Chapter 1: Definition, Characteristics, and Guidance

1. Which of the following best defines operational auditing?
A. A compliance-focused review of accounting procedures
B. A future-oriented, systematic, independent evaluation of activities
C. A retrospective analysis of financial reporting accuracy
D. A review of tax obligations of an organization

2. Independence in internal auditing refers primarily to:
A. The ability to avoid conflicts of interest in reporting
B. The mindset of being skeptical of management
C. Reporting directly to the highest level of governance
D. Auditors having no social relationships with employees

3. Internal audit provides what type of assurance?
A. Absolute assurance
B. Reasonable assurance
C. Guaranteed assurance
D. Statistical assurance

4. Which of the following is NOT a core component of the IIA definition of internal auditing?
A. Objectivity
B. Independence
C. Consulting activity
D. Profit maximization

5. Stakeholders include all of the following EXCEPT:
A. Employees
B. Competitors
C. Customers
D. Creditors

6. Which characteristic best describes a risk-based audit?
A. Focusing on financial compliance alone
B. Centered on testing all controls without prioritization
C. Assessing risks and aligning audits with organizational objectives
D. Identifying outdated procedures

7. The primary role of operational auditors is to:
A. Report tax irregularities to regulators
B. Validate accounting procedures only
C. Evaluate and improve risk management, control, and governance processes
D. Produce financial statements

8. A key limitation of standardized checklists in auditing is:
A. They reduce independence
B. They may hinder creativity and adaptability
C. They increase costs
D. They fail to meet IIA standards

9. Which skill is ranked as the top general competency for auditors?
A. IT programming skills
B. Report writing and communication skills
C. Financial modeling skills
D. Budgeting and forecasting

10. Which of the following is NOT a behavioral skill for internal auditors?
A. Confidentiality
B. Objectivity
C. Team building
D. Aggressiveness

11. Which external event accelerated changes in auditing during the early 2000s?
A. The Asian Financial Crisis
B. Sarbanes–Oxley Act of 2002
C. Global recession of 2008
D. Dot-com IPO boom

12. Which of the following best describes consulting in auditing?
A. Providing absolute guarantees on financial controls
B. Giving advice to improve organizational processes
C. Preparing tax returns for the company
D. Conducting compliance-only reviews

13. Fiduciary responsibility refers to:
A. The duty of auditors to produce profits
B. A legal duty to act solely in another party’s interests
C. A consulting engagement requirement
D. The internal control system

14. The shift from control-based to risk-based audits implies:
A. Less interaction with process owners
B. Greater emphasis on future threats and vulnerabilities
C. Exclusive focus on compliance
D. Reliance only on historical data

15. Which stakeholder group is considered "primary/economic"?
A. Media
B. Activist groups
C. Customers
D. Local communities

16. Which of the following is a secondary stakeholder?
A. Creditors
B. Employees
C. Suppliers
D. Activist groups

17. Internal audit contributes to corporate governance by:
A. Setting corporate strategy directly
B. Providing independent assessments of governance structures
C. Replacing external audit entirely
D. Running management decisions

18. Which element is NOT part of the definition of internal auditing?
A. Assurance
B. Consulting
C. Independence
D. Sales maximization

19. Which risk is MOST associated with outdated auditing practices?
A. Operational inefficiency
B. Tax noncompliance
C. Inflationary pressure
D. Interest rate fluctuations

20. A hallmark of effective auditors is their ability to:
A. Rely solely on standardized programs
B. Communicate effectively across all levels
C. Avoid recommending changes
D. Focus only on financial controls

Chapter 2: Objectives and Phases of Operational Audits

21. Which of the following is NOT a key objective of operational audits?
A. Evaluate internal controls
B. Assess efficiency and effectiveness
C. Identify tax evasion risks
D. Improve operations

22. Which is the first phase of an operational audit?
A. Planning
B. Fieldwork
C. Reporting
D. Follow-up

23. Which type of audit evidence involves observing activities as they occur?
A. Testimonial
B. Observation
C. Document inspection
D. Reperformance

24. Which document is commonly used to summarize audit testing results?
A. Journal entries
B. Workpapers
C. Board minutes
D. Financial statements

25. Flowcharts in operational auditing are used primarily to:
A. Represent control failures
B. Depict processes visually
C. Replace audit reports
D. Document recommendations only

26. An Internal Control Questionnaire (ICQ) is used to:
A. Interview board members
B. Evaluate design of controls systematically
C. Replace financial statements
D. Assess environmental risk

