CIA Part II : Internal Auditing Practice

Selected Topics: Managing the Internal Audit Function 1. Strategic Role of Internal Audit 2. Operational Role of Internal Audit 3. Establish Risk-Based Internal Audit Plan

1. Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged. Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange connections with its major vendors. The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies two computer systems and control philosophy for individual store operations. During the first meeting, a disagreement occurs over the approach taken regarding store compliance. The audit director for Company B questions Company As extensive use of store compliance testing, stating that the approach is neither responsive to materiality concepts nor an appropriate application of risk assessment. Company As audit director presents the following reasoning: I. II. III. You have misconstrued materiality. Materiality is not based only on the size of individual stores; it is also based on the control structure that affects the whole organization. Any deviation from a prescribed control procedure is, by definition, material. The only way to ensure that a material amount of the companys control structure is covered is to comprehensively audit all stores.

Which statement(s) by the audit director of Company A is (are) valid? A. I, II, and III. B. I only. C. III only. D. I and II only. ANSWER: B - Materiality is defined by the potential impact of an item on the organization and is not limited to items that can be assessed only in quantitative terms. 2. A company has two manufacturing facilities. Each facility has two manufacturing processes and a separate packaging process. The processes are similar at both facilities. Raw materials used include aluminum, materials to make plastic, various chemicals, and solvents. Pollution occurs at several operational stages, including raw materials handling and storage, process chemical use, finished goods handling, and disposal. Waste products produced during the manufacturing processes include several that are considered hazardous. The nonhazardous waste is transported to the local landfill. An outside waste vendor is used for the treatment, storage, and disposal of all hazardous waste. Management is aware of the need for compliance with environmental laws. The company recently developed an environmental policy that includes a statement that each employee is responsible for compliance with environmental laws. In many countries, the company generating hazardous waste is responsible for the waste from cradle to grave (creation to destruction). A potential risk to the company is the use of an outside vendor to process hazardous waste. Which of the following steps should be performed during a review of the waste vendor? I. Review the vendors documentation on hazardous material. II. Review the financial solvency of the vendor. III. Review the vendors emergency response planning. IV. I, II, and III A. B. C. D. I only. II only. III only. IV.

ANSWER: D All action must be accomplished

3. Successful consultative communication in an internal audit is partially based on feedback from auditees about auditors actions during the audit. This feedback: A. Should go to both management and the auditors to ensure business value is being added. B. Should go only to senior management as a means of reviewing the auditors. C. Should go only to the auditors to help them improve their audit performance. D. Will keep auditees on the defensive regarding the auditors. ANSWER: A - Both management and auditors should be involved in improving the image of internal audit in the organization. 4. The transportation department for a large manufacturing company maintains its vehicle inventory and maintenance records in a database on a stand-alone microcomputer in the fleet supervisors office. Which audit approach is most appropriate for evaluating the accuracy of the database information? A. Submit batches of test transactions through the current system and verify with expected results. B. Verify a sample of the records extracted from the database with supporting documentation. C. Use program tracing to show how, and in what sequence, program instructions are processed in the system. D. Simulate normal processing by using test programs. ANSWER: B - Verifying is the most often used technique in testing the accuracy of information maintained by a system, whether manual or automated. 5. Management is concerned with a recent increase in expenditures and lower profits at a division and has asked the internal audit department to perform an operational audit of the division. Management would like to have the audit completed as quickly as possible and has asked the internal audit department to allocate all possible resources to the task. The director of internal audit is concerned with the time pressure since the internal audit department is heavily involved in a major legal compliance audit that had been requested by the audit committee. Which of the following comments are correct regarding the assessment of risk associated with the two projects? I. II. III. Activities requested by the audit committee should always be considered higher risk than those requested by management. Activities with higher-dollar budgets should always be considered higher risk than those with lower-dollar budgets. Risk should always be measured by the potential dollar or adverse exposure to the organization. A. II only. B. III only. C. I and III. D. I only. ANSWER: B - This is the basic definition of risk given in the IIA Standards. 6. An element of authority that should be included in the charter of the internal auditing department is: A. Access to records, personnel, and physical properties relevant to the performance of audits. B. Access to the external auditors working papers. C. Identification of the types of disclosures that should be made to the audit committee. D. Identification of the operational departments that the audit department must audit. ANSWER: A - The auditor must have access to all audit evidence in order to fulfill his or her obligations and responsibilities.

7. During an operational audit, the auditor compares the current staffing of a department with established industry standards in order to: A. Identify bogus employees on the departments payroll. B. Assess the current performance of the department and make appropriate recommendations for improvement. C. Evaluate the adequacy of the established internal controls for the department. D. Determine whether the department has complied with all laws and regulations governing its personnel. ANSWER: B - The goal of an operational audit is to assess current performance and make any recommendations for improvement. 8. Which of the following auditable activities represents the greatest risk to a postmerger manufacturing corporation and would therefore most likely be subjected to an audit? A. B. C. D. Combining imprest funds. Combining marketing functions. Combining purchasing functions. Combining legal functions.

