EMT Practice Test

1. Question Content...


Question List

Question1: If an internal auditor discloses confidential information in response to a lawsuit, the internal auditor has violated.

Question2: In which of the following situations would fishbone diagrams be most useful?

Question3: Inadequate risk assessment would have the strongest negative impact in which of the following phases of an audit engagement?

Question4: When planning an audit engagement, what should an internal auditor first consider when assessing the risk of fraud in the area to be audited?

Question5: In which of the following functions would fraud be most likely to occur?

Question6: Which of the following statements is true regarding the use of non-statistical sampling in auditing control tests?

Question7: According to IIA guidance, which of the following is least compliant with the requirements regarding an internal auditor's need for objectivity?

Question8: The work papers for an audit of hazardous-materials handling and disposal at an engineering research facility provide evidence that the following procedures were performed.
Drums of hazardous waste not yet shipped off-site were inventoried. The physical count agreed with

the company's inventory records.
A sample of hazardous-waste shipments received at the disposal site was compared to bills of lading

and company records. No errors were detected.
The audit staff observed engineering personnel during the handling of hazardous materials. No

company policy violations were noted.
The reconciliation of waste drums to the inventory records provides evidence that:

Question9: Which of the following elements should an auditor recommend for inclusion in an organization's code of ethics?
I. Ethics should vary with local customs in the organization's foreign operations.
II. Whistle-blowing should be discouraged because it can cause distrust among employees and false accusations which waste organizational resources on investigations.
III. Ethical behavior should not be incorporated into performance evaluations because it is too subjective and controversial.

Question10: Which of the following methods is not valid for completing continuing professional education hours?

Question11: The main reason to establish internal controls in an organization is to:

Question12: The chief audit executive (CAE) wants to ensure that there are sufficient resources available to fulfill the responsibilities of the internal audit activity in the coming year. Which statement describes the most logical sequence of events for the CAE to undertake in order to achieve this objective?

Question13: According to the Standards, for how long should internal auditors who have previously performed or had management responsibility for an operation wait to become involved in future internal audit activity with that same operation?

Question14: A candidate has applied for an entry level internal audit position. The candidate holds a CISA (Certified Information Systems Auditor) designation, and has six months of audit experience, but limited knowledge of accounting principles and techniques. According to the IIA guidance, which of the following is the most relevant reason for the chief audit executive to consider this candidate?

Question15: Internal auditors can benefit from a strong relationship with the external auditors because external auditors can:

Question16: According to the COSO framework, which of the following is not a principle of internal control?

Question17: The primary reason that a bank would maintain a separate compliance function is to:

Question18: An auditor plans to analyze customer satisfaction, including. (1) customer complaints recorded by the customer service department during the last three months; (2) merchandise returned in the last three months; and (3) responses to a survey of customers who made purchases in the last three months.
Which of the following statements regarding this audit approach is correct?

Question19: Which of the following factors should be considered when determining the appropriate combination of manual techniques and computer-assisted audit techniques (CAATs) to be used during an audit?
1. Acceptance of CAATs findings by entity management.
2. Computer knowledge and expertise of the auditor.
3. Time constraints.
4. Level of audit risk.

Question20: Which of the following is an example of a preventive control activity for risk related to pollution caused by waste disposal?

Question21: During an engagement, an internal auditor decided to use variance analysis as an auditing techniques.
Which of the following steps should the auditor pursue if he discovers unexpected deviations of actual results from budget?

Question22: An audit to test the system of controls over the purchase, distribution, and use of radioactive material is being conducted at a company's plants. The process is well documented, and employees in the safety department are very familiar with the department's procedures. Since the purchasing and facilities departments are involved in the process, the auditor is considering reviewing their radioactive material- handling procedures as well. The auditor should:

Question23: Which of the following policies exemplifies a control weakness in the approval and oversight of credit sales?

Question24: According to IIA guidance, which of the following statements about working papers is false?

Question25: When planning the work program for an assurance engagement, an internal auditor should first review the department's business objectives and then:

Question26: Which of the following statements, if true, could justify an auditor's decision not to report governance- related control deficiencies to the audit committee?

Question27: An internal auditor for a large retail chain suspects that a store manager has been stealing money from cash sales by listing the sales as accounts receivable and then writing off the accounts as bad debts.
Which of the following irregularities is the most likely cause of the auditor's suspicion?

Question28: According to IIA guidance, which of the following is the most likely obstacle to undertaking a quality assurance and improvement program by the internal audit activity?

Question29: Which of the following would provide the best assessment of an organization's ethical climate?

Question30: An internal auditor would most likely judge an error in an account balance to be material if the error involves:

Question31: Which of the following should be the first step that an internal auditor takes to establish data integrity when building an audit working copy of a large database?

Question32: A charitable organization provides substantial grants for important medical research. Assuming marginal controls are in place, which of the following possible frauds or misuses of organization assets should be considered the area of greatest risk?

Question33: An internal auditor wants to use ratio analysis to examine efficiencies in an organization's accounting department. Which of the following statements identifies a weakness of ratio analysis that should be considered by the auditor?

Question34: In a manufacturing company, which department would be the internal audit activity's most reliable source of information on the controls over minimizing defective goods?

Question35: Which of the following situations allows for the most objectivity on the part of an internal auditor?

Question36: Which of the following best contributes to the effectiveness of the internal audit activity in an organization?

Question37: During an internal audit, the internal auditor compares the employee turnover rate in the area being audited with the employee turnover rate in the organization as a whole.
This is an example of which of the following analytical auditing procedures?

Question38: Which of the following are typical management control activities?

Question39: Which of the following measurements could an auditor use in an audit of the efficiency of a motor vehicle inspection facility?

Question40: Which of the following is considered a common red flag indicator in helping to uncover fraud?

Question41: During an audit engagement, an internal auditor finds that management is not complying with previous commitments made to the external auditors. However, the auditor determines management's actions to be justified due to significant changes in the business. The best course of action for the auditor to take would be to:

Question42: Sometimes, internal audit staff may partner with operating managers to rank risks. Which of the following outcomes may be the most beneficial aspects of this strategy?
1. Reappraising risks levels.
2. Providing accurate information to management.
3. Marketing the internal audit activity.
4. Planning safeguards for assets in high-risk areas.

Question43: A company has entered into a $20, 000, 000 fixed-price contract with a general contractor for the construction of a new retail outlet. For this contract, which of the following would represent the greatest risk?

Question44: When performing benchmarking during the planning phase of a performance audit, an internal auditor should:

Question45: To determine if a new computer system is improving the use of a manufacturer's limited facilities in serving the largest number of customers, an auditor should compare.

Question46: Which of the following would be the most useful in developing an annual audit plan?

Question47: In order to provide the most useful information for an organization's risk management decisions, which of the following should be assessed?

Question48: An internal auditor is performing analytical reviews as part of an audit of a supermarket's merchandising department. Because the economy has declined since midyear, the auditor can expect to encounter which of the following?

Question49: When developing an effective risk-based plan to determine audit priorities, an internal audit activity should start by:

Question50: An internal audit team is performing an audit of workplace accident claims.
Which of the following actions by the audit team best demonstrates due professional care?

Question51: In order to be organizationally independent, the chief audit executive should report administratively to the
[List A] and functionally to the [List B].
[List A]
[List B]

Question52: Which of the following should an internal auditor possess in order to fulfill the responsibilities of the internal audit activity?

Question53: Which of the following actions would be a violation of the IIA Code of Ethics?

Question54: Which of the following activities most significantly increases the risk that a bank will make poor-quality loans to its customers?

Question55: The results of an internal control questionnaire revealed that all investment activity exceeding $10, 000 must be approved by the assistant treasurer. A sample of these transactions with a five-percent acceptable error rate found that 98 of the 100 items tested included the assistant treasurer's approval. Based on this data, the auditor should:

Question56: An internal audit activity's work schedule should always provide sufficient information to the audit committee to enable it to determine whether the proposed engagements:

Question57: An internal audit activity (IAA) provided assurance services for an activity it was responsible for during the preceding year.
As a result, which IIA Code of Ethics principle is presumed to be impaired?

Question58: Which of the following represents the most effective governance structure?
I.
Operating
Executive
Internal
Management
Management
Auditing
Responsibility for risk
Oversight role
Advisory role
II.
Oversight role
Responsibility for risk
Advisory role
III.
Responsibility for risk
Advisory role
Oversight role
IV.
Oversight role
Advisory role
Responsibility for risk

Question59: Which of the following is the most common method of fraud detection?

Question60: A daily log of treasury dealers who exceeded their authorized limits serves as a:

Question61: Which of the following best describes the underlying premise of the COSO enterprise risk management framework?

Question62: An internal auditor is planning an audit of an organization where temporary employees are suspected of receiving pay for hours they have not worked. Which of the following tasks should not be performed at this stage in the audit?

Question63: According to IIA guidance, which of the following is the best example of a system application control?

Question64: An organization's sales professionals are potentially abusing the use of cellular phones, resulting in an alarming increase in telephone expenses. Which of the following controls is least likely to curb this abuse?

Question65: If an engagement client disputes that a specific action or process is within the scope of the internal audit activity, what would be the most appropriate way for the internal audit activity (IAA) to respond?

Question66: If an engagement client's operating standards are vague and thus subject to interpretation, the auditor should:

Question67: When an internal auditor applies due professional care to perform an assurance engagement, which of the following must she consider?
1. Findings of the last audit engagement performed.
2. Probability of significant errors, irregularities, or noncompliance.
3. Extent of work needed to achieve engagement objectives.
4. Cost of the engagement versus the potential benefits.

Question68: Which of the following controls would most likely prevent the input of an unreasonable number of labor hours into a costing system?

Question69: It is important for a chief audit executive to seek formal approval from the board regarding an internal audit charter so that:

Question70: The chief audit executive (CAE) of a mid-sized pharmaceutical organization has operational responsibility for the regulatory compliance function. The audit committee requests an assessment of regulatory compliance. According to IIA guidance, which of the following is the CAE's best course of action?

Question71: A medical insurance provider uses an electronic claims-submission process and suspects that a number of physicians have submitted claims for treatments that were not performed. Which of the following control procedures would be most effective to detect this type of fraud?

Question72: Which of the following would not be considered part of preliminary survey of an engagement area?

Question73: Which of the following would be the least desirable criteria against which to judge current operations of a company's treasury function?

Question74: An internal auditor is reviewing employee travel data to identify opportunities to cut costs while ensuring adequate participation at conferences to support the organization's mission. Which of the following pieces of evidence would be sufficient for completing this task?