27. The final stage of the audit process is:
A. Planning
B. Reporting
C. Follow-up
D. Evidence collection

28. Which audit phase emphasizes professional skepticism?
A. Planning
B. Fieldwork
C. Reporting
D. Follow-up

29. Audit reporting should be:
A. Biased toward management’s opinion
B. Objective, accurate, and timely
C. Focused only on compliance
D. Informal and verbal

30. What is the purpose of electronic workpapers?
A. To automate risk assessments
B. To replace staff auditors
C. To store, organize, and share audit documentation
D. To bypass reporting requirements

31. Which type of evidence is considered the strongest?
A. Testimonial
B. Observation
C. Documentary
D. Recalculation/Reperformance

32. Which is the primary purpose of audit follow-up?
A. To reissue findings
B. To verify corrective actions have been implemented
C. To repeat audit testing indefinitely
D. To close workpapers

33. A metric in operational audits typically measures:
A. Control effectiveness only
B. People, processes, and technology performance
C. Board governance decisions
D. Tax compliance levels

34. Which activity is performed during planning?
A. Assess risk factors
B. Issue the audit report
C. Retest implemented controls
D. Train staff on IT skills

35. Which of the following is NOT a type of audit evidence?
A. Testimonial
B. Observation
C. Document inspection
D. Internal audit recommendations

36. Workpapers must be:
A. Informal notes
B. Complete, accurate, and clear
C. Excluded from electronic systems
D. Rewritten by management

37. Which audit phase includes recalculation and reperformance?
A. Planning
B. Fieldwork
C. Reporting
D. Follow-up

38. Which is the best description of risk factors?
A. Variables that may hinder audit planning
B. Elements that can prevent objectives from being achieved
C. Only financial irregularities
D. All compliance rules

39. Which stage requires the auditor to communicate results to stakeholders?
A. Planning
B. Fieldwork
C. Reporting
D. Follow-up

40. Which is a key challenge in follow-up audits?
A. Gathering sufficient testimonial evidence
B. Ensuring recommendations are implemented effectively
C. Preparing flowcharts
D. Conducting initial planning interviews

Chapter 3: Risk Assessments

41. Risk assessment primarily involves:
A. Evaluating external auditors’ independence
B. Identifying and measuring organizational risks
C. Preparing annual tax statements
D. Reviewing past audit reports only

42. A risk matrix is used to:
A. Summarize financial ratios
B. Plot likelihood and impact of risks
C. Document audit programs
D. Compare internal vs. external auditors

43. Control Self-Assessments (CSAs) are important because:
A. They allow regulators to set policies
B. They empower employees to evaluate risks and controls
C. They replace external audit entirely
D. They eliminate the need for documentation

44. Which of the following is NOT a type of control?
A. Preventive
B. Detective
C. Corrective
D. Alternative investments

45. Business activities with high risk implications often include:
A. Effective customer loyalty programs
B. Poor vendor relationships and weak IT systems
C. Corporate philanthropy programs
D. Stable economic environments

46. Which is the first step in risk assessment?
A. Risk measurement
B. Risk identification
C. Control testing
D. Audit reporting

47. Which of the following represents a technological risk?
A. Delays in delivery
B. System failures and data breaches
C. Employee absenteeism
D. Overproduction

48. A high-likelihood, high-impact risk would fall into which matrix category?
A. Low priority
B. Moderate concern
C. Critical
D. Negligible

49. Which is an example of a preventive control?
A. Monthly bank reconciliation
B. System password requirements
C. Fraud investigation reports
D. Reviewing exception logs

50. Assessing risks helps auditors:
A. Allocate resources effectively
B. Avoid compliance entirely
C. Focus only on external factors
D. Replace governance structures

51. Which control type focuses on discovering errors after they occur?
A. Preventive
B. Detective
C. Corrective
D. Proactive

52. Corrective controls are designed to:
A. Prevent errors from occurring
B. Identify fraud after it happens
C. Fix or mitigate problems once detected
D. Ignore inefficiencies

53. A CSA session is MOST effective when:
A. Only auditors participate
B. Employees and managers collaborate to evaluate risks
C. Reports are not documented
D. External auditors lead it exclusively

54. An auditor assessing "future challenges" is demonstrating:
A. Compliance-based auditing
B. Forward-looking risk management
C. Control-based auditing
D. Checklist auditing