ANSWER: C - Of all the four choices, the purchasing function typically represents significant risk for a manufacturing operation. In a merger of two manufacturers purchasing functions, that auditable area can be a source of even more significant risk. 9. Which audit planning tool is general in nature and used to ensure adequate audit coverage over time? A. B. C. D. The audit program. The department charter. The department budget. The long-range schedule.

ANSWER: D - The long-range schedule gives evidence of coverage of key functions at planned intervals. 10. Following a negative performance evaluation by a supervisor, a staff auditor went to the audit director to seek a change in the evaluation. The director was familiar with the auditors performance and agreed with the evaluation. The director agreed to meet and discuss the situation. Which of the following is the best course of action for the director to take? A. Meet privately with the employee. Encourage discussion by asking for the employees side of the issue and disclaiming any agreement with the supervisor. B. Have a human resources administrator present to ensure that improper statements are not made. C. Have the supervisor participate in the meeting, so that there is no misunderstanding about the facts. D. Meet privately with the employee. Tell the employee of the directors agreement with the performance evaluation and express interest in any additional facts the employee may wish to present. ANSWER: D - A private conversation signals to the employee that the director is interested in what he or she has to say and will not be measuring his or her words against those of another. However, the director must establish a position and show support for the supervisor. There may be more than one valid viewpoint, but that does not necessarily mean that the employees is valid.

11. Passwords for microcomputer software programs are designed to prevent: A. B. C. D. Inaccurate processing of data. Unauthorized use of the software. Unauthorized access to the computer. Incomplete updating of data files.

ANSWER: B - Passwords protect access to the software and/or data. 12. Employees using personal computers have been reporting occupational injuries and claiming substantial workers compensation benefits. Working papers of an operational audit to determine the extent of company exposure to such personal injury liability should include: A. B. C. D. Listings of all personal computers in use and the employees who are assigned to use them. Reviews of documentation supporting purchases of personal computers. Analysis of claims by type of equipment and extensiveness of use by individual employees. Confirmations from insurance carriers as to claims paid under workers compensation policies in force.

ANSWER: C - Claims analysis is an appropriate inclusion since it enables identification of the importance of the two key factors (equipment in use and time spent by employees at such equipment) in leading to claims. 13. The advantage attributed to the establishment of internal auditing field offices for work at remote locations is best described as: A. B. C. D. The increased ease of maintaining uniform company-wide standards. The possibility of increased objectivity of personnel assigned to a field office. More contact with senior audit personnel leading to an increase in control. A reduction of travel time and related travel expense.

ANSWER: D - This is the advantage of a field office. 14. A company uses a local area network (LAN) to connect its four city area sales offices to the headquarter office. Sales information such as credit approval and other customer information, prices, account information, and so on is maintained at headquarters. This office also houses the inventory and shipping functions. Each area office is connected to the headquarters office computer, and messages/information between the area offices pass through the headquarters computer. This communication configuration allows for real-time confirmation of shipments as well as billing and account status. The company is concerned about the accuracy and sensitivity of its information and has implemented controls to protect the database used by the area offices. (1) The data are modeled after a tree structure, with each record type having any number of lower-level dependent records. The relationship is a one-to-many rather than a many-to-many relationship. When a user enters the system, a series of questions is asked of the user. These (2) questions include a name and mothers birth date. The headquarters computer maintains a (3) matrix of user names and the files/programs the user can access as well as what the user can do to/with the file or program. A recent addition to the system controls involves a lockout procedure. This procedure (4) locks out a particular record to other sales offices while a particular sales office is using the record. This control ensures that each transaction has the most recent and accurate information available when the sales office is processing the event. The database system described in (1) above is an example of which type of database model? A. B. C. D. Distributed. Hierarchical. Network. Relational.

ANSWER: B - Tree structure and one-to-many relationships describe a hierarchical database system.

15. Internal audit staff members should be afforded an appropriate means through which they can discuss problems and receive updates regarding departmental policies. The most appropriate forum for this objective is: A. B. C. D. Intradepartment memoranda. Employee evaluation conferences. Staff meetings. The departments informal communication lines.

ANSWER: C - Formal staff meetings provide the best opportunity for ensuring that issues are addressed timely and efficiently. 16. An information technology (IT) auditor overheard talk about a flaw in system design of a new computer-based application system development project. What should the auditor do first? A. Immediately schedule an audit of the new system. B. Talk to the system development project team. C. Discuss the issue with audit management. D. Do nothing since it is hearsay. ANSWER: C - In situations of hearsay, the auditor should handle the matter very carefully so as not to be criticized for using insufficient evidence. First, the auditor should discuss the issue with audit management to see if it knows something about the situation. The audit management should move the case forward. 17. In some cultures and organizations, managers insist that the internal auditing function is not needed to provide a critical assessment of the organizations operations. A management attitude such as this will most probably have an adverse effect on the internal auditing functions: A. B. C. D. Operating budget variance. Effectiveness. Performance appraisals. Policies and procedures.