Question75: Which of the following combinations of conditions is most likely a red flag for fraud?

Question76: Which of the following sources of evidence would be least persuasive regarding potential waste and inefficiency on the part of a contractor?

Question77: A dental insurance provider has implemented an electronic claim submission process and is concerned that dentists are submitting claims for services that were not provided. Which of the following control procedures would be most effective in preventing this type of fraud?

Question78: An objective for an audit of a medical research corporation is to evaluate management's controls to ensure that timely reports are submitted to sponsors of contracted research projects. In planning the audit to achieve this objective, the auditor should begin by:

Question79: The internal audit activity is planning a procurement audit and needs to obtain a thorough understanding of the subcontracting process, which can involve multiple individuals in multiple countries.
Which of the following internal audit tools would be most effective to document the process and the key controls?

Question80: A new chief audit executive (CAE) of a large internal audit activity (IAA) is dissatisfied with the current amount and quality of training being provided to the staff and wishes to implement improvements.
According to IIA guidance, which of the following actions would best help the CAE reach this objective?

Question81: Which of the following is an advantage of email surveys compared to face-to-face interviews?

Question82: What is the primary purpose of a fishbone diagram?

Question83: Which the following activities should be performed by the internal audit activity to facilitate an effective relationship with the audit committee?
1. Periodically report about the accounting standards followed by the organization.
2. Provide assurance to the audit committee that its charter, activities, and processes are appropriate.
3. Ensure that the role and activities of the internal audit activity are clearly understood and responsive to the needs of the audit committee.
4. Maintain open and effective communications with the audit committee.

Question84: Regarding an organization's decision to retain an external audit firm, the chief audit executive (CAE) should:

Question85: The audit process used by the internal audit activity of a large wholesale clothing company does not include an engagement letter or project approval document. The most serious consequence of this deficiency in the process is that the:

Question86: A member of the IT department transfers to the internal audit department. A few months after transferring, the new auditor volunteers to assist in an assurance engagement for the IT department. According to the Standards, how should the chief audit executive respond?

Question87: Which type of control is designed to directly mitigate internal and external risks at the organization wide level, furthering the achievement of many overall organizational objectives?

Question88: The chief audit executive (CAE) is planning to conduct an internal assessment of the internal audit activity (IAA). Part of this assessment will include benchmarking. According to IIA guidance, which of the following qualitative metrics would be appropriate for the CAE to use?
1. Average client customer satisfaction score for a given year.
2. Client survey comments on how to improve the IAA.
3. Auditor interviews once an audit has been completed.
4. Percentage of audits completed within 90 days.

Question89: When a risk assessment process has been used to construct an audit engagement schedule, which of the following should receive attention first?

Question90: To enhance the independence of both the internal and external audit functions, audit committees should be composed of:

Question91: During the planning phase of an audit of suspected overbilling on contracts for security services, an auditor should perform all of the following except:

Question92: While conducting fieldwork, an internal auditor decides to utilize standard operating procedure (SOP) questionnaires to gather information about a human resources department. Which of the following is an advantage of this method?

Question93: According to the IIA Code of Ethics, the deliberate omission of relevant information from an audit report would violate which principle?

Question94: What information should the internal quality assessment of the internal audit activity communicate to the chief audit executive?

Question95: Which of the following components influences the risk consciousness of an organization's people and is the basis for all other components of enterprise risk management?

Question96: Which of the following is true of a horizontal flowchart as compared to a vertical flowchart?

Question97: Which of the following is the responsibility of an internal auditor?
1. Assist operating management in implementing audit recommendations.
2. Provide management with value-added analysis to improve operations.
3. Become an advocate for changes to the internal audit activity charter.
4. Disclose non-financial risks that may be identified during the course of an engagement.

Question98: An organization receives the most value from an internal audit activity's enterprise-wide risk assessment when the auditor:

Question99: A computer system automatically locks a user's account after three unsuccessful attempts to log on.
Which type of control does this scenario represent?

Question100: A credit card company detects potential errors in credit card numbers by checking whether all entered numbers contain the correct amount of digits. This is an example of which of the following IT controls?

Question101: Which of the following topics would a chief audit executive most likely include with their report to the board?

Question102: Which of the following does not need to be defined in the internal audit charter?

Question103: The chairperson of an organization's audit committee has obtained a risk management report that identifies significant industry concerns that impact the organization. The chairperson has asked the chief audit executive (CAE) to review these concerns and advise if they are relevant to the organization. How should the CAE respond?

Question104: Which of the following actions by a chief audit executive would be most effective in preventing fraud?

Question105: A chief audit executive (CAE) submits internal audit activity (IAA) plans and information about significant interim changes to senior management and the board for review. Which other piece of information should the CAE provide to senior management and the board?

Question106: An organization's external auditor has prepared a list of risks and issues and has recommended to senior management that the internal audit activity focus on these items. Senior management has forwarded the list to the chief audit executive (CAE). The CAE should:

Question107: In addition to data protection, which of the following is a control that is typically used by companies to safeguard the privacy rights of their customers?
I. End-user computing.
II. Encryption of data.
III. Spyware.
IV. Intrusion detection.

Question108: In the annual audit of the financial statements of a company with high inherent risk and a very strong control system, the external auditor may be able to allow detection risk to rise because.

Question109: An organization has a policy requiring two signatures on all checks written for amounts in excess of $10,
000. When evaluating controls over disbursements, an auditor would conclude that a greater risk exists if.

Question110: According to IIA guidance, which of the following best describes acceptable methods for internal auditors to obtain qualified continuing professional education hours?

Question111: Which of the following techniques would best assist an internal auditor in evaluating the efficiency of a wholesale grocery distributor`s process to fill and package orders for shipping?

Question112: Faced with a complex, highly technical construction audit engagement, the chief audit executive (CAE) considered complementing the current internal audit resources by engaging the services of a civil engineer.
Which of the following should the CAE consider in determining whether the engineer possesses the necessary skills to perform the engagement?
1. Professional certification, license, or other recognition of the engineer's competence in the relevant discipline.
2. Experience of the engineer in the type of work being considered.
3. Compensation or other incentives that the engineer may receive.
4. The extent of other ongoing services that the engineer may be performing for the organization.

Question113: Which of the following is not a typical objective of any training plan developed for internal audit activity staff?

Question114: To develop greater internal auditing expertise, the chief audit executive (CAE) has been assigning the same relatively inexperienced team of internal auditors to a series of engagements spanning several months. Is this practice consistent with the Standards?

Question115: Which of the following is a component of the internal audit value proposition endorsed by IIA guidance?

Question116: A senior manager asks the chief audit executive (CAE) to explain why statistical sampling is the best method to use in conducting an internal audit. Which advantages should the CAE point to in order to justify the internal audit activity's (IAA) use of statistical sampling?

Question117: In which of the following scenarios would a customer service hotline receive a high volume of complaints regarding payments not being applied to customers' accounts?

Question118: An internal auditor wants to sample data to test an audit theory in a cost-effective way. Which of the following sampling strategies should she use?

Question119: All of the following would normally be involved in preparing for and carrying out the internal audit activity's annual plan except:

Question120: Which of the following statements best explains why internal auditors map processes?
1. To obtain audit evidence to support auditor's observations.
2. To determine scope and objectives of the audit.
3. To facilitate the identification of ownership and responsibility for key risks.
4. To identify potential efficiency improvements.

Question121: Which of the following actions would have the greatest impact on the effectiveness of the internal audit activity?

Question122: Which of the following actions would be considered a violation of the Standards?
I. Drafts of engagement communications were reviewed with the audit client to obtain input. The client's comments were considered when developing the engagement final communication.
II. An auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development.
III. Given limited resources, the chief audit executive performed a risk analysis to determine which functions to audit.

Question123: Which of the following best describes the misdirection of payments on accounts receivable to an employee's bank account?

Question124: During a review of a division's operations, an internal auditor notes that sales and customer base are unchanged, while inventory and gross margin have increased significantly. Which of the following audit procedures would be most relevant in substantiating management's assertion that the gross margin increase is due to increased efficiency in manufacturing operations?

Question125: The primary objective of risk-based auditing is to assess the:

Question126: In order to use "Conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, " an internal audit activity must:

Question127: An auditor in charge was reviewing the workpapers submitted by a newly hired internal auditor. She noted that the new auditor's analytical work did not include any rating or quantification of the risk assessment results, and she returned the workpapers for correction. Which section of the workpapers will the new auditor need to modify?

Question128: Which of the following is accomplished by the internal audit charter?

Question129: Which of the following internal control weaknesses would an auditor most likely detect while reviewing a flowchart that depicts the purchasing function of an organization?

Question130: After being terminated due to downsizing, an internal auditor finds a different job with an organization in the same industry. Which of the following actions would violate the IIA Code of Ethics?

Question131: Which of the following is not a standard technique that the chief audit executive (CAE) would use to provide evidence of supervisory review of working papers?

Question132: Which of the following risk assessment tools would best facilitate the matching of controls to risks?

Question133: Which segregation of duties would best reduce the risk of payroll fraud?

Question134: An internal quality assessment of the internal audit activity should provide the chief audit executive with.

Question135: An auditor is using audit software to check inventory accuracy. Which of the following would be an indicator of poor input edit controls?

Question136: An internal auditor would like to identify the involvement of various organizational units in handling employee travel reimbursement claims. Which of the following methods would be most effective and efficient in completing this task?

Question137: When developing the organization's first risk universe, which of the following would the chief audit executive be least likely to consider?

Question138: An audit of the quality control department is being planned. Which of the following would least likely be used in the preparation of a preliminary survey questionnaire?

Question139: Internal auditors exercise judgment about the type and amount of information to be collected. The primary purpose of this judgment is to:

Question140: Which of the following would be a violation of the objectivity of a certified internal auditor?
1. Accepting a motivational book from a major vendor.
2. Attending a professional sporting event as the guest of a corporate supplier.
3. Performing an internal audit engagement for a division 18 months after having controllership responsibility for that division.
4. Designing and implementing a corporate-wide utilities cost containment program.

Question141: According to the Standards, the organizational status of the internal audit activity:

Question142: The primary reason that a chief audit executive (CAE) reviews external audit management letters and management response is to:

Question143: Which of the following factors would cause an internal auditor to judge an account balance error to be material?

Question144: Which of the following is not an appropriate activity for internal auditors to perform?

