
Practice of Internal Auditing - Managing

No. | Question | Explanation
2303
A chief audit executive (CAE) is preparing his overall opinion on internal control for presentation to senior management and the board. The CAE disregards a co-sourced service provider's opinion regarding several material internal control weaknesses related to information technology general controls. This is
○ a disservice to the chief information officer (CIO).
○ an example of audit detection risk.
○ a violation of The IIA's Standards.
○ appropriate, if based on the CAE's professional judgment.
Explanation: According to the interpretation for Standard 2450, "Overall Opinions," the communication will include consideration of all related projects, including the reliance on other assurance providers. Since interpretations to the Standards are mandatory requirements, failure to consider the co-sourced service provider's opinion is a violation of The IIA's Standards and would not be appropriate. Audit detection risk is caused by the auditor's failure to discover material internal control weaknesses. In this case, the service provider identified the weaknesses but the CAE failed to consider this in his overall opinion. Failure to consider material IT general controls weaknesses would not necessarily be a disservice to the CIO, since the CIO may prefer that these weaknesses are not considered or at least not disclosed to senior management and the board as part of an overall opinion on internal control.

2210
Which of the following is an example of an efficiency measure?
○ Goal of becoming a leading manufacturer
○ Number of insurance claims processed per day
○ Rate of absenteeism
○ Rate of customer complaints
Explanation: Efficiency is the ratio of effective output to the input required to achieve it. Insurance claims processed per day compares the output (claims processed) to the input (a day's work).

2193
The internal auditor is considering performing a risk analysis as a basis for determining which areas of the organization ought to be examined. Which of the following statements is correct regarding risk analysis?
○ The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
○ The highest risk analysis should always be assigned to the area with the largest potential loss.
○ The highest risk analysis should always be assigned to the area with the highest probability of risk occurrence.
○ Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
Explanation: The auditor could appropriately consider the extent of management judgments and accounting estimates as a risk factor. Risk analysis should consider both the potential loss (or damages) and the probability of occurrence.

2226
An operational assurance engagement may include an assessment of which of the following?
○ Assignment of responsibility and delegation of authority
○ Frequency of interaction between operating management and the board
○ Reliability of financial statements
○ Necessary quantity of output standards
Explanation: In operational auditing, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. It should go beyond traditional concerns and include reviews of policies, procedures, and systems, the quality of management, the use of resources to achieve organizational goals efficiently and effectively, and the safeguarding of assets.

2300
A chief audit executive (CAE) has determined the need to transition from manual to electronic workpapers and has prepared a software purchase, training budget, and detailed proposal to present to senior management. Which of the following is the CAE's best course of action?
○ Explain the details of the request for proposal to senior management as well as the pros and cons of each respondent.
○ Explain the professional development opportunities for improved understanding of IT risk and control through the audit software.
○ Explain that similarly sized audit activities in the same industry have greatly enhanced audit efficiency through audit software.
○ Explain the impact of not transitioning to electronic workpapers to senior management.
Explanation: According to the interpretation for Standard 2060, "Reporting to Senior Management and the Board," the chief audit executive's reporting and communication to senior management and the board must include information about resource requirements. The cost/benefit of transitioning to electronic workpapers must be evaluated and explained to senior management. All the other answer choices may support the CAE's request for investment in software but are unrelated to the Standards and, therefore, are not the best course of action.

2262
A consulting activity appropriately performed by the internal audit function is
○ installing systems of control.
○ reviewing systems of control before implementation.
○ drafting procedures for systems of control.
○ designing systems of control.
Explanation: Reviewing systems, even before implementation, is an activity appropriately performed by the internal audit function, and it does not impair objectivity.

2082
Which of the following poses the greatest risk in external business relationships?
○ External business partner's lack of confidentiality standards
○ External business partner's lack of compliance metrics
○ Organization's responsibility for actions of its partners
○ External business partner's inefficient business processes
Explanation: An overarching risk of external business partners is that the organization will be held responsible for the actions of its partners and perhaps even of the partners of those partners (i.e., third-tier supply chain). Contractual provisions can help transfer some of this risk, but other risks, such as reputation risk, cannot be transferred. Lack of confidentiality standards and/or compliance metrics and/or inefficient processes would not pose risk as significant as the organization being responsible for the actions of its partners.

2000
When interviewing candidates for an internal auditing position, a manager prefers to ask questions about how the candidate handled challenges in his or her previous position. This is an example of
○ situational interviewing.
○ structured interviewing.
○ initial screening.
○ behavioral interviewing.
Explanation: This is an example of behavioral interviewing, trying to predict future job performance based on past behaviors. Situational interviewing is similar but is based on hypothetical questions such as "How would you handle the following situation?..."

2248
Which would be the most effective tool for gathering reliable information about an organization's "tone at the top"?
○ Control self-assessment workshops with participants from many parts of the organization and various levels, including a range of stakeholders
○ Analysis of articles on the subject in professional journals
○ Employee questionnaires asking for a ranking of specific characteristics as they apply to senior management
○ Focus groups with senior management
Explanation: Gathering information about soft controls such as "tone at the top" is best done through face-to-face discussions that give informants a chance to hear explanations of complex or subtle matters and to express themselves freely in response. (Confidentiality may be crucial in getting honest answers.) Senior management's views on the subject are likely to be biased but would be worth considering, among other sources.

2306
A communication of a chief audit executive's (CAE's) overall opinion on internal control
○ must consider the context of the regulatory environment.
○ must include reasons for an unfavorable overall opinion.
○ must discuss the impact of resource constraints on the opinion.
○ must include control weaknesses identified by external auditors.
Explanation: According to the interpretation to Standard 2450, "Overall Opinions," the communication must state the reasons for an unfavorable overall opinion. Neither mandatory nor non-mandatory guidance from The IIA requires consideration of the regulatory environment, the impact of resource constraints, or discussion of control weaknesses identified by external auditors in the communication of the CAE's overall opinion on internal control.

2287
Which would the chief audit executive (CAE) be required to report to senior management and/or the board?
○ The fact that an audit plan was approved by senior management and the board but that, subsequent to the approval, senior management informed the audit director not to share information with other division managers because the division's activities were very sensitive
○ Minor risk and control issues
○ The fact that subsequent to the completion of an audit but prior to the issuance of the audit report, the internal auditor performing the audit was offered a permanent position in the auditee's department
○ Significant interim changes to the approved audit work schedule and financial budget
Explanation: Reporting on interim changes is a standard part of the required reporting to senior management and the board per Standard 2060. Since the audit plan was approved by both senior management and the board, the change dictated by senior management should be reported to the board. The job offer would not have to be communicated. The CAE would have to determine that there was no impairment of the independence of the auditor's work, but if there was none, the report could be issued without reporting the personnel change. While significant risk and control issues should be reported, reporting on minor issues is at the discretion of the CAE. Since the senior management request was not to share information about the division with other operational managers rather than an attempt to restrict information from the board, this is not an issue that needs to be shared with the board.

2269
Knowledge of controls gained from consulting engagements
○ must be incorporated into controls assessment engagements.
○ should be communicated to senior management and the board.
○ should not be considered during assurance engagements.
○ must be disregarded when internal controls are excluded from consulting engagement objectives.
Explanation: Implementation Standard 2130.C1 (Consulting Engagements) states, "Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes." Therefore, this knowledge should be considered during assurance engagements but doesn't necessarily need to be communicated to senior management and the board. Knowledge of controls gained from consulting engagements should not be disregarded whether controls are included or excluded from consulting engagement objectives.

2143
If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should
○ yield the responsibility for assessing the function or process to the other department.
○ consider the work of the other department when assessing the function or process.
○ ignore the work of the other department and proceed with an independent audit.
○ reduce the scope of the audit, since the work has already been performed by the other department.
Explanation: Review and testing of the other department's procedures may reduce necessary audit coverage of the function or process.

2105
In a top-down approach to new systems development, what should be reviewed before designing any system elements?
○ Computer equipment needed by the system
○ Types of processing systems used by competitors
○ Controls in place over the current system
○ Information needs of managers for planning and control
Explanation: Users' information needs and objectives should be of primary concern. The other answer choices may be irrelevant, unknown, or unimportant.

2292
A chief audit executive (CAE) of a small community bank refreshes his risk assessment four months into the current audit plan year. From the refresh, he decides it is necessary to adjust the audit plan by adding an assessment of a newly launched, high-risk loan product that was urgently initiated by the vice president of lending due to competition from a local credit union. The CAE should
○ substitute the high-risk loan product audit for other routine loan compliance work in the approved plan to stay on budget.
○ request a meeting with the vice president of lending for her approval of the new engagement objectives and scope.
○ notify regulatory authorities to understand their scheduled lending activity examinations for proper coordination of work.
○ communicate the significant audit plan change to the board and senior management for review and approval.
Explanation: Performance Standard 2020, "Communication and Approval," states: "The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval." Eliminating previously approved engagements from the audit plan in favor of other work would be considered a significant interim change. It is not appropriate for management of the audited area to approve engagement objectives and scope; this is the CAE's role. Notification to regulatory examiners regarding a new high-risk lending activity would not be appropriate.

2108
Which of the following statements is true of the role of internal audit in reporting on the effectiveness of the internal control and risk management framework?
○ Internal audit should assess the adequacy of controls implemented based on findings from a consulting engagement conducted by the activity.
○ Internal audit should incorporate general observations based on experiences in consulting engagements.
○ Internal audit should restrict findings in consulting engagements to the engagement objectives.
○ Internal audit should assume responsibility for implementing controls if management fails to act.
Explanation: Internal audit is responsible for evaluating and reporting on all risk exposures relating to governance, operations, and information systems.

2222
Which procedure would be appropriate for testing whether cost overruns on a construction project were caused by the contractor improperly accounting for costs related to contract change orders?
○ Verifying that the change orders were properly approved by management
○ Verifying that the contractor has not charged change orders with costs that have already been billed to the original contract
○ Determining if the contractor has already performed original contract work that was canceled as a result of change orders
○ Verifying that change orders were both necessary and addressed in the original project scope
Explanation: Two important tests include verifying that the contractor is not double-billing through use of change orders and determining if the contractor has billed for original contract work that was canceled as a result of change orders. It is important to test whether the company agreed to the work before it was done by the contractor, but this does not indicate whether the contractor properly accounted for the costs related to the work, so this test is unrelated to the objective. Determining if the changes were necessary is likewise important, but this would be part of the change control process and of an audit of that function. Change orders by definition are not in the original project scope.

2309
An effective internal audit performance measurement process includes
○ monitoring all key performance indicators identified in The IIA's guidance titled "Measuring Internal Audit Effectiveness and Efficiency."
○ identification of internal and external stakeholders and their needs and expectations.
○ regularly scheduled updates to the internal audit activity's policies and procedures.
○ an independent external quality assessment at least once every five years.
Explanation: According to The IIA's Practice Guide "Measuring Internal Audit Effectiveness and Efficiency," the second step in establishing an effective performance measurement process is to identify internal and external stakeholders and their needs and expectations. The internal audit activity may not need improvement in all areas identified in The IIA's guidance; monitoring all key performance indicators identified may not be necessary. Regularly scheduled updates to internal audit policies and procedures may not be necessary; audit activities generally update policies and procedures as needed. While the external quality assessment may include a review of internal audit's performance measurement process, the process itself does not include the external quality assessment.

2294
Which of the following is true of periodic review of the internal audit charter and its presentation to senior management and the board for approval?
○ It is addressed in the IIA's optional guidance and the Practice Guide titled "Audit Committee and Internal Audit Activity Charters."
○ It is optional for small internal audit activities as well as internal audit activities of public-sector and nonprofit organizations.
○ It is required so that internal audit activities can effectively coordinate work with external and internal assurance providers.
○ It indicates that the internal audit activity has the authority and backing of the board in carrying out its activities as long as it conforms to the charter.
Explanation: Periodic approval of the internal audit charter by senior management and the board demonstrates that the internal audit activity has the authority and backing of the board in carrying out its activities as long as it conforms to the charter. Such review and approval is not optional; it is mandatory guidance articulated in Standard 1000, "Purpose, Authority, and Responsibility." The IIA does not have a Practice Guide titled "Audit Committee and Internal Audit Activity Charters."

2308
Which of the following would most likely be a key performance indicator (KPI) for an internal audit activity?
○ Implementation of new audit computer software
○ Frequency of meetings with the board members
○ Audit expenditures compared to financial budgets
○ Percentage of required continuing education hours completed
Explanation: KPIs focus on "accomplishments or behaviors that are valued by the organization" and are valid indicators of performance (i.e., they measure the correct target). They must be understandable to the internal audit staff, who then use them to guide and improve their performance. Of the options, the percentage of completed continuing education hours is a measurable indicator of staff performance with a direct impact on their ability to perform their roles. The other answer choices are not KPIs. Expenditures-vs.-budgets data would not take into consideration other variables or causation, implementation of new computer software is a recommendation, and the frequency of board meetings doesn't provide a measurement that can improve performance.

2204
What is the first thing an internal auditor should do regarding errors uncovered during a financial statement audit?
○ Inform the audit committee.
○ Assess the risk of misrepresentation.
○ Discuss the situation with the engagement client.
○ Report the material errors.
Explanation: The objective of external financial reporting is to prepare relevant and reliable financial statements that fairly and accurately represent the recent historical activities of the organization. The objective of a financial audit is to provide assurance regarding the effectiveness of the processes and procedures (controls) supporting the reliability, timeliness, transparency, and completeness of the organization's financial reporting. After discovering errors during a financial statement audit, the auditor must first assess the risk of misrepresentation of the data. Only then should he or she discuss the issue with relevant stakeholders, as they will be able to provide appropriate recommendations for a course of action.

2211
A Certified Internal Auditor directs the audit function for a large city and is planning the audit schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet in order to be eligible for the funding. The auditor randomly selects participants in the job retraining program for the past year to verify that they met all the eligibility requirements. This type of audit is best referred to as a(n)
○ program audit.
○ economy and efficiency audit.
○ compliance audit.
○ operational audit.
Explanation: The auditor is determining that the participants have complied with the eligibility requirements. An operational audit would focus on the overall operations of the jobs retraining program. An economy and efficiency audit would address the cost of the program and compare it with the objectives achieved. A program audit is broader in context and would address the achievement of the overall program objectives.

2235
A quality audit concludes that a manufacturing organization's quality and continuous improvement plans are adequate and are being followed. This should mean that
○ minimum compliance with quality laws and regulations will be attained.
○ the organization's products will be substantially free from internal and external failure costs.
○ the desired quality will be attained.
○ the organization's products will be worth more to consumers, though they will cost more to produce.
Explanation: The purpose of quality audits is to provide assurance that an organization's quality plans, activities, and operations are such that, if followed, the desired quality will be attained.

2304
While preparing his overall opinion on internal control for presentation to senior management of a large government agency, a chief audit executive (CAE) notices a pervasive lack of accountability as the root cause for numerous internal control weaknesses discussed in audit reports. The CAE should
○ make recommendations to enhance the control environment.
○ lead by example by ensuring that auditors are accountable for deadlines.
○ recognize this as a normal element of the complex bureaucracy.
○ consider progressive discipline policies in his risk assessment.
Explanation: The implementation guidance for Standard 2130, "Control," states, "Internal auditors may make recommendations that enhance the control environment." "Enforces accountability" is one of the five COSO Internal Control—Integrated Framework principles related to the control environment component. Progressive discipline policies may be considered in the scope of an audit engagement but would not likely be assessed in an internal audit risk assessment. The CAE should not accept a culture of lack of accountability as normal for the bureaucracy. While the CAE's posture of leading by example may impact the audit activity, it will not address a pervasive lack of accountability throughout the organization.

2137
A new chief audit executive (CAE) needs to establish reporting protocols for the frequency of communicating significant risk and control issues to senior management and the board. To determine the frequency of reporting, the CAE should
○ collaborate with senior management and the board to establish appropriate reporting frequencies.
○ consider resource constraints impacting internal audit communications of significant risk and control matters.
○ consider the past results of and the timing and extent of planned external auditor testing.
○ collaborate with compliance, risk management, and other second line leadership on their reporting protocols.
Explanation: The interpretation to Standard 2060, "Reporting to Senior Management and the Board," states, "The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board." External auditor testing would not impact the frequency of internal audit reporting. Resource constraints would not be a primary consideration for establishing protocols for the frequency of internal audit reporting, and the frequency would not be impacted by second line reporting protocols.

2237
Which of the following would be an internal audit responsibility during an information technology audit?
○ Providing oversight of corrective measures to resolve an information security breach
○ Implementing preventive, detective, and mitigating measures to ensure data privacy
○ Promoting an appropriate organizational mindset to reengineer traditional business processes
○ Evaluating metrics related to operating system capacity, resilience, and monitoring
Explanation: It would be a logical responsibility for an internal auditor to evaluate metrics related to operating system capacity, resilience, and monitoring, as an operating system crash can have a severe impact on many employees. Management owns the other responsibilities.

2203
Which of the following is the most important provision for an internal auditor from a start-up company to recommend for inclusion in a contract for the third-party augmentation of the company's new customizable business application system?
○ Copyright clause
○ Limitation-of-liabilities clause
○ Right-to-audit clause
○ Source code escrow clause
Explanation: Source code is likely a start-up company's most valuable asset. Therefore, it is important to protect the company's intellectual property (IP) in any external business relationship in which the organization must share this confidential information. By using a third party, the company can work easily with customers on older or retired products while never having to disclose proprietary information and code. In third-party relationships, the third party has a right to audit the contractor and will likely share liabilities.

2289
Which is a required communication for the chief audit executive (CAE) to have with senior management and the board?
○ Impact of any resource limitations
○ Minor interim changes to plans and resources
○ Staffing needs analysis results
○ Audit client plans and resource requirements
Explanation: Standard 2020, "Communication and Approval," states that the CAE "must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations."

2297
A recent penetration test of information technology security vulnerabilities disclosed a significant control weakness related to physical access to the organization's data center. Management has explained that due to budget and staffing constraints, it is unable to resolve the control weakness for an indefinite period of time and will accept the risks associated with the vulnerability. The chief audit executive's best course of action is to
○ ensure that the enterprise risk management team is aware of the vulnerability for inclusion in its risk assessment.
○ communicate the control weakness and IT management's response to senior management and the board.
○ seek guidance from The IIA's Global Technology Audit Guide (GTAG) "Information Technology Risks and Controls."
○ accept the reality of resource constraints and include data center security in ongoing internal audit risk assessments.
Explanation: The interpretation for Standard 2060, "Reporting to Senior Management and the Board," states, "The chief audit executive's reporting and communication to senior management and the board must include information about management's response to risk that, in the chief audit executive's judgment, may be unacceptable to the organization." While the chief audit executive may seek guidance from GTAGs and other sources in planning and performing the audit engagement, doing so after a significant control weakness has been identified and management has responded is too late in the audit process. Lack of effective internal controls over data center security brings significant risk to an organization; accepting the reality of resource constraints and deferring the issue to future risk assessments would not be an appropriate course of action. While ensuring that the enterprise risk management team is aware of the vulnerability is effective sharing of risk/control information, this is not the best course of action.

2217
Management at a university hospital has been releasing data on voluntary test subjects to university researchers after getting consent and stripping out volunteers' names and replacing them with numeric codes. What is the most important question an internal auditor can ask of an expert familiar with what is being released?
○ Could this information be combined with publicly available data to potentially identify the volunteers' identities?
○ Do the university researchers have requirements not to disseminate the data to other parties?
○ Are the numeric codes truly random and unable to be associated with the individual?
○ Is senior management exercising proper oversight over the name replacement process to ensure that it is occurring?
Explanation: Personal information generally refers to information that is associated with a specific individual or that has identifying characteristics that, when combined with other information, can be associated with a specific individual. For this reason, it is important to determine whether the data needs to be further aggregated or have other processes applied to it to ensure that it cannot be traced to specific individuals prior to release.

2227
Assume that your company is considering purchasing a small toxic waste disposal company. As an internal auditor, you are part of the team doing a due diligence review for the acquisition. Your scope (as an auditor) would most likely include
○ a review of the waste company's procedures for acceptance of waste material and comparison with international toxic waste disposal companies.
○ analysis of the waste company's compliance with and disclosure of loan covenants.
○ an evaluation of the merit of lawsuits currently filed against the waste company.
○ assessment of the waste company's privacy policies to ensure that customer dropoffs do not generate negative publicity.
Explanation: It is important to ensure that a prospective company is not at risk of default on loans. While the procedures for acceptance of waste material are of interest, comparing them to those of international companies would not have much relevance, as other countries would have different laws and regulations. Rather, they should be compared against relevant laws and regulations of the country in which the company operates. The merit of a lawsuit is a matter of legal judgment; it is beyond the expertise of the internal audit activity. If the waste company is operating in compliance with laws and regulations, it should be transparent rather than secretive.

2102
An internal auditor has been given the task of determining if a vendor is meeting its contract requirements. Which is a factor to be considered?
○ Whether the vendor is outsourcing some of the production
○ Whether accounts payable is processing payments on or before the payment deadline
○ Whether the quality of the product meets specifications
○ Whether the vendor is going above and beyond minimum requirements
Explanation: In a contract audit, the internal auditor is concerned only with items specified in the actual contract. Normally, this includes such things as the quality of the product and the correct quantity and timing of deliverables rather than if the vendor is paid on time or correctly. Additional actions may be identified that are not part of the contract; these actions might increase the efficiency and effectiveness of the work being performed.

2250
In designing a control self-assessment (CSA) workshop, which of the following elements merits the most serious attention?
○ Scheduling time for participants to review information and suggest improvements
○ Developing metrics to assess respondents' answers to pre-workshop questionnaires
○ Carefully briefing management to be certain to get higher-level commitment to the process
○ Designing carefully worded yes-no questions to ensure the gathering of precise information
Explanation: All of the answers identify valid concerns, but the essence of CSA is the involvement of staff and management with a sense of ownership to be active process participants. Their knowledge and experience in the process being discussed will enhance the opportunity for agreement on process improvement.

2101
Which of the following is the best reason for the chief audit executive to consider the strategic plan in developing the annual audit plan?
○ To ensure that the internal audit plan supports the overall business objectives
○ To ensure that the internal audit plan will be approved by senior management
○ To make recommendations to improve the strategic plan
○ To emphasize the importance of the internal audit function
Explanation: Considering the strategic plan in the development of the internal audit plan will ensure that the audit objectives support the overall business objectives stated in the strategic plan.

2253
Internal auditing has been asked to help the marketing department of a health-care services company assess its performance and identify areas for improvement. Which of the following types of benchmarking would be most useful to the internal auditor in accomplishing this task?
○ Competitive
○ Generic
○ Internal
○ Functional
Explanation: Since there are many businesses competing to provide health-care services, it would be feasible to identify successful competitors and compare their skill sets, activities, and sophistication in process with the client activity. Functional benchmarking would use performance in another industry and might offer too many variables for easy comparison. Generic benchmarking would probably yield data that is too general. Internal benchmarking, which might compare the current marketing function with previous marketing functions in the organization, would not allow for the introduction of new ideas being tried outside the organization.

2299
A company recently acquired a small competitor organization because of its complementary line of business. Prior to the acquisition, high regulatory and compliance risks had led the company's chief audit executive (CAE) to focus primarily on compliance assurance, but she is now recognizing the enhanced operational and strategic risks associated with the acquisition. Based on her updated risk assessment and resulting audit plan amendments, the CAE plans to communicate her resource requirements to senior management and the board. She must also communicate information about
○ the ten Core Principles and how they are or are not evidenced in the culture of the acquired organization.
○ internal audit's needed strategies for favorably impacting the governance of the combined organization.
○ the needed changes to the audit charter and the audit activity's purpose, authority, and responsibility.
○ the acquired organization's adherence (or lack thereof) to the COSO Internal Control—Integrated Framework or other control framework.
Explanation: According to Standard 2060, "Reporting to Senior Management and the Board," the CAE must report periodically to senior management and the board on the internal audit activity's purpose, authority, and responsibility. The interpretation for Standard 2060 states that the CAE's reporting must include information about the audit charter. Since the CAE plans to shift focus from primarily compliance assurance, adding operational and strategic risk elements to the audit plan, the internal audit charter should be amended to reflect the expanded purpose and responsibility of the audit activity. The ten Core Principles, as one element of mandatory guidance, apply to the internal audit activity, not the culture of the organization. Adherence to a control framework is not a mandated communication by the CAE. There is no mandate in internal audit guidance to communicate strategies for impacting governance to senior management and the board.

2199
A service company is currently experiencing significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using internally developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the chief audit executive, two audit managers, and five staff auditors. Every staff auditor has a financial background. In the past, the primary focus of successful audit activities has been the service branches and the six regional division headquarters that support the branches. The division headquarters are the primary targets for possible elimination. The support functions—such as human resources, accounting, and purchasing—will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Based on these changes and assuming that total audit resources remain the same, what activities should the internal auditing department perform to best serve the organization?
○ Increase audit time in systems development.
○ Increase audit time in service branches.
○ Increase audit time in functions being centralized.
○ Continue the allocation of audit time as before.
Explanation: Due to the focus on technology, audit time spent reviewing systems development should be increased. More testing of the same controls just because volume has increased is not a productive use of time. While a small incremental increase in audit time may be feasible, the benefit derived would be minimal. Changes to business goals, processes, and focus will also require proactive changes by the internal auditing department.

2225
In evaluating the organization's privacy framework, internal audit performs compliance audits, including assessing practices, processes, and controls. This level of involvement demonstrates which level of organizational maturity concerning privacy protection?
○ Managed
○ Defined
○ Repeatable
○ Optimizing
Explanation: In a model with five levels of privacy protection maturity (initial, repeatable, defined, managed, optimizing), this would be the defined level. At this stage, the organization has demonstrated senior management commitment, complete privacy policy, and privacy organization. Leadership is in place. Risk assessments have been performed, and consistent organization-wide controls are underway.

2104
The costs of quality that are incurred to evaluate purchased materials, processes, products, and services to ensure conformance to specifications are referred to as
○ prevention costs.
○ internal failure costs.
○ appraisal costs.
○ external failure costs.
Explanation: Appraisal costs are those costs incurred to evaluate purchased materials, processes, products, and services to ensure conformance to specifications. These costs include inspecting and testing raw materials and work-in-process inventory.

2244
While conducting a control self-assessment (CSA) project in an IT division, an internal auditor asks managers to rate the severity of each identified risk and the strength of each related control. Which of the following represents the most significant disadvantage of this exercise?
○ Subsequent audits of the division may not be conducted in a timely fashion.
○ Management may omit important control weaknesses.
○ The internal audit activity will be viewed as responsible for controls.
○ Budget hours expended will likely exceed any tangible benefits.
Explanation: In CSAs or reviews of management performance, audit data and evidence will be qualitative and subjective to some degree. In these cases, some way should be found to corroborate the information. Because management may not be intimately involved in the processes and controls of the IT division, they may be unaware of certain important controls and their weaknesses. Alternatively, they may have their own biases in relation to this division and may omit weaknesses and instead identify only how a division is supposed to work as opposed to how it actually does function.

2273
The chief audit executive (CAE) is responsible for sharing information and coordinating activities with other internal and external service providers to ensure proper coverage and minimize duplication of efforts. With the exception of the external auditors responsible for auditing the organization's financial statements, which of the following coordination activities should be limited to internal assurance and consulting providers?
○ Exchange of organizational charts
○ Common understanding of audit techniques, methods, and terminology
○ Copies of regulatory reports relevant to audit engagements
○ Access to audit programs, working papers, and management letters
Explanation: Reviews conducted by internal assurance and consulting providers and the external auditors responsible for auditing the organization's financial statements typically address areas and issues that are relevant to internal auditing's scope of work.

2234
If an internal auditor is verifying that financial consultants at a bank have met both the organization's and the industry's requirements for training, what type of audit is being performed?
○ Performance
○ Operational
○ Financial
○ Compliance
Explanation: In this case, the auditor is determining if the consultants are in compliance with required standards.

2272
Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities?
○ Chief executive officer (CEO)
○ Each assurance and consulting function
○ External auditor
○ Chief audit executive (CAE)
Explanation: According to Performance Standard 2050, the CAE should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. Implementation Guide 2050 indicates that oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the CAE. The CAE obtains the support of the board in coordinating audit work effectively.

2301
The chief audit executive (CAE) believes that the proposed organizational budget will not enable the activity to perform planned risk management projects. What action should the CAE take?
○ Plan the annual audit schedule accordingly, performing as many risk management activities as possible within the budget.
○ Arrange to co-fund risk management projects with other functions.
○ Use time at a board meeting to educate senior management about the process and benefits of risk management.
○ Go around senior management and appeal directly to the board for the necessary budget.
Explanation: Interpretation of Standard 2000, "Managing the Internal Audit Activity," notes that the internal audit activity adds value to the organization when it "contributes to the effectiveness and efficiency of governance, risk management, and control processes." The CAE can effectively fulfill this role by educating the board and senior management on the benefits of risk management to the organization.

2209
Because of the nature of work at a company's plants, radiation safety is important. An audit to test the system of controls over the purchase, distribution, and use of radioactive material is being conducted. The process is well documented, and employees in the safety department are very familiar with the department's procedures. Since the purchasing and facilities departments are involved in the process, the auditor is considering reviewing their procedures for handling radioactive material as well. The auditor should
○ defer questions regarding purchasing, facilities, and other departments until audit projects can be scheduled for those departments.
○ test the controls identified within the safety department; if results are unfavorable, consider whether to involve the other departments.
○ have confidence in the rigorous and detailed safety department procedures, since that department has the main responsibility for radiation safety; the auditor should not use audit time to review other departments.
○ adjust the audit schedule and budget, if needed, and interview the appropriate individuals in purchasing and facilities to ascertain whether additional controls exist that complement those identified within the safety department.
Explanation: The risk of having radioactive materials on site that are not accounted for in the facility's inventory is sufficiently serious that all key controls should be identified and evaluated. The auditor is obliged to note that the risk extends beyond the safety department and should request resources to finish this important work.

2200
A company recently experienced substantially reduced net profit from sales of product line A, which is produced in a dedicated machine shop. The internal auditors have been assigned the task of determining the cause of the reduced net profit. As a first step, the in-charge auditor should
○ analyze scrap and surplus records.
○ compare production records with cost standards.
○ evaluate the elements of cost and compare them to those of prior periods.
○ test material vouchers for validity.
Explanation: Analysis of the elements of cost can point out problem areas. Testing material vouchers for validity would not be best, since material is only one element of cost. Comparing production records with cost standards would not be the auditor's first step, as there is no assurance that the standards are valid. Analyzing scrap and surplus records would point to only one element, production inefficiencies.

2298
A chief audit executive (CAE) has established a rotation program whereby interested, qualified business unit personnel work in internal audit for two years and then rotate back out into a business unit, taking an enhanced understanding of governance, risk, and control with them. Some business unit managers have criticized the CAE, saying that rotational auditors are not objective in performing their work, since they "know where the skeletons are" and have relationships with former coworkers in the areas they are auditing, in spite of the rotational auditors not working in the business units for at least one year. The CAE's best course of action is to
○ consider stopping the rotation program in favor of other, more appropriate internal audit staffing options.
○ communicate to senior management and the board regarding action plans to address any issues of conformance to the Code of Ethics.
○ communicate to the business about internal audit's independence and functional and administrative reporting lines.
○ refer business unit management to the internal audit activity's purpose, authority, and responsibility as defined in its charter.
Explanation: The interpretation for Standard 2060, "Reporting to Senior Management and the Board," states that the CAE's reporting and communication to senior management and the board must include information about conformance with the Code of Ethics and action plans to address any significant conformance issues. Since objectivity is one of the principles of the Code of Ethics, the CAE should have appropriate policies and procedures in place to ensure internal auditor objectivity in performing the work and, as such, could communicate this to concerned business unit management. Communicating internal audit's independence and reporting lines or referring business unit management to the internal audit charter will not address the assertion of lack of auditor objectivity. Rotation is a best practice, and stopping this program would not be the best course of action.

2305
To promote continuous improvement in control effectiveness, the internal audit activity may
○ establish a logical structure for documenting and analyzing the organization's design and operation of controls.
○ help management keep abreast of emerging issues, laws, and regulations related to control requirements.
○ design internal controls to address residual risks related to operations, compliance, and reporting objectives.
○ implement management monitoring activities to ensure ongoing effectiveness of internal controls.
Explanation: According to the implementation guidance for Standard 2130, "Control," the internal audit activity may help management keep abreast of emerging issues, laws, and regulations related to control requirements to promote continuous improvement in control effectiveness. Residual risks are generally unmitigated. Nevertheless, management is responsible for internal control design, not internal audit. Management, not internal audit, is responsible for establishing a structure for documenting and analyzing controls and implementing management monitoring activities.