ANSWER: B - In this type of situation, management is highly averse to analysis or possible criticism of its actions and will inhibit the internal audit departments effectiveness. 18. Which of the following features of a large manufacturing companys organization structure would be a control weakness? A. The chief financial officer is a vice president who reports to the chief executive officer. B. The IT department is headed by a vice president who reports directly to the president. C. The audit committee of the board consists of the chief executive officer, the chief financial officer, and a major stockholder. D. The controller and treasurer report to the chief financial officer. ANSWER: C - The audit committee should be made up of independent directors.

19. Upon being appointed, a new director of internal auditing found an inexperienced audit staff that was over budget on most audits. A detailed review of audit working papers revealed no evidence of progressive reviews by audit supervisors. Additionally, there was no evidence that a quality assurance program existed. Determining that audit objectives have been met is part of the overall supervision of an audit assignment and is the ultimate responsibility of the A. B. C. D. Staff internal auditor. Audit committee. Director of internal auditing. Internal auditing supervisor.

ANSWER: C - The director of internal auditing is responsible for supervision, including determining that audit objectives are being met. 20. In planning an audit, the internal auditor should design audit objectives and procedures to address the risk associated with the activity. Risk is defined as: A. The failure to accomplish established objectives and goals for operations or programs. B. The failure to adhere to organizational policies, plans, and procedures, or not complying with relevant laws and regulations. C. The risk that the balance or class of transactions and related assertions contain misstatements that could be material to the financial statements. D. The probability that an event or action may adversely affect the activity under audit. ANSWER: D - The IIA Standards specifically define risk as the probability that an event or action may adversely affect the activity under audit. 21. Once the information technology auditor becomes reasonably certain about a case of fraud, what should the auditor do next? A. B. C. D. Say nothing now since it should be kept secret. Report it to law enforcement officials. Discuss it with the employee suspected of fraud. Report it to the company management.

ANSWER: D - In fraud situations, the auditor should proceed with caution. When the auditor is certain about a fraud, he or she should report it to company management, not to external organizations. 22. The audit team leader is least likely to have a primary role in: A. B. C. D. Allocating budget audit hours among assigned staff. Preparing the critique sheet for the audit. Reviewing the working papers. Updating the permanent files.

ANSWER: D - This is a task most likely performed by the audit staff. 23. Audit committees are responsible for: A. B. C. D. Reviewing and approving the internal audit charter. Selecting the independent accountants. Developing the internal auditing plan and budget. Selecting the director of internal auditing.

ANSWER: A - This is an oversight activity. It will ensure that internal auditors are carrying out their responsibilities.

24. During a computer risk assessment process, which of the following would not be considered an auditable activity? A. B. C. D. Print software. Telecommunications software. Application software. Systems software.

ANSWER: A - The audit resources should be allocated to those areas where the risk level is the highest. Print software is low risk compared to the other three types of software to be reviewed by an auditor. 25. Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged. Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors. The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies two computer systems and control philosophy for individual store operations. Which of the following would be the least important risk factor when considering the ability to integrate the two companies computer systems? A. The size of company databases and the number of database servers used. B. The number of programmers and systems analysts employed by each company. C. The compatibility of existing operating systems and database structures. D. The extent of EDI connections with vendors. ANSWER: B - This is the least risky area because the number of analysts and programmers may be more of a reflection of operating philosophy (buying new applications versus developing them). This philosophy is unlikely to affect the probability of the event adversely affecting the operations. See IIA Standards for a description of risk and materiality concepts. 26. When gathering data, an audit team identified both subjective and objective criteria for measuring audit risk. Which one of the following risk factors is most objective? A. B. C. D. Changes in staff, systems, or the environment. Comfort with operating management. Prior audit findings. Size of the audit unit.

ANSWER: D - The IIA Standards state that objective reports are factual. Sawyer states, Every categorical statement, every figure, every reference must be based on hard evidence. (Lawrence B. Sawyer, Mortimer A. Dittenhofer, and James H. Scheiner, Sawyers Internal Auditing: The Practice of Modern Internal Auditing, 5th ed., Altamonte Springs, FL: Institute of Internal Auditors, 2003). The size of the audit unit is a fact and is not affected by the auditors impressions and feelings.

27. The consultative approach to auditing emphasizes: A. B. C. D. Participation with auditees to improve methods. Implementation of policies and procedures. Fraud investigation. Imposition of corrective measures.

ANSWER: A - Since auditors alone cannot implement audit recommendations, auditee participation and involvement makes improvements better. 28. The requirements for staffing level, education and training, and audit research should be included in A. B. C. D. The internal auditing departments charter. Job descriptions for the various staff positions. The annual plan for the internal auditing department. The internal auditing departments policies and procedures manual.

