
4. Which of the following are components of the definition of internal auditing?

A. Independence and objectivity


B. A systematic and disciplined approach
C. Helping the organization accomplish its objectives
D. All of the answers
5. Assurance, Insight, and Objectivity comprise
A. The mission of internal auditing
B. The three lines of defense model
C. The value proposition
D. The objectives of internal auditing
6. Independent outside auditors provide financial reporting assurance services primarily for
A. The benefit of third parties
B. Management
C. Board of directors
D. The CEO
7. AVF Company's new CFO has asked the company's CAE to meet with him to discuss
the role of the internal audit function. The CAE should inform the CFO that the overall responsibility
of internal audit is to
A. Review the integrity of financial and operating information and the methods used to accumulate and
report information
B. Determine whether the company's system of internal controls provides reasonable assurance that
information is effectively and efficiently communicated to management
C. Serve as an independent assurance and consulting activity designed to add value and improve the
company's operations
D. Assess the company's methods for safeguarding its assets and, as appropriate, verify the existence
of the assets
8. Which of the following statements is not true about business objectives
A. Business objectives represent targets of performance
B. Establishing meaningful business objectives is a key component of the management process
C. Establishing meaningful business objectives is a prerequisite to effective internal control
D. Business objectives are management's means of employing resources and assigning responsibilities
9. Within the context of internal auditing, assurance services are best defined as
A. Professional activities that measure and communicate financial and business data
B. Advisory services intended to add value and improve an organization's operations
C. Objective examinations of evidence for the purpose of providing independent assessments
D. Objective evaluations of compliance with policies, plans, procedures, laws, and regulations
10. Which of the following is mandatory guidance within the IPPF
A. Implementation guidance
B. Supplemental guidance
C. The value proposition
D. The core principles
11. While planning an internal audit, the internal auditor obtains knowledge about the auditee to,
among other things
A. Develop an understanding of the auditee's objectives and risks
B. Develop an attitude of professional skepticism about management's assertions
C. Make constructive suggestions to management concerning internal control improvements.
D. Evaluate whether misstatements in the auditee's performance reports should be communicated to
senior management and the audit committee.
12. Which of the following is the premier certification sponsored by The IIA
A. Certification in Control Self-Assessment
B. Certified Internal Auditor
C. Certification in Risk Management Assessment
D. Certified Information Systems Auditor
13. Which of the following is the ultimate position of a career internal auditor?
A. CEO
B. CFO
C. CRO
D. CAE
14. Growing the organization's market share, by acquiring complementary businesses, is a specific
business objective of which of the following
A. Reporting objective
B. Operations objective
C. Strategic objective
D. Compliance objective
15. Ship all orders no later than 48 hours after receiving the orders, is a specific business objective
of which of the following?
A. Reporting objective
B. Operations objective
C. Strategic objective
D. Compliance objective
16. Record only valid sales transactions is a specific business objective of which of the following?
A. Reporting objective
B. Operations objective
C. Strategic objective
D. Compliance objective
17. Which of the following best describes an internal auditor's purpose in reviewing the organization's
existing governance, risk management, and control processes?
A. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives
B. To ensure that weaknesses in the internal control system are corrected.
C. To provide reasonable assurance that the processes will enable the organization's objectives and goals
to be met efficiently and economically.
D. To determine whether the processes ensure that the accounting records are correct and that financial
statements are fairly stated
18. Which of the following is not an appropriate governance role for an organization's board of
directors
A. Evaluating and approving strategic objectives. Influencing the organization's risk-taking
philosophy
B. Providing assurance directly to third parties that the organization's governance processes are effective
C. Establishing broad boundaries of conduct, outside of which the organization should
19. Who is responsible for establishing the strategic objectives of an organization?
A. The board of directors.
B. Consensus among all levels of management.
C. Senior management.
D. The board and senior management jointly
20. Who is ultimately responsible for identifying new or emerging key risk areas that should be
covered by the organization's governance process?
A. The board of directors.
B. Risk owners.
C. Senior management.
D. The internal audit function