2089
Before formally presenting a proposed risk-based audit plan to senior management and the board for review and approval, the chief audit executive must
○ consult with senior management and the board to understand organizational strategies, business objectives, and risks.
○ refrain from consultation with operating management, in the interest of independence and objectivity.
○ provide senior management and the board with assurance regarding the adequacy and effectiveness of management's risk assessment.
○ consult with regulators to understand significant compliance risks and opportunities for coordination of work.
Explanation: The interpretation to Standard 2010, "Planning," states, "To develop the risk-based plan, the chief audit executive (CAE) consults with senior management and the board and obtains an understanding of the organization's strategies, key business objectives, associated risks and risk management processes." Consultation with regulators is not required for the CAE to understand compliance risks; coordination of work is not a consideration of risk-based annual audit planning. Providing assurance regarding management's risk assessment may be part of the proposed plan but is not required prior to presentation of the plan. Consultation with operating management is not prohibited by The IIA's guidance.

2310
As part of the internal audit activity's internal quality assurance program, periodic self-assessments should include
○ recommendations on use of information technology to enhance internal audit efficiency and effectiveness.
○ an independent evaluation of conformance to the Standards by a qualified external assessor.
○ validation of continued conformance with the Standards and the Code of Ethics by a member of the internal audit activity.
○ reporting results to external stakeholders, such as regulatory examiners.
Explanation: Validation of continued conformance with the Standards and the Code of Ethics by a member of the internal audit activity is the substance of periodic self-assessments. Recommendations on use of information technology may be but aren't necessarily an output of a periodic self-assessment. The external assessor's evaluation of Standards conformance is part of the external quality assessment activity, not internal periodic self-assessments. The results of periodic self-assessments are reported to senior management and the board at an agreed-upon frequency.

2231
Which of the following should an internal auditor review to determine if a computer security system meets management objectives?
○ Industry best practices for management objectives
○ Regression testing of the security system
○ Previous audit findings
○ Relevant publications concerning the latest technology for security systems
Explanation: Determining current and potential future standards for the industry enables an internal auditor to decide if the current computer security system is adequate for the organization.

2103
Which of the following costs of quality are incurred when defects are discovered before sending products to customers?
○ Appraisal costs
○ Prevention costs
○ Internal failure costs
○ External failure costs
Explanation: The internal failure costs of quality include handling and fixing defective products or disposing of them and the opportunity cost of not being able to sell disposed-of products.

2004
In assessing organizational risk in a manufacturing environment, which of the following would have the most long-range impact on the organization?
○ Advertising budget
○ Inventory policy
○ Product quality
○ Production scheduling
Explanation: Product quality is a long-range planning topic because it affects market positioning. The other answer choices are concerns, but they have less long-range impact than product quality.

2153
Internal auditors can evaluate the management function of planning (as opposed to organizing, directing, or monitoring) by determining
○ what managers are responsible for and what they are authorized to do.
○ whether new standards of performance are established and disseminated when the old standards are inadequate or ineffective.
○ whether employee compensation is consistent with the organization's specifications for compensation ranges by employee grade.
○ whether each management plan carries a means of measuring its success.
Explanation: Determining whether each plan carries a means of measuring its success is one way internal auditors facilitate the management function of planning. Determining what managers are responsible for and what they are authorized to do relates to the management function of organizing. Determining whether employee compensation is consistent relates to the management function of directing. Determining whether new standards of performance are established and disseminated when the old standards are ineffective relates to the management functions of directing and monitoring.

2003
In determining whether to conduct an audit of compliance with environmental regulations or a consulting engagement in the tax department, the chief audit executive should give the lowest weight to which of the following considerations?
○ Management has expressed a desire for a tax audit.
○ Tax laws have recently changed in ways that may affect the organization's very substantial write-offs.
○ In the state where the organization is headquartered, a recently elected official campaigned on a promise to go after polluters in the organization's industry.
○ The audit staff has more expertise in taxation than in environmental compliance, necessitating reliance on outside consultants for environmental audits.
Explanation: Available resources should not be a major consideration in this decision.

2169
The foundation of internal audit resource allocation should be the
○ risks and expectations of how internal audit can add value.
○ audit universe.
○ time and budget constraints.
○ existing skill sets of internal audit resources.
Explanation: If the chief audit executive has a strong understanding of organizational risks and how internal audit can add value, he or she can then ensure that appropriate resources are available, whether in-sourced, co-sourced, or out-sourced. Existing internal audit resources or time and budget should not be the primary focus and constraint in how the internal audit activity addresses organizational risks.

2241
An organization is considering establishing a B2B (business-to-business) e-commerce relationship with a new trading partner. Which would be appropriate risk factors to consider when setting the objectives of an external business relationship assurance engagement?
○ Redundancy and failover of trading partner systems (in relation to downtime tolerance)
○ Assurance of trustworthiness
○ Channel security through appropriate controls (i.e., encryption)
○ Privacy of data arrangements
Explanation: Privacy considerations are germane to a B2B e-commerce risk assessment and achieving an acceptable level of comfort regarding B2B linkages with a current or prospective trading partner. Trustworthiness is not something that can be easily assured. This objective would be better stated in a different way, such as prior contract compliance, history of good faith dealing, and so on, so it is not the best answer. The remaining answer choices are more technical in nature and are not good objectives but could be inclusions in a subsequent investigation.

2177
A chief audit executive (CAE) decides to recruit independent contractors to augment the skill sets of his internal audit team in order to accomplish the annual risk-based plan. The CAE should
○ ensure that the independent contractor arrangement is exclusive; contractors should not perform work for other audit activities.
○ establish a process and criteria to determine whether the internal audit activity may rely on the work of independent contractors.
○ ensure that all contracted service providers are either Certified Internal Auditors (CIAs) or Certified Information Systems Auditors (CISAs).
○ enhance the audit activity's training programs to build the lacking skill sets within the current internal audit team.
Explanation: According to the implementation guidance for Standard 2050, "Coordination and Reliance," it is essential that the CAE establish a consistent process and set of criteria to determine whether the internal audit activity may rely on the work of another provider. Using independent contractors who hold CIA or CISA certifications may or may not provide the needed skill sets. The CAE should ensure that confidentiality expectations are upheld, but an exclusive relationship may not be realistic or may require an employer-employee relationship, depending on employment and tax laws in the jurisdiction. Training may not produce the required skill sets in a timely fashion, may not be a substitute for necessary experience, or may be costly and therefore may not be a reasonable solution.

2163
The chief audit executive (CAE) of a small community bank needs to recruit and hire three entry-level internal auditors, due to the bank's rapid growth through mergers and acquisitions. The audit activity is currently staffed with a cohesive group of experienced high performers. The CAE wants her team to gain supervisory and managerial skills through the development, coaching, and mentoring of the three new staff members. While recruiting at a local university, which of the following is the most effective interview approach for the CAE to use?
○ Behavioral
○ Structured
○ Situational
○ Stress
Explanation: In a structured interview, applicants are asked the same questions, with follow-up questions as needed. A guide is developed to focus on necessary skills, knowledge, experience, and attitudes, which helps ensure consistency and completeness in the interviewing process and also supports legal compliance. This approach is appropriate for entry-level professional positions, such as internal audit roles.

2144
A primary purpose of establishing key performance indicators (KPIs) for the internal audit activity is
○ to establish a basis for quality improvement.
○ to demonstrate understanding of reporting, compliance, and operations objectives.
○ to set expectations for internal audit staff performance in conjunction with annual performance appraisals.
○ to demonstrate the chief audit executive's capability in controlling the internal audit activity.
Explanation: According to The IIA's Practice Guide Measuring Internal Audit Effectiveness and Efficiency when establishing KPIs to monitor, measure, and report, the chief audit executive may consider those areas that need improvement as identified by the quality assurance and improvement program. KPIs for audit activity performance are not generally the same as those associated with internal audit staff performance related to annual performance appraisals. Demonstrating the chief audit executive's capability in controlling the internal audit activity is not a primary purpose of establishing KPIs. Understanding the three categories of objectives of the COSO internal control framework is unrelated to internal audit activity KPIs.

2254
A health-care products company engages with the internal audit activity to map the manufacturing process for one of its major products. The company wants to identify risks that would interrupt production and thereby endanger the company's financial well-being. How could the business process mapping engagement help achieve this objective?
○ By eliminating redundancies in the manufacturing process
○ By identifying interdependent components in the process
○ By improving relations with shareholders
○ By improving relations with external regulators
Explanation: The process mapping activity should reveal sequences and requirements of each component in the process as well as interdependencies, for example, the need to receive parts from internal or external suppliers, analyses of purity, or certifications of equipment from external agencies. Risks will have to be identified for each area and contingency strategies developed that account for these interdependent tasks. While the process may also reveal redundancies, this is not a risk of production interruption. It is instead an area for identifying cost-saving opportunities, so it would be a different objective.

2296
According to the Standards, internal audit must report to senior management and the board on its conformance
○ with the Standards and Implementation Guidance.
○ with the Mission Statement and the Core Principles.
○ with the Core Principles and the Code of Ethics.
○ with the Code of Ethics and the Standards.
Explanation: Standard 2060, "Reporting to Senior Management and the Board," states the following: "The chief audit executive must report periodically to senior management and the board on its conformance with the Code of Ethics and the Standards." The Standards do not include a requirement to report on internal audit's conformance with the Mission Statement, the Core Principles, or Implementation Guidance.

2286
A chief audit executive (CAE) of a large school district contracts with an external service provider to perform audits of internal controls over financial reporting (ICFR) of the district's charter schools. Where reliance is placed on the external service provider's work, the CAE
○ must provide appropriate supervision, including thorough reviews of service provider workpapers and auditor conclusions.
○ must evaluate the service provider's quality assurance and improvement program (QAIP), in accordance with The IIA's standards.
○ is still responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.
○ should be certain that the service provider does not perform any other professional services for the school district.
Explanation: The interpretation of Standard 2050, "Coordination and Reliance," states, "Where reliance is placed on the work of others, the CAE is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity." The CAE is responsible for establishing a consistent process for the basis of reliance on the work of others, considering the competency, objectivity, and due professional care of the providers, which may or may not require supervision of provider staff, including workpaper reviews and auditor conclusions. The standards do not require the audit activity's evaluation of the service provider's QAIP. The CAE should consider the service provider's objectivity and independence in conducting internal audit services, which would include consideration of other professional services provided to the organization by the service provider.

2157
The form and content of internal audit policies and procedures are
○ required by The IIA's Standards to be updated on an annual basis.
○ dependent upon the size and structure of the internal audit activity and the complexity of its work.
○ specifically prescribed in The IIA's Standards.
○ mandated by The IIA's publication "Internal Audit Policies and Procedures."
Explanation: Interpretation of Performance Standard 2040 stipulates that "the form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work." Internal audit standards do not provide specific requirements regarding the form and content of internal audit policies and procedures. The IIA does not have a publication titled "Internal Audit Policies and Procedures." The IIA's Standards do not require that policies and procedures be updated annually.

2307 An auditor reviews an organization's plan for developing a performance scorecard. Which of the following potential performance measures should the auditor recommend including in the scorecard if not already present?
○ Employee participation
○ Product life cycle
○ Share price
○ Customer satisfaction
Explanation: Customer satisfaction is integral to performance and could be overlooked in favor of more traditional financial measures. Share price is affected by multiple factors and can be problematic to include, as managers have little control over it. A product life cycle and employee participation are general concepts; something that is more specific to performance and is measurable would be better.

2293 Reporting on the internal audit activity's performance relative to its risk-based annual audit plan
○ is a required performance metric for the chief audit executive.
○ is mandated by the Standards for all internal audit activities.
○ is a best practice for audit activities of public companies.
○ is essential for proper audit activity resource allocation.
Explanation: According to Standard 2060, "Reporting to Senior Management and the Board," the chief audit executive (CAE) has the responsibility to report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting performance relative to plan may also be part of the audit activity's ongoing monitoring related to its internal quality assurance and improvement program elements. Such reporting is a best practice for all audit activities as it is required by Standard 2060. Internal audit guidance does not mandate CAE performance metrics. While proper resource allocation may be essential to achieving the audit plan, reporting on performance relative to plan is not essential to proper resource allocation.

2240 A performance audit engagement typically involves
○ tests of compliance with policies, procedures, laws, and regulations.
○ a review of financial statement information, including the appropriateness of various accounting treatments.
○ an evaluation of organizational and departmental structures, including assessments of process flows.
○ an appraisal of the environment and comparison against established criteria.
Explanation: Performance audit engagements involve the review of performance against set criteria. The other answer choices are part of financial, operational, or compliance audits.

2174 Which of the following best describes the internal audit activity's role in supporting the board in enterprise-wide risk assessment?
○ Oversee risk management processes to determine whether they are adequate and effective.
○ Examine, evaluate, report on, and recommend improvements on the adequacy and effectiveness of risk processes.
○ Ensure that sound risk management processes are in place and functioning.
○ Implement risk management methodologies and controls to address risks identified.
Explanation: Internal auditors are experts in understanding organizational risks and internal controls and are engaged to help management protect their organizations from present and future risk exposure. The internal audit activity assists both management and the oversight body in enterprise risk management (ERM) by helping management to examine and evaluate governance, internal controls, and risk management processes. After audit activities have been completed, the auditor(s) will report their findings to the board and recommend relevant improvements.

2295 According to the Standards, internal audit reporting to senior management and the board must cover significant risk and control issues, including
○ fraud risks.
○ strategic risks.
○ compliance risks.
○ operational risks.
Explanation: Standard 2060, "Reporting to Senior Management and the Board," states the following: "Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board." While compliance, operational, and strategic risks may be reported to senior management and the board, Standard 2060 specifically requires reporting significant fraud risks.

2136 A typical purpose of the internal audit manual is
○ to coordinate roles and responsibilities within audit and in relation to other internal and external bodies.
○ to provide the audit committee with evaluation criteria for chief audit executive (CAE) performance.
○ to provide guidance to internal auditors to support compliance with The IIA's position papers.
○ to provide evidence of a well-controlled internal audit activity for regulatory authorities and external auditors.
Explanation: The purpose of the audit manual is, in general, to:
- Provide guidance that will support adherence to the profession's code of ethics and professional standards.
- Define a high level of performance expectations for staff.
- Focus activity members on key objectives and values.
- Coordinate roles and responsibilities within audit and in relation to other internal and external bodies.
- Codify critical processes.
- Provide the basis on which to evaluate the internal auditing activity's performance.
An operating manual does not provide evidence of a well-controlled activity. Evaluation criteria for CAE performance are likely established through performance metrics and/or other action plans, goals, and objectives. The IIA's position papers are written for a broad audience of interested parties; the audit manual would support internal audit compliance with The IIA's mandatory guidance such as its Code of Ethics and Standards.

2232 Which of the following is a valid method to use when performing a control self-assessment (CSA)?
○ Management-produced analyses
○ Walkthroughs
○ Observation
○ Human resources complaint procedures
Explanation: CSAs can take the form of management-produced analyses. Although complaints may be reviewed, investigated, and documented, the purpose of a CSA is to collect all information related to the nature and scope of the audit. The information gathered needs to be extensive, objective, and specific.

2283 According to Implementation Guide 2050, what does the chief audit executive (CAE) need to do prior to coordinating with other assurance and consulting service providers?
○ Get the permission of the board to start coordinating.
○ Establish trust by indicating that the internal audit function can rely on their work.
○ Establish rapport by informally socializing with them.
○ Meet with the providers to understand their specific roles.
Explanation: Implementation Guide 2050 states: "The roles of assurance and consulting service providers vary by organization. Thus, to start the task of coordinating their efforts, the chief audit executive...identifies the various roles of existing...providers. The CAE meets with each of the providers to gather sufficient information so that the organization's assurance and consulting activities may be coordinated."

2009 As part of an internal audit, a benchmark must be established for the defect rate for an innovative new production process. The auditor can either use a large sample that is already available from other production processes in the same plant or draw a fresh sample from the new process. However, a fresh sample would be expensive, time-consuming, and much smaller in size. Which of the following is the best course of action for the auditor?
○ The auditor should accept the large historical sample because analyses based on it will have high statistical power.
○ The auditor should draw a fresh sample and combine it with the old sample.
○ The auditor should accept the historical sample but use nonparametric statistics to analyze it.
○ The auditor should first determine how similar the new process is to the old process before deciding what to do.
Explanation: The first question that should always be asked concerning the use of historical data is how representative the process that generated it is compared to the process currently under study.

2106 Systems development audits include reviews at various points to ensure that development is properly controlled and managed. What should the reviews include?
○ Conducting a technical feasibility study on the available hardware, software, and technical resources
○ Examining the level of user involvement during planning and systems design and checking that this appropriately tapers off later
○ Determining if system, user, and operations documentation is frozen at an early stage
○ Verifying the use of controls and quality assurance techniques for program development, conversion, and testing
Explanation: An important review step is to verify the use of controls and quality assurance techniques for program development, conversion, and testing. A feasibility study should be conducted in the systems analysis stage. User involvement should continue in later stages such as at implementation. Documentation should not be frozen at an early stage due to the need to incorporate changes made during later development stages.

2142 Having completed a thorough risk assessment process and selection of areas to audit, the internal audit activity should give first priority to which of the following engagements?
○ Information technology, because network software has recently been upgraded by an external consultant
○ Payables, because an audit committee member has received an anonymous tip alleging that a staff member has been directing payments to fictitious accounts
○ Receivables, because they ranked highest in potential dollar loss
○ Financial statements, because the report had a qualified opinion on a recent external audit report
Explanation: The first priority is to investigate the potential fraud in payables. A high ranking on particular measures (the large potential loss, for example) is not necessarily of highest priority if other measures of risk have been identified as significant.

2291 An approved risk-based internal audit plan should
○ be flexible to allow adjustment, as necessary, due to changes in business, programs, systems, controls, and emerging risks.
○ primarily consider cybersecurity and fraud risks, leaving things like brand and reputation risks to the enterprise risk management teams.
○ meet the generally accepted expectations of industry standards-setting bodies and regulatory compliance examiners.
○ be frozen once completed and monitored for actual performance, with results reported to the audit committee no less frequently than monthly.
Explanation: Implementation guidance for Standard 2010, "Planning," states, "The internal audit plan is flexible enough to allow the CAE to review and adjust it as necessary in response to changes in the organization's business, risks, operations, programs, systems, and controls." The IIA's guidance does not prescribe the frequency of reporting actual performance compared to the audit plan. Annual risk-based audit planning considers all significant risks to achieving organizational objectives and strategies and considers input from many stakeholders.

2290 A chief audit executive (CAE) performs an internal audit staff skills and experience analysis and then maps this analysis to requirements of her proposed risk-based plan. The output of this gap analysis will enable the CAE
○ to eliminate those engagements from the plan for which the audit activity lacks the necessary skills and experience.
○ to justify an increased internal audit activity budget in order to obtain lacking skills and experience to fulfill plan requirements.
○ to communicate the impact of identified resource limitations to senior management and the board.
○ to eliminate routine testing of internal controls over financial reporting for the external auditors in favor of other priorities.
Explanation: Standard 2020, "Communication and Approval," states, "The chief audit executive must also communicate the impact of resource limitations." Eliminating engagements from the proposed risk-based plan due to lack of skills and experience is inappropriate. While the analysis may support an increased audit activity budget, the standard requires communicating the impact of resource limitations. While eliminating external audit support activities may free up resources for other audit engagements, it is inappropriate for the CAE to unilaterally make the decision to do so.

2302 In order to provide the board and senior management with an overall opinion on internal control, a chief audit executive (CAE) is compiling the results of internal control evaluations accumulated from individual audit engagements. The CAE notes that management consistently fails to correlate objectives, risks to objectives, and internal controls designed to address identified risks. Which of the following is the CAE's best course of action?
○ Recommend that internal controls units be established for major lines of business, to support risk management activities.
○ Recommend that the audit committee review details of all internal audit reports rather than only executive summaries.
○ Recommend an organization-wide implementation of an internal control framework.
○ Recommend extensive internal controls training for all process owners and supervisors.
Explanation: The implementation guidance for Standard 2130, "Control," states the following: "To promote continuous improvement in maintaining effective controls, the internal audit activity typically provides the board and senior management with an overall assessment or compiles the results of control evaluations accumulated from individual audit engagements. The CAE may recommend the implementation of a control framework if one is not already in place." None of the other answer choices are likely to result in an understanding of the correlation between objectives, risks, and controls.

2218 As part of cash management procedures, the treasurer of a nonprofit organization has decided to invest in a variety of new financial instruments. The audit committee has asked the internal audit department to conduct an audit of the adequacy of controls over the new investing techniques. Which is an important part of such an audit?
○ Determining the nature of controls established by compliance professionals to monitor the risks in the investments
○ Determining the extent of management oversight of investments in sophisticated instruments
○ Determining whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations
○ Determining if policies exist that describe the risks the treasurer may take as long as there is no loss of principal balances in stock market investments
Explanation: It is important to determine the extent of management oversight of investments, especially for sophisticated instruments. No control or policy can guarantee that a stock market investment will not lose value. The treasurer is responsible for establishing controls over monitoring the risks in investments. Although a comparative analysis of investment returns might be informational, there is no need to benchmark investment returns against those of other organizations. Indeed, financial investment scandals have shown that such comparisons can be highly misleading because high returns can be due to taking on a high level of risk. Also, this is not a test of the adequacy of the controls.

2160 A chief audit executive invests considerable time in developing his annual and long-term budgets. The budgeting process is an example of which basic function of internal audit management?
○ Directing
○ Planning
○ Monitoring
○ Organizing
Explanation: A well-developed budget is the key component of planning that enables the internal audit activity to perform its mission on time and within established financial parameters.

2083 Which of the following is a significant control weakness for a medical instruments company that outsources all component parts manufacturing and performs all warehousing, assembly, sales, and distribution activities internally?
○ Failure to obtain and review SOC 1 and SOC 2 reports (SSAE 18) for all business partner manufacturers
○ Failure to require that cost reimbursement (cost-plus) contracts are used
○ Failure to require that direct manufacturing overhead be omitted from contract pricing
○ Failure to monitor external business partner performance according to contractual requirements
Explanation: Management monitoring of external business partner performance according to contractual provisions (e.g., quality, timeliness, regulatory and/or ISO standards compliance, pricing) is an essential control activity to mitigate the risk of producing substandard products. SOC 1 (internal controls over financial reporting) and SOC 2 (data center security) reports relate to service provider organizations and are for use by customers of a contracted service, not manufacturing organizations. Unit-price or fixed-price contracts would more likely be used in this instance; cost reimbursement contracts would not likely be used. Manufacturing overhead may or may not be included in contract pricing; accepting the inclusion of this business partner cost would not be an internal control weakness to the organization.

2208 A company recently experienced substantially reduced net profit from sales of product line A, which is produced in a dedicated machine shop. The internal auditors have been assigned the task of determining the cause of the reduced profit. Which of the following would most likely identify the problem?
○ Review of prior audit results
○ Analysis of the financial and operational reports
○ Walkthrough of the machine shop
○ Interviews with the staff engaged in the production of line A
Explanation: The analysis of these reports should identify where the problem lies.

2100 Which activity is included in determining the audit schedule?
○ Getting new staff positions approved by the board
○ Planning workload requirements
○ Identifying auditable personnel
○ Developing audit programs
Explanation: The CAE must consider the organization's schedule, the schedule of individual internal auditors, and the availability of auditable entities when generating the schedule for internal audit engagements. This would include gaining an understanding of and planning workload requirements for the planned engagements and the auditors to be assigned to them. The development of specific audit programs occurs during the planning phase of an individual audit, not during the development of the audit schedule. Note that management, not the board, typically has the responsibility for approving new staff positions.

2175 The audit universe for a large multinational corporation should focus on
○ opportunities for and threats to achieving the organization's strategic plan.
○ cultural norms and market practices that shape policies and procedures.
○ operating nuances of country and regional entities.
○ employment laws, codes, and practices applicable in each of the countries and regions.
Explanation: As noted in Implementation Guide 2010, the audit universe in a risk-based perspective should encompass the organization's strategic plan. It should also consider the controls management has in place to mitigate risks, achieve organizational goals and objectives, and ensure that customer needs are being met. The other answer choices can influence opportunities for and threats to the organization's strategic plan.

2007 What is a valid reason to omit some evidence from official audit communications related to an assurance engagement?
○ The evidence simply confirms that a control is operating correctly.
○ The evidence, while objective, required subjective analysis.
○ The information is irrelevant to the objectives.
○ Legal counsel advises against disclosure due to privacy implications.
Explanation: In cases where an organization's internal records include private or sensitive information on individuals or other entities, the information is usually protected by confidentiality agreements and/or government regulations. When in doubt about privacy implications, the auditor should have legal counsel review the information before disclosing it as evidence in official audit communications, especially if there may have been potential privacy violations. This will balance the auditor's need to disclose findings against the counsel's legal requirement to defend the organization. The Standards also allow irrelevant evidence to be omitted, but they prohibit omission of any other types of evidence.

2311 Ongoing monitoring typically includes
○ the audit activity's conformance with the list provided in The IIA's External Quality Assessment Manual.
○ periodic reporting to senior management and the board on internal audit key performance indicators and recommendations for improvement.
○ the results of periodic self-assessments of the internal audit activity's conformance with the Core Principles.
○ the performance metrics used by similarly sized internal audit activities in the same industry.
Explanation: According to Implementation Guide 1320, ongoing monitoring typically includes reporting on internal audit key performance indicators, and the CAE may provide an annual report to senior management and the board regarding the results of ongoing monitoring and include any recommendations for improvement. Results of periodic self-assessments of the internal audit activity's conformance with the Core Principles are not part of ongoing monitoring. Ongoing monitoring should be customized to the needs of the audit activity and the organization and should not follow a generic list, such as provided in The IIA's guidance. Metrics used by other audit activities in the same industry may be irrelevant to the needs of the organization's internal and external stakeholders.

2270 Several members of an organization's senior management have questioned whether the internal audit activity should report to the newly established quality audit function as part of the total quality management process within the organization. The chief audit executive (CAE) has reviewed the quality audit standards and the programs that the quality audit manager has proposed. The CAE's response to senior management should include which of the following?
○ Estimating departmental cost savings that would result from the elimination of the internal audit activity
○ Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities
○ Changing the qualification requirements for new staff members to include quality audit experience
○ Changing the applicable standards for internal auditing within the organization to provide compliance with quality audit standards
Explanation: An internal auditor should always consider the added value of coordinating internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process—for example, with other internal assurance functions, such as quality control. By coordinating, the two functions can provide support for each other and potentially make the audit process more efficient. Therefore, when responding to management in this scenario, the CAE should identify ways in which he or she believes working with the quality audit function can enhance the audit function.

2212 A Certified Internal Auditor directs the audit function for a large city and is planning the audit schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet in order to be eligible for the funding. The auditor plans an audit of the job retraining program to verify that the program complies with applicable grant provisions. One of the provisions is that the city adopt a budget for the program and subsequently follow procedures to ensure that the budget is adhered to and that only allowable costs are charged to the program. In performing an audit of compliance with this provision, which is a valid procedure the auditor can perform?
○ Verify that all funds used include reports to the government.
○ Compare actual results with budgeted results and determine the reason for deviations; then determine if such deviations have been approved by appropriate officials.
○ Determine whether the budget was reviewed and approved by supervisory personnel within the granting agency.
○ Select a sample of graduates from the training and placement program and survey them to determine if they have been successful after their training.
Explanation: The overall regulation provides that the city establish a budget in a manner consistent with the objectives of the program. The requirements do not state that the agency must approve the budget, only that the entity develop a reporting mechanism to provide assurance of compliance with the objectives of the grant and the applicable laws and regulations. Not all funds necessarily require reports to the government, so only the relevant funds sources would carry this requirement. While information on job retraining and placement success rates is important, it is not necessarily required for compliance. This may be part of a performance audit.

2221 An internal audit department is asked to perform an audit to determine whether the organization is in compliance with a particular set of laws and regulations. The audit does not reveal any issues of noncompliance but does reveal that the organization does not have an established system to ensure such compliance. The auditor's responsibility is to
○ get management approval to establish a system to ensure compliance with applicable laws and regulations.
○ report that one significant compliance issue was noted related to the lack of a compliance system.
○ report that the organization has no issues of noncompliance and inform the chief audit executive that a consulting project to design a compliance monitoring system should be recommended.
○ report that the organization has a significant control deficiency because management has not established a system to manage compliance.
Explanation: The auditor's responsibility includes reporting on significant deficiencies in controls (or the lack of controls, in this case), reporting the findings of the current audit (including the control deficiency), meeting with management to determine what follow-up action will be taken, and providing follow-up work to determine if sufficient actions have been taken.

2107 What is the highest level of approval that should be obtained for any significant changes to the internal audit activity plan of engagements?
○ Chief audit executive
○ Board of directors
○ Senior management
○ Chief executive officer
Explanation: The internal audit activity plan of engagements should be approved by the board and communicated to the audit committee. As indicated in Implementation Guide 2020, "Communication and Approval," significant interim changes should be submitted to the board for approval and information.

2
3

2
4

4
4

1
1

1
2

3
1

4
4

3
2

3
3

2
2

2
4

1
1

4
2

2
4

2
2

2
Practice of Internal Auditing - Planning

No. Question Explanation
2329 During an audit of the service department, the internal auditor notes that the service department manager has become more confrontational, is irritable in answering audit questions, and continually complains about being audited by a "bunch of auditors barely out of diapers." The behavior of the service manager is beginning to adversely affect the auditors assigned to the audit. The audit manager should
○ ask the service manager to sit down with the audit staff to explain the rationale for the feelings toward the staff; group interaction has been shown to significantly improve communications and should be used here.
○ discuss the purposes of the audit with the service manager and indicate that common professional courtesy expressed both ways will improve the timeliness and contribution of the audit.
○ directly confront the service manager to understand the basis for the biases expressed and address them directly; indicate that continued intimidation of the staff will not be tolerated and will be reported to the audit committee.
○ request the director of internal auditing to assign more experienced staff to the audit.
Explanation: There may be many reasons, including personal problems, for the service manager's actions toward the audit staff. The audit supervisor should begin by directly addressing the nature of the problem and the effect of the manager's actions and attitudes on the audit engagement.

2320 An internal auditor is conducting a preliminary survey to prepare for an assurance audit of the information technology area in a financial services company. Area management has provided a list of probable risks and associated controls to assist internal auditing. In the course of conducting a physical survey of the offices, the internal auditor notices several places where terminal screens are easily visible to those outside the secure area. This risk has not been identified by the client. What should the internal auditor do?
○ Incorporate this observed risk into the engagement objectives.
○ Note the condition for discussion during the next regularly scheduled audit engagement.
○ Refrain from assessing this risk since it is outside the engagement scope.
○ Report the situation to senior management.
Explanation: According to Implementation Standard 2210.A2, the objectives of an assurance engagement should not be limited to entity risk assessment. Probable risk exposures must be considered when developing engagement objectives. If the client refuses to address an identified risk, internal auditing would be justified in bringing this matter to the attention of senior management.

2109 If the annual audit plan does not allow for adequate review of compliance with all material regulations affecting the company, the internal audit activity should
○ ensure that the board of directors and senior management are aware of the limitation.
○ document that regulations not included will be reviewed in the subsequent year.
○ decrease the scope of operational and financial audits to make additional audit time available.
○ include a memo with the audit planning file listing the reasons for the lack of coverage.
Explanation: Senior management and the board of directors should be informed of the implications of gaps in audit coverage, including the review of compliance with applicable laws and regulations. The knowledge of incomplete audit coverage should not be known only to the internal audit activity. Audit coverage in other areas should not be automatically reduced. The internal audit activity may require additional resources to provide adequate coverage of risks.

2414 The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. What is the primary goal of this determination?
○ To determine the appropriate and sufficient resources to complete the engagement within the time allotted as documented in the annual audit plan
○ To determine the appropriate and sufficient resources to achieve the engagement objectives
○ To determine the appropriate and sufficient resources needed to complete the engagement in order to evaluate the need for assistance from the audit client personnel as guest auditors
○ To determine the appropriate and sufficient resources to develop and cross-train the various auditors working in the department
Explanation: Standard 2230, "Engagement Resource Allocation," states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

2084
Which of the following is an example of an internal audit engagement objective related to external non-financial reporting?
○ Validate the accuracy and timeliness of productivity reports for each key performance indicator by manufacturing division.
○ Validate the accuracy and timeliness of quarterly U.S. Occupational Safety and Health Administration (OSHA) lost-time injury reports.
○ Confirm the accuracy and timeliness of subsidiary reporting for consolidated financial statement reporting.
○ Confirm the accuracy of the number of compensated overtime hours by product line, by quarter, for fiscal year-end (FYE) 3/31/XX.
Explanation: An example of an internal audit engagement objective is to validate the accuracy and timeliness of OSHA lost-time injury reports, which would be an external non-financial regulatory compliance reporting requirement. Confirming the accuracy and timeliness of subsidiary reporting for consolidated financial statement reporting is an audit objective related to financial reporting. Validation and/or confirmation of accuracy and timeliness of productivity reports and/or the accuracy of compensated overtime hours for a fiscal year-end are internal audit objectives related to internal non-financial reporting.