ANSWER: C - The annual plan should be comprised of both an audit schedule and a budget and, as such, should include all of these issues. 29. Internal auditors are often called on either to perform or to assist the external auditor in performing a due diligence review. A due diligence review is: A. A review of interim financial statements as directed by an underwriting firm. B. A review of financial statements and related disclosures in conjunction with a potential acquisition. C. An operational audit of a division of a company to determine if divisional management is complying with laws and regulations. D. A review of operations as requested by the audit committee to determine whether the operations comply with audit committee and organizational policies. ANSWER: B - This is a broad definition of due diligence reviews per the IIA Standards 30. The major reason for the internal auditors involvement in information technology (IT) system development is for the internal auditor to: A. B. C. D. Help ensure that systems have adequate control procedures. Propose enhancements for subsequent development and implementation. Help minimize the cost and development time for new systems. Gain familiarity with systems for use in subsequent reviews.

ANSWER: A - This is the major reason for the internal auditors involvement in IT system development. 31. Factors that should be considered when evaluating audit risk in a functional area include: 1. Volume of transactions. 2. Degree of system integration. 3. Years since last audit. 4. Significant management turnover. 5. (Dollar) value of assets at risk. 6. Average value per transaction. 7. Results of last audit. Factors that best define materiality of audit risk are: A. 1 through 7. B. 3, 4, and 6.

C. 2, 4, and 7. D. 1, 5, and 6. ANSWER: D - Factors 1, 5, and 6 can all be quantified into values, which can be measured into materiality. 32. A company recently entered into a cost-plus contract to build a new and larger manufacturing plant. Which of the following auditing procedures would be of most importance to the auditor reviewing this contract? A. Review the contract to ascertain that it contains a provision for the right of system review and cost audits of the contractor. B. Review the business integrity of the contractor through direct inquiry. C. Review the contract for a specific date of completion. D. Review the contract and all of the related bids received to ascertain that the company selected the contractor with the lowest bid. ANSWER: A - Of the four auditing procedures given, this would be the most important because a cost-plus contract is not self-policed with an incentive for efficiency or economy. Without such a provision for system review and cost audits, the company would be at the mercy of the contractor. 33. A professional engineer applied for a position in the internal auditing department of a high-technology firm. The engineer became interested in the position after observing several internal auditors while they were auditing the engineering department. The director of internal auditing: A. B. C. D. May hire the engineer in spite of the lack of knowledge of internal auditing standards. Should not hire the engineer because of the lack of knowledge of accounting and taxes. Should not hire the engineer because of the lack of knowledge of internal auditing standards. May hire the engineer because of the knowledge of internal auditing gained in the previous position.

ANSWER: A - Internal auditing standards are required to be known by the department collectively. Individual internal auditing staff members may, however, bring special skills to the department instead of specific knowledge of internal auditing standards. 34. Internal auditing is responsible for reporting fraud to senior management or the board when: A. B. C. D. Suspicious activities have been reported to internal auditing. Irregular transactions have been identified and are under investigation. The incidence of fraud of a material amount has been established to a reasonable certainty. The review of all suspected fraud-related transactions is complete.

ANSWER: C - If the incidence of significant fraud has been established with reasonable certainty, the auditor is responsible for reporting such to senior management or the board. 35. The director of internal auditing was reviewing recent reports that had recommended additional audits because of risk and exposure to the company. Which of the following represents the greatest risk to the company and should be the next assignment? A. B. C. D. Payment had been made for routine inventory items without a purchase order or receiving report. Several times cash receipts had been held over an extra day before depositing. Several purchase orders were issued without purchase requisitions. Three prenumbered receiving reports were missing.

ANSWER: A - There is a great risk when cash payments can be made with no authorization. Several possible types of fraud could be occurring.

36. Backup and recovery controls are crucial to ensuring the reliability of a teleprocessing network. When reviewing the controls over backup and recovery, which of the following would not be included? A. Review of use and adequacy of encryption processes. B. Review of adequacy of documents/manuals informing all personnel of their backup and recovery responsibilities. C. Review of controls over hardware and software failures. D. Review of adequacy of user data file backups on the local area network (LAN). ANSWER: A - Encryption is a communication control for security and not related to backup and recovery. 37. What should the audit strategy be? A. B. C. D. It should be cycle based. It should be risk based. It should be knowledge based. It should be request based.

ANSWER: B - Audits should be planned and conducted according to the risk level; that is, high-risk auditable areas should be reviewed first, followed by medium-risk areas, which are followed by low-risk areas. The medium- and low-risk auditable areas should be reviewed only when audit resources are available. 38. In planning a system of internal operating controls, the role of the internal auditor is to: A. B. C. D. Appraise the effectiveness of the controls. Establish the policies for controls. Design the controls. Create the procedures for the planning process.

