ASSESSMENT TEST: ACCTG 023B

MULTIPLE CHOICE

AUDIT CYCLE RED FLAGS

1. These are examples of red flags in a revenue cycle except
a. Dubious write-offs of uncollected accounts
b. Slow collection of receivables
c. Unusual increases despite industry trends
d. Decreasing amount of receivables
e. Discrepancies between high shipments and low sales
SUPPLY CHAIN MANAGEMENT BUSINESS CYCLES
2. This is sometimes referred to as a logistics network and a global network used to deliver products and services from
raw materials to end customers through an engineered flow of information, physical distribution and cash.
a. Supply chain
b. Chain Management
c. Chain rule
d. Chain flows
3. The type of channel influences how many levels of organization to include in the channel and the specific kinds of
intermediaries. For example, an industrial products producer might choose between independent manufacturing
agents and a chain of distributors. What is not true as one of the several factors that can influence channel design:
a. End-user preferences, where customers want to purchase products or services.
b. Product or service characteristics e.g. complexity, features, service requirements
c. Manufacturer’s core capabilities and resources of which large producers will have more channel constraints
d. Availability, experience and skills of intermediaries.
e. Required functions which are necessary to move the product or service from the producer to the customer
such as storage, transportation and servicing.
BUSINESS PROCESS ANALYSIS
4. This is a collection of analytical techniques that examine and measure the basic elements of processes in order to
understand their activities, relationships and contributions to organizational goals
a. Business process analysis
b. Just process analysis
c. Business process review (BPR)
d. Any of the above
5. Tasks such as Identification of systems, processes, sub-processes, tasks and jobs of an organization; definition of
process boundaries that mark the entry points of the process inputs and the exit points of the process outputs;
Construction of process flow diagram (flowchart) that illustrates the various process activities and their
interrelationships; determination of the capacity of each step in the process; identification of the bottlenecks which
is the process activity with the least capacity; evaluation of further limitations in order to quantify the impact of the
bottleneck; and usage of the analysis to make operating decisions and to improve the process. This is called the-
a. CAATs – Computerized Assisted Auditing Techniques
b. BPATs – Business Process Analysis Techniques
c. EITs- Event Identification Techniques
d. None of the above
6. Bottleneck is a limiting factor, barrier, or constraint that slows down a product’s total cycle time. Process capacity
management is a critical part of achieving process improvement. Bottleneck or constrain management refers to the
following process-
a. Identify the process barriers (bottlenecks) -these are areas with the least capacity.
b. Analyze and understand the barriers.
c. Remove the barriers by balancing the flow of work through the process and configuring processes carefully
in order to maximize capacity.
d. All of the above
7. This is a systems management philosophy where it has at least one constraint (bottleneck or barrier) limiting its
output in pursuit of some goal. This slow down a product’s cycle time and limits the output of the entire system.
Effectively managing this is the key to the system’s overall success.
a. Theory of evolution
b. Theory of constraints
c. Theory of relativity
d. None of the above
8. These are the principles of theory of constraints except
a. It is important to concentrate on addressing specific constraints rather than trying to fix the entire system,
which may or may not have tangible results.
b. Constraints migrate to different components of a system, and continuous monitoring, identification and
improvement of new constraints is critical.
c. Each constraint limits the output of the entire system
d. There are so many constraints in a system

9. Business Process Reengineering (BPR) would mean the following EXCEPT-

a. A fundamental and dramatic rethinking of business processes in order to achieve profound improvements in
cost, quality, service, and speed.
 b. As a way to reduce the cost of management and operations in order to increase their strategic competitive
advantage by many organizations in light of global competition.
c. This promotes the idea that sometimes wiping the slate clean and organizing and redesigning an
organization is necessary to increase costs and increase the quality of a product or service.
d. This is a more radical approach to process improvement.