Question145: A manufacturing firm uses hazardous materials in the production of its products. An audit of the firm's processes related to hazardous materials should include.
I. Recommending an environmental management system as part of policies and procedures.
II. Verifying the existence of tracking records for these materials from creation to destruction.
III. Using consultants to avoid self-incrimination of the firm in the event illegalities were detected in an environmental audit.
IV. Evaluating the cost provided for in an environmental liability accrual account.

Question146: An internal audit activity has made a preliminary determination that a division of the organization has employed improper accounting practices.
Upon being informed, the head of the organization instructs the chief audit executive (CAE) to cease the investigation and to withhold the information from external auditors.
Which course of action should the CAE follow?

Question147: An engagement manager is reviewing the results of sampling work performed by staff internal auditors.
Which interim report statement should immediately give the engagement manager cause for concern about the nature and quality of the sampling procedure?

Question148: An internal auditor is preparing a draft observation based on her assessment of an accounts payable process. Which of the following is a process recommendation?

Question149: Which of the following is not an appropriate control related to sales in a manufacturing company?

Question150: Which of the following is not a role of the internal audit activity in facilitating risk identification and evaluation?

Question151: Which of the following is not an appropriate type of coordination between the internal audit activity and regulatory auditors?

Question152: According to the Standards, which of the following statements best describes the required content of the chief audit executive's (CAE) report to senior management and the board on the internal audit activity (IAA)?

Question153: Risk within an internal audit engagement is defined as the:

Question154: A manufacturing organization discovers that the waste water released has failed to meet permitted limits.
Which control function will be least effective in correcting the issue?

Question155: Which of the following is not true with regard to the internal audit charter?

Question156: Which of the following statements is true regarding assurance services provided to clients outside of the organization?

Question157: New credit policies have been implemented in an automated order-entry system to improve the collection of receivables. Sales management has compiled several examples that show decreased sales and delayed order entry, and contends that these examples are a direct result of the new credit-policy constraints. Sales management's data and information provide:

Question158: During the planning phase of an audit of suspected overbilling on contracts for security services, an internal auditor should perform all of the following except:

Question159: Which of the following audit findings would have the least impact (either positive or negative) on a department's control environment?

Question160: Risk assessments can vary in format, but generally include.
I. A description of identified risks.
II. Tests of audit controls.
III. A system of rating risks.
IV. Sample size identification.

Question161: Which of the following factors is not likely to affect the level of inherent risk associated with an application system?

Question162: Which of the following lists the audit activities in the order in which they would generally be completed during a preliminary survey?
I. Write detailed audit procedures.
II. Identify client objectives, goals, and standards.
III. Identify risks and controls intended to prevent associated losses.
IV. Determine relevant engagement objectives.

Question163: An employee is more likely to commit fraud if which of the following red flags are present?
1. The employee believes that he is being underpaid and deserves a higher salary.
2. The employee is close to retirement and has expressed a desire to take an expensive trip around the world.
3. The employee has personal financial problems and seems very unhappy.
4. The employee is spending much more time at the office than usual and has been asking about opportunities for professional advancement.

Question164: Which of the following is correct regarding the implementation of a quality assurance and improvement program for the internal audit function?

Question165: While conducting an audit, an internal auditor notices an unusual increase in sales among a small number of units within the organization. The units also experienced persistent negative cash flows despite reported earnings and earnings growth. Which type of fraud do the auditor's findings most likely indicate?

Question166: The internal audit activity's role in the risk assessment and management processes of an organization is determined by the:

Question167: In developing an appropriate work program for an audit engagement, the most important factor for an audit supervisor to consider is the:

Question168: Which of the following is true regarding the purpose of the COSO enterprise risk management framework?
1. It is a process that is ongoing and flows throughout the organization.
2. It contributes to the formulation of the organization's mission and vision.
3. It enables internal audit to provide reasonable assurance to an organization's management and the board.
4. It enables the management of risks within an organization's risk appetite.

Question169: Which of the following scenarios exemplifies a potential internal control weakness?

Question170: An internal auditor is using a spreadsheet application to review a cash flow forecast prepared by management.
Which of the following correctly identifies the type of evidence this information represents?

Question171: In order to exercise due professional care as defined in the International Professional Practices Framework, an internal auditor should:
I. Consider the probability of significant noncompliance in each audit engagement.
II. Perform assurance procedures with sufficient care to ensure that all risks are identified.
III. Weigh the cost of assurance against the benefits.

Question172: An assurance mapping exercise helps an organization do which of the following?
1. Provide assurance to stakeholders that risks are managed and reported, and regulatory and legal obligations are met.
2. Fulfill best practices in the industry.
3. Identify and address any gaps in the risk management process.
4. Identify fraud.

Question173: Which of the following would be the best example of a monitoring control for a chain of restaurants?

Question174: A chief audit executive (CAE) is obtaining information required by a regulatory oversight body and discovers a situation that requires management to take immediate corrective action. What is the best course of action for the CAE to take?

Question175: When reviewing operational risk for a department whose manager adopts a laissez-faire style of leadership, it is most important for the internal auditor to verify that:

Question176: A major difference between enterprise risk management and traditional risk management lies in the narrow focus of traditional risk management on:
I. Property and liability risks.
II. Risks with insurance solutions.
III. Risks impacting organizational objectives.

Question177: Which of the following actions should an internal auditor take to exercise due professional care?
1. Consider the probability of significant noncompliance in each audit engagement.
2. Weigh the cost of assurance against the benefits.
3. Perform assurance procedures with sufficient care to ensure that all risks are identified.

Question178: A production division received 45 responses to a customer-service survey distributed to 100 purchasing departments randomly selected from all customers who made purchases in the prior 12 months. Which of the following is the most likely reason that the division manager would be concerned about nonresponse bias in this situation?

Question179: When developing the annual audit plan and reviewing risk assessment priorities, a chief audit executive should always identify the:

Question180: Which of the following are appropriate responsibilities of the audit committee in relation to the chief audit executive (CAE)?
1. Approving the internal audit charter.
2. Approving decisions regarding the appointment and removal of the CAE.
3. Approving the risk management strategy for the organization.
4. Making appropriate inquiries of management and the CAE to determine whether there are inappropriate scope and resource limitations.

Question181: What type of risk management strategy is being employed when an organization installs two firewalls to provide protection from unauthorized access to the network?

Question182: An organization has implemented a software system that requires a supervisor to approve transactions that would cause treasury dealers to exceed their authorized limit. This is an example of which of the following types of controls?

Question183: According to IIA guidance, the results of a formal quality assessment should be reported to which of the following groups?

Question184: An internal auditor is reviewing a new automated human resources system. The system contains a table of pay rates which are matched to the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes would be to:

Question185: Which of the following would most likely be considered a red flag for fraud?

Question186: Which of the following enhances the independence of the internal audit activity?

Question187: In which of the following circumstances would an internal auditor not need to search for other signs of fraud?

Question188: An internal auditor is testing the controls of a large and complex food production process where quality assurance is critical. Management provides process charts and documentation, but the auditor quickly determines that this information is incomplete and out of date. Which of the following would be the most appropriate course of action for the auditor to follow?

Question189: Which of the following situations would most likely result in the auditor in charge (AIC) recommending that the staff auditor further investigate non-compliant items?

Question190: During a routine audit of a customer service hotline, an internal auditor noticed that an unusually high number of customer complaints pertained to payments not being applied to the customers' accounts.
Which of the following would most likely be the reason for the high volume of complaints?

Question191: Reportable audit findings must be:
I. Documented by facts.
II. Supported by relevant evidence.
III. Agreed to by management of the audited area.
IV. Convincing enough to compel corrective action.

Question192: In publicly held companies, management often requires the internal audit activity's involvement with quarterly financial statements that are made public and used internally. Which of the following is generally not a reason for such involvement?

Question193: Which of the following is an appropriate consideration by the auditor when preparing an engagement program for a human resource audit?

Question194: A bank uses a risk analysis matrix to quantify the relative risk of auditable entities. The analysis involves rating auditable entities on risk factors using a scale of 1 to 10, with 10 representing the greatest risk. A partial list of risk factors and the ratings given to three of the bank's departments is provided below:
Department
Risk Factor
A
B
C
Control structure
9
5
7
Nature of assets in department
2
7
9
Dollar value of assets
6
6
8
Complexity of transactions
3
4
8
Which of the following statements regarding risk in the departments is true?

Question195: Which of the following statements describes a control failure that is not directly attributable to a customer billing application?
1. End users have raised a number of concerns regarding data integrity.
2. An untested program change is transferred from the test environment to production.
3. Purchase history does not reconcile with accounts receivable for some customers.
4. End user security is inadvertently granted to an unauthorized individual by management.

Question196: The first stage in the development of a crisis management program is to:

Question197: Which of the following internal control weaknesses would an internal auditor most likely detect while reviewing a flowchart that depicts the purchasing function of an organization?

Question198: Which of the following would be outside the scope of acquiring and developing human resources for an internal audit department?

Question199: Which of the following reporting relationships results in the greatest impairment to the independence of the chief audit executive (CAE)?

Question200: Which of the following is the most appropriate outcome measure for assessing safety operations?

Question201: Which of the following statements describes impairment to the internal auditor's objectivity?

Question202: In order to effectively handle conflict between audit team members, an audit team leader should:

Question203: An internal auditor is gathering evidence for an organization's internal audit engagement and requests a sample of vendor invoices from the organization. Which of the following is true regarding the reliability of this evidence?

Question204: Which of the following is most likely to function as a directive control?

Question205: Click the Exhibit.

Internal auditors are asked to keep track of how many hours per day they spend planning the audit, conducting the engagement, and writing the audit report. The data for two days has been collected as follows:
Day 1
Day 2
Planning the audit
2 hours
3 hours
Conducting the engagement
1 hour
1 hour
Writing the audit report
2 hours
4 hours
Which of the following graphs depicts the data accurately?

Question206: Which of the following controls could an internal auditor reasonably conclude is effective by observing the physical controls of a large server room?

Question207: Which of the following results from computer assisted audit techniques provides the most significant indication that additional audit work is needed?

Question208: Non-statistical sampling does not require which of the following?

Question209: During an audit of financial contracts, an auditor learns that a relative has a substantial loan with the organization. The auditor should:

Question210: Which of the following decisions made during the testing phase of a compliance audit requires the most judgment by an internal auditor?

Question211: Which of the following statements about risk assessment is true?

Question212: During the course of an audit, an internal auditor discovers that a valuable employee in the research department has been patenting new developments in the employee's name that are unrelated to the basic business of the organization.
The organization does not have a policy addressing this specific issue, but does have a general policy that all important new discoveries by employees are the property of the organization.
Division management views the employee's actions as extra incentive to retain the employee.
A decision to include the employee's action in the engagement final communication would be:
1. A violation of the IIA Code of Ethics.
2. A violation of the reporting requirements in the Standards.
3. Justified and necessary, according to the IIA Code of Ethics and Standards.