ANSWER: A - This is the proper role of the internal auditor, who reports the results to management. 39. An internal auditor is examining a production facility shortly after the close of the fiscal year. Each question consists of a specific audit procedure and a choice of four different audit findings. Which of the errors or questionable practices is most likely to be detected by the audit procedure specified? The internal auditor tours the production facility. A. B. C. D. Depreciation expense on fully depreciated machinery has been recognized. Overhead has been overapplied. Insurance coverage on the facility has lapsed. Necessary facility maintenance has not been performed.

ANSWER: D - Items such as broken doors, lack of paint, and leaking and broken machinery can be determined by a tour of the facility. 40. A manager prepared and signed checks payable to a fictitious supplier and deposited the checks into a personal bank account. Which of the following internal controls would most likely have prevented, or at least detected, the embezzlement? A. Use of competitive bids for all purchases. B. A check signer other than the manager must sign checks only when approved invoices are presented with the completed, unsigned check. C. Payments to suppliers must be made by certified check. D. A responsible employee must account for the numerical sequence of checks on a regular basis. ANSWER: B - Since the manager is preparing checks for fake suppliers, there would be no supporting invoice for the payment.

41. Accepting the concept that internal auditing should be an integral part of an organization can involve a major change of attitude on the part of top management. Which of the following would be the best way for internal auditors to convince management of the need for and benefits of internal auditing? A. Negotiating with top management to provide them with rewards, such as favorable audits. B. Involving top management in deciding which audit findings will be reported. C. Persuading top managers to accept the idea of internal audits by contacting company shareholders and regulatory agencies. D. Educating top managers about the benefits and communicating with them on a regular basis. ANSWER: D - Education and communication, although lengthy and costly, are the only way to achieve long-term results. 42. Which one of the following items includes the other three items? A. B. C. D. Audit risk. Detection risk. Inherent risk. Control risk.

ANSWER: A - Audit risk is the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. It is the product of the other three risks: It is equal to inherent risk multiplied by control risk, which is multiplied by detection risk. Audit risk is an all-inclusive term here. 43. Internal auditors sometimes express opinions in audit reports in addition to stating facts. Due professional care requires that the auditors opinions be: A. B. C. D. Based on sufficient factual evidence that warrants the expression of the opinions. Expressed only when requested by the auditee or executive management. Limited to the effectiveness of controls and the appropriateness of accounting treatments. Based on experience and not biased in any manner.

ANSWER: A - This is what is required by the IIA Code of Ethics. 44. Risk models or risk analysis is often used in conjunction with development of long-range audit schedules. The key input in the evaluation of risk is: A. B. C. D. Management concerns and preferences. Previous audit results. Judgment of the internal auditor. Specific requirements of the IIA Standards.

ANSWER: C - In assessing the magnitude of risk associated with any factor in a risk model, informed judgment by the auditor is required. 45. External review of an internal auditing department is not likely to evaluate: A. B. C. D. Compliance with the IIA Standards Adherence to the internal auditing departments charter. Audit planning documents, particularly those submitted to senior management and the audit committee. Detailed costbenefit analysis of the internal auditing department.

ANSWER: D - The cost benefit of internal auditing is neither easily quantifiable nor the subject of an external review.

46. Upon being appointed, a new director of internal auditing found an inexperienced audit staff that was over budget on most audits. A detailed review of audit working papers revealed no evidence of progressive reviews by audit supervisors. Additionally, there was no evidence that a quality assurance program existed. To properly evaluate the operations of an internal auditing department, a quality assurance program should include: A. Periodic rotation of audit managers. B. Internal reviews, by other than the internal audit staff, to appraise the quality of department operations. C. External reviews at least once every three years by qualified persons who are independent of the organization. D. Periodic supervision of internal audit work on a sample basis. ANSWER: C - External reviews should be conducted at least once every three years. 47. The internal auditor can participate in the review of the systems development process at varying intervals, including continuous involvement, only at the end of discrete stages, or after implementation of the system. The advantages of continuous internal audit involvement include all of the following except: A. B. C. D. Reduced overall internal audit expense when compared to the other intervals. The opportunity to provide significant suggestions to the design team. Improved design and specification of controls. Reduced need for subsequent rework of controls.

ANSWER: A - This is not trueaudit involvement on a continuous basis is significantly more expensive in audit resources than any of the other interval choices. 48. Directors may use a tool called risk analysis in preparing work schedules. Which of the following would not be considered in performing a risk analysis? A. B. C. D. Skills available on the audit staff. Financial exposure and potential loss. Results of prior audits. Major operating changes.

ANSWER: A - This does not involve risk associated with potential auditees. 49. Which of the following would not be an appropriate member of an audit committee? A. B. C. D. The vice president of the local bank used by the company. An academic specializing in business administration. A retired executive of a firm that had been associated with the corporation. The firms vice president of operations.

