.
C . This memo may contain a statement about responsibility for follow-up, but such a statement should
be based on the wording and authority of the departmental charter.
D . Follow-up authority and responsibility may be cited in applicable audit reports, but the definition
should be first contained in the departmental charter.
Question 102 of 111
The status of the internal auditing function should be free from the impact of irresponsible policy
changes by management. The most effective way to ensure that freedom is to:
A. Have the internal auditing charter approved by both management and the board of directors.
B. Adopt policies for the functioning of the auditing department.
C. Establish an audit committee within the board of directors.
D. Develop written policies and procedures to serve as standards of performance for the
department.
Approval of the charter by the board of directors will protect the internal auditing function from
management actions, which could weaken the status of the internal auditing department (IIA Standard
1000—Purpose, Authority, and Responsibility).
B . While adoption of the Standards serves as a guide and a measure of internal auditing performance, it
will not protect and preserve the department's status.
C . The establishment of an audit committee does not ensure the status of internal auditing without its
involvement in areas such as approval of the charter.
D . Written policies and procedures serve to guide the audit staff but have little impact on management.
Since auditors alone cannot implement audit recommendations, auditee participation and involvement
make improvements better (IIA Standard 1000—Purpose, Authority, and Responsibility).
D . Due to the requirement for independence, auditors should never implement policies and procedures.
In planning a system of internal operating controls, the role of the internal auditor is to:
A. Design the controls.
B. Appraise the effectiveness of the controls.
C. Establish the policies for controls.
D. Create the procedures for the planning process.
This is the proper role of the internal auditor, who reports the results to management (IIA Standard
1000—Purpose, Authority, and Responsibility).
Accepting the concept that internal auditing should be an integral part of an organization can involve
a major change of attitude on the part of top management. Which of the following would be the best
way for internal auditors to convince management of the need for and benefits of internal auditing?
A. Persuading top managers to accept the idea of internal audits by contacting company
shareholders and regulatory agencies.
B. Educating top managers about the benefits and communicating with them on a regular basis.
C. Negotiating with top management to provide them with rewards, such as favorable audits.
D. Involving top management in deciding which audit findings will be reported.
Education and communication, although lengthy and costly, are the only way to achieve long-term
results (IIA Standard 1000—Purpose, Authority, and Responsibility).
A . Manipulation is not an option since it can be done only if the party manipulating has power. Its
effects are also short-lived and do not lead to long-term commitment.
C . Negotiation is not an alternative since the two parties do not have equal power. Furthermore,
internal auditors often do not have immediate rewards available to them to offer management.
An element of authority that should be included in the charter of the internal auditing department is:
A. Identification of the operational departments that the audit department must audit.
B. Identification of the types of disclosures that should be made to the audit committee.
C. Access to records, personnel, and physical properties relevant to the performance of audits.
D. Access to the external auditor's working papers.
The auditor must have access to all audit evidence in order to fulfill his or her obligations and
responsibilities.
A . The internal audit department should not specifically identify what activities will be audited.
B . The auditor is obligated to make all needed disclosures to the audit committee.
D . Access to the external auditor's working papers cannot be guaranteed in the charter.
The director of a newly formed internal auditing department is in the process of drafting a formal
written charter for the department. Which one of the following items, related to the operational
effectiveness of the internal audit department, should be included in the charter?
The IIA Standards state that the charter should include the internal auditors' access to those records,
personnel, and physical properties that are relevant to their work. Having limitations on such access
would impact the operational effectiveness of the internal audit department because the internal
auditor would not be able to conduct the audit using the approach that he or she designed.
A . The IIA Standards state that “the charter should (a) establish the department's position within the
organization; (b) authorize access to records, personnel, and physical properties relevant to the
performance of audits; and (c) define the scope of internal auditing activities.” Accordingly, not only is
the frequency of audits not included in the charter, but also such information is not related to the
operational effectiveness of the internal audit department.
B . The procedures to be employed by internal auditors in investigating and reporting fraud are not
included in the charter.
C . The procedures to be employed by internal auditors in investigating and reporting fraud are not
included in the charter.
Responsibility for follow-up should be defined in the internal auditing department's written charter (IIA
Standard 2500—Monitoring Progress and Standard 1000—Purpose, Authority, and Responsibility).
B . Follow-up is not specified in the content of the audit committee's mission statement.
C . This memo may contain a statement about responsibility for follow-up, but such a statement should
be based on the wording and authority of the departmental charter.
D . Follow-up authority and responsibility may be cited in applicable audit reports, but the definition
should be first contained in the departmental charter.
An element of authority that should be included in the charter of the internal auditing department is:
A. Identification of the operational departments that the audit department must audit.
B. Identification of the types of disclosures that should be made to the audit committee.
C. Access to records, personnel, and physical properties relevant to the performance of audits.
D. Access to the external auditor's working papers.
The auditor must have access to all audit evidence in order to fulfill obligations and responsibilities (IIA
Standard 1000—Purpose, Authority, and Responsibility).
A . The internal audit department should not specifically identify what activities will be audited.
B . The auditor is obligated to make all needed disclosures to the audit committee.
D . Access to the external auditor's working papers cannot be guaranteed in the charter.
IIA Standard 1000—Purpose, Authority, and Responsibility states that the charter should include the
internal auditors' access to those records, personnel, and physical properties that are relevant to their
work. Having limitations on such access would impact the operational effectiveness of the internal audit
department because the internal auditor would not be able to conduct the audit in the proper manner.
A . IIA Standard 1000 states that “the charter should (a) establish the department's position within the
organization; (b) authorize access to records, personnel, and physical properties relevant to the
performance of audits; and (c) define the scope of internal auditing activities.” Accordingly, not only is
the frequency of audits not included in the charter, but also such information is not related to the
operational effectiveness of the internal audit department.
B . The manner of reporting audit findings (how it is reported, to whom it will be reported, etc.) is not
included in the charter and is not related to operational effectiveness of the internal audit department.
C . The procedures to be employed by internal auditors in investigating and reporting fraud are not
included in the charter.
In some cultures and organizations, managers insist that the internal auditing function is not needed
to provide a critical assessment of the organization's operations. A management attitude such as this
will most probably have an adverse effect on the internal auditing department's:
A . An operating budget variance report is a control device used to monitor actual performance versus
budget. Management foot-dragging could cause unfavorable variances, but favorable variances could
also occur if many audits were cut short due to scope impairments.
C . An unbiased evaluation of audit staff would not be affected by lack of cooperation on the part of
non-audit management.
D . Policies and procedures of the internal audit function are developed by the internal audit
department and should not be affected by non-audit management.
PART-1 DOMAIN 2
1.All of the following are major concerns for a chief audit executive (CAE) except:
It is common for audit client management to reject major audit findings for various reasons, such as:
(1) little or no value added to the audit client department, (2) unclear audit scope and audit objectives,
(3) the audit client manager is new to his or her department, or (4) other reasons. These rejections can
be fixed by, for example, revising the audit scope and objectives and/or redoing the same audit with the
same auditor or with a different auditor. These issues should not be the major concern for the CAE.
B.Incorrect. Audit work failures, for whatever reasons, should be a major concern for the CAE because
they deal with an auditor's competency and professionalism.
C.Incorrect. False assurances to audit clients should be a major concern for the CAE because they deal
with an auditor's competency and professionalism.
D.Incorrect. An audit department's reputation issues should be a major concern for the CAE because
they deal with an auditor's competency and professionalism.
2.Which of the following is not compromised when an internal auditor has compromised her
independence of mind?
A.Integrity
B.Objectivity
C.Continuing education
D.Professional skepticism
An internal auditor receives continuing education whether she has independence of mind or not
because independence and continuing education are two separate and unconnected activities and
events.
A.Incorrect. When independence is compromised, the auditor cannot act with integrity.
A.Bias threat
B.Familiarity threat
Organizational politics is a major challenge to maintaining independence from the undue influence of
power playing. Extreme and unnecessary playing of organizational politics can slowly lead to an
organization's failure or decline.
4.A peer review can help in mitigating which of the following threats to an auditor's objectivity?
B.Mirror-imaging trap
C.Analogy trap
D.Projection trap
A mirror-imaging trap is an auditor's false assumption that his or her followers and others think
exactly like him- or herself. Auditors who fall into this trap are unwilling to examine or analyze other
views, variations, or alternatives of the subject matter at hand. Peer reviews can help in mitigating this
trap.
A.Stereotyping trap.
B.Culture trap.
C.Stovepiping trap.
D.Conflicts-of-interest trap
A stovepiping trap means acknowledging only one source of information or knowledge as the official
source and disregarding other sources of information or knowledge as unofficial sources. This trap is
similar to a silo trap or legacy trap.
6.When internal audit work is performed based on facts, the audit work is referring to which of
the following ethical principles?
A.Integrity
B.Objectivity
C.Resource utilization
D.Professional behavior
Integrity refers to auditors performing their work with an attitude that is objective, fact-based,
nonpartisan, and nonideological with regard to audit clients and users of the audit reports.
C.Incorrect. Resource utilization deals with handling sensitive and confidential information.
D.Incorrect. Professional behavior deals with putting forth an honest effort in performing audit duties.
7.Which of the following actions would be a violation of independence?
A.Continuing on an audit assignment at a division for which the auditor will soon be responsible as the
result of a promotion.
C.Participating on a task force which recommends standards for control of a new distribution system.
IIA Standard 1130 – Impairment to Independence or Objectivity specifies that an auditor who has been
promoted to an operating department should not continue on an audit of his or her new department.
B.Incorrect. The Standards state that budget restrictions do not constitute a violation of an auditor's
independence.
C.Incorrect. The Standards state that an auditor may participate on a task force that recommends new
systems. However, designing, installing, or operating such systems might impair objectivity.
D.Incorrect. The Standards state that an auditor may review contracts prior to their execution.
8.Which of the following will best promote the independence of the internal auditing function?
A.A quality control system within the internal auditing function designed to ensure that departmental
objectives are met.
B.Direct lines of communication between the audit committee and the chief audit executive (CAE).
C.A written charter that reflects the concepts contained in the International Standards for the
Professional Practice of Internal Auditing.
IIA Standard 1110 – Organizational Independence and IIA Standard 1111 – Direct Interaction with the
Board note that access to the board helps assure independence and provides a means for the board and
the CAE to keep each other informed on matters of mutual interest.
9.According to the IIA Organizational Independence Standard, which of the following is not a
part of functional reporting to the board?
A.Audit charter.
C.Audit budgets.
D.Audit plan.
The chief audit executive, reporting functionally to the board and administratively to the organization's
chief executive officer, facilitates organizational independence (IIA Standard 1110 – Organizational
Independence). Functional reporting to the board typically involves the board approving the internal
audit activity's overall charter and approving the internal audit risk assessment and related audit plan.
Administrative reporting is the reporting relationship within the organization's management structure
that facilitates the day-to-day operations of the internal audit activity. Administrative reporting
typically includes audit budgets among other things.
10.According to the IIA Organizational Independence Standard, which of the following is not a
part of administrative reporting to the organization's management?
C.Management accounting.
The chief audit executive, reporting functionally to the board and administratively to the organization's
chief executive officer, facilitates organizational independence. Administrative reporting is the
reporting relationship within the organization's management structure that facilitates the day-to-day
operations of the internal audit activity. Administrative reporting typically includes management
accounting; human resource administration, including personnel evaluations and compensation;
administration of the internal audit activity's policies and procedures; and other things (IIA Standard
1110 – Organizational Independence). Annual confirmation of the internal audit activity's
organizational independence belongs to the functional reporting to the board.
11.According to the IIA Standards, the independence of internal auditors is achieved through:
Organizational status and objectivity permit internal auditors to render the impartial and unbiased
judgments essential to the proper conduct of audits (IIA Standard 1100 – Independence and
Objectivity).
A.Incorrect. Staffing and supervision relate to the professional proficiency of the internal auditing
department.
B.Incorrect. Continuing education and due professional care are related to the professional proficiency
of the internal auditor.
C.Incorrect. Human relations and communications relate to the professional proficiency of the internal
auditor.
12.Which of the following relationships best depicts the appropriate dual reporting responsibility
of the internal auditor? Administratively to the:
13.The chief audit executive (CAE) for a large retail organization reports to the controller and is
responsible for designing and installing computer applications relating to inventory control.
Which of the following is the major limitation of this arrangement?
A.It prevents the audit organization from devoting full time to auditing.
B.Auditors generally do not have the required expertise to design and implement such systems.
C.It potentially affects the CAE's independence and thereby lessens the value of audit services.
D.Such arrangements are unlawful because the director participates in incompatible functions.
Independence would be adversely affected since internal auditors would be expected to review systems
for which the CAE and the CAE's immediate superior were responsible (IIA Standard 1110 –
Organizational Independence; IIA Standard 1120 – Individual Objectivity).
14.An auditor's objectivity could be compromised in all of the following situations except:
Auditors sometimes must rely on outside experts; the standards allow this reliance (Standard 1120 –
Individual Objectivity).
A.Incorrect. A conflict of interest compromises objectivity.
15.When evaluating the independence of an internal audit department, a quality review team
considers several factors. Which of the following factors has the least amount of influence when
judging an internal audit department's independence?
Training is a factor of skill, not independence (IIA Standard 1110 – Organizational Independence; IIA
Standard 1312 – External Assessments).
A.Incorrect. How auditors are assigned is a factor related to independence, whether the auditor has
personal relationships with operating personnel, work experience with the auditee, and so on.
C.Incorrect. If significant findings found in the working papers are left out of the report, independence
is brought into question.
16.You have been asked to be a member of a peer review team. In assessing the independence of
the internal audit department being reviewed, you should consider all of the following factors
except:
A.Access to and frequency of communications with the board of directors or its audit committee.
B.The criteria of education and experience considered necessary when filling vacant positions on the
audit staff.
D.The scope and depth of audit objectives for the audits included in the review.
The Answer B is Correct.
This criterion is related to skill, not independence (IIA Standard 1110 – Organizational Independence;
IIA Standard 1311 – Internal Assessments).
D.Incorrect. The scope and depth of the audit objectives reflect on the department's independence.
17.In the past, the internal auditing department of XYZ Company designed and installed
computerized systems for the company. A newly appointed member of the audit committee has
questioned the auditing department's independence due to its performance of that activity.
Which of the following actions would best satisfy the committee's concern regarding
independence?
A.The internal audit department should continue to design and install other computer systems as long
as the internal audit staff possesses the expertise to do so.
B.The internal audit department should refrain from designing and installing any computer systems for
the organization in the future.
C.The internal audit department should not assign those internal auditors who designed and installed
the payroll system to audit the payroll area.
D.The internal audit department should refrain from operating and drafting procedures for any of its
organization's systems.
IIA Standard 1120 – Individual Objectivity states that internal auditors are independent when they
carry out their work freely and objectively. Independence permits internal auditors to render the
impartial and unbiased judgments essential to the proper conduct of audits. It is achieved through
organizational status and objectivity. Furthermore, these Standards state that designing, installing, and
operating systems are not audit functions. Also, the drafting of procedures for systems is not an audit
function. Performing such activities is presumed to impair audit objectivity. Accordingly, it would be
inappropriate for the internal audit department to continue to design and install other computer systems,
regardless of the expertise of the audit staff in such areas, because such functions impair independence.
A.Incorrect. According to the IIA Standards, refraining from designing and installing any systems
would enhance independence, and is therefore an appropriate action.
C.Incorrect. IIA Standards state that objectivity is presumed to be impaired when internal auditors audit
any activity for which they had authority or responsibility. Assigning internal auditors other than those
who designed and installed the payroll system to audit the payroll system slightly enhances
independence. However, this is not the best answer, as it does not address the ongoing independence
concern the audit committee has voiced.
D.This is discussed in the Standards.
18.Which of the following most seriously compromises the independence of the internal auditing
department?
A.Internal auditors frequently draft revised procedures for departments whose procedures they have
criticized in an audit report.
B.The chief audit executive has dual reporting responsibility to the firm's top executive and the board
of directors.
C.The internal auditing department and the firm's external auditors engage in joint planning of total
audit coverage to avoid duplicating each other's work.
D.The internal auditing department is included in the review cycle of the firm's contracts with other
firms before the contracts are executed.
If the auditing department drafts procedures, it will be in the position of auditing its own work during
the next audit cycle (IIA Standard 1120 – Individual Objectivity).
B.Incorrect. This type of dual reporting enhances the internal auditing department's independence,
since it protects auditors from the potentially disastrous effect of unwarranted displeasure on the part of
the chief executive officer.
C.Incorrect. Independence refers to the internal auditing department's relationship with management,
not with the external auditors. While the internal auditing department should not allow its audit plans to
be dictated by the external auditors, close cooperation eliminates wasteful duplication and permits an
efficient division of labor.
D.Incorrect. This policy is a good example of preemptive auditing and affords an opportunity to
evaluate the adequacy of controls and audit trails in the proposed contracts.
19.Which of the following reporting structures would best depict the internal audit
organizational guidelines contained in the IIA Standards?
20.As the chief audit executive for your organization, you have developed a plan that includes a
detailed schedule of areas to be audited during the coming year, an estimate of the time required
for each audit, and the approximate starting date of each audit. The scheduling of specific audits
was based on the time elapsed since the last audit in each area. The plan is inadequate because it
fails to:
A.Cite authoritative support, such as the IIA Standards, for such a plan.
B.Consider factors such as risk, exposure, and potential loss to the organization.
C.State whether all audit resources had been committed to the plan.
IIA Standard 2010 – Planning states that audit priorities should be based on financial exposure,
potential loss and risk, requests from management, and opportunities to achieve operating benefits as
well as the date and results of the last audit.
A.Incorrect. While the Standards provide authoritative support for work schedules, there is no
requirement to cite them.
C.Incorrect. To the contrary, the Standards suggest keeping the plan flexible in the event of
unanticipated needs.
21.The audit committee can serve several important purposes, some of which directly benefit
internal auditing. The most significant benefit provided by the audit committee to the internal
auditor is:
C.Approving audit plans, scheduling, staffing, and meeting with the internal auditor as needed.
D.Reviewing copies of the internal control procedures for selected company operations and meeting
with company officials to discuss them.
Supporting independence by senior management and the board allows the auditor to perform necessary
duties. This is an important purpose (IIA Standard 1110 – Organizational Independence).
22.The IIA Standards indicate that independence permits internal auditors to render the
impartial and unbiased judgments essential to the proper conduct of audits. Which of the
following would best promote independence?
A.A policy that requires internal auditors to report to the chief audit executive any situation in which a
conflict of interest or bias on the part of the individual auditor is present or may reasonably be inferred.
B.An internal audit department policy that prevents it from recommending standards of controls for
systems that it audits.
C.An organizational policy that allows internal audits of sensitive operations to be contracted out to
other audit providers.
D.An organizational policy that prevents personnel transfers from operating activities to the internal
audit department.
Such a policy is called for by the IIA Standards to promote independence (IIA Standard 1120 –
Individual Objectivity).
B.The Standards specifically indicate that this is a part of internal auditing's responsibilities and that it
would not cause an independence problem.
D.Incorrect. The Standards specifically provide for such transfers. However, the Standards note that
transfers should not be assigned to audit those activities they previously performed until a reasonable
period of time has elapsed.
23.An audit committee of the board of directors of a corporation is being established. Which of
the following would normally be a responsibility of the committee?
A.Approval of the appointment and removal of the chief audit executive.
B.Incorrect. This activity is an operational function of the chief audit executive and the audit staff. It is
submitted to the committee.
24.The audit committee of an organization has charged the chief audit executive (CAE) with
bringing the department into full compliance with the IIA Standards. The CAE's first task is to
develop a charter. Identify the item that should be included in the statement of objectives:
C.Determine the adequacy and effectiveness of the organization's systems of internal controls.
This is a primary function of any internal auditing department (IIA Standard 1110 – Organizational
Independence).
A.Incorrect. Only significant audit findings should be discussed with the audit committee.
B.Incorrect. Internal auditors are not required to report deficiencies in regulatory compliance to the
appropriate agencies. However, Institute members and Certified Internal Auditors (CIAs) may not
knowingly be involved in illegal acts.
D.Incorrect. This is not a primary objective of the internal auditing department. It is a budgetary control
that management may require on a periodic basis.
25.In which of the following situations does the auditor potentially lack objectivity?
A.An auditor reviews the procedures for a new electronic data interchange connection to a major
customer before it is implemented.
B.A former purchasing assistant performs a review of internal controls over purchasing four months
after being transferred to the internal auditing department.
C.An auditor recommends standards of control and performance measures for a contract with a service
organization for the processing of payroll and employee benefits.
D.A payroll accounting employee assists an auditor in verifying the physical inventory of small motors.
The IIA Standard 1130 – Impairment to Independence or Objectivity says that persons transferred to
the internal auditing department should not be assigned to audit those activities they previously
performed until a reasonable period of time has elapsed.
A.The IIA Standards say the internal auditor's objectivity is not adversely affected when the auditor
reviews procedures before they are implemented.
C. The Standards say the internal auditor's objectivity is not adversely affected when the auditor
recommends standards of control for systems before they are implemented.
D.Use of staff from other areas to assist the internal auditor does not impair objectivity, especially
when the staff is from outside of the area being audited.
A.Continuing on an audit assignment at a division for which the auditor will soon be responsible as the
result of a promotion.
C.Participating on a task force that recommends standards for control of a new distribution system.
IIA Standard 1130 – Impairment to Independence or Objectivity specifies that an auditor who has been
promoted to an operating department should not continue on an audit of the new department.
B.Incorrect. The Standards state that budget restrictions do not constitute a violation of an auditor's
independence.
C.Incorrect. The Standards state that an auditor may participate on a task force that recommends new
systems. However, designing, installing, or operating such systems might impair objectivity.
D.Incorrect. The Standards state that an auditor may review contracts prior to their execution.
27.Which of the following activities would not be presumed to impair the independence of an
internal auditor?
II. Drafting procedures for running a new computer application to ensure that proper controls are
installed
III. Performing reviews of procedures for a new computer application before it is installed
A.I only.
B.II only.
C.III only.
Items I and III are presumed not to impair independence per IIA Standard 1130 – Impairment to
Independence or Objectivity.
B.Incorrect. This choice is not relevant because this is presumed to impair independence per the
Standards.
28.An organization was in the process of establishing its new internal audit department. The
controller had no previous experience with internal auditors. Due to this lack of experience, the
controller advised the applicants that they would be reporting to the external auditors. However,
the new chief audit executive (CAE) would have free access to the controller to report anything
important. The controller would convey the CAE's concerns to the board of directors. Which of
the following is true?
A.The internal audit department will be independent because the CAE has direct access to the board of
directors.
B.The internal audit department will not be independent because the CAE reports to the external
auditors.
C.The internal audit department will not be independent because the controller has no experience with
internal auditors.
D.The internal audit department will not be independent because the company did not specify that the
applicants must be Certified Internal Auditors.
According to IIA Standard 1100 – Independence and Objectivity, the CAE of the internal auditing
department should be responsible to an individual in the organization with sufficient authority to
promote independence. External auditors are not individuals in the organization.
A.The internal audit department will not have direct access to the board of directors. The access is
indirect, via the controller. According to the Standards, the CAE should have direct communication
with the board.
C.Incorrect. Whether the controller has experience with internal auditors does not affect the audit
department's independence.
D.Incorrect. Although desirable, the Certified Internal Auditor designation is not mandatory for a
person to become an internal auditor. A CIA would, of course, insist on internal audit department
independence.
29.During a year-end planning meeting with senior management, the chief audit executive (CAE)
learns that a recent draft audit report on one of the company's inventory costing systems had
provoked a discussion in the accounting area. The audit report proposed a relatively large
adjustment due to an error in the local inventory system. The auditor's conclusion stated that six
other production facilities using the same costing system would require similar inventory
adjustments. The total required adjustment for all seven locations represented a material
adjustment to the financial statements, according to the chief financial officer (CFO). The CFO
questioned the method used by the auditor to calculate the amount of the inventory adjustment
and asked the CAE to delay processing the audit report until all aspects of the finding had been
fully considered. The CAE reports directly to the CFO. The audit committee has not been
apprised of this audit because the audit report is still in draft stage awaiting management
comment.