55. Which of the following is a business risk?
A. Inefficient procurement process
B. Currency exchange rates
C. Personal employee conflicts
D. External lobbying

56. Why is risk measurement important?
A. It quantifies the severity and likelihood of risks
B. It reduces the need for internal controls
C. It focuses solely on past losses
D. It removes the need for risk identification

57. An auditor focusing only on existing controls without linking them to risks is practicing:
A. Risk-based auditing
B. Control-based auditing
C. Integrated auditing
D. Compliance consulting

58. Which element is NOT typically considered in a risk matrix?
A. Likelihood
B. Impact
C. Frequency
D. Employee salaries

59. The ultimate purpose of risk assessment is to:
A. Minimize audit costs
B. Enhance achievement of organizational objectives
C. Replace internal auditors with consultants
D. Improve financial statement design

60. Which is an example of environmental risk?
A. Weak IT password systems
B. Unreliable electricity supply
C. High staff turnover
D. Decline in customer loyalty

Chapter 4: The 7 Es

61. Effectiveness in auditing refers to:
A. Achieving objectives
B. Minimizing costs
C. Maximizing profits only
D. Producing more reports

62. Efficiency refers to:
A. Performing tasks with minimal waste
B. Maximizing profits only
C. Following compliance regulations
D. Avoiding ethical issues

63. Economy refers to:
A. Spending resources wisely and cost-effectively
B. Increasing output without controls
C. Corporate governance structures
D. Social activism

64. Excellence means:
A. Compliance with basic standards only
B. Striving to achieve superior results beyond minimum expectations
C. Reducing operations to cut costs
D. Avoiding innovation

65. Ethics in operational auditing relates to:
A. Applying strict financial ratios
B. Adhering to moral principles and professional integrity
C. Using only checklists for procedures
D. Focusing solely on efficiency

66. Equity refers to:
A. Treating stakeholders fairly
B. Increasing profitability
C. Selling company shares
D. Maximizing control activities

67. Ecology in the 7 Es highlights:
A. Financial accountability
B. Environmental and sustainability considerations
C. Shareholder voting power
D. Employee training only

68. Which of the 7 Es focuses most directly on sustainability?
A. Efficiency
B. Equity
C. Ecology
D. Excellence

69. Which of the following best links ethics and equity?
A. Both deal with profitability
B. Both address fairness and moral responsibility
C. Both reduce IT costs
D. Both eliminate compliance needs

70. A company reducing waste to improve environmental responsibility is demonstrating:
A. Equity
B. Ecology
C. Efficiency
D. Economy

71. Which of the 7 Es is most closely aligned with cost-effectiveness?
A. Economy
B. Efficiency
C. Effectiveness
D. Excellence

72. Excellence in audit recommendations implies:
A. Meeting the bare minimum compliance level
B. Encouraging best practices and continuous improvement
C. Reducing ethical standards
D. Replacing governance processes

73. A program that meets its objectives but wastes resources lacks:
A. Efficiency
B. Effectiveness
C. Economy
D. Excellence

74. Which E emphasizes reaching the intended goals?
A. Efficiency
B. Effectiveness
C. Economy
D. Equity

75. Fair treatment of employees is primarily linked to which E?
A. Efficiency
B. Ethics
C. Equity
D. Ecology

76. A government audit requiring sustainable practices would emphasize:
A. Ecology
B. Effectiveness
C. Excellence
D. Ethics

77. When auditors consider fairness in resource distribution, they are applying:
A. Economy
B. Efficiency
C. Equity
D. Excellence

78. Which of the following integrates multiple Es simultaneously?
A. Meeting objectives while minimizing costs fairly and ethically
B. Reporting only on financial compliance
C. Avoiding long-term planning
D. Focusing on accounting records only

79. Which is an implication of the 7 Es for auditors?
A. Ensuring organizational activities align with efficiency, ethics, and sustainability
B. Limiting reports to compliance issues
C. Ignoring equity considerations
D. Reducing stakeholder engagement

80. An organization focusing only on profit and ignoring equity and ecology risks:
A. Improved stakeholder trust
B. Reputational damage
C. Increased employee loyalty
D. Compliance excellence

Chapter 5: Control Frameworks

81. Which is the most recognized internal control framework?
A. COSO
B. COBIT
C. ISO
D. ITIL

82. COSO’s Internal Control Framework includes which five components?
A. Planning, Fieldwork, Reporting, Follow-up, Feedback
B. Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
C. Efficiency, Effectiveness, Ethics, Equity, Ecology
D. Standards, Metrics, Workpapers, Flowcharts, Reporting