ANSWER: D - Audits may be conducted in the members area of control and responsibility. Thus, the potential member is not independent of the audit function. The potential member is also not an outside director. 50. The peer review process can be performed internally or externally. A distinguishing feature of the external review is its objective to: A. B. C. D. Determine if audit activities meet professional standards. Set forth the recommendations for improvement. Identify tasks that can be performed better. Provide an independent evaluation.

ANSWER: D - External review process will provide independent evaluation for management and the audit committee.

51. Computer output from a large mainframe system should be distributed in accordance with current processing instructions and only after a review of processing results by the: A. B. C. D. Application programmers. Data processing manager. Control section. Computer operators.

ANSWER: C - The control section should be satisfied that processing was properly completed prior to output distribution. 52. An internal auditor is preparing a report that discusses the possibility of employee fraud by a specific named employee. The auditor should be careful that distribution of the report be limited on a need-to-know basis. Failure to follow this caveat may result in the auditor and/or the employer being found liable for: A. B. C. D. Malicious prosecution. Libel. Compounding a felony. Slander.

ANSWER: B - Libel is a written or printed statement of a defamatory nature that causes damage to the person libeled. Reports that are necessary under the circumstances for the performanc e of the auditors legitimate duties are considered privileged communications and are exempt from libel rules. 53. Management is concerned with a recent increase in expenditures and lower profits at a division and has asked the internal audit department to perform an operational audit of the division. Management would like to have the audit completed as quickly as possible and has asked the internal audit department to allocate all possible resources to the task. The director of internal audit is concerned with the time pressure since the internal audit department is heavily involved in a major legal compliance audit that had been requested by the audit committee. Which of the following factors would be considered the least important in deciding whether existing internal audit resources should be moved from the ongoing legal compliance audit to the management-requested division audit? A. B. C. D. A financial audit of the division by the external auditor a year ago. The increase in expenditures at the division for the past year. The potential of fraud associated with the legal compliance audit. The potential for significant regulatory fines associated with the legal compliance audit.

ANSWER: A - The results of a financial audit would be the least relevant factor in prioritizing the auditors tasks because the financial audit will not resolve the question asked by management. Also, the financial audit was prior to the recent problems. 54. A quality assurance program of an internal audit department provides reasonable assurance that audit work conforms to applicable standards. Which of the following activities are designed to provide feedback on the effectiveness of an audit department? I. II. III. IV. Proper supervision Proper training Internal reviews External reviews A. B. C. D. I, II, III, and IV. I, III, and IV. II, III, and IV. I, II, and III.

ANSWER: B - The purpose of a quality assurance program is to evaluate the operations of the internal audit department. The IIA Standards note that a program should include supervision, internal reviews, and external reviews. 55. The first phase of the risk assessment process is to identify and catalog the auditable activities of the organization. Which of the following would not be considered an auditable activity? A. B. C. D. Statutory laws and regulations as they affect the organization. General ledger account balances. Computerized information systems. The agenda established by the audit committee for one of its quarterly meetings.

ANSWER: D - The audit committees agenda for an audit committee meeting would not be an auditable activity but may contain audit activities conducted by the audit function. 56. New credit policies have been implemented in the automated entry order system to control collectability. These policies prevent entering any new sales order that would cause customers accounts receivable balance to exceed average sales for any two-month period in the prior 12-month period. Divisional sales management has compiled over a dozen examples that show decreased sales and delayed order entry. Division management contends these examples are a direct result of the new credit policy constraints. Sales managements data and information provide: A. A statistically valid conclusion about the impact on customer goodwill concerning the credit policy. B. Evidence that the new credit policy is not meeting the stated corporate objective to control the collectability of new sales volume. C. Irrelevant argumentative information. D. Feedback control data on the new corporate credit policy. ANSWER: D - An advantage of feedback control is that managers can use the information on past performance to improve future performance. 57. As part of the process to improve auditorauditee relations, it is very important to deal with how internal auditing is perceived. Certain types of attitudes in the work performed will help create these perceptions. From a management perspective, which attitude is likely to be the most conducive to a positive perception? A. B. C. D. Investigative. Objective. Interrogatory. Consultative.

ANSWER: D - A consultative attitude leads to two-way communication. 58. A perpetual inventory system uses a minimum quantity on hand to initiate purchase-ordering procedures for restocking. In reviewing the appropriateness of the minimum quantity level established by the stores department, the auditor would be least likely to consider: A. B. C. D. Stock-out costs, including lost customers. Optimal order sizes determined by the economic order quantity model. Seasonal variations in forecasting inventory demand. Available storage space and potential obsolescence.

ANSWER: B - Economic order quantity does not affect minimum stocking levels.

59. Successful consultative communication in an internal audit is partially based on feedback from auditees about auditors actions during the audit. This feedback: A. B. C. D. Should go to both management and the auditors to ensure business value is being added. Should go only to the auditors to help them improve their audit performance. Should go only to senior management as a means of reviewing the auditors. Will keep auditees on the defensive regarding the auditors.