10. The following are quality process improvement approach that focuses on the customer experience by reducing the
number of defects in a process until they approach statistical insignificance-
a. Just in time Manufacturing
b. Lean Manufacturing
c. Six sigma
d. All of the above
11. Six Sigma is a quality process improvement which offers tools for developing solutions for processes that measurably
fail to meet customer requirements by producing more than 3.4 defects for million opportunities. It has five phases
known as in this following order-
I. DEFINE the nature of the problem; MEASURE existing performance and begin recording the data and facts
that provide information about the underlying causes of the problem.
II. IMPROVE the process by effecting solutions to the problem;
III. CONTROL the process until the solutions become ingrained.
IV. MEASURE existing performance
V. ANALYZE the information to determine the root cause of the problem;
a. II, V, IV, III, I
b. I, IV, V, II, III
c. III, I, II, IV, V
d. I, II, III, IV, V
INVENTORY MANAGEMENT TECHNIQUES AND CONCEPTS
12. The following are challenges in inventory management which auditors must have thorough knowledge include-
I. Reducing variability in the quality, amount and timing of supply deliveries.
II. Balancing the cost of holding more inventory and the cost of holding less
III. Increasing production cycles times.
IV. Maintaining production equipment.
V. Improving demand forecasting.
a. I, II, III, IV
b. II, III, IV, V
c. I, II, IV, V
d. II, V, IV, III
13. One model that is widely used in inventory management to help determine how much of something to order. This is
a control auditor should evaluate as to its effectiveness-
a. Economic order quantity
b. Bar code system
c. Radio frequency identification system
d. Perpetual inventory system
ELECTRONIC FUND TRANSFER
14. This is the transfer of monetary value and financial data from one bank to another, thus it cannot involve other
parties-
a. Check payment
b. Cash payment
c. Electronic fund transfer
d. None of the above
15. Electronic funds transfer presents potential risks to enterprises that use this technology. Therefore, internal
auditors should be prepared to assess these risks by evaluating the adequacy and effectiveness of the controls
applied. These include EXCEPT-
a. Logic controls that restrict unauthorized access to EFT system.
b. Program change management controls to ensure that only approved changes are made to the EFT system.
c. Application controls to help ensure transaction accuracy.
d. Physical controls to ensure that EFT terminals, software and media continue to perform as designed.
ELECTRONIC DATA INTERCHANGE
16. Electronic data interchange has three basic layers of control-
a. Administrative, Physical and Software
b. General, Application, and Physical
c. Administrative, Physical and Hardware
d. Application, Hardware, Software
17. Internal control for EDI risks caused by data integrity loss due to lack of paper audit trail-
a. Acknowledgment protocol
b. Computer log, reconcile with production and receipts
c. Segregation of duties, graded access levels
d. Digital signature or notarization
18. Internal Control for unauthorized user access by HACKERS is by way of strengthening access control on-
a. Signal meters, leakage protectors, electromagnetic shielding, penetration-resistant conduits
 b. Secured message routing, cable protection. Fiber optics, confidential electronic envelope, numerical
sequencing
c. ID/password, dial-back mechanisms, storage lockout, graded access levels
d. None of the above
E-COMMERCE
19. E-commerce assessment efforts will be an aspect of the annual audit plan in many organizations. Major component
of E-commerce audits include the following EXCEPT-
a. Assessing the control infrastructure, including the tone set by senior management.
b. Providing absolute assurance that goals and objectives can be achieved.
c. Determining if the risks are acceptable.
d. Evaluating the business continuity and disaster recovery plans.
20. When auditing e-commerce activities, internal auditors should look for-
a. Network security controls (e.g. firewalls encryption, virus protection policies, communication of security
standards within and outside the enterprise) and intrusion detection systems.
b. User identification systems (e.g. digital signatures)
c. Application change management controls
d. All of the above
BUSINESS DEVELOPMENT CYCLES
21. Businesses and products have a life cycle, starting with emergence (also called the embryonic or introduction phase)
and then going on to-
a. Growth, maturity and decline
b. Decline, growth and maturity
c. Maturity, growth and decline
d. Growth, decline and maturity
THE INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) FRAMEWORK
22. To receive ISO 9001 certification, an organization must implement a new quality management system that meets
the criteria set forth in ISO 9001 or compare its current system to identify and address possible gaps. When the
system has been fully implemented-
a. The organization conducts an internal audit to ensure compliance with all ISO requirements.