83. The control environment includes:
A. Tone at the top and ethical values
B. Audit reports only
C. Tax compliance requirements
D. Customer loyalty programs

84. Entity-level controls are:
A. Controls affecting the entire organization
B. Limited to one department
C. Focused only on IT security
D. Primarily for financial reporting

85. Tone in the middle emphasizes:
A. Ethical conduct across middle management
B. Board of directors’ responsibilities only
C. Employee turnover
D. Cost-cutting programs

86. COBIT is a framework specifically for:
A. IT governance and control
B. Environmental audits
C. Equity and ethics
D. Manufacturing productivity

87. ISO frameworks typically emphasize:
A. International standards for quality and risk management
B. U.S.-only compliance systems
C. Equity principles
D. Excellence in marketing

88. ITIL is designed for:
A. IT service management best practices
B. Control environment evaluation
C. Monitoring audit performance
D. Financial reporting standards

89. Which framework integrates governance, risk, and compliance?
A. COSO ERM
B. ISO 9000
C. COBIT
D. ITIL

90. Control activities include:
A. Policies and procedures ensuring directives are carried out
B. Stakeholder analysis
C. Sustainability reports
D. Employee ethics training

91. Which control principle emphasizes communication and consistency?
A. Control activities
B. Risk assessment
C. Control environment
D. Monitoring

92. Monitoring activities involve:
A. Continuous evaluation of internal control performance
B. Setting organizational strategy
C. Reviewing stakeholder equity
D. Developing sustainability reports

93. Which risk type is MOST associated with IT frameworks like COBIT?
A. Customer satisfaction risk
B. Information and technological risk
C. Environmental risk
D. Governance risk

94. Form over substance in control frameworks warns against:
A. Focusing on documentation without real implementation
B. Overusing IT resources
C. Ignoring sustainability
D. Prioritizing ethics above compliance

95. Which framework helps assess organizational maturity levels?
A. ITIL
B. COBIT
C. ISO
D. CMMI

96. Risk assessment in COSO focuses on:
A. Identifying and analyzing relevant risks
B. Checking compliance with tax codes
C. Validating only equity concerns
D. Ensuring excellence standards

97. Information and communication in COSO emphasize:
A. Effective flow of relevant, timely, and accurate data
B. Ethical fairness to employees
C. Environmental sustainability
D. Stakeholder activism

98. Which framework is most applicable to IT service delivery improvement?
A. ISO
B. ITIL
C. COSO ERM
D. CMMI

99. Which COSO element directly relates to policies and procedures?
A. Control activities
B. Risk assessment
C. Monitoring
D. Control environment

100. The ultimate goal of control frameworks is to:
A. Ensure profits are maximized
B. Strengthen internal control systems to achieve organizational objectives
C. Eliminate all risks completely
D. Replace external auditors

Answer Key

1. B   2. C   3. B   4. D   5. B   6. C   7. C   8. B   9. B   10. D
11. B   12. B   13. B   14. B   15. C   16. D   17. B   18. D   19. A   20. B
21. C   22. A   23. B   24. B   25. B   26. B   27. C   28. B   29. B   30. C
31. D   32. B   33. B   34. A   35. D   36. B   37. B   38. B   39. C   40. B
41. B   42. B   43. B   44. D   45. B   46. B   47. B   48. C   49. B   50. A
51. B   52. C   53. B   54. B   55. A   56. A   57. B   58. D   59. B   60. B
61. A   62. A   63. A   64. B   65. B   66. A   67. B   68. C   69. B   70. B
71. A   72. B   73. A   74. B   75. C   76. A   77. C   78. A   79. A   80. B
81. A   82. B   83. A   84. A   85. A   86. A   87. A   88. A   89. A   90. A
91. C   92. A   93. B   94. A   95. D   96. A   97. A   98. B   99. A   100. B

Chapter 1: Definition, Characteristics, and Guidance

1. An auditor notices that management insists on following outdated approval processes even though the ERP system already provides adequate segregation of duties. What risk does this illustrate?
A. Independence risk
B. Operational inefficiency
C. Fraudulent reporting
D. Lack of compliance

2. While performing an audit, you discover that you are being asked to report to the manager of the department under review. Which independence principle is at risk?
A. Independence of fact
B. Independence of appearance
C. Objectivity
D. Governance