ANSWER: A - Both management and auditors should be involved in improving the image of internal audit in the organization. 60. The key factor to the success of an audit organizations human resources program is: A. B. C. D. A compensation plan based on years of experience. A well-developed set of selection criteria. A program for recognizing the special interests of individual staff members. An informal program for developing and counseling staff.

ANSWER: B - Selection of individuals with the attributes and education needed for internal auditing is essential if the staff is to develop properly. In any organization, whether it is audit or nonaudit function, a well-developed set of selection criteria is important. 61. Audit committees are most likely to participate in approving: A. B. C. D. Staff promotions and salary increases. Audit work schedules. Appointment of the internal audit director. Internal audit report findings and recommendations.

ANSWER: C - The independence of the internal auditing department is enhanced when the audit committee participates in naming its director. 62. Exit conferences serve to ensure the accuracy of the information used by an internal auditor. A secondary purpose of an exit conference is to: A. Agree to the appropriate distribution of the final report. B. Brief senior management on the results of the audit. C. Get immediate action on a recommendation. D. Improve relations with auditees. ANSWER: D - The exit conference can be used to allow operating management to air their views and to present any operational objections to specific recommendations. 63. A Certified Internal Auditor (CIA) directs the audit function for a large city and is planning the audit schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet in order to be eligible for the funding. In some countries, governmental units have established audit standards. For example, in the United States, the General Accounting Office has developed standards for the conduct of governmental audits, particularly those that relate to compliance with government grants. In performing governmental grant compliance audits, the auditor should: A. Be guided only by the governmental standards. B. Be guided by the more general standards that have been issued by the public accounting profession.

C. Be guided only by the IIA Standards because they are more encompassing. D. Follow both the IIA Standards and any additional governmental standards. ANSWER: D - Members and CIAs are required to follow the IIA Standards. Additional governmental audit standards should also be followed on governmental grant audits. 64.Which of the following represent(s) appropriate internal audit action in response to the risk assessment process? I. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be performed by the internal auditing function. II. The high-risk areas should be integrated into an audit plan along with the high-priority requests of management and the audit committee. III. The risk analysis should be used in determining an annual audit work plan; therefore, the risk analysis should be performed only on an annual basis. A. II only. B. III only. C. I only. D. I and III only. ANSWER: A - The annual audit plan should integrate the risk analysis with requests from management and the audit committee. 65. Having been given the task of developing a performance appraisal system for evaluating the audit performance of a large internal auditing staff, you should: A. Provide primarily for the evaluation of specific accomplishments directly related to the performance of the audit program. B. Provide general information concerning the frequency of evaluations and the way evaluations will be performed without specifying their timing and uses. C. Provide for an explanation of the appraisal criteria methods at the time the appraisal results are discussed with the internal auditor. D. Provide primarily for the evaluation of criteria such as diligence, initiative, and tact. ANSWER: A - The appraisal of audit performance should deal primarily with specific accomplishments related to audits. This provides a more objective appraisal than focusing on traits, which are largely subjective . 66. The internal auditing department of a large corporation has established its operating plan and budget for the coming year. The operating plan is restricted to these categories: a prioritized listing of all audits, staffing, a detailed expense budget, and the commencement date of each audit. Which of the following best describes the major deficiency of this operating plan? A. B. C. D. Opportunities to achieve operating benefits are ignored. Measurability criteria and targeted dates of completion are not provided. Knowledge, skills, and disciplines required to perform work are ignored. Requests by management for special projects are not considered.

ANSWER: B - This is a requirement of the Standards. 67. According to the IIA Standards, a fraud report is required: A. B. C. D. At the conclusion of both the detection and the investigation phases. Neither at the conclusion of the detection phase nor at the conclusion of the investigation phase. At the conclusion of the detection phase. At the conclusion of the investigation phase.

ANSWER: D - A fraud report is required at the conclusion of the investigation phase. 68. A manufacturing firm uses large quantities of small inexpensive items, such as nuts, bolts, washers, and gloves, in the production process. As these goods are purchased, they are recorded in inventory in bulk amounts. Bins are located on the shop floor to provide timely access to these items. When necessary, the bins are refilled from inventory, and the cost of the items is charged to a consumable supplies account, which is part of shop overhead. Which of the following would be an appropriate improvement to controls in this environment? A. B. C. D. None of the above controls is needed for items of minor cost and size. Require management review of reports on the cost of consumable items used in relation to budget. Lock the bins during normal working hours. Relocate bins to the inventory warehouse.

ANSWER: B - Management review of expenditures would provide control over the level of expenditures for small material items. 69. The status of the internal auditing function should be free from the impact of irresponsible policy changes by management. The most effective way to ensure that freedom is to: A. B. C. D. Establish an audit committee within the board of directors. Develop written policies and procedures to serve as standards of performance for the department. Have the internal auditing charter approved by both management and the board of directors. Adopt policies for the functioning of the auditing department.