2341
An auditor has developed objectives for an upcoming engagement. However, the chief audit executive (CAE) has instructed the auditor to make a preliminary assessment of risks relevant to the activity under review and to include the results of this assessment in the engagement objectives. Why is the CAE requiring this?
○ Risks relevant to the activity are more important than other inputs to the engagement objectives.
○ Risks relevant to the activity provide a more comprehensive review and enhance the value of the audit engagement.
○ The CAE wants the auditor to perform a longer audit.
○ Risks relevant to the activity are important just to comply with the Standards.
Explanation: Per Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

2313
A specific objective of an audit of a company's expenditure cycle is to determine if all goods paid for have been received and charged to the correct account. This objective would address which of the following primary objectives?
○ To determine the effectiveness and efficiency of operations
○ To determine the reliability and integrity of financial and operational information
○ To evaluate the preservation of asset values
○ To determine compliance with laws, regulations, and contracts
Explanation: Implementation Standard 2130.A1 states, "The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to the risks within the organization's governance, operations, and information systems regarding the achievement of the organization's strategic objectives; reliability and integrity of financial and operational information; effectiveness and efficiency of operations and programs; safeguarding of assets; and compliance with laws, regulations, policies, procedures and contracts." The specific engagement objective of determining if goods are charged to the appropriate account would address the objective regarding the reliability and integrity of information; the specific objective of determining if all goods paid for have been received would address the objective regarding the safeguarding of assets (not preservation of asset values).

2333
An organization has stated that its values include providing the least-cost products to its customers possible, and part of this philosophy is reflected in a refusal to adopt a corporate social responsibility program. When setting objectives for a requested consulting engagement on how to reduce labor costs, which represents the best engagement objective listed to present to management for discussion and approval?
○ Evaluate whether adoption of a corporate social responsibility program would reduce long-term labor costs.
○ Determine whether workers make a living wage and if this is adequate for purposes of morale.
○ Evaluate the use of contractors to avoid payment of benefits.
○ Evaluate salaries against the local labor market to find areas of overcompensation.
Explanation: Implementation Standard 2210.C2 states: "Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives." The internal auditor should not use the consulting engagement to suggest policies that would be at odds with this corporation's values. However, suggesting the use of contractors to avoid paying benefits could create a legal liability, because many countries have laws and regulations to prevent this.

2085
An internal auditor is performing a due diligence engagement in connection with the possible acquisition of a small business. An audit objective is to validate large customer accounts receivable balances. Which of the following is the most relevant and reliable audit evidence of the small business's largest customers' accounts receivable balance?
○ Original reconciliation of the accounts receivable subsidiary ledger to the general ledger, certified by the controller and reviewed by the internal auditor
○ Detailed cash receipt listing, accompanied by check copies, showing a payment on the account receivable made by the large customer
○ Positive confirmation of the customer's balance that matches the subsidiary ledger exactly, received directly by the internal auditor from the customer
○ Detailed sales invoices that total to the accounts receivable balance, sent via an email attachment from the accounting manager directly to the internal auditor
Explanation: The direct customer confirmation of the balance is reliable, as it comes from a credible source and the auditor obtained the evidence directly. This is also relevant to the audit objective to validate the accounts receivable balance. The detailed sales invoices totaling to the accounts receivable balance may be relevant, but they are not reliable as they were sent via an email attachment and electronic documents may be falsified, forged, or altered. A certified reconciliation is not relevant to the audit objective, nor is it reliable audit evidence to validate the accounts receivable balance. A subsequent payment from the customer is not relevant audit evidence for the audit objective, but it may be reliable in regard to evidence that the customer owes an account receivable of some amount.

2317
Which of the following is an example of an adequate criterion for an internal audit?
○ Level of employee job satisfaction
○ Individually determined time ranges for department tasks
○ Management cooperation with audit procedures
○ Living up to the spirit of travel booking principles
Explanation: Audit criteria should provide benchmarks against which audit objectives can be measured; therefore, items like compliance rates and measures of performance or attitude would be reasonable criteria. Criteria may be generated internally if no meaningful external criteria exist to evaluate the objective, but each individual should not determine his or her own acceptable time ranges. While management cooperation may be measured, it is probably not aligned with an audit objective. Travel booking should have specific procedures that could be the subject of a criterion.

2353
The internal auditors are planning a consulting engagement in which they will use data analytics software to assist management in a payables recovery audit. The goal of the project is to identify duplicate payments, unused credits, and other monies due to the organization. What requirements do the internal auditors have in establishing an understanding with accounts payable management?
○ The internal auditors must establish an understanding with accounts payable management about objectives, scope, and other management expectations. If this is considered a significant engagement, this understanding must be documented.
○ The internal auditors are not required to establish an understanding with accounts payable management about objectives, scope, respective responsibilities, or other management expectations. These are necessary only for assurance engagements.
○ The internal auditors must establish an understanding with accounts payable management about objectives, scope, respective responsibilities, and other management expectations. For consulting engagements of any size, documentation of this understanding is not required.
○ The internal auditors must establish an understanding with accounts payable management about objectives, scope, respective responsibilities, and other management expectations. If this is considered a significant engagement, this understanding must be documented.
Explanation: Per Standard 2201.C1, internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

2111
The chief audit executive for a city has just completed a quarterly meeting with the audit committee. The committee has expressed two major concerns it would like the audit department to examine as part of its operational audits during the next year:

• Is the downsizing that the city has been going through resulting in the right-sizing of staff for the city? The audit committee has suggested that a review of a few areas might be appropriate and could provide some preliminary evidence in addressing the committee's concerns.
• Is the city making suboptimal long-range decisions in an effort to improve short-range cash flow? In particular, the audit committee has suggested that the internal audit department perform an operational audit of the transportation department, which is responsible for the operation of the city bus line.

During a meeting with staff auditors to discuss the possibility of doing such an audit, a staff member suggests that the department ought to gather some statistics on employee morale and potential changes in employee absenteeism. Another staff member asserts that such criteria are not important because they are not measurable and not relevant—only results are relevant. With respect to the debate, which of the following statements is true?

○ Because employee absenteeism is more readily measurable than employee morale, the auditor should gather evidence only on absenteeism.
○ Absenteeism and employee morale cannot be objectively measured, but they should be subjectively assessed by auditor walkthroughs.
○ Job performance and results are more easily and accurately measured than employee morale, but objective tests can be created to measure morale.
○ The audit should focus entirely on the objectives expressed by the committee's two major concerns and spend no time on morale or absenteeism since they are off subject.
Explanation: Performance and results are more easily identified and measured than a personal feeling such as morale. Objective tests are available to measure things like morale; such measures are not left merely to subjective evaluation from observation. Auditors do not gather only the most easily collected evidence; ease of collection should not be the sole criterion of evidence selection.

2334
Which of the following criteria for measuring the quality of employee performance would be appropriate for use with a group of non-sales professionals, such as a college faculty?
○ Quantity, quality, and timeliness of output
○ Quantity and quality of output, cost
○ Cost, capital requirements, and revenue produced
○ Quantity, quality, and timeliness of output; cost; capital requirements; revenue produced
Explanation: Cost, capital, and revenue are uncontrollable by the faculty members and are therefore excluded.

2385
A standardized internal audit engagement program would be appropriate for which of the following situations?
○ Multiple branches with similar operations
○ Complex or changing operating environment
○ Stable operating environment undergoing only change in management
○ Subsequent inventory audit engagements performed at locations with material shrinkage
Explanation: A standardized engagement program would not be appropriate for a complex or changing operating environment because the engagement objectives and related work steps might no longer have relevance.

2023
Inventory levels for a packing facility are controlled by the use of just-in-time techniques. If the auditor's objective is to evaluate ordering and stocking standards, which of the following procedures would be relevant?
○ Reviewing sales records for defective returns
○ Reviewing shipping records to ensure that the result is stable inventory levels throughout the year
○ Using audit software to compute the number of shipping crates used per day
○ Comparing actual stocking levels to industry averages
Explanation: Shipping requirements and timing would be recomputed to verify the just-in-time standards used for quality control. Sales adjustments would meet product quality objectives, not stocking standards. Actual stocking levels would meet the objective of achieving just-in-time standards, not establishing them. There are no industry averages for just-in-time (zero balance) techniques, and, rather than creating stable inventory levels throughout the year, the objective would be to have the minimum needed amounts of inventory, which could be zero.

2025
Corporate management has just implemented a policy that every department must downsize by immediately cutting 10% of its staff and budget. The chief audit executive (CAE) has reacted to these plans by notifying the audit managers that the time allocated for all jobs must be cut by 10%. Which of the following statements is true of the CAE's and the potential managers' actions?
○ The CAE's action should result in approximately the same amount of risk coverage as the previous audit plan but reduced by 10%.
○ The CAE should have reprioritized risks and cut out specific audit engagements rather than cutting 10% across the board.
○ The CAE should have informed corporate management that the audit department is not subject to this 10% cut in staff and budget.
○ Individual audit managers can attain 90% of the previously defined audit coverage by uniformly cutting audit procedures by 10%.
Explanation: Reprioritizing risks and reducing audit engagements is the preferred response. This should enable the auditor to develop an optimum plan to cover the maximum amount of risk with the more limited resources. Cutting all jobs by 10% does not necessarily mean that the risks addressed will drop by 10%. A uniform 10% reduction in audit procedures or audit scope may result in gathering insufficient evidence across a number of audit areas.

2112
Which of the following documents would provide the best evidence that a purchase transaction has actually occurred?
○ Cancelled check issued in payment of the procured goods
○ Ordering department's original requisition for the goods
○ Supplier's invoice for the procured goods
○ Receiving memorandum documenting the receipt of the goods
Explanation: The receiving memorandum indicates that the goods were received; therefore, a purchase transaction has occurred.

2371
Management and the board have established governance, risk management, and controls criteria to determine whether objectives and goals have been accomplished. However, the internal auditors have ascertained that these criteria are inadequate. Who is responsible for identifying adequate criteria?
○ The Institute of Internal Auditors. If management's criteria are determined to be inadequate, The Institute of Internal Auditors will provide appropriate evaluation criteria to preserve the working relationship between the internal auditors and management.
○ The external auditors. If management's criteria are determined to be inadequate, the external auditors must determine the appropriate evaluation criteria, as this would impact the opinion that can be rendered on the audited financial statements.
○ The internal auditors. The internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
○ Management and/or the board. The internal auditors cannot identify the appropriate evaluation criteria, as this would leave them in the position of auditing their own work.
Explanation: Standard 2210.A3 states that adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

2377
The director of purchasing has requested the internal auditors to perform a consulting engagement of purchasing practices to save additional money in the competitive bidding process. The director is planning to do away with the current sealed-bid process (where the lowest bid initially submitted wins the contract) in favor of an open-bid process. He wants to go back to the vendors and give them the lower bids submitted to drive each vendor to lower their bid even further. This process would be repeated several times. Additionally, the director would like to use false bids (that he makes up himself) to drive the actual vendor bids "to the absolute rock bottom." The director wants the internal auditors to review and endorse his money-saving plan and approach. The organization does have "fair and honest dealings with our vendors" as a core value on its website, but it also has a mission "to be the preferred, high-quality, low-cost supplier of our products." What should the internal auditors do with regard to this consulting engagement?
○ The internal auditors should accept this consulting engagement. Consulting engagements are at the request of management, and management sets the scope of the engagement.
○ The internal auditors should not accept this consulting engagement. The director of purchasing has already decided what he wants to do and is only looking for the internal auditors to endorse his idea.
○ The internal auditors should not accept this consulting engagement. Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.
○ The internal auditors should accept this consulting engagement. Saving money and keeping the organization competitive help the organization to fulfill its mission "to be the preferred high-quality, low cost supplier of...products."
Explanation: Standard 2210.C2 states that consulting engagement objectives must be consistent with the organization's values, strategies, and objectives. While saving money can help the organization to provide low-cost products, this approach (in addition to being unfair and ethically questionable) could impact quality and long-term vendor relations for short-term gain. The question of why the director of purchasing wants internal audit to review and approve this approach should also be concerning to the auditors.

2418
Based on a risk assessment, the audit committee of an insurance company has requested that the annual internal audit plan include an engagement to review the company's actuarial claims reserves and supporting actuarial policies and procedures. If the internal audit activity currently lacks actuarial expertise, which of the following would be the chief audit executive's best response?
○ Decline the engagement due to a lack of actuarial expertise.
○ Postpone the engagement until the internal audit activity has acquired actuarial expertise.
○ Accept the engagement and plan to use the services of an external actuary.
○ Accept the engagement and plan to use an in-house actuary as part of the audit team.
Explanation: According to Implementation Guide 2230, it is important for internal auditors to inventory not only staff resources but also available technology that may be helpful or necessary to perform a quality engagement. They may also consider whether additional outside resources or technology is necessary to complete the engagement. The external actuary is independent and capable of providing the necessary level of actuarial proficiency to assist in completing the engagement. The CAE will need to ensure that such work is supervised and reviewed and consistent with the engagement.

2403
An internal auditing manager is assembling an audit team to conduct an assurance audit of the data processing center for a credit card company. Which individual would be the most problematic choice for inclusion on the team, assuming that there is a moderate risk that specialized fraud and IT experience will be necessary?
○ Moderately experienced internal auditor with expertise in using fraud detection software
○ Moderately experienced internal auditor who has special knowledge of the client because she worked there before joining internal auditing
○ External auditor skilled in information technology security but not fraud auditing
○ Newly hired internal auditor skilled in internal auditing practices but not knowledgeable about the organization or its departments
Explanation: Appointing an internal auditor who might have personal connections with the department would be inappropriate, since it might lead to loss of objectivity. It is appropriate to include those with special expertise—even if they must be hired from an external organization—and those who need training and experience. Hiring a new internal auditor is also appropriate since not all team members need IT expertise or specialized fraud expertise. Rather, the team as a whole needs these competencies.

2412
At the kickoff meeting for an internal audit of regulatory compliance aspects of a high-risk biotech research activity, the lead auditor learns that the client's key contact person will be out on family leave for the duration of planned fieldwork. The lead auditor should
○ coordinate fieldwork through qualified compliance department personnel in lieu of the client's key contact.
○ explain the necessity of completing the annual audit plan within the current fiscal year and proceed with planned fieldwork.
○ address the matter with the chief audit executive and consider delaying fieldwork until the return of the client's key contact.
○ discuss the importance of cross-training and rotating duties during staff vacations and other absences as an internal control.
Explanation: For a compliance engagement of a high-risk biotech research activity, the presence of the client's key contact person would likely be essential to a successful audit. Coordinating fieldwork through compliance department personnel is impractical and would not likely be effective. Proceeding with fieldwork in the absence of the client's key contact person in an attempt to complete the annual audit plan would be inappropriate. Discussing the importance of cross-training and rotating duties during staff vacations and other absences (as an internal control), as an answer to the client's key contact person's absence during planned fieldwork, would be inappropriate during the engagement kickoff meeting.

2410
The auditor-in-charge for a financial audit of a global organization has assigned specific tasks to team members and reserved for himself the responsibility of maintaining contact with the managers of financial departments in eight countries. In reviewing the workpapers of one auditor, the auditor-in-charge notes that some of the work is incomplete. The auditor explains that she is unfamiliar with the accounting practices and software systems used in this country and that this has slowed her work considerably. How could the auditor-in-charge have managed this situation in a more efficient, effective manner?
○ By allowing more time in the schedule for the auditor to become familiar with local practice and technology
○ By aligning auditor skills and knowledge with area needs before making assignments
○ By working more closely with the audit client to secure support for the assigned auditor
○ By building enough slack into the schedule to deal with the types of problems that are likely to occur in a global project
Explanation: The most efficient way to manage this situation is to avoid it through better planning. In this case, the knowledge and skills of audit team members should have been considered before making assignments. The auditor in question might have been assigned to a different country or might have been teamed with an auditor more familiar with the country's practices and technology. The other answer choices are not efficient solutions.

2352
What are the internal auditors' responsibilities with regard to planning a consulting engagement?
○ The internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For consulting engagements of any size, documentation of this understanding is not required.
○ The internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For consulting engagements of any size, this understanding must be documented.
○ The internal auditors are not required to establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, or other client expectations. These are necessary only for assurance engagements.
○ The internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.
Explanation: Per Standard 2201.C1, internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

2020
The internal audit function is performing a consulting engagement with the order fulfillment area of an online retailer to define weaknesses in the workflow that might increase the amount of time between order receipt and customer delivery. During a preliminary survey of the area conducted to create a workflow diagram, the internal auditor notes that company recommendations designed to reduce injuries from repetitive stress have not been implemented. What is the best course of action for the internal auditor?
○ Alert the human resources department.
○ Document the condition in audit working papers, but do not report it to the client.
○ Discuss the matter with area management, but do not add it to the engagement objectives unless the client agrees to revise the project objective.
○ Add the probable risk to the engagement objectives since it represents considerable economic risk to the organization.
Explanation: Implementation Standard 2210.C1 states that the consulting audit engagement should address risks to the extent agreed upon by the client. If the client is willing to revise the agreement with internal auditing, assessing this new risk might be added as an objective. Since this is not an assurance engagement, the internal auditor should not include this risk without the client's agreement. However, the risk would be communicated informally to management as an area needing attention, and the observation would be documented in the audit working papers.

2343
A risk-based approach to engagement-level planning requires internal auditors to first understand
○ the detailed processes being audited.
○ the motivations of process owners being audited.
○ the impact, likelihood, and velocity of risks.
○ the organization and its environment.
Explanation: A risk-based approach requires internal auditors to first understand the entity and its environment in order to identify risks. Evaluating impact, likelihood, and velocity is essential to risk assessment, which occurs after gaining an understanding of the organization and its environment and risk identification. Gaining an understanding of detailed processes and motivations of process owners occurs after the other activities described.

2370
Can internal auditors deviate from management's established criteria for governance, risk management, and controls?
○ No. Internal auditors must use management's established criteria.
○ Yes. Internal auditors have no requirement to use management's criteria. These criteria are set by the Public Company Accounting Oversight Board (PCAOB).
○ Yes, but only if management's criteria are considered to be inadequate.
○ No. The internal audit activity establishes these criteria.
Explanation: Standard 2210.A3 states that adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

2351
The internal auditors are performing an assurance engagement of the backup data storage facility. The backup data storage is maintained by an outside company. What must the internal auditors do when planning this assurance engagement?
○ The internal auditors must not provide a written understanding or notify the outside company in advance of the audit, as this will allow the company the opportunity to hide control deficiencies and skew the results of the assurance engagement.
○ The internal auditors must submit a written request for the outside company's most recent SSAE SOC 1 report, which will detail all the relevant controls applicable to this engagement. The internal auditors are not permitted to perform an assurance engagement of parties outside the organization.
○ The internal auditors cannot perform an assurance engagement of parties outside the organization. Engagements with outside parties must be consulting engagements that are performed under the direction of applicable organization management.
○ The internal auditors must establish a written understanding with the outside company about objectives, scope, respective responsibilities, and other expectations. This written understanding must also include restrictions on distribution of the results of the engagement and access to engagement records.
Explanation: Per Standard 2201.A1, when planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2338
Should internal audit focus on the risks relevant to the activity under review?
○ Yes. Risks relevant to the activity are on topic, and knowing about them helps avoid scope creep.
○ Yes. However, internal audit should also focus on all organizational risks for every audit.
○ Yes. Risks relevant to the activity under review also include all risks to the organization.
○ Yes. Risks relevant to the activity should also include risks from other related processes.
Explanation: Per Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

2022
An internal auditor has drafted an engagement work program for an assurance audit of a financial operations area and submitted it to the audit manager for review. They agree that some portions of the program will probably have to be changed later, and the manager believes that another objective should be added about evaluating the procedure used to place a monetary value on vacant land owned by the organization. The manager states that with the addition of the new objective and a few other specified revisions, the program looks acceptable. By the time the internal auditor has revised the work program, the manager has left to attend a series of meetings that will take several weeks. The internal auditor had planned the engagement schedule to start immediately, but, not having obtained written approval from the manager, the auditor revises the engagement schedule so that it can be initiated after the manager returns. Which aspect of this scenario is in violation of the Standards and/or their associated Implementation Guides?
○ Seeking approval from the client or senior management on the new objective
○ Submitting the draft program to the audit manager for review and approval
○ Waiting for documented approval to begin the engagement
○ Accepting a program that both the audit manager and the internal auditor know will have to be modified
Explanation: Internal auditors develop and obtain documented approval of work programs before commencing the internal audit engagement. The work program includes methodologies to be used per Implementation Guide 2240. Modifications to the work program as the engagement proceeds are to be expected. Obtaining input from the client or senior management regarding new objectives is an ongoing practice in many organizations, but seeking the approval of the client or senior management would violate auditor independence and objectivity.

2110
Writing an audit program occurs at which stage of the audit process?
○ As the audit is performed
○ At the end of each audit (The standard audit program is revised for the next audit to ensure coverage of noted problem areas.)
○ During the planning stage
○ Subsequent to testing internal controls, to determine whether to rely on the controls or audit around them
Explanation: Planning must include writing the audit program (Implementation Standard 2201.A1).

2381
An electric utility company records capital and maintenance expenditures through the use of a computerized project tracking system. Labor, material, and overhead are charged to the applicable project number. Monthly reports are produced that detail individual charges for each project, and expenditure totals are provided for the current month, fiscal year, and project life to date. An auditor is reviewing monthly reports distributed by management information system personnel to determine if access to confidential information is limited to project supervisors. Which of the following steps should the auditor perform?
○ Determine if someone has provided a signature upon delivery of the reports.
○ Verify that the correct transaction file was used.
○ Review the operating system job control language (JCL) code for abend (abnormal end) conditions.
○ Review a sample of report end-of-job indicators.
Explanation: Determining if someone has provided a signature upon delivery of the reports is the only procedure that would provide information on report access.

2407
It would be most appropriate for internal auditing departments to use consultants with expertise in health-care benefits when the department is
○ conducting an audit of the organization's estimate of its liability for post-retirement pension plans.
○ training its staff to conduct an audit of absenteeism in a major division of the organization.
○ comparing the cost of the organization's health-care program with that of other programs offered in the industry.
○ auditing the organization's health and wellness programs for their effectiveness.
Explanation: A consultant with expertise in health-care benefits would be most useful in a situation where benefit plans are being assessed and/or compared against benchmarks. The other answer choices are less applicable or health-care benefits would play only a minor role.

2021
Management has requested an audit of promotional expenses. The sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes that the cost may be too high. Which of the following engagement procedures would be the most useful to determine the effectiveness of the promotion?
○ Performing an analysis of marginal revenue and marginal cost for the promotion period compared to the period before the promotion
○ Comparing product sales during the promotion period with sales during a prior promotion period that offered a substantial discount
○ Comparing the unit cost of the products sold before and during the promotion period
○ Performing a review of the sales department's incentives and bonuses for making sales
Explanation: Engagement procedures are the means to attain engagement objectives, so it is important to determine which procedures apply to which engagement objectives. The challenge is to address the effectiveness of the promotion. An analysis of marginal revenue and marginal cost tests whether the benefits of the promotion outweigh the costs. Reviewing sales incentives and bonuses could be a good engagement procedure for a different audit objective. Comparing one sale to a different sale would not provide a good baseline for analysis. Instead, the promotion period should be compared to a non-promotional period (perhaps in the same season if there is seasonality). There is no indication that the cost of the products sold has changed.

2399
The internal auditors are performing an assurance engagement focusing on the treasury process. The audit team prepares an engagement work program during the planning stage of the audit, and this program is reviewed and approved by the audit manager in accordance with the audit operations manual prior to the commencement of fieldwork. During the first few days of fieldwork, the audit team discovers information that relates to concerns not currently addressed by the engagement work program. The lead auditor assigned to the engagement is aware of the standard requiring work programs to be approved prior to their implementation. How should this issue be addressed by the lead auditor?
○ The lead auditor should develop adjustments to the engagement work program to address the new concerns identified and should contact the audit manager immediately to review and approve these adjustments. Work programs for assurance engagements can be adjusted after implementation if the adjustments are approved promptly.
○ The lead auditor should make note of the concerns identified but continue with the engagement as planned using the approved work program. Work programs for assurance engagements must be approved prior to implementation and cannot be adjusted once approved.
○ The lead auditor should discuss the concerns identified with the audit client. If the client wishes, a consulting engagement work program can be developed and the issues can be examined as a separate consulting engagement. Work programs for assurance engagements must be approved prior to implementation and cannot be adjusted once approved.
○ The lead auditor should develop adjustments to the engagement work program to address the new concerns identified. These adjustments can be reviewed and approved by the audit manager at the completion of the audit fieldwork. Work programs for assurance engagements can be adjusted after implementation if the adjustments are approved prior to completion of the audit engagement.
Explanation: Per Standard 2240.A1, work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation and any adjustments approved promptly.

2395
The internal auditors are performing a consulting engagement focusing on the treasury process. During the engagement, the internal auditors become aware of possible significant control issues. However, these issues are outside the scope of the engagement. What should the internal auditors do?
○ They should proceed with the engagement as planned, since there is no requirement to be alert for significant control issues outside the scope of the consulting engagement.
○ They should cancel the consulting engagement and switch to an assurance engagement to more properly address the significant control issues identified.
○ They should amend the scope of the consulting engagement to review the possible significant control issues. These issues should be communicated to management as part of the consulting engagement.
○ They should proceed with the engagement as planned, since the significant control issues are not part of the consulting engagement. A separate assurance engagement should be performed to address these issues at a later date.
Explanation: Per Standard 2220.C2, internal auditors must address controls consistent with a consulting engagement's objectives and be alert to significant control issues.

2332
Which of the following is the best example of an assurance engagement objective related to auditable governance activities?
○ To assess compliance with cultural expectations
○ To evaluate the design adequacy of organizational training
○ To determine the operating effectiveness of the whistleblower process
○ To determine customer satisfaction with shareholder communications
Explanation: The IPPF Glossary defines engagement objectives as "broad statements developed by internal auditors that define intended engagement accomplishments." "To determine the operating effectiveness of the whistleblower process" is a broad statement and is pertinent to a likely risk related to governance. Customer satisfaction is more related to marketing effectiveness than auditable governance activities. Organizational training is much more broad than just being a governance activity. Training of senior management or the board would be more appropriate. Cultural expectations would not be subject to compliance and would be difficult to test.

2415
The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. What criteria need to be evaluated in order to ensure that appropriate and sufficient resources are available to achieve the engagement objectives?
○ Nature and complexity of the engagement, time constraints, and available resources
○ Risk appetite of audit client management, familiarity of audit client management with the audit process, and level of formality required in the final audit report
○ Total years of experience possessed by the internal auditors assigned to the engagement, technology tools required to efficiently perform the testing, and level of cooperation expected from audit client personnel
○ Level of executives directly affected by the audit engagement, level of significance of anticipated issues, and importance of the engagement to senior executives and the board
Explanation: Standard 2230, "Engagement Resource Allocation," states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

2318
Internal auditing is conducting an assurance audit of the implementation of a quality assurance program in a manufacturing facility. Which of the following sources might be used to generate effective criteria to evaluate program implementation?
○ Industry journal articles on comparable quality initiatives
○ Quality benchmarks for a retail sales business
○ Texts written by experts in the field of quality purchasing
○ Historical data on administrative waste and rejected applicants
Explanation: Criteria should yield specific information about performance useful to the client. Industry journals might provide examples of criteria used in other organizations. Historical data could be used to measure improvement, but the historical data described here is off subject. Quality texts might suggest areas for evaluation and ways to measure the implementation of processes, but these are criteria about purchasing quality rather than manufacturing quality. Criteria from an unrelated industry or business area will not yield useful information.

2080
A preformatted numeric data entry field in a user interface would be characterized as which of the following control types?
○ Hybrid, input, and detective
○ Application, process-level, and active
○ Application, input, and preventive
○ Processing, corrective, and passive
Explanation: Input controls verify the integrity of data as it is entered into a system, and they are a subset of application controls, which are process- or transaction-level controls specific to an application. Preventive controls are proactive and deter undesirable events from occurring, such as entering alpha characters as an abbreviation for a month, which could cause problems in the database. A pre-formatted numeric data entry field is an example of all three types.

2319
If the auditor determines that criteria related to management goals and objectives are inadequate or nonexistent, which action would be appropriate?
○ Recommend alternative sources of criteria, such as acceptable industry standards, to management.
○ Perform the audit in the absence of such criteria or use the criteria he or she does have.
○ Formulate criteria he or she believes to be adequate, and perform the audit and report in relationship to the alternative criteria.
○ Tell management to develop such criteria, and wait for this to be done before auditing that area.
Explanation: When there are no generally accepted criteria consistent with the audit engagement objectives, the lead internal auditor will need to identify the criteria suitable for the engagement through consultation with client management. If management doesn't create a set of criteria, internal auditors should develop some for use in the audit. These can be provided to management for discussion and their own use, if desired.

2416
The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. The internal auditors need to determine that appropriate and sufficient resources are available to achieve the engagement objectives. What is meant by "appropriate" in this context?
○ Mix of knowledge, skills, and other competencies needed to perform the engagement
○ Mix of knowledge and mastery of the governance, risk management, and control processes related to the engagement
○ Level of audit management overseeing and evaluating the assigned internal auditors and the completion of the engagement
○ Determination that auditors assigned to the engagement are both independent and objective
Explanation: Standard 2230, "Engagement Resource Allocation," states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

2113
The internal audit activity of a large corporation has established its operating plan and budget for the coming year. The operating plan is restricted to the following categories: a prioritized listing of all engagements, staffing, a detailed expense budget, and the commencement date of each engagement. Which of the following best describes the major deficiency of this operating plan?
○ Knowledge, skills, and disciplines required to perform work are ignored.
○ Measurability criteria and targeted dates of completion are not provided.
○ Opportunities to achieve operating benefits are ignored.
○ Requests by management for special projects are not considered.
Explanation: The goals of the internal audit activity, as stated in specific operating plans and budgets, should include measurability criteria and targeted dates of accomplishment. Requests for special projects would be considered while prioritizing the engagements. By reviewing staffing, prioritization of engagements, and expenses, operating benefits can be achieved. Staffing for each engagement would include the consideration of knowledge, skills, and disciplines required.

2337
Engagement objectives should reflect which of the following?
○ Results of the preliminary assessment of risks relevant to the activity under review
○ Results of laws and regulations imposed by statutory bodies
○ Results of management's determination of the potential impact of the risk
○ Results of the assessment of the organization's governance, risk management, and control processes
Explanation: Per Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

2327
If a department's operating standards are vague and thus subject to interpretation, an auditor should
○ seek agreement with the departmental manager as to the criteria needed to measure operating performance.
○ interpret the standards in their strictest sense, because standards are otherwise only minimum measures of acceptance.
○ omit any comments on standards and the department's performance in relationship to those standards, because such an analysis would be inappropriate.
○ determine best practices in the area and use them as the standard.
Explanation: If the internal auditor finds that the area's standards are vague or the engagement objectives are unclear, time is usually spent working with operational management to develop appropriate ones. The auditor should first seek to gain an understanding with the departmental manager on the appropriate standards and how they are applied to the organization. If internal auditors must interpret standards, they should seek agreement with the engagement client. Best practices may produce overly high standards.

2391
The internal auditors are performing an assurance engagement focusing on the inventory for a dealership location. During a review of the engagement scope, management informs the auditors that a significant amount of the dealership inventory is housed on consignment at several customer locations. What should the internal auditors do with regard to inventory maintained at customer locations?
○ The engagement scope should not include a review of inventory on consignment at customer locations. Management does not have control of this inventory and thus is not accountable for it. Additionally, customers are third parties and thus outside the scope of an audit engagement.
○ The engagement should focus solely on this portion of the inventory, as it is at the highest risk for theft and fraud.
○ The engagement scope should not include a review of inventory on consignment at customer locations. This inventory is no longer the property of the dealership and should be excluded from the inventory population.
○ The engagement scope should include a review of inventory on consignment at customer locations. These inventory amounts are significant and thus relevant to the audit of dealership inventory, regardless of location.
Explanation: Per Standard 2220.A1, the scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2405
An internal auditing manager confides to another senior member of the function that the manager's assigned assurance engagement may exceed its budget. Additional software had to be installed to implement planned procedures, and learning to use the new software took more time than anticipated. The manager is wondering what to do at this point. Should the team reduce the amount of work they have scheduled for the rest of the engagement? They might be able to save time and enough money to cover the software expenses. What is the best advice the colleague could give the manager?
○ "Don't change course. If your engagement plan was sound, you should execute it."
○ "Ask the manager of the department you're auditing to explain in writing why the additional steps you took were reasonable."
○ "Deadlines and budgets are critical to the organization, our department, and our clients. Do what you have to in order to meet your budgets."
○ "Take a risk management approach to your own project. Consider the organization's goals, the engagement objectives, and the risks of altering the procedures."
Explanation: Creating budgets and schedules during the planning phase is based on best estimates, and judgment must be used if, for any reason, those estimates are not matched. Proceeding as planned may not be a good use of resources if procedures could be altered without affecting the integrity of the internal audit. Similarly, altering procedures just to meet budgets may compromise the audit's objectives. The decision belongs to the leader of the internal audit team.