b. A certified external auditor reviews the system.
c. A certified external auditor issues a compliant system, a certificate
d. All of the above
OUT-SOURCING/CO-SOURCING INTERNAL AUDIT ACTIVITY
23. Out-sourcing is considered for an internal audit activity when –
a. An organization lacks an internal audit function and the board of directors, audit committee, and/or senior
management recognize the need for it.
b. An organization lacks an external audit function and the board of directors, audit committee, and/or senior
management recognize the need for it.
c. An organization lacks an operations audit function and the board of directors, audit committee, and/or
senior management recognize the need for it.
d. An organization lacks an computer audit function and the board of directors, audit committee, and/or senior
management recognize the need for it.
ORGANIZATIONAL DYNAMICS
24. This refers to the ways individuals and groups interact and cooperate in an organization.
a. Organizational communication
b. Organizational system
c. Organizational dynamics
d. None of the above
IMPACT OF COMPUTERIZATION ON COMMUNICATION
25. Computerization and other workplace support tools have increased communication capabilities. A key advantage is
the speed at which communication moves within the organization and across the globe. As many organizations have
experienced advantages, there are disadvantages EXCEPT-
a. E-mail message communication mistakes
b. Employee and customer resistance to new technology
c. Relationship misunderstandings, given less face-to-face contact
d. Laptop computers and mobile devices provide the ability for employees to travel and work anywhere and
anytime.
STAKEHOLDER RELATIONSHIPS
26. In 2010, an Institute of Internal Auditing (IIA) task force delivered its recommendations regarding how the modern
internal audit activity adds value to an organization. The IIA’s board approved the following value proposition with
this equation: INTERNAL AUDITING = Assurance, Insight, and Objectivity which means
a. Governance bodies and senior management rely on internal auditing for objective assurance and insight on
the effectiveness and efficiency of governance, risk management and internal control processes.
b. Risk Management bodies and senior management rely on internal auditing for objective assurance and
insight on the effectiveness and efficiency of governance, risk management and internal control processes.
c. Risk management bodies and CEO rely on internal auditing for objective assurance and insight on the
effectiveness and efficiency of governance, risk management and internal control processes.
d. Governance bodies and CEOrely on internal auditing for objective assurance and insight on the effectiveness
and efficiency of governance, risk management and internal control processes.
27. Internal audit is a ___________ for improving an organization’s effectiveness and efficiency by providing insight and
recommendations based on analyses and assessments of data and business processes.
a. Anticatalyst
b. Catalyst
c. Innovator
d. None of the above
28. This is an end product or result from internal audit’s assurance and consulting work.
a. Audit report
b. Audit recommendations
c. Insight
d. Evidence
STRATEGIC MANAGEMENT
29. This is a quality tool and techniques, the methodology in which the organization compares its practices with internal
best practices/goals/historical data or the best practices of other organizations and adapts these best practices for
its own use.
a. Six sigma
b. Gap analysis
c. Benchmarking
d. Quality audits
30. This is an in-depth review of a company’s processes and strategy from a quality standpoint, including analysis of best
and worst practices.
a. Process-flow analysis
b. Cause and effect diagrams
c. Run Charts
d. Quality audits
31. This analysis tool and techniques frequently follows a quality audit in order to identify specific problems and set
distinct targets for improvements between the organization and the benchmark competitor that has the best quality
in the industry.
a. Process flow analysis
b. Gap analysis
c. Benchmarking
d. Control charts
32. This is a method of analyzing operations for efficiency and control where two dimensional graphic representation of
an operation in terms of the flow of activity through the process.
a. Gap analysis
b. Process flow analysis
c. Benchmarking
d. Six Sigma
33. This is too and techniques which is also called fishbone or Ishikawa diagram which uses visual to map out a list of
factors that are thought to affect a problem or a desired outcome. An audit team might use such to determine the
root cause of a process with many problem elements.