Question213: According to IIA guidance, which of the following is not a responsibility of the chief audit executive pertaining to documenting information to support internal audit engagement results and conclusions?

Question214: In selecting a team to perform an internal audit of a purchasing operation, which of the following characteristics would not preclude an auditor from being selected?
1. The auditor's spouse is employed by the clerical section of the purchasing records unit.
2. The auditor had been a purchasing agent five years earlier.
3. The auditor's family owns a business that regularly sells goods to the organization.
4. The auditor has received a desk calendar as a promotional gift from a vendor.

Question215: The best reason for separating the cash-receiving function from the related record-keeping function is to:

Question216: Which of the following should be incorporated in a risk management policy?
I. Boundaries and limit structures.
II. Requirements for reporting risk.
III. Risk authorities.

Question217: In an audit engagement, a group of internal auditors used an integrated test facility to test payroll processing. The auditors identified the key controls and processing steps in the computer software, and then developed test data. Over the course of 24 months, they submitted test transactions on a regular basis but did not find any differences between payroll processing and integrated test facility results. Based on the data, what can the auditors conclude?

Question218: A chief audit executive (CAE) of a major retailer has engaged an independent firm of information security specialists to perform specialized internal audit activities. The CAE can rely on the specialists' work only if it is:

Question219: In a well-developed management environment, the internal audit activity would.

Question220: Which of the following is a role of the board of directors in the governance process?

Question221: According to IIA guidance, which of the following is an area in which the internal auditor should be proficient?

Question222: Which of the following control methods is effective in reducing the risk of purchasing-scheme fraud?
1. Periodically reviewing the vendor list for unusual vendors and addresses.
2. Segregating duties for amount purchasing, receiving, shipping, and accounting.
3. Validating sequential integrity of purchase orders.
4. Verifying the validity of invoices with post office box addresses.

Question223: Which of the following techniques would provide the most compelling evidence that a safety hazard exists within a manufacturing facility?

Question224: Which of the following roles, if undertaken by an internal auditor, would have the greatest potential for conflict with the Standards regarding objectivity?

Question225: Which of the following risk factors is most subjective?

Question226: According to IIA guidance, which of the following statements is true regarding the reporting of results from a quality assurance and improvement program review of the internal audit activity?

Question227: According to IIA guidance, which of the following individuals would best be considered independent for the purpose of participating in an external assessment of the quality assurance and improvement program for an internal audit activity (IAA)?

Question228: While performing an internal audit engagement, an auditor reviews a flowchart of the organization's purchasing function. Which of the following internal control weaknesses would the auditor be able to identify in the chart?

Question229: A small not-for-profit organization with limited resources is unable to adequately maintain appropriate segregation of duties. Considering the organization's resource constraints, which type of controls would best mitigate segregation of duty risks?

Question230: Internal control processes in an organization require that all investments exceeding $20, 000 receive authorization from both the president and treasurer. After conducting a sample of these transactions, an auditor determined that 10 of the 500 investments in the sample had not included both required authorizations. The sample has a five percent acceptable error rate. Based on this sample, which of the following actions should the auditor take?

Question231: Which of the following definitions best describes enterprise risk management?

Question232: Which of the following best ensures the independence of the internal audit activity?
1. The CEO and audit committee review and endorse any changes to the approved audit plan on an annual basis.
2. The audit committee reviews the performance of the chief audit executive (CAE) periodically.
3. The internal audit charter requires the CAE to report functionally to the audit committee.

Question233: An organization's chief audit executive (CAE) has been asked to monitor and report on any violations of the organization's code of conduct. The CAE should:

Question234: Which of the following tools would provide the most useful depiction of a process flow that spans multiple departments in an organization?

Question235: The percentage of orders that are rush orders and the percentage of returns to total orders are examples of which of the following types of control activities?

Question236: A high-volume retailer of consumer goods has used point-of-sale data to record sales and update inventory records for several years. When price changes are scheduled, corporate headquarters downloads a price change file to a computer server system at each store. Each store's assistant manager is responsible for checking the server for downloads and running the program that updates the store's price file at the authorized price update time. In comparison with having headquarters initiate the price update centrally, this approach to price updating will most likely:

Question237: Which of the following is a common error made in designing multiple-choice questions in a survey questionnaire?

Question238: The chief audit executive should periodically report the internal audit activity's purpose, authority, responsibility, and performance, as well as significant risk exposures and control issues, to which of the following?
I. Board of directors.
II. Senior management.
III. Shareholders.
IV. External auditors.

Question239: While attending a conference, an internal auditor won an all-expense paid trip sponsored by a vendor of the internal auditor's organization.
Which of the following actions are most appropriate for the auditor to take?

Question240: A product manager occasionally overrides established purchasing policies in order to expedite the introduction of new products in a competitive industry. The manager's overrides are:

Question241: During an audit of a major contract, an internal auditor finds that actual hours and dollars billed are consistently at or near budgeted amounts. This condition is a red flag for which of the following procurement fraud schemes?

Question242: Auditors 1, 2, and 3 work out of various offices. Each must be assigned to one, and only one, of three audit locations (A, B, or C). The cost of sending each auditor to each location is listed below:
Audit Locations
Auditor 1
A
B
C
Auditor 2
$200
$300
$400
Auditor 3
$400
$300
$600
Auditor 4
$200
$200
$500
The minimum cost with which this assignment can be accomplished is:

Question243: A code of business conduct provides?

Question244: Which of the following is an appropriate role for the board in governance?

Question245: To identify those components of a telecommunications system that present the greatest risk, an internal auditor should first:

Question246: When internal auditors perform consulting services that add value and improve an organization's operations, these services:

Question247: What is the primary purpose of a risk management program?

Question248: The last quality assessment of the internal audit activity identified three areas for improvement: the achievement of audit engagement objectives, quality of work, and staff development. According to IIA guidance, which of the following should be the chief audit executive's primary focus to achieve these recommended improvements?

Question249: What conclusion can be reached by comparing a random sample of vendor invoices to purchase orders?

Question250: Which of the following describes a control weakness?

Question251: A chief audit executive (CAE) for a specialty retailer is asked by management to review the controls in place to manage their electronic funds transfer process. The internal audit activity has no experience with similar engagements. What is the most appropriate course of action for the CAE to take?

Question252: According to IIA guidance, which of the following statements is true?

Question253: According to IIA guidance, which of the following risk management process evaluation findings would the internal audit activity consider most effective?

Question254: Which of the following statements is not true?

Question255: Feedback on engagements from audit clients, annual benchmarking of the internal audit activity's (IAA's) performance against best practice, and analyses of project budgets and audit plan completion are all tools that can best be used by the IAA for which purpose?

Question256: Which of the following would provide the best guidance to a chief audit executive who is setting internal audit staff requirements?

Question257: Which of the following controls is not appropriate for sales in a manufacturing organization?

Question258: Which of the following audit techniques is used to evaluate control design while also embodying auditing's analytical process?

Question259: Which of the following statements is not true about red flags?

Question260: Which of the following is the best method for testing the accuracy of a computer program's calculation of shipping charges?

Question261: This chief audit executive (CAE) engaged an internal auditor to consult on an organization's complex information technology system. Shortly after beginning the engagement, the auditor unexpectedly resigned. Unfortunately, this auditor was the only available auditor with the necessary expertise. The CAE will not be able to hire someone with similar expertise in time to meet a regulatory deadline.
Which of the following would be the best course of action for the CAE to take?

Question262: An organization that outsources much of its internal audit work to an external service provider is planning for an external quality assessment. Which of the following options would accomplish this task and be in conformance with the Standards?

Question263: The primary role of the internal audit activity in regard to an organization's ethical climate is to:

Question264: An organization references a customer order with an approved customer file and credit limit before accepting an order. Which type of control does this process exemplify?

Question265: The chief audit executive (CAE) routinely provides activity reports to the board during quarterly board meetings. Senior management has asked to review the CAE's board presentation before each board meeting so that any issues or questions can be discussed beforehand. The CAE should:

Question266: According to IIA guidance, which of the following must internal auditors consider to conform with the requirements for due professional care during a consulting engagement?
1. The cost of the engagement, as it pertains to audit time and expenses in relation to the potential benefits.
2. The needs and expectation of clients, including the nature, timing, and communication of engagement results.
3. The application of technology-based audit and other data analysis techniques, where appropriate.
4. The relative complexity and extent of work needed to achieve the engagement's objectives.

Question267: A chief audit executive (CAE) is planning to issue an annual report concluding on the overall effectiveness of the organization's internal control system. According to the Standards, which of the following is likely the most significant challenge facing the CAE when creating the report?

Question268: The audit committee has asked the chief audit executive (CAE) to assist in the selection of a new external audit firm. Which of the following is an appropriate action by the CAE?

Question269: According to the International Professional Practices Framework, internal auditors should possess which of the following competencies?
I. Proficiency in applying internal auditing standards, procedures, and techniques.
II. Proficiency in accounting principles and techniques.
III. An understanding of management principles.
IV. An understanding of the fundamentals of economics, commercial law, taxation, finance, and quantitative methods.

Question270: Suspecting fraud, the chief financial officer (CFO) asked the internal audit activity to investigate a significant increase in travel related expenditures. Work was performed by a qualified internal auditor.
Following the completion of the engagement, the chief audit executive (CAE) reported to the CFO that no violations were found and no fraud had occurred.
According to the Standards, which of the following principles did the CAE violate?

Question271: The audit committee is concerned that the small size of the internal audit activity (IAA) makes it impractical to achieve full conformance with the Standards. To address this concern, which of the following actions is most appropriate for the CAE to take?

Question272: The internal audit staff lacks the expertise to perform a specific activity when auditing an organization.
Which of the following individuals is not an appropriate choice to perform this task?

Question273: Which of the following is the primary advantage of using a computer assisted audit technique (CAAT) to provide a higher level of assurance?

Question274: According to the International Professional Practices Framework, which of the following is the appropriate division of responsibilities for the coordination of internal and external audit efforts?
I. Oversight of Work
Coordination of Activities
Chief audit executive
Senior management
II. Board
Chief audit executive
III. Chief financial officer
Chief audit executive
IV. Board
Chief financial officer

Question275: Which of the following would be an appropriate outcome of a quality assurance and improvement program in an internal audit activity?
1. Modification of resources.
2. Corrections to procedures.
3. Changes in processes.
4. Implementation of new technology.