Assuming that there is a meeting later the same day with the audit committee of the board, which
of the following is not a responsibility of the director of internal auditing?
A.Inform the audit committee of senior management's decisions on all significant audit findings.
B.Highlight significant audit findings and recommendations and report on the approved audit work
schedule.
C.Inform the audit committee of the outcome of earlier meetings with the CFO and the options being
considered for recording the inventory adjustment.
D.Attempt to resolve the inventory issue before reporting the finding to the audit committee.
The Answer C is Correct.
There is no provision for the discussion of the meeting or the related options for handling the necessary
transaction in IIA Standard 1111 – Direct Interaction with the Board.
A.Incorrect. The Standards prescribe informing the board of management's decision on significant
audit findings.
B.Incorrect. The Standards prescribe highlighting significant audit findings and recommendations and
reporting on the approved audit work schedule.
D.Incorrect. The auditor does not yet know if this is actually a problem that can adversely affect the
organization.
30.During a year-end planning meeting with senior management, the chief audit executive (CAE)
learns that a recent draft audit report on one of the company's inventory costing systems had
provoked a discussion in the accounting area. The audit report proposed a relatively large
adjustment due to an error in the local inventory system. The auditor's conclusion stated that six
other production facilities using the same costing system would require similar inventory
adjustments. The total required adjustment for all seven locations represented a material
adjustment to the financial statements, according to the chief financial officer (CFO). The CFO
questioned the method used by the auditor to calculate the amount of the inventory adjustment
and asked the CAE to delay processing the audit report until all aspects of the finding had been
fully considered. The CAE reports directly to the CFO. The audit committee has not been
apprised of this audit because the audit report is still in draft stage awaiting management
comment.
A.Schedule audits to review the inventory costing systems at all locations after year-end.
B.Recall all copies of the draft audit report sent out for management review and response.
C.Tell the representatives of senior management that distorting financial reports is not acceptable.
D.Offer to review the basis for the conclusion about the inventory valuation at all locations.
Because the case indicates that the amount of the inventory adjustment is in question, this would be the
appropriate step for the CAE to take (IIA Standard 1111 – Direct Interaction with the Board).
A.Incorrect. Reviews after year-end will not address the current year's financial reporting integrity.
31.Management has requested the internal auditing department to perform an operational audit
of the telephone marketing operations of a major division and to recommend procedures and
policies for improving management control over the operation. The auditor should:
A.Not accept the engagement because recommending controls would impair future objectivity of the
department regarding this auditee.
B.Not accept the engagement because audit departments are presumed to have expertise on accounting
controls, not marketing controls.
C.Accept the engagement but indicate to management that recommending controls would impair audit
independence so management knows that future audits of the area would be impaired.
The auditor should accept the engagement, assign staff with sufficient control knowledge, and make
recommendations where appropriate. This would not impair objectivity (IIA Standard 1100 –
Independence and Objectivity).
A.Incorrect. The auditor should accept the engagement. Recommending controls is not considered a
violation of the auditor's independence or objectivity.
B.Incorrect. The auditor should accept the engagement. Auditors should have control knowledge,
which is not limited to accounting controls.
32.According to the IIA Standards, internal auditors must be objective in performing audits.
Assume that the chief audit executive (CAE) received an annual bonus as part of that individual's
compensation package. The bonus may impair the CAE's objectivity if:
i. The bonus is administered by the board of directors or its salary administration committee.
ii. The bonus is based on dollar recoveries or recommended future savings as a result of audits.
iii. The scope of internal auditing work is reviewing control rather than account balances.
A.I.
B.II.
C.III.
D.IV.
The Answer B is Correct.
A.According to the IIA Standards, objectivity is not impaired if the bonus is administered by the board
of directors or its salary administration committee. Use of a board compensation committee would be
an environmental factor that would enhance the director's independence and objectivity.
C.Incorrect. According to the IIA Standards, objectivity is not impaired if the scope of internal auditing
work is reviewing control rather than account balances. Compensation packages are often tied to
financial results. If the scope of work was reviewing account balances, the director might be unduly
influenced to report results that would be favorable to his or her bonus. In contrast, there would be less
inducement if the scope of work were limited to reviewing controls.
33.A company is planning to develop and implement a new computerized purchase order system
in one of its manufacturing subsidiaries. The Vice President of Manufacturing has requested that
internal auditors participate on a team consisting of representatives from Finance,
Manufacturing, Purchasing, and Marketing. This team will be responsible for the
implementation effort. Eager to take on this high-profile project, the chief audit executive (CAE)
assigns a senior auditor to the project to assist "as needed." Assuming the senior auditor
performed all of the following activities, which one would impair objectivity if asked to review
the purchase order system on a postaudit basis?
According to IIA Standard 1130 – Impairment to Independence or Objectivity, the internal auditor's
objectivity is not impaired when the auditor recommends standards of control for systems or reviews
procedures before they are implemented. Designing, installing, and operating systems are not audit
functions. Also, the drafting of procedures for systems is not an audit function. Performing such
activities is presumed to impair audit objectivity. Internal auditors are not independent if they cannot
do their work objectively.
A.Incorrect. According to the IIA Standards, an internal auditor's objectivity would not be impaired
when performing such tasks as helping to identify and define control objectives. Identifying and
defining control objectives are necessary parts of any audit. The auditor's familiarity with the process
of documenting systems and integrating recommendations into systems of control would be helpful to
management in developing new systems. As long as the auditor's involvement did not cross over into
operating areas, which are the responsibility of management, the auditor's objectivity would not be
compromised.
B.Incorrect. According to the IIA Standards, testing for compliance with system development standards
would be a standard procedure for any system under development. Participation in this area would not
place the auditor in an operating capacity. Consequently, this would not impair the auditor's objectivity.
C.Incorrect. According to the IIA Standards, reviewing the adequacy of systems and programming
standards would be standard procedures in performing a review of systems under development.
Participation in this area would not place the auditor in an operating capacity. Consequently, this would
not impair the auditor's objectivity.
34.An internal audit department is currently undergoing its first external quality assurance
review since its formation three years ago. From interviews with a few of the staff auditors, the
review team is informed of certain auditor activities that occurred over the past year. Which of
the following activities could affect the quality assurance review team's evaluation of the
A.One internal auditor told the review team that during the payroll audit, the payroll manager
approached him. The manager indicated he was looking for an accountant to prepare his financial
statements for his part-time business. The internal auditor agreed to perform this work for a reduced fee
during nonwork hours.
B.During the audit of the company's construction of a building addition to the corporate office, the
Vice-President of Facilities Management gave the auditor a commemorative mug with the company's
logo. These mugs were distributed to all employees present at the groundbreaking ceremony.
C.After reviewing the installation of a data processing system, the auditor made recommendations on
standards of control. Three months after completing the audit, the auditee requested the auditor's
review of certain procedures for adequacy. The auditor agreed and performed this review.
D.An auditor's participation was requested on a task force to reduce the company's inventory losses
from theft and shrinkage. This is the first consulting assignment undertaken by the audit department.
The auditor's role is to advise the task force on appropriate control techniques.
According to IIA Standard 1130 – Impairment to Independence or Objectivity and IIA Standard 1312 –
External Assessments, internal auditors should be independent of the activities they audit. Accepting a
fee or gift from an auditee would impair the auditor's objectivity. As a result, the auditor might feel
obligated to render a more favorable result than would be warranted if the auditor maintained
professional objectivity.
B.Incorrect. According to the IIA Standards, the receipt of promotional items, such as pens, calendars,
or samples available to the general public that have minimal value, would not impair the auditor's
objectivity. Under these circumstances, it is unlikely that the receipt of these items would unduly
influence the auditor to render a more favorable opinion than warranted.
C.Incorrect. According to the IIA Standards, reviewing the installation of a data processing system
would not impair the auditor's objectivity. Reviewing and documenting systems are necessary parts of
auditing a system under development. As long as the auditor did not assume any operating
responsibilities (e.g., documenting operating procedures), the auditor's objectivity would not be
compromised.
D.Incorrect. According to the IIA Standards, participation in a task force and advising on control
techniques would not impair the auditor's objectivity. As long as the auditor refrained from performing
operating functions, such as designing or installing operating systems or drafting detailed control
procedures, the auditor's objectivity would not be compromised.
35.A medium-size publicly owned corporation operating in Country X has grown to a size that
the directors of the corporation believe warrants the establishment of an internal auditing
department. Country X has legislated internal auditing requirements for government-owned
companies. The company changed the corporate by-laws to reflect the establishment of the
internal auditing department. The directors decided that the chief audit executive (CAE) must be
a Certified Internal Auditor (CIA) and will report directly to the newly established audit
committee of the board of directors.
Which of the items discussed above will contribute the most to the new CAE's independence?
C.The fact that the CAE will report to the audit committee of the board of directors.
IIA Standard 1110 – Organizational Independence states that independence is achieved through
organizational status and objectivity. The auditor is reporting to the highest level possible.
A.Incorrect. The IIA Standards state that independence is achieved through organizational status and
objectivity, which are more directly related to the reporting level of the director.
B.Incorrect. The IIA Standards state that independence is achieved through organizational status and
objectivity. Independence is not ensured by regulations.
D.Incorrect. The IIA Standards state that independence is achieved through organizational status and
objectivity. A CIA designation will ensure a better auditor but does not guarantee independence.
36.An internal auditor reports directly to the board of directors. The auditor discovered a
material cash shortage. When questioned, the person responsible explained that the cash was
used to cover sizable medical expenses for a child and agreed to replace the funds. Because of the
corrective action, the internal auditor did not inform management. In this instance, the auditor:
The auditor reports directly to the board of directors and so has organizational independence (IIA
Standard 1110 – Organizational Independence; IIA Standard 1120 – Individual Objectivity).
B.The auditor reports directly to the board of directors and so has independence and therefore
objectivity.
C.Incorrect. The auditor has objectivity because he or she reports directly to the board of directors. The
auditor is, however, not exercising objectivity because he or she is trying to avoid conflict.
D.Incorrect. The auditor has organizational independence because he or she reports directly to the
board of directors (the highest level in the organization). The auditor has not exercised independence
because, although the auditor can render any opinion he or she wants, the auditor has lost objectivity by
adjusting the opinion.
A.Programmed checks.
B.Batch controls.
C.Implementation controls.
D.One-for-one checking.
Implementation controls are designed to ensure that only authorized program procedures are introduced
into the system (IIA Standard 2130—Control).
A.Incorrect. Programmed checks are used to check the potential accuracy of input data (e.g., a range
check).
B.Incorrect. Batch control is used to ensure the completeness and accuracy of input and update.
D.Incorrect. One-for-one checking is a technique used to check individual documents for accuracy and
completeness of data input or update.
C.Serve as the investigative arm of the audit committee of the board of directors.
D.Serve as an appraisal function to examine and evaluate activities as a service to the organization.
This alternative describes the basic role concept of internal auditing (IIA Standard
1110—Organizational Independence).
A.Incorrect. Reduction of external audit fees is a result of internal audit work but not a role.
B.Incorrect. This does not represent a complete description of the proper role.
C.Incorrect. This role is too limited for internal auditing. It also serves operations management and top
management.
39.In some cultures and organizations, managers insist that the internal auditing function is not
needed to provide a critical assessment of the organization's operations. A management attitude
such as this will most probably have an adverse effect on the internal auditing function's:
B.Effectiveness.
C.Performance appraisals.
In this type of situation, management is highly averse to analysis or possible criticism of its actions and
will inhibit the internal audit department's effectiveness (IIA Standard 1110—Organizational
Independence).
A.Incorrect. An operating budget variance report is a control device used to monitor actual
performance versus budget. Management foot-dragging could cause unfavorable variances, but
favorable variances could also occur if many audits were cut short due to scope impairments.
C.Incorrect. An unbiased evaluation of audit staff would not be affected by lack of cooperation on the
part of nonaudit management.
D.Incorrect. Policies and procedures of the internal audit function are developed by the internal audit
department and should not be affected by nonaudit management.
The internal auditing staff is made up of the director, two managers, and five staff auditors, all
with financial background. In the past, the primary focus of successful audit activities has been
the service branches and the six regional division headquarters, which support the branches.
These division headquarters are the primary targets for possible elimination. The support
functions, such as human resources, accounting, and purchasing, will be brought into the
national headquarters, and technology will be enhanced to enable and augment these operations.
Up to this point, internal auditing has reported to the chief operating officer. Due to the
significant changes, there has been some discussion as to changing this reporting relationship.
What would be the best reporting relationship for internal auditing?
Independence is less likely to be impaired if the internal auditing department reports to the board (IIA
Standard 1110—Organizational Independence).
A.Incorrect. Independence is impaired because the president is responsible for the areas to be audited.
C.Incorrect. Independence may be impaired in financial audits as well as audits of line functions.
D.Incorrect. Independence may be impaired for all audits of operational areas.
PART 1 DOMAIN 3
Question 1 of 38
A. Direct.
B. Indirect.
C. Not tested.
D. Not observed.
Proficiency is defined as the ability to apply knowledge to situations likely to be faced and to deal with
them without extensive recourse to technical research and assistance. There is a built-in and direct
relationship between a person's proficiency and competency. One needs to be fully proficient first to
become a fully competent person.
Question 2 of 38
Competency of a person is derived from a combination of that person's education and experience.
A. This choice is not applicable because it says informal knowledge and skills.
B. This choice is not applicable because the proportion of theory and practice is not proven.
D. This choice is not applicable because the proportion of theory and practice is not proven.
Question 3 of 38
Regarding competency levels, staff auditors belong to which of the following levels?
A. Entry level
B. Journeyman level
C. Functional level
D. Expert level
Answer (A) is Correct.
In the audit management hierarchy, staff auditors are at a low competency level, in their first jobs or in
new jobs with little or no work experience.
Question 4 of 38
Regarding competency levels, audit consultants belong to which of the following levels?
A. Entry level
B. Journeyman level
C. Functional level
D. Expert level
By definition, audit consultants are at a very high competency level and are supposed to be subject
matter experts.
Question 5 of 38
Regarding competency levels, audit supervisors belong to which of the following levels?
A. Entry level
B. Journeyman level
C. Functional level
D. Expert level
Question 6 of 38
Regarding competency levels, senior auditors belong to which of the following levels?
A. Entry level
B. Journeyman level
C. Functional level
D. Expert level
Senior auditors have more work experience than the staff auditors and are at a medium competency
level, which is the Journeyman level.
Question 7 of 38
Due professional care for internal auditors is derived from which of the following?
Due professional care refers to understanding the systematic and disciplined approach to internal
auditing, which is derived from an internal audit's policies and procedures manual (i.e., audit manual).
Core competencies are defined as the unique and collective capabilities (training and know-how) and
specific competencies (skills, experience, and education) that a company has and its competitors do not
have. Therefore, the internal audit management should perform the competency gap assessment every
year.
Question 9 of 38
Professional judgment does not mean eliminating all possible limitations or weaknesses associated with
a specific audit engagement but rather identifying, assessing, mitigating, and concluding on them.
Question 10 of 38
Attending audit-related professional seminars provides proficiency. It does not improve due professional
care.
Question 11 of 38
Due professional care is not exercised at all when internal auditors fail to follow up on repeated audit
findings.
Question 12 of 38
By definition, professional judgment includes exercising reasonable care and showing professional
skepticism.
Question 13 of 38
A. Absolute assurance.
B. Reasonable assurance.
C. Possible assurance.
D. Expected assurance.
Auditors must use professional judgment in planning and conducting the audit engagement and in
reporting the audit results. In doing so, auditors cannot provide absolute assurance because so many
things could go wrong.
B. Reasonable assurance can be provided, not absolute assurance. Reasonable assurance includes
acting diligently in accordance with applicable professional standards and ethical principles.
C. Possible assurance, similar to reasonable assurance, can be provided, not absolute assurance.
D. Expected assurance, similar to reasonable assurance, can be provided, not absolute assurance.
Question 14 of 38
Which of the following is the highest-ranked skill required at all levels of internal auditors?
A. Assertion skills
B. Career skills
C. Persuasion skills
D. Communication skills
Communication, whether it is written or oral, is ranked as the number 1 requirement at all levels of
internal auditors.
Question 15 of 38
Which of the following can help clear up major sources of conflict between internal auditors and their
audit clients?
Both assertion skills and listening skills help to clear up two major sources of conflict: errors and lack of
information.
Question 16 of 38
A. Collaboration skills
B. Communication skills
C. Critical thinking skills
D. Creativity skills
Audit teams and other types of teams need more collaboration skills because they work in cooperation
and coordination with each team member. In collaboration, face-to-face interaction is better than
person-to-machine interaction.
B. Communication skills are needed too but not as much as collaboration skills.
C. Critical thinking skills are needed too but not as much as collaboration skills.
D. Creativity skills are needed too but not as much as collaboration skills.
Question 17 of 38
Internal auditors ranging from staff auditor to audit director need most of which of the following
skills?
A. Technical skills
B. Business acumen skills
C. Social skills
D. Motivation skills
People who have business acumen skills possess knowledge of core business functions, such as
operations, marketing, and finance (functional skills); are committed to the company's mission and
vision; and are able to develop a grand strategy for the entire business and substrategies for each
business line; and more. Since internal auditors audit business functions and operations, they need
more business acumen skills.
Question 18 of 38
Internal auditors are often called on either to perform or to assist the external auditor in performing a
due diligence review. A due diligence review is:
This is a broad definition of due diligence reviews per IIA Standard 1210 – Proficiency.
A. Although the underwriter may use the reviews, the underwriter does not direct them.
According to the IIA Standards, the staff of a newly developed internal auditing department should
include:
A. The level of formal education will vary according to position requirements or departmental needs.
B. Some entry-level positions require less than two years' experience, which is one of the prerequisites
for many certification programs.
D. Some of the staff positions may not require previous audit experience.
20.The chief audit executive is concerned that a recently disclosed fraud was not uncovered during
the last audit of cash operations. A review of the working papers indicated that the fraudulent
transaction was not included in a properly designed statistical sample of transactions tested. Which
of the following applies to this situation?
A.Because cash operation is a high-risk area, 100% testing of transactions should have been performed.
B.The internal auditor acted with due professional care since an appropriate statistical sample of material
transactions was tested.
D.Extraordinary care is necessary in the performance of a cash operations audit, and the auditor should be
held responsible for the oversight.
It is the correct answer based on IIA Standard 1220 – Due Professional Care and IIA Standard 2320 –
Analysis and Evaluation, which state that the possibility of material irregularities or noncompliance
should be considered whenever the internal auditor undertakes an internal auditing assignment.
A.Incorrect. Due professional care requires the auditor to conduct examinations and verification to a
reasonable extent but does not require detailed audits of all transactions.
C.Incorrect. The internal auditor cannot give absolute assurance that noncompliance or irregularities do
not exist.
D.Incorrect. Due professional care implies reasonable care and competence, not infallibility or
extraordinary performance.
21.In the course of their work, internal auditors must be alert for fraud and other forms of
white-collar crime. The important characteristic that distinguishes fraud from other varieties of
white-collar crime is that:
A.Fraud encompasses an array of irregularities and illegal acts that involve intentional deception.
B.Unlike other white-collar crimes, fraud is always perpetrated against an outside party.
C.White-collar crime is usually perpetrated for the benefit of an organization, whereas fraud benefits an
individual.
It is the correct answer based on IIA Standard 1220 – Due Professional Care.
22.According to the IIA Standards, an internal auditor should possess proficiency in:
A.Management principles.
IIA Standard 1210 – Proficiency specifies that, in the area of applying internal auditing standards,
procedures, and techniques, an internal auditor should possess the ability to "apply knowledge to
situations likely to be encountered and to deal with them without extensive recourse to technical
research and assistance."
B.Incorrect. The Standards specify only an appreciation of the fundamentals of such subjects as
accounting, economics, and finance.
C.Incorrect. The Standards specify only an appreciation of the fundamentals of computerized information
systems.
23.The IIA Standards require an internal auditor to exercise due professional care in performing
internal audits. This includes:
A.Establishing direct communication between the director of internal auditing and the board of directors.
B.Evaluating established operating standards and determining whether those standards are acceptable and
are being met.
C.Accumulating sufficient evidence so that the auditor can give absolute assurance that irregularities do
not exist.
D.Establishing suitable criteria of education and experience for filling internal audit positions.
Standards include within the definition of due professional care the evaluation of operating standards for
acceptability and determining whether they are being met (IIA Standard 1220 – Due Professional Care).
A.Incorrect. Communication between the chief audit executive and the board of directors is part of the
Independence Standard, not the Due Professional Care Standard.
C.Incorrect. The amount of audit time and effort required to give absolute assurance that there are no
irregularities would be so great that the audit costs would exceed the benefits.
D.Incorrect. Criteria for filling internal audit positions relate to the Staffing Standard; they do not relate
directly to the performance of an audit.
24.According to the IIA Standards, internal auditors should possess the knowledge, skills, and
disciplines essential to the performance of internal auditing. This means that all internal auditors
should be proficient in applying:
B.Quantitative methods.
C.Management principles.
Auditors should have a proficiency in applying internal auditing standards (IIA Standard 1210 –
Proficiency).
25.Which of the following differs between assurance services and consulting services when
exercising due professional care?
B.Complexity of work.
C.Extent of work.
D.Materiality.
The Answer D is Correct.
Materiality is considered in assurance services and procedures but is not relevant to consulting services
(IIA Standard 1220 – Due Professional Care). The other three choices are the same in assurance services
and consulting services.
26.An auditor finds a situation where there is some suspicion, but no evidence, of potential
misstatement. The Due Professional Care Standard would be violated if the auditor:
A.Identified potential ways in which an error could occur and ranked the items for audit investigation.
B.Informed the audit manager of the suspicions and asked for advice on how to proceed.
C.Did not test for possible misstatement because the audit program had already been approved by audit
management.
D.Expanded the audit program, without the auditee's approval, to address the highest ranked ways in
which a misstatement may have occurred.
This would violate IIA Standards because the auditor has not acted on audit evidence that indicated that
the audit should be expanded (IIA Standard 1220 – Due Professional Care; IIA Standard 2320 – Analysis
and Evaluation).
D.Incorrect. The auditor does not need the auditee's approval to expand the audit test.
27.The IIA Standards require an auditor to have the knowledge, skills, and disciplines essential to
perform an internal audit. Which of the following correctly describes the level of knowledge or skill
required by the Standards? Auditors must have:
A.Proficiency in applying knowledge of auditing standards and procedures to specific situations without
extensive recourse to technical research and assistance.
C.An understanding of broad techniques used in supporting and developing audit findings and the ability
to research the proper audit procedures to be used in any audit situation.
D.A broad appreciation for accounting principles and techniques when auditing the financial records and
reports of the organization.
Proficiency in the application of the Standards is required (IIA Standard 1210 – Proficiency).
B.Incorrect. An appreciation of, not proficiency in, accounting and computerized information systems is
required.
D.Incorrect. Proficiency in, not a broad understanding of, accounting principles is required when auditing
financial records.
28.A professional engineer applied for a position in the internal auditing department of a
high-technology firm. The engineer became interested in the position after observing several internal
auditors while they were auditing the engineering department. The chief audit executive:
A.Should not hire the engineer because of the lack of knowledge of internal auditing standards.
B.May hire the engineer in spite of the lack of knowledge of internal auditing standards.
C.Should not hire the engineer because of the lack of knowledge of accounting and taxes.
D.May hire the engineer because of the knowledge of internal auditing gained in the previous position.
Internal auditing standards are required to be known by the department collectively. Individual internal
auditing staff members may, however, bring special skills to the department instead of specific knowledge
of internal auditing standards (IIA Standard 1210 – Proficiency).