2326
Audit engagement programs testing internal controls should
○ be generalized to fit all situations without regard to departmental lines.
○ be tailored for the audit of each operation.
○ be generalized in order to be usable at the various international locations of an organization.
○ reduce costly duplication of effort by ensuring that every aspect of an operation is examined.
Explanation: A tailored program is more relevant to an operation than a generalized program. Every aspect of an operation need not be examined—only those aspects likely to conceal problems and difficulties.

2081
If the internal auditor believes the organization has risk exposure that is outside the organization's risk appetite, the internal auditor should
○ discuss the matter with the audit committee chair, who will directly address the issue with the chief executive officer.
○ discuss the matter with management and escalate it to enterprise risk management and/or the legal department, if necessary.
○ discuss the matter with the audit committee chair, who will evaluate the issue according to his/her oversight responsibilities.
○ discuss the matter with management and escalate it to senior management and the board, if appropriate.
Explanation: According to The IIA's implementation guidance for Standard 2060, "Reporting to Senior Management and the Board," if the chief audit executive (CAE) believes that senior management has accepted a level of risk that the organization would consider unacceptable, the CAE should first discuss the matter with senior management. If the CAE and senior management cannot resolve the matter, the CAE should communicate the matter to the board. If such issues are too urgent to wait until a scheduled board meeting (e.g., a major fraud), the CAE would be well advised to make arrangements to communicate sooner.

2321
What should be included in the internal audit scope for an assurance engagement with purchasing?
○ Manual but not automated procedures
○ Purchasing management input
○ Duties performed by purchasing
○ Interface with other functions such as shipping or accounts receivable as deemed appropriate to verify the quality of controls
Explanation: Standard 1110.A1 states: "The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results." Management input could potentially thwart internal audit from fulfilling the intended scope. Internal audit might interface with receiving or accounts payable, not shipping or accounts receivable, to verify the existence of controls. Automated procedures should not be omitted from scope.

2409
A company has two manufacturing facilities. Each facility has two manufacturing processes and a separate packaging process. The processes are similar at both facilities. Raw materials used include aluminum, plastic pellets, various chemicals, and solvents. Pollution occurs at several operational stages, including raw materials handling and storage, process chemical use, finished goods handling, and disposal. Waste products produced during the manufacturing processes include several that are considered hazardous. The nonhazardous waste is transported to the local landfill. An outside waste vendor is used for the treatment, storage, and disposal of all hazardous waste. Management is aware of the need for compliance with environmental laws. The company recently developed an environmental policy, which includes a statement that each employee is responsible for compliance with environmental laws. If the internal auditing activity is assigned the responsibility of conducting an environmental audit, which of the following actions should be performed first?
○ Review company policies and procedures.
○ Review the environmental management system.
○ Provide the assigned audit staff with technical training.
○ Conduct risk assessments for each site.
Explanation: If the internal auditing activity is given the task of environmental audits, the first action that should be accomplished is training auditors to give them the technical expertise needed to identify and recommend corrective actions for environmental issues.

2312
Which of the following is an appropriate audit engagement objective?
○ To observe the physical inventory count
○ To search for the existence of obsolete inventory by computing inventory turnover by product line
○ To include information about stockouts in the engagement final communication
○ To determine whether inventory levels are sufficient to meet projected sales
Explanation: Engagement objectives are "broad statements developed by internal auditors that define intended engagement accomplishments." "To determine whether inventory levels are sufficient to meet projected sales" is a statement of what the audit engagement is to accomplish. It is also specific, since it ties the inventory balance to the criterion of meeting projected customer needs. The other answer choices are engagement program steps.

2347
The internal auditors are planning an engagement focusing on the organization's hiring process. Which of the following must be considered when planning the engagement?
○ Significant risks to the hiring process objectives, resources, and operations. However, the internal auditors have no responsibility to consider the means by which the potential impact of these risks is kept to an acceptable level.
○ Significant risks to the hiring process objectives, resources, and operations. The internal auditors should also consider the means by which the potential impact of these risks is kept to an acceptable level.
○ Significant risks to the hiring process objectives, but not the resources and operations. These are management decisions and thus outside the scope of an audit engagement.
○ Significant risks to the hiring process objectives and operations but not the resources. Resources are a management decision and thus outside the scope of an audit engagement.
Explanation: Per Standard 2201, "Planning Considerations," internal auditors must consider these factors in planning an engagement:
The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance
The significant risk to the activity's objectives, resources, and operations and the means by which the potential impact of the risk is kept to an acceptable level
The adequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model
The opportunities for making significant improvements to the activity's governance, risk management, and control processes

2357
Internal audit is conducting risk assessment in engagement planning. Management has already created an assessment of risk as part of an enterprise risk management framework. The internal audit function should do which of the following related to the management assessment?
○ Avoid using the management assessment because its objectives differ significantly from those of an audit risk assessment.
○ Adopt the management assessment without reservations to avoid duplication of effort.
○ Assess the reliability of the management assessment prior to adopting it.
○ Avoid using the management assessment because adopting it would hinder independence and objectivity.
Explanation: Implementation Guide 2210, "Engagement Objectives," states, "It is helpful for internal auditors to determine whether a risk assessment was performed during the engagement's planning phase and to attain a thorough understanding of the risks of both the organization and the area or process under review. In addition, it is critical to understand the expectations of stakeholders including senior management and the board." The internal auditor also considers the reliability of management's acceptance of risk.

2382
The transportation department for a large manufacturing company maintains its vehicle inventory and maintenance records in a database on a stand-alone computer in the fleet supervisor's office. Which audit approach is most appropriate for evaluating the accuracy of the database information?
○ Submitting batches of test transactions through the current system and verifying with expected results
○ Using program tracing to show how and in what sequence program instructions are processed in the system
○ Simulating normal processing by using test programs
○ Verifying a sample of records extracted from the database with supporting documentation
Explanation: Verifying is the most common technique in testing the accuracy of information maintained by a system, whether manual or automated. Test decking of a database and simulating normal processing will test the program but not the accuracy of data in the database. Tracing would require that additional coding be inserted into the database system programs.

2339
Management has requested an audit of an activity but has not identified the objectives of the engagement. What action should internal audit take?
○ Work with management to develop the objectives after commencing the engagement.
○ Work with management to develop the objectives prior to commencing the engagement.
○ Proceed with the testing requested by management without establishing objectives.
○ Work within the audit team to develop objectives for the engagement without management input.
Explanation: According to Standard 2210, "Engagement Objectives," objectives must be established for each engagement.

2323
According to the Standards, which of the following would be considered a scope limitation?
○ Divisional management indicates that since the division is in the process of converting a major computer system, the information systems portion of a planned audit will have to be postponed until next year.
○ An audit committee reviews the audit plan for the year and deletes an audit that the chief audit executive thinks is important.
○ Senior management requests a performance audit of a cellular manufacturing area; the chief audit executive agrees but also decides to omit performance audits from the planned assurance engagement in that area.
○ A sales manager indicates that certain customers should be contacted with a certain sensitivity because the organization is in the process of negotiating long-term contracts with them.
Explanation: Standard 1110.A1 states: "The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive [CAE] must disclose such interference to the board and discuss the implications." Being told not to audit an information system that would otherwise be part of a planned audit is therefore a scope limitation. The case of the CAE determining the scope of the cellular manufacturing division audit is the CAE's own decision and is related to avoiding duplication of efforts. Project review and approval by the audit committee is not a scope limitation; rather, it is the audit committee's responsibility to review and approve the planned scope of activities for the year. While being asked not to contact certain customers would be a scope limitation, the sales manager's request to not damage pending business relationships is reasonable.

2322
Internal auditing is conducting a consulting engagement for the project management area of a global company that has become frustrated with project delays. The client has asked internal auditing to evaluate the ability of its multinational teams to communicate successfully, stay on schedule, and resolve differences and also to suggest ways in which the teams' abilities might be improved. In the course of meeting with managers to define the scope of the project, the internal auditor becomes convinced that while the project teams could probably improve, their ability to function is not the most serious risk facing the organization. A more serious risk is a lack of commitment by various departments to the organization's business strategies. What should internal auditing do with this observation?
○ The chief audit executive must meet with senior management to report this newly discovered risk to the organization.
○ Schedule a meeting with the audit client to discuss a possible expansion of the scope of the engagement.
○ Maintain the privacy of the interviews, and proceed with the scope of work as originally defined.
○ Do not change the scope of work, but include these observations in the audit report.
Explanation: According to Implementation Standard 2220.C1, if internal auditing develops reservations regarding whether the scope of work will accomplish the client's objective, internal auditing must discuss the issue with the client and determine whether to proceed with the engagement. In this case, internal auditing could be focusing on the wrong part of the equation for the problem. The management of this area should have the opportunity to address this risk before the matter is brought to senior management.

2376
The chief financial officer (CFO) has requested the internal auditors to perform a consulting engagement of accounting practices related to the efficiency and effectiveness of the month-end close process. What responsibilities (if any) do the internal auditors have in addressing the governance, risk management, and control processes for this engagement?
○ The internal auditors must address governance, risk management, and controls for the month-end close process to the extent agreed upon with the CFO.
○ The internal auditors must address the governance, risk management, and controls of the month-end close process, since ignoring these would lead to an ineffective consulting engagement.
○ The internal auditors must not address the governance, risk management, and controls of the month-end close process, as this would change the nature of the engagement from a consulting engagement to an assurance engagement.
○ The internal auditors must not address the governance, risk management, and controls of the month-end close process, as they are prohibited to do this by the Standards.
Explanation: Standard 2210.C1 states that consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.

2379
Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function?
○ Observing the process
○ Asking the credit manager about the effectiveness of the function
○ Checking for evidence of credit approval on a sample of customer orders
○ Reviewing the trend in receivables write-offs
Explanation: The purpose of the credit-granting function is to minimize write-offs while at the same time accepting sales likely to result in collection. Reviewing the trend in write-offs will provide some insight concerning the minimization of write-offs.

2145
Which of the following describes the risk and control matrix?
○ Must be used for engagement-level planning, according to The IIA's Performance Standards
○ Developed exclusively by the internal auditor, without client involvement, to ensure internal auditor objectivity
○ Useful tool for internal auditors to help ensure significant risks are identified and subsequently addressed during fieldwork
○ Most widely adopted framework for enterprise-wide risk assessment
Explanation: The risk and control matrix is a useful, but not required, tool that may be used for completing risk assessments as part of engagement planning.

2340
Are risks relevant to the activity under review an important consideration when determining engagement objectives?
○ No. Risks relevant to the activity can be vague and cause the auditors to waste time on unnecessary testing.
○ Yes. A preliminary assessment of relevant risks can have a significant impact on the engagement objectives.
○ No. Risks relevant to the activity may be outside the engagement objectives and lead to scope creep.
○ Yes. Risks relevant to the activity are more important than any other consideration in determining the engagement objectives.
Explanation: According to Standard 2210.A1, internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

2138
In planning internal audit engagements, internal auditors must consider
○ the significant risks to the activity's objectives, resources, and operations.
○ the cost-benefit of performing a detailed engagement-level risk assessment.
○ the key controls over external financial reporting for U.S. public companies.
○ management requests related to the objectives of the engagement established by the internal auditor.
Explanation: According to Standard 2201, "Planning Considerations," in planning the engagement, internal auditors must consider the significant risks to the activity's objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. Internal auditors are not required to consider management requests related to engagements. Internal auditors are not required to consider key controls over reporting; engagement objectives may be primarily related to compliance, operational, and/or other business objectives. Internal auditors are not required to consider the cost-benefit of performing an engagement-level risk assessment.

2024
After conducting a risk-based assessment and establishing an audit schedule, with appropriate review and approval, the internal audit activity begins work on the high-priority audits. The auditors quickly discover that one of the assurance engagements will require more technical expertise than originally anticipated. Which of the following would be the most appropriate response of the chief audit executive?
○ Continue with the engagement and schedule weekend or after-hours training sessions for the internal auditors initially assigned to the engagement.
○ Cancel the engagement and inform the audit committee that it will be rescheduled when resources permit.
○ Rely upon the technical expertise of staff members in the area being audited.
○ Bring in technical help from an appropriate source, such as an independent consulting firm or a university.
Explanation: The most appropriate response is to acquire the expertise from an independent source. The least appropriate response is to drop scheduled engagements; they were selected because of their assessed risks.

2324
Which of the following is a possible assurance engagement objective related to the purchasing function?
○ To review and authorize purchases eligible for competitive bids
○ To run background checks on unauthorized vendors
○ To get external auditors to verify receiving reports
○ To ensure that goods received are properly reflected in purchasing records
Explanation: Engagement objectives may be stated in various ways, but it should be clear what assurances internal audit will provide. If the audit is intended to consider potential unauthorized vendors, an appropriate objective might be to determine if vendors are authorized in accordance with management criteria. The other answer choices also make it unclear what internal auditing will provide or improperly create a task for external auditors.

2417
The internal auditors are determining the engagement resource allocation for an upcoming audit engagement. The internal auditors need to determine that appropriate and sufficient resources are available to achieve the engagement objectives. What is meant by "sufficient" in this context?
○ It refers to the knowledge, skills, and other competencies needed to perform the engagement.
○ It refers to the complexity of the systematic, disciplined approach needed to complete the engagement.
○ It refers to the level of technology experience needed to adequately evaluate the critical systems applicable to the engagement.
○ It refers to the quantity of resources needed to accomplish the engagement with due professional care.
Explanation: Standard 2230, "Engagement Resource Allocation," states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. According to interpretation of the standard, appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quality of resources needed to accomplish the engagement with due professional care.

2331
An internal audit function is charged with measuring the compliance of the organization's human resources area with applicable laws, regulations, and internal policies. Which of the following objectives would be appropriate for this engagement plan?
○ To question recently hired employees to assess compliance with the interviewing process
○ To assess the process used by human resources to respond to employee complaints
○ To establish proof of citizenship by requiring a birth certificate
○ To ensure that applicant pools represent a fair cross section of the population
Explanation: An engagement objective is a broad statement intended to define the engagement's accomplishments. This might include evaluating such items of compliance as documentation of proof of residency and complaint response processes. Ensuring that applicants represent a cross section of the population would be an operational objective for human resources rather than an engagement objective for internal auditing. It might also be an objective to evaluate compliance of the interview process with laws, regulations, and policies, but the objective would not specify the manner of accomplishing it (e.g., by interviewing recently hired employees or requiring a birth certificate).

2355
The first phase of the risk assessment process is to identify and catalog the auditable activities of the organization. Which is an auditable activity?
○ Computerized audit tools and techniques
○ Pending statutory laws and regulations as they affect the organization's lobbying efforts
○ Agenda established by the audit committee for one of its quarterly meetings
○ General ledger account balances
Explanation: The audit committee's agenda for an audit committee meeting and computerized audit tools and techniques would not be auditable activities (also called auditable units), as the audit function cannot audit itself. Pending laws and regulations are not auditable until they become enforceable, so the internal audit activity could not audit how those pending laws and regulations affect the organization's lobbying efforts. The lobbying efforts themselves could be audited, however.

2346
The internal auditors are planning an engagement focusing on the marketing process. Which of the following must be considered when planning the engagement?
○ Strategies and objectives of the marketing process and the means by which marketing controls its performance
○ Marketing ad revenue volume and the percentage increase in sales per ad dollar spent
○ Strategy and objectives of the production department and their ability to support the marketing claims as advertised
○ Consistency of marketing materials across product lines and the accuracy of advertising claims listed in the materials
Explanation: Per Standard 2201, "Planning Considerations," internal auditors must consider these factors in planning an engagement:
- The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance
- The significant risk to the activity's objectives, resources, and operations and the means by which the potential impact of the risk is kept to an acceptable level
- The adequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model
- The opportunities for making significant improvements to the activity's governance, risk management, and control processes

2356
While conducting a risk assessment, internal auditors may use a number of criteria. Which would be considered subjective rather than objective?
○ Change in size of market share
○ Priority ranking of organizational objectives
○ Market value of oil futures the organization owns
○ Productivity ranked against industry benchmarks
Explanation: Measures of quality and significance are inherently subjective (or qualitative). Market share, market values of regularly traded derivatives such as futures, and benchmarks are all measurable quantitatively, so they can be considered objectively (although the importance of achieving a benchmark or a particular percentage of market share is subjective).

2
2

3
1

3
1

4
3

2
3

4
3

3
1

1
3

3
1

4
4

3
4

2
1

3
2

2
4

2
Practice of Internal Auditing - Performing

No. Question Explanation
2114
Which of the following is the best rationale for conducting a preliminary survey when preparing for an internal audit?
○ To provide a general level of familiarization with the activity for internal auditors who may not have worked in this area before
○ To create the engagement objectives
○ To provide more specific information about the activity being audited that can help refine the audit testing
○ To demonstrate commitment and thoroughness to the client
Explanation: Preliminary surveys are recommended to gain more detailed information about the activity that can be used to refine or clarify (rather than create) the objectives of both the engagement and the activity and to determine the processes to be audited, the internal auditing resources that will be required to achieve the objectives, and the audit scope. A preliminary survey should provide more than a general familiarization. While a preliminary survey does demonstrate professionalism, this is not the most important rationale for conducting one.

2673
The following is the text of a finding:
We find that due to inadequate monitoring of cost-effective transportation and hotel options, the department's travel budget has increased steadily by a total of 1% per quarter, thus failing to achieve management's objective of reducing travel-related expenses by 1% over the same time period.
Which of the following elements is missing from this finding?
○ Cause
○ Criteria
○ Condition
○ Consequence
Explanation: The statement identifies the condition (rising costs), the criteria (management's objective), and the cause (insufficient monitoring of choices), but it does not specify the consequence (effect).

2464
Management answers yes to every question when filling out an internal control questionnaire and states that all listed requirements and control activities are part of their procedures. An internal auditor retrieves this questionnaire from management during the preliminary survey visit but does not review the responses with management while on site. The auditor's supervisor should be critical of the above procedure based on the fact that
○ the questionnaire was not designed to address accounting operations and controls.
○ internal control questionnaires cannot be relied upon.
○ the auditors were not present while the questionnaire was being filled out.
○ audit information must be corroborated in some way.
Explanation: Self-audit questionnaires provide indirect evidence that must be confirmed.

2573
Which of the following characterizes relevant and useful audit evidence in an assurance engagement?
○ It helps to achieve management's goals and objectives.
○ It provides enough information to make valid engagement observations and recommendations.
○ It is obtained directly from external sources (benchmarking, for example).
○ It is consistent with the objectives of the engagement
Explanation: Information should be sufficient, competent, relevant, and useful to provide a sound basis for engagement observations and recommendations. Relevant information supports engagement observations and recommendations and is consistent with the objectives of the engagement (rather than management's objectives, which would apply to a consulting engagement). Useful information helps the organization meet its goals. Providing enough information to make valid engagement observations and recommendations describes the quality of sufficient information. Benchmarking may be part of a consulting engagement and is not associated with assurance services.

2566
Audit evidence is considered to be more persuasive if it is
○ obtained under conditions of weak rather than strong controls.
○ known by an auditor's personal intuition rather than from third-party confirmation.
○ obtained from an external rather than internal source, even if it does not pertain to an audit objective.
○ verified by written inquiry of a third party rather than by internally maintained documents.
Explanation: Written inquiry/confirmation obtained from outside third parties is more persuasive than internal company documents. An internal auditor's knowledge or observation of facts can be more persuasive than third-party confirmation because it is more likely to be credible, but intuition, while it might help start up the right lines of inquiry, is not evidence in itself.

2667
[The question is long, so it is skipped.]
If the data is correct, which of the following conclusions reached by an auditor is justified?
○ The number of service calls made at customer locations seems to be more closely related to the number of technicians than the number of customer complaints.
○ The average sale of complementary services has remained about the same per customer.
○ The rate of customer complaints logged is increasing.
○ The department should be used as a model for other departments due to its trend of cost reductions.
Explanation: The rate of customer complaints (customer complaints/number of customers) has decreased each year, from approximately 3.4% in year one to 3.0% in year three. However, the number of service calls appears to be more closely related to the number of technicians (seven in the last two years but only six in the first year). The technicians average four service calls per day over a 360-day year.

2563
Which of the following would be considered an obstacle to overcome when installing generalized audit software (GAS)?
○ Increased time required to complete audits due to GAS complexity
○ Requirement to develop sophisticated sampling strategies to use with GAS
○ Problems due to the fact that GAS extracts read-only files from client databases
○ Client concerns about GAS compatibility with current software
Explanation: Although GAS reduces audit time and may allow the review of every item in a population rather than sampling, clients may resist its use because of concerns about compatibility between the GAS and existing software. To help overcome this obstacle, the audit activity can emphasize the ability of the GAS program to provide management with an entirely new approach to save the internal audit activity time in auditing the operation.

2425
Which is an effective interview technique?
○ Showing lack of interest and giving verbal feedback to show objectivity
○ Setting expectations at the start about the interview purpose and the topics to be covered
○ Letting the interview subject control the structure and time frame for the interview
○ Recording the interview after telling the client that this is department protocol
Explanation: It is important to set explicit expectations, to show interest (rather than lack of interest) and give verbal feedback to encourage discussion, and to control the structure and time frame of the interview (rather than abdicating this role). Interviews may be recorded, but only if the client agrees. Likewise, a computer may be used to take notes during an interview. However, recording a discussion or typing notes can be intimidating and can inhibit an individual's openness and willingness to fully disclose information.

2606
An internal auditor develops a vertical flowchart of a process. The value to the auditor is to
○ generate a permanent record demonstrating how work activities were performed at a specific moment in time.
○ validate baseline performance data collected before recommending control improvements.
○ depict inputs, activities, workflows, and interactions with other processes and outputs.
○ assess the level of compliance against a standard.
Explanation: Flowcharts allow internal auditors to document their understanding of a process, evaluate efficiency, determine areas of primary concern, and identify key risks and controls. Flowcharts can be used to support an auditor's overall assessment of risk and control in an engagement.

2686
Which of the following is an example of the most appropriate comment used to give feedback in a face-to-face performance appraisal?
○ "You could improve the way you relate to other staff."
○ "Engagement clients seem to like you."
○ "I like the way you relate to clients during engagements."
○ "Your customer satisfaction index is rated 8.4."
Explanation: Performance appraisal feedback should be specific. Generalizations don't help an employee maintain or improve specific or measurable performance.

2677
A compliance assurance engagement report for an internal audit of a university's environmental waste disposal activities states, "Internal controls over the university's environmental waste disposal are satisfactory, with the exception of the chemistry labs, where significant improvement is needed." This is an example of which of the following types of opinions?
○ Qualified opinion
○ Positive opinion
○ Marginal opinion
○ Negative opinion
Explanation: A qualified opinion is characterized by specific findings that contradict ("qualify") the overall opinion. This type of opinion can be useful in situations where there is an exception to the general opinion.

2565
The internal audit department has designed a transferable spreadsheet file to assess a particular type of process that occurs at several geographic locations. Which of the following terms describes this file, which has no specific data but contains column headings, formulas, and formatting instructions?
○ Cell
○ Template
○ Macro
○ Screen
Explanation: This is an example of a template. A cell is the area where data or formulas can be entered. A macro is a program written in the language of the spreadsheet. A screen is the display area that shows the spreadsheet.

2473
An internal auditor is planning a compliance audit in a unit with a number of branches dispersed across several states. Which of the following would be the most effective method to use in the preliminary information-gathering phase?
○ Individual interviews conducted in the branches
○ Group session at a central location
○ Questionnaires sent by email
○ Group interview conducted in a teleconference
Explanation: Questionnaires (typically with yes/no questions plus a comment line) are considered especially appropriate for regulatory audits and for use when respondents are numerous and scattered among branches. This is because yes/no answers are sufficient for gathering this type of information and because on-site interviews are much more expensive. Group sessions are not an efficient venue for yes/no questioning.

2596
An auditor for a major retail company suspects that inventory fraud is occurring at three stores that have a high cost of goods sold. Which of the following audit activities would provide the most persuasive evidence that fraud is occurring?
○ Selecting a sample of individual store prices and comparing them with the sales entered on the cash register for the same items
○ Using an integrated test facility to compare individual sales transactions with test transactions submitted through the facility and investigating all differences
○ Scheduling a surprise inventory audit to include a physical inventory and then investigating areas of inventory shrinkage
○ Interviewing the three individual store managers to determine if their explanations about the observed differences are the same and then comparing their explanations to that of the section manager
Explanation: If this type of fraud were occurring, it would result in inventory shrinkage. The surprise inventory count would be an effective audit technique. The other answer choices do not address the problem.

2461
Activities such as making inquiries of the floor manager, observing inventory-counting procedures, and inspecting warehouse equipment to determine whether or not management's goals are being met would be performed in which of the following audit phases?
○ Conducting the preliminary survey
○ Conducting fieldwork
○ Establishing audit objectives
○ Developing the audit program
Explanation: Gathering evidence about the operation's performance would take place in the fieldwork phase of the audit, after audit objectives and procedures have been established in relation to management's goals.

2567
New credit policies have been implemented in an automated order entry system to control collectability. These policies prevent entering any new sales order that would cause the customer's accounts receivable balance to exceed average sales for any two-month period in the prior 12 months. Divisional sales management has compiled over a dozen examples that show decreased sales and delayed order entry. They contend that these examples are a direct result of the new credit policy constraints. Sales management's data and information provides
○ irrelevant argumentative information.
○ a statistically valid conclusion about the impact on customer goodwill concerning the credit policy.
○ evidence that the new credit policy is not meeting the stated corporate objective to control the collectability of new sales volume.
○ feedback control data on the new corporate credit policy.
Explanation: An advantage of feedback control is that managers can use the information on past performance to improve future performance. Because the argument is apparently supported in the data, the auditor should consider the sales management data relevant. The sales management data shows that automated controls have, in fact, been successful in meeting the stated objective. The data is not framed to present statistically valid information and is biased to show negative results.

2467
An audit manager is conducting the annual meeting with manufacturing division management to discuss proposed audit plans and activities for the next year. After some discussion about the past year's audit activity at 12 plants in the division, the divisional vice president agrees that all significant recommendations made by the audit staff refer to key controls and related operating activities that are correctly described for local management in the standard operating procedures (SOPs) for the division. The vice president proposes to transcribe key control activities from the division's extensive written procedures to a self-audit SOP questionnaire. What significance should the audit manager attach to such SOP questionnaires in relation to the proposed audit schedule for the next year?
○ The SOP questionnaire should improve control adequacy, but the auditors need to verify that controls are working as documented in the SOPs.
○ SOP questionnaires must be mailed and controlled by the internal auditing department to be considered in relation to the proposed audit schedule.
○ Audit activity can be reduced if the vice president agrees to require internal auditing department approval on all divisional SOPs.
○ Adding this control should eliminate significant audit recommendations in the coming year, so the scope of audit activities can be reduced accordingly.
Explanation: A specific advantage of an SOP questionnaire is that it may be used by local management to periodically ensure that employee practices remain current with relevant, valid, and up-to-date SOPs. This improves the overall level of control and the control environment when follow-up is included to ensure performance. However, independent verification is still needed, at least in the first year of using such questionnaires. If they succeed in significantly reducing exceptions, audit activity might be reduced by some extent in future years.

2119
An auditor is considering the potential sources of evidence regarding the effectiveness of a division's total quality management (TQM) program. Assume that all comparisons are for similar time periods and durations and current items are compared with similar items before the implementation of the TQM program. The least persuasive evidence would be a comparison over the two time periods of
○ manufacturing and distribution costs per unit.
○ customer returns.
○ employee morale.
○ scrap and rework costs.
Explanation: Employee morale is important and often is a side benefit of TQM programs. However, employee morale is not a sufficient reason to implement TQM. There should be some evidence of greater customer satisfaction or reduced costs.

2090
During a walkthrough, an internal auditor observes a worker attempting to execute a control but failing to do so with the proper procedure. The procedure the worker uses accomplishes the same control result. After discussing the procedure with the worker, the internal auditor is satisfied that the worker understands the purpose for the control and believes it to be important and necessary. Which is the most appropriate recommendation in this instance?
○ That the worker's method and the official method be compared to see which is more efficient and the more efficient one be adopted
○ That the worker's supervisor adopt better monitoring and control over procedures followed by subordinates
○ That the worker be secretly observed to determine how the procedure is conducted
○ That the worker be retrained on the official procedure
Explanation: This may be a case in which the procedure does not work well in practice despite being theoretically sound, either because the environment has changed or because the worker had no input in control design and it is impractical to implement as written. Since the control in question is effective (it accomplishes the intended control result), the only question is whether the process being used is more efficient than the written procedure. If it is proven more efficient, it may be a best practice that can be adopted as the official procedure in this area.

2433
When conducting interviews during the early stages of an internal audit, it is most effective to
○ ask people about their jobs.
○ ask for specific answers that can be quantified.
○ ask surprise questions about daily procedures.
○ take advantage of the fact that fear is an important part of the audit.
Explanation: Individuals feel more important being asked "people" questions versus "control" questions. This will help build the important interpersonal part of the audit relationship.

2564
An accounting clerk has developed a scheme to input fraudulent invoices for nonexistent vendors. All the payments are sent to the same address. The auditor suspects a possible fraud. The most effective computer audit technique to investigate the fraud would be to
○ use generalized audit software to compare addresses across multiple files and print out duplicates for investigation.
○ use test data for multiple vendors and investigate unexpected results.
○ perform a complete audit of computer program changes.
○ test application controls through an integrated test facility and investigate unexpected results.
Explanation: Generalized audit software could check the mailing addresses of vendors and detect common addresses or other commonalities of the billings.

Which of the following would provide the best evidence that a building's security system meets management's stated The strongest evidence is direct evidence, such as the auditor's firsthand report on observing a
requirements? successful trial of the system.
○ Independent evaluation of the installed type of system testifying that it is superior to similarly priced competitors
2148 ○ Building manager's written assurance that the system has been tested and approved by knowledgeable staff
○ Internal auditor's direct observation of a trial of the system
○ Documentation from the installer that the system has been properly installed and tested
An auditor has recognized that a problem exists because the organizational unit has been too narrow in its definition of goals. The auditor is responsible to the organization, not just the audit client, and should therefore report
The goals of the unit focus on profits, but the overall organizational goals are much broader. The auditor also recognizes that the the problem to the audit client. Subtly mixing the suggested solution with the problem definition
audit client will resist any recommendations about adopting broader goals. The best course of action would be to might be a strategy to get buy-in from the client, but it will not be suitable in every case and can
○ identify the broader organizational goals and present a set of recommendations that attempt to meet both the organizational easily be seen as manipulative.
and audit client goals.
2058 ○ report only the conditions found and leave the rest of the analysis to the audit clients.
○ avoid conflict and present only those goals that are consistent with the audit client's views, since all others will be ignored.
○ subtly mix the suggested solution with the problem definition so that the audit client will identify the solution apparently
independently of the auditor.

2666 An auditor has taken an attribute sample of a bank's existing loan portfolio. Out of a sample of 60 loans, the auditor finds:
Four that are not properly collateralized.
Five that are not in compliance with bank policies (other than lack of collateralization).
Four that are part of a related-party group but have been set up as separate loan entities.
Of the 60 loans selected in the sample, these errors are noted on a total of ten loans since several loans have multiple problems.
Which of the following conclusions can the auditor reach from these findings?
○ The financial statements will be misstated as a result of these actions.
○ There is sufficient evidence that fraudulent activity is taking place by one or more of the bank's lending officers.
○ There are significant noncompliance audit findings that should be reported.
○ The expected error rate on loans is 16.7%.
Explanation: These findings represent a large percentage of the samples and so are significant. However, there is not sufficient evidence to conclude fraudulent activity on the part of the bank's lending officers. There must be intent to deceive for some personal gain to infer fraud. In addition, the financial statements will not necessarily be incorrect as long as the bank can determine that the loans receivable are properly classified as to term and are carried at their net realizable value. The question did not provide the expected error rate or the tolerable error rate. The 16.7% is the observed error rate for the sample.

2042 While performing analytical procedures related to an audit of a social services agency of a government entity, the auditor notes that there is an unusually large increase in payments to individual recipients who are under the direction of a particular social worker in the agency. Which of the following audit procedures would be the best procedure to investigate this observation?
○ Implement an integrated test facility and monitor transactions throughout the year to identify unusual items.
○ Use generalized audit software to sort payments to recipients by social worker and then sort the payments by common addresses and names.
○ Use generalized audit software to take a random sample of recipients and investigate by sending confirmations to each recipient to determine if they had received proper payments.
○ Implement the snapshot approach and tag transactions that are related to the social worker identified with the unusually large increases.
Explanation: Using generalized audit software to sort payments would be an efficient way to determine if there are any easily seen fraudulent patterns associated with the payments under the control of the social worker.