Question276: Which of the following is most likely to be an element of an effective compliance program?

Question277: Which type of documentary evidence gathered by an organization's internal auditors has the highest level of reliability?

Question278: Which of the following is the most important limitation on the effectiveness of audit committees?

Question279: A manufacturer uses a materials requirements planning (MRP) system to track inventory, orders, and raw materials requirements. What condition should an auditor search for in the MRP database if a preliminary assessment indicated that inventory is understated?
I. Item cost set at zero.
II. Negative quantities on hand.
III. Order quantity exceeding requirements.
IV. Inventory lead times exceeding delivery schedule.

Question280: An internal auditor is planning an operational audit of the accounts payable function. Which of the following best mitigates the risk of the organization being a victim of disbursement fraud by employees?

Question281: A large trucking organization wants to reduce traffic accidents by improving its system of internal controls.
Which of the following controls is correctly classified?
1. Review of speeding violations to identify repetitive locations and drivers is an example of a preventive control.
2. Defensive driver training is an example of a directive control.
3. The installation of tracking devices in delivery vehicles is an example of a corrective control.
4. Providing a vehicle driver handbook is an example of a detective control.

Question282: Which of the following best describes how the increased use of computerization may impact an auditor's assessment of the risk of fraud?

Question283: Which of the following is not an appropriate role for internal auditors after a disaster occurs?

Question284: An internal auditor has been engaged to assess fraud risks associated with a new financial software system.
Which competency would best help the auditor complete the task?

Question285: Risk assessments are valuable to the internal audit activity's planning process because they assist in:

Question286: An organization that outsources much of its internal audit work to an external service provider is planning for an external quality assessment. Which of the following options would accomplish this task and be in conformance with the Standards?

Question287: An organization has implemented a new automated payroll system that contains a table of pay rates that are matched to employee job classifications. Which control should an internal auditor suggest in order to ensure that the table is updated correctly, and is used only for valid pay changes?

Question288: Which of the following audit activities is within the scope of assurance activities as stated in the International Professional Practices Framework?

Question289: Which of the following is the best example of a strategic objective?

Question290: Management of a publicly-held organization requires the internal audit activity to be involved with quarterly financial statements, which are made public and used internally. Which of the following explanations of management's decision is least plausible?

Question291: The top three sales representatives for a company consistently include non-allowable charges on their expense reports. Line management is reluctant to deny reimbursement of the charges for fear of losing the sales representatives. This situation has the greatest negative impact on which of the following internal control components?

Question292: Some of an organization's payroll transactions were batch posted to the payroll file but were not uploaded correctly to the general ledger file on the mainframe. The best control to detect this type of error would be:

Question293: Which of the following statements regarding segregation of duties is true?

Question294: While reviewing the workpapers of a new auditor, the auditor in charge discovered that additional audit procedures might be necessary. According to IIA guidance, which of the following would be most relevant for the auditor in charge to consider when making this decision?

Question295: In developing an appropriate work program for an audit engagement, the most important factor for an audit supervisor to consider is the:

Question296: To promote a positive image within an organization, a chief audit executive (CAE) adjusted the audit plan to focus on assurance engagements that highlighted potential costs to be saved. Negative observations were to be omitted from engagement final communications. Which action taken by the CAE would be considered a violation of the Standards?
I. The focus of the audit function was changed without modifying the audit charter or notifying the audit committee.
II. Negative observations were omitted from the engagement final communications.
III. Cost savings and recommendations were highlighted in the engagement final communications.

Question297: During an interview with a data-entry clerk in the human resources department, an internal auditor recognizes a potentially significant weakness with a database system used to track employee performance ratings. Which of the following actions should the auditor take after discovering the weakness?

Question298: Which of the following would provide the best evidence of compliance with an airline's standard of having aircraft refueled and cleaned within a specified time of arrival at an airport?

Question299: During an audit engagement in an insurance company, an internal auditor discovered that senior management had purposely misclassified $200, 000 in assets on financial statements submitted to regulatory authorities in order to avoid significant statutory penalties. To remain in compliance with the IIA Code of Ethics, what would be the most appropriate action for the auditor to take?

Question300: Which of the following are core responsibilities to be included in the internal audit charter?
1. Review reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
2. Determine the adequacy and effectiveness of the organization's systems of internal accounting and operating controls.
3. Participate in the planning and performance of audits of potential acquisitions with the organization's outside accountants and other members of the corporate staff.
4. Report to those members of management who should be informed of results of audit examinations, the audit opinions formed, and the recommendations made.

Question301: Company A has a formal comprehensive corporate code of ethics while company B does not. Which of the following statements regarding the existence of the code of ethics in company A can be logically inferred?
1. Company A exhibits a higher standard of ethical behavior than does company B.
2. Company A has established objective criteria by which an employee's actions can be evaluated.
3. The absence of a formal corporate code of ethics in company B would prevent a successful audit of ethical behavior in that company.

Question302: Which of the following actions indicates a lack of due professional care by an internal auditor performing an audit of a store's cash function?

Question303: An internal audit activity encounters a scope limitation from senior management that will affect its ability to meet its goals and objectives for a potential engagement client. The nature of the scope limitation should be.

Question304: A company has established its environmental audit activity as part of its legal department rather than part of its internal audit activity, which reports to the audit committee. The board has requested that the chief audit executive (CAE) provide an annual opinion on whether environmental risks are being properly addressed. In these circumstances, the CAE should recommend to the audit committee that the internal audit activity:

Question305: Management has requested that an internal auditor serve as member of a task force that will review current receivables practices and make recommendations to improve processes. Which of the following is the most appropriate response by the internal auditor?

Question306: Which of the following actions would compromise an internal auditor's objectivity?

Question307: Why is a code of ethics for the internal audit profession necessary?

Question308: Which of the following would provide the most reliable information on the risk associated with an auditable activity?

Question309: Which of the following lists these audit steps in the correct chronological order?
I. Create the engagement work program.
II. Conduct the exit conference.
III. Perform fieldwork.
IV. Schedule the audit engagement.
Issue a summary report of audit findings.

Question310: Within the internal audit process, which of the following is not a significant advantage of employing a control model?

Question311: Which of the following elements is important for an internal auditor to consider when performing a privacy risk assessment of an organization?
I. Areas where personal information is collected, used, stored, and disseminated.
II. Inherent risk.
III. Privacy practices of competitors.
IV. Third-party recipients of information.

Question312: Which of the following factors related to an organization's performance management system would not contribute to the organization's success?

Question313: A tax consultancy agency retains sensitive personal information regarding its clients. Which of the following is a violation of acceptable privacy practices?

Question314: Which of the following is the most significant disadvantage of using checklists to evaluate internal controls?

Question315: The chief audit executive's responsibility regarding control processes includes:

Question316: According to IIA guidance, which of the following must the internal auditor consider to meet the requirements for due professional care?

Question317: In order to ensure that the internal auditors have the objectivity required by the Standards, the chief audit executive should:

Question318: Which of the following procedures would be most effective in detecting fraud in electronically-submitted claims to insurance companies?

Question319: If management has not established a risk management process, the internal audit activity could.

Question320: Performing a monthly analysis of potential duplicate invoices paid to suppliers is an example of which type of fraud control?

Question321: Which of the following processes or tools can be used as ongoing internal assessments of the performance of the internal audit activity?
1. Analyses of audit plan completion and cost recoveries.
2. Selective peer reviews of work papers by staff involved in the respective audits.
3. Self-assessment of the internal audit activity with on-site validation by a qualified independent reviewer.
4. Feedback from audit customers and stakeholders.

Question322: Which of the following is not an advantage of face-to-face interviews over electronic surveys?

Question323: Which of the following is not an objective of internal control?

Question324: Which of the following are appropriate ways to obtain continuous professional education?
1. Instructing at a local IIA training event.
2. Attending internal audit conferences and seminars.
3. Practicing specialized audit and consulting work.
4. Participating in research projects in internal auditing.

Question325: Which two of the following are preventive controls in a check disbursement process?
1. Daily reconciliation of the bank account used for check disbursements and prompt follow-up of un- reconciled items.
2. Segregation of the following duties: establishing new vendors, approving checks, and reconciling the bank account.
3. An activity report detailing who accesses the check disbursement system and the nature of any action taken in the system.
4. Evidence of strong access controls ensuring that authorized individuals have access only to the functions related to their responsibilities.

Question326: Which of the following would not be a factor for senior management to consider when determining the internal audit activity's role in an organization's risk management process?

Question327: Which of the following examples best describes how an internal auditor should behave while listening to an engagement client talk about human resource process problems?

Question328: Which of the following would provide the best evidence of errors in the quantities of items received from suppliers?

Question329: Which of the following would be the most effective action for an internal audit activity to take in order to assist in improving an organization's ethical climate?
I. Review formal and informal processes within the organization that could promote unethical behavior.
II. Conduct surveys of employees, suppliers, and customers regarding ethics.
III. Assess the employees' knowledge of and compliance with the organization's code of conduct.

Question330: During a payroll audit of a large organization, an auditor noted that the assistant personnel director is responsible for many aspects of the computerized payroll system, including adding new employees in the system; entering direct-deposit information for employees; approving and entering all payroll changes; and providing training for system users. After discussions with the director of personnel, the auditor concluded that the director was not comfortable dealing with information technology issues and felt obliged to support all actions taken by the assistant director. The auditor should:

Question331: Which fraudulent act is designed primarily to benefit the organization?

Question332: Which of the following would have the least impact (either positive or negative) on an assessment of a department's control environment?

Question333: Which of the following best describes an appropriate form of working paper standardization?

Question334: According to the Standards, a review team must express an opinion on which of the following when performing an external assessment of an internal audit activity?
1. Conformance with the Standards and IIA Code of Ethics.
2. Effectiveness of continuous improvement activities.
3. Feedback from internal audit customers and other stakeholder groups.
4. Efficiency and effectiveness of the internal audit activity's administration processes.

Question335: An auditor identifies three errors in the sample of 25 entries selected for review (a 12 percent error rate).
Based on this result, the auditor assumes that approximately 59 of the total population of 492 entries are incorrect. To reach this assumption, the auditor has used a technique known as which of the following?

Question336: One of an organization's quality objectives is to reduce the amount of rework needed in the production cycle.
Which of the following controls would be the least effective in achieving this objective?