A.Incorrect. Each new employee of an internal auditing department is not required to have knowledge of
internal auditing standards. It is required that the department collectively has this knowledge.
C.Incorrect. Each individual internal auditor is not required to have knowledge of accounting or taxes.
D.Incorrect. Whatever knowledge was acquired by observing is irrelevant to the skills necessary for
internal auditing.
29.According to the IIA Standards, internal auditors should possess all of the following except:
Internal auditors need only an appreciation of the broad nature and fundamentals of quantitative methods.
That does not suggest sufficient knowledge to teach the methods to others (IIA Standard 1210 –
Proficiency).
A.Incorrect. An internal auditor should possess a sound understanding of the nature of internal auditing,
including the Standards.
C.Incorrect. Internal auditors must possess the ability to communicate effectively; interpersonal skills are
an essential element of that ability.
30.While performing a construction audit, the auditor suspects that the structural steel used does
not conform to contract specifications. The internal auditing department does not have an engineer
on the staff. According to the IIA Standards, the appropriate course of action is to:
B.Ask a company or consulting engineer to determine whether the steel conforms to the contract
specifications.
IIA Standard 1210 – Proficiency requires the internal auditing department to collectively possess the
knowledge, skills, and disciplines necessary to carry out its audit responsibilities.
A. Incorrect. Dollar impact is only a part of the potential problem. The Standards on due professional care
and on sufficient knowledge, skills, and disciplines require further research.
C. Incorrect. Since the internal auditing department has no engineering expertise, there is no basis from
which to judge the accuracy of the superintendent's statements.
31. An internal auditing director is establishing the evaluation criteria for the selection of new
internal audit staff members. According to the IIA Standards, which of the following would be an
inappropriate item to list?
A. Incorrect. The Standards require only an appreciation of accounting unless the auditor is required to
work extensively with financial records and reports.
C. Incorrect. The Standards require knowledge beyond the ability to recognize deviations; thus a lesser
requirement would be acceptable.
32. “Due professional care implies reasonable care and competence, not infallibility or
extraordinary performance.” This statement makes which of the following unnecessary:
The IIA Standard 1220 – Due Professional Care does not require extensive and detailed audits of all
transactions.
33. The IIA Standards state that internal auditors are responsible for continuing their education in
order to maintain their proficiency. Which of the following is correct regarding the continuing
education requirements of the practicing internal auditor?
A. Internal auditors are required to obtain 40 hours of continuing professional development (CPD) each
year and a minimum of 120 hours over a three-year period.
B. Certified Internal Auditors have formal requirements that must be met in order to continue as a CIA.
C. Attendance, as an officer or committee member, at formal Institute of Internal Auditors meetings does
not meet the criterion of continuing professional development.
D. In-house programs meet continuing professional development requirements only if they have been
preapproved by the Institute of Internal Auditors.
In order to maintain the CIA designation, the CIA must commit to a formal program of continuing
professional development and report to the Certification Department of the IIA (IIA Standard 1230 –
Continuing Professional Development).
A. Incorrect. There are no formal hour requirements for internal auditors contained in the Standards. The
intent of the Standards is to ensure that internal auditors maintain their technical competence.
C. Incorrect. Attendance at professional meetings does meet the criterion of continuing education.
D. Incorrect. Prior approval by the IIA is not necessary for continuing professional development courses.
34. An auditor has uncovered facts that could be interpreted as indicating unlawful activity on the
part of an auditee. The auditor decides not to inform senior management of these facts since he
cannot prove that an irregularity occurred. The auditor, however, decides that if questions are
raised regarding the omitted facts, he will answer fully and truthfully. In taking this action, the
auditor:
A. Has not violated the Code of Ethics or the Standards because confidentiality takes precedence over all
other standards.
B. Has not violated the Code of Ethics or the Standards because the auditor is committed to answering all
questions fully and truthfully.
C. Has violated the Code of Ethics because unlawful acts should have been reported to the appropriate
regulatory agency to avoid potential "aiding and abetting" by the auditor.
D. Has violated the Standards because the auditor should inform the appropriate authorities in the
organization if fraud may be indicated.
Answer D is correct.
IIA Standard 1220 – Due Professional Care indicates that the auditor should inform the appropriate
authorities in the organization if there are sufficient indicators of the commission of a fraud.
C. Incorrect. The action does violate the Code of Ethics, but the auditor should report the unlawful
activities to the appropriate personnel within the organization, not to a regulatory agency.
35. Internal auditing is unique in that its scope often encompasses all areas of an organization. Thus,
it is not possible for each internal auditor to possess detailed competence in all areas that might be
audited. Which of the following competencies is required by the IIA Standards for every internal
auditor?
An understanding of management principles is required of all internal auditors (IIA Standard 1210 –
Proficiency).
A. Incorrect. Such skills should be included within the staff but are not required for each auditor.
B. Incorrect. Detailed knowledge of accounting is required only for those auditors who work extensively
with financial records and reports.
D. Incorrect. An appreciation of computerized information systems is required, but this is less expertise
than is needed for proficiency.
36. As a particular audit is being planned in a high-risk area, the chief audit executive (CAE)
determines that the available staff does not have the requisite skills to perform the assignment. The
best course of action consistent with audit planning standards would be to:
A. Not perform the audit, since the requisite skills are not available.
B. Use the audit as a training opportunity and let the auditors learn as the audit is performed.
C. Consider using external resources to supplement the needed knowledge, skills, and disciplines and
complete the assignment.
D. Perform the audit but limit the scope in light of the skill deficiency.
A. Incorrect. The CAE is responsible for staffing each assignment as needed to meet the audit
responsibilities.
B. Incorrect. Training is to be properly supervised, and the department does not have anyone with
knowledge in this area to provide supervision.
D. Incorrect. It is not the best course of action. If the requisite skills are not accessible through
supplementation, this might be necessary, but the resource constraint should be communicated to
management in an interim report.
37. As part of the process to improve auditor–auditee relations, it is very important to deal with how
internal auditing is perceived. Certain types of attitudes in the work performed will help create
these perceptions. From a management perspective, which attitude is likely to be the most
conducive to a positive perception?
A. Objective.
B. Investigative.
C. Interrogatory.
D. Consultative.
A. Incorrect. An objective attitude is desirable but by itself will not lead to a more positive relationship.
38. A service company is currently experiencing a significant downsizing and process reengineering.
Its board of directors has redefined the business goals and established initiatives using technology
developed in house to meet these goals. As a result, a more decentralized approach has been
adopted to run the business functions by empowering the business branch managers to make
decisions and perform functions traditionally done at a higher level.
The internal auditing staff is made up of the director, two managers, and five staff auditors, all with
financial background. In the past, the primary focus of successful audit activities has been the
service branches and the six regional division headquarters, which support the branches. These
division headquarters are the primary targets for possible elimination. The support functions, such
as human resources, accounting, and purchasing, will be brought into the national headquarters,
and technology will be enhanced to enable and augment these operations.
Branch managers view the internal auditing function as a watchdog for top management. What is
the best way for internal auditing to change this view to one that is more cooperative?
C. Incorrect. Participation and cooperation are paramount in trying to improve auditor–auditee relations,
especially in audits that require intense investigation.
PART 1 DOMAIN 4
Question 1 of 34
When selecting people to work in the internal audit department, the vetting process does not apply to
which of the following?
External assessors
Audit contractors
Guest auditors
Guest auditors are insiders, borrowed from nonaudit departments for temporary work in the audit
department, and they go back to their departments after completing their work in the audit
department. Hence, guest auditors do not need to undergo a vetting process because they already have
gone through an internal hiring and screening process.
A . External assessors are outsiders who are carefully screened, selected, and hired (vetted) for specific
audit work to ensure that they are qualified to do the work.
B . Audit contractors are outsiders who are carefully screened, selected, and hired (vetted) for specific
audit work to ensure that they are qualified to do the work.
D . External service providers are outsiders who are carefully screened, selected, and hired (vetted) for
specific audit work to ensure that they are qualified to do the work.
Question 2 of 34
Which of the following is the key performance indicator for an internal audit activity?
Similar to any other business function or activity, customer satisfaction is the key performance indicator,
and internal audit activity is no different. Audit clients are the customers of the internal audit activity,
and the more audit clients are satisfied, the better it is for the internal audit activity.
B . Audit recommendations may or may not be useful to audit clients.
Question 3 of 34
Which of the following provides assurance as the first line of defense over risks and exposures facing
an organization?
Internal auditors
Senior managers
Risk managers
Operations managers
Managers and employees working in operations departments or functions are responsible for providing
assurance as the first line of defense over risks and exposures. They work in a line function or front-line
operation.
A . Internal auditors act as risk evaluators and provide the third line of defense.
B . Senior managers act as executives and provide the second line of defense.
C . Risk managers act as a staff function and provide the second line of defense.
Question 4 of 34
A major drawback of an internal audit metric “Percentage of the internal audit plan completed” is
that it addresses:
Past risks.
Current risks
Future risks
Unique risks
A major drawback of the internal audit metric “Percentage of the internal audit plan completed” is that
it addresses past risks and does not address current, future, and unique risks. Past risks focus on looking
backward. Management cannot plan or react based on past risks as they become historical risks and are
used for reference and review purposes only.
B . Current risks may not be the same as past risks. The question reflects the past risks which could be
different from current risks. Current, future, and unique risks focus on looking forward while past risks
focus on looking backward. Unique risks are one-of-a-kind risks facing a specific business or an industry,
such as floods, fires, or volcanoes for an insurance company.
C . Future, current, and unique risks focus on looking forward while past risks focus on looking
backward. Unique risks are one-of-a-kind risks facing a specific business or an industry, such as floods,
fires, or volcanoes for an insurance company.
D . Unique, current, and future risks focus on looking forward while past risks focus on looking
backward. Unique risks are one-of-a-kind risks facing a specific business or an industry, such as floods,
fires, or volcanoes for an insurance company.
Question 5 of 34
Which of the following is not a contributing factor leading to internal audit failures?
Management gaps
Data gaps
Competency gaps
Communication gaps
Gaps are the differences between expected outcomes and actual outcomes. Data gaps identify problems
in data-quality attributes, such as accuracy, completeness, availability, timeliness, and usefulness of
data. As such, data gaps cannot contribute to internal audit failures.
A . Gaps are the differences between expected outcomes and actual outcomes. Management gaps
contribute to management's inability to plan, organize, direct (lead), or control business functions and
resources. Internal audit management gaps certainly contribute to internal audit failures.
C . Gaps are the differences between expected outcomes and actual outcomes. Competency gaps are
the differences between expected competencies in terms of knowledge, skills, and abilities (KSAs) and
actual KSAs. While management gaps can be traced to audit management only, competency gaps can be
traced equally to audit staff and audit management. Competency gaps can certainly lead to internal
audit failures.
D . Gaps are the differences between expected outcomes and actual outcomes. Communication gaps
result when the required communication is not delivered to the right parties at the right time.
Communication gaps can also occur when an internal audit activity's role, purpose, and scope are not
clearly communicated to company management. When combined with other gaps, communication gaps
can lead to internal audit failures.
Question 6 of 34
Which of the following is not a contributing factor to a false assurance coming from an internal audit
to others?
Measurement gaps
Communication gaps
Expectation gaps
Competency gaps
False assurance is a level of confidence or assurance based on perceptions or assumptions rather than
facts. False assurance has nothing to do with measurement gaps, which identify problems in measuring
something of importance (e.g., production counts, inventory counts, and claims counts).
B . Communication gaps contribute to false assurances and occur when an internal audit activity's role,
purpose, and scope are not clearly communicated to company management. Communication gaps also
result when the required communication is not delivered at the right time.
C . Expectation gaps contribute to false assurances and occur when company management has an
incorrect expectation of the internal audit function related to audit work results.
D . Competency gaps contribute to false assurances and occur when the auditor's actual competency
level is different from what the auditee's management requires or expects. Competency gaps are the
differences between the expected competencies in terms of knowledge, skills, and abilities (KSAs) and
actual KSAs.
Question 7 of 34
Which of the following is the common item causing overall risks to the internal audit function?
Management gaps
Competency gaps
Compliance gaps
Expectation gaps
A . Gaps are the differences between what is expected and what is real. When combined with
competency gaps and communication gaps, audit management gaps can lead to the risk of audit
failures, which are a category of overall risks to the internal audit function. Availability of day-to-day
guidance from internal audit management combined with compliance to professional audit standards
could reduce the risk of audit failures.
C . Gaps are the differences between what is expected and what is real. When combined with
competency gaps and audit brand gaps, compliance gaps can lead to audit reputation risk, which is a
category of overall risks to the internal audit function. Availability of day-to-day guidance from internal
audit management combined with compliance to professional audit standards could reduce the risk of
loss of reputation.
D . Gaps are the differences between what is expected and what is real. When combined with
competency gaps and communication gaps, expectation gaps can lead to the risk of audit false
assurance, which is a category of overall risks to the internal audit function. Availability of day-to-day
guidance from internal audit management combined with compliance to professional audit standards
could reduce the risk of audit's false assurance.
Question 8 of 34
Which of the following is not a leading practice to minimize the reputation risk of an internal audit
function?
Establishing an effective management review of audit findings is a leading practice in mitigating risks of
audit failures and does not itself minimize the reputation risk. This leading practice should make
company management review, accept, and own the audit findings.
A . Performing a risk assessment exercise is a part of leading practice to minimize the reputation risk of
an internal audit function.
B . Implementing a quality assurance program is a part of leading practice to minimize the reputation
risk of an internal audit function.
C . Protecting the internal audit brand is a part of leading practice to minimize the reputation risk of an
internal audit function.
Question 9 of 34
Which of the following will not help in identifying the overall risks to the internal audit function?
Barrier analysis
Root-cause analysis
Assurance maps
Risk maps
Barrier analysis, as it relates to the business activity of organizational change, identifies key
determinants (barriers) of human behavioral change in employees to help focus on their behaviors that
have not changed, despite management's repeated efforts to help them change. The four key
determinants of human behavior are self-efficacy, social norms, positive consequences, and negative
consequences. Hence, barrier analysis will not help in identifying the overall risks to the internal audit
function.
B . Root-cause analysis identifies the real reasons and specific situations leading to overall risks to the
internal audit function. Based on this analysis, changes can be made either in the internal audit process
or in the control environment of the organization or both. Hence, root-cause analysis will help in
identifying the overall risks to the internal audit function.
C . Assurance maps are organization-wide and coordinated exercises involving mapping assurance
coverage provided by multiple parties against the key risks facing the organization so that duplicate
efforts, missed risks, and potential gaps can be identified and monitored. Hence, assurance maps will
help in identifying overall risks to the internal audit function.
D . Risk maps involve profiling risk events to their sources (i.e., threats and vulnerabilities), determining
their impact levels (i.e., low, medium, or high), and evaluating the presence or lack of effective controls
to mitigate risks. Hence, risk maps will help in identifying overall risks to the internal audit function.
Question 10 of 34
The interpretation related to quality assurance given by the IIA Standards is that:
Quality assurance reviews can provide senior management and the audit committee with an assessment
of the internal auditing function.
Appropriate follow-up to an external review is the responsibility of the chief audit executive's immediate
supervisor.
The internal auditing department is primarily measured against the IIA Code of Ethics.
Continual supervision is limited to the planning, examination, evaluation report, and follow-up process.
It is the correct answer based on IIA Standard 1300 – Quality Assurance and Improvement Program.
B . Based on IIA Standard 2500 – Monitoring Progress, appropriate follow-up is the CAE's responsibility.
C . The key criterion should be an assessment of the department against the Attribute and Performance
Standards.
D . It also includes training, employee performance evaluations, time and expense control, and similar
administrative areas.
Question 11 of 34
Which of the following is not ordinarily an objective of a quality assurance review? To determine
compliance with:
It is the correct answer because this is not an objective of IIA Standard 1300 – Quality Assurance and
Improvement Program.
Question 12 of 34
Coordination of internal and external auditing can reduce the overall audit costs. According to the IIA
Standards, who is responsible for coordinating internal and external audit efforts?
Management.
IIA Standard 2050 – Coordination specifies that the chief audit executive is responsible for coordination.
Question 13 of 34
You have been asked to be a member of a peer review team. In assessing the independence of the
internal audit department being reviewed, you should consider all of the following factors except:
Access to and frequency of communications with the board of directors or its audit committee.
The criteria of education and experience considered necessary when filling vacant positions on the audit
staff.
The scope and depth of audit objectives for the audits included in the review.
These criteria are related to skill, not independence (IIA Standard 1311 – Internal Assessments).
C . The scope and depth of the audit objectives reflect on the department's independence.
Question 14 of 34
The scope of work in developing and maintaining a quality assurance and improvement program
(QAIP) includes which of the following processes?
I. Supervision
II. Internal assessment
III. Ongoing monitoring
IV. External assessment
I only.
I and II.
Question 15 of 34
In large or complex internal audit environments, which of the following administers and monitors the
activities needed for a successful quality assurance and improvement program (QAIP)?
In large or complex internal audit environments (e.g., numerous business units and/or locations), the
chief audit executive establishes a formal QAIP function—headed by an internal audit executive—
independent of the audit and consulting segments of the internal audit activity. This executive (and
limited staff) administers and monitors the activities needed for a successful QAIP (IIA Standard 1300 –
Quality Assurance and Improvement Program).
Question 16 of 34
Which of the following is not included in the ongoing and periodic assessment containing
measurements and analyses of performance metrics with respect to internal audit's quality assurance
and improvement program (QAIP)?
Customer satisfaction.
A QAIP is an ongoing and periodic assessment of the entire spectrum of audit and consulting work
performed by the internal audit activity. This periodic assessment includes ongoing measurements and
analyses of performance metrics (e.g., internal audit plan accomplishment, cycle time,
recommendations accepted, and customer satisfaction). Although an objective measure, money saved
from the audit work is not useful due to difficulties in quantifying savings and problems in agreement
with the auditees and organization's management (IIA Standard 1310 – Requirements of the Quality
Assurance and Improvement Program).
Question 17 of 34
The IIA Standards require the performance of periodic internal reviews by members of the internal
auditing staff. This function is designed to primarily serve the needs of:
Management.
Internal quality assurance reviews primarily serve the needs of the chief audit executive but can also
provide senior management and the board with an assessment of the internal auditing department. This
is specified in IIA Standard 1311 – Internal Assessments.
A . The audit committee is an indirect beneficiary by knowing the effectiveness of the overall internal
auditing function.
D . The audit staff also benefits (but is not a primary beneficiary) by having deficiencies addressed more
promptly.
Question 18 of 34
If the results of the assessment of the internal audit's quality assurance and improvement program
(QAIP) indicate areas for improvement, which of the following will implement such improvements?
Audit committee of the board.
External auditor.
A QAIP is an ongoing and periodic assessment of the entire spectrum of audit and consulting work
performed by the internal audit activity. If the assessment's results indicate areas for improvement by
the internal audit activity, the chief audit executive will implement the improvements through the QAIP
(IIA Standard 1310 – Requirements of the Quality Assurance and Improvement Program).
Question 19 of 34
All of the following stakeholders receive the results of internal and external quality program
assessment of internal audit's activity from the chief audit executive except:
Functional managers.
Senior managers.
Board of directors.
External auditor.
To provide accountability and transparency, the chief audit executive (CAE) communicates the results of
external and, as appropriate, internal quality program assessments to the various stakeholders of the
activity (such as senior management, the board, and external auditors). At least annually, the CAE
reports to senior management and the board on the quality program efforts and results. Functional
managers need not know these results because there are too many of them to distribute and because
the scope of the quality program affects the entire organization, not just their individual business
function (IIA Standard 1310 – Requirements of the Quality Assurance and Improvement Program).
Question 20 of 34
Which of the following is unique to the external assessment of an internal audit's activity when
compared to internal assessment?
Findings.
Conclusions.
Recommendations.
Overall opinion.
External assessments of an internal audit activity contain an expressed opinion as to the entire spectrum
of assurance and consulting work performed (or that should have been performed based on the internal
audit charter) by the internal audit activity, including its conformance with the definition of internal
auditing, the code of ethics, and the standards and, as appropriate, includes recommendations for
improvement. Findings, conclusions, and recommendations are common with the internal assessments
(IIA Standard 1312 – External Assessments).
Question 21 of 34
Which of the following is unique to the external assessment of an internal audit's activity when
compared to internal assessment?
Follow-up.
Findings.
Recommendations.
Receiving written responses from the chief audit executive (CAE) that include an action plan and
implementation dates is unique to the external assessments. Here the CAE assumes the auditee role and
the external assessor assumes the auditor role. The other three choices (i.e., follow-up, findings, and
recommendations) are common with the internal assessments (IIA Standard 1312 – External
Assessments).
Question 22 of 34
Which of the following facilitates and reduces the cost of the external assessment of an internal
audit's activity?
A periodic internal assessment performed within a short time before an external assessment.
A periodic internal assessment performed within a long time before an external assessment.
A periodic internal assessment performed within a short time after an external assessment.
A periodic internal assessment performed within a short time before an external assessment can serve
to facilitate and reduce the cost of the external assessment (IIA Standard 1311 – Internal Assessments).
Question 23 of 34
Which of the following is unique to ongoing internal assessment of an internal audit's activity?
Best practices.
Cost recoveries.
Benchmarking.
Expected deliverables.
The processes and tools used in ongoing internal assessments include project budgets, timekeeping
systems, audit plan completion, and cost recoveries, among others. Best practices and benchmarking
are common to both internal assessment and external assessments (IIA Standard 1311 – Internal
Assessments).
Question 24 of 34
Best practices.
Cost recoveries.
Benchmarking.
Expected deliverables.
The chief audit executive is to ensure the scope clearly states the expected deliverables of the external
assessment in each case. Best practices and benchmarking are common to both internal assessment and
external assessments. Cost recoveries are used in internal assessments (IIA Standard 1312 – External
Assessments).
Question 25 of 34
Which of the following is common between internal assessment and external assessment of an
internal audit's activity?
Audit Standards.
Audit charter.
Code of ethics.
Question 26 of 34
Regarding communication of results of the external assessment of an internal audit's activity, the
difference between “conformance” and “partial conformance” is specifically related to which of the
following?
Audit Standards.
Audit charter.
Code of ethics.
The external assessor communicates the results of external assessment with an opinion on the internal
audit activity's conformance with various items as part of the engagement scope. “Partial conformance”
deals with complying with individual Standards whereas “conformance” deals with complying with all
Standards (IIA Standard 1312 – External Assessments).
Question 27 of 34
The scope of external assessment of an internal audit's activity should not be limited to which of the
following?
Assurance services.
Consulting services.
Leading practices.
Quality assurance and improvement program.
External assessments cover the entire spectrum of audit and consulting work performed by the internal
audit activity and should not be limited to assessing its quality assurance and improvement program. To
achieve optimum benefits from an external assessment, the scope of work should include
benchmarking, identification, and reporting of leading practices that could assist the internal audit
activity in becoming more efficient and/or effective (IIA Standard 1312 – External Assessments).
Question 28 of 34
Which of the following can be used by an independent external reviewer when establishing the scope
of the external assessment of an internal audit's activity?
Percentage of quality assurance and improvement program (QAIP) implemented by the internal audit.
Internal auditors are required to do a full self-assessment of QAIP. If internal auditors did not do this full
assessment, it will send a red flag to the external assessors. Assessment of QAIP is common between
internal assessments and external assessments. The QAIP assesses the efficiency and effectiveness of
the internal audit's activity and identifies opportunities for improvement. Since the QAIP is a part of
internal audit Standards, its conformity is very important as it will decide the breadth and depth of the
external assessment's scope of work (IIA Standard 1311 – Internal Assessments; IIA Standard 1312 –
External Assessments).
A . This choice is targeted at the auditees and the internal audit management, which are routine tasks,
but do not focus on the big picture of the assessment of the internal audit's activity.