ANSWER: C - Approval of the charter by the board of directors will protect the internal auditing function from management actions, which could weaken the status of the internal auditing department 70. You have been selected to develop an internal auditing department for your company. Your approach would most likely be to hire: A. Degreed accountants since most audit work is accounting related. B. Internal auditors who collectively have the knowledge and skills needed to complete all internal audit assignments. C. Inexperienced personnel and train them the way the company wants them trained. D. Internal auditors each of whom possesses all the skills required to handle all audit assignments. ANSWER: B - Having a collective mix of knowledge and skills is an integral part of the IIA Standards. No internal audit department can have a credible program without this mix. 71. The director of a newly formed internal auditing department is in the process of drafting a formal written charter for the department. Which one of the following items, related to the operational effectiveness of the internal audit department, should be included in the charter? A. The frequency of the audits to be performed. B. The internal auditors unlimited access to those records, personnel, and physical properties that are relevant to the performance of the audits. C. The procedures that the internal auditors will employ in investigating and reporting fraud. D. The manner by which audit findings will be reported. ANSWER: B - The IIA Standards state that the charter should include the internal auditors access to those records, personnel, and physical properties that are relevant to their work. Having limitations on such access would impact the operational effectiveness of the internal audit department because the internal auditor would not be able to conduct the audit in the proper approach that he or she designed it.

72. A primary audit concern of a multinational corporations foreign branch money transfer operations located at international headquarters is: A. B. C. D. Ensuring compliance with foreign government money transfer regulations. Monitoring the security of foreign property, plant, and equipment. Reconciling the foreign branchs petty cash accounts. Evaluating the exchange rate in effect when foreign fixed assets were purchased

ANSWER: A - The company must protect itself against possible criminal or civil penalties from noncompliance with foreign governmental regulations regarding blocked currencies and multiple exchange rates. 73. Which of the following would not be considered in performing a risk analysis exercise? A. B. C. D. System complexity. System changes. Results of prior audits. Auditor skills.

ANSWER: D - Auditor skills become a consideration during audit scheduling. Risk analysis is done prior to the start of an audit, where factors such as system complexity, system changes, and results of prior audit are very important to consider. These factors determine whether an auditable area is high risk, medium risk, or low risk. 74. The director of internal auditing is preparing the work schedule for the next budget year and has limited audit resources. In deciding whether to schedule the purchasing or the personnel department for an audit, which of the following would be the least important factor? A. B. C. D. There have been major changes in operations in one of the departments. The potential for loss is significantly greater in one department than the other. There are more opportunities to achieve operating benefits in one of the departments than in the other. The audit staff has recently added an individual with expertise in one of the areas.

ANSWER: D - Audit needs, not auditor skill availability, should drive audit schedules. 75. In which of the following duties would the audit director least likely have a primary role? A. B. C. D. Determine the need for expanded testing. Organize and draft the audit report. Select or approve team members. Review the summary findings sheet.

ANSWER: B - It is a task most likely performed by the team leader. 76. To ensure the completeness of a file update, the user department retains copies of all unnumbered documents submitted for processing and checks these off individually against a report of transactions processed. This is an example of the use of: A. Computer sequence checks. B. Established batch totals. C. Computer matching. D. One-for-one checking. ANSWER: D - This is the definition of one-for-one checking.

77. Which of the following is not a benefit of using information technology in solving audit problems? A. It increases audit opportunities. B. It improves the auditors judgment. C. It helps reduce audit risk. D. It improves the timeliness of the audit. ANSWER: B - Auditor judgment is a personal characteristic, not a function of the quality of the information. 78. Which of the following factors serves as a direct input to the internal auditing departments financial budget? A. Audit work schedules. B. Past effectiveness of the internal auditing department in identifying cost savings. C. Auditing departments charter. D. Activity reports. ANSWER: A - As specified in the IIA Standards, audit work schedules determine both staffing plans and financial budgets. 79. The internal auditor is considering performing risk analysis as a basis for determining which areas of the organization ought to be examined. Which one of the following statements is correct regarding risk analysis? A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis. B. The highest risk assessment should always be assigned to the area with highest probability of occurrence. C. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization. D. The highest risk assessment should always be assigned to the area with the largest potential loss. ANSWER: A - According to the IIA Standards, the auditor could appropriately consider the extent of management judgments and accounting estimates as a risk factor. 80. In an audit of a purchasing department, which of the following generally would be considered a risk factor? A. B. C. D. There is a failure to rotate purchases among suppliers included on an approved vendor list. Purchase specifications are developed by the department requesting the material. Purchases are made from parties related to buyers or other company officials. Purchases are made against blanket or open purchase orders for certain types of items.

ANSWER: C - This invariably involves high risk.