21. The internal audit function should not:


A. Assess the organization’s governance and risk management processes
B. Provide advice about how to improve the organization’s governance and risk management processes.
C. Oversee the organization’s governance and risk management processes.
D. Coordinate its governance and risk management-related activities with those of the independent
outside auditor.
22. Which of the following would not be considered a first line of defense in the Three Lines of
Defense model
A. A divisional controller conducts a peer review of compliance with financial control standards.
B. An accounts payable clerk reviews supporting documents before processing an invoice for payment.
C. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed
properly.
D. A production line worker inspects finished goods to ensure the company’s quality standards are met
23. Which of the following would be considered a first line of defense in the Three Lines of Defense
model
A. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by
the required payment date
B. A divisional compliance and ethics officer conducting a review of employee training records to ensure
that all marketing and sales staff have completed the required FCPA training
C. The external audit team observes the counting of inventory on December 31
D. An internal audit team conducting an engagement to provide assurance on the company’s Sarbanes-
Oxley compliance with internal controls over financial reporting
24. Which of the following would be considered a second line of defense in the Three Lines of
Defense model?
A. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by
the required payment date.
B. A divisional compliance and ethics officer conducting a review of employee training records to ensure
that all marketing and sales staff have completed the required FCPA training
C. A shift supervisor inspecting a sample of finished goods to ensure quality standards are met.
D. An internal audit team conducting an engagement to provide assurance on the company’s Sarbanes-
Oxley compliance with internal controls over financial reporting
25. What are the major components of governance?
1. Strategic direction
2. Oversight
3. Regulations
4. Ethics
A. 1 and 2 only.
B. 1, 2 and 4 only.
C. 2 and 4 only.
D. 3 and 4 only.
26. Governance should help ensure that the objectives of an entity's stakeholders are met.
Stakeholders include
A. Employees and Customers
B. Regulators and Suppliers
C. Suppliers, Regulators and Customers
D. Employees, Suppliers, Regulators and Customers
27. Which of the following is not a goal of corporate governance?
A. Complying with society's legal and regulatory rules
B. Providing an overall benefit to society
C. Reporting fully and truthfully to stakeholders
D. Maximizing executive compensation
28. The internal audit activity most directly contributes to an organization's governance process by
A. Identifying significant exposures to risk
B. Evaluating the design of ethics-related activities
C. Evaluating the effectiveness of internal control over financial reporting
D. Promoting continuous improvement of controls
29. According to COSO ERM, which of the following is not an inherent challenge that arises as
part of establishing strategy and business objectives?
A. Ensuring culture is clearly articulated by the board.
B. Possibility of strategy not aligning
C. Implications from the strategy chosen
D. Risk to achieving the strategy
30. Who has primary responsibility for the monitoring component of internal control?
A. The organization's independent outside auditor.
B. The organization's internal audit function.
C. The organization's management.
D. The organization's board of directors
31. Which of the following is not an example of a risk sharing strategy?
A. Outsourcing a noncore, high-risk area
B. Hedging against interest rate fluctuations
C. Selling a nonstrategic business unit
D. Buying an insurance policy to protect against adverse weather
32. After business risks have been identified, they should be assessed in terms of their inherent
A. Impact and likelihood
B. Likelihood and probability
C. Significance and severity
D. Significance and control effectiveness
33. Which of the following risk management activities is out of sequence in terms of timing?
A. Identify, assess, and prioritize risks
B. Develop risk responses/treatments
C. Determine key organizational objectives
D. Monitor the effectiveness of risk responses/treatments
34. Who is responsible for implementing ERM?
A. The chief financial officer
B. The chief audit executive
C. The chief compliance officer
D. Management throughout the organization
35. Which of the following is not a potential value driver for implementing ERM?
A. Financial results will improve in the short run
B. There will be fewer surprises from year to year
C. There will be better information available to make risk decisions.
D. An organization's risk appetite can be aligned with strategic planning
36. Which of the following is the best reason for the CAE to consider the organization's strategic
plan in developing the annual internal audit plan?
A. To emphasize the importance of the internal audit function to the organization.
B. To ensure that the internal audit plan will be approved by senior management
C. To make recommendations to improve the strategic plan
D. To ensure that the internal audit plan supports the overall business objectives
37. Which of the following is not a goal of corporate governance?
A. Complying with the society's legal and regulatory rules
B. Providing an overall benefit to society
C. Earning a profit.
D. Reporting fully and truthfully to stakeholders
38. What risk response option is being applied by the organization: “Action is taken to reduce the
risk impact, likelihood, or both. This involves a myriad of everyday business decisions, such as
implementing controls”
A. Acceptance
B. Avoidance
C. Pursuit
D. Reduction
E. Sharing
39. COSO's Internal Control Framework consists of five internal control components and 17
principles for achieving effective internal control. Which of the following is/are (a) principle(s)?