B . This choice is targeted at the auditees and the internal audit management, which are routine tasks,
but do not focus on the big picture of the assessment of the internal audit's activity.
C . This choice is targeted at the auditees and the internal audit management, which are routine tasks,
but do not focus on the big picture of the assessment of the internal audit's activity.
Question 29 of 34
A quality assurance program of an internal audit department provides reasonable assurance that
audit work conforms to applicable standards. Which of the following activities are designed to provide
feedback on the effectiveness of an audit department?
I. Proper supervision
II. Proper training
III. Internal reviews
IV. External reviews
The purpose of a quality assurance program is to evaluate the operations of the internal audit
department (IIA Standard 1300 – Quality Assurance and Improvement Program). The IIA Standard notes
that a program should include supervision, internal reviews, and external reviews.
A . Proper training is an important component of maintaining a current staff but does not provide
feedback.
B . Proper training is an important component of maintaining a current staff but does not provide
feedback.
D . Proper training is an important component of maintaining a current staff but does not provide
feedback.
Question 30 of 34
A quality assurance program of an internal audit department provides reasonable assurance that
audit work conforms to applicable standards. Which of the following activities are designed to provide
feedback on the effectiveness of an audit department?
I. Proper supervision.
II. Proper training
III. Internal reviews
IV. External reviews
The purpose of a quality assurance program is to evaluate the operations of the internal audit
department. The IIA Standards note that a program should include supervision, internal reviews, and
external reviews.
A . Proper training is an important component of maintaining a current staff but does not provide
feedback.
B . Proper training is an important component of maintaining a current staff but does not provide
feedback.
D . Proper training is an important component of maintaining a current staff but does not provide
feedback.
Question 31 of 34
A quality assurance program of an internal audit department provides reasonable assurance that
audit work conforms to applicable standards. Which of the following activities are designed to provide
feedback on the effectiveness of an audit department?
I. Proper supervision.
II. Proper training.
III. Internal reviews.
IV. External reviews.
The purpose of a quality assurance program is to evaluate the operations of the internal audit
department. The IIA Standards note that a program should include supervision, internal reviews, and
external reviews (IIA Standard 1300—Quality Assurance and Improvement Program).
A . Proper training is an important component of maintaining a current staff but does not provide
feedback.
B . Proper training is an important component of maintaining a current staff but does not provide
feedback.
D . Proper training is an important component of maintaining a current staff but does not provide
feedback.
Question 32 of 34
Upon being appointed, a new director of internal auditing found an inexperienced audit staff that was
over budget on most audits. A detailed review of audit working papers revealed no evidence of
progressive reviews by audit supervisors. Additionally, there was no evidence that a quality assurance
program existed.
To properly evaluate the operations of an internal auditing department, a quality assurance program
should include:
Internal reviews, by other than the internal audit staff, to appraise the quality of department operations.
External reviews at least once every five years by qualified persons who are independent of the
organization.
External reviews should be conducted at least once every five years (IIA Standard 1300—Quality
Assurance and Improvement Program).
A . Supervision should be carried out continually, not just on a periodic test basis.
B . Internal reviews should be conducted by internal auditors and should focus on specific audit projects.
Question 33 of 34
The peer review process can be performed internally or externally. A distinguishing feature of the
external review is its objective to:
The external review process will provide independent evaluation for management and the audit
committee (IIA Standard 1300—Quality Assurance and Improvement Program).
A . The internal peer review process will identify things that can be done better.
B . The internal review process will assess if audit activities meet professional standards.
C . The internal review process will set forth recommendations for improvement.
Question 34 of 34
Audit planning documents, particularly those submitted to senior management and the audit
committee.
The cost/benefit of internal auditing is neither easily quantifiable nor the subject of an external review
(IIA Standard 1300—Quality Assurance and Improvement Program).
A . This is included in the evaluation of the performance of an internal auditing department per the IIA
Standards.
B . This is included in the evaluation of the performance of an internal auditing department per the IIA
Standards.
D . This is included in the evaluation of the performance of an internal auditing department per the IIA
Standards.
PART-1 DOMAIN 5
1.Which of the following can help determine whether an organization's risk management
framework is current and complete?
A.Risk volatility
B.Risk discovery
C.Risk maturity
D.Risk agility
Risk maturity deals with whether an organization is using a proper risk management framework to
manage the organization's risks. It seeks to determine whether that framework is old or new, complete or
incomplete, mature or immature, fully implemented or partially implemented. Moreover, it asks
whether the current maturity fits with the current business.
A.Incorrect. Risk volatility means unexpected variations in risk outcomes with their associated severity
and unpredictability levels.
B.Incorrect. Risk discovery means determining how much of the risk universe is identified, unearthed,
or uncovered during a risk assessment exercise.
D.Incorrect. A business activity or function is said to be risk resilient or to possess risk agility when it
survives and sustains despite facing growing risks. Risk resilience means an activity is risk aware and
risk prepared.
2.A manager's or an investor's risk-on and risk-off concepts are related to which of the
following?
A.Incorrect. Risk agility and risk resilience are the same; they show how a firm can survive and sustain
despite growing risks it faces. This choice is not relevant.
B.Incorrect. Risk shifting and risk sharing deal with risk minimization.
C.Incorrect. Risk outcomes and risk severity deal with risk volatility.
3.Which of the following can help a corporation to identify its business assets with high-risk
concentrations?
A.Risk parity
B.Risk pyramid
C.Risk volatility
D.Risk matrix
The chief risk officer can develop a risk pyramid for a specific asset or a group of assets within his or
her own organization that identifies any assets with high risk concentrations. The pyramid will have
three sections: bottom (low risk), medium (medium risk), and top (high risk).
A.Incorrect. Risk parity is an investment portfolio allocation strategy using risk to determine how to
optimally diversify a portfolio of stocks and bonds among specified assets.
C.Incorrect. Risk volatility means unexpected variations in risk outcomes with their associated severity
and unpredictability levels.
D.Incorrect. A risk matrix is a tool for ranking and displaying risks with their maximum and minimum
values for consequences and likelihoods.
Upside risks are opportunities to benefit and downside risks are threats to success. The words
“strengths and opportunities” in SWOT are upside risks; the words “weaknesses and threats” in SWOT
are downside risks, which are called hybrid risks.
A.Marketing surveys
B.Economic analysis
C.Sales prospecting
D.Test marketing
Upside risks are opportunities to benefit, and downside risks are threats to success. Economic analysis
shows both good news and bad news at a point in time, meaning both upside and downside risks (i.e.,
hybrid risks).
6.Which of the following risk responses accepts increased risk to achieve increased performance?
A.Pursue
B.Accept
C.Share
D.Transfer
The “Pursue” response means management takes action that accepts increased risk to achieve increased
performance by adopting aggressive growth strategies (e.g., introducing new products and services and
expanding facilities and operations). This increased performance can result from a greater change in
organizational strategies, policies, procedures, practices, and programs.
B. The “Accept” response means no management action is taken to reduce the severity of the risk as
long as the accepted risk is within the risk appetite. This choice is not related to increased performance.
C.Incorrect. The “Share” response means management takes action to reduce the severity of the risk by
sharing a portion of the risk with others through outsourcing a service or buying an insurance policy.
Sharing and transferring are the same. This choice is not related to increased performance.
D.Incorrect. The “Transfer” response means management takes action to reduce the severity of the risk
by transferring a portion of the risk to others through outsourcing a service or buying an insurance
policy. Transferring and sharing are the same. This choice is not related to increased performance.
Threat analysis
Technological analysis
Environmental analysis
Upside risks are opportunities to benefit, and downside risks are threats to success. Threat analysis is a
downside risk.
B.Incorrect. Business continuity planning is a hybrid risk containing both upside and downside risks.
C.Incorrect. Technological analysis is a hybrid risk containing both upside and downside risks.
D.Incorrect. Environmental analysis is a hybrid risk containing both upside and downside risks.
8.Risk is not based on:
A.Probabilities.
B.Chances.
C.Certainties.
D.Likelihoods.
Risk is not based on certainties; a risk might occur or might not occur. Its occurrence is uncertain.
9.According to the IIA Standard 2100: Nature of Work, which of the following is a form of
self-insurance?
Captive insurance
Derivatives
Reinsurance
Co-insurance
Captive insurance is a form of self-insurance where a noninsurance firm is created for the purpose of
accepting the risk of the parent firm that owns an insurer.
B.Incorrect. Derivatives are financial instruments, such as future contracts, forward contracts, options,
and swaps.
C.Incorrect. Reinsurance is a financial arrangement between two insurers (primary and secondary)
where losses between the two insurers are shared based on the agreement.
D.Incorrect. Co-insurance is a type of insurance in which the insured (i.e., an eligible person with an
insurance policy) pays a share of the payment made against an insurance claim.
10.When planning a risk management audit, internal auditors focus primarily on which of the
following first?
Focusing first on the risk management framework is like separating trees from the forest, which gives a
big-picture perspective on the entire risk management program. The framework is the primary focus for
internal auditors.
Residual risks
Current risks
Unchanged risks
Strategic risks
Risk registers do not document risks at the strategic level (high level) because risk registers deal with
low-level risks, including operational-level and functional-level risks.
B.Incorrect. Risk registers document current risks and inherent risks (built-in risks).
C.Incorrect. Risk registers document unchanged risks, stubborn risks, or sticky risks.
Risk monitors.
Risk overseers.
Risk creators.
Risk evaluators
Risk creators are risk owners because, based on their risk appetite, they take more or less risk to run
their business function or operation.
A.Incorrect. Risk monitors are risk officers, compliance officers, ethics officers, and governance
officers.
B.Incorrect. Risk overseers are risk officers, compliance officers, ethics officers, and governance
officers.
D.Incorrect. Risk evaluators are internal auditors; they review risk levels and evaluate the impact of
those risk levels on their organization.
13.Regarding risk management, which of the following should be of least concern to a chief risk
officer (CRO) of an organization?
A.Risk immunity
C.Derisking efforts
D.Value-at-risk amounts
Risk immunity is of least concern to the CRO. It raises a question whether a particular business
function, activity, or operation is subject to risk, exposure, threat, or vulnerability. Two possible
outcomes can occur: immune to risk (risk resistant) or not immune to risk (risk prone). Note that no
business function is immune to risk.
B.Incorrect. Key risk indicators (KRIs) should be of great concern to CROs due to their higher
importance and visibility. KRIs are vital measurements of the relationship between risk and volatility.
C.Incorrect. Derisking is one of the greatest concerns of CROs. Derisking efforts are risk-lessening and
risk-modifying efforts that reduce the overall current level of risks to less than before.
D.Incorrect. Value-at-risk amounts are of great concern to CROs. Value-at-risk amounts are the
amounts of money at risk as calculated by the CRO and staff for an organization's major assets.
A.Mitigated risks.
B.Unmanaged risks.
C.Net risks.
D.Unaddressed risks.
16.Regarding a board's awareness of organizational culture, surveys found that board members
have the least understanding of culture at which of the following levels?
Board members have the least understanding of an organization's culture at the bottom level because
board members are far removed from frontline employees working in frontline functions or operations.
Usually board members do not visit frontline offices, retail stores, warehouses, distribution centers, or
factories; or they may visit only infrequently. In a way, board members are disconnected from the
frontline employees, thus they would not know or understand the culture of lower-level employees.
Surveys are one of the ways to obtain this understanding.
A.Usually board members have the most understanding of the tone at the top due to their higher-level
job functions working with senior managers.
B.Usually the board members have the most understanding of the culture at the top due to their
higher-level job functions working with senior managers.
C.Generally board members have a moderate understanding of the culture at the middle level because
of their intermittent connection with functional managers.
17.Which one of the following items considers all the other three items in concert?
A.Vulnerabilities
B.Threats
C.Risks
D.Controls
A.Uncovered risks.
B.Untreated risks.
C.Uncommitted risks.
D.Unknown risks.
Residual risks are risks that are known to both auditors and managers.
I. Residual value
B.III only
C.II and IV
D.III and IV
Residual risk and residual data are the most risky situations. Residual risk is leftover, unmanaged, or
unaddressed risk that still remains after all controls and mitigations are applied. It can be most risky if
it is big in size. Residual data is leftover data remaining on storage media after it is erased. Since
residual data can be recovered by hackers, additional disposal techniques should be applied to protect
the sensitive electronic data in storage. Until then, residual data can be most risky.
A.This choice is not relevant. Residual value is the estimated value at the end of a lease term on
leased equipment. There is little or no risk in residual value. Residual interests are financial assets of an
individual person or beneficiaries in a company that were created by a transfer that qualifies as a sale of
financial assets. There is little or no risk in residual interests.
A.Risk sharing
B.Incorporation
C.Risk transfer
D.Risk reduction
Incorporation is a legal term in use when an individual wants to register a business in a state to conduct
business. Organizations can also incorporate to do their business. Incorporation is a legal tool for
derisking.
A.Incorrect. Risk sharing involves spreading risks with other divisions of the same organization. This is
not a legal tool for derisking.
C.Incorrect. Risk transfer means pushing a potential risk from one party to another party. This is not a
legal tool for derisking.
D.Incorrect. Risk reduction is achieved through installing appropriate and timely controls that are
effective and efficient in operation. This is not a legal form of derisking.
A.Hold-harmless agreements
B.New contracts
C.Recontracting
D.Risk shifting
Risk shifting is risk transferring from one party to another, but the risk still remains. This is not a legal
tool for derisking.
A.Hold-harmless agreements mean risk is lessened (derisked) due to a previous agreement. This is a
legal tool for derisking.
B.Incorrect. New contracts can be drawn to reduce risks. This is a legal tool for derisking.
C.Incorrect. Existing contracts can be canceled and recontracted with modifications. This is a legal tool
for derisking.
A.Downsizing risks.
B.Postponing risks.
C.Ignoring risks
D.Eliminating risks
C.Ignoring risks does not decrease risks. Risks stay the same or increase.
23.Which of the following types of organization would have the highest amount of de-risking to
do?
A.Proprietorship
B.Partnership
C.Public corporation
D.Private corporation
A proprietorship poses a high risk because the owner is legally responsible for all risks. Hence,
the de-risking amount would be higher.
B.A partnership poses a low risk because partners share all risks.
C.A public corporation poses a low risk because a government shares all risks.
D.A private corporation poses a low risk because its shareholders share all risks.
A.Risk volatility.
B.Risk securitization
C.Risk diversification
D.Risk modification
Risk volatility increases risks due to unexpected variations in risk outcomes. It is not a good method of
derisking.
B.Risk securitization decreases risks and is a good method of derisking.
25.Which of the following is the best way to link de-risking opportunity to an organization's
structure?
Legal structure.
Capital structure
Tall structure
Flat structure
A legal structure such as incorporation provides derisking opportunities aligned with an organization's
structure. For example, a public corporation is less risky than a private corporation.
B.Incorrect. Capital structure refers to the amount of debt and equity in a corporation's balance sheet.
C.Incorrect. Tall structure refers to how many management levels exist in an organization.
D.Incorrect. Flat structure refers to how many management levels exist in an organization.
26.Which of the following is the most important element of corporate social responsibility?
A.Legal responsibilities
B.Sustainability responsibilities
C.Economic responsibilities
D.Ethical responsibilities
Sustainability responsibilities deal with issues related to environment, social, and governance affecting
an entire organization.
A.Incorrect. Legal responsibilities deal with knowing what legal or illegal actions are.
D.Incorrect. Ethical responsibilities deal with knowing what ethical or unethical actions are.
27.Which of the following deals with issues related to outside of a corporation's boundaries?
Governance audit
Control audit
Sustainability audit
A sustainability audit deals with issues outside a corporation's boundaries, such as environment, social,
and governance affecting an entire organization.
A.Incorrect. A governance audit deals with issues inside a corporation's boundaries, such as oversight,
fiduciary, and stewardship.
B.Incorrect. A risk management audit deals with issues inside a corporation's boundaries, such as risk
appetite and risk mitigation.
C.Incorrect. A control audit deals with issues inside a corporation's boundaries, such as control design,
development, and implementation.
28.From an internal auditing viewpoint, which of the following is referred to when the board
members and senior managers are focusing on improving environmental, social, and governance
issues?
A.Environmental audit
B.Social audit
C.Governance audit
D.Sustainability audit
Answer (D) is Correct.
A sustainability audit addresses the full scope of environmental, social, and governance issues.
A.Incorrect. An environmental audit addresses a partial scope of the full sustainability audit.
B.Incorrect. A social audit addresses a partial scope of the full sustainability audit.
C.Incorrect. A governance audit addresses a partial scope of the full sustainability audit.
A.Environmental risks
B.Standard risks
C.Social risks
D.Governance risks
An insurance company can label a person as a standard risk saying that she is insurable at a standard
rate. Risk management will address standard risks, not shareholders, because they are not interested in
standard risks.
A.Incorrect. Shareholders are interested in investing to address environmental risks because that is one
of their stated investment goals.
C.Incorrect. Shareholders are interested in investing to address social risks because that is one of their
stated investment goals.
D.Incorrect. Shareholders are interested in investing to address the governance risks because that is one
of their stated investment goals.
30.Conducting a SWOT (strengths, weaknesses, opportunities, and threats) analysis is
an example of which of the following types of risks?
A.Upside risks
B.Downside risks
C.Hybrid risks
D.Wrong-way risks
Upside risks are opportunities to benefit, and downside risks are threats to success. SWOT analysis
deals with both upside risks (i.e., strengths and opportunities) and downside risks (i.e., weaknesses and
threats). Hence, it represents hybrid risks.
A.Incorrect. SWOT analysis deals with upside risks (i.e., strengths and opportunities). Upside risks are
opportunities to benefit, and downside risks are threats to success.
B.Incorrect. SWOT analysis deals with downside risks (i.e., weaknesses and threats). Upside risks are
opportunities to benefit, and downside risks are threats to success.
D.Incorrect. Wrong-way risk occurs when an entity's exposure to risk is positively correlated with the
entity's probability of loss.
31.In risk management, expenditures on research and development projects are examples of
which of the following?
A.Upside risk
B.Downside risk
C.Cross risk
D.Add-on risk
Spending money on research and development (R&D) projects is a strength and opportunity, leading to
an upside risk. This is the major goal of R&D projects. Upside risks are opportunities to benefit, and
downside risks are threats to success.
B.Incorrect. Downside risk refers to weaknesses and threats. Some R&D projects can lead to downside
risks. Upside risks are opportunities to benefit, and downside risks are threats to success.
C.Incorrect. Cross risk falls between upside and downside risk.
D.Incorrect. Add-on risk is additional risk incurred from selling a new product or service.
B.Downside risk
C.Cross risk
D.Add-on risk
Downside risks are negative things happening to organizations. Vulnerabilities are negative things
because they lead to threats, which, in turn, lead to risks. Upside risks are opportunities to benefit, and
downside risks are threats to success.
A.Incorrect. Upside risks are positive things happening to organizations. Vulnerabilities are negative
things. Upside risks are opportunities to benefit, and downside risks are threats to success.
C.Incorrect. Cross risk falls between upside and downside risk.
D.Incorrect. Add-on risk is additional risk incurred from selling a new product or service.
33.Relatively speaking, which of the following should be a major concern for internal auditors?
Governance risk indicators should be a major concern to internal auditors because these risk
indicators affect the entire organization as they show the board of directors’ effectiveness or
ineffectiveness in performing their oversight functions and fulfilling their fiduciary duties. Audit risk
indicators become a part of governance risk indicators.
A.Incorrect. Audit risk indicators are audit failures, audit false assurances, and audit reputation risk.
Although these represent major concerns to internal auditors, they become minor concerns in relation
to the governance risk indicators.
B.Incorrect. Risk management risk indicators are risk and volatility. They should be a major concern
for the chief risk officer.
C.Incorrect. Finance risk indicators are insufficient cash to pay debts as they come due, low earnings
per share, low price for a company's stock, and declining sales and profits. They should be a major
concern for the chief financial officer.
A.Board of directors
B.Shareholders
C.Finance committee
D.Compensation committee
Shareholders and investors are voicing their concerns about excessive executive compensation through
the say-on-pay theme via the proxy process. The goal is to influence, modify, and decrease executives’
total compensation packages.
A.Incorrect. The choice is not relevant because the board of directors may not want to control
executive compensation or become members of the say-on-pay theme.
C.Incorrect. The choice is not relevant because the finance committee may not want to control
executive compensation or become members of the say-on-pay theme.
D.Incorrect. The choice is not relevant because the compensation committee may not want to control
executive compensation or become members of the say-on-pay theme.
A.Vulnerabilities
B.Threats
C.Risks
D.Controls
Question 36
A better way of determining whether the board of directors or audit committee members are
independent of management is which of the following?
Even though all four choices indicate independence of directors and audit committee members
from management to some extent, the real indication is their ability to ask difficult and probing
questions of management (i.e., a hard factor). This is in contrast to asking easy and superficial
questions and rubber-stamping everything management says and does (i.e., a soft factor).
Indicative factors include the board or audit committee's independence from management,
experience and stature of its members, extent of its involvement and scrutiny of activities, and
appropriateness of its actions. Another factor is the degree to which difficult questions are raised and
pursued with management regarding plans or performance levels. Interaction of the board or audit
committee with internal and external auditors is another factor affecting the control environment.
A . This choice alone cannot indicate the independence of the directors or the audit committee from
management as this choice reflects a soft factor. A hard factor is needed.
B . This choice alone cannot indicate the independence of the directors or the audit committee from
management as this choice reflects a soft factor. A hard factor is needed.
D . This choice alone cannot indicate the independence of the directors or the audit committee from
management as this choice reflects a soft factor. A hard factor is needed.
Question 37
A control weakness is said to exist when the audit committee of the board consists of which of the
following?
The audit committee of the board should be independent of management. It is a control weakness
when the audit committee of the board consists of the CEO, the chief financial officer, and a major
stockholder. A retired CEO of the same company can be assumed to be independent of the company
because he or she has no stake in the company. A major stockholder is not independent of the
company because he or she has a stake in the company.
Question 38
The chief risk officer of an organization has compiled the following data on four major assets with
their associated probability of ruin.
a) Asset 1
b) Asset 2
c) Asset 3
d) Asset 4
The probability of ruin is the likelihood of liabilities exceeding assets of an organization for a given
time period. This means that an asset with the highest probability of ruin is exposed to the greatest
value at risk (VAR; i.e., an asset's value is reduced). The VAR is equal to 100 minus the probability of
ruin. For Asset 1, the VAR is 99.00 (i.e., 100 – 1.00), which is the lowest asset value.
B . The probability of ruin is the likelihood of liabilities exceeding assets of an organization for a given
time period. This means that an asset with the highest probability of ruin is exposed to the greatest
value at risk (VAR; i.e., an asset's value is reduced). The VAR is equal to 100 minus the probability of
ruin. For Asset 2, the VAR is 99.75 (i.e., 100 – 0.25), which is not the lowest asset value.
C . The probability of ruin is the likelihood of liabilities exceeding assets of an organization for a given
time period. This means that an asset with the highest probability of ruin is exposed to the greatest
value at risk (VAR; i.e., an asset's value is reduced). The VAR is equal to 100 minus the probability of
ruin. For Asset 3, the VAR is 99.25 (i.e., 100 – 0.75), which is not the lowest asset value.
D . The probability of ruin is the likelihood of liabilities exceeding assets of an organization for a given
time period. This means that an asset with the highest probability of ruin is exposed to the greatest
value at risk (VAR; i.e., an asset's value is reduced). The VAR is equal to 100 minus the probability of
ruin. For Asset 4, the VAR is 99.50 (i.e., 100 – 0.50), which is not the lowest asset value.
Question 39
Which of the following statements is not true about risk registers and risk profiles?
This choice is not a true statement because both risk registers and risk profiles change over a time
period due to changes in business conditions.
A . Risk profiles do provide a mechanism for prioritizing risk treatment efforts based on ratings given
to each risk category.