Question337: A receiving department receives copies of purchase orders for use in identifying and recording inventory receipts.
The purchase orders list the name of the vendor and the quantities of the materials ordered.
A possible error that this system could allow is:

Question338: During an account receivables audit, an internal auditor found a significant number of input errors resulting in a $500, 000 balance understatement.
Which of the following is the most important question the internal auditor should ask to develop an appropriate recommendation for this finding?

Question339: An employee who recently transferred into the internal audit activity has been assigned to audit the accounts payable system.
Which function, if previously performed by the auditor, would represent a conflict of interest?

Question340: An internal auditor obtains spreadsheets created by the finance department of an organization. The internal auditor contacts a third party about the source data that was utilized to create the spreadsheets before going on to perform a ratio analysis and a comparison of budget versus actual data. What is the most likely reason that the internal auditor involved a third party before performing further analysis?

Question341: Which of the following represents the most useful function of inventory turnover analysis?

Question342: Which of the following are acceptable resources for a chief audit executive to use when developing a staffing plan?
1. Co-sourcing arrangements.
2. Employees from other areas of the organization.
3. The organization's external auditors.
4. The organization's audit committee members.

Question343: An organization is beginning to implement an enterprise risk management program. One of the first steps is to develop a common risk language. Which of the following statements about a common risk language is true?

Question344: Which of the following is characteristic of embezzlement?

Question345: Management should be included in the development of the audit plan in order to:

Question346: The director of purchasing, a certified internal auditor (CIA), signs a contract to procure a large order from a supplier whose products provide the best price, quality, and performance. A few days after signing the contract, the supplier presents the CIA with $1, 000 as a gift. Which statement regarding acceptance of the money is correct?

Question347: Which of the following statements is true about visual observation during an audit engagement?
1. Visual observations should not be documented as the facts have not been substantiated.
2. Complex conditions observed should be verified prior to communicating observations to management.
3. Visual observations can be used to detect ineffective controls, idle resources, and safety hazards.
4. Visual observation can be used during both preliminary survey and fieldwork stages of the audit engagement.

Question348: An internal auditor finds during an engagement that payment for the organization's general insurance policy is two months overdue. The issue is informally mentioned to the finance department which immediately submits the invoice for payment. The auditor decides to exclude this finding from the final audit report as the oversight was immediately corrected and there were no consequences because of this late payment.
Which of the following rules of conduct as described in the IIA Code of Ethics, did the auditor fail to uphold?

Question349: When auditing the award of a major contract, which of the following should an internal auditor suspect as a red flag for a bidding fraud scheme?
1. Subsequent change orders increase requirements for low-bid items.
2. Material contract requirements are different on the actual contract than on the request for bids.
3. A high percentage of employees are charged to indirect accounts.
4. Losing bidders are hired as subcontractors.

Question350: Which of the following, other than the internal audit charter, is most likely to define the purpose, authority, and responsibility of the internal audit activity (IAA)?

Question351: Which of the following is a common type of payroll fraud?

Question352: An accounts receivable clerk receives cash payments, posts the payments to customer accounts, and prepares the daily cash deposit.
The clerk has been stealing some cash and manipulating the customer payments to hide the theft.
This fraud could be detected with which of the following controls?

Question353: Which of the following is a key performance indicator for an internal audit function?

Question354: According to the International Professional Practices Framework, a review team must express an opinion on which of the following when performing an external assessment of an internal audit activity?
I. Conformance with the Standards and IIA Code of Ethics.
II. Effectiveness of continuous improvement activities.
III. Feedback from internal audit customers and other stakeholder groups.
IV. Efficiency and effectiveness of the internal audit activity's administration processes.

Question355: Due to urgent requests from management, a busy internal audit activity finds that it can no longer meet all of its commitments contained in the annual audit plan. The best course of action for the chief audit executive to take would be to:

Question356: In a manufacturing organization, all sales prices are determined centrally and are electronically sent to the distribution centers to update their sales price tables. Any pricing deviations must be approved by central headquarters. To determine how this process is functioning, an internal auditor should:

Question357: Which of the following data collection strategies systematically tests the effects of various factors on an outcome?

Question358: According to IIA guidance, which of the following are considerations of due professional care when an internal auditor conducts a formal consulting engagement?
1. The complexity of the work required.
2. The needs and expectations of the client.
3. The potential value of the engagement compared to the effort.
4. Information regarding assumptions and procedures to be employed.

Question359: According to IIA guidance, which of the following statements is false regarding continuing professional education for the internal audit activity (IAA)?

Question360: Which statement most accurately describes how criteria are established for use by internal auditors in determining whether goals and objectives have been accomplished?

Question361: An auditor for a large wholesaler is evaluating the controls over the approval and oversight of credit sales.
Which of the following procedures would be a control weakness?

Question362: Which of the following best describes the procedures used by the representatives of an organization's stakeholders to provide oversight of the processes administered by management?

Question363: According to the Standards, which of the following best describes why initial audit test results should be reported to the auditor-in-charge prior to advising management?

Question364: Which of the following is least likely to be considered material in an audit of a medium-sized organization?

Question365: Which of the following activities would be most likely to impair the objectivity of an internal auditor?

Question366: A retail sales company has discontinued a product that normally sold for $100. During the first month of a sale of the product, a 20 percent discount was given. Later that sale price was reduced by an additional 40 percent. What was the overall discount from the original selling price?

Question367: According to the Standards, which of the following statements about effective governance is not true?

Question368: A manufacturing organization's multi-step sales and shipping process starts when the organization's headquarters receives the sales order. Headquarters then shares that data with the individual manufacturing facility that compiles the shipment. Finally, the individual manufacturing facility sends the shipments to the customer. Which method should the internal auditor use to document this process in a flowchart?

Question369: An employee who recently transferred into the internal audit activity has been assigned to audit the accounts payable system. Which function, if previously performed by this employee, would represent a conflict of interest?

Question370: A government agency's policy states that board members' travel and hospitality expenses must be audited annually. Which of following people or groups is most appropriate to perform this audit?

Question371: It would be appropriate for an internal audit activity to use consultants with expertise in health-care benefits when the internal audit activity is:
I. Conducting an audit of the organization's estimate of its liability for post retirement benefits, which include health care benefits.
II. Comparing the cost of the organization's health care program with that of other programs offered in the industry.
III. Training its staff to conduct an audit of health care costs in a major division of the organization.

Question372: A quantitative risk assessment model has all of the following advantages except:

Question373: An internal audit charter describes the mission and scope of the internal audit activity (IAA), responsibilities of the IAA, accountability of the chief audit executive, independence of the IAA, and standards followed by the IAA. Which of the following also should be included in the charter?

Question374: Which of the following activities best reflects the scope and status of the internal audit activity as defined in the internal audit policy statement?

Question375: Which of the following controls within a spreadsheet would address the risk of logic errors?
1. The spreadsheet contains formulas that foot and cross-foot data.
2. The spreadsheet is locked to protect cell formulas from being inadvertently changed.
3. Spreadsheets are included in nightly backup processes.
4. Check-in and check-out software is used to manage version control.

Question376: Which of the following is the primary concern of an internal auditor in a comprehensive audit of an organization?

Question377: Line management of a manufacturing operation requests an operational audit. They are seeking recommendations for policies and procedures to enhance control over the operation. What should the internal audit activity do?

Question378: According to IIA guidance, which of the following best describes processes and tools typically used in ongoing internal assessments?

Question379: With regard to external assessments of an internal audit activity (IAA), which of the following is the chief audit executive required to discuss with the board?

Question380: Which of the following is the best way to detect fraud?

Question381: Which of the following represents the correct order of the risk management process?

Question382: Fraud is most frequently detected by:

Question383: When conducting an interview, an internal auditor is most likely to ask open-ended questions in order to:

Question384: If earnings on financial statements for internal use only have been manipulated in the past, an internal auditor is likely to focus on which of the following?

Question385: Which of the following actions by a chief audit executive is most likely to prevent exaggerated sales reports by division management?
I. Hire a new internal auditor who has fraud investigation credentials.
II. Assist the controller in developing and monitoring a series of business process indicators which are historically correlated with, but independent of, sales.
III. Announce a series of internal audit engagements focusing on compliance with corporate sales- reporting policies.
IV. Ask the president and the board to issue a statement of corporate policy stressing the importance of accurate management reporting and the negative consequences of intentional misreporting.

Question386: Which of the following is a benefit from reduced testing during a particular phase of an audit engagement?

Question387: Why is it important for the chief audit executive to periodically review the audit charter and present the results to senior management and the board?

Question388: An internal auditor has taken an attributes sample of a bank's existing loan portfolio. Out of a sample of 60 loans, the auditor found:
Four that were not properly collateralized.

Five that were not in compliance with bank policies (other than lack of collateralization).

Four that were part of a related-party group, but were set up as separate loan entities.

Of the 60 loans selected in the sample, these errors were noted on a total of 10 loans.

Several loans had multiple problems.

Which of the following conclusions can the auditor reach from these observations?
1. There is sufficient evidence that fraudulent activity is taking place by one or more of the bank's lending officers.
2. The financial statements will be misstated as a result of these actions.
3. There are significant noncompliance audit findings that should be reported.

Question389: Which of the following statements best describes the competency requirement for an auditor regarding fraud risks encountered in an engagement execution?

Question390: Which of the following internal auditor attributes are affected by a conflict of interest?

Question391: Which of the following is not one of the 10 core competencies identified in the IIA Competency Framework?

Question392: A company produces a product that consists of materials X, Y, and.
The product is mixed so that:
The quantity of material X used is one-third more than that of material Y.

The quantity of material Y used is one-fourth less than that of material Z.

If the company used 24, 000 units of material Z during a period, what is a reasonable estimate of the amount of material X used?

Question393: An internal audit charter should do which of the following?

Question394: A major corporation is considering significant organizational changes. Which of the following groups would not be responsible for implementing these changes?

Question395: An internal auditor makes a series of observations when performing an analytical review of division operations. The auditor notes the following things: the current ratio is increasing and the quick ratio is decreasing, sales and current liabilities have remained constant, and the number of day sales in inventory is increasing. Which conclusion should the auditor draw from this data?

Question396: Which of the following is not a benefit of using information technology in solving audit problems?

Question397: Why is the concept of residual risk important?

Question398: An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions, including the use of hedging strategies and financial derivatives, use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement?

Question399: A former line supervisor from the Financial Services Department has completed six months of a two-year development opportunity with the internal audit activity (IAA). She is assigned to a team that will audit the organization's payroll function, which is managed by the Human Resources Department. Which of the following statements is most relevant regarding her independence and objectivity with respect to the payroll audit?