a. Cause and effect diagrams
b. Process flow analysis
c. Histograms
d. Six Sigma
34. SWOT Analysis uses techniques from decision analysis which presented an SO and a WO as _________________
identified while ST and WT strategy for each ____________________ identified-
a. Threat; opportunity
b. Opportunity; Threat
c. Either a or b
d. None of the above
ORGANIZATIONAL BEHAVIOUR
35. Internal Auditors need to understand organizational behavior because different methods of control work better in
different organizations. Also, the root cause of a control deficiency may lie in –
a. Functional organizational behavior
b. Conventional organizational behavior
c. Dysfunctional organizational behavior
d. Any of the above
PROJECT MANAGEMENT TECHNIQUE
36. Monitoring and control in a project life cycle include the following project tasks in the following order:
I. Analyze impact
II. Compare actual and predicted outcomes.
III. Track progress, especially during execution but also during planning.
IV. Make adjustments to meet project objectives and acceptance criteria.
a. I, II, III and IV
b. II, III, IV and I
c. III, IV, IV, and I
d. III, II, I, and IV
IT/BUSINESS CONTINUITY
37. To identify and assess the control of IT risks properly, an internal auditor must understand the challenges of IT
Auditing:
I. Understand the purpose of an IT control, what type of control it is and what it is meant to accomplish
II. Identify which individuals or positions are responsible for performing what tasks.
III. Remain current with methodologies and business objectives.
IV. Balance the risk posed with the requirements of creating a control.
V. Appreciate the significance of the control to the enterprise-both the benefits that accrue to the enterprise
through the control (e.g. legal, compliance or competitive advantage) and the damage that a weak or
nonexistent control can cause.
VI. Implement an appropriate control framework and auditing plan.
a. I, II, VI, IV, V, and III
b. I, V, II, IV, VI and III
c. II, VI, V, IV, III, and I
d. II, I, III, IV, VI, and V
38. The Chief Audit Executive is responsible for ensuring a good fit between the enterprise and its IT controls and proper
implementation of a control framework. This involves:
I. Communicating IT risks and controls
II. Establishing appropriate metrics for control success and policies for communicating with management.
III. Identifying all internal and external monitoring processes.
IV. Developing and implementing an appropriate risk assessment process.
V. Defining and assigning appropriate roles related to IT controls for the entire organization.
VI. Being aware of all legal and regulatory requirements.
VII. Understanding the organization’s IT control environment.
a. I, II, III, IV, V, VI, and VII
b. I, III, V, VII, II, IV and VI
c. VII, VI, V, IV, III, II, and I
d. VII, V, III, I, VI, IV and II
SECURITY
39. The internal audit activity can report to management and the board on the level of compliance with-
a. Security rules, significant violations and their disposition.
b. Systems that do not meet security criteria.
c. Violation in segregation of duties
d. None of the above
40. Effective IT General Controls are measured by the number of:
I. Violations in segregation of duties.
II. Incidents that damage the enterprise’s public reputation.
III. Systems that do not meet security criteria.
a. I only
b. I and II
c. II and III
d. II, I and III
41. Physical security controls include the following. This are the real world means of preventing access to an asset such
as locks and/or key cards preventing access to the building, to data centers and to key operational areas.
a. Physical access controls
b. Environmental hazard controls
c. Fire and flood protection
d. All of the above
42. The following are types of hardware controls EXCEPT:
a. Echo check- Received data is returned to the sender for comparison
b. Equipment check- These are circuitry controls that detect hardware errors
c. Duplicate process check- A process is done once and not compared.
d. Redundant character check- Each transmitted data element receives an additional bit (character) of data
mathematically to the data. Abnormal changes will void the mathematical relationship.