2586 The most persuasive evidence that an organization's pollution control equipment is (or is not) adequate would be provided by testimony from which of the following sources?
○ Environmental engineer from a university engineering department
○ Mechanical engineer employed by the organization
○ Established scientist representing an environmental lobbying organization (such as the Sierra Club)
○ Independent attorney with a background in environmental law
Explanation: An external expert with the least reason to be biased, such as an environmental engineer from a university or other outside source, provides the most persuasive testimony. The objectivity of a scientist from a lobbying organization might be questioned, especially if the scientist suggests that the equipment is inadequate. An environmental lawyer might be persuasive if the matter at hand were compliance with environmental regulations rather than proper functioning.

2463 Management of a property and casualty insurance company has two major concerns about the efficiency and effectiveness of claims-processing activities:
Some claims are being paid that should not be paid or are being paid in amounts in excess of the policy.
Many claims are not being paid on a timely basis.
In preparing for an audit of the area, the internal auditor decides to perform a preliminary survey to gather more information about the nature of processing and potential problems. The auditor uses a questionnaire during interviews to gather this information. Unfortunately, the questionnaire does not cover some of the information offered by the persons being interviewed. Consequently, the auditor does not document the potential problems for further audit investigation. The primary deficiency with this process is that
○ questionnaires do not allow for opportunities to document other information.
○ the auditor used a questionnaire in a situation where a structured interview should have been used.
○ management objectives were defined too narrowly.
○ the auditor failed to consider the importance of the information offered.
Explanation: The major problem is that the auditor was too oriented to the questionnaire and failed to appropriately consider the other information that was offered. Questionnaires may be limited, but the auditor needs to be flexible enough to gather other information when it is offered.

2550 Which of the following is a benefit of using IT to solve audit problems?
○ It improves the audit engagement budget.
○ It reduces audit opportunities.
○ It improves the auditor's judgment.
○ It helps reduce audit risk.
Explanation: Audit-related computer programs can enable auditors to review large amounts of data in a timely fashion but do not play a role in improving auditor judgment. IT tools also allow auditors to analyze an entire population of data rather than just a sample. IT tools can help reduce audit risk—for example, by identifying errors and irregularities as they happen—and also present opportunities for further examination. Using IT improves the timeliness of the audit engagement but may or may not improve the budget, especially if IT costs are included to provide the needed capabilities.

2577 The most persuasive evidence regarding the asset value of newly acquired computers for the sales department would be
○ documentation prepared externally.
○ inquiry of management.
○ physical examination.
○ observation of auditee's procedures.
Explanation: Documentation of the purchase provides persuasive evidence regarding the cost of the asset. Unsubstantiated inquiry of management is generally considered the least persuasive evidence. Observation of procedures for acquisition would not be as persuasive as documents showing the cost of the asset. Physical examination reveals only limited information as to the asset's value.

2554 The greatest impact information technology has had on the audit process is
○ its use in the audit reporting process such as automated workpaper packages.
○ its use to track personnel performance and development of audit staff.
○ its use to conduct audits using various computer-assisted techniques.
○ its use as a strategic tool to develop the audit plan.
Explanation: Computer-assisted techniques have had the greatest impact on the audit process. They have changed audit scope and test procedures, etc.

2568 Most commonly, audit evidence is derived from
○ people.
○ documentation.
○ electronic databases.
○ operations.
Explanation: Documentation, such as letters, memos, emails, invoices, accounting records, program listings, activity and control logs, and systems development documentation, is the most common form of audit evidence.

2465 One of the steps of an audit program is to review the quality of questionnaire design. Which of the following is a common error made in designing multiple-choice questions in a survey questionnaire?
○ Likert scaling is used instead of semantic differential scaling.
○ The alternative response categories for the questions are not mutually exclusive.
○ Unipolar rather than bipolar labels are used for the response categories.
○ The questions use terms that are very familiar to the respondent.
Explanation: Overlapping categories frequently cause difficulty for respondents.

2589 An auditor wants to understand the actual flow of data in cash processing. The most convincing evidence would be obtained by
○ reviewing the systems flowchart.
○ reviewing the programming flowchart for evidence of control procedures placed in the computer programs.
○ performing a walkthrough of the processing and obtaining copies of all documents used.
○ interviewing the treasurer.
Explanation: Performing a walkthrough and obtaining copies of documents is the most persuasive evidence because the auditor reviews the documents and finds out what personnel actually do with them.

2608 A flowchart of process activities and controls may provide
○ no information related to fraud prevention.
○ information on where fraud could occur.
○ information on the extent of a past fraud.
○ an indication of where fraud has occurred in a process.
Explanation: By indicating control weaknesses, flowcharts show where fraud may occur. They do not provide any evidence as to the extent of the fraud or where it has already occurred.

2563 Which of the following would be considered an obstacle to overcome when installing generalized audit software (GAS)?
○ Problems due to the fact that GAS extracts read-only files from client databases
○ Client concerns about GAS compatibility with current software
○ Increased time required to complete audits due to GAS complexity
○ Requirement to develop sophisticated sampling strategies to use with GAS

2547 An engagement objective is to evaluate the design adequacy and control effectiveness for cash disbursements at a company. Computer-assisted audit techniques (CAATs) are required because of the large volume of data. Which of the following data analysis tests would be inappropriate to conduct during engagement planning?
○ Tracing of purchase orders to the accounts payable control account
○ Percentage of payments made before or after the due date
○ Stratification of payment amounts
○ Number of manual checks
Explanation: A goal during a preliminary survey is to identify control weaknesses that warrant further examination. Tracing of purchase orders to the accounts payable control account is more likely to be conducted during performance of the engagement rather than the planning phase. Depending upon the results, a series of fraud evidence collection steps might be executed.

2698 A new internal staff auditor has been assigned to audit the cash management operations of the organization. The auditor has no background in cash management, and this is the auditor's first audit engagement. Under which of the following conditions would the internal audit activity best be in conformance with the Standards regarding knowledge and skills?
○ The staff auditor adheres to the prior year's audit program for the project.
○ The staff auditor performs the work and prepares a report, which is reviewed in detail by the chief audit executive.
○ The staff auditor carefully studies the organization's cash management policies.
○ The senior auditor is skilled in the area and closely supervises the staff auditor.
Explanation: The interpretation for Standard 2340 describes that the extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.

2126 Which is a realistic benefit of proper engagement supervision?
○ Ability to right-size engagement scope during an engagement without approval delays
○ Appropriate communication of doing the right things in the right way
○ Stronger assurance about key control activities
○ Proper focus on risks over adding value to the organization
Explanation: Supervision is a key part of an internal audit engagement. It helps ensure that all elements of the process are executed properly, but it does not necessarily enhance the assurance provided to management. Implementation Guide 2340 offers several suggestions for what proper supervision might include.

2116 The internal auditor has a recommendation to change operations that could potentially increase profits by U.S. $50,000. The best way to sell this recommendation to management is to
○ carefully work out the details of implementation before presenting it to auditee management.
○ bring it to the audit manager, who should bring it immediately to senior management's attention.
○ not discuss it with anyone until the exit conference, so the meeting can start with a pleasant surprise.
○ discuss it with operating management who are directly affected by the change and then with department management.
Explanation: This approach will lead to the best recommendation, because it includes input from the people directly involved in the activity. Also, working up the chain of command prevents anyone from feeling left out of the decision. The resentment that might cause could diminish the chances of successful implementation.

2694 The internal audit department is performing a financial audit of a division. A secondary objective of the audit is to make recommendations leading to more efficient operations. The best way to achieve the secondary objective is to
○ provide staff members with positive feedback when they develop efficiency recommendations.
○ review working papers as completed, writing a reminder comment on each working paper that does not present an efficiency recommendation.
○ challenge the audit team to develop ten good efficiency recommendations.
○ state that each auditor's performance appraisal for this audit will be heavily dependent on the number and quality of efficiency recommendations developed.
Explanation: Positive feedback after recommendations is an example of timely positive reinforcement, the best method for modifying behavior.

2556 An organization has grown rapidly and has just automated its human resource system. The organization has developed a large database that tracks employees, employee benefits, payroll deductions, job classifications, ethnic code, age, insurance, medical protection, and other similar information. Management has asked the internal auditing department to review the new system. In order to test whether data currently in the automated system is correct, the auditor should
○ use generalized audit software to provide a print-out of all employees with invalid job descriptions and investigate the causes of the problems.
○ take a sample of data to be entered for a few days and trace the data to the updated database to determine the correctness of the updates.
○ use generalized audit software to select a sample of employees from the database and verify the data fields.
○ use test data and determine whether all the data entered is captured correctly in the updated database.
Explanation: Using generalized audit software to select a sample of employees from the database and verifying the data fields is the only procedure that would address the correctness of data already contained in the database. Using test data or taking a sample of data from a few days would provide evidence only about the correctness of processing—at the single point in time that it is used—and would not provide information on the correctness of data already in the database. Having a print-out of all employees with invalid job descriptions would provide only partial information on one field of the data. The auditor needs a more comprehensive test.

2575 When determining the competence of audit evidence, an auditor would look for which of the following qualities?
○ Freedom from error and bias
○ Inherent persuasiveness of the evidence
○ Degree of consistency with engagement objectives
○ Relevance to meeting the organization's goals
Explanation: To be judged competent, evidence should be reliable; therefore, it should be reasonably free from error and obtained from an unbiased source.

2671 In a set of audit working papers, an internal auditor notes the following:
The company has 80 remote warehouses, and each warehouse contains from 100 to 500 stockkeeping units (SKUs). For distribution requirements planning purposes, the same item at a different warehouse counts as two different SKUs.
What can the internal auditor conclude from this note?
○ The average inventory level in each warehouse is 250 units.
○ The organization sells no more than 500 distinct products.
○ The majority of the warehouses have more than 250 SKUs.
○ The total number of SKUs contained in all the warehouses is at least 8,400.
Explanation: Seventy-nine warehouses could contain 100 SKUs and one could have 500 SKUs, resulting in 8,400 SKUs (79 x 100 = 7,900 + 500 = 8,400 SKUs). This would be the minimum. Obviously, the actual number is likely much higher. Just because each warehouse has no more than 500 SKUs does not mean that each warehouse has the same set of SKUs, so the organization could have more than 500 distinct products. All of the warehouses but one could have less than 250 products. The average level of inventory in the warehouses cannot be computed from the information given, since each SKU is just a category and there can be zero or more units in inventory for each SKU.

2597 Confirmation would be most effective in addressing the existence assertion for
○ the granting of a patent for a special process developed by the organization.
○ inventory held on consignment.
○ sales of merchandise during the regular course of business.
○ the addition of a milling machine to a machine shop.
Explanation: Internal auditors solicit and obtain written verification of the accuracy of information from an independent third party. This method would be reasonable to confirm inventory held on consignment.

2685 Which of the following statements best describes how the review of workpapers may aid in the professional development of internal audit staff?
○ It ensures that engagement objectives are met.
○ It ensures that any changes to the approved engagement program are justified and authorized.
○ It validates that the work completed could be re-performed by another internal auditor.
○ It demonstrates whether designated auditors were collectively competent to perform the engagement.
Explanation: Proper review of the workpapers provides the supervisor (or other designated reviewer) an opportunity to see that the internal auditors did, in fact, have the knowledge, skills, and competence required to perform the engagement. It also provides an opportunity to coach the auditors to improve their competence.

2047 Of the following, which is the most efficient source for an auditor to use to evaluate a company's overall control system?
○ Narrative describing departmental history, activities, and forms use
○ Industry operating standards
○ Flowchart
○ Standard operating procedures
Explanation: Flowcharting is an efficient and comprehensive method of describing relatively complex activities, especially those involving several departments. Copies of procedures and related forms do not efficiently overview the processing activities. A narrative review covering the history and forms use of the department is not as efficient or comprehensive as flowcharting for communicating relevant information about controls. Industry standards do not provide a picture of existing practices for subsequent audit activity.

2576 The most persuasive evidence of the existence of newly acquired computers for the sales department would be
○ physical examination.
○ documentation prepared externally.
○ inquiry of management.
○ observation of auditee's procedures.
Explanation: Examination of the asset is generally considered one of the most persuasive types of evidence—if not the most persuasive—for the existence assertion. Unsubstantiated inquiry of management is generally considered the least persuasive evidence. Observation of procedures for acquisition would not be as persuasive as examination of the asset. Documentation is less relevant for existence than is physical examination.

2460 Analysis of budget data for hiring finds a sudden and unexpected jump in recruitment costs during a period when hiring patterns—the number of new hires and pay levels—remain constant. Which of the following actions would be the internal auditor's best next step?
○ Developing a regression analysis of the long-term relationship of recruitment spending and number of new hires
○ Informing management that fraud may be involved and starting a fraud investigation
○ Conducting interviews with the supervisor responsible for recruiting new hires
○ Developing a recommendation for a new recruitment process for the final report
Explanation: In response to an unexpected relationship in the data, the auditor should conduct further inquiries to find the explanation before taking steps such as developing a recommendation or reporting suspected fraud to management.

2474 The chief audit executive (CAE) of a midsized internal auditing organization is concerned that management might outsource the internal auditing function. Therefore, the CAE adopts an aggressive program to promote the internal auditing department in the organization. The CAE plans to present the results to management and the audit committee and recommend modification of the internal audit charter after using the new program. The CAE proposes a number of changes, and one is, in order to save time, that the CAE no longer requires that a standard internal control questionnaire (ICQ) be completed for each audit. Would this change be a violation of the Standards?
○ Yes. Internal control should be evaluated on every audit engagement, and the ICQ is the most efficient method to do so.
○ No. Auditors may omit necessary procedures if there is a time constraint. It is a matter of audit judgment.
○ No. Auditors are not required to fill out ICQs on every audit.
○ No. Internal control should be evaluated in every audit, but the ICQ is not the mandated approach to evaluate the controls.
Explanation: Auditors are not required to fill out standard ICQs. Internal control evaluations are not required on every audit. Auditors cannot omit necessary procedures because of time constraints.

2680 An audit of environmental controls, including regulatory compliance, has been concluded. Possible corrective actions are being discussed at a closing conference. The environmental manager proposes a minimal approach that will safely manage waste as well as keep the company in compliance with applicable regulations. The auditor prefers an approach that would correct the deficiencies but also enhance operations, believing that the company has an obligation to go beyond compliance. How should the auditor resolve this difference?
○ Report management's inadequate action to the audit committee.
○ Accept the proposed corrective action.
○ Accept the corrective action as satisfactory in the short term, but insist that the environmental manager agree to adopt the auditor's approach as soon as it is feasible.
○ Elevate this issue to senior management, citing benchmarking studies in support of the auditor's position.
Explanation: It is management's responsibility to determine policy and set performance goals; the auditor is not necessarily in a position to insist on actions that may be perceived as extraordinary by operations management.

2121 During a review of a division's operations, an auditor notes that:
Sales revenue has remained the same.
The customer base is unchanged.
Inventory has increased significantly.
The gross profit margin has increased significantly.
Which of the following statements, if true, could explain the change noted in gross profit margin?
○ Sales commissions have been reduced.
○ Sales price per unit has decreased.
○ Manufacturing processes have become more efficient.
○ Sales in units have increased.
Explanation: Gross profit margin is the difference between revenue and the cost of goods sold expressed as a percentage. Reducing manufacturing costs would reduce the cost of goods sold and increase the gross margin. Other factors that could explain it include an increase in the sales price per unit. If sales in units have increased while sales revenue has remained the same, the gross profit margin would decrease, since the sales price per unit must have decreased. Sales commissions have no effect on the gross profit margin because they are not included in the cost of goods sold.

2557 Which of the following is true of embedded audit modules?
○ They aid in debugging application systems.
○ They enable continuous monitoring of transaction processing.
○ They analyze the efficiency of programming.
○ They identify unexecuted computer code.
Explanation: Embedded audit modules can be continuously monitored or specifically activated.

2096 A manager supervising internal auditing staff will be most likely to attain long-term positive results with which of the following behaviors?
○ Holding weekly meetings during which internal auditing staff are reminded of work procedures and are praised for the week's accomplishments
○ Praising staff on a random schedule and linking rewards to performance
○ Disciplining staff members immediately for undesirable behaviors, using oral reprimands, written warnings, and temporary suspensions
○ Telling staff members that working overtime now will result in a better performance review in six months
Explanation: Variable schedules of reinforcement lead to higher performance. Employees are more alert because of the uncertainty involved, and performance and reward are connected.

2466 An auditor prepares questionnaires made up of a series of questions that use the same response categories: "strongly agree," "agree," "neither agree nor disagree," "disagree," "strongly disagree." The auditor mixes up the order of the questions for different respondents and sometimes reverses the orientation of the endpoints of the scale (e.g., "strongly agree" on the right and "strongly disagree" on the left). Is there a good reason for this type of questionnaire variation?
○ No, it creates variation and complexity where there should be uniformity and simplicity.
○ Yes, it can eliminate the effects of pattern response tendencies.
○ No, it will fail to eliminate intentional misrepresentations.
○ Yes, it can make it possible to get information about more than one population parameter using the same questions.
Explanation: There are many known effects of the sequence and format of questions. One method for dealing with unintentional bias is to use questionnaire variations that cause these biases to average out across the sample.

Which of the following statements, if true, would justify a chief audit executive's decision not to report certain control concerns
regarding derivatives trading in a report to the audit committee? Following the completion of an audit engagement, reported observations and recommendations
○ Management plans to initiate corrective action. are based on, among other things, the level of risk/exposure the organization might encounter as a
○ Derivatives are complex, so the auditor needs to rely on management's analysis of the extent of the problem. result of an identified concern. Internal auditors would consider the impact their engagement
2669 observations and recommendations may have on the organization's operations and financial
○ The amounts of trading and the potential risks associated with the derivatives trading are not material to the overall statements. If the auditor deduces that a condition does not result in an unacceptable level of
organization. business risk—for example, if the risks associated with the derivatives trading are minimal—then
○ The board has a separate committee to make recommendations on trading issues. an auditor may consider not reporting it.
During an interview with a data input clerk to discuss a computerized system used to track employee training requirements and
compliance, an auditor identifies a potentially significant weakness in the system. The auditor should
Indirect questions may allow the auditor to obtain some information without making the clerk feel
○ ask the clerk about the weakness and determine immediately if the finding should be reported.
accused. The auditor has an obligation to obtain information. The auditor should learn as much as
2450 ○ conduct a second interview after determining whether the weakness actually exists.
possible from this interview, speak to others who may have additional information, and return to
○ not mention the weakness, directly or indirectly, to avoid making the clerk uncomfortable. this clerk only if needed to clarify something specific about this employee's duties.
○ ask indirect questions that will help get more factual information relating to the potential weakness.
Which is a typical characteristic of an annual performance review for an internal auditor?
Performance reviews should take place on a dual schedule. The first track consists of the annual
○ It focuses on audit client opinions of the auditor. review by the chief audit executive that focuses on all engagements performed in that year. The
○ It is conducted by human resources personnel. second track consists of reviews that take place after each audit in which the internal auditor
2687
○ There should be agreement on the appraisal ratings. participates. The annual review should roll up the results of post-audit reviews. It should focus on
○ It puts the most weight on the most recent engagement performed by the auditor. competencies and a performance improvement plan that will help the auditor meet organizational,
departmental, and/or individual goals.
2099
Who is responsible for establishing adequate criteria to determine whether objectives and goals have been accomplished?
○ Chief technology officer
○ Management and/or the board
○ Chief risk officer
○ Chief audit executive
Explanation: Standard 2210.A3 states that adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
2674
An auditor assessing a division's training program to enhance sales determines that 15% of the sales force received the designated training during each quarter of the preceding year and that per-person sales productivity was up by 2.5% per quarter on average for the sales representatives who successfully completed the training. Which of the following statements represents an appropriate conclusion based upon the findings?
○ The organization needs to increase the number of training offerings each quarter to reach its goals.
○ The training program is proceeding successfully.
○ More information is needed to assess the performance in relation to goals.
○ The increase in performance does not justify the training program.
Explanation: Without knowing the goals of the program, the auditor cannot base a conclusion on the findings about the training initiative.

2548
A standardized internal audit engagement program would be appropriate for which of the following situations?
○ Stable operating environment undergoing only change in management
○ Multiple branches with similar operations
○ Subsequent inventory audit engagements performed at locations with material shrinkage
○ Complex or changing operating environment
Explanation: A standardized engagement program would not be appropriate for a complex or changing operating environment because the engagement objectives and related work steps might no longer have relevance.
2676
Recommendations should be included in audit reports in order to
○ minimize the amount of time required to correct audit findings.
○ provide management with options for addressing audit findings.
○ guarantee that audit findings are addressed, regardless of cost.
○ ensure that problems are resolved in the manner suggested by the auditor.
Explanation: Recommendations represent options that are available to management. Problems must be resolved in the manner deemed appropriate by management, not the auditor. Providing recommendations may enable management to reduce the costs and time of addressing audit findings, but there is no guarantee of this.
2551
Which audit procedure would be most effective to detect whether a particular employee may have been involved in the submission of payments to false vendors?
○ Send confirmations to a sample of vendors to determine whether they received proper payments.
○ Implement the snapshot approach to tag unusually large increases related to the employee.
○ Use generalized audit software to sort payments by employee and then by common addresses and names.
○ Implement an integrated test facility and monitor transactions throughout the year to identify unusual items.
Explanation: Some embedded audit modules, running alongside data-recording software, can monitor transactions as they happen. By checking incoming data against pre-selected criteria—for example, addresses, names, employee numbers—irregularities can be flagged in near real time for review and investigation.
2434
An internal auditor is assigned to audit activities at a group of retail stores. In one store, the auditor notes an unusually high number of instances where there have been end-of-day discrepancies between store receipts and cash and credit card charges deposited. After examining employee time sheets and time cards, the auditor narrows suspicion to three employees. Since this is a potentially serious charge, the auditor wants to confirm these suspicions and possibly narrow them even further by talking with the individuals. Which of the following would be the most effective way in which to conduct the interview?
○ Speak individually with the employees in the manager's office or in a break room, if private.
○ Bring the most likely suspect to a local private security office for an individual interview.
○ Speak individually with each employee on the floor of the store, by the register in question.
○ Gather the employees together in a public eating area, and discuss the matter casually.
Explanation: At this stage, the setting chosen should create an open and forthcoming conversation that will yield the desired background information. Confidentiality should be maintained throughout this stage, both to protect innocent individuals and to avoid alerting those committing fraud. Busy public spaces do not provide sufficient quiet and privacy, and a security office is likely to make the employees guarded and defensive.

2691
An audit director reviews the performance of senior auditors as a basis for the annual staff performance appraisal. The audit director notes that auditor A has consistently completed audit engagements in less than the budgeted time and has gotten along well with audit clients but has not offered much in suggested improvements for auditees. Auditor B consistently exceeds the time budgeted for audits but also consistently identifies recommendations that should lead to cost savings for the audit client and the organization. Assume that both auditors have conducted audits that meet the organization's standards and that audit assignments are rotated. In evaluating the auditors, and considering only the facts identified above, which of the following would most likely explain the differences in auditor performance?
○ Auditor B has been assigned to more difficult audits than has auditor A.
○ Auditor A performs less control procedure compliance testing than does auditor B.
○ The audit director has not clearly communicated staff evaluation criteria to the senior auditors.
○ Auditor A is more efficient than auditor B.
Explanation: Given only the facts stated in the question, it is most likely that the audit director has not clearly communicated the evaluation criteria, since the performance differences are consistently found over the year. Auditor A believes that getting jobs done in less than the budgeted time and maintaining good employee relations are more important than making recommendations. Auditor B believes that making cost-saving recommendations is more important than getting the audit done within the time budget. There is not sufficient evidence to support the conclusion that auditor A is more efficient than auditor B.

2555
An auditor becomes concerned that fraud, in the form of payments to nonexistent companies, may exist. Buyers, who are responsible for all purchases for specific product lines, are able to approve expenditures up to U.S. $50,000 without any other approval. Which of the following audit procedures would be most effective in addressing the auditor's concerns?
○ Developing a snapshot technique to trace all transactions by suspected buyers
○ Using generalized audit software to list all purchases over U.S. $50,000 to determine whether they were properly approved
○ Using generalized audit software to take a random sample of all expenditures under U.S. $50,000 to determine whether they were properly approved
○ Using generalized audit software to list all major vendors by product line; selecting a sample of paid invoices to new vendors and examining evidence that shows that services or goods were received
Explanation: The most effective approach would be to use generalized audit software (GAS) to identify major vendors, concentrate on new vendors, and search for underlying support that goods or services were provided by the vendor. Using GAS to list purchases above U.S. $50,000 would provide evidence only on a subset of all purchases that must be approved by someone other than the buyer. Using a snapshot technique would provide information only on whether the transactions that were authorized by the buyer were properly processed, not on whether the transaction should have been processed. Doing a random sample would provide information on whether transactions under $50,000 contained the buyer's authorization. That is not the question here, however. The question is whether there is support for the expenditure. Further, this procedure is limited because it is not directed to the specific indicators that a fraud might exist.

2678
While performing a consulting engagement to explore adoption of a systems development life cycle (SDLC) methodology with an organization's IT department, an auditor becomes aware of a significant weakness in IT governance. The internal audit activity must
○ escalate the matter to senior management and the board.
○ ensure that IT governance assurance is included in the next annual audit plan.
○ incorporate this knowledge into evaluation of the organization's control processes.
○ work directly with the chief information security officer (CISO) to determine the root cause of the weakness.
Explanation: Standard 2130.C1 states, Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes. The chief audit executive (CAE) must discuss the matter with senior management, and, if the CAE determines that the matter has not been resolved, he or she must communicate the matter to the board, if the CAE concludes that management has accepted a level of risk that may be unacceptable to the organization (Standard 2600). If the auditor becomes aware of a significant IT governance internal control weakness during the course of an SDLC consulting engagement, the auditor does not automatically expand the scope of work to identify the root cause of the governance issue. The internal auditor would more likely address an IT governance weakness with the chief information officer, not the CISO. Depending on risk assessment results, IT governance may or may not be included in the next annual audit plan.
2600
Which of the following is optimal to provide a summary-level description of a complex new computer system?
○ Detailed narrative
○ System flowchart
○ Control flowchart
○ Program code checking and flowchart verification
Explanation: A flowchart is a graphical representation of the actual or ideal path followed by a service or product. Flowcharts provide an easy-to-understand visual sequence of process steps, illustrate the relationship between parts, and identify what the process does or should do. In this scenario, using a flowchart will allow an auditor to present a narrative of how a complex new computer system will affect operations in a manner that someone not conversant with complex IT concepts can easily digest and understand.
2607
Which of the following is true of a horizontal flowchart as compared to a vertical flowchart?
○ A horizontal flowchart brings the assignment of duties and independent checks on performance into sharper focus.
○ A horizontal flowchart does not provide a broad, at-a-glance picture.
○ A horizontal flowchart provides more room for written descriptions that parallel the symbols.
○ A horizontal flowchart is usually longer.
Explanation: By emphasizing the flow of processing between departments and/or people, a horizontal flowchart more clearly shows any inappropriate separation of duties and lack of independent checks on performance.
2584
The best source of evidence to determine if former employees continue to have access to a company's automated databases is
○ reconciling current payroll lists with database access lists.
○ reviewing access control software to determine whether the most current version is implemented.
○ discussing the password removal process with the database administrator.
○ reviewing computer logs of access attempts.
Explanation: The comparison represents analytical evidence that should identify former employees who are accessing the databases.
2599
An auditor reviews a retirement benefits plan and determines that the pension and medical benefits have been changed several times in the past 10 years. The auditor wants to determine whether there is justification to perform further audit investigation. The most appropriate audit procedure would be to
○ use generalized audit software to take an attributes sample of retirement pay and perform detailed testing to determine whether each person chosen has been given the proper benefits.
○ review the reasonableness of retirement pay and medical expenses on a per-person basis stratified by which plan was in effect when the employee retired.
○ use generalized audit software to take a dollar-unit sample of retirement pay and determine whether each retired employee is paid correctly.
○ review the trend of overall retirement expense over the last 10 years. If the retirement expense increased, it would indicate the need for further investigation.
Explanation: The analytical review of the reasonableness of retirement pay and medical expenses would be the best procedure, because it is done on a per-person basis consistent with the changes in the pension plans.

2452
An auditor must weigh the cost of an audit procedure against the persuasiveness of the evidence to be gathered. Observation is one audit procedure that involves cost/benefit tradeoffs. Which of the following statements regarding observation as an audit technique is correct?
○ Observation is effective in providing evidence on how the company's processes differ from that specified by written policies.
○ Observation is useful because individuals tend to do the same things when being observed as when they are not observed.
○ When testing financial statement balances, observation is more persuasive for the completeness assertion than it is for the existence assertion.
○ When doing a preliminary survey, observation is the best way to get a step-by-step demonstration of a complex process.
Explanation: Observation provides a good oversight of the nature of processing. One of the limitations of observation is that individuals may act differently when observed than they do normally. Observation is more persuasive for the existence assertion than the completeness assertion.
2664
It is important that an auditor be able to think logically. In which of the following scenarios has the auditor reached an illogical conclusion?
○ The internal auditor uses generalized audit software to select a sample of items for confirmation. Based on the confirmation responses, the auditor concludes that accounts receivable exist as recorded.
○ The auditor examines sales transactions recorded during January 2018 and finds that none of them represent 2017 sales. The auditor concludes that 2017 sales are recorded properly.
○ The auditor observes the client's physical inventory process and records test counts of inventory. The test counts are traced to the year-end inventory compilation and count tags are reconciled to the compilation. No exceptions are noted. The auditor concludes that the compiled inventory exists.
○ The internal auditor performs analytical review procedures to estimate the accuracy of the sales account balance. No material differences are noted. Based on this, the auditor assumes that the underlying record keeping must be correct.
Explanation: The auditor has examined transactions from 2018 and concluded that 2017 sales are correctly stated. This is an incorrect inference.

2692
Which constitutes evidence of proper supervision of audit engagements?
○ An audit manager approves the audit program and gives instructions to subordinates at the outset of the audit and continuously thereafter. The manager is available for consultation but does not actively participate in the conduct of audit procedures.
○ An audit manager is not involved in an audit, but the manager does review the initial plan to determine that all audit objectives are included.
○ A senior auditor continuously deviates from the approved audit plan but consistently gets the audit done within the approved time budget. The time budget is approved by the audit manager, and compliance with the time budget is reviewed by the audit manager.
○ The audit manager performs all analytical procedures during the preliminary planning for an audit engagement and makes conclusions.
Explanation: The chief audit executive or designee provides appropriate engagement supervision. While active participation is not needed, approval of the plan at the onset to ensure that the procedures should result in all audit objectives being met and review of the evidence in support of the conclusions are both needed. All deviations from the planned audit program should be approved by a supervisor. See Implementation Guide 2340 of the International Professional Practices Framework.

2419
The chief audit executive (CAE) for a city has just completed a quarterly meeting with the audit committee. The committee has expressed a major concern it would like the audit department to examine as part of its operational audits during the next year: Is the downsizing that the city has been going through resulting in right-sizing of staff for the city? The audit committee has suggested that a review of a few areas might be appropriate and could provide some preliminary evidence in addressing the committee's concerns. In spite of all the arguments, the CAE decides to go ahead and perform a preliminary investigation in two areas to address the audit committee's concern. Which procedure would be appropriate in performing the preliminary investigation?
○ Develop a productivity ratio that can be used to gather objective information on employee morale.
○ Interview executive management to determine whether or not criteria exist to determine the right size of departments.
○ Interview departmental managers to determine the approaches they would use to select the areas needing to be audited the most.
○ Use risk analysis and select the two departments that would hold the largest risk of potential misstatement of account balances.
Explanation: If criteria exist to determine the right size of departments, these would form a baseline for the rest of the analysis. Misstatement of account balances is not the objective of the audit. More appropriately, the auditor should look for departments that have experienced large reductions in size.