C . Risk registers do show current risks comprised of residual risks (i.e., accepted risks) and risks
planned to be eliminated or mitigated.
D . Risk ownership is derived from risk profiles where each risk type has an owner and a champion for
responsibility and accountability purposes.
Question 40
Risk mitigation.
Risk transfer.
Risk avoidance.
Risk acceptance.
Residual risk means risk acceptance or risk retention. It is a deliberate action taken by senior or
functional (operational) management to accept the remaining risk (i.e., residual risk). Whether to
accept the residual risk really depends on the potential impact of the risk to the delivery of critical
services to customers or clients.
A . Organizations may choose to handle risk in different ways, as, for example, mitigating the risk with
controls.
B . Organizations may choose to handle risk in different ways, as, for example, transferring the risk to
an insurance company by purchasing an insurance policy.
C . Organizations may choose to handle risk in different ways, as, for example, avoiding risk with
controls or with risk-lessening methods.
Question 41
I. Risk pursuance
II. Risk acceptance
III. Risk sharing
IV. Risk transferring
I only
II only
I and II
III and IV
Risk pursuance and risk acceptance increase the residual risk. Risk pursuance seeks increased
performance. When that performance does not materialize, residual risk can increase. By definition,
risk acceptance means residual risk, and the two move in the same direction.
D . Risk sharing and risk transferring reduce the residual risk. Sharing and transferring the risk to
others reduce residual risk.
Question 42
Which of the following risk responses can bring new risks to an organization?
Avoid
Share
Transfer
Shift
Avoiding risks means removing the risk, which, in turn, means forgoing business opportunities, such
as entering into new markets with new products and services and expanding facilities and operations.
Risk avoidance increases lost business opportunities in sales, revenues, and profits, thus introducing
new risks to an organization.
B . Sharing risks reduces the risks to an organization by sharing those risks with others.
Question 43
A production manager of a manufacturing company has submitted a funding request for a capital
investment project to purchase new machinery in the plant with associated cost savings and
increased productivity. The total cost of the new machinery including its installation exceeds the
capital budget amount and the company's risk appetite level. Which of the following should
approve the funding request for this investment project?
A senior manager
This capital investment project can increase overall risks to the company if the new machinery does
not work as expected. Before accepting a major risk that is outside the company's risk appetite level,
the production manager needs to obtain approval from the board of directors and no one else.
A . A senior manager is not the right person to approve this capital investment project because the
risk is higher than this person's approval authority.
B . The chief executive officer is not the right person to approve this capital investment project
because the risk is higher than the CEO's approval authority.
D . The chief financial officer is not the right person to approve this capital investment project
because the risk is higher than the CFO's approval authority.
Question 44
I. Insurance policy
II. Hedging
III. Outsourcing
IV. Risk sharing
I only
I and III
III only
A . An insurance policy is a partial answer; it reduces the severity of a risk because it covers some risk.
B . Hedging is a partial answer, and it reduces the severity of a risk. Hedging is taking a position
opposite to the exposure or risk (e.g., financial derivatives, future and forward contracts, options, and
swaps).
C . Outsourcing is a partial answer, and it reduces the severity of a risk. Outsourcing includes
contracting with outsiders to acquire services and products (e.g., suppliers and manufacturers).
Question 45
A management director
A guest director
A visiting director
A loaned director
A management director is a member of the board of directors of an organization who also holds
management responsibilities within the organization. Hence, a management director is not an
independent director because of his or her dual responsibilities as a board member and as a
management person. Therefore, a management director represents a major risk to a corporation.
B . A guest director represents a minor risk to a corporation due to his or her limited time on the job.
C . A visiting director represents a minor risk to a corporation due to his or her limited time on the job.
D . A loaned director represents a minor risk to a corporation due to his or her limited time on the job.
Question 46
Which of the following is an uncommon attribute of the board of directors and the internal
auditors?
Experience
Independence
Objectivity
Reputation
The experience attribute between the board of directors and the internal auditors is very uncommon
and very different due to the nature of their jobs.
B . The independence attribute is very common because both directors and auditors care much about
their independence in mind and in appearance.
C . The objectivity attribute is very common because both directors and auditors care much about
their objectivity in thinking and doing.
D . The reputation attribute is very common because both directors and auditors care much about
their personal and professional reputation in the eyes of others.
Question 47
Which of the following scenarios of a publicly held corporation's board of directors creates a minor
risk?
An interlocking director is one working on several other company boards, thus representing a
conflict-of-interest situation. This choice poses a minor risk compared to the other three choices.
B . A majority shareholder has a big stake in the company and would try to influence the market price
of the company's stock for her own financial benefit. This choice poses a major risk.
C . When the chief executive officer (CEO) is also the chairperson of the board, the CEO loses
independence and objectivity, and there is no separation of power between the CEO and the board.
This choice poses a major risk.
D . When the chief audit executive (CAE) is also the chairperson of the audit committee, the CAE loses
independence and objectivity, and there is no separation of power between the CAE and the audit
committee. This choice poses a major risk.
Question 48
Corporate attorneys
Corporate accountants
Corporate management
External auditors
A . Corporate attorneys are gatekeepers of a corporation. Gatekeepers are in a way police officers
who prevent corporate management wrongdoing, such as manipulating earnings (earnings
management), financial restatements and misstatements, capitalizing expenses, deferring or
misclassifying expenses, hiding liabilities, engaging in off-balance sheet transactions, and involvement
in other types of financial fraud to increase stock market price and to receive big bonuses by
corporate management. Gatekeepers watch management for actions or inactions and intervene
when necessary with advice to protect them.
B . Corporate accountants are gatekeepers of a corporation. Gatekeepers are in a way police officers
who prevent corporate management wrongdoing, such as manipulating earnings (earnings
management), financial restatements and misstatements, capitalizing expenses, deferring or
misclassifying expenses, hiding liabilities, engaging in off-balance sheet transactions, and involvement
in other types of financial fraud to increase stock market price and to receive big bonuses by
corporate management. Gatekeepers watch management for actions or inactions and intervene
when necessary with advice to protect them.
D . External auditors are gatekeepers of a corporation. Gatekeepers are in a way police officers who
prevent corporate management wrongdoing, such as manipulating earnings (earnings management),
financial restatements and misstatements, capitalizing expenses, deferring or misclassifying expenses,
hiding liabilities, engaging in off-balance sheet transactions, and involvement in other types of
financial fraud to increase stock market price and to receive big bonuses by corporate management.
Gatekeepers watch management for actions or inactions and intervene when necessary with advice
to protect them.
Question 49
Which of the following scenarios can pose little or no risk to a publicly-held corporation?
Onboarding poses little or no risk to a corporation. An onboarding program for the first-time
directors and new directors is an educational and training program with the essential information
needed to understand a company and start contributing value to the company. It is an orientation
program.
A . Over-boarding poses a risk to a corporation. Over-boarding refers to the board of directors where
a board member provides simultaneous service on too many other companies' boards that can
interfere with a director's ability to satisfy her responsibilities and the ability to serve any one board
effectively as a director. The same thing applies to the audit committee members and senior
management. Major concerns include constrained time and limited commitment.
C . Over-boarding poses a risk to a corporation. Over-boarding refers to the board of directors where
a board member provides simultaneous service on too many other companies' boards that can
interfere with a director's ability to satisfy her responsibilities and the ability to serve any one board
effectively as a director. The same thing applies to the audit committee members and senior
management. Major concerns include constrained time and limited commitment.
D . Over-boarding poses a risk to a corporation. Over-boarding refers to the board of directors where
a board member provides simultaneous service on too many other companies' boards that can
interfere with a director's ability to satisfy her responsibilities and the ability to serve any one board
effectively as a director. The same thing applies to the audit committee members and senior
management. Major concerns include constrained time and limited commitment.
Question 50
Which of the following paired items have a direct relationship with each other?
Risk appetite and value-at-risk have a direct relationship with each other. As the risk appetite
increases, the value-at-risk increases.
A . Sampling errors and confidence level have an inverse relationship with each other. Sampling error
is (1 minus confidence level), meaning as the sampling error increases, the confidence level
decreases.
C . Sampling risk and reliability level have an inverse relationship with each other. Sampling risk is (1
minus reliability level), meaning as the sampling risk increases, the reliability level decreases.
D . Audit risk and audit assurance have an inverse relationship with each other. As the audit risk
increases, the audit assurance decreases.
Question 51
Which of the following paired items have an inverse relationship with each other?
A . Audit reliance and audit assurance have a direct relationship with each other. As the audit reliance
increases, the audit assurance increases.
B . Risk and return have a direct relationship with each other. As the risk increases, the return
increases.
D . Risk agility and risk resiliency have a direct relationship with each other. As the risk agility
increases, the risk resiliency increases.
Question 52
Which of the following paired items have a direct relationship with each other?
Time-to-contain and cost of data breach have a direct relationship with each other. As the
time-to-contain a data breach increases, the cost of data breach increases.
A . De-risking and residual risk have an inverse relationship with each other. As the de-risking
increases, the residual risk decreases.
B . Sample size and sampling risk have an inverse relationship with each other. As the sample size
increases, the sampling risk decreases.
C . Probability of ruin and value of an asset have an inverse relationship with each other. As the
probability of ruin increases, the value of an asset decreases.
Question 53
Which of the following paired items have an inverse relationship with each other?
Click fraud rate and click-to-conversion time have an inverse relationship with each other. As the click
fraud rate increases, the click-to-conversion time decreases.
B . Risk universe and audit universe have a direct relationship with each other. As the risk universe
increases, the audit universe increases.
C . Competence and judgment have a direct relationship with each other. As the competence
increases, the judgment increases.
D . Proficiency and competence have a direct relationship with each other. As the proficiency
increases, the competence increases.
Question 54
Which of the following paired items have a direct relationship with each other?
Production volume and production costs have a direct relationship with each other. As the production
volume increases, the associated production costs would also increase.
B . Audit risk scores and audit cycle frequency have an inverse relationship with each other. As the
audit risk scores increase, the audit cycle frequency gets decreased (i.e., shorter time intervals
between audits to address higher risk areas).
C . Tolerable error and sample size have an inverse relationship with each other. The lower the
tolerance for error, the larger the number of items that needs to be selected in a sample (i.e., need a
larger sample size).
D . Precision limits and sample size have an inverse relationship with each other. The smaller the
precision limits, the larger the size of the sample selected.
Question 55
The cost of not protecting information is the best way to quantify the information value at risk
because it will indicate what the consequences would be if the information is not protected at all.
Examples of these consequences are greater vulnerability to threats and attacks and increased
damages resulting from such attacks. These damages could be financial, physical (buildings,
equipment, and inventory), non-physical (e.g., loss of intellectual property), and human (death
resulting from wrongly prescribed and dispensed medication based on incorrect medical records).
A . The cost of using information is not relevant here because it does not matter whether the
protected information is used or not. Protection is more important than use.
B . The cost of protecting information is important and can be calculated from adding up all the costs
incurred to acquire and install hardware and software and the costs to hire staff. The cost of
information protection, which represents one side of a coin, can become a routine and mechanical
exercise and can become a discretionary spending amount. To get a big-picture perspective, the cost
of protecting information should be compared with the cost of not protecting information, which is
the other side of the coin.
C . The cost of not using information is not relevant because it does not matter whether the protected
information is used or not.
Question 56
The charter of a newly formed internal auditing department contains the following statement: “The
organizational status of the internal auditing department will be sufficient to permit the
accomplishment of its audit responsibilities.” Select the best reporting lines from the following
relationships, which would promote the accomplishment of the intended organizational status.
Solid line to:
Direct reporting to top executive and dotted line reporting to board is called dual reporting (IIA
Standard 1110 – Organizational Independence).
Question 57
According to the IIA Standards, the purpose of an internal auditor's review for effectiveness of the
system of internal control is to ascertain if:
IIA Standard 2130 – Control states that effectiveness of the system of internal control is to ascertain
whether the system is functioning as intended.
B . It defines the purpose of the review for adequacy of the system of internal control.
Question 58
According to the IIA Standards, the role of internal auditing in the investigation of fraud includes all
of the following except:
Assessing the probable level and extent of complicity in the fraud within the organization.
Designing the procedures to follow in attempting to identify the perpetrators, extent of the fraud,
techniques used, and cause of the fraud.
Coordinating activities with management personnel, legal counsel, and other appropriate specialists
throughout the investigation.
Internal auditors normally are not trained in the interrogation of suspected perpetrators and
therefore should leave such activity to security or law enforcement specialists (IIA Standard 1220 –
Due Professional Care; IIA Standard 2210 – Engagement Objectives).
A . This can be critical to ensuring that internal auditors avoid providing information to or obtaining
misleading information from persons who may be involved.
B . This is a responsibility assigned by the Standards and will be useful when determining what
controls to recommend preventing future occurrences of similar fraud.
C . This is a responsibility assigned by the Standards and will tend to ensure a complete and thorough
investigation.
Question 59
According to the IIA Standards, internal auditors should review the means of physically
safeguarding assets from losses arising from:
A . Misapplication of accounting principles relates to the reliability of information and not physical
safeguards.
Question 60
As an internal auditor for a multinational chemical company, you have been assigned to perform an
operational audit at a local plant. This plant is similar in age, sizing, and construction to two other
company plants that have been recently cited for discharge of hazardous wastes. In addition, you
are aware that chemicals manufactured at the plant release toxic by‑products.
You are responsible for ensuring compliance with company policies and procedures.
Operational audits do not require a determination of compliance with laws and regulations.
You are required by the Standards to determine compliance with laws and regulations.
Determination of compliance is required by IIA Standard 2120 – Risk Management and IIA Standard
2130 – Control.
B . The Standards specify compliance with all laws and regulations having a significant impact.
Question 61
Management has planned and organized in a manner that provides reasonable assurance that the
organization's objectives will be achieved efficiently and effectively.
Management has exercised due professional care in the design of operating and functional systems.
Operating and functional systems are designed, installed, and implemented in compliance with law.
Management has designed, installed, and implemented efficient operating and functional systems.
Answer (A) is Correct.
The purpose of the review for adequacy of the system of internal control is to ascertain whether the
system established provides reasonable assurance that the organization's objectives and goals will
benefit efficiently and effectively (IIA Standard 2130 – Control).
B . Due professional care of the design of a system does not necessarily provide adequate control.
C . Compliance with law and policy is just one aspect of the scope of activity covered by controls.
Question 62
A company's management accountants prepared a set of reports for top management. These
reports detail the funds expended and the expenses incurred by each department for the current
reporting period. The function of internal auditing would be to:
Review the expenditure items and match each item with the expenses incurred.
Internal auditors are responsible for identifying inadequate controls, for appraising managerial
effectiveness, and for pinpointing common risks (IIA Standard 2130 – Control).
A . The Standards do not require internal auditors to be omniscient or to be ensurers against any and
all noncompliance of reporting procedures.
B . There is no expected match of funds flows with expense items in a single time period.
Question 63
During the year-end physical inventory process, the auditor observed over $1.2 million worth of
items staged in the shipping area and marked "Sold—Do Not Inventory." The customer had been on
credit hold for three months because of bankruptcy proceedings, but the sales manager had
ordered the shipping supervisor to treat the inventory as sold for physical inventory purposes. The
auditor noted the terms of sale were "FOB Warehouse." After confirming no change in corporate
policy, the auditor should:
Recommend that the inventory staged in the shipping area be counted and included along with the
rest of the physical inventory results.
Make test counts and trace the results to appropriate records to ensure that the cost is properly
relieved from inventory.
Follow up with appropriate procedures to ensure that the inventory staged in the shipping area
appears on related invoicing documentation.
Request copies of the signed bills of lading to include with working papers for this physical inventory.
Given these circumstances, excluding the inventory from the physical count would inflate revenues
and profitability for the current period. The physical inventory process is a periodic control to ensure
that sales-related controls are effective (IIA Standard 2120 – Risk Management; IIA Standard 2130 –
Control).
B . The inventory has not been sold and transacted according to established procedures.
C . The inventory has not been sold and transacted according to established procedures.
D . The inventory has not been sold and transacted according to established procedures.
Question 64
All of the following provide effective relationship in the organization's governance framework
except:
Organizational processes.
Governance.
Risk management.
Internal controls.
Governance does not exist as a set of distinct and separate organizational processes and structures.
Rather, there are effective relationships among governance, risk management, and internal controls
(IIA Standard 2110 – Governance).
Question 65
Which of the following internal audit assessments belong to specific governance processes?
Whistleblower process.
Fraud risks.
Internal audit assessments regarding governance processes are likely to be based on information
obtained from numerous audit assignments over time. The internal auditor should consider (1) the
results of audits of specific governance processes (e.g., the whistleblower process, the strategy
management process) and (2) governance issues arising from audits that are not specifically focused
on governance (e.g., audits of the risk management process, internal control over financial reporting,
and fraud risks) (IIA Standard 2110 – Governance).
Question 66
Internal auditors' failure to do the right audits, failure to test the real risks, and failure to use the
right controls can lead to which of the following?
Business risk.
Audit failures.
Every organization will experience control breakdowns, some resulting in audit failures. The internal
audit activity could be a contributing factor due to (1) lack of an effective risk assessment process to
identify key audit areas during the strategic risk assessment as well as areas of high risk during the
planning of individual audits—as a result, failure to do the right audits and/or time wasted on the
wrong audits and (2) failure to design effective internal audit procedures to test the “real” risks and
the right controls (IIA Standard 2120 – Risk Management).
A . This choice is not relevant because it is not a part of total audit risk.
Question 67
Ensuring internal audit teams have the right competencies with the right level of work experience and
designing effective internal audit procedures can reduce the risk of which of the following?
Business risk.
Audit failures.
Audit failures result due to (1) failure to evaluate both the design adequacy and the control
effectiveness as part of internal audit procedures and (2) use of audit teams that do not have the
appropriate level of competence based on experience or knowledge of high-risk areas (IIA Standard
2120 – Risk Management).
A . This choice is not relevant because it is not a part of total audit risk.
Question 68
If internal auditors are used as “loaned resources” to a business unit, this could lead to which of the
following?
Business risk.
Audit failures.
Using internal auditors as “loaned” resources may create false assurance. If internal auditors are used
to augment the staffing of a project or initiative, document their role and scope of their involvement
as well as future objectivity and independence issues (IIA Standard 2120 – Risk Management).
A . This choice is not relevant because it is not a part of total audit risk.
Question 69
Reinforcing the code of conduct and ethical behavior standards for all internal auditors can protect
which of the following?
Business risk.
Audit failures.
A leading practice to protect the reputation of internal audit's “brand” name is to reinforce the code
of conduct and ethical behavior standards for all internal auditors (IIA Standard 2120 – Risk
Management).
A . This choice is not relevant because it is not a part of total audit risk.
B . This choice does not protect the reputation of internal audit's "brand" name.
C . This choice does not protect the reputation of internal audit's "brand" name.
Question 70
Clearly communicating the scope inclusions and exclusions in the audit risk assessment, internal
audit plan, and audit engagement can mitigate the risk of which of the following?
Business risk.
Audit failures.
Frequent and clear communication is a key strategy to manage false assurance. Some leading
practices include (1) proactively communicating the role and the mandate of the internal audit
activity to the audit committee, senior management, and other key stakeholders; (2) clearly
communicating what is covered in the risk assessment, internal audit plan and internal audit
engagement; and (3) explicitly communicating what is not in the scope of the risk assessment and
internal audit plan (IIA Standard 2120 – Risk Management).
Question 71
Requiring a “project acceptance” process in place when internal auditors are involved in a business
unit's project can mitigate the risk of which of the following?
Business risk.
Audit failures.
A project acceptance process can mitigate the risk of false assurance. Require a “project acceptance”
process to assess the level of risk related to each project and internal audit's role in the project. The
assessment may consider: scope of the project, role of the internal audit activity, reporting
expectations, competencies required, and independence of internal auditors (IIA Standard 2120 – Risk
Management).
Business risk.
Audit failures.
A string of significant financial restatements and regulatory investigations would negatively impact
the reputation of the internal audit activity. The audit committee and the board might ask if the
internal audit activity has the right talent and quality assurance and improvement program to support
the organization (IIA Standard 2120 – Risk Management).
Question 73
An internal auditor is auditing the financial operations of an organization. Which of the following is
not specified by the IIA Standards for inclusion in the scope of the audit?
Reviewing the compliance with laws, regulations, policies, procedures, and contracts.
This element of the audit is not included in IIA Standard 2130 – Control.
A . Reviewing the reliability and integrity of financial information is the basic element of the audit.
B . The statement includes compliance, and there are compliance aspects in financial operations.
C . The auditor would review the economy, efficiency, and effectiveness of the financial functions.
Question 74
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood (IIA Standard 2120—Risk Management).
Question 75
In publicly held companies, management often requires the internal auditing department's
involvement with quarterly financial statements that are made public and/or used internally.
Which one of the following is generally not a reason for such involvement?
Management may be concerned about potential penalties that could occur if quarterly financial
statements that are made public are misstated.
The Standards state that internal auditors should be involved with reviewing quarterly financial
statements.
Management may perceive that having quarterly financial information examined by the internal
auditors enhances its value for internal decision making.
This choice does not exist in IIA Standard 2100 – Nature of Work.
Question 76
During a purchasing audit, the internal auditor finds that the largest blanket purchase order is for
tires, which are expensed as vehicle maintenance items. The fleet manager requisitions tires
against the blanket order for the company's 400-vehicle service fleet based on a visual inspection of
the cars and trucks in the parking lot each week. Sometimes the fleet manager picks up the tires but
always signs the receiving report for payment. Vehicle service data are entered into a maintenance
database by the mechanic after the tires are installed. Which would be the best course of action for
the auditor in these circumstances?
Determine whether the number of tires purchased can be reconciled to maintenance records.
Count the number of tires on hand and trace them to the related receiving reports.
Select a judgmental sample of requisitions and verify that the fleet manager signs each one.
Compare the number of tires purchased under the blanket purchase order with the number of tires
purchased in the prior year for reasonableness.
Based on the control weakness and the potential for fraud, the auditor should look for other
indicators of fraud or verify that no fraud has occurred (IIA Standard 2130 – Control).
B . Tracing the tires on hand to the receiving reports would not reveal a fraud since the manager signs
the receiving report.
C . Testing for signed requisitions would not necessarily reveal whether fraud is present. The manager
is the signor.
D . While the comparison may provide useful information, it would be less conclusive than the correct
answer. If a fraud existed, it could have occurred last year also. The need for tires may vary.
Question 77
Which of the following management control systems measures performance in terms of operating
profits minus the cost of capital invested in tangible assets?
The economic value-added system is a new system to measure corporate performance in terms of
operating profits minus the cost of capital invested in tangible assets (IIA Standard 2130—Control).
A . The open-book management system focuses on sharing a company's financial information to all
employees.
C . The activity-based costing system identifies various activities needed to produce a product or
service and determines the cost of those activities.
D . The market value-added system determines the market value of a firm based on its market
capitalization rate.
Question 78
Control has been described as a closed system consisting of six elements. Identify one of the six
elements.
Setting performance standards is one of the six elements (IIA Standard 2130—Control).
B . Securing data files is not one of the elements of a closed control system.
D . Establishing the audit function is not one of the closed system control elements.
Question 79
An organization’s policies and procedures are part of its overall system of internal controls. The
control function performed by policies and procedures is:
Feed-forward control.
Implementation control.
Feedback control.
Application control.
Answer (A) is Correct.
Policies and procedures provide guidance on how an activity should be performed to best ensure that
an objective is achieved (i.e., feed-forward). (IIA Standard 2130—Control.)
C . Policies and procedures provide primary guidance before and during the performance of some task
rather than give feedback on its accomplishment.
Question 80
The comment card filled out by a customer in a restaurant is a control device used by management
to improve the level of service and the quality of food. Controls of this type are classified as:
Feed-forward controls.
Steering controls.
Concurrent controls.
Feedback controls.
