CHAPTER 6 QUIZ

Select the best answer for each of the following questions.

1. Which of the following best describes an internal auditor’s purpose in reviewing the
organization’s existing governance, risk management, and control processes?
c. To provide reasonable assurance that the processes will enable the organization’s objectives
and goals to be met efficiently and economically.
Answer A is incorrect because it is a purpose of audit planning. Answer B is incor-rect because
correcting control weaknesses is a function of management, not of the internal auditor. Answer
D is incorrect because it is a basic objective from a financial accounting and auditing perspec-
tive, but it is not broad enough to cover the internal auditor’s entire purpose for review.
2. What is residual risk?
c. Risk that is not managed.
Residual risk is the risk that is left over after all controls and risk management techniques have
been applied. Answer A is incorrect because the impact of risk is its consequence. Answer B is
incorrect because risk that is under control is managed risk. Answer D is incorrect because the
underlying risk is the absolute risk.
3. The requirement that purchases be made from suppliers on an approved vendor list is an
example of a:
a. Preventive control.
Preventive controls are actions taken prior to the occurrence of transactions with the intent of
stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of
unacceptable suppliers. Answer B is incorrect because a detective control identifies errors after
they have occurred. Answer C is incorrect because compensating controls are designed to
supplement key controls that are either ineffective or cannot fully mitigate risks by themselves to
acceptable levels. Answer D is incorrect because monitoring controls are designed to ensure the
quality of the control system’s performance over time.
4. An effective system of internal controls is most likely to detect a fraud perpetrated by a:
b. Single employee.
An effective system of internal controls is likely to expose a fraud if it is perpe-trated by one
employee without the aid of others. Answer A is incorrect because a group has a better chance
of successfully perpetrating an irregularity than does an individual employee. Answers C and D
are incorrect because management can often override controls, singularly or in groups.
5. The control that would most likely ensure that payroll checks are written only for authorized
amounts is to:
c. Require supervisory approval of employee time cards.
The employee’s supervisor would be in the best position to ensure payment of the proper
amount. Answer A is incorrect because employees may be properly included on payroll, but the
amounts paid may be unauthorized. Answer B is incorrect because undelivered checks provide
no evi-dence regarding validity of the amounts. Answer D is incorrect because witnessing a
payroll distribu-tion would not assure that amounts paid are authorized.
6. An internal auditor plans to conduct an audit of the adequacy of controls over investments in
new financial instruments. Which of the following would not be required as part of such an
engagement?
c. Determine whether the treasurer is getting higher or lower rates of return on investments
than treasurers in comparable organizations.
Although this might be informational, there is no need to develop a comparison of investment
returns with other organizations. Indeed, some financial investment scandals show that such
 comparisons can be highly misleading because high returns were due to taking on a high level of
risk. Also, this is not a test of the adequacy of the controls.
7. Appropriate internal control for a multinational corporation’s branch office that has a
department responsible for the transfer of money requires that:
a. The individual who initiates wire transfers does not reconcile the bank statement.
Independent reconciliation of bank accounts is necessary for good internal control.
8. Who has primary responsibility for the monitoring component of internal control?
c. The organization’s management.
The organization’s management has primary responsibility for the monitoring component of
internal control.
9. Reasonable assurance, as it pertains to internal control, means that:
c. Inherent limitations of internal control preclude a system of internal control from providing
absolute assurance that objectives will be achieved.
Inherent limitations of internal control do, in fact, preclude a system of inter-nal control from
providing absolute assurance that objectives will be achieved.
10. Which of the following best exemplifies a control activity referred to as independent verification?
a. Reconciliation of bank accounts by someone who does not handle cash or record cash
transactions.
A reconciliation performed by someone not otherwise involved in processing a transaction is an
example of an independent verification control activity.
11. The risk assessment component of internal control involves the:
c. Organization’s identification and analysis of the risks that threaten the achievement of its
objectives.
The risk assessment component of internal control involves an organization’s identification and
analysis of the risk that threaten the achievement its objectives.
12. COSO’s Internal Control Framework consists of five internal control components and 17
principles for achieving effective internal control. Which of the following is/are (a) principle(s)?
I. The organization demonstrates a commitment to integrity and ethical values.
II. Monitoring activities.
III. A level of assurance that is supported by generally accepted auditing procedures and
judgments.
IV. A body of guiding principles that form a template against which organizations can evaluate a
multitude of business practices.
V. The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
b. I and V only.
I is principle 1 under Control Environment. V is principle 16 under Monitoring Activities. II is one
of the five elements. III is the definition of reasonable assurance. IV is the definition of a
framework.
13. When assessing the risk associated with an activity, an internal auditor should:
b. Provide assurance on the management of the risk.
The other choices reflect activities that should be performed by management.
14. Determining that engagement objectives have been met is ultimately the responsibility of the:
d. CAE.
The CAE has ultimate responsibility for all activities performed by the internal audit function.
Internal auditors and internal audit supervisors do not have the same level of responsi-bility as
the CAE. The audit committee doesn’t have this level of responsibility.
15. An adequate system of internal controls is most likely to detect an irregularity perpetrated by a:
b. Single employee.
To be designed adequately and operating effectively, ICFR should address the concepts of
initiation, authorization, recording, processing, and reporting. Seeking is not addressed by ICFR