Question400: Which of the following statements is correct regarding risk analysis?

Question401: When an external auditor unknowingly fails to modify an opinion on financial statements that are materially misstated, this is an example of:

Question402: Which domain of the COBIT framework addresses the maintenance and change management of existing systems to ensure alignment with business needs and objectives?

Question403: In an assurance engagement of treasury operations, an internal auditor is required to consider all of the following issues except:

Question404: An organization has developed a model to determine the most profitable rate of production. The organization varies the cost of labor in the model to determine how much the changes affect the optimal production level. Which type of analysis does this scenario demonstrate?

Question405: Which type of objectives can best be described as broad goals that promote the effective and efficient use of resources?

Question406: Which of the following items of evidence is most valid to support a finding that a public utility's repair crews are sometimes required to work under unsafe conditions?

Question407: Which of the following is a limitation of using observation as a manual audit procedure?

Question408: Senior management at a financial institution has received allegations of fraud at its derivatives trading desk and has asked the internal audit activity to investigate and issue a report concerning the allegations. The internal audit activity has not yet developed sufficient proficiency regarding derivatives trading to conduct a thorough fraud investigation in this area. Which of the following courses of action should the chief audit executive (CAE) take to comply with the Standards?

Question409: An organization's accounts payable function improved its internal controls significantly after it received an unsatisfactory audit report.
When planning a follow-up audit of the function, what level of detection risk should be expected if the audit and sampling procedures used are unchanged from the prior audit?

Question410: Noncompliance with which of the following would cause a control deficiency related to privacy protection practices?
I. An organization's internal privacy policies.
II. Financial accounting standards.
III. Privacy laws and regulations.
IV. The Standards.

Question411: Which of the following is a second line of defense in effective risk management and control?

Question412: Allegations have been made that an organization's share price has been manipulated.
Which of the following would provide an internal auditor with the most objective evidence in this case?

Question413: Which of the following audit procedures would provide the most relevant information to identify discrepancies between budgeted versus actual raw material consumption in a production facility?

Question414: The internal audit supervisor is reviewing the workpapers prepared by the staff. According to the Standards, which of the following statements regarding workpaper supervision is not true?

Question415: Which source of audit evidence would provide the least value in flowcharting an organization's purchasing process?

Question416: An organization's chief audit executive (CAE) determines that the internal audit staff does not have the requisite skills to conduct an audit of the financial derivatives area. Which of the following would be the best course of action for the CAE to follow?

Question417: The chief audit executive (CAE) has been asked to manage the regulatory compliance function for the organization's retail store operations. Store operations are included in the annual audit plan.
Which of the following strategies best fulfills the requirements of the Standards regarding these audits?

Question418: Which of the following corporate travel policies is least likely to be cost-effective?

Question419: A chief audit executive (CAE) is selecting an internal audit team to perform an audit engagement that requires a high level of knowledge in the areas of finance, investment portfolio management, and taxation.
If neither the CAE nor the existing internal audit staff possess the required knowledge, which of the following actions should the CAE take?

Question420: An internal auditor audited a department store's cash function. Which of the following actions would indicate a lack of due professional care by the auditor?

Question421: Why are preventative controls generally preferred to detective controls?

Question422: How should management obtain assurance that employees are complying with the organization's security policy?

Question423: Organizations that use a highly structured command-and-control management approach are at greater risk of:

Question424: According to the Standards, which of the following is not a responsibility of the audit committee?

Question425: Which of the following might alert an internal auditor to the possibility of fraud in a division?
1. The division is not scheduled for an external audit this year.
2. Sales have increased by 10 percent.
3. A significant portion of management's compensation is directly tied to reported net income of the division.

Question426: An internal auditor is researching the laws and regulations related to a city's grant program. Which of the following procedures is least relevant to this task?

Question427: Which of the following would most likely function as a detective control?

Question428: According to the IIA guidance, who is responsible for periodically assessing the internal audit activity?

Question429: In preparing for an audit of the footwear division of a major retail organization, an internal auditor gathered the following information about the organization's stores:

In addition to labor costs, the other costs associated with each store are leasing and maintenance expenses. Which of the following is a valid conclusion?

Question430: During an internal audit, an organization's processing department is found to have incidences of both duplicate invoices and notices from customers that purchased goods were not received. The department under review insists that some of these reports are false and that others were isolated oversights due to understaffing.
Which of the following tests would best help the internal auditor detect fraudulent activity?

Question431: A company's chief audit executive determines that the internal audit staff does not have the requisite skills to conduct an audit of the financial derivatives area. Which of the following actions would be the least acceptable?

Question432: When internal auditors are preparing workpapers for the testing stage of an engagement, which of the following guidelines should be observed?
1. Include copies of all client files that were reviewed for the audit.
2. Avoid the use of professional, industry-appropriate jargon and technical terms.
3. Indicate the original sources of all data and information used in the workpapers.
4. Leave blank space for cross-references to be completed during the post-audit process.

Question433: An external quality assurance review which was authorized by the chief audit executive (CAE) indicated significant findings from the Standards. To whom should the final results of the quality assurance review be reported?

Question434: Which of the following is not considered one of the most common red flags for perpetrators of fraud?

Question435: Which of the following statements is correct regarding corporate compensation systems and related bonuses?
I. A bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control.
II. Compensation systems are not part of an organization's control system and should not be reported as such.
III. An audit of an organization's compensation system should be performed independently of an audit of the control system over other functions that impact corporate bonuses.

Question436: A bakery chain has a statistical model that can be used to predict daily sales at individual stores based on a direct relationship to the cost of ingredients used and an inverse relationship to rainy days. What conditions would an auditor look for as an indicator of employee theft of food from a specific store?

Question437: An internal auditor is conducting an engagement in the accounts payable department, which includes expressing an opinion at the micro level. According to IIA guidance, which of the following statements is true regarding micro-level opinions?
1. They are most effective when using a combination of current and prior engagement findings to draw conclusions.
2. They typically are based on defined procedures such as those found in an accounts payable reconciliation process.
3. They are discrete and not normally shared with senior management or the board.
4. They can rely on evidence taken from the work of other assurance activities across the organization.

Question438: An organization's chief audit executive (CAE) has been asked to conduct an assurance engagement for an information technology system that was subject to a consulting engagement in the prior year. How should the CAE respond?

Question439: According to the International Professional Practices Framework, a primary purpose of evaluating the adequacy of an organization's risk management, control, and governance processes is to determine if it:

Question440: Human resources and payroll are separate departments. Which of the following combinations would provide the best segregation of duties?

Question441: Which of the following is not part of the five-attribute approach to developing documentation for an audit observation?

Question442: Which of the following is an activity that an internal auditor must not perform?

Question443: A chief audit executive would most likely use risk assessment for audit planning because it provides:

Question444: According to IIA guidance, which of the following statements is correct concerning the knowledge, skills, and competencies required to fulfill the responsibilities of the internal audit activity (IAA)?

Question445: Which of the following, if observed, would not indicate the need to extend the search for other indicators of fraud in a purchasing department?

Question446: Management has decided to invest significant capital in a new and innovative large computer system. They understand that they are one of the first organizations to implement this system, but they believe the benefits outweigh the uncertainty over the performance and reliability of the software. This decision best describes which aspect of risk management?

Question447: While reviewing first quarter sales transactions, an internal auditor discovered that 10 invoices for a new customer had not been posted into the accounts receivable subsidiary ledger. Those 10 invoices were listed in an error report automatically generated by the sales processing system. The system had rejected the invoices because the customer's account number was not found in the customer master file. In this scenario, which of the following controls was lacking?

Question448: The chief audit executive for an organization has just completed a risk assessment process, identified the areas with the highest risk, and assigned an audit priority to each. Which of the following statements is true and consistent with the International Professional Practices Framework?
I. Items should be ranked in the order of quantifiable dollar exposure to the organization.
II. The audit priorities should be in order of major control deficiencies.
III. The risk assessment, though quantified, is the result of professional judgments about both exposures and probability of occurrences.

Question449: Internal auditors must exercise due professional care by considering which of the following?
1. Cost of assurance in relation to potential benefits.
2. Adequacy and effectiveness of governance, risk management, and control processes.
3. Management's competency level in the area being evaluated.
4. Probability of significant errors, fraud, or noncompliance.

Question450: Which of the following is true with respect to the risk assessment process?

Question451: An internal auditor for a large bank is reviewing the collectability of a loan that is secured by real property.
The best evidence of the loan's collectability would be:

Question452: Which of the following scenarios would represent the greatest threat to the authority of the internal audit activity (IAA)?

Question453: A chief audit executive (CAE) learns that the brother-in-law of a senior auditor who audits the procurement process was hired as the head of the procurement department six months prior. Which of the following is the most appropriate action for the CAE to take?

Question454: Management has asked the chief audit executive (CAE) to provide assurance on the organization's automated control system related to financial data. The current audit staff does not have the expertise needed to conduct this type of engagement. Which of the following would be the best response by the CAE?

Question455: Which of the following would be most effective in determining if the percentage of medication orders containing errors improved after a hospital installed a computerized medication-tracking system?

Question456: An internal audit manager of a furniture manufacturing organization is planning an audit of the procurement process for kiln-dried wood. The procurement department maintains six procurement officers to manage
24 different suppliers used by the organization.
Which of the following controls would best mitigate the risk of employees receiving kickbacks from suppliers?

Question457: After completing a net present value (NPV) calculation on a proposed project, an analyst explores the change in NPV with changes in the interest rate. This additional analysis is referred to as:

Question458: Which of the following best describes the most important criteria when assigning responsibility for specific tasks required in an audit engagement?

Question459: An internal auditor is assessing the risk of employees falsifying reimbursement requests for business- related meals or travel. Which of the following procedures would the internal auditor most likely perform first?

Question460: According to IIA guidance, which of the following statements regarding the internal audit charter is true?

Question461: Which of the following types of information would an internal auditor expect to find in the supporting documentation for a high-level accounts payable process flowchart?

Question462: An internal auditor in a small broadcasting organization was assigned to review the revenue collection process. The auditor discovered that some checks from three customers were never recorded in the organization's financial records. Which of the following documents would be the least useful for the auditor to verify the finding?

Question463: In selecting an instructional strategy for developing internal audit staff, a chief audit executive should first review the:

Question464: A new director was hired to lead the internal audit activity at a small start-up company. Which of the following assignments would impair the director's independence?

Question465: During the planning phase of an audit, an internal auditor preliminarily concluded that the controls for a process were adequately designed to manage the associated risk. Under what conditions might this preliminary assessment subsequently prove to be unreliable?