Controls that evaluate the final product or output are feedback controls (IIA Standard 2130—Control).
A . Feed-forward controls precede the production of the product or delivery of the service. Inspection
of raw material would be a feed-forward control.
B . Steering controls is another name for feed-forward controls.
C . Concurrent controls are controls that occur during the process. An example might be the
inspection of component parts.
Question 81
These are the three basic components of a control system (IIA Standard 2130—Control).
B . These three terms are all used to describe subsystems of a control system.
C . These three terms are used to describe either a subsystem of a control process or a tool used in a
control system.
D . Although “objectives” is a correct answer, the other two are incorrect. “Inputs” is a good distracter
because it is part of the “input-process-output” relationship used to describe a system.
Question 82
The internal auditing function of an organization is an integral part of the organization’s overall
system of internal control. Select the type of control provided when an auditing function conducts a
systems development review.
Feedback control.
Strategic plans.
Feed-forward control.
A feed-forward control provides information on potential problems so that corrective action can be
taken in anticipation of rather than as a result of a problem (IIA Standard 2130—Control).
B . Strategic plans are developed by senior management and provide a long-range path for the
organization.
C . Policies and procedures are developed by management and are the most basic control subsystem
of an organization.
Question 83
The internal auditing function of an organization is an integral part of the organization’s overall
system of internal control. Select the type of control emphasized by an operational audit.
Feedback control.
Strategic plans.
Feed-forward control.
A feed-forward control provides information on potential problems so that corrective action can be
taken in anticipation of rather than as a result of a problem (IIA Standard 2130—Control).
B . Strategic plans are developed by senior management and provide a long-range path of the
organization.
C . Policies and procedures are developed by management and are the most basic control subsystem
of an organization.
Question 84
Internal auditors can evaluate the management function of controlling by determining if:
Employee turnover rates are analyzed for trends and investigations are made for adverse trends.
Anticipated problems are discussed, identified, and evaluated with possible solutions provided.
Verifying that the prompt feedback on variances is provided to management is one way internal
auditors facilitate the management function of controlling (IIA Standard 2130—Control).
Question 85
When planning the controls review of the end user computing (EUC) application, the internal
auditor chose to include the general control environment in the scope. Which one of the following
statements regarding general controls is the auditor most likely to find true?
The need for specific general controls is relatively constant across EUC environments.
General controls must be in place before application controls can be relied on.
The relationship between the application controls and the general controls is such that general
controls are needed to support the functioning of application controls, and both are needed to ensure
complete and accurate information processing (IIA Standard 2130—Control).
B . In an EUC environment, responsibility for general controls may be shared by several individuals in
different departments or locations.
C . The need for specific general controls varies with the complexity and importance of the
application.
Question 86
A payroll clerk with authorized access to the local area network (LAN) was able to directly update
personnel files independent of the application programs. The best control to prevent a clerk from
doing this would be to:
Restrict access to LAN workstations by such means as automatic lockup after a predefined period of
keyboard inactivity.
Restrict access to and monitor installation of software products or tools having powerful update
capabilities.
Use password security to authenticate users as they attempt to log on to the LAN.
Establish a security policy for the department that prohibits direct updating of data files.
Sophisticated software packages may inadvertently threaten data security by allowing users to bypass
existing system level security (IIA Standard 2130—Control).
A . Restricting access to LAN workstations is a control to prevent unauthorized persons from gaining
access to the network.
C . Password security when logging on may not prevent authorized users of the LAN from accessing
unauthorized functions.
D . A security policy may establish responsibility but will not prevent inappropriate update of
information.
Question 87
The auditor used the reporting capabilities of the fourth-generation language (4GL) to analyze the data files
for unusual activity such as excessive overtime hours, unusual fluctuations in pay rates, or excessive
vacation time. The application controls being verified by this analysis are:
Edit or validation routines should be present in the application to reject or flag these unusual items
(IIA Standard 2130—Control).
B . Rejected and suspense item controls are relevant only if the data are first subject to edit and
validation checks.
C . Controls over update access to the database are general controls rather than application controls.
D . Programmed balancing controls are designed to identify errors in the processing of data rather
than in the data itself.
Question 88
A comprehensive management control system that considers both financial and nonfinancial
measures relating to a company’s critical success factors is called a(n):
The balanced scorecard system is a comprehensive management control system that balances the
traditional accounting (financial) measures with the operational (nonfinancial) measures (IIA Standard
2130—Control).
B . The economic value added system is a new system to measure corporate performance in terms of
operating profits minus the cost of capital invested in tangible assets.
C . The activity based costing system identifies various activities needed to produce a product or
service and determines the cost of those activities.
D . The market value added system determines the market value of a firm based on market
capitalization of its stock.
Question 89
Which of the following input controls or edit checks would catch certain types of errors within the
payment amount field of a transaction?
Record count.
Echo check.
Check digit.
Limit check.
A limit test is a test of whether a field amount fits within a predetermined upper and/or lower limit. It
can catch only certain errors (i.e., those that exceed the acceptable range). (IIA Standard
2130—Control.)
C . A self-checking number contains digits that are a formula of the other digits. Account numbers
with a self-checking digit reduce data input errors.
Question 90
When assessing application controls, which one of the following input controls or edit checks is
most likely to be used to detect a data input error in the customer account number field?
Limit check.
Validity check.
Control total.
Hash total.
A validity test can compare the value of a customer account number field with a master file
containing valid customer accounts (IIA Standard 2130—Control).
A . A limit test is a test of whether a field amount fits within a predetermined upper and/or lower limit.
It can catch only certain errors (i.e., those that exceed the acceptable range).
D . A hash total is the number obtained from totaling the same field value for each transaction in a
batch. The total has no meaning or value other than as a comparison with another hash total.
Question 91
An internal auditor is reviewing the adequacy of existing policies and procedures concerning end
user computing activities. The auditor is testing:
An application control.
An organizational control.
An environmental control.
A system control.
Policies and procedures are part of the administration of end user computing, which is defined at an
organizational level (IIA Standard 2130—Control).
Question 92
To ensure the completeness of a file update, the user department retains copies of all unnumbered
documents submitted for processing and checks these off individually against a report of
transactions processed. This is an example of the use of:
One-for-one checking.
Computer matching.
D . Computer matching is performed under program control and not by the user.
Question 93
Programmed checks.
Batch controls.
Implementation controls.
One-for-one checking.
A . Programmed checks are used to check the potential accuracy of input data (e.g., a range check).
B . Batch control is used to ensure the completeness and accuracy of input and update.
D . One-for-one checking is a technique used to check individual documents for accuracy and
completeness of data input or update.
Question 94
The best control for detecting processed data totals that do not agree with input totals is:
Run-to-run checking.
Existence checking.
Key verification.
Prerecorded inputs.
During each program run in a series, the computer accumulates the totals of transactions that have
been processed and reconciles them with the totals forwarded from the previous program run (IIA
Standard 2130—Control).
B . Existence checking ensures that individual data codes agree with valid codes held in a file or a
program.
C . Key verification ensures the completeness and accuracy of selected fields on individual documents.
D . Prerecorded input (turnaround document) is used to ensure accuracy and completeness of input.
Question 95
To ensure that goods received are the same as those shown on the purchase invoice, a
computerized system should:
Computer matching of fields such as goods received number, product code, supplier code, and
quantity assures agreement between goods received and goods invoiced (IIA Standard
2130—Control).
Question 96
Which of the following controls would be most efficient in reducing common data input errors?
Keystroke verification.
Batch totals.
A combination of edit checks, resulting in exception reports, would be the most efficient way of
reducing errors (IIA Standard 2130—Control).
A . Keystroke verification (a labor-intensive procedure) consists of entering data a second time, with
differences detected by a mechanical signal.
C . Balancing and reconciliation make tests of equality and analyze differences, and are laborious.
D . Batch totals are used to control input via agreement of preestablished totals and are better suited
for completeness control.
Question 97
To ensure that a computer file is accurately updated in total for a particular field, the best control
is:
Computer matching.
Check digit.
Transaction log.
Run-to-run totals.
Run-to-run totals are used to ensure completeness of update (IIA Standard 2130—Control).
B . Check digits are used to determine if a number has been keyed incorrectly.
C . A transaction log is used in conjunction with special programs to reperform processing and
compare results.
Question 98
To ensure that a particular data field is properly maintained, manual postings of batch totals for
that field to a control account:
Are of no value in file maintenance.
To be of benefit, manual postings of batch totals must be agreed to the master file (IIA Standard
2130—Control).
C . Unless agreed or reconciled, batch totals in a control account do not serve as a control.
Question 99
Preventive control.
Detective control.
Corrective control.
Directive control.
A . This choice is not applicable because preventative controls do not identify exceptions.
B . This choice is not applicable because detective controls do not apply to reporting exceptions.
D . This choice is not applicable because directive controls are management controls, hence, do not
identify exceptions.
Question 100
A new auditor is being briefed on various types of audits by the audit supervisor. The supervisor
states that some areas within the organization are more difficult to audit because the controls
generally are not as clearly defined as in other departments. Select the type of control that is
usually most difficult to assess.
Operational.
Hardware.
Accounting.
Physical security.
Operational controls frequently are not supported by clear criteria or standards. There is no firm
external procedural framework for operational controls such as generally accepted accounting
principles provide for accounting controls (IIA Standard 2130—Control).
D . Physical controls, and the objectives, are apparent. They are not subject to any significant degree
of misinterpretation.
DOMAIN 6
1.Which of the following can help determine whether an organization's risk management
framework is current and complete?
A.Risk volatility
B.Risk discovery
C.Risk maturity
D.Risk agility
Risk maturity deals with whether an organization is using a proper risk management framework to
manage the organization's risks. It seeks to determine whether that framework is old or new, complete or
incomplete, mature or immature, fully implemented or partially implemented. Moreover, it asks
whether the current maturity fits with the current business.
A.Incorrect. Risk volatility means unexpected variations in risk outcomes with their associated severity
and unpredictability levels.
B.Incorrect. Risk discovery means determining how much of the risk universe is identified, unearthed,
or uncovered during a risk assessment exercise.
D.Incorrect. A business activity or function is said to be risk resilient or to possess risk agility when it
survives and sustains despite facing growing risks. Risk resilience means an activity is risk aware and
risk prepared.
2.A manager's or an investor's risk-on and risk-off concepts are related to which of the
following?
A.Incorrect. Risk agility and risk resilience are the same; they show how a firm can survive and sustain
despite growing risks it faces. This choice is not relevant.
B.Incorrect. Risk shifting and risk sharing deal with risk minimization.
C.Incorrect. Risk outcomes and risk severity deal with risk volatility.
3.Which of the following can help a corporation to identify its business assets with high-risk
concentrations?
A.Risk parity
B.Risk pyramid
C.Risk volatility
D.Risk matrix
The chief risk officer can develop a risk pyramid for a specific asset or a group of assets within his or
her own organization that identifies any assets with high risk concentrations. The pyramid will have
three sections: bottom (low risk), medium (medium risk), and top (high risk).
A.Incorrect. Risk parity is an investment portfolio allocation strategy using risk to determine how to
optimally diversify a portfolio of stocks and bonds among specified assets.
C.Incorrect. Risk volatility means unexpected variations in risk outcomes with their associated severity
and unpredictability levels.
D.Incorrect. A risk matrix is a tool for ranking and displaying risks with their maximum and minimum
values for consequences and likelihoods.
Upside risks are opportunities to benefit and downside risks are threats to success. The words
“strengths and opportunities” in SWOT are upside risks; the words “weaknesses and threats” in SWOT
are downside risks, which are called hybrid risks.
Marketing surveys
Economic analysis
Sales prospecting
Test marketing
Upside risks are opportunities to benefit, and downside risks are threats to success. Economic analysis
shows both good news and bad news at a point in time, meaning both upside and downside risks (i.e.,
hybrid risks).
6.Which of the following risk responses accepts increased risk to achieve increased performance?
A.Pursue
B.Accept
C.Share
D.Transfer
The “Pursue” response means management takes action that accepts increased risk to achieve increased
performance by adopting aggressive growth strategies (e.g., introducing new products and services and
expanding facilities and operations). This increased performance can result from a greater change in
organizational strategies, policies, procedures, practices, and programs.
B.The “Accept” response means no management action is taken to reduce the severity of the risk as
long as the accepted risk is within the risk appetite. This choice is not related to increased performance.
C.Incorrect. The “Share” response means management takes action to reduce the severity of the risk by
sharing a portion of the risk with others through outsourcing a service or buying an insurance policy.
Sharing and transferring are the same. This choice is not related to increased performance.
D.Incorrect. The “Transfer” response means management takes action to reduce the severity of the risk
by transferring a portion of the risk to others through outsourcing a service or buying an insurance
policy. Transferring and sharing are the same. This choice is not related to increased performance.
A.Threat analysis
C.Technological analysis
D.Environmental analysis
Upside risks are opportunities to benefit, and downside risks are threats to success. Threat analysis is a
downside risk.
B.Incorrect. Business continuity planning is a hybrid risk containing both upside and downside risks.
C.Incorrect. Technological analysis is a hybrid risk containing both upside and downside risks.
D.Incorrect. Environmental analysis is a hybrid risk containing both upside and downside risks.
B.Chances.
C.Certainties.
D.Likelihoods.
Risk is not based on certainties; a risk might occur or might not occur. Its occurrence is uncertain.
9.According to the IIA Standard 2100: Nature of Work, which of the following is a form of
self-insurance?
A.Captive insurance
B.Derivatives
C.Reinsurance
D.Co-insurance
Captive insurance is a form of self-insurance where a noninsurance firm is created for the purpose of
accepting the risk of the parent firm that owns an insurer.
B.Incorrect. Derivatives are financial instruments, such as future contracts, forward contracts, options,
and swaps.
C.Incorrect. Reinsurance is a financial arrangement between two insurers (primary and secondary)
where losses between the two insurers are shared based on the agreement.
D.Incorrect. Co-insurance is a type of insurance in which the insured (i.e., an eligible person with an
insurance policy) pays a share of the payment made against an insurance claim.
10.When planning a risk management audit, internal auditors focus primarily on which of the
following first?
A.Risk management framework
Focusing first on the risk management framework is like separating trees from the forest, which gives a
big-picture perspective on the entire risk management program. The framework is the primary focus for
internal auditors.
A.Residual risks
B.Current risks
C.Unchanged risks
D.Strategic risks
Risk registers do not document risks at the strategic level (high level) because risk registers deal with
low-level risks, including operational-level and functional-level risks.
B.Incorrect. Risk registers document current risks and inherent risks (built-in risks).
C.Incorrect. Risk registers document unchanged risks, stubborn risks, or sticky risks.
Risk overseers.
Risk creators.
Risk evaluators
Risk creators are risk owners because, based on their risk appetite, they take more or less risk to run
their business function or operation.
A.Incorrect. Risk monitors are risk officers, compliance officers, ethics officers, and governance
officers.
B.Incorrect. Risk overseers are risk officers, compliance officers, ethics officers, and governance
officers.
D.Incorrect. Risk evaluators are internal auditors; they review risk levels and evaluate the impact of
those risk levels on their organization.
13.Regarding risk management, which of the following should be of least concern to a chief risk
officer (CRO) of an organization?
Risk immunity
Derisking efforts
Value-at-risk amounts
Risk immunity is of least concern to the CRO. It raises a question whether a particular business
function, activity, or operation is subject to risk, exposure, threat, or vulnerability. Two possible
outcomes can occur: immune to risk (risk resistant) or not immune to risk (risk prone). Note that no
business function is immune to risk.
B.Incorrect. Key risk indicators (KRIs) should be of great concern to CROs due to their higher
importance and visibility. KRIs are vital measurements of the relationship between risk and volatility.
C.Incorrect. Derisking is one of the greatest concerns of CROs. Derisking efforts are risk-lessening and
risk-modifying efforts that reduce the overall current level of risks to less than before.
D.Incorrect. Value-at-risk amounts are of great concern to CROs. Value-at-risk amounts are the
amounts of money at risk as calculated by the CRO and staff for an organization's major assets.
A.Mitigated risks.
B.Unmanaged risks.
C.Net risks.
D.Unaddressed risks.
This is not a true statement. Residual risks are those risks that are identified and ignored because
management does not want to manage, address, or control them.
B.Incorrect. This is a true statement.
16.Regarding a board's awareness of organizational culture, surveys found that board members
have the least understanding of culture at which of the following levels?
Board members have the least understanding of an organization's culture at the bottom level because
board members are far removed from frontline employees working in frontline functions or operations.
Usually board members do not visit frontline offices, retail stores, warehouses, distribution centers, or
factories; or they may visit only infrequently. In a way, board members are disconnected from the
frontline employees, thus they would not know or understand the culture of lower-level employees.
Surveys are one of the ways to obtain this understanding.
A.Incorrect. Usually board members have the most understanding of the tone at the top due to their
higher-level job functions working with senior managers.
B.Incorrect. Usually the board members have the most understanding of the culture at the top due to
their higher-level job functions working with senior managers.
C.Incorrect. Generally board members have a moderate understanding of the culture at the middle level
because of their intermittent connection with functional managers.
17.Which one of the following items considers all the other three items in concert?
A.Vulnerabilities
B.Threats
C.Risks
D.Controls
Answer D is Correct.
A.Uncovered risks.
B.Untreated risks.
C.Uncommitted risks.
D.Unknown risks.
Residual risks are risks that are known to both auditors and managers.
I. Residual value
A.I and II
B.III only
C.II and IV
D.III and IV
Residual risk and residual data are the most risky situations. Residual risk is leftover, unmanaged, or
unaddressed risk that still remains after all controls and mitigations are applied. It can be most risky if
it is big in size. Residual data is leftover data remaining on storage media after it is erased. Since
residual data can be recovered by hackers, additional disposal techniques should be applied to protect
the sensitive electronic data in storage. Until then, residual data can be most risky.
A.Incorrect. This choice is not relevant. Residual value is the estimated value at the end of a lease term
on leased equipment. There is little or no risk in residual value. Residual interests are financial assets
of an individual person or beneficiaries in a company that were created by a transfer that qualifies as a
sale of financial assets. There is little or no risk in residual interests.
A.Risk sharing
B.Incorporation
C.Risk transfer
D.Risk reduction
Incorporation is a legal term in use when an individual wants to register a business in a state to conduct
business. Organizations can also incorporate to do their business. Incorporation is a legal tool for
derisking.
A.Incorrect. Risk sharing involves spreading risks with other divisions of the same organization. This is
not a legal tool for derisking.
C.Incorrect. Risk transfer means pushing a potential risk from one party to another party. This is not a
legal tool for derisking.
D.Incorrect. Risk reduction is achieved through installing appropriate and timely controls that are
effective and efficient in operation. This is not a legal form of derisking.
New contracts
Recontracting
Risk shifting
Risk shifting is risk transferring from one party to another, but the risk still remains. This is not a legal
tool for derisking.
A.Incorrect. Hold-harmless agreements mean risk is lessened (derisked) due to a previous agreement.
This is a legal tool for derisking.
B.Incorrect. New contracts can be drawn to reduce risks. This is a legal tool for derisking.
C.Incorrect. Existing contracts can be canceled and recontracted with modifications. This is a legal tool
for derisking.
A.Downsizing risks.
B.Postponing risks.
C.Ignoring risks
D.Eliminating risks
B.Incorrect. Postponing risks does not decrease risks. Risks stay the same or increase.
C.Incorrect. Ignoring risks does not decrease risks. Risks stay the same or increase.
23.Which of the following types of organization would have the highest amount of de-risking to
do?
A.Proprietorship
B.Partnership
C.Public corporation
D.Private corporation
A proprietorship poses a high risk because the owner is legally responsible for all risks. Hence,
the de-risking amount would be higher.
B.Incorrect. A partnership poses a low risk because partners share all risks.
C.Incorrect. A public corporation poses a low risk because a government shares all risks.
D.Incorrect. A private corporation poses a low risk because its shareholders share all risks.
A.Risk volatility.
B.Risk securitization
C.Risk diversification
D.Risk modification
Risk volatility increases risks due to unexpected variations in risk outcomes. It is not a good method of
derisking.
25.Which of the following is the best way to link de-risking opportunity to an organization's
structure?
Legal structure.
Capital structure
Tall structure
Flat structure
A legal structure such as incorporation provides derisking opportunities aligned with an organization's
structure. For example, a public corporation is less risky than a private corporation.
B.Incorrect. Capital structure refers to the amount of debt and equity in a corporation's balance sheet.
C.Incorrect. Tall structure refers to how many management levels exist in an organization.
D.Incorrect. Flat structure refers to how many management levels exist in an organization.
26.Which of the following is the most important element of corporate social responsibility?
A.Legal responsibilities
B.Sustainability responsibilities
C.Economic responsibilities
D.Ethical responsibilities
Sustainability responsibilities deal with issues related to environment, social, and governance affecting
an entire organization.
A.Incorrect. Legal responsibilities deal with knowing what legal or illegal actions are.
D.Incorrect. Ethical responsibilities deal with knowing what ethical or unethical actions are.
27.Which of the following deals with issues outside of a corporation's boundaries?
Governance audit
Control audit
Sustainability audit
A sustainability audit deals with issues outside a corporation's boundaries, such as environment, social,
and governance affecting an entire organization.
A.Incorrect. A governance audit deals with issues inside a corporation's boundaries, such as oversight,
fiduciary, and stewardship.
B.Incorrect. A risk management audit deals with issues inside a corporation's boundaries, such as risk
appetite and risk mitigation.
C.Incorrect. A control audit deals with issues inside a corporation's boundaries, such as control design,
development, and implementation.
28.From an internal auditing viewpoint, which of the following is referred to when the board
members and senior managers are focusing on improving environmental, social, and governance
issues?
A.Environmental audit
B.Social audit
C.Governance audit
D.Sustainability audit
A sustainability audit addresses the full scope of environmental, social, and governance issues.
A.Incorrect. An environmental audit addresses a partial scope of the full sustainability audit.
B.Incorrect. A social audit addresses a partial scope of the full sustainability audit.
C.Incorrect. A governance audit addresses a partial scope of the full sustainability audit.
B.Standard risks
C.Social risks
D.Governance risks
An insurance company can label a person as a standard risk saying that she is insurable at a standard
rate. Risk management will address standard risks, not shareholders, because they are not interested in
standard risks.
A.Incorrect. Shareholders are interested in investing to address environmental risks because that is one
of their stated investment goals.
C.Incorrect. Shareholders are interested in investing to address social risks because that is one of their
stated investment goals.
D.Incorrect. Shareholders are interested in investing to address the governance risks because that is one
of their stated investment goals.
30.Conducting a SWOT (strengths, weaknesses, opportunities, and threats) analysis is
an example of which of the following types of risks?
A.Upside risks
B.Downside risks
C.Hybrid risks
D.Wrong-way risks
Upside risks are opportunities to benefit, and downside risks are threats to success. SWOT analysis
deals with both upside risks (i.e., strengths and opportunities) and downside risks (i.e., weaknesses and
threats). Hence, it represents hybrid risks.
A.Incorrect. SWOT analysis deals with upside risks (i.e., strengths and opportunities). Upside risks are
opportunities to benefit, and downside risks are threats to success.
B.Incorrect. SWOT analysis deals with downside risks (i.e., weaknesses and threats). Upside risks are
opportunities to benefit, and downside risks are threats to success.
D.Incorrect. Wrong-way risk occurs when an entity's exposure to risk is positively correlated with the
entity's probability of loss.
31.In risk management, expenditures on research and development projects are examples of
which of the following?
A.Upside risk
B.Downside risk
C.Cross risk
D.Add-on risk
Spending money on research and development (R&D) projects is a strength and opportunity, leading to
an upside risk. This is the major goal of R&D projects. Upside risks are opportunities to benefit, and
downside risks are threats to success.
B.Incorrect. Downside risk refers to weaknesses and threats. Some R&D projects can lead to downside
risks. Upside risks are opportunities to benefit, and downside risks are threats to success.