43. IT operational controls include –
I. Planning controls;
II. Policies, standards and procedures;
III. Data and program security;
IV. Insurance and continuity planning;
V. Controls over security providers
a. I and II only
b. I, III, and V
c. II, IV, V
d. V, IV, III, II and I
44. Data Security must be maintained EXCEPT:
a. During end-users training
b. On site
c. During transmission
d. When stored on third-party systems
45.This is a scientific discovery process applied to computer records, needed for information to be admissible evidence
 in a court. Properly trained auditors on this discipline must be used to avoid corrupting the data that needs to be
studied-
a. Computer forensics
b. E-discovery
c. Either Computer forensics or E-discovery
d. None of the above
INFORMATION PROTECTION
45. There are three universally accepted elements of information security-
a. Confidentiality, integrity and availability
b. Confidentiality, integrity and completeness
c. Confidentiality, integrity and authenticity
d. Confidentiality, integrity and collectiveness
46. Part of IT internal audit is an assessment of information vulnerabilities and recommendation for improvements. The
following are indicators of poor vulnerability management Except:
a. An inability to assess risks associated with vulnerabilities and to prioritize mitigation efforts.
b. Lack of an asset management system
c. Adequately identify IT vulnerabilities systematically, resulting to proper management thus no exposure of critical
assets
d. Poor working relationships between IT management and IT security.
47. This is a malicious software designed to gain access to a computer system without the the owner’s permission for
the purpose of controlling or damaging the system or stealing data-
a. Trojan horse
b. Malware
c. Hackers
d. Worms
48. These are malicious programs disguised to be innocuous or using social engineering. Social engineering is a set of
rhetorical techniques used to make fraudulent messages seem inviting and is initiated through deceptive emails,
instant messages or phone contact.
a. Trojan horses
b. Malware
c. Worms
d. Hackers
49. This poses three fundamental questions whose answers should inform access decisions and management:
Who has access to what information? Is the access appropriate for the job being performed? Are the access and
activity monitored, logged and reported appropriately?
a. Identity and Access Management
b. Risk Management
c. IT Management
d. None of the above
50. Auditors evaluates encryption by-
a. evaluating physical controls over computers that have password keys
b. testing policies to see if they are being followed
c. implementing and monitoring logic controls
d. All of the above
51. Audits of application development can EXCEPT-
a. A pre-implementation consulting review
b. Can take the form of participative consulting during a project
c. A post-implementation assurance review once a project is complete
d. An assurance review of the general application development process.
52. This is where end-users are given the freedom to develop their own simple programs or analytical tools using
commonly available software tools such as spreadsheets and database tools.
a. Cloud computing
b. End-user computing
c. Electronic Vaulting
d. None of the above
53. Some safeguards are available to control the risks of end-user computing
I. Strong manual controls when PCs process transactions (manual review of reports)
II. Commercial backup software
III. Encryption of stored data
IV. Use of master versions of software installed on all departments (or related) PCs
V. Security cards that ask for passwords and store information about time of use.
a. I, II, IV and III
b. III, I, IV and V
c. I, II, III, IV, and V
d. I, V, IV, and II
54. These are intended to prevent computer errors by controlling data as it manually or electronically enters the system.
Internal auditors should emphasize tests of these controls. Garbage-in, garbage-out.
a. Output controls
b. Processing controls
 c. Input controls
d. None of the above
55. These are automated error checks built into computer processing as well as segregation of duties such as controlling
programmers, access to files and records. Auditors should examine restart procedures and verify that reconstructed
files have accuracy checks.
a. Output controls
b. Processing controls
c. Input controls
d. Any of the above
56. These are detective controls that find error and verify the accuracy and reasonableness of output data after
processing is complete. The auditor can manually produce control samples and compare them to the system inputs
and the system outputs.
a. Output controls
b. Processing controls
c. Input controls
d. None of the above
57. Auditing when ERP implementation use business reengineering. Once the methodologies have been designed, an
internal auditor must, among other things:
I. Evaluate the technology environment, including complexity and efficiency.
II. Decide if a legacy system is still being used for any part of the process.
III. Have a detailed understanding of the ERP approach, including the specific modules or controls are clearly
defined and understood.
a. I only
b. II only
c. I, II and III
d. II and III
58. Senior management determines the degree of the internal auditors’ involvement in the business continuity and
disaster recovery management processes considering their-
a. Knowledge, skills, independence and objectivity
b. Knowledge, skills, professional skeptiscm and objectivity
c. Knowledge, skills, integrity and objectivity
d. Knowledge, skills, integrity and honesty