Question466: An internal auditor used a questionnaire during an interview to gather information about the nature of credit sales processing. The questionnaire did not cover some pertinent information offered by the person being interviewed, and the auditor did not document the potential problems for further investigation. The primary deficiency with the above process is that:

Question467: Some of a company's payroll transactions were batch posted to the payroll file but were not uploaded correctly to the general ledger file on the mainframe. The best control to detect this type of error would be.

Question468: After several years in the engineering department, an engineer was transferred to the internal audit department. One month later, the new auditor was assigned to an assurance engagement for the engineering department. When the auditor's former engineering supervisor suggested a change in the sample selection method, the auditor consulted with the audit supervisor. They determined that the suggested method would not be as representative and that the original selection method should be used.
In this situation, the auditor:

Question469: An internal auditor is designing a sampling plan to test the accuracy of daily production reports over the past three years. All of the reports contain the same information except that Friday reports also contain weekly totals and are prepared by managers rather than by supervisors. Production normally peaks near the end of a month. If the auditor wants to select two reports per month using an interval sampling plan, which of the following techniques reduces the likelihood of bias in the sample?

Question470: Overall audit efficiency is enhanced between the internal and external audit functions when:

Question471: Which of the following should be the primary objective of an audit of an entity's business continuity plan?

Question472: A fast-food company is developing a computer simu-lation involving arrival time at a drive-through restaurant. The distribution for arrival times is:
Time
Single-Digit Random
Between Arrivals
Probability
Number Assigned
2 minutes
0.1
0
3 minutes
0.2
1, 2
4 minutes
0.3
3, 4, 5
5 minutes
0.4
6, 7, 8, 9
Six random numbers are selected to represent the arrival of six cars: 1, 6, 9, 0, 5, 6.
What is the mean time between arrivals in this run of the simu-lation model?

Question473: Internal auditors who are concerned with potential risks due to the mishandling of records or transactions should take into consideration:

Question474: Once the cause of a problem has been identified, the next step is to:

Question475: An internal auditor notes that employees are able to download files from the internet. According to IIA guidance, which of the following strategies would best protect the organization from the risk of copyright infringement and licensing violations resulting from this practice?

Question476: A daily report which lists unsuccessful attempts to log on to a computer system is A.

Question477: Forty-five percent of an organization's customer payments are submitted online. Eight percent of online payments are rejected. Executive management decides to outsource its online payment services to a contractor that will assume 75 percent of the total value of rejected payments. The organization estimates
$1.25 million customer payments due during the contract period.
Which of the following represents the organization's residual risk for online customer payments due?

Question478: What would a chief audit executive most likely recommend that an internal auditor do to prepare for an increased demand in advisory services?

Question479: A chief audit executive used risk assessment to prepare the audit work schedule. Which of the following would be the least appropriate reason to modify the schedule?

Question480: Two individuals are being considered for an audit team that is to perform a highly technical review.
Which of the following situations would preclude selection of the individual for the audit due to an objectivity concern?
I. Person A is a member of the internal audit staff and has the required technical skills. Person A participated in a controls review of the system to be audited when it was being developed.
II. Person B is a technical specialist who understands the audit area but is not a member of the internal audit staff. Although person B has personal credibility in the information systems department to be audited, person B works for another department in the organization.

Question481: When using a risk assessment model to develop audit plans, it is essential that the chief audit executive take into account the:

Question482: An organization invests its savings in a volatile stock with the potential for high gains rather than a mutual fund with a lower expected return and lower volatility. This best describes which of the following risk concepts?

Question483: An internal auditor is using mean-per-unit sampling to estimate the value of health benefit claims for a period. The auditor's desired precision is $20, 000. If the achieved precision is $10, 000, which of the following conditions is implied?

Question484: An internal auditor is testing whether payments to outside contractors have been charged to the proper account. Which of the following sampling methods would be most useful in completing this task?

Question485: Which of the following would not be a red flag for fraud?

Question486: According to COSO, which of the following is not considered one of the components of an organization's internal environment?

Question487: For a bank handling large amounts of cash, which of the following types of control would be the most effective to use?

Question488: To ensure that due professional care has been taken during an audit engagement, an internal auditor should always:

Question489: When reviewing management reports to the board of directors, the internal audit activity should:

Question490: The results of an internal audit activity's (IAA) quality assurance and improvement program are favorable and an external assessment was completed within the last five years. Which of the following statements may the IAA use to describe its work?

Question491: Which of the following actions does not violate the IIA Code of Ethics or Standards?

Question492: An internal auditor prepared a workpaper that consisted of a list of employee names and identification numbers as well as the following statement:
"A statistical sample of 40 employee personnel files was selected to verify that they contain all

documents required by company policy 501 (copy attached). No exceptions were noted." The auditor did not place any audit verification symbols on this workpaper.

Which of the following changes would most improve the auditor's workpaper?

Question493: According to the Standards, which of the following must an internal auditor take into consideration when performing an assurance engagement of treasury operations?
I. The audit committee has requested assurance of the treasury department's compliance with a new policy on the use of financial instruments.
II. Treasury management has not instituted any risk management policies.
III. Due to the recent sale of a division, the amount of cash and marketable securities managed by the treasury department has increased by 350 percent.
IV. The external auditors have indicated some difficulties in obtaining account confirmations.

Question494: In order to save time, an audit manager no longer required that a standard internal control questionnaire be completed for each audit engagement. Does this represent a violation of the Standards?

Question495: Which of the following best describes the trait that an internal auditor exercises when considering the extent of work needed to achieve the engagement's objectives?

Question496: An internal auditor plans to use an analytical review to verify the correctness of various operating expenses in a division. The use of an analytical review as a verification technique would not be a preferred approach if.

Question497: According to the Standards, which of the following is not a consideration when exercising due professional care for an assurance engagement?

Question498: The chief commodity trader for a large energy company learns from a friend that a competitor will likely fail its upcoming regulatory audit and will be forced to temporarily decrease production. If the information is true, the trader has short-term opportunities to make trades that will financially benefit the trader's company and will lead to a substantial increase in the trader's performance bonus. However, if the information is not true, making the trades will significantly increase the company's risk of being caught in a long position. From an ethical perspective, which of the following would be the most appropriate course of action for the trader to take?

Question499: Which of the following would be most relevant regarding the internal control environment?

Question500: Which of the following statements regarding organizational governance is not correct?

Question501: Which of the following is not an appropriate role of the internal audit activity in governance activities?

Question502: At the beginning of fieldwork in an audit of investments, an internal auditor noted that the interest rate had declined significantly since the engagement work program was created. The auditor should:

Question503: Which of the following conditions is the most likely indicator of fraud?

Question504: During a review of data center physical security and environmental controls, an auditor should ensure that:
I. Visitors are accompanied by authorized personnel at all times.
II. Only developers and operators have access to the data center.
III. Fire suppression equipment is tested periodically.
IV. Fire and water detectors have been installed.

Question505: Which of the following statements correctly describes how workpaper standards can improve the efficiency of internal audit operations?

Question506: Which of the following is a weakness of observation as audit evidence?

Question507: Which of the following best describes the assessment of risks?

Question508: Which of the following is a preventive control?

Question509: Which of the following are components of the COSO enterprise risk management framework?
1. Objective setting.
2. External environment.
3. Data collection.
4. Control activities.

Question510: Which of the following would be a violation of the IIA Code of Ethics?

Question511: Which of the following would be the best source of information for a chief audit executive to use in planning future audit staff requirements?

Question512: To assure that the technical proficiency of internal auditors is appropriate for the audit engagements to be performed, a chief audit executive should:

Question513: During an audit of financial contracts, an internal auditor learns that a relative has a substantial loan with the organization. The auditor should:

Question514: Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function?

Question515: What role, if any, should the internal audit activity have in the process of following up on observations and recommendations made by the external auditors?

Question516: COBIT is primarily designed to:

Question517: Using the internal audit department to coordinate regulatory examiners' efforts is beneficial to the organization because internal auditors can:

Question518: The chief audit executive (CAE) of a small internal audit activity (IAA) performs all high-risk engagements on the annual audit plan to make use of his knowledge and experience and to maximize the efficient use of audit resources. Which of the following statements is most relevant regarding this practice?

Question519: Reviewing prior audit reports and supporting workpapers before an engagement starts enables an internal auditor to do which of the following?
1. To understand better the activity and processes that will be audited.
2. To identify the audit procedures that will be used during the engagement.
3. To ensure that matters of greatest vulnerability will be addressed.
4. To use the information obtained as evidence in the current engagement.

Question520: Which of the following statements is correct with regard to risk management?

Question521: Which of the following is the most effective strategy to manage the risk of foreign exchange losses due to sales to foreign customers?

Question522: Which of the following is least likely to enhance the independence of an internal audit activity?

Question523: Which of the following characteristics could indicate high risk?

Question524: A manufacturer uses improved linkage between order entry, production, and shipping to reduce raw materials and work-in-process inventory. Which type of fraud will these changes likely reduce?

Question525: Continuing Professional Education (CPE) hours for Certified Internal Auditors may be achieved by:

Question526: In assessing the independence of the internal audit activity, a member of a peer review team should consider all of the following factors except:

Question527: Which of the following statements regarding an internal auditor's responsibility for detecting fraud is not correct?

Question528: Which of the following would be considered a preventive control?

Question529: When comparing an organization's current performance to that of the prior year, an internal auditor found that:
Total labor costs had increased.

More overtime costs had been incurred.

The total number of workers had increased.

Net income was 10 percent lower.

Based solely on this information, which of the following is a valid conclusion?

Question530: Which of the following is an example of a transaction-level control?

Question531: According to the COSO Enterprise Risk Management - Integrated Framework, which of the following statements is true regarding the role of risk appetite in an organization?

Question532: Which of the following steps would not be included in a program of selecting and developing human resources for an internal audit department?

Question533: Which of the following internal controls is likely to prevent pollution from waste disposal before it occurs, rather than detect it after it occurs?

Question534: An internal auditor uses a predefined macro provided in a popular spreadsheet application to verify the present value of the organization's investments. Which of the following is the most appropriate course of action regarding the auditor's use of this functionality?

Question535: A staff auditor, nearly finished with an audit engagement, discovers that the director of marketing has a gambling habit. The gambling issue is not directly related to the existing engagement, and there is pressure to complete the current engagement. The auditor notes the problem and forwards the information to the chief audit executive, but performs no further follow-up.
Which of the following statements is true about the auditor's actions?

Question536: What is audit risk?