C.Incorrect. Cross risk falls between upside and downside risk.
D.Incorrect. Add-on risk is additional risk incurred from selling a new product or service.
A.Upside risk
B.Downside risk
C.Cross risk
D.Add-on risk
A.Incorrect. Upside risks are positive things happening to organizations. Vulnerabilities are negative
things. Upside risks are opportunities to benefit, and downside risks are threats to success.
C.Incorrect. Cross risk falls between upside and downside risk.
D.Incorrect. Add-on risk is additional risk incurred from selling a new product or service.
33.Relatively speaking, which of the following should be a major concern for internal auditors?
Governance risk indicators should be a major concern to internal auditors because these risk
indicators affect the entire organization as they show the board of directors’ effectiveness or
ineffectiveness in performing their oversight functions and fulfilling their fiduciary duties. Audit risk
indicators become a part of governance risk indicators.
A.Incorrect. Audit risk indicators are audit failures, audit false assurances, and audit reputation risk.
Although these represent major concerns to internal auditors, they become minor concerns in relation
to the governance risk indicators.
B.Incorrect. Risk management risk indicators are risk and volatility. They should be a major concern
for the chief risk officer.
C.Incorrect. Finance risk indicators are insufficient cash to pay debts as they come due, low earnings
per share, low price for a company's stock, and declining sales and profits. They should be a major
concern for the chief financial officer.
A.Board of directors
B.Shareholders
C.Finance committee
D.Compensation committee
Shareholders and investors are voicing their concerns about excessive executive compensation through
the say-on-pay theme via the proxy process. The goal is to influence, modify, and decrease executives’
total compensation packages.
A.Incorrect. The choice is not relevant because the board of directors may not want to control
executive compensation or become members of the say-on-pay theme.
C.Incorrect. The choice is not relevant because the finance committee may not want to control
executive compensation or become members of the say-on-pay theme.
D.Incorrect. The choice is not relevant because the compensation committee may not want to control
executive compensation or become members of the say-on-pay theme.
A.Vulnerabilities
B.Threats
C.Risks
D.Controls
Risk appetites vary with each company or organization. A company's risk appetite is related to its size,
complexity, and management's risk tolerance and has nothing to do with a competitor's risk
aggressiveness. The larger the size of a company, the greater its complexity; the higher management's
risk tolerance, the bigger the risk appetite, and vice versa.
37.Financially distressed companies most frequently use which of the following that can be risky?
A.Risk management
B.Risk shifting
C.Risk avoidance
D.Risk sharing
Risk shifting is the diverting or transferring of risk from one party to another party. It is used most
frequently by companies facing a situation of financial distress. For example, a company taking a large
amount of debt now can shift risk from shareholders to debt holders so that the latter face more risk
than the former.
A.Incorrect. Using proper risk management techniques could prevent a company from getting into a
situation of financial distress. These techniques include increasing risk-control and risk-financing
methods and reducing risk concentrations to monitor material risks.
C.Incorrect. Risk avoidance is eliminating risk causes and their consequences, such as adding controls
to prevent that risk from occurring. Risk avoidance can prevent a situation of financial distress.
D.Incorrect. Risk sharing involves moving risks from one division of a company to another division of
the same company (i.e., risk spreading). Risk sharing can prevent a situation of financial distress. Note
that risk shifting is not risk sharing.
38.Which of the following risk elements must be aligned for effective enterprise risk management
(ERM)?
The risk appetite of an organization is the total amount of or level of risk that it is willing to accept.
Risk tolerance is the maximum amount of or the rate of risk that an organization is willing to accept
before changing its mind. The level and the amount of risk that is accepted must be aligned with each
other due to their common goal of containing and managing risk.
39. Which of the following is very useful in developing succession plans for executives and senior
management of a corporation?
A. Depth charts
B. Organization charts
C. Responsibility charts
D. Accountability charts
Depth charts provide snapshots of available internal management staff and their readiness to take on
increased leadership roles when the time comes. So, depth charts are very useful in succession plans of
key management positions.
B. Incorrect. Organization charts show who reports to whom in management's chain of command.
Strategy to performance
Strategy to mission
Strategy to objectives
Strategy to goals
Linking strategy to performance is the ultimate end outcome of any management strategies and
programs. ERM is no different; strategy is the starting point and performance is the ending point.
Performance is counted in terms of measurable outcomes.
B. Incorrect. Linking strategy to mission is good. It is an intermediate outcome, not the final outcome.
C. Incorrect. Linking strategy to objectives is good. It is an intermediate outcome, not the final
outcome.
D. Incorrect. Linking strategy to goals is good. It is an intermediate outcome, not the final outcome.
Risk appetite should be equal to or less than risk tolerance, and both should be less than or equal to the
risk universe. This is a valid and meaningful relationship. In other words, the risk universe is the upper
limit, and risk appetite cannot be greater than the risk universe.
B. Incorrect. This is an invalid and meaningless relationship in risk management.
42. An organization's risk management framework or risk model is not complete until it
addresses which of the following?
Root causes can indicate what things or activities can increase or decrease risks. Root causes show a
solid link between causes and effects that can improve and complete a risk model.
B. Incorrect. The chief risk officer holds a management-level position dealing with
administrative duties; hence, the role may not influence the risk management framework or risk models.
C. Incorrect. Risk specialists hold a low-level position dealing with administrative
duties; hence, the role may not influence the risk management framework or risk models.
D. Incorrect. Risk generalists hold a low-level position dealing with administrative
duties; hence, the role may not influence the risk management framework or risk models.
44. The chairperson of the board of directors of a publicly held corporation should be most
concerned about which of the following?
A. Shadow suppliers
B. Shadow contractors
C. Shadow vendors
D. Shadow directors
A shadow director is an outsider who does not sit on the board but exerts considerable influence over
the board's outcomes, such as strategies, plans, policies, programs, procedures, and practices. Shadow
directors work in the background and behind the scenes. Examples of shadow directors include lobbyists,
activists, consultants, investors, creditors, friends, and family members. This is a major concern.
A. Conflicts of interest
B. Lack of experience
C. Lack of knowledge
D. Overcommitment of time
46. What is the real reason for the shortage of board of directors in the United States?
Boards of directors in the United States have a major challenge in dealing with complex laws, rules,
and regulations dealing with governance issues and addressing stakeholder issues. Because the
corporate landscape is big and complex, boards of directors are afraid of possible legal liabilities and
potential lawsuits against them, which is the real reason for the shortage of directors.
47. The highest standards of independence apply to which of the following committee members?
A. Compensation committee
B. Audit committee
C. Nominating committee
D. Governance committee
Answer B is Correct.
A board's standards require that fully independent directors serve on the audit, compensation,
nominating, and governance committees. Moreover, the highest standards of independence specifically
apply to the audit committee due to its work dealing with financial statements and internal controls.
This means that the audit committee should consist of all independent directors.
48. U.S. corporate directors are most concerned about which of the following?
Due to intense legal and ethical environments that exist in U.S. corporations, board members are most
concerned about their own personal reputation risk associated with lawsuits and misconduct
allegations.
B. Incorrect. Corporate reputation risk is of least concern to corporate directors compared to their own
personal reputation risk.
C. Incorrect. Product reputation risk is of least concern to corporate directors compared to their own
personal reputation risk.
D. Incorrect. Service reputation risk is of least concern to corporate directors compared to their own
personal reputation risk.
49. Items below represent both assets and liabilities of a company. Which of the following poses the
highest risk to the company if it is a liability?
A. Culture
B. Board of directors
C. Policies
D. Procedures
Because the board of directors is at the highest level of a corporation due to its oversight, fiduciary,
and stewardship roles, all stakeholders expect board members to be the greatest asset of the corporation.
The risk is highest if the board is a liability as it affects the entire functioning of the corporation.
50. Which of the following should be the long-term strategy for enterprise risk management
(ERM) at the board level?
Resilience is the ability to anticipate and respond to changes. This is shown as: Risks → Change →
Strategy. As the scope and nature of risks change, so does the strategy. Risk agility is the resilience to
manage risks.
A. Incorrect. This is an example of incompatible integration because managers can increase risk taking
when incentives are higher.
B. Incorrect. This is an example of incompatible integration because managers can increase risk taking
when remuneration is higher.
C. Incorrect. This is an example of incompatible integration because managers can increase risk taking
when job promotion is offered.
Question 51
Randy and John had known each other for many years. They had become best friends in college,
where they both majored in accounting. After graduation, Randy took over the family business
from his father. His family had been in the grocery business for several generations. When John had
difficulty finding a job, Randy offered him a job in the family store. John proved to be a very
capable employee. As John demonstrated his abilities, Randy began delegating more and more
responsibility to him. After a period of time, John was doing all of the general accounting and
authorization functions for checks, cash, inventories, documents, records, and bank statement
reconciliations. (I) John was trusted completely and handled all financial functions. No one checked
his work.
Randy decided to expand the business and opened several new stores. (II) Randy was always
handling the most urgent problem … crisis management is what his college professors had termed it.
John assisted with the problems when his other duties allowed him time. Although successful at
work, John had (III) difficulties with personal financial problems.
At first, the amounts John stole were small. He did not even worry about making the accounts
balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a
critical member of the business team, (IV) and that he contributed much more to the success of the
company than was represented by his salary. It would take two or three people to replace me, he
often thought to himself. As the amounts became larger and larger, (V) he made the books balance.
Because of these activities, John was able to purchase an expensive car and take his family on
several trips each year. (VI) He also joined an expensive country club. Things were changing at
home, however. (VII) John's family observed that he was often argumentative and at other times
very depressed.
The fraud continued for six years. Each year the business performed more and more poorly. In the
last year the stores lost over $200,000. Randy's bank required an audit. John confessed when he
thought the auditors had discovered his embezzlements. When discussing frauds, the pressures,
opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often
identified. Symptoms of fraud are also studied.
Identify the numbered and italicized factors (from the case) as being one of the symptoms,
pressures, opportunities, or rationalizations given.
a) Rationalization.
b) Lifestyle symptom.
c) Behavioral symptom.
d) Physical symptom.
Question 52
Randy and John had known each other for many years. They had become best friends in college,
where they both majored in accounting. After graduation, Randy took over the family business
from his father. His family had been in the grocery business for several generations. When John had
difficulty finding a job, Randy offered him a job in the family store. John proved to be a very
capable employee. As John demonstrated his abilities, Randy began delegating more and more
responsibility to him. After a period of time, John was doing all of the general accounting and
authorization functions for checks, cash, inventories, documents, records, and bank statement
reconciliations. (I) John was trusted completely and handled all financial functions. No one checked
his work.
Randy decided to expand the business and opened several new stores. (II) Randy was always
handling the most urgent problem … crisis management is what his college professors had termed it.
John assisted with the problems when his other duties allowed him time. Although successful at
work, John had (III) difficulties with personal financial problems.
At first, the amounts John stole were small. He did not even worry about making the accounts
balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a
critical member of the business team, (IV) and that he contributed much more to the success of the
company than was represented by his salary. It would take two or three people to replace me, he
often thought to himself. As the amounts became larger and larger, (V) he made the books balance.
Because of these activities, John was able to purchase an expensive car and take his family on
several trips each year. (VI) He also joined an expensive country club. Things were changing at
home, however. (VII) John's family observed that he was often argumentative and at other times
very depressed.
The fraud continued for six years. Each year the business performed more and more poorly. In the
last year the stores lost over $200,000. Randy's bank required an audit. John confessed when he
thought the auditors had discovered his embezzlements. When discussing frauds, often the
pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud
are identified. Symptoms of fraud are also studied.
Identify the numbered and italicized factors (from the case) as being one of the symptoms,
pressures, opportunities, or rationalizations given.
Number VII, “John's family observed that he was often argumentative …,” is an example of a:
a) Rationalization.
b) Lifestyle symptom.
c) Behavioral symptom.
d) Physical symptom.
Question 53
a) Cash receipts, net of the amounts used to pay petty cash–type expenditures, are
deposited in the bank daily.
b) The same employee who maintains the perpetual inventory records performs the
monthly bank statement reconciliation.
c) The same person maintains the accounts receivable subsidiary ledger and accounts
payable subsidiary ledger.
d) One person, acting alone, has sole access to the petty cash fund (except for a
provision for occasional surprise counts by a supervisor or auditor).
Paying petty cash–type expenditures from cash receipts facilitates the unauthorized removal of
cash before deposit. All cash receipts should be deposited intact daily. Petty cash–type
expenditures should be handled through an imprest fund.
B . The monthly bank reconciliation should not be performed by a person who makes deposits or
writes checks, but there is no problem with the inventory clerk doing it.
C . There is no direct relationship between the transactions posted to the accounts receivable and
accounts payable subsidiary ledgers; having the same person maintain both does not create a
control weakness.
D . In order to pinpoint responsibility for petty cash, it is desirable that only one person has
access to the fund.
Question 54
When following up on a $200,000 increase in maintenance supplies during the past year, a
purchasing agent explained to the auditor that the main reason for the increase was painting
services and supplies. The auditor found a blanket purchase order without the normal bid or
quote documentation. The blanket purchase order had been signed by the general manager
and named the general manager's father as the sole contractor for painting services on
company projects. The auditor also found a number of large invoices authorized for payment
by the general manager that showed the general manager's father as the person who signed
for receipt of the material at the supplier.
B . The scenario refers to normal and appropriate procedures that are suspended for these
transactions.
Question 55
When following up on a $200,000 increase in maintenance supplies during the past year, a
purchasing agent explained to the auditor that the main reason for the increase was painting
services and supplies. The auditor found a blanket purchase order without the normal bid or quote
documentation. The blanket purchase order had been signed by the general manager and named
the general manager’s father as the sole contractor for painting services on company projects. The
auditor also found a number of large invoices authorized for payment by the general manager that
showed the general manager’s father as the person who signed for receipt of the material at the
supplier. The common indicator of fraud recognized by the auditor in this scenario is that:
The indicators include an extraordinary change in account balances as discovered during analytical
review procedures.
C . The purchasing agent is fulfilling this responsibility in accordance with the authority of a
purchasing agent’s position.
Question 56
Jane Jackson had been the regional sales manager for a company over ten years. During this time
she had become a very close friend with Frank Hansen, an internal audit manager. In addition to
being neighbors, Jane and Frank had many of the same interests and belonged to the same tennis
club. They trusted each other. Frank had helped Jane solve some sales problems, and Jane had
given Frank some information that led to significant audit findings during the past three audits.
Below are selected analytical data from the company that have led staff auditors to believe that
there has been a financial statement fraud. The perpetrator appears to have falsified sales
information for the past two years. Frank is concerned because he recently completed an audit in
the area and accepted Jane's explanation for differences in the analytical data. Frank is now certain
that Jane is involved in the fraud.
Which combination of the following analytical data provides the strongest indication of the
possibility of the fraud?
Inventory turnover 5 4
5 3.5 4
One would expect rapid increases in gross margin percentage if sales were fictitious; the large
increase in returns is also symptomatic of falsified sales.
A . The increase in percentage change in sales is not unreasonable, and given the constant increase,
one might expect increases in inventory that could keep turnover constant.
C . The turnover and return figures, when taken together, are not indications of sales overstatements.
D . If the increase in sales was due to a market sales price increase, one might expect these results.
Question 57
Jane Jackson had been the regional sales manager for a company over ten years. During this time
she had become a very close friend with Frank Hansen, an internal audit manager. In addition to
being neighbors, Jane and Frank had many of the same interests and belonged to the same tennis
club. They trusted each other. Frank had helped Jane solve some sales problems, and Jane had
given Frank some information that led to significant audit findings during the past three audits.
Below are selected analytical data from the company that have led staff auditors to believe that
there has been a financial statement fraud. The perpetrator appears to have falsified sales
information for the past two years. Frank is concerned because he recently completed an audit in
the area and accepted Jane's explanation for differences in the analytical data. Frank is now certain
that Jane is involved in the fraud.
The current dilemma in which Frank finds himself was least likely caused by:
From the information given, it appears Frank found the analytic data but accepted management's
explanation of the findings.
A . Failure to rotate assignments and close personal friendships seem to have contributed to Frank's
decision to accept management's explanation for the analytic findings.
B . Failure to rotate assignments and close personal friendships seem to have contributed to Frank's
decision to accept management's explanation for the analytic findings.
Question 58
Internal auditors would be more likely to detect fraud if they developed/strengthened their ability
to:
D . Documentation of operating systems is not within the scope of internal auditing, and would do
little to enhance fraud detection skills.
Question 59
According to the IIA Standards, which of the following best describes the two general categories or
types of fraud that concern most internal auditors?
Fraud designed to benefit the organization and fraud perpetrated to the detriment of the
organization.
A . These are examples of kinds of fraud within the two general categories or types given in the
Standards.
C . These are examples of kinds of fraud within the two general categories or types given in the
Standards.
D . These are examples of kinds of fraud within the two general categories or types given in the
Standards.
Question 60
A company hired a highly qualified accounts payable manager who had been terminated from
another company for alleged wrongdoing. Six months later the manager diverted $12,000 by
sending duplicate payments of invoices to a relative. A control that might have prevented this
situation would be to:
B . Individuals in their declining years may be forced to accept jobs below their full capabilities.
Question 61
Red flags are conditions that indicate a higher likelihood of fraud. Which of the following would not
be considered a red flag?
a) Management has delegated the authority to make purchases under a certain dollar
limit to subordinates.
b) An individual has held the same cash-handling job for an extended period without
any rotation of duties.
c) An individual handling marketable securities is responsible for making the
purchases, recording the purchases, and reporting any discrepancies and
gains/losses to senior management.
d) The assignment of responsibility and accountability in the accounts receivable
department is not clear.
This is an acceptable control procedure aimed at limiting risk while promoting efficiency. It is not, by
itself, considered a red flag.
B . Lack of rotation of duties or cross-training for sensitive jobs is one of the red-flag list factors.
C . This would be an example of an inappropriate segregation of duties, which is an identified red flag.
Question 62
Internal auditors and management have become increasingly concerned about computer fraud.
Which of the following control procedures would be least important in preventing computer fraud?
Program change control that requires a distinction between production programs and test programs.
Segregation of duties between the applications programmer and the program librarian function.
B . Testing of new applications by users is one of the most important controls to help prevent
computer fraud.
C . An adequate control structure over program changes is one of the most important control
procedures in a computerized environment.
Question 63
During a regularly scheduled information technology (IT) audit of a major division, the IT auditor
discovers a complicated programming algorithm that adds costs to a cost-plus program billing the
government. The amount added accounted for 95% of the net income for the division for the most
recent year. Upon further investigation, the IT auditor finds that only the marketing manager, the
divisional manager, and the programmer know of the algorithm.
The company has a separate section to investigate fraud. The auditor communicates with
management and the special investigation section, and the investigation is turned over to that
group. However, after a month, it becomes apparent that senior management has instructed the
group to not make waves and to drop the investigation. The internal audit department should:
a) Immediately report the circumstances and the IT auditor's findings to the audit
committee.
b) Immediately report the circumstances and the IT auditor's findings to the
appropriate governmental regulatory agency because the auditor cannot knowingly
be a party to an illegal act.
c) Take no further action. The nature of the fraud has been reported to the proper
authorities within the company and the auditor has no power to pursue the
investigation further.
d) Report the findings to the external auditor because the external auditor should be
aware of any material misstatement of account balances.
The auditor cannot knowingly be a party to any illegal act. If the auditor does not do anything, he or
she might be perceived as a party. The auditor should report the problem directly to the audit
committee and await its decision as to further action to be taken.
B . Although the action recommended is necessary to ultimately disassociate the auditor from the
fraud, alternatives within the organization should be pursued first. That alternative is represented in
the correct answer.
C . Doing nothing is not acceptable. The auditor could be perceived as a party to the fraud if no action
is taken.
D . The auditor is not required to report the finding to the external auditor but should be free to
communicate the problem if the external auditor makes an inquiry.
Question 64
Which of the following statements correctly characterize(s) the red flags literature that has recently
developed in the auditing profession?
I. Red flags are items or actions that have been associated with fraudulent conduct.
II. The auditor should document all red flags that may have been noted on an audit
engagement.
III. Many red flags are subjective in nature and might not come to the auditor's attention
during the course of an audit that is properly planned and conducted in accordance
with the Standards.
a) I and II
b) I and III
c) II and III
d) III only
Red flags are associated with fraudulent conduct. However, many red flags are personal in nature and
would not necessarily come to the attention of the auditor. These would include items such as an
excessive living style by a manager, excessive gambling, and so on.
A . The auditor is to be alert to red flags and should investigate any situations that might include
potential fraud. But the auditor is not required to document all personal red flags—for example,
excessive gambling debts or an excessive living style. The requirement to document these red flags is
pertinent only when the auditor continues a fraud investigation or the item is pertinent to a particular
audit finding.
A programmed computer output notification identifying unusual entries would identify the write‐off
of the payee’s account to suspense as an unusual item immediately when it occurs.
C . The annual internal audit may detect the fraud, but it is unlikely to do so because of the small
amount involved. In any case, the timing of the internal audit may delay discovery.
D . Regular reconciliation of the suspense account would occur at a date later than the computer
output notification.
Question 66
Fraud hotlines may identify areas where existing internal controls need to be modified or enhanced.
A . Performance measures focus on reducing the total costs of the company as a whole.
B . Responsibility accounting is concerned with measuring how well organizational members are
achieving the organization’s goals.
D . Management by exception concentrates on areas that deserve attention and places less attention
on areas operating as expected.
Question 67
A programmer accumulating round‐off errors into one account that is later accessed by the
programmer is a type of computer fraud. The best way to prevent this type of fraud is to:
a) Build in judgment with reasonableness tests.
b) Independently test programs during development and limit access to the programs.
c) Segregate duties of systems development and programming.
d) Use control totals and check the results of the computer.
The accumulation of round‐off errors into one person’s account is a procedure written into the
program. Independent testing of a program will lead to discovery of this programmed fraud. If access
to programs was not limited, it would be possible for a programmer to change a program without
approval.
A . Reasonableness tests will not overcome this error, since in this particular type of fraud, all the
amounts will balance.
C . Segregation of duties between systems development and programming generally would not
prevent this type of error, since programmers possess the skills required to construct the program.
Unless the controls outlined in the correct answer are present, the fraud would go undetected.
D . Since the particular fraud results in a balanced entry, control totals would not detect the fraud.
Question 68
Which of the following statements is (are) correct regarding the deterrence of fraud?
I. The primary means of deterring fraud is through an effective control system initiated by
top management.
II. Internal auditors are responsible for assisting in the deterrence of fraud by examining
and evaluating the adequacy of the control system.
III. Internal auditors should determine whether communication channels provide
management with adequate and reliable information regarding the effectiveness of
the control system and the occurrence of unusual transactions.
I only
I and II only
II only
All three items are correct statements according to the IIA Standards.
Question 69
A significant employee fraud took place shortly after an internal audit. The internal auditor may not
have properly fulfilled the responsibility for the deterrence of fraud by failing to note and report
that:
Policies, practices, and procedures to monitor activities and safeguard assets were less extensive in
low-risk areas than in high-risk areas.
A system of control that depended on separation of duties could be circumvented by collusion among
three employees.
There were no written policies describing prohibited activities and the action required whenever
violations are discovered.
Divisional employees had not been properly trained to distinguish between bona fide signatures and
cleverly forged ones on authorization forms.
In carrying out its responsibility for the deterrence of fraud, internal auditing should determine
whether such written policy statements exist.
A . On a cost/benefit basis, it is entirely reasonable to have more extensive control policies, practices,
and procedures in high-risk areas.
B . Often even the best of internal control systems can be circumvented by collusion.
D . Forgeries, like collusion, can circumvent even the best of internal control systems.
Question 70
Fraudulent use of corporate credit cards would be minimized by which of the following internal
control procedures?
Reviewing the validity of credit card need at executive and operating levels on a periodic basis.