3. An audit team insists on using the same checklist year after year without adapting to organizational changes. What weakness is MOST likely?
A. Reduced independence
B. Loss of creativity and relevance
C. Higher audit costs
D. Failure to detect fraud

4. A new internal auditor avoids joining company social gatherings to protect objectivity, but this leads to employees being reluctant to share information. What balance is being tested?
A. Confidentiality vs. independence
B. Social interaction vs. objectivity
C. Competence vs. communication
D. Compliance vs. assurance

5. A multinational company struggles with high turnover because auditors still expect headquarters to approve all transactions. This demonstrates a failure to adapt to:
A. Stakeholder analysis
B. Globalization and decentralization
C. COSO risk framework
D. CSA practices

6. During a board meeting, a director asks the CAE whether the audit team provides “absolute assurance.” How should the CAE respond?
A. “Yes, absolute assurance is always possible.”
B. “No, auditors only provide reasonable assurance.”
C. “Auditors only provide financial assurance.”
D. “Assurance depends on external auditors.”

7. An auditor notices employees doing repetitive tasks “because that’s how we’ve always done it.” What critical audit question should be asked?
A. Who
B. Why
C. When
D. How

8. A company releases a sustainability report to attract investors. Which key stakeholder interest is being addressed?
A. Efficiency
B. Transparency
C. Profitability
D. Compliance

9. A manufacturing audit reveals management is reluctant to implement recommendations, even after risks are identified. What is the auditor’s best next step?
A. Escalate concerns to the audit committee
B. Stop the audit immediately
C. Revise the findings to satisfy management
D. Focus on financial risks only

10. In an interview, employees are unclear about company policies. Which definition element of internal auditing is MOST relevant?
A. Adding value
B. Consulting
C. Governance
D. Systematic evaluation

11. A company executive complains that auditors “don’t add value.” Which response BEST aligns with the IIA definition?
A. “We ensure compliance only.”
B. “We improve operations and governance effectiveness.”
C. “We prepare your tax reports.”
D. “We prevent fraud absolutely.”

12. Which scenario shows a threat to auditor objectivity?
A. Auditor accepts a small gift from a client
B. Auditor attends training on risk frameworks
C. Auditor performs risk-based planning
D. Auditor questions internal controls

13. The audit committee wants auditors to investigate whether controls align with organizational objectives. Which approach should auditors use?
A. Controls-based auditing
B. Risk-based auditing
C. Compliance-only auditing
D. Financial auditing

14. A company adds excessive controls after every audit. What unintended risk could this create?
A. Bureaucracy and inefficiency
B. Reduced objectivity
C. Lack of independence
D. Financial misstatement

15. A new auditor with a background in nursing joins the team. Why might this be valuable?
A. They understand IT systems deeply
B. They bring diverse perspectives on operational risks
C. They know international tax law
D. They can replace external auditors

16. Which example demonstrates fiduciary responsibility?
A. A manager prioritizes shareholder interests over personal gain
B. An auditor refuses to report fraud to avoid conflict
C. A department head reduces costs by cutting compliance
D. An auditor accepts a bonus from a vendor

17. An organization ignores activist group concerns about unethical practices. Which stakeholder group is being neglected?
A. Primary
B. Secondary
C. Economic
D. Internal

18. Management accuses auditors of being “corporate cops.” Which role should auditors emphasize instead?
A. Compliance enforcers
B. Value-adding business advisors
C. Accounting technicians
D. Tax consultants

19. A risk-based audit identifies poor customer service as a major threat. What type of risk is this?
A. Financial
B. Operational
C. Environmental
D. Strategic

20. During planning, auditors ask: “If you were running this department, what would you do differently?” What is the purpose?
A. Detect fraud only
B. Encourage ownership and identify improvements
C. Focus on tax implications
D. Avoid writing recommendations

Chapter 2: Objectives and Phases of Operational Audits

21. During the planning phase, an auditor learns that the department recently changed its leadership and several new systems were implemented. What should the auditor do first?
A. Use last year’s audit plan unchanged
B. Update the risk assessment to reflect current conditions
C. Postpone the audit
D. Skip directly to reporting

22. An auditor interviews staff and notices inconsistent responses about workflow. Which audit technique is most appropriate next?
A. Document inspection
B. Flowcharting the process
C. Ratio analysis
D. Tax compliance testing

23. A company implements a new payroll system. Which type of evidence is most reliable to test its accuracy?
A. Employee testimony
B. Observation of the system in use
C. Recalculation of payroll outputs