I. The organization demonstrates a commitment to integrity and ethical values.

II. A level of assurance that is supported by generally accepted auditing procedures and judgments.

III. A body of guiding principles that form a template against which organizations can evaluate a
multitude of business practices.

IV. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning.

A. I only
B. I and IV only
C. II and IV only
D. I, II, III, and IV

40. When assessing the risk associated with an activity, an internal auditor should:
A. Determine how the risk should best be managed
B. Provide assurance on the management of the risk
C. Update the risk management process based on risk exposures
D. Design controls to mitigate the identified risks
41. Internal auditors provide their financial reporting assurance services primarily for the benefit
of: (Select all correct answers)
A. Third parties
B. Management
C. Board of directors
D. Employees
42. An effective system of internal controls is most likely to detect a fraud perpetrated by a:
A. Group of employees in collusion
B. Single employee
C. Group of managers in collusion
D. Single manager
43. Enterprise risk management
A. Guarantees achievement of business objectives
B. Requires establishment of risk and control activities by internal auditors
C. Includes selection of best risk response for the organization
D. Involves the identification of events with negative impacts on business objectives.
44. What is residual risk?
A. Impact of risk.
B. Risk that is under control
C. Underlying risk in the environment
D. Risk that is not managed.
45. Which of the following best describes an internal auditor’s purpose in reviewing the
organization’s existing governance, risk management, and control processes?
A. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives.
B. To ensure that weaknesses in the internal control system are corrected.
C. To provide reasonable assurance that the processes will enable the organization’s objectives and goals
to be met efficiently and economically.
D. To determine whether the processes ensure that the accounting records are correct and that financial
statements are fairly stated
46. Which of the following is a preventive control?
A. credit check before approving a sale on account
B. bank reconciliation
C. physical inventory count
D. comparing the accounts receivable subsidiary
47. The bank reconciliation uncovered a transposition error in the books. This is an example of a
A. detective control
B. preventive control
C. corrective control
D. feedforward control
48. Reasonable assurance, as it pertains to internal control, means that:
A. The objectives of internal control vary depending on the method of data processing used
B. A well-designed system of internal controls will prevent or detect all errors and fraud
C. Inherent limitations of internal control preclude a system of internal control from providing absolute
assurance that objectives will be achieved
D. Management cannot override controls, and employees cannot circumvent controls through collusion
49. Which of the following best exemplifies a control activity referred to as independent
verification?
A. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions
B. Identification badges and security codes used to restrict entry to the production facility
C. Accounting records and documents that provide a trail of sales and cash receipt transactions
D. Separating the physical custody of inventory from inventory accounting
50. The risk assessment component of internal control involves the:
A. Independent outside auditor’s assessment of residual risk.
B. Internal audit function’s assessment of control deficiencies.
C. Organization’s identification and analysis of the risks that threaten the achievement of its objectives.
D. Organization’s monitoring of financial information for potential material misstatements.
51. Which of the following is not an element of the internal control environment?
A. management philosophy and operating style
B. organizational structure of the firm
C. well-designed documents and records
D. the functioning of the board of directors and the audit committee
52. Which of the following is not an internal control procedure?
A. authorization
B. management's operating style
C. independent verification
D. physical control
53. Which of the following is NOT a risk response strategy for a positive risk?
A. Exploiting
B. Enhancing
C. Transferring
D. Acceptance
54. According to COSO, the difference between inherent risk and residual risk is management's?
A. inability to reduce the inherent risk
B. actions to reduce the inherent risk
C. inability to share the residual risk
D. actions to reduce the residual risk
55. Management has carefully evaluated the likelihood and impact of events on its foreign operations.
In the event of a 3% variation in exchange rate, the impact is estimated at $10 million without any action
taken by management and $6 million if the company purchases a hedge instrument. The impact of the
residual risk of changes in foreign currency exchange on achieving company's business objectives is:
A. $10 M
B. $16 M
C. $6 M
D. $4 M
56. According to COSO ERM, which of the following is not an inherent challenge that arises as
part of establishing strategy and business objectives?
A. Ensuring culture is clearly articulated by the board.
B. Possibility of strategy not aligning.
C. Implications from the strategy chosen.
D. Risk to achieving the strategy
57. Which of the following is one of the 5 Cs essential to success as an internal auditor?