Reconciling the monthly statement from the credit card company with the submitted copies of the
cardholders’ charge slips.
Subjecting credit card charges to the same expense controls as those used on regular company
expense forms.
Subjecting credit card expenses to the same controls used in processing similar expense reports. In
this way, per diems and authorization limits would be reviewed.
A . Establishing a corporate policy on the issuance of credit cards does nothing to prevent fraudulent
usage by those authorized to use company cards.
B . This procedure helps ensure the validity of issuance rather than usage within prescribed
limitations.
C . Reconciling the monthly statement with the cardholders’ charge slips would determine that the
amount of the separate charge items and the vendor codes were in agreement. However, amounts
charged may exceed authorized limits and amounts incurred may not be business related. The same
expense controls should be applied to charge transactions as those applied to currency.
Question 71
A fraud was perpetrated in a moderate-size company when the accounting clerk was delegated too
much responsibility. During the year, the company switched suppliers of a service to a new vendor.
The accounting clerk continued to submit fraudulent invoices from the old supplier. Because
contracting for services and approval of supplier invoices had been delegated to the clerk, it was
possible for her to continue billings from the old supplier and deposit the subsequent checks, which
she was responsible to mail, into a new account she opened in the name of the old supplier. The
clerk was considered an excellent employee and eventually was improperly given the added
responsibility of preparing the department budgets. This added responsibility allowed her to
actually budget for the amount of the fraudulent payments.
Analytical tests can be useful in detecting frauds. Which of the following analytical procedures
would most likely have signaled the existence of the fraud?
Period-to-period analysis of expenses would have shown a sudden increase in material costs.
A . Comparison of production totals would not provide information concerning suppliers or the
amount of materials used.
C . At the time the fraud was uncovered, the amount taken was included in the organization's budget.
D . The service may not have been part of cost of goods sold but, if so, comparison to industry
averages is not as likely to reveal the extra cost as is comparison of company data period to period.
Question 72
A fraud was perpetrated in a moderate-size company when the accounting clerk was delegated too
much responsibility. During the year, the company switched suppliers of a service to a new vendor.
The accounting clerk continued to submit fraudulent invoices from the old supplier. Because
contracting for services and approval of supplier invoices had been delegated to the clerk, it was
possible for her to continue billings from the old supplier and deposit the subsequent checks, which
she was responsible to mail, into a new account she opened in the name of the old supplier. The
clerk was considered an excellent employee and eventually was improperly given the added
responsibility of preparing the department budgets. This added responsibility allowed her to
actually budget for the amount of the fraudulent payments.
Which of the following controls would be least likely to prevent or detect the fraud described
above?
a) Require authorization of payments by someone other than the clerk negotiating the
contract
b) Comparison by person signing checks of invoices to an independent verification of
services rendered
c) Budget preparation by someone other than person signing contract and approving
payment
d) Mailing of check by someone other than person responsible for check signing or
invoice approval
Once invoices have been approved and checks are prepared and signed, the mailing of the check by
an independent person provides no means of preventing improper payments.
A . Separating contracting for service and approval of invoices would have prevented the fraud.
B . An independent verification of services received, reviewed by the check signer, would have
prevented payment for services not received.
C . Independent budget preparation would have allowed an actual-to-budget comparison to detect
the payments.
Question 73
A fraud was perpetrated in a moderate-size company when the accounting clerk was delegated too
much responsibility. During the year, the company switched suppliers of a service to a new vendor.
The accounting clerk continued to submit fraudulent invoices from the old supplier. Because
contracting for services and approval of supplier invoices had been delegated to the clerk, it was
possible for her to continue billings from the old supplier and deposit the subsequent checks, which
she was responsible to mail, into a new account she opened in the name of the old supplier. The
clerk was considered an excellent employee and eventually was improperly given the added
responsibility of preparing the department budgets. This added responsibility allowed her to
actually budget for the amount of the fraudulent payments.
Which of the following audit procedures would most likely lead to the detection of the fraud?
Confirming with the using department the receipt of services that have been paid for would uncover
the fraud.
B . The clerk approved the fraudulent invoices and an “approved” invoice would therefore support
each check.
C . Bank statement reconciliations do not test the validity of the cash payments.
D . The test begins with valid receiving reports; the fraudulent payments would not be detected.
Question 74
A production manager for a moderate-size manufacturing company began ordering excessive raw
materials and had them delivered to a wholesale company he runs as a side business. He falsified
receiving documents and approved the invoices for payment. Which of the following audit
procedures would most likely detect this fraud?
Take a sample of cash disbursements; compare purchase orders, receiving reports, invoices, and
check copies.
Take a sample and confirm the amount purchased, purchase price, and date of shipment with the
vendors.
Observe the receiving dock and count material received; compare your counts to receiving reports
completed by receiving personnel.
Prepare analytical tests, comparing production, material purchased, and raw material inventory levels,
and investigate differences.
Because materials are shipped and used in another business, the analytic comparisons would show an
unexplained increase in materials used.
A . Because documents are falsified, all supporting documents would match for each cash
disbursement.
B . Vendors would confirm all transactions, because all have been made.
C . Fraudulent orders are shipped to another location; the receiving dock procedures would appear
correct.
Question 75
A purchasing agent acquired items for personal use with company funds. The company allowed
designated employees to purchase as much as $250 per day in merchandise under open‐ended
contracts. Supervisory approval of the purchases was required, but that information was not
communicated to the vendor. Instead of reviewing and authorizing each purchase order,
supervisors routinely signed the authorization sheet at the end of the month without reviewing any
of the supporting documentation. Since purchases of this nature were not subject to normal
company receiving policies, the dishonest employee picked up the supplies at the vendor’s
warehouse. All purchases were for items routinely ordered by the company. During the past year,
the employee amassed enough merchandise to start a printing and photography business. Which of
the following internal controls would have been most effective in preventing this fraud?
If the supplies in question had been sent to the company and a receiving report had been signed by
an employee other than the one ordering them, the fraud could not have occurred.
A . There is nothing suggesting inappropriate actions by the vendor or collusion between the vendor
and the dishonest employee.
B . Purchase orders are being issued by the dishonest employee, who has the authority to do so. They
may be prenumbered—that would not prevent him from engaging in this fraud.
C . This control is to prevent the same document from being used to support two identical payments;
that is not the case here.
Question 76
A purchasing agent acquired items for personal use with company funds. The company allowed
designated employees to purchase as much as $250 per day in merchandise under open‐ended
contracts. Supervisory approval of the purchases was required, but that information was not
communicated to the vendor. Instead of reviewing and authorizing each purchase order,
supervisors routinely signed the authorization sheet at the end of the month without reviewing any
of the supporting documentation. Since purchases of this nature were not subject to normal
company receiving policies, the dishonest employee picked up the supplies at the vendor’s
warehouse. All purchases were for items routinely ordered by the company. During the past year,
the employee amassed enough merchandise to start a printing and photography business. Which of
the following audit procedures performed by the internal auditor would be most effective in
leading to the discovery of this fraud?
a) Tracing selected canceled checks to the cash payments journal and to the related
vendors’ invoices.
b) Performing a trend analysis of printing supplies expenses for a two‐year period.
c) Tracing prices and quantities on selected vendors’ invoices to the related purchase
orders.
d) Recomputing the clerical accuracy of selected vendors’ invoices, including discounts
and sales taxes.
A . There is a legitimate vendor’s invoice for each cash payment related to this fraud.
C . There is nothing in this scenario that would cause the invoice prices or quantities to be different
from those on the purchase order prepared by the dishonest employee.
D . Recomputations prove accuracy of invoices but do not detect fraud.
Question 77
A purchasing agent acquired items for personal use with company funds. The company allowed
designated employees to purchase as much as $250 per day in merchandise under open‐ended
contracts. Supervisory approval of the purchases was required, but that information was not
communicated to the vendor. Instead of reviewing and authorizing each purchase order,
supervisors routinely signed the authorization sheet at the end of the month without reviewing any
of the supporting documentation. Since purchases of this nature were not subject to normal
company receiving policies, the dishonest employee picked up the supplies at the vendor’s
warehouse. All purchases were for items routinely ordered by the company. During the past year,
the employee amassed enough merchandise to start a printing and photography business. Once the
internal auditor becomes reasonably certain that this defalcation is taking place, what should the
auditor do next?
a) Immediately report the matter to the appropriate law enforcement official, since a
potential felony is involved.
b) Say nothing now, but include a description of the suspected defalcation in the audit.
c) Immediately report the matter to the appropriate level of management.
d) Immediately discuss the matter with the employee suspected of the defalcation in
order to confirm the audit findings.
The IIA Standards state: “When an internal auditor suspects wrongdoing, the appropriate authorities
within the organization should be informed.”
A . The Standards state that “internal auditors are not responsible for notifying outside authorities of
suspected wrongdoing.”
B . A delay in reporting the suspected defalcation will allow it to continue and/or give the suspected
dishonest employee time to destroy or conceal important evidence.
D . Once the dishonest employee knows that he or she is suspected, the person has an opportunity to
destroy or to conceal important evidence or to flee to avoid apprehension.
Question 78
Management discovers that a supervisor at one of their restaurant locations removes excess cash
and resets sales totals throughout the day on the point-of-sale (POS) system. At closing, the
supervisor deposits cash equal to the recorded sales on the POS system and keeps the rest.
The supervisor forwards the close-of-day POS reports from the POS system along with a copy of the
bank deposit slip to the company's revenue accounting department. The revenue accounting
department records the sales and the cash for the location in the general ledger and verifies the
deposit slip to the bank statement. Any differences between sales and deposits are recorded in an
over/short account and, if necessary, followed up with the location supervisor. The customer food
order checks are serially numbered, and it is the supervisor's responsibility to see that they are
accounted for at the end of each day. Customer checks and the transaction journal tapes from the
POS system are kept by the supervisor for one week at the location and then destroyed.
Which of the following control procedures allowed the fraud to occur?
An inappropriate segregation of duties was created when responsibility for accounting for customer
food checks and the depositing of receipts was given to the supervisor.
B . The depositing of receipts by the supervisor by itself is not the problem; it is the access to cash and
ability to reset POS totals throughout the day that allowed the fraud.
Question 79
Management discovers that a supervisor at one of their restaurant locations removes excess cash
and resets sales totals throughout the day on the point-of-sale (POS) system. At closing, the
supervisor deposits cash equal to the recorded sales on the POS system and keeps the rest.
The supervisor forwards the close-of-day POS reports from the POS system along with a copy of the
bank deposit slip to the company's revenue accounting department. The revenue accounting
department records the sales and the cash for the location in the general ledger and verifies the
deposit slip to the bank statement. Any differences between sales and deposits are recorded in an
over/short account and, if necessary, followed up with the location supervisor. The customer food
order checks are serially numbered, and it is the supervisor's responsibility to see that they are
accounted for at the end of each day. Customer checks and the transaction journal tapes from the
POS system are kept by the supervisor for one week at the location and then destroyed.
Which of the following audit procedures would have detected the fraud?
Using the total of the customer food checks as a confirmation of sales would have detected the
shortage in the bank deposit.
A . The fraud involved receipts, not deposits.
B . The fraud involved altering the amounts on the close-of-day POS reports by resetting the POS
system totals to zero.
C . The accounting for individual customer food checks would not have detected the fraud because it
did not involve manipulation of these devices.
Question 80
The IIA Standards require internal auditors to have knowledge about factors (red flags) that have
proven to be associated with management fraud. Which of the following factors have generally not
been associated with management fraud?
Regular actual-to-budget comparisons encourage performance and detect problems before they
become too large.
A . Generous reward systems can lead managers to falsify records so that rewards can be achieved.
B . Domineering management causes managers to falsify records so as to meet the demands of upper
management.
D . Preoccupation with increased financial performance can cause management to falsify records to
show increased performance.
Question 81
A personnel department is responsible for processing placement agency fees for new hires. A
recruiter established some bogus placement agencies. When interviewing walk‐in applicants, the
recruiter would list one of the bogus agencies as referring the candidate. A possible means of
detection or deterrence is to:
a) Process all personnel agency invoices via a purchase order through the purchasing
department.
b) Verify new vendors to firms listed in a professional association catalog and/or verify
the vendor name and address through the telephone book.
c) Monitor the closeness of the relationships of recruiters with specific vendors.
d) Require all employees to sign an annual conflict‐of‐interest statement.
This type of checking would prove that the agency is a genuine one.
A . Invoices being processed through purchasing will not add any additional controls. Purchasing
would have to make an independent source selection of the vendor.
C . This is not practical for all employees. The degree of closeness in itself is not a conflict nor might it
be subject to scrutiny.
D . If a person was unethical, he or she probably would not disclose any illegal activity that the person
is processing through the company.
Question 82
Experience has shown that certain conditions in an organization are symptoms of possible
management fraud. Which of the following conditions would not be considered an indicator of
possible fraud?
Question 83
Which of the following is an indicator of possible financial reporting fraud being perpetrated by
management of a manufacturer?
1. A trend analysis discloses (1) sales increases of 50% and (2) cost of goods sold
increases of 25%.
2. A ratio analysis discloses (1) sales of $50 million and (2) cost of goods sold of $25
million.
3. A cross‐sectional analysis of common size statements discloses: (1) the firm’s ratio of
cost of goods sold to sales is 0.4 and (2) the industry average ratio of cost of goods
sold to sales is 0.5.
4. A cross‐sectional analysis of common size statements discloses: (1) the firm’s ratio of
cost of goods sold to sales is 0.5 and (2) the industry average ratio of cost of goods
sold to sales is 0.4.
A 50% increase in sales supported by a 25% increase in cost of goods sold is either fortuitous or
fraudulent. Increases in sales usually are accompanied by close to proportional increases in cost of
goods sold. Examples of situations in which increases in sales can be disproportionately larger than
increases in cost of goods sold include: (1) operations within the realm of economies of scale
(increasing returns to scale) and (2) the introduction of a highly accepted fashion item. Cases where
disproportionately large sales increases indicate fraudulent conduct include: (1) collusion by the host
firm’s sales personnel and the buying firm’s purchasing personnel and (2) collusion by members of
two departments within the host firm, such as sales and transportation. Since the internal auditor
would not know whether the disproportionately large increase in sales is legitimate, the auditor
should view this as an indicator of possible fraud.
B . Sales of $50 million and cost of goods sold of $25 million yield a gross profit margin (GPM) of 50%.
Manufacturers can expect a range of 40% to 60% on this ratio.
C . These data indicate an industry GPM of 0.5 and host firm GPM of 0.4. The greater GPM realized by
the host firm may result from any number of reasonable causes. These include: (1) greater efficiencies
exercised by the host firm, (2) greater sales effort (or a more highly accepted product), and (3)
measurement errors.
D . These data indicate an industry GPM of 0.4 and a host firm GPM of 0.5. The lower GPM realized by
the host firm may result from such causes as: (1) host firm inefficiencies, (2) less acceptance of host
firm product or less sales effort, and (3) measurement errors.
Question 84
Which of the following might be considered a red flag indicating possible fraud in a large
manufacturing company with several subsidiaries?
Experience shows that such transfers are often used in fraud schemes. This is the only red flag among
the options.
Question 85
A subsidiary president terminated a controller and hired a replacement without the required
corporate approvals. The new controller and president then manipulated sales, cash flow, and
profit statistics via accelerated depreciation and sale of capital assets to obtain larger performance
bonuses for themselves. An approach that might detect this fraudulent activity would be:
A . Analysis of segregation of duties will not detect fraudulent activity; it only shows areas where
opportunity exists.
B . Exit interviews are not as effective at the officer level, since most individuals will not want to
compromise severance arrangements.
C . Changing outside auditor’s coverage of divisions will not mandate better due diligence reviews.
Question 86
Bank management suspects that a bank loan officer frequently made loans to fictitious companies,
disbursed loan proceeds to personally established accounts, and then let the loans go into default.
Some pertinent facts about the loan officer include:
A high standard of living, explained as the result of sound investments and not
taking vacations.
An expensive personal car obtained through business contacts.
Gasoline and repair bills submitted for an assigned company car that are higher
than company average (mileage logs were submitted on a quarterly basis).
Marked annoyance with questions from auditors.
In this situation, typical indicators of the suspected fraud would include all of the following except:
Question 87
Bank management suspects that a bank loan officer frequently made loans to fictitious companies,
disbursed loan proceeds to personally established accounts, and then let the loans go into default.
Some pertinent facts about the loan officer include:
A high standard of living, explained as the result of sound investments and not
taking vacations.
An expensive personal car obtained through business contacts.
Gasoline and repair bills submitted for an assigned company car that are higher
than company average (mileage logs were submitted on a quarterly basis).
Marked annoyance with questions from auditors.
The most appropriate trend analysis to indicate this potential fraud is:
Trend analysis would detect an increase in the default rate due to bogus loans.
C . Although trend analysis could detect higher-than-average expenses for operation of the company
car, it has no relationship to suspected fraudulent loans.
D . The total dollar value of loans made would not correlate to fraudulent loans.
Question 88
Bank management suspects that a bank loan officer frequently made loans to fictitious companies,
disbursed loan proceeds to personally established accounts, and then let the loans go into default.
Some pertinent facts about the loan officer include:
A high standard of living, explained as the result of sound investments and not
taking vacations.
An expensive personal car obtained through business contacts.
Gasoline and repair bills submitted for an assigned company car that are higher
than company average (mileage logs were submitted on a quarterly basis).
Marked annoyance with questions from auditors.
The extent of loans made to fictitious borrowers by the loan officer could best be determined by:
A . A compliance audit would not show which loans were made to fictitious borrowers.
C . The loan officer's level of activity might be higher or lower whether fraudulent activity existed or
not.
Question 89
Bank management suspects that a bank loan officer frequently made loans to fictitious companies,
disbursed loan proceeds to personally established accounts, and then let the loans go into default.
Some pertinent facts about the loan officer include:
A high standard of living, explained as the result of sound investments and not
taking vacations.
An expensive personal car obtained through business contacts.
Gasoline and repair bills submitted for an assigned company car that are higher
than company average (mileage logs were submitted on a quarterly basis).
Marked annoyance with questions from auditors.
Reconciling outstanding loans to the general ledger would be least likely to discover this fraud.
Question 90
Which of the following policies is most likely to result in an environment conducive to the
occurrence of fraud?
a) Budget preparation input by the employees who are responsible for meeting the
budget.
b) Unreasonable sales and production goals.
c) A division hiring process that frequently results in the rejection of adequately
trained applicants.
d) The application of some accounting controls on a sample basis.
A prod to achieve an unrealistically high sales or production quota can become a prod to falsify the
records so that it appears the quota has been met.
A . Participatory budgeting can reduce antagonism to budgets and reduce the likelihood of
inappropriate means of meeting the budget.
C . First, hiring policies should be based on factors other than adequate training—such as the
applicants’ personal integrity. Second, in many labor markets, the large number of applicants may
cause rejection of qualified ones to be unavoidable.
D . Under the reasonable assurance concept, the cost of controls should not exceed their benefits. It
is quite possible that, in some areas, the additional cost of applying controls to all relevant
transactions, rather than just a sample of them, may be greater than the resultant savings.
Question 91
Internal auditors must exercise due care if they are to meet their responsibilities for fraud detection.
Thus, the existence of certain conditions should raise red flags and arouse auditors' professional
skepticism concerning possible fraud. Which of the following is most likely to be considered an
indication of possible fraud?
Question 92
In order for internal auditors to be able to recognize potential fraud, they must be aware of the
basic characteristics of fraud. Which of the following is not a characteristic of fraud?
a) Intentional deception.
b) Taking unfair or dishonest advantage.
c) Perpetration for the benefit or detriment of the organization.
d) Negligence on the part of executive management.
Question 93
Auditors have been advised to look at red flags to determine whether management is involved in a
fraud. Which of the following does not represent a difficulty in using the red flags as fraud
indicators?
a) Many common red flags are also associated with situations where no fraud exists.
b) Some red flags are difficult to quantify or to evaluate.
c) Red flag information is not gathered as a normal part of an audit engagement.
d) The red flags literature is not well enough established to have a positive impact on
auditing.
This is not a difficulty. The red flags literature is well established. Although red flags will be refined in
the future as research is done, this does not preclude their effective use.
A . This is a difficulty in using red flags. Red flags are developed through correlation analysis, not
necessarily causation analysis.
C . When performing an audit, internal auditors should be alert to the possibility of intentional
wrongdoing, errors, omissions, inefficiency, waste, ineffectiveness, and conflicts of interest.
Question 94
Management of a nonprofit organization has been monitoring spending and is concerned because
payments to some vendors appear to be unusually high. Most purchases are made through the
purchasing function, which is organized around three buyers, each with defined purchasing areas.
The purchasing agents place the purchase orders and receive copies of receiving reports to ensure
goods are received. They review the reports and compare them with the purchase orders before
sending the items to accounts payable with their approval for payment. All vendor invoices are sent
directly to accounts payable even though receiving reports first go through the purchasing agents.
The organization has a policy of requiring three bids on all purchases that exceed $10,000.
Which of the following, if observed, would not indicate the need to search for other indicators of
fraud?
a) The standard of living of one of the purchasing agents has increased.
b) The internal control structure has significant weaknesses.
c) Management, at the purchasing agents' request, has adopted a policy of paying
vendors on a more timely basis to avoid incurring penalty charges.
d) The cost of goods procured seems to be excessive in comparison with previous
years.
This, by itself, would not be considered a red flag. It represents a valid business reason for more
timely payment.
A . This is generally considered a red flag, which is most indicative of possible fraud.
B . Significant deficiencies are one of the major factors associated with fraud.
Question 95
Management of a nonprofit organization has been monitoring spending and is concerned because
payments to some vendors appear to be unusually high. Most purchases are made through the
purchasing function, which is organized around three buyers, each with defined purchasing areas.
The purchasing agents place the purchase orders and receive copies of receiving reports to ensure
goods are received. They review the reports and compare them with the purchase orders before
sending the items to accounts payable with their approval for payment. All vendor invoices are sent
directly to accounts payable even though receiving reports first go through the purchasing agents.
The organization has a policy of requiring three bids on all purchases that exceed $10,000.
Which of the following statements regarding the internal auditor's responsibility for detecting fraud
in the environment described in the scenario above is not correct? The auditor should:
The presence of red flags does not make the auditor responsible for detecting fraud.
Question 96
The internal auditor's responsibility for the prevention of fraud would include all of the following
except:
The auditor is not responsible for acting as an ensurer or guarantor against fraud (IIA Standard
1220—Due Professional Care).
Question 97
When an auditor's sampling objective is to obtain a measurable assurance that a sample will
contain at least one occurrence of a specific critical exception existing in a population, the sampling
approach to use is:
a) Random.
b) Discovery.
c) Probability proportional to size.
d) Variables.
Discovery sampling is structured to measure the probability of at least one exception occurring in a
sample if there are a minimum number of errors in the population.
A . Random sampling deals only with the technique used to choose the sample.
C . Probability‐proportional‐to‐size sampling deals with the technique used to select items but does
not apply when attempting to discover critical occurrences.
D . Variables sampling need not include at least one exception of a critical occurrence.
Question 98
A salami technique is a theft of small amounts of assets and money from a number of sources (e.g.,
bank accounts, inventory accounts, and accounts payable and receivable accounts). It also uses the
rounding-down concept, in which a fraction of money is taken from bank accounts.
Question 99
a) Access controls.
b) Program change controls.
c) Rapid correction of data.
d) Integrity checking.
Data diddling can be prevented by limiting access to data and programs and limiting the methods
used to perform modification to such data and programs. Integrity checking also helps in prevention.
Rapid detection is needed—the sooner the better—because correcting data diddling is expensive.
Question 100
Superzapping leaves no evidence of file changes, and the only reliable way to detect this activity is by
comparing current data files with previous generations of the same file.
D . It is very difficult to find, let alone review, undocumented transactions. Even if these transactions
are found, there is no assurance that the task is complete.