2583
Given that photographic evidence is increasingly subject to dispute, which of the following would be considered the most reliable documentary evidence of a physical condition the auditor considers to be deficient?
○ Competent oral statement supported by another employee who heard another person say the same thing
○ Medium-resolution photographic print corroborated by competent testimony
○ High-resolution photographic print
○ Photograph still in the storage medium of a digital camera
Explanation: Traditional skepticism about the reliability of photographic evidence has become even more pronounced with the advent of computer software such as Photoshop with which photographs can be easily altered. Therefore, photographs are considered to be hearsay and should be corroborated by competent testimony. Audit conclusions should be supported by the most reliable evidence that is available to the auditor. The other types of photographic evidence have no corroboration regardless of their quality levels. A person hearing someone else say something is hearsay, and the auditor would need to interview the person who supposedly made the statement and get him or her to repeat it.
2426
As part of a test of the effectiveness of a disaster recovery plan, an auditor plans to interview five employees from each of five different departments—25 employees in all. What would be the best way for the auditor to remain attentive after the first few interviews?
○ Ask the questions in a slightly different format and in a different sequence.
○ Interview the remaining employees in groups of four or five.
○ Make up completely different questions.
○ Have the rest of the employees write down their responses.
Explanation: Changing the wording of the questions and the sequence in which they are asked may eliminate some of the tedium associated with a series of interviews while allowing the auditor to ask the same questions of all interviewees and maintain consistency. The auditor can ask follow-up questions, and interviewees avoid group pressure.
2682
The chief audit executive (CAE) has delegated the review of engagement working papers to the lead internal auditor. During the review, what types of information should the lead auditor look for in the working papers?
○ Internal auditor's judgment of evidence validity and reliability
○ Whether the information helps the organization meet goals and objectives
○ Opinions of the quality of the leadership of the CAE
○ Appropriate index or reference number
Explanation: Working papers should contain sufficient information for an internal auditor, other than the one who performed the work, to be able to re-perform it, such as an explanation of the tick marks used. Working papers should be as concise as possible and should not contain any more information than necessary.
2422
An auditor performing an operational audit of a division observes that an unusually large quantity of goods are on hand in the shipping and materials rework areas. The items are labeled as re-ship items. Upon inquiry, the auditor is told that they are goods that have been returned by customers and have either been repaired and shipped back to the original customer or repaired and shipped out as new products because they are fully warranted. The auditor has not yet performed any detailed audit work. Based on the information given, the most appropriate action for the auditor to take would be to
○ take an inventory of the goods on hand so the dollar amount can be included in the audit report along with the explanation of the problem.
○ write the finding up, but do not perform any additional work without the approval of the director of internal auditing, because it is clearly a scope expansion.
○ report the items to divisional management and ask for their explanation before determining whether to include the findings in an audit report.
○ take a sample of the items on hand and trace them to the underlying documents, such as receiving reports and sales orders, to determine how the goods have been handled.
Explanation: This procedure would assist the auditor in understanding the details of the transactions and should be pursued before taking any further action.

2423
Which of the following is an advantage of face-to-face interviews as compared to mail surveys?
○ Interview designers can use a wider variety of types of questions so different people get different questions.
○ Interviews are less expensive overall since mailing costs are avoided and fewer people are contacted.
○ Interviewers can increase a respondent's comprehension of questions.
○ The responses in interviews are easier to interpret and analyze.
Explanation: An advantage of face-to-face interviews is that if a person does not understand a question, the interviewer can ask the question in a different way or explain. One of the principal advantages of mail surveys is their cost efficiency; mailing costs are less than interview labor costs.
2668
An internal auditor has been asked to review the treasury department's compliance with corporate policy related to the use of forward trading to manage currency valuation risk. The auditor finds no related policies in the corporate policy manual but does discover that the department is following a policy developed by the company's bank. Which of the following would be the most appropriate response from the auditor?
○ Postpone the audit engagement until a corporate policy can be established.
○ Perform no further audit work and report the lack of a corporate policy as an audit observation.
○ Withdraw from the audit engagement, because there is nothing to audit due to the lack of a corporate policy.
○ Use the bank's policy as the audit criteria and determine whether formal adoption should be recommended in the engagement final communication.
Explanation: As part of the control assurance provision of an auditor's role, it is imperative that the internal audit activity evaluates the adequacy and effectiveness of existing controls and, where possible, provides recommendations to the organization on how to improve its control processes. If a department has no official policy for a specific kind of compliance—internal or external—then it is the responsibility of the auditor to make recommendations to address this oversight. In the example in this question, the auditor would evaluate the bank's policy to assess its effectiveness and adequacy in relation to the treasury department's activities. If the auditor thinks the policy is appropriate, then official adoption should be recommended.
2693
During an engagement, an internal auditor asks the auditor-in-charge many questions about matters the internal auditor seems to understand well enough. The auditor-in-charge determines that the internal auditor thus demonstrates a serious lack of self-confidence. Which of the following would be the best approach for the auditor-in-charge to take in this situation?
○ Politely decline to answer the questions.
○ Continue answering the questions and assume that the internal auditor will either develop confidence over time or find a new career.
○ Don't confront the auditor, but make a note of the behavior to give to the chief audit executive to discuss with the auditor during his or her annual appraisal.
○ For the remainder of the engagement, encourage the auditor to trust himself or herself; during the post-audit appraisal, help the auditor develop a plan for improvement.
Explanation: Traits such as self-confidence are important to the internal auditor and should be encouraged on the job and made a subject of post-audit, as well as annual, appraisals.

2601
When is it best to use a narrative instead of a flowchart during engagement planning?
○ When the internal auditor needs to understand if a process and individual tasks are operating within prescribed tolerances
○ When a visual depiction will not be of significant value because the process is simple
○ When the internal auditor thinks the dialogue is necessary to further build rapport with client personnel
○ When it will be easier to identify potential fraud risk scenarios
Explanation: Situations arise in which the internal auditor believes it may be more appropriate to use a narrative write-up to document a process instead of detailed symbols or keys. Similar to a flowchart, the purpose of a narrative is to identify the key controls and cases of under- or over-control and processing redundancy.
2605
High-level flowcharts of a process created during the engagement planning phase
○ provide a frame of reference for identifying key subprocesses and systems to be considered for the engagement scope.
○ preclude the need for documents or communications from the process owner or outside sources.
○ identify other people or tasks that are necessary to the effective and timely completion of the process.
○ identify potential process-level fraud risks that occur due to the inherent nature of the process.
Explanation: A flowchart eliminates abstractions about how work flows through a system. During the planning phase of an engagement, flowcharts can be used to confirm the internal auditor's understanding of a process with the process owner and help determine which areas or subprocesses are within the scope for subsequent engagement activities.
2587
To be sufficient, audit evidence should be
○ based on references that are considered reliable.
○ directly related to the engagement observation and should include all the elements of an engagement observation.
○ well-documented and cross-referenced in the working papers.
○ convincing enough for a prudent person to reach the same conclusion as the auditor.
Explanation: Sufficient evidence is convincing enough for a prudent person to reach the same conclusion as the auditor.
2570
Which of the following factors might best indicate the possibility of fraudulent activity in the production process?
○ Employee overtime has increased 50% during the past year.
○ Inventory has decreased at the same time that the cost of goods sold has increased.
○ Interviews with employees indicate that they have general dissatisfaction with management and believe that productivity could be greatly improved if management listened to the employees.
○ Although scrap is generated, there is no income reported from scrap sales.
Explanation: The absence of scrap income, even though scrap is known to be generated, might indicate the existence of fraudulent activity. To identify fraudulent activity, an auditor would therefore examine data related to scrap production (collected from physical, documentary, and analytical evidence) and determine what becomes of the scrap generated during the production process. An increase in employee overtime can result from a number of legitimate variables, employee dissatisfaction does not necessarily translate into the existence of fraud (although it is not ideal), and inventory levels are not necessarily linked to any increases in the cost of goods sold.
2552
An internal auditor at a bank wants to determine whether all loans are supported by sufficient collateral, properly aged regarding current payments, and accurately categorized as current or noncurrent. What would be the best audit procedure to accomplish these objectives?
○ Select a block sample of all loans in excess of a specified dollar limit and determine if they are current and properly categorized. For each loan approved, verify aging and categorization.
○ Use generalized audit software to read the total loan file, age the file by last payment due, and extract a statistical sample stratified by the current and aged population. Examine each loan selected for proper collateralization and aging.
○ Select a discovery sample of all loan applications to determine whether each application contains a statement of collateral.
○ Select a sample of payments made on the loan portfolio and trace them to loans to see if the payments are properly applied. Then, for each loan identified, examine the loan application to determine that the loan has proper collateralization.
Explanation: Using generalized audit software is the best procedure, because it takes a sample from the total loan file and tests it to determine that the loans are properly categorized as well as properly collateralized and aged.
2424
The current audit of disbursement activities shows that a significant number of errors have been made during the accounts payable vouchering process, and this has resulted in lost discounts and an extraordinary number of adjustments and credit memos. Audit hours are already over budget in this section because of the number of exceptions that have had to be analyzed. Audit staff has had time to:
- Observe the operations performed by each of the voucher clerks.
- Sample and analyze transaction documents in the accounts payable, purchasing, and receiving departments.
- Obtain system statistics that show transaction volume, error-correction transactions, and lost-discount summaries.
To date, the causes have not been fully identified for all types of errors noted during detail testing, observation, and analysis of exceptions in accounts payable, purchasing, and receiving. The most appropriate course of action for the lead auditor to use in determining the causes of these errors is to
○ concentrate on audit program requirements for cash disbursements testing to discover any related information from those tests.
○ expand sample sizes for attributes already tested in transactions entered by accounts payable, purchasing, and receiving.
○ question and get the opinions of the accounts payable clerks and those involved in processing these transactions.
○ describe the transaction-related problems identified to date in a special report to management without expressing a cause or a conclusion about the situation.
Explanation: Methods of gathering feedback include observing, analyzing, and questioning. In this situation, the auditor should question the personnel and others affected.
2681
Which of the following statements regarding the review of workpapers is true?
○ Engagement workpapers should be approved by the client after completion.
○ Workpaper review notes should be retained for all engagements.
○ Workpapers that pertain to legal issues should be reviewed to ensure that all audit opinions and details are recorded.
○ Workpapers should be initialed and dated by the reviewer as evidence of supervisory review.
Explanation: A reviewer can provide acceptable evidence of workpaper review in a number of ways. Implementation Guide 2340 states that evidence can include workpapers "initialed and dated by the engagement supervisor (if documented manually) or electronically approved (if documented within a workpaper software system)."
2462
An internal auditor is using an internal control questionnaire (ICQ) as part of a preliminary survey. Which of the following is the best reason for the auditor to interview management regarding the questionnaire responses?
○ Interviews are the most efficient way to upgrade the information to the level of objective evidence.
○ Interviewing is the least costly audit technique when a large amount of information is involved.
○ Interviews provide the opportunity to insert questions to probe promising areas.
○ Interviewing is the only audit procedure that does not require confirmation of the information obtained.
Explanation: ICQs are pre-constructed questionnaires used to elicit key information about internal controls, and they are especially useful when documenting initial responses to questions about such controls. ICQs do not allow for follow-up questions, nor for the observation of behavioral cues. If an auditor wishes to probe deeper into certain responses or patterns after conducting an ICQ, he or she might consider interviewing management about their responses.

2679
An overall opinion on the state of the organization's governance, risk management, and control processes
○ must consider the expectations of senior management, the board, and other stakeholders.
○ may be provided only when the evaluation criteria used is the COSO Internal Control—Integrated Framework.
○ must specify that management has responsibility for the establishment of an enterprise risk management function.
○ must be provided to senior management and the board annually or more frequently.
Explanation: Standard 2450, "Overall Opinions," states, "When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization; and the expectations of senior management, the board and other stakeholders." The Standards do not require overall opinions. There is no requirement to state that management has responsibility for the establishment of an enterprise risk management function when an overall opinion is issued. The Standards do not specify the use of a particular internal control framework.

2604
Which would be the best way listed to depict a high-level decision-making process that requires experience and judgment more than procedure and can indicate some nuance to the range of consequences that can result from the decision?
○ RACI charts
○ Block diagrams
○ Spaghetti maps
○ Flowcharts
Explanation: A block diagram is a pictorial representation of a process or activity, typically including a series of boxes and connecting lines to indicate association and direction/order. Block diagrams are useful for high-level representations. In this case, due to the nuance and judgment required, a flowchart would be less appropriate than a block diagram because a block diagram can show alternatives and describe various consequences without making decisions seem like they are simple yes/no decision points.

2459
What is needed to ensure that the observation process is as effective as it can be?
○ Keeping an open mind, noticing facts, and recording them on a mental blank slate
○ Knowing what to look for
○ Looking to confirm a hypothesis
○ Understanding of management outcome desires
Explanation: Effective observation goes beyond merely noticing facts and recording them on a mental blank slate. The inspector who is prepared knows what to look for. Observations gain significance when the auditor puts them into context. This may mean mentally comparing an observed fact to past observations, to claims made by the audit client, to industry standards, to regulations, and so on. The more an auditor knows from experience, from study, and from preparation for the current assignment, the better able he or she is to make mental comparisons between what is and what ought to be. Disciplined observation notices what is missing as well as what is present: the lack of necessary safety devices, the absence of a necessary inspector, equipment present but not in use.

2672
Developing an audit finding involves comparing the condition to the relevant standard or criterion. Which of the following choices represents an appropriate standard or criterion to support a finding?
○ Quality standard operating procedure (including number and date) for the department
○ Citation of an internal accounting control principle as long as it is not from a public accounting reference
○ Sound business practice based on the internal auditor's knowledge and experience, even if the individual being audited disagrees with it
○ Productivity levels achieved by the most productive department in the organization
Explanation: A quality standard operating procedure is an example of an acceptable standard or criterion, provided that the individual being audited agrees with it. Other acceptable standards or criteria would be sound business practice based on the internal auditor's knowledge and experience obtained during many audit assignments in the company and internal accounting control principles cited and copied from a public accounting reference. Different departments in an organization may have very different productivity levels, and so it may be unfair to use this as a standard or criterion for another department.

2451
During an interview to identify controls over the quality of waste water discharge, the auditee refers only to a department procedure to ensure that samples are collected and analyzed. In the auditor's experience, such operations should maintain a log to record all samples, the types of analyses performed, and whether results should be reported to management or regulatory agencies. For some reason, this employee is reluctant to discuss detailed responsibilities in this area. The best thing for the auditor to do in this case is to
○ interview the supervisor of the employee and discuss the auditee's duties in detail.
○ relate what the auditor has seen at other facilities and tell the employee that the log is necessary.
○ accept the information as given and write a finding that adequate controls are not in place.
○ continue the interview and discuss other elements of the employee's duties, returning periodically to the samples and analytical results.
Explanation: The auditor is always interested in determining what the auditee does to fulfill responsibilities, so it is important to be patient and let the auditee describe activities in detail.

2428
A major home supply retailer installs an automated checkout system in selected stores with the objective of improving the quality of customers' checkout experience. In auditing the new system to determine its success in meeting management's objective, the internal auditor would find which of the following to be the most useful evidence?
○ Comparison of numbers of customers processed per week through comparable stores with and without automated checkout
○ Focus group interviews with customers who have used the automated checkout system
○ Comparison of sales revenues in comparable stores with and without automated checkout
○ Timed observations of customers passing through automated checkout counters
Explanation: The specific objective of improving quality can best be measured by focus group testimony. The retailer will also want to measure the impact on revenues and the efficiency of the checkout system, but those are not the objectives in this instance.

2472
An auditor is considering developing a questionnaire to research employee attitudes toward control procedures. Which of the following represents criteria that should be considered in designing the questionnaire?
○ Questions must be worded to ensure a valid interpretation by the respondents.
○ Questions should be worded such that a "no" answer indicates a problem.
○ Questions should have internal cues to help respondents reveal information pertinent to the objectives.
○ The questionnaire should be long enough to ensure comprehensive coverage.
Explanation: The items on a questionnaire should be worded in such a way as to ensure a valid interpretation by the respondents. Questions should use multiple-choice, fill-in-the-blank, essay, rating scale, etc., formats, and they should be short enough to increase the response rate. Questions should not have internal cues.

2690
An audit manager responsible for the supervision and review of other auditors needs the necessary skills and knowledge. Which describes a skill necessary to supervise a particular audit assignment?
○ Providing the board and senior management with an overall assessment of control effectiveness accumulated from individual audit engagements
○ Using risk assessment and other judgmental processes to develop an audit plan and schedule for the department and presenting the plan to the audit committee
○ Getting approval from the board if the scope of the audit engagement needs to be altered in a material way
○ Reviewing and analyzing an audit program to determine if the proposed audit procedures will result in evidence relevant to the audit's objectives
Explanation: Among the supervisory skills required of an audit manager is the ability to review and analyze an audit program to determine if the audit will result in relevant evidence. The other answer choices are requirements of the chief audit executive, not the audit manager.

2665
Internal auditing is conducting an assurance audit of a regional office. The audit team does not suspect fraud, but it has found significant gaps in controls that could create opportunity for fraud (for example, allowing the same individual to send invoices and receive payments) and laxity in record keeping. Some documentation of expenses is missing, but the internal auditors have obtained documentation from vendors. Furniture appears to be missing. It may have been stolen, but it is equally possible that it was discarded. The audit team has completed a report listing the various issues, explaining the potential for loss and fraud that these issues have created and citing company policies and procedures. Management of the office responds to the report via email. It says that it believes the recommendations are unwarranted, that the report questions the honesty of loyal employees, and that implementation of the recommendations would be an unnecessary waste of the office's time. However, to satisfy concerns about invoicing and billing, the manager promises to review the paperwork weekly. Which of the following best characterizes the nature of these findings?
○ The findings are not significant because no allegations of fraud are being made.
○ The findings do not describe conditions that could result in serious loss but are primarily procedural in nature.
○ The findings represent significant violations of company policy.
○ The findings are significant because they are control weaknesses that could be indicators of further problems.
Explanation: These findings are significant because the conditions involve control weaknesses. Laxness in record keeping may also be creating opportunity for fraudulent activity, even though none may have occurred yet.

2430
Observation is considered a reliable audit procedure but one that is limited in usefulness. However, it is used in a number of different audit situations. Which of the following statements is true of observation as an audit technique?
○ It is rarely sufficient to satisfy any audit assertion other than existence.
○ It is the most effective audit methodology to use in filling out internal control questionnaires.
○ It is the most persuasive methodology to learn how transactions are really processed during the period under audit.
○ It is the most persuasive audit technique for determining if fraud has occurred.
Explanation: Observation is good for verifying existence but has limited value in addressing other assertions.

2683
Which of the following represents appropriate evidence of supervisory review of engagement workpapers?
○ Supervisor's initials on each workpaper, engagement workpaper review checklist, and memorandum specifying the nature, extent, and results of the supervisory review of workpapers
○ Tick marks next to all auditable items on each workpaper page along with a legend that explains the nature of all supervisory tick marks and includes a final supervisor signature
○ Supervisor's initials on the final workpaper and on the engagement workpaper review checklist
○ Performance appraisals that assess the quality of workpapers prepared by auditors and memoranda specifying the nature, extent, and results of the supervisory review of workpapers
Explanation: Acceptable approaches for documenting supervisory review of engagement workpapers include the supervisor's initials on each workpaper, an engagement workpaper review checklist, and a memorandum specifying the nature, extent, and results of the review. Although performance appraisals might mention reviews of workpapers, they do not represent sufficient evidence of review. Tick marks are used by the internal auditor performing the work.

2695
Determining that engagement objectives have been met is ultimately the responsibility of the
○ audit committee.
○ chief audit executive.
○ internal audit supervisor.
○ internal auditor.
Explanation: Per Implementation Guide 2340, the chief audit executive or designee provides appropriate engagement supervision. Supervision is a process that begins with planning and continues throughout the engagement, including determining that engagement objectives are being met.

2675
According to the International Professional Practices Framework, which of the following are part of the minimum requirements for an engagement final communication?
○ Purpose of the engagement, results of the engagement, and summaries
○ Background information, engagement scope, and results of the engagement
○ Purpose of the engagement, engagement scope, and results of the engagement
○ Background information, purpose of the engagement, and engagement scope
Explanation: Implementation Guide 2410 states that engagement final communications should contain, at a minimum, the purpose, scope, and results of the engagement. Background information and summaries are not required elements of an engagement final communication.

2585
Which of the following audit procedures would provide the least relevant evidence in determining that payroll payments were made to bona fide employees?
○ Examining canceled checks for proper endorsement and comparing them to personnel records
○ Testing the payroll account bank reconciliation by tracing outstanding checks to the payroll register
○ Testing for segregation of the authorization for payment from the hired or fired authorization
○ Reconciling time cards in use to employees on the job
Explanation: A payroll account proof would test for completeness but not for validity of cash flow to bona fide employees.

2561
An organization provides credit cards to selected employees for business use. The credit card company provides a computer file of all transactions by employees of the organization. An auditor plans to use generalized audit software (GAS) to select relevant transactions for testing. Which of the following would be readily identified using GAS?
○ Suppliers used by each cardholder and the dollar value of transactions
○ Fraudulent transactions in which the supplier is an employee's account
○ High-dollar transactions that exceed market value for the type of purchase
○ Transactions for specific cardholders that indicate collusion with the supplier
Explanation: It is highly unlikely that the accounts payable system would contain sufficient evidence of fraudulent transactions. GAS could be used to explore red flags, but it would not identify them.

2470
In advance of a preliminary survey, an audit director sends a memorandum and questionnaire to the supervisors of the department to be audited. This approach will most likely generate which of the following results?
○ It will create apprehension among members of the department to be audited.
○ It will help only for audits of distant locations.
○ It will not help obtain useful information.
○ It will involve the audit client's supervisors in the audit.
Explanation: Having advanced knowledge of an upcoming audit helps to remove some of the apprehension about the audit, involves the supervisors of the audit client's department, and encourages a more collegial approach to the audit. In addition, it will normally be more economical, whether the audit is for a local or distant location, since the legwork will be done by those most competent to do it rapidly.

2590
What is a key requirement for information to be considered reliable?
○ It must come from a credible source.
○ It must have two or more different but related pieces of evidence.
○ It must be original documentary evidence.
○ It must be germane to the audit objective.
Explanation: Reliable information is the best attainable information through the use of appropriate engagement techniques. Reliability implies that the evidence comes from a credible source.

2120
Which of the following tools would best give a manufacturing work center helpful information on how to streamline its workflow and produce units more efficiently?
○ Control chart
○ Spaghetti map
○ RACI diagram
○ Histogram
Explanation: Spaghetti maps are Six Sigma diagrams limited in scope to a particular area. One might visually map, on graph paper, the actual steps an operator takes in one instance of a normal operation (not the idealized process or unusual situations). A before version and an after version with simplifications or other improvements can help show how to make the process more efficient.

2591
During an audit of cash controls, an auditor compares a sample of cash receipts lists with the total of daily cash receipts journal entries and daily bank deposit slip amounts. The comparison reveals that
• Each cash receipts list equals cash journal entry totals but not daily bank deposit amounts.
• Totals for cash receipts lists equal bank deposit totals over time.
To support a finding that cash receipts are not deposited intact daily, the above evidence is
○ sufficient, reliable, and relevant.
○ not sufficient, reliable, or relevant.
○ relevant but not sufficient or reliable.
○ sufficient but not reliable or relevant.
Explanation: The evidence is sufficient (factual, adequate, and convincing), reliable (the best attainable through appropriate audit techniques), and relevant (consistent with audit objectives).

2118
Generalized audit software is designed to allow auditors to
○ insert special audit routines into regular application programs.
○ select sample data from files and check computations.
○ monitor the execution of application programs.
○ process test data against master files that contain real and fictitious entities.
Explanation: Generalized audit software allows auditors to select sample data from files and check computations.

2432
A preliminary survey indicates that severe staff reductions at an audit location have resulted in extensive amounts of overtime among accounting staff. Department members are visibly stressed and very vocal about the effects of the cutbacks. Accounting payrolls are nearly equal to those of prior years, and many key controls, such as segregation of duties, are no longer in place. The accounting supervisor now performs all operations in the cash receipts and posting process, and the supervisor has no time to review and approve transactions generated by the remaining members of the department. Journal entries for the last six months since the staff reductions show increasing numbers of prior-month adjustments and corrections, including revenues, cost of sales, and accruals that had been misstated or forgotten during month-end closing activity. The auditor should
○ suspend further audit work because the findings are obvious, and issue the audit report.
○ discuss these findings with audit management to determine whether further audit work would be an efficient use of audit resources at this time.
○ research temporary help agencies, and evaluate the costs and benefits of outsourcing needed services.
○ proceed with the scheduled audit, but add audit personnel based on the expected number of findings and anticipated lack of assistance from local accounting management.
Explanation: It is not clear at this point what additional audit work will be necessary. Additional planning is necessary to align the audit effort to the circumstances and address the responsibilities of the audit department.

2578
When verifying an employee's reimbursed air travel expenses for a meeting with clients, an auditor would find which of the following to be sufficient?
○ List of meeting attendees, with employee's name initialed by the external client's management
○ Printed tickets in the employee's name for the designated flights from the home city to the client location but no related boarding passes
○ Boarding passes for the designated flights between the home city and the client location plus emails with related tickets
○ Oral testimony from clients who observed the employee's presence at the client location
Explanation: Printed tickets plus boarding passes constitute sufficient evidence that the employee booked the flight and took it. Tickets in the form of emails would still be considered sufficient. However, without boarding passes, the employee could conceivably cash in expensive tickets and find cheaper transportation.

2553
What computer-assisted auditing technique would an auditor use to identify a fictitious employee or a terminated employee still in the system?
○ Tagging and tracing of payroll tax-rate changes
○ Parallel simulation of payroll calculations
○ Exception testing for payroll deductions
○ Recalculations of net pay
Explanation: Exception testing can identify employees who have no deductions. This is important, because fictitious or terminated employees will generally not have any deductions.

2603
Which of the following would be the best tool that operating personnel could provide to internal auditors so that they could "see" the operations in order to identify inefficiencies, ineffective steps, and control weaknesses?
○ Process flowchart
○ Gantt chart
○ Six Sigma DMAIC chart
○ Critical path method (CPM) chart
Explanation: Operating personnel are concerned with operations, and a process flowchart shows operations. CPM and Gantt charts are for project management. Six Sigma DMAIC refers to the phases of this quality improvement plan.

2581
An operational audit is being performed to evaluate the productivity of telephone sales representatives relative to last year. The organization sells two similar products, one of which is priced 20% higher than the other. Prices did not change during the two years subject to the audit, and the gross profit percentage is the same for both products. The sales representatives are paid a base salary plus a commission. Which of the following represents the best evidence that the organization's sales representatives are more productive this year than last year?
○ Unit sales have increased at a higher rate this year than last year.
○ The number of sales calls is higher this year than last year.
○ The revenue per representative is higher this year than last year.
○ The ratio of the number of new customers to the number of prospects contacted is higher this year than last year.
Explanation: Revenue per representative measures productivity because it relates an output to an input. The number of sales calls does not measure output. The higher ratio could be achieved even if unit sales, revenue, and gross profit declined and the number of sales representatives increased. The unit sales increase could be achieved by an uneconomic addition of sales representatives and would not necessarily result in higher revenue.

2454
An internal auditor will not be able to remember everything that is said in an interview aimed at gaining information. The most effective way to record interview information for later use is to
○ record the interview to capture everything that everyone says; then enter the notes in a computer program for documentation.
○ write notes quickly, trying to write down everything in detail as it is said; then highlight important points after the meeting.
○ hire a professional secretary to take notes, allowing complete concentration on the interview; then delete unimportant points after the meeting.
○ organize notes around topics in the interview plan and note responses in the appropriate area, reviewing the notes after the meeting to make additions.
Explanation: Organizing note taking ahead of time allows time during the interview to listen and evaluate the responses and reactions of the respondent. Extensive note taking may interfere with communication with the respondent, since the listener cannot maintain eye contact or notice nonverbal signals as well when occupied with his or her own notes. Recording might be used for controversial material, but it generally will not elicit positive feelings from the respondent. For most organizational purposes, exact quotes, the major benefit of a recording, are not needed. Hiring a secretary would also not work. Aside from cost, there are confidentiality issues, and there may be a negative reaction from the respondent. This interview is the auditor's job, not someone else's.

2582
In an audit of travel expenses for salespeople, the auditor calculates average travel expenses per day traveled for all salespeople and then examines detailed receipts for salespeople with high averages. This represents the use of which types of audit evidence?
○ Documentary and analytical evidence
○ Analytical and physical evidence
○ Documentary and physical evidence
○ Physical and testimonial evidence
Explanation: Receipts supporting travel expenses are documentary evidence. Calculating travel expenses per day represents analytical evidence.

2684
The chief audit executive (CAE) is trying to explain the range of responsibilities a senior internal auditor will be assuming as supervisor of an upcoming engagement that will employ a team of internal auditors. Which of the following would be an example that the CAE might mention?
○ Assuming accountability for adequate supervision during the engagement
○ Telling audit staff to have regular, thorough, and timely intercommunication of necessary information
○ Training less-experienced team members in correct audit procedures
○ Assigning team members to choose their own specific roles and procedures
Explanation: It is an accountability of the CAE to ensure that engagements are adequately supervised. It may fall to the individual providing supervision to assemble and train the team, make assignments (rather than abdicating this duty to the staff), ensure that logistical support is in place, review working papers, and establish a process to ensure regular, thorough, and timely communication of necessary information among team members. Telling people to communicate well without putting a process in place could result in failure of communications.

2579
Data gathered in support of an audit conclusion can be rated on a continuum of reliability. The most reliable form of evidence would be
○ an internal document that has been circulated through an outside party.
○ an internal document subject to rigorous internal review procedures.
○ an external document obtained directly from an outside source.
○ an internal document obtained from the auditee.
Explanation: An external document obtained directly from its source cannot be altered by the auditee.

2696
An internal auditing manager is leading a three-person auditing team assigned to an assurance engagement of airport locations for a car rental company. The team members are all experienced. In planning his own work schedule, the manager believes that it will be necessary to allow time to supervise the team during the execution phase as well as during the planning process and the creation of the internal audit report. Is the manager taking the correct approach? Why?
○ Yes. All engagements should be closely supervised in the same manner.
○ No. When a team is expert, supervision throughout the engagement is an unnecessary expense for the function.
○ No. Once planning is completed, the most critical supervisory task is review of working papers.
○ Yes. Supervisory decisions will have to be made during all phases of the internal audit, no matter what the experience level of the team members may be.
Explanation: Performance Standard 2340 states that all engagements must be properly supervised to ensure that objectives are achieved, quality is assured, and staff is developed. This necessitates some degree of attention throughout an engagement, although the degree and type of supervision differ depending on the particular engagement situation.

2420
Internal audit is conducting a supply chain audit of the company cafeteria. During the initial client meeting, the internal auditor should attempt to obtain knowledge about the
○ criteria for vendor selection.
○ validity of management assertions in a pending sexual harassment lawsuit.
○ misstatements in recent sales revenue reports.
○ client's objectives and risks.
Explanation: Once the internal auditor has a draft of the engagement plan, pertinent management parties should be briefed about the upcoming audit. Implementation Guide 2200 states that topics of discussion may include planned engagement objectives and the scope of work as well as concerns or requests from management. The other items are inappropriate for the initial meeting.

2468
An audit team has developed a questionnaire for a preliminary survey with the following response choices:
• Likely not a problem
• Possibly a problem
• Likely a problem
This questionnaire illustrates the use of
○ trend analysis.
○ rating scales.
○ unobtrusive measures or observations.
○ ratio analysis.
Explanation: The auditors are using a rating scale.

2127
An audit team is conducting a complex IT audit, and the auditor-in-charge has assigned performance of specific tests to different team members. The team member assigned to draft findings related to compliance objectives reports that she is unable to proceed because the auditor reviewing logs is only half finished with this task. There is no other task the report writer can shift to. She will simply have to wait. How could this situation have been prevented in an efficient manner?
○ By ensuring that the schedule allows enough time to complete each subtask
○ By assigning multiple auditors to the compliance test
○ By flowcharting the sequence resulting in the report output
○ By using a Gantt chart that visualizes sequencing and the lengths of subtasks
Explanation: This situation has resulted from weak staff scheduling. It could have been prevented by identifying the subtasks necessary to complete the compliance report and by then scheduling the subtasks to run concurrently if possible or sequencing them to ensure that the outputs for each subtask are available for the next step. A Gantt chart is frequently used to visualize the schedule. It shows activities sequenced horizontally against defined project milestones or deadlines.

2549
An auditor is concerned that a computer program is not properly calculating the amount of freight to be added to shipments of merchandise ordered through the catalog. Management considers the occurrence of any freight costing errors to be critical. In considering how to examine the freight charges on invoices to customers, the auditor is considering both sampling techniques and the use of computer audit tools. Which of the following sampling or computer audit approaches would provide the greatest assurance as to the correctness of the freight charge computations at the current time?
○ Using discovery sampling to select transactions from invoices that should have freight charges
○ Using either test data or parallel simulation to test the computer application
○ Using generalized audit software to select a monetary-unit sample of invoices that have been billed to customers
○ Using difference estimation by selecting transactions from invoices that should have freight charges
Explanation: The major concern is whether the computer program is properly calculating the freight charges. Test data or parallel simulation would allow a comprehensive test of the computer program at this point in time and would provide more evidence than sampling procedures.