(1) Courage.

(2) Collaboration.

(3) Candidness.

(4) Competence
A. (1) and (2) only
B. (1) and (4) only
C. (3) and (4) only
D. (1), (2), (3) and (4)

58. Governance should help ensure that the objectives of an entity's stakeholders are met.
Stakeholders include

1. Employees

2. Regulators

3. Suppliers

4. Customers
A. (1) and (4) only
B. (2) and (3) only
C. (2), (3) and (4) only
D. (1), (2), (3) and (4)
59. Which of the following is not a goal of corporate governance
A. Complying with society's legal and regulatory rules
B. Providing an overall benefit to society
C. Maximizing executive compensation
D. Reporting fully and truthfully to stakeholders
60. The internal audit activity most directly contributes to an organization's governance process by
A. Identifying significant exposures to risk
B. Evaluating the effectiveness of internal control over financial reporting.
C. Evaluating the design of ethics-related activities.
D. Promoting continuous improvement of controls.
61. Who is responsible for implementing ERM?
A. The chief financial officer
B. The chief audit executive
C. Management throughout the organization
D. The chief compliance officer
62. Which of the following is not a potential value driver for implementing ERM?
A. Financial results will improve in the short run.
B. The chief audit executive
C. There will be fewer surprises from year to year.
D. An organization's risk appetite can be aligned with strategic planning
63. When assessing the risk associated with an activity, an internal auditor should
A. Determine how the risk should best be managed.
B. Provide assurance on the management of the risk.
C. Update the risk management process based on risk exposures.
D. Design controls to mitigate the identified risks.
64. From an organization's standpoint, because internal auditors are seen to be "internal control
experts," they also are:
a. Fraud risk management process owners, and hence, the first and most important line of defense
against fraudulent financial reporting or asset misappropriation.
b. The best resource for audit committees, management, and others to consult in-house when
setting up anti-fraud programs and controls, even if they may not have any fraud investigation
experience.
c. The best candidates to lead an investigation of a fraud incident involving the potential violation
of laws and regulations.
d. The primary decision-maker in terms of determining punishment or other consequences for
fraud perpetrators.
65. An organization that manufactures and sells computers is trying to boost sales between now and the
end of the year. It decides to offer its sales representatives a bonus based on the number of units they
deliver to customers before the end of the year. The price of all computers is determined by the
vice president of sales and cannot be changed by sales representatives. Which of the following presents
the greatest reason a sales representative may commit fraud with this incentive program?
A. Sales representative may sell units that have a lower margin than other units.
B. Customers have the right to return a laptop for up to 90 days after purchase.
C. The units delivered may be defective.
D. The customers may not pay for the computers timely
66. A payroll clerk increased the hourly pay rate of a friend and shared the resulting overpayment with
the friend. Which of the following controls would have best served to prevent this fraud?
A. Requiring that all changes to pay records be recorded on a standard form.
B. Limiting the ability to make changes in payroll system personnel information to authorized
HR department supervisors.
C. Periodically reconciling pay rates per personnel records with those of the payroll system.
D. Monitoring payroll costs by department supervisors monthly
67. The internal audit function's responsibilities with respect to fraud are limited to:
A. The organization's operational and compliance activities only because financial reporting
matters are the responsibility of the independent outside auditor.
B. Monitoring any calls received through the organization's whistleblower hotline but not
necessarily conducting a follow-up investigation.
C. Being aware of fraud indicators, including those relating to financial reporting fraud, but
not necessarily possessing the expertise of a fraud investigation specialist.
D. Ensuring that all employees have received adequate fraud awareness training
68. Which of the following types of companies would most likely need the strongest anti-fraud controls?
A. A manufacturer of popular athletic shoes.
B. A grocery store.
C. A bank.
D. An internet-based electronics retailer