Which of the following examples of audit evidence is the most persuasive?
○ Vendor invoices filed by the accounting department
Real estate deeds are information that is generated by external parties and does not pass through
2595 ○ Canceled checks written by the treasurer and returned from a bank
○ Time cards for employees that are stored by a manager the operations of the audited area. This type of information has the greatest evidentiary weight.
○ Real estate deeds that have been properly recorded with a government agency
While testing a division's compliance with company affirmative action policies, an auditor finds the following:

Five percent of the employees are from minority groups.


No one from a minority group has been hired in the past year.

The most appropriate conclusion for the auditor to reach is that Without knowledge of guidelines for compliance, a reasonable conclusion cannot be reached. The
2045 fact that no minority has been hired this year is irrelevant without knowing the total hires for the
○ with 5% of its employees from minority groups, the division is effectively complying. period. An affirmative action policy is clearly auditable.
○ the division is violating the company's policies.
○ the company's policies cannot be audited and hence cannot be enforced.
○ insufficient evidence exists of compliance with affirmative action policies.

2602
An internal auditor needs to flowchart a process that overlaps two functional areas and provides deliverables to accounting. The auditor gathers knowledgeable people from the two functional areas and facilitates a session to develop a vertical flowchart. By the end of the session, everyone agrees that the process is as drawn. Which of the following describes a potential pitfall in this scenario?
○ The flowchart may be too complex to be useful.
○ The representation may be flawed.
○ A vertical flowchart requires multiple sessions to develop.
○ A technical expert should have been involved to draw the flowchart.
Explanation: People who actually are involved in the process should construct the flowchart, so there is no need for a technical expert. However, not all the stakeholders were involved. Accounting personnel should have participated in the process or been able to review the flowchart to see if they agree that the process as drawn is accurate. If a flowchart fails to accurately represent a process, it may actually hamper the internal auditor by taking a line of thinking the wrong way.

2670
A significant part of the auditor's working papers will be the conclusions reached by the auditor regarding the audit area. In some situations, the supervisor might not agree with the conclusions and will ask the staff auditor to perform more work. Assume that after subsequent work is performed, the staff auditor and the supervisor continue to disagree on the conclusions documented in the working papers developed by the staff auditor. Which of the following audit department responses would be appropriate?
○ Both the staff auditor and the supervisor document their reasons for reaching different conclusions. The rationale of both parties is retained in the final report, but only one unified recommendation is provided.
○ The disagreement is discussed in person, and the decision reached is retained in the audit working papers and in the final draft of the report.
○ Both conclusions are presented in the audit report, and management and the auditee can then react to both.
○ Both conclusions are presented to the chief audit executive (CAE) for resolution, and the CAE resolves the matter.
Explanation: The CAE should determine the most reasonable conclusion and present that to the auditee and management. The issue of disagreements on the working papers should not necessarily affect reporting to management unless the CAE believes that both conclusions are equally appropriate and it would enhance management's understanding to be presented with both. Both the staff auditor and the supervisor document their reasons for reaching different conclusions, and this information should be noted in the working papers. Two opinions should not be presented in the final report.

2697
The Standards specify that supervision of the work of internal auditors be "carried out continuously." Which of the following statements regarding supervision is correct?
○ The extent and nature of supervision is documented separately from the working papers for engagements.
○ "Continuously" means that the supervisor needs to take a hands-on approach to developing plans, conducting fieldwork, analyzing evidence, coaching auditors, developing report drafts, and following up.
○ "Supervision" does not include training, time reporting, expense control, or other similar administrative matters.
○ "Continuously" indicates that supervision should be performed throughout the planning, examination, evaluation, report, and follow-up stages of the audit.
Explanation: According to Implementation Guide 2340 of the International Professional Practices Framework, supervision occurs through all stages of an audit and its follow-up. It does include training and administrative tasks. The nature and extent of supervision are documented in the working papers.

2125
Which of the following characterizes internal audit findings?
○ Findings should be classified and labeled (such as positive or good, negative, or critical).
○ Findings represent the internal auditor's professional judgment concerning the activities reviewed.
○ Findings should be sorted as qualitative or quantitative data.
○ Findings organize the facts the internal auditor discovers during audit work.
Explanation: Findings organize the facts discovered during audit research—the facts that the auditor thinks the audit client should know about and, most likely, act upon. A finding is generally considered to have five parts, commonly referred to as the five Cs: criteria, condition, cause, effect (or cause for concern), and recommendation/action plan (or corrective action). A conclusion represents the auditor's professional judgment concerning the activities reviewed in the engagement.

2663
During an examination of a time-and-attendance system, an internal auditor determines that control over the time card system is excellent, all employees record their vacation time on weekly time cards, and each time card is properly reviewed and signed by a plant supervisor. The auditor also discovers one worker with no vacation time recorded on any time card for the period audited. Which of the following is reasonable for the auditor to conclude?
○ The one employee took no time off for vacation during the period audited.
○ There was an error in the time cards for the one employee.
○ Organizational policy requires plant workers to take vacation time each year.
○ There were errors in the time cards for other employees.
Explanation: Given what the auditor knows about the organization's time-and-attendance system, the auditor should draw on his or her competency in critical thinking, business acumen, and communication to ascertain what has resulted in this supposed deviation. With an understanding of management principles and good business practices, the auditor will be able to identify and evaluate deviations. Given that the auditor judges the time-and-attendance system to be excellently and correctly run, the natural conclusion is that an employee took no time off or vacation time.

2558
Which of the following is the best way to determine whether a control procedure to limit the amount of purchases for a particular product line has been working properly?
○ Use parallel simulation techniques to compute the amount of purchases authorized and compare it with the amount actually purchased.
○ Use generalized audit software to prepare a list of purchases by product line and then compare the amounts with the amounts authorized by the marketing manager.
○ Implement a snapshot audit approach that will tag selected transactions and print them out with a listing of items arranged by purchasing agent.
○ Submit test data to the program controlling purchases in which the amount of data entered exceeds the authorized purchases and examine the computer output.
Explanation: The use of generalized audit software would indicate any instances where the total purchases exceeded the authorized limits and would show if the control procedure was not working properly.

2427
As part of an audit of safety management programs, an auditor interviews the individual responsible for writing, issuing, and maintaining safety procedures. While the auditor's primary interest is in identifying the controls that ensure that procedures are kept current, the individual has a tremendous amount of information and seems intent on telling the auditor most of it. What might the auditor do to guard against missing what is important?
○ The auditor can write down everything the individual says. If the auditor gets behind, he or she can ask for a pause and catch up. After the interview, the auditor can sift through the notes and be confident of finding the key information.
○ The auditor can record the interview and later extract the relevant information.
○ The auditor should not sort through extraneous information. He or she should instead revisit the topic with the individual's supervisor and get any needed information at that time.
○ During the conversation, the auditor can make an effort to anticipate the approach of a point of critical interest.
Explanation: Anticipating the approach of a point of critical interest is one way the auditor can maintain focus during a far-ranging discussion. It assumes that the auditor has done some homework and is prepared to listen intelligently.

2593
Documentary evidence contained in IT systems may need to be corroborated for what reason?
○ Documentary evidence is considered the least reliable of the various forms of evidence.
○ IT systems provide an incomplete record of an event, and representations such as physical counts of inventory are needed.
○ Analytical experiments must be conducted on any form of documentary evidence to show root cause.
○ Records contained in IT systems are only as reliable as the controls over those records.
Explanation: Records contained in IT systems are only as reliable as the IT controls over such records. Someone could manipulate them, or they could contain processing errors. Testing controls and audit trails are ways to address such risks, and obtaining external evidence is a way to corroborate internal documentation, especially when the internal auditor initiates contact with the outside sources to prevent situations such as supplying a false invoice from a false vendor. However, representations and testimonial evidence, not documentary evidence, are considered the weakest form of audit evidence. Representations also do not include physical counts of inventory; this is considered physical evidence. Analytical experiments may help corroborate some—but not all—forms of documentary evidence.

2453
An internal auditor is discussing an audit problem with an auditee. While listening to the auditee, the internal auditor should
○ prepare a response to the auditee.
○ make sure that all details, as well as the main ideas of the auditee, are remembered.
○ take mental notes on the speaker's nonverbal communication, as it is more important than what is being said.
○ integrate the incoming information from the auditee with information that is already known.
Explanation: Since the mind can process information three times as fast as most people speak, the listener should use the extra "brain" time to sort out the speaker's important points and integrate the new information with what is already known. After having done this to absorb the information, the listener is in a better position to respond to the speaker later. If the listener is planning a reply before hearing the speaker out, he or she is likely to miss an important point or assume information the speaker does not say. Thinking about a reply does not facilitate listening. To listen effectively, the listener needs to sift the main ideas from the details and try to remember the important points. The listener should not be distracted by interesting details, as oral communication is hard to remember.

2562
An internal auditor develops a script for use in a computer-assisted auditing technique (CAAT) to look for duplicate invoices for the same purchase. The audit test does not turn up any fraudulent invoices but does find a number of vendor accounts that are duplicated in slightly different formats, such as the same vendor with a different name abbreviation. This may be resulting in foregone bulk discounts in some instances. Assuming that this finding is unrelated to the scope of the current assurance engagement, if the internal auditor were to turn over this script to management, it would be
○ impossible for them to use, since only auditors have access to CAAT software.
○ seen as undisciplined, since the list of duplicate vendors could have been presented for immediate benefit.
○ a value-added service.
○ a violation of the Standards.
Explanation: Internal auditors may develop scripts for data extraction for use in CAATs, and, in some cases, auditors might make those extraction scripts available to management as a value-added service, that is, to help management identify opportunities to turn data into meaningful business information. While the list of duplicate vendors can also be provided, if management has access to this script, they can use it to periodically maintain database integrity.

2469
Which of the following is an advantage of sending an internal control questionnaire to the client prior to an audit engagement?
○ The engagement client can use the questionnaire for self-evaluation prior to the auditor's visit.
○ The questionnaire will help the engagement client go above and beyond the scope of the engagement.
○ Preparing the questionnaire will help the auditor reduce the scope of the engagement and get the same things done with better efficiency.
○ The engagement client will respond only to the questions asked, without volunteering additional information.
Explanation: Self-evaluation can help the client determine improvement areas. Additional information is useful to the auditor. The questionnaire is not intended to be used to reduce the scope.

2115
The auditor wants to understand the actual flow of data regarding cash processing. The most convincing evidence would be obtained by
○ reviewing the programming flowchart for evidence of control procedures placed into the computer programs.
○ reviewing the systems flowchart.
○ performing a walkthrough of the processing and obtaining copies of all documents used.
○ interviewing the treasurer.
Explanation: This is the most persuasive evidence because the auditor reviews actual documents and finds out what personnel actually do with the documents.

2457
Which of the following should be avoided during a preliminary survey?
○ Conducting tests to confirm objectives and develop a work program
○ Identifying key control activities
○ Determining if one control activity mitigates multiple risks and/or if multiple controls are needed to mitigate one risk effectively
○ Performing analytical reviews
Explanation: A test plan may be created, but in-depth testing is not done during a preliminary survey. If appropriate, internal auditors conduct a survey to become familiar with the activities, risks, and controls to identify areas for engagement emphasis and to invite comments and suggestions from engagement clients.

2094
Which of the following represents the most competent evidence that trade receivables actually exist?
○ Sales invoices
○ Receiving reports
○ Positive confirmations
○ Bills of lading
Explanation: Competence, or reliability, of audit information depends in part upon the type of evidence. In this situation, a confirmation from a customer is the most reliable evidence that a receivable exists.

2689
During a post-audit performance assessment, the reviewer should include a focus on which of the following traits or actions of the internal auditor?
○ Ability to execute audit procedures according to the International Professional Practices Framework
○ Ability to remain independent and avoid gaining too much general business knowledge
○ Those skills that can be rated without subjectivity like computational accuracy
○ "People" skills
Explanation: The post-audit review should focus on all the factors that pertain to the internal auditor's performance, including "people" skills, general business knowledge, and general grasp of audit procedures.

2559
Government auditors have been increasingly called upon to perform audits to determine whether individuals are getting extra social welfare payments. One common type of welfare fraud is individuals receiving more than one payment. This is often accomplished by filing multiple claims under multiple names but using the same address. Which of the following computer audit tools and techniques would be most helpful in identifying the existence of this type of fraud?
○ Generalized audit software
○ Integrated test facility
○ Spreadsheet analysis
○ Tagging and tracing
Explanation: Generalized audit software could be used to develop a list of multiple recipients at one address. The list could then be investigated further to determine the possibility of fraud.

2560
A company maintains production data on personal computers connected by a local area network (LAN) and uses the data to generate automatic purchases via electronic data interchange. Purchases are made from authorized vendors based on production plans for the next month and on an authorized material requirements plan that identifies the parts needed for each unit of production. The production line has experienced shutdowns because needed production parts have not been on hand. Which of the following audit procedures would best identify the cause of the parts shortages?
○ Selecting a random sample of production information for selected days and then tracing input into the production database maintained on the LAN
○ Selecting a random sample of parts on hand per the personal computer databases and then comparing it with actual parts on hand
○ Determining if access controls are sufficient to restrict the input of incorrect data into the production database
○ Using generalized audit software to develop a complete list of the parts shortages that caused each of the production shutdowns and then analyzing this data
Explanation: An analysis of the parts shortages that caused the production shutdowns would establish the cause of the problem. The other answer choices may provide useful information, but that information would not be as comprehensive as the analysis could provide.

2574
Of the items listed, what factors contribute to making audit evidence sufficient?
○ Large sample sizes, corroboration, and testimony only
○ Large sample sizes and corroboration only
○ Provision by independent third parties and corroboration only
○ Large sample sizes and provision by independent third parties only
Explanation: Information should be sufficient, reliable, relevant, and useful to provide a sound basis for engagement observations and recommendations. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusion as the auditor. Corroborated evidence is more sufficient than uncorroborated or contradictory evidence. Larger sample sizes produce more sufficient evidence than smaller samples.

2588
Which of the following characteristics are true of inspections?
○ They can replace the need for an audit when performed with large samples.
○ They are best used to measure something against a standard of performance.
○ They reflect the auditor's level of expertise and constitute direct evidence.
○ They prove existence, and so documentation such as a title of ownership would be unnecessary to prove existence.
Explanation: Inspection involves studying documents or records and physically examining tangible resources. It can provide the internal auditor with direct personal knowledge of the resources' existence and physical condition. Inspection generally reflects internal auditors' level of expertise—their capacity to comprehend what they read and see. Inspections never replace an internal audit, nor would an internal audit preclude the need for an inspection. While an asset that can be seen definitely exists, it may or may not be owned by the organization, so the documentation is still needed for corroboration.

2580
Behavioral research has established that most humans process information sequentially. As a consequence, the decision-making process often suffers from a "recency effect," where the most recent information is given disproportionate weight. Which is a way this tendency can be appropriately controlled in auditing?
○ Require auditors to document the evidence but not the reasoning process used in reaching audit conclusions.
○ Use expert systems to ensure the appropriate weighting of all important information.
○ Require the most important audit steps to be performed last.
○ Use expert systems to do independent reviews of results and conclusions.
Explanation: Expert systems are not subject to the recency bias. Auditors should document both evidence and their reasoning process and their results, and conclusions should be independently reviewed by supervisors. Audit procedures are organized in a manner to achieve audit efficiency and ensure that sufficient audit evidence is gathered. The results of intermediate steps may dictate changes in the rest of the audit, but the most important procedures are not designed to be performed last in most audit engagements.

2140
Which of the following is true regarding Standard 2410, "Criteria for Communicating"?
○ Communications must include the effects (consequences) aspects of findings.
○ Communications must include the engagement's objectives, scope, and results.
○ Communications must include the internal auditor's rating or opinion.
○ Communications must include the root causes of all findings if they can be determined.
Explanation: Standard 2410, "Criteria for Communicating," states, "Communications must include the engagement's objectives, scope and results." The interpretation to Standard 2410 states that opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Communication of root cause and/or the effects aspects of findings are not requirements of the Standards.

4
1

2
3

4
1

1
3

1
4

2
3

4
1

2
4

2
3

3
4

3
1

3
2

1
2

2
1

4
4

2
3

2
2

1
4

2
3

2
1

3
1

3
4

2
4

4
4

4
4

3
4

3
2

2
Practice of Internal Auditing - Communication

No. Question Explanation
2730
What is a prerequisite for an internal auditor formulating recommendations?
○ Intuitive feeling that the recommendations will lead to positive business results
○ Attitude of professional trust toward audit client staff as long as they are in good standing
○ Request from the assurance client that the audit conclude with recommendations
○ Professional evaluation that the evidence is sufficient and appropriate to form such recommendations
Explanation: Implementation Guide 2030 states in part: "At each step in the engagement process, [internal auditors] apply professional experience and professional skepticism to evaluate whether evidence is sufficient and appropriate to formulate conclusions and/or recommendations." Internal auditors can give recommendations on assurance engagements without specifically being asked to provide them. Logical conclusions rather than intuition are needed to develop recommendations.

2747
Which of the following describes the most appropriate action to be taken concerning a repeated observation of violations of company policy pertaining to competitive bidding?
○ During the exit interview, management should be made aware that the violation has not been corrected.
○ The chief audit executive should determine whether management or the board has assumed the risk of not taking corrective action.
○ The engagement final communication should note that this same condition had been reported in the prior engagement.
○ The chief audit executive should determine whether this condition should be reported to the external auditor and any regulatory agency.
Explanation: Management may decide to assume the risk of not correcting a reported condition because of the cost or other considerations.

2134
An audit finds that the cost of some materials installed on capital projects has been transferred to the inventory account because the capital budget had been exceeded. Which of the following would be an appropriate technique for the internal audit activity to use to monitor this situation?
○ Comparing inventory receipts with debits to the inventory account and investigating discrepancies
○ Reviewing journal entries that transfer costs from capital to inventory accounts
○ Analyzing a sample of capital transactions each quarter to detect instances in which installed material was transferred to inventory
○ Identifying variances between amounts capitalized each month and the capital budget
Explanation: Reviewing journal entries that transfer costs from capital to inventory accounts would focus on the problem of inappropriate transfers.

2745
Which is a mandatory responsibility of the chief audit executive (CAE)?
○ Discussing with senior management his or her conclusion that the risk tolerance is higher than the residual risk
○ Following up on whether appropriate management actions have been taken for significant reported risks
○ Overseeing the establishment, administration, and assessment of the organization's risk management processes
○ Communicating the internal audit activity's overall opinion of risk to senior management and the board for review and approval
Explanation: Performance Standard 2600, "Communicating the Acceptance of Risks," states: "When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board." While discussing risk levels is appropriate, the parties do not formally approve or reject this opinion. However, if risk tolerance is higher than the residual risk, this means that the level of risk is acceptable to the organization. Implementation Guide 2120 states that risk management is a key responsibility of senior management and the board, not the CAE. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role in determining that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting on, and/or recommending improvements to the adequacy and effectiveness of management's risk processes.

2750
Based on the acceptance of cost-saving audits and the scarcity of internal audit resources, an audit manager decides that follow-up action is not needed. The manager reasons that cost savings should be sufficient to motivate the audit client to implement the auditor's recommendations. Does the audit manager's decision violate the Standards?
○ No. When there is evidence of sufficient motivation by the auditee, there is no need for follow-up action.
○ No. The Standards do not specify whether follow-up is needed.
○ Yes. Scarcity of resources is not a sufficient reason to omit follow-up action.
○ Yes. The Standards require the auditors to determine whether the auditee has appropriately implemented all of the auditor's recommendations.
Explanation: The Standards require follow-up action. Lack of resources is not a sufficient reason. Follow-up allows the auditor to see that actions are taken, not just that the auditor's recommendations have been implemented.

2766
An audit committee is concerned that management is not addressing all internal audit observations and recommendations. What should the audit committee do to address this situation?
○ Require the chief executive officer to report why action has not been taken.
○ Require all managers to confirm when they have taken action.
○ Require the chief audit executive to establish procedures to monitor progress.
○ Require managers to provide detailed action plans with specific dates for addressing audit observations and recommendations.
Explanation: The chief audit executive is responsible for establishing appropriate procedures for monitoring the progress by management on all internal audit observations and recommendations. This responsibility should be written into its charter by the audit committee, and progress should be reported at each audit committee meeting. Managers are responsible for ensuring action on all internal audit observations and recommendations, but some actions may take time to complete and it is not practical to expect that all will be resolved when an audit committee meets.

2087
A bank's audit report categorizes findings as "deficiencies" for major problems and "other areas for improvement" for less-serious problems. Which of the following would properly be included under the "other areas for improvement"?
○ At one branch, a large amount of cash was placed on a portable table behind the teller lines.
○ Many secured loans do not contain hazard insurance coverage for tangible property collateral.
○ The bank is incurring unnecessary postage costs by not combining certain special mailings to checking account customers with the monthly mailing of their statements.
○ Loan officers prepare the cashier's checks for disbursement of loan proceeds.
Explanation: Incurring unnecessary postage costs appears to be more a matter of operating efficiency than an internal control weakness or a violation of bank policy.

2734
Which of the following best describes the primary purpose of exit conferences?
○ To validate audit findings and conclusions
○ To elicit audit client concerns
○ To present audit results
○ To preview the audit report
Explanation: The exit conference is the final act of an audit. Its purpose is to communicate the results of the audit: to discuss conclusions and recommendations, reach agreements on solutions to problems, and so forth. The other answer choices should all have been conducted prior to the composition of the final audit report.

2700
During the planning phase of an internal audit engagement, a primary objective of the initial client meeting is
○ to communicate the audit activity's authority and right to unrestricted access to data, locations, and personnel.
○ to establish rapport, build trust and the relationship, and set the tone for the upcoming audit.
○ to explain the three lines of defense and, more specifically, the client's responsibility for internal control.
○ to inform the client of the internal audit activity's direct reporting line to the audit committee of the board of directors.
Explanation: Initial client communications often set the tone for the audit. Establishing trust and building relationships early on can be key to positive, open communications for the duration of the engagement. Communicating internal audit's authority, right to unrestricted access, and/or its direct reporting line to the audit committee (as a primary goal of the initial client meeting) may be intimidating and detrimental to building trust, rapport, and the relationship with the client. Explaining the three lines of defense and the client's responsibility for internal control would not be an appropriate objective of the initial client meeting.

2077 The internal audit department's responsibility for performing follow-up activities to ensure that corrective action has taken place for certain findings should be defined in the
○ mission statement of the audit committee.
○ internal auditing department's written charter.
○ purpose statement in applicable audit reports.
○ engagement memo issued prior to each audit assignment.
Explanation: Responsibility for follow-up should be defined in the internal auditing department's written charter.

2274 Which are the primary areas of focus for internal audit report recommendations?
○ Condition and cause
○ Criteria and condition
○ Cause and consequence
○ Condition and consequence
Explanation: Internal audit report recommendations should address the root cause of the gap between the criteria and the condition, with a focus on the current state that needs to change (the condition). The condition is the current state as evidenced by internal audit test results and evaluation.

2076 An audit of accounts payable finds that the individuals responsible for maintaining the vendor master file can also enter vendor invoices into the accounts payable system. During the exit conference, management agrees to correct this problem. When performing a follow-up engagement of accounts payable, the auditor should expect to find that management has
○ modified the accounts payable system to prevent individuals who maintain the vendor master file from entering invoices.
○ transferred the individuals who maintained the vendor master file to another department to ensure that responsibilities are appropriately segregated.
○ compared the vendor and employee master files to determine if any unauthorized vendors have been added to the vendor master file.
○ modified the access control system to prevent employees from both entering invoices and approving payments.
Explanation: Modifying the accounts payable system to prevent those who maintain the vendor master file from entering invoices is the only option that will correct the deficiency identified during the audit. Transferring the employees is not necessary and would not resolve the control problem. Comparing vendor and employee master files may help detect prior problems, but it does not create a control to address future problems. Modifying the access control system for employees would not address the problem because it does not involve the vendor master file.

2746 Internal audit discovers that a vendor is in violation of regional privacy directives. There are further concerns that the company has weak information security. In spite of internal audit's recommendation to management that the relationship poses an elevated level of concern, management believes the benefits of continuing with this vendor outweigh the risks. What should the chief audit executive (CAE) do in this situation?
○ Track the problem, but have management report to the audit committee on future privacy-related matters with the vendor.
○ Schedule follow-up activities to be part of the next engagement.
○ Assist management in a consulting engagement by serving as a change agent and locating potential new vendors.
○ Bring the perceived unacceptable risk to the attention of senior management and the board, repeatedly if necessary.
Explanation: Management has the responsibility for deciding how to address reported engagement observations and recommendations in a timely manner. An elevated rating implies that prompt management attention is necessary. It is incumbent on the CAE to follow up and escalate the matter. Standard 2600 states, "When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board."

2066 An internal auditor develops an agenda for a preliminary meeting with a client, which includes, among other items, the topics for discussion listed below. Which item is inappropriate for this meeting?
○ Review and sign-off practices
○ Names of those involved from the audited function
○ Explanation of the analytical processes internal auditing will use to establish benchmarks for assessing function activities
○ Names of those involved from internal auditing
Explanation: Establishing the names of those who will be involved both in internal auditing and in the audited function is necessary at the preliminary meeting stage. While the client should understand what reports will be generated and to whom they will be delivered, it is not necessary to discuss with the client processes developed by internal auditing to complete its work, such as specific analytical approaches. However, the client may be involved in reviewing and signing off on the results of testing (except when fraud is detected). Discussing this requirement is appropriate in this meeting.

2768 Assume that an auditor's findings are so serious that, in the auditor's view, they require immediate action by management. Which of the following statements regarding the auditor's responsibility with respect to reporting and follow-up is correct?
○ The conditions should be actively monitored by management but not by internal auditing until corrected.
○ The initial findings should be communicated to senior management and the audit committee even if the audit of the activities is not complete.
○ The internal auditor should indicate whether or not management took immediate action and, if not, recommend that the board issue a reprimand.
○ The auditor should test the actions implemented by management to determine if they are more efficient than prior processes.
Explanation: The initial findings should be communicated to senior management and the audit committee even if the audit of the activities is not complete. The conditions should be actively monitored by the internal auditor until corrected. The auditor should test the actions implemented by management to determine if they remedy the problem.

2088 A national fast-food restaurant chain has a zero-tolerance policy related to food spoilage and is known for having the highest fresh food quality standards in the industry. A recent internal audit identified numerous incidents of store management failing to monitor refrigeration systems according to policy, in three different regions. Each of the three regional managers agreed to implement corrective actions within 45 days. As part of its monitoring responsibility, internal audit performed unannounced follow-up visits to each violating store two months later and found that only two of the stores were now following monitoring procedures for refrigeration units. The chief audit executive should then
○ ensure that this high-risk internal audit is performed annually.
○ seek the agreement of the remaining two regional managers to remediate the issue within 90 days.
○ schedule another unannounced follow-up visit in one month.
○ escalate the matter to senior management and then the board, if necessary.
Explanation: According to the implementation guidance for Standard 2600, Communicating the Acceptance of Risks in monitoring the disposition of results and associated corrective actions, the chief audit executive may become aware of high-risk observations that are not corrected in a timely fashion or may represent more risk than the organization would normally tolerate and are therefore unacceptable to the organization. These matters should be escalated to senior management and the board, if necessary. Failure to monitor refrigeration systems could result in substandard food quality and even food spoilage, in turn resulting in reputation damage, noncompliance with health department regulations, and/or legal risk. Based on the zero-tolerance policy and the failure of two regional managers to remediate this high-risk audit issue in a timely manner, the other three answer choices are not the best solution.

2723 What is the most likely outcome when a chief audit executive and internal auditors become familiar with the organization's business objectives and processes?
○ The internal audit activity will have added value to the organization.
○ The annual audit plan will contain a greater proportion of assurance engagements.
○ The annual audit plan will be able to accommodate a greater number of engagements.
○ Line managers will resist interference with their unit objectives.
Explanation: As the internal audit activity gains understanding of the organization's processes and the way in which the organization's separate functions are aligned to achieve strategic objectives, it grows in value to the organization. It is more able to provide practical, business-oriented recommendations to senior management and engagement clients.

2135 When conducting an audit follow-up of a finding related to cash management routines, which of the following needs to be considered?
○ Whether benefits have accrued to the entity as a result of resolving the condition
○ Whether inherent risk has been eliminated as a result of resolution of the condition
○ Whether controls have been implemented to eliminate the possibility of a recurrence of the finding
○ Whether the steps being taken consider eliminating the use of cash as a payment option
Explanation: It is appropriate to assess whether steps being taken are resolving the condition, appropriate controls have been implemented to deter or detect the condition, and benefits have accrued to the entity. It is not necessary, however, to ensure that inherent risk has been eliminated. (This could be accomplished only by eliminating the use of cash, which is unrealistic.)

2709 Providing useful and timely information and promoting improvements in operations are goals of internal auditors. To accomplish this in their reports, auditors should
○ provide information in written form before it is discussed with the audit client.
○ provide top management with reports that emphasize the operational details of defective conditions.
○ provide operating management with reports that emphasize general concerns and risks.
○ provide reports that meet the expectations and perceptions of both operational and top management.
Explanation: The audit report needs to address the expectations and perceptions of both top management and operating management; it needs general concepts for top management as well as details of operations. Some reports will contain information regarding satisfactory operations as well as opportunities for improvement.

2717 Which of the following situations is most likely to be the subject of a written interim report to the engagement client?
○ Open burning at a subsidiary plant poses a prospective violation of pollution regulations.
○ Seventy percent of the planned audit work has been completed with no significant adverse observations.
○ The auditors have decided to substitute survey procedures for some of the planned detailed review of certain records.
○ The engagement program has been expanded because of indications of possible fraud.
Explanation: According to Implementation Guide 2410, an interim report can address a situation that requires immediate attention.

2086 An audit of payment activities related to an accounts payable function identifies no significant internal control weaknesses. However, accounts payable procedures related to vendor ACH (automated clearinghouse) payments, which are housed in the organization's policies and procedures intranet portal, need updating. Which of the following is the most appropriate follow-up procedure for this issue?
○ Fix responsibility for follow-up with the process owner.
○ Have an internal auditor conduct a targeted follow-up review.
○ Schedule a follow-up engagement after allowing significant time for corrective action.
○ No follow-up is necessary, since no significant internal control weaknesses were identified.
Explanation: Making the process owner responsible for following up minimizes the required schedule time and involvement of the internal auditor and may be structured by specifying a reporting frequency and requiring written documentation on the action item. The process owner could simply notify internal audit when the procedures have been updated, and an internal auditor could look at the intranet portal to verify the updates. A targeted follow-up review is typically for action items of high priority related to significant risks. A follow-up engagement is the most involved type of follow-up and may involve spending more time than needed on less-critical items; process owners could view this as being bureaucratic. A targeted follow-up review or follow-up engagement should not be necessary in this instance. Limited follow-up, as described above, would be appropriate in this circumstance, even though no significant internal control weaknesses were identified.

2760 The internal audit activity's responsibility to follow up on reported audit findings should be defined in which of the following?
○ Purpose statement within the applicable audit report
○ Engagement memo issued prior to each audit assignment
○ Mission statement of audit committee
○ Internal audit activity's written charter
Explanation: The internal audit activity's responsibility to follow up on reported audit findings is defined in the written audit charter. The charter may specify that a particular type of follow-up must be used, or it may allow the chief audit executive to determine the nature, timing, and extent of follow-up. This latter method allows internal auditors greater flexibility to select follow-up procedures based on the recommendations' significance, level of effort required, time period required, expected impact, and so forth.

2737 Which of the following statements is true of approval of engagement reports?
○ The signature of the chief audit executive is not required on engagement reports under the Standards.
○ Both the chief audit executive and the auditor-in-charge must sign the engagement report.
○ Any member of the audit team may sign the engagement report once it has been reviewed by the chief audit executive.
○ Chief audit executive approval of reports for consulting engagements is not required.
Explanation: The Standards do not require the chief audit executive (CAE) to sign the engagement report, only to review and approve it. The auditor-in-charge, supervisor, or lead auditor may sign the report on behalf of the CAE. The CAE may be required to report results to senior management if they include significant information about governance, risk management, or controls.

2738 Several levels of management are interested in the results of a marketing department audit. What is the best method of communicating the results of the audit?
○ Write detailed reports for each level of management.
○ Discuss results with all levels of management.
○ Write a report to the marketing management and give summary reports to other management levels.
○ Discuss results with marketing management and issue a summary report to top management.
Explanation: A written report should be issued after completion of an audit. The report should be addressed to the level of management capable of agreeing to and correcting the deficiencies noted in the report. Top management should be aware of internal audit's activities and any major deficiencies noted. This could be accomplished in a discussion or in a summary report. Writing detailed reports for each level of management is not an efficient use of an auditor's time. A summary report for top management could be issued along with a detailed report for the appropriate operational level of management. Conclusions and recommendations should be discussed with the appropriate levels of management, but an audit report should still be issued.

2716 During the course of a bank audit, the auditors discover that one loan officer has approved loans to a number of related but separate organizations in violation of regulatory policies. The loan officer indicates that it was an oversight and will not happen again. However, the auditors believe it may have been intentional, because the loan officer is related to one of the primary owners of the corporate group that controls the related organizations. The auditors should
○ expand the audit work to determine if there may be fraudulent activity on the part of the loan officer and report the findings to management when the follow-up investigation is complete.
○ inform management of the conflict of interest and the violation of the regulatory requirements and suggest further investigation.
○ report the violation to the appropriate regulatory agency because it constitutes a significant breakdown of the bank's control structure.
○ not report the violation if the loan officer agrees to take corrective action.
Explanation: Informing management of the issues is the most appropriate response. The auditors should report all information that represents major breakdowns in control and possible fraud to management on a timely basis so management can take timely corrective and follow-up action. All important breakdowns in controls should be reported—even if the audit client agrees to correct the problem.

2719 While conducting an audit of payables in an overseas branch of a U.S. organization, an internal auditor finds solid evidence that payments not on the books have been made to local officials in return for market access—an acceptable way of doing business in that region. Which of the following best describes the auditor's duty in this situation?
○ Send or communicate an immediate report to senior management in the U.S. headquarters and recommend an appropriate investigation to determine the extent of the problem.
○ Accept the inevitability of the practice, since ending it would damage the organization's ability to do business in that region.
○ Make no recommendation, but follow all applicable Standards and include a disclaimer in the final report.
○ Document the evidence in the working papers and develop a recommendation that controls be developed to ensure that all transactions are properly recorded.
Explanation: The IIA's Standards and U.S. laws such as the Foreign Corrupt Practices Act apply to the payment of bribes wherever it happens. The auditor must report the situation to management and develop recommendations to bring the organization into compliance with laws and the Standards.

2759 During a consulting engagement involving the development of a new accounts payable system, an internal auditor identifies a control weakness. The weakness is reported to the manager of the systems development project, but the manager decides to accept the risk because, in the manager's opinion, the risk is not significant. Six months after implementation of the new system, the disbursements process is audited by another internal auditor who determines that the control weakness has impacted payment processing. The auditor reviewing the disbursements process should do which of the following?
○ Report the control weakness to management and the audit committee.
○ Disregard the control weakness because management previously decided to accept the risk.
○ Discuss the control weakness with the manager of the accounting system but do not report the finding.
○ Request that the manager of the systems development project fix the system.
Explanation: It is the auditor's responsibility to provide the internal audit's assessment of controls, including the design or model, to the audit committee. This includes follow-up on previously reported audit findings and recommendations. Even though management owns the responsibility for the risk taken, it is nevertheless the responsibility of the auditor to provide a full report. Because the weakness remains, it must be reported.

2710 Which of the following would be most likely to improve an auditor's chances of giving a successful presentation of a final audit report?
○ Put negative findings first so you end on a positive note.
○ Place as little emphasis as possible on the harm that management's current practices could cause the client.
○ Engage the client's attention by beginning with specifics rather than general statements.
○ Treat the client as a willing partner who is on your side.
Explanation: The internal auditor is more likely to inspire a positive response to recommendations by treating the client as a partner who is willing to cooperate in solving problems rather than by assuming that the client is an adversary who will resist change. The purpose of internal audits is to help management identify opportunities to enhance performance and better achieve organizational objectives.

2727 An internal audit report on accounts receivable for a group pediatric medical practice includes the following finding:

The accounts receivable aging as of March 31, 20XX, reflects 3,912 accounts totaling U.S. $956,784 that are more than one year delinquent. This has grown from 2,437 accounts totaling U.S. $532,019 that were more than one year delinquent one year previously. Lack of criteria for write-offs of uncollectible accounts receivable may result in an overstated accounts receivable balance.

Which of the following is the most appropriate recommendation?
○ Establish a policy to refer one-year delinquent accounts receivable to a collection agency.
○ Establish a policy to require write-offs of accounts receivable that become one year delinquent.
○ Establish criteria for the adequacy of the allowance for doubtful accounts based on industry standards.
○ Establish criteria for review and approval of write-offs of delinquent accounts receivable at various stages of aging.
Explanation: A recommendation to establish criteria for review and approval of write-offs of delinquent accounts receivable at various stages of aging would be most appropriate. Recommending a policy to write off accounts receivable that are one year delinquent may not be appropriate. Considering the industry and billing and collections activities of residual balances remaining after insurance payments, writing off one-year delinquent accounts may result in foregoing collectible accounts receivable. A recommendation to refer one-year delinquent accounts receivable to a collection agency is inappropriate, as this also may result in foregoing collectible receivables. Recommending that management establish criteria for the adequacy of the allowance for doubtful accounts may resolve the issue of a potentially overstated accounts receivable balance, but it will not address the issue of increased aging of accounts receivable that may be uncollectible.

2704 Which best describes a communication that is free from errors and distortions and is faithful to the underlying facts?
○ Objective
○ Accurate
○ Clear
○ Complete
Explanation: The question describes accurate communications per interpretation of Performance Standard 2420.

2735 An exit conference can include which of the following?
○ Listing of fees for internal audit services
○ Opportunity for the engagement client to determine what should and should not be reported
○ Verbal presentation without documentation that includes an expression of thanks to the engagement client
○ Signatures of participants on a written document acknowledging findings

2762 An internal audit report includes a rating that requires immediate management attention. Control weaknesses have been noted in a manufacturing process, and the results could damage the organization's reputation. What is the appropriate follow-up process for this assurance engagement?
○ Scheduling follow-up to be part of the next engagement
○ Having management report progress directly to the board
○ Monitoring by the internal audit activity to the extent agreed upon with the client at the exit interview
○ Monitoring by the internal audit activity until corrected
Explanation: Boards are not involved in daily management activities; monitoring follow-up is an important responsibility that management and internal auditing perform on behalf of the board. In this case, the rating indicates control deficiencies that warrant significant and immediate corrective action. Because of the effect the condition could have on the organization, the reported observations and recommended actions should be monitored by the internal audit activity until corrected.

2754 An audit of an organization's claims department determines that a large number of duplicate payments have been issued due to problems in the claims-processing system. During the exit conference, the vice president of the claims department informs the auditors that attempts to recover the duplicate payments will be initiated immediately and that the claims-processing system will be enhanced within six months to correct the problems. Based on this response, the chief audit executive should
○ adjust the scope of the next regularly scheduled audit of the claims department to assess controls in the claims-processing system.
○ monitor the status of corrective action and schedule a follow-up engagement when appropriate.
○ schedule a follow-up engagement within six months to assess the status of corrective action.
○ discuss the findings with the audit committee and ask the committee to determine the appropriate follow-up action.
Explanation: The internal audit activity should monitor the status of the corrective action. A follow-up engagement should be scheduled when changes to the claims-processing system have been sufficiently completed to allow for testing of adequacy and effectiveness.

2131 Which of the following statements best characterizes an audit recommendation?
○ Auditor's opinion of the single most cost-effective way to address a problem defined during the audit
○ Auditor's opinion of the most profitable plan of action that management should pursue in addressing a problem defined during the audit
○ Auditor's suggested approaches to improve performance based on audit findings
○ Auditor's critical appraisals of the client's performance in areas reviewed during the audit
Explanation: The auditor's role is to recommend options for the client to consider in addressing problems defined during the audit, not simply to assess performance. Management's decisions about implementing recommendations should balance considerations of cost and optimal results to resolve audit findings.

2729 When making internal audit report recommendations to management, internal auditors should be particularly mindful of
○ the internal auditor's independence.
○ the objectivity principle.
○ encroaching on second line responsibilities.
○ being perceived as a trusted advisor.
Explanation: Once an internal auditor feels a sense of responsibility for management decisions based on his or her ownership of audit recommendations, objectivity for future related engagements may be of concern. Internal auditors should maintain their objectivity when drawing conclusions and offering advice to management. Internal auditor independence is more related to functional and administrative reporting lines than maintaining objectivity when making recommendations. The perception of internal audit as a trusted advisor is desired; objectivity is of primary importance relative to audit recommendations. As the third line, internal audit should not be concerned with encroaching on second line responsibilities when making recommendations to management.

2707 Which of the following would be included in the statement of scope in an audit report?
○ Audit objectives
○ Statement that the audit can cover any period as needed
○ Activities not audited
○ Nature and extent of auditor skill levels
Explanation: The statement of scope lists the period to be covered, the activities not audited (those that might be assumed to be included if not explicitly communicated here), and the nature and extent of the auditing performed. Audit objectives should be included in the section of the audit report that describes the engagement purpose.

2702 Which of the following activities would be inappropriate for a new internal auditor with minimal experience to perform during an audit engagement of a new system implementation?
○ Preparing supporting test documentation
○ Verifying test results
○ Communicating test results to the audit client
○ Performing tests
Explanation: Performing tests, verifying test results, and preparing test documentation take place during the audit engagement and before results are communicated to the audit client. Communication of test results to the audit client would take place after the audit and is the responsibility of the chief audit officer—i.e., it is not an activity for a new audit team member with minimal experience.

2739 An internal audit director has noticed that staff auditors are presenting more oral reports to supplement written reports. The best reason for the increased use of oral reports by the auditors is that they
○ reduce the amount of testing required to support audit findings.
○ permit auditors to counter arguments and provide additional information that the audience may require.
○ can be delivered in an informal manner without preparation.
○ can be prepared using a flexible format, thereby increasing overall audit efficiency.
Explanation: Oral reports permit auditors to counter arguments and provide additional information that the audience may require. Since oral reports evoke face-to-face responses, the auditors can provide an immediate response to any auditee objections or provide additional information as appropriate.

2130 Which of the following would be an incorrect use of an interim report?
○ To inform management of significant matters, even those that are unrelated to the engagement
○ To communicate a change in engagement scope
○ To update management on progress during a long engagement
○ To address audit findings that will be excluded from the final report
Explanation: Interim reports can be used to communicate changes in scope, to report progress during a long engagement, and to inform management of significant matters even if they are not related to engagement objectives. Some smaller matters resolved during the audit may be excluded from the final report, but all matters should be documented in the working papers.

2736 Which of the following combinations of participants would be most appropriate to attend an exit conference?
○ Director of internal auditing and the executive in charge of the activity or function audited
○ Staff auditors who conducted the fieldwork and the executive in charge of the activity or function audited
○ Responsible internal auditor, representatives from management who are knowledgeable about detailed operations, and those who can authorize implementation of corrective action
○ Staff auditors who conducted the fieldwork and operating personnel in charge of the daily performance of the activity or function audited
Explanation: As suggested by the Implementation Guides, exit conference participants should include the responsible internal auditor, representatives from management who are knowledgeable about detailed operations, and those who can authorize implementation of corrective action.

2706 Which of the following is a major purpose of an audit report?
○ To assign accountability
○ To direct
○ To assign responsibility
○ To get results
Explanation: Purposes of audit reports include to inform, to persuade, and to get results. Directing and assigning responsibility and accountability are functions of management.

2079 The auditor of a construction company that builds foundations for bridges and large buildings performs a review of the expense accounts for augers, which are used to drill holes in rocks to set the foundations for the buildings. During the review, the auditor notes that the expenses related to some of the auger accounts increased dramatically during the year. The auditor asks the construction manager about this, and the manager offers the explanation that the augers last two to three years and are expensed when purchased. Thus, the auditor should see a decrease in the expense accounts for these augers in the next year but an increase in the expenses of other augers. The auditor also finds out that the construction manager is responsible for the inventorying and receiving of the augers and is a part owner of a company that supplies augers to the company. The supplier was approved by the president of the company to improve the quality of equipment. Assume that the auditor did not find a satisfactory explanation for the results of the analytical procedures performed and has conducted the appropriate follow-up procedures. The audit of the area is otherwise complete. Which of the following would be the most appropriate action to take?
○ Report the findings, as they are, to management and recommend an investigation for possible irregularities.
○ Note the actions and follow up next year. Defer the reporting to management until a satisfactory explanation can be obtained.
○ Expand audit procedures by observing the receipt of all augers during a reasonable period of time and tracing the receipts to the appropriate accounts. Determine causes of any discrepancies.
○ Report the findings to the construction manager and insist that appropriate internal controls such as independent receiving reports be implemented. Follow up to see if the controls are properly implemented.
Explanation: Results or relationships from applying analytical auditing procedures that are not sufficiently explained should be communicated to the appropriate levels of management.


2749
Internal auditing notes that a large number of trucks in the company's fleet use the same relatively new model of engine. If the model fails, it might mean the disabling of most of the fleet and severe disruptions to the movement of materials. Internal auditing recommends that transportation management address this potential risk. Transportation management refuses to take action, citing the high costs involved in replacing new equipment and its belief that the risk is minimal. Which of the following would be the best response for the chief audit executive (CAE)?
○ Bring the matter to the attention of senior management immediately.
○ Do not press management for a further response, since the situation does not provide grounds for further action by the CAE.
○ Accept management's response because it appears reasonable, and remove the item from findings.
○ Negotiate with management to identify an acceptable way to control the risk, and then monitor for implementation of this plan.
Explanation: While the matter has serious implications to the company, management's concern about the cost of the control is reasonable. It is possible that the CAE and management may be able to develop a cost-effective way to address the risk. Internal auditing may then monitor for implementation of this plan. This kind of internal audit and business decision might be an appropriate part of the regular communication with the board. Such regular communication includes audit findings and decisions for resolution of findings and is delivered to senior management and the audit committee or board.

2714
If a client has responded to audit observations before the engagement final communication has been issued, which of the following is true regarding the responses?
○ They should be reflected in the engagement final communication.
○ They do not need to be included in the audit file.
○ They should be tested immediately for accuracy.
○ They do not need to be signed.
Explanation: Implementation Guide 2410, "Criteria for Communicating," states: "Communication with management is an ongoing process throughout the engagement. The internal audit activity adds value by developing communications (both verbal and written) that effect positive change in the organization." Furthermore, Sawyer recommends the use of interim reports to the client, because they can improve relations and information flow and understanding. In turn, including findings from interim reports can enhance the quality of final reports by providing extra detail and also because they can result in greater client buy-in to recommendations. Only resolved findings from an interim report might be discarded in the final report.

2128
Why is the initial client meeting for an environmental audit important?
○ It provides a forum for rapport building for all parties.
○ It helps the auditor to better understand general trends in recent audits.
○ It allows the auditor to explain the importance of continuous monitoring.
○ It allows management to provide preliminary proof of regulatory compliance.
Explanation: The first meeting often sets the tone for the upcoming internal audit. It provides a chance to discuss the purpose and approach of the audit as well as an opportunity for the internal auditor to gain insights into management in the area being audited. Handled professionally, the preliminary client contact can encourage positive, open communications for the duration of the engagement.

2743
A university has adopted the following as part of its risk appetite statement:

The university's lowest risk appetite relates to health and safety objectives for students and employees while we have a marginally higher risk appetite toward our operations and reporting objectives.

Based on the university's risk appetite statement, which of the following issues identified during an internal audit is most likely to pose an unacceptable level of residual risk, requiring escalation to university senior leadership?
○ Lack of warning signage resulting in several slip and fall incidents on icy campus walkways and parking area surfaces
○ Lack of policies requiring protective safety equipment (i.e., helmets, steel-toed boots, hearing and vision protection) for construction workers contracted for special projects
○ Lack of professor training on university procedures and lack of management monitoring related to hazardous waste in chemical and biology laboratories and the university medical center
○ Lack of end-to-end testing of the university's "active shooter" response plan; a tabletop exercise with communication testing is performed biannually instead
Explanation: Based on the university's risk appetite related to health and safety objectives, lack of training on university procedures and lack of management monitoring related to hazardous waste would likely pose an unacceptable level of residual risk. Failure to properly identify, containerize, label, store, and dispose of biohazardous waste (i.e., human bodily fluids, tissue) and laboratory hazardous waste (i.e., formaldehyde, rags used for chemical spill clean-up) can be highly hazardous to student and employee health and safety and, if not properly attended to, can result in significant compliance, legal, financial, and reputation risk. Protective safety equipment policies would be owned by the employer of the contracted construction workers. Warning signage would more likely be one of several internal controls designed to address the inherent risk of slippery surfaces. The type and frequency of disaster response plan testing is a management decision; failure to perform end-to-end testing of the plan in favor of other effective approaches doesn't create an unacceptable level of residual risk.

2742
Which of the following is the best strategy to manage operational residual risk?
○ Hold management accountable for financial performance.
○ Purchase insurance or share risk with outsourcing partners.
○ Increase acceptable risk tolerance levels.
○ Ensure that policies and procedures are periodically updated.
Explanation: Residual risk is the level of risk that remains after management executes its risk responses to address inherent risks. Operational residual risks might be effectively reduced by sharing risk through the purchase of insurance or transferring risk to outsourced business partners. Management accountability for financial performance is not directly related to operational residual risk. Increasing risk tolerance levels may not be a realistic solution to addressing operational residual risks; these risks may still need to be addressed and contained. Periodic updates to policies and procedures, related training, management monitoring, and other internal controls would be more relevant to addressing inherent risks.

2741
An internal audit team completes an audit of a company's compliance with its lease-versus-purchase policy concerning company automobiles. The audit report notes that the basis for several decisions to lease was not documented and is not auditable. The report contains a recommendation that operating management ensure that such lease agreements not be executed without proper documentation of the basis for the lease-versus-purchase decision. The internal auditors are about to perform follow-up work on this audit report. Senior management says they have decided to accept the risk involved in failure to document the basis for lease-versus-purchase decisions involving company automobiles. In such a case, what would be the auditors' reporting obligation?
○ The auditors should issue a follow-up report to management clearly stating the rationale for the recommendation that the basis for lease-versus-purchase decisions be properly documented.
○ Management's decision and the auditors' concern should be reported to the company's board of directors.
○ The auditors should inform the external auditor and any responsible regulatory agency that no action has been taken on the finding in question.
○ The auditors have no further reporting responsibility.
Explanation: When senior management has assumed such risk, reporting to the board is required only for significant findings. There is no indication that the failure to document several decisions is significant enough to report to the board.

2701
In a well-developed management environment, the internal audit activity would
○ report the results of an audit engagement to line management as well as senior management.
○ interface primarily with senior management, minimizing interactions with the line managers who are the subjects of internal audit work.
○ focus primarily on asset management and report results to the audit committee.
○ conduct initial audits of new computer systems after they have begun operating.
Explanation: In a well-developed management system, the internal auditing function is used to provide a more direct benefit to line operations by providing feedback to operating management as well as to senior management. Emphasis should be placed on the audits of proposed products and systems.

2726
Internal audit recommendations
○ should be rooted in process owner and management experience with internal controls for effective risk mitigation.
○ are based on the internal auditor's observations and conclusions, in consultation with the audit client.
○ are a required element of internal audit reports, according to the Standards.
○ should provide specific criteria and detailed processes to remediate risks.
Explanation: Recommendations are based on the internal auditor's observations and conclusions, and the auditor should obtain agreement on any action plans for improvement. Process owner and management experience may be inadequate to formulate an effective action plan without the internal auditor's guidance. Internal auditors may recommend a general course of action, rather than specific criteria or activities, or may suggest further investigation or study. The Standards do not require recommendations as a mandatory element of internal audit reports; an audit report may not include any findings and, therefore, would not have recommendations for improvement.

2132
During a review of purchasing operations, an auditor finds that procedures in use do not agree with stated company procedures. However, audit tests reveal that the procedures in use represent an increase in efficiency and a decrease in processing time without a discernible decrease in control. The auditor should
○ develop a flowchart of the new procedures and include it in the report to management.
○ report the change and suggest that the change in procedures be documented.
○ report the lack of adherence to documented procedures as an operational deficiency.
○ suspend the completion of the engagement until the engagement client documents the new procedures.
Explanation: The auditor has identified a change in process that should be brought to the attention of management and documented.

2732
The Standards state, "Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans." Which of the following would be a valid justification for omitting recommendations in an audit report?
○ The auditor may not always understand the true cause of the finding being reported.
○ The auditor can avoid the confrontation by letting management solve its own problems.
○ The auditor does not have sufficient time to formulate a recommendation due to audit budget pressures.
○ The auditor may lose independence by being perceived as making operational decisions.
Explanation: The true cause of a finding may require additional expertise and may be determinable only through additional management study.

2708
Word selection can have an impact on the recipient when presenting an internal audit report in either written or oral form. In a presentation in which the auditor's objective is to persuade an individual to accept the recommendations, using words with a strong or emotional connotation rather than words with a low connotation
○ may move the recipient deliberately in the direction of the audit recommendation.
○ would cause the recipient to accept the audit recommendations quickly with no reservations.
○ may misfire quickly, moving the recipient away from the audit recommendation.
○ would have no impact whatsoever on the recipient.
Explanation: If the auditor's words misfire, the recipient may move away from the audit recommendation. To achieve more predictable results, the auditor should use words that will mean the same thing to the recipient(s) as they do to the auditor.

2133
During an assurance engagement regarding health and safety policies, the internal auditor concludes that injuries are too high in relation to management objectives and recommends alternative policies that would conform to those objectives as well as to Occupational Safety and Health Administration requirements. Arguing that making the recommended changes would be too costly, the client describes alternate measures the auditor considers inadequate. Which of the following would be the best approach for the internal auditor to take?
○ Delay the completion of the audit pending resolution of the disagreement by senior management or the audit committee.
○ Since the auditor's job is to audit, not to manage, encourage the client to draft a substitute recommendation based on his or her position.
○ Assume that the client will not act on the recommendation in any case and drop it from the final report.
○ Include both the recommendation and the client's reasons for disagreement in the final report without resolving the disagreement.
Explanation: In matters of compliance with safety regulations, the internal auditor should take disagreements to the highest level necessary to seek resolution.

2728
An internal audit of internal controls over accounts receivable has been performed at a closely held family business where the president-owner's daughter is the chief accountant. A non-family-member employee, the customer relationship manager (CRM), is responsible for credit approval and customer relationship management. An internal audit report observation states:

The chief accountant receives and opens the customer mail, deposits customer checks in the bank, posts journal entries to the cash receipts journal, updates customer accounts receivable, and prepares and sends monthly statements to customers.

Which of the following is the most appropriate recommendation?
○ The chief accountant should delegate preparing and sending monthly customer statements to the CRM.
○ The president-owner should receive bank statements directly from the bank and perform monthly bank reconciliations in a timely manner.
○ The duties of recording accounts receivable and journal entries and handling customer payments should be separated.
○ Consider hiring a mail room employee, whose duties would include receiving, opening, and distributing all company mail.
Explanation: Those who update customer accounts receivable balances and record journal entries should not have access to cash receipts. When this segregation of duties is lacking, there is opportunity for theft of customer payments. Delegating the preparation and sending of customer statements to another employee and having the president receive bank statements and perform bank reconciliations will not eliminate the opportunity for theft of customer payments by the chief accountant, nor would having a mail room employee receive, open, and distribute the mail prevent the theft of customer payments if the payments are given to the chief accountant. A preferred control would be to have the mail room employee prepare a remittance listing of all checks received and forward it to another employee (not the chief accountant), who would prepare a deposit slip and deposit the checks in the bank. The remittance listing would be forwarded to the chief accountant for posting to customer accounts receivable.

2705
Which of the following could be combined with the statement of scope (located in the same general area) but still needs to be clearly distinct from the statement of scope in an engagement final communication?
○ Engagement objectives
○ Period covered by the review
○ Nature and extent of the engagement work performed
○ Related activities excluded from the review
Explanation: While the scope statement may be combined with the objectives, it is a distinct component of the final report. The scope statement identifies the activities audited. In addition, it may also specify activities excluded from the audit, if there is a chance that readers would expect to find coverage of those activities. The scope statement may also include the time period reviewed.

2149
Which of the following would be considered a primary objective of a closing or exit conference?
○ Identifying concerns for future audit engagements
○ Resolving conflicts
○ Identifying internal audit actions and responses to management observations and recommendations
○ Requiring adherence to the engagement observations
Explanation: Objectives of the closing or exit conference include resolving conflicts if possible, discussing the engagement observations and recommendations, and identifying management's actions and responses to the engagement observations and recommendations. Identifying concerns for future engagements is not a primary objective of the exit conference.

2146
One of the audit objectives for a manufacturing company is to verify that all rework is reviewed by the production engineer. Which of the following audit procedures would provide the best evidence for meeting this objective?
○ Trace a sample of rework orders to entries in the rework log.
○ Trace a sample of rework orders to entries in the review log.
○ Trace a sample of entries in the review log to rework orders.
○ Trace a sample of entries in the rework log to remedial action taken.
Explanation: The best evidence of all work performed is the set of rework order forms, and the best evidence of what was reviewed are the entries in the review log. To determine whether all rework was reviewed, the auditor needs to start with the population of all the rework that was performed (that is, rework order forms) and trace to evidence that it was reviewed (that is, review log).

2129
An auditor completes work on a segment of an audit program. It is clear that a problem exists that will require a modification of the organization's distribution procedures. The audit client agrees and implements revised procedures. The internal auditor should
○ work with the client to develop and report on an appropriate recommendation.
○ research the problem and recommend in the audit report measures that should be taken.
○ indicate in the audit report that the audit client has determined and implemented corrective action.
○ report the problem and assume that management will take appropriate action.
Explanation: Crediting the audit client's determination and implementation of the corrective action will appeal to the audit client's esteem.

2722
An example of important audit engagement information that may require interim communications with management includes which of the following?
○ More efficient sampling approach due to new audit software
○ Resignation of an audit committee member
○ Change in engagement scope
○ Change in audit staff assigned to the engagement
Explanation: Implementation guidance for Standard 2410, "Criteria for Communicating," states that deviations from the planned engagement scope and objectives are typically communicated during the engagement. A change in audit staff assigned to the engagement, the resignation of an audit committee member, and adoption of a more efficient sampling approach would not likely require interim communication.

2141
The auditor wants to determine if purchasing requirements have been updated for changes in production techniques. Which of the following audit procedures would be most effective in addressing the auditor's objective?
○ Recalculating parts needed based on current production estimates and on the materials requirements planning for the revised production techniques, and then comparing these needs with purchase orders generated from the system for the same period
○ Using generalized audit software to develop a report of excess inventory, and then comparing the inventory with current production volume
○ Developing test data to input into the local area network, and then comparing purchase orders generated from test data with purchase orders generated from production data
○ Taking a sample of production estimates and materials requirements planning data for several periods, and then tracing them into the system to determine that input is accurate
Explanation: Recalculating parts needed and comparing them to purchase orders is the most appropriate procedure because:
The auditor has already determined that there is a concern.
This procedure results in a direct comparison of current parts requirements with purchase orders being generated.
Differences can be identified and corrective action taken.

2731
After a product recall becomes necessary, the operations manager sets a goal: "We need to do much better than before." What is true of this goal?
○ It needs to describe the process by which the goal will be achieved.
○ It is more of a strategy than a goal but should be effective at motivating individual efforts.
○ It does not state specific, measurable, action-oriented, realistic, and timely objectives.
○ It is a motivating goal because it does not point blame but allows individuals to determine for themselves how to improve.
Explanation: An effective goal should be SMART: specific, measurable, action-oriented, realistic, and timely. A goal does not need to describe how it will be achieved, since many methods can be used to get to the same result.

2712
Final internal audit communications (i.e., the engagement report) may include which optional information?
○ Background information and client's response(s) to engagement's conclusions and recommendations
○ Executive summary and engagement's results
○ Engagement's results and client's response(s) to engagement's conclusions and recommendations
○ Internal audit planning methodology and engagement objectives
Explanation: According to Standard 2410, "Criteria for Communicating," communications must include the engagement's objectives, scope, and results as well as other optional information such as background information, summaries, client accomplishments, and client views.

2139
According to the Standards, when business unit management is willing to accept a level of risk that may be unacceptable to the organization, the internal auditor
○ must escalate the matter to senior management and, if still unresolved, to the board.
○ should consult with enterprise risk management on acceptable solutions.
○ must advise business unit management of its responsibilities for managing risks and internal control.
○ must communicate the issue verbally in addition to including the matter in the internal audit report.
Explanation: Standard 2600, "Communicating the Acceptance of Risks," states that when the chief audit executive (CAE) concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management and, if the CAE determines that the matter has not been resolved, he or she must communicate the matter to the board. The Standards do not specify a required communication medium for internal audit communications. Advising business unit management of its responsibilities for managing risks and internal control when management is willing to accept a level of risk that may be unacceptable to the organization is not required by the Standards. Consultation with enterprise risk management is not required by the Standards.

2744
Which of the following exemplifies highly significant risks that a chief audit executive might judge to be beyond the organization's tolerance level?
○ Risks that may result in erroneous internal management reporting
○ Risks that may harm the organization's reputation
○ Risks that may harm management-employee relationships
○ Risks that may result in numerous immaterial contractual violations
Explanation: According to the implementation guidance for Standard 2600, "Communicating the Acceptance of Risks," highly significant risks may include those that may harm the organization's reputation. The other answer choices are not likely to be beyond the organization's tolerance level.

2098
With the final report on an operations audit due in three weeks, the internal auditor notices a violation of fire safety codes. Which of the following describes the best course of action the auditor could take?
○ Report the finding immediately to the client's maintenance department, and assume they will fix the problem and inform responsible management.
○ Document the condition and plan to discuss it with management in the exit interview.
○ Notify the local fire department.
○ Alert responsible management immediately with a written or an oral interim report.
Explanation: Serious problems, whether related to the audit objectives or not, should be reported immediately to management in an interim report, which can be either written or oral. The audit working papers and final report should document the communication and the evaluation of the immediate elimination of the fire safety code violation.

2097
Successful communication between the auditor and the audit client partially depends on achieving appropriate emphasis so both parties are aware of the most important points in their discussion. Which of the following approaches would provide the most emphasis in an audit report?
○ Graphics, repetition, and itemization
○ Solid paragraphs and detailed appendices
○ Key points embedded in discussion
○ Calm discussion in a conversational tone
Explanation: Graphic illustrations, oral and written repetition such as summaries, and itemized lists (bulleted or numbered) are good ways of emphasizing information in a report. The other answer choices may serve to bury or lose important information due to lack of emphasis.

2725
An internal auditor of a U.S.-based global organization is performing a review of internal controls over vendor approval and onboarding. Vendor approval is decentralized to nine geographic regions. One vendor manager disclosed during his audit interview that his team members periodically accept vendor invitations to resort getaways that include air transportation, live entertainment, food and beverages, and souvenir gifts. The internal auditor determines that the organization lacks a conflict-of-interest policy. The internal auditor should
○ include the matter in the audit report and recommend that a modest U.S. $50 threshold be established as the maximum value for anything received by employees from business partners.
○ include the matter in the audit report and recommend adoption of a code of conduct and a conflict-of-interest policy.
○ not report the matter, as it is isolated to only one of nine regions where vendor managers were interviewed.
○ report the illegal activity to U.S. government authorities, due to the Foreign Corrupt Practices Act (FCPA) and the integrity principle of The IIA's Code of Ethics.
Explanation: Acceptance of vendor invitations to resort getaways would likely be considered inappropriate, as it may impact vendor team members' judgment contrary to the best interests of the organization and may be considered an FCPA violation. Lack of an appropriate code of conduct and conflict-of-interest policy with regular training, employee sign-offs, whistleblower hotlines, and other internal controls leaves the organization more vulnerable to fraud and other inappropriate activities by employees. The matter should be addressed in the audit report, along with an appropriate recommendation(s). Isolation to just one of nine regions would not preclude this lack of internal control from needing to be addressed. Recommending that a modest threshold be established is inadequate to address the condition. Making the decision to report the situation to U.S. authorities, and actually doing so, is a management responsibility.

2733
According to IIA guidance, when an engagement final communication contains a significant error, the chief audit executive (CAE) is required to do which of the following?
○ Communicate corrected information to all individuals who received the original communication.
○ Issue a written report to the audit committee and senior management.
○ Communicate corrected information to all those who might have relied on the original communication.
○ Issue a written report to individuals who can ensure that engagement results are given due consideration.
Explanation: It is the responsibility of the CAE to communicate the final result of an audit to the appropriate individuals who can give the results due consideration. If a report is discovered to have been distributed with errors, and if substantive corrections need to be made, then the CAE should issue a new report that clearly highlights the changes and ensure that it is distributed to all those recipients who received the original report.

2711
According to Standard 2420, "Quality of Communications," constructive communications
○ are opportune and expedient.
○ lack nothing that is essential to the target audience.
○ are easily understood and logical.
○ are helpful to the client, leading to improvements where needed.
Explanation: According to the interpretation to Standard 2420, "constructive communications are helpful to the engagement client and the organization and lead to improvements where needed."

2
3

2
1

2
4

1
4

1
1

3
4

3
2

1
4

3
2

2
1

1
2

3
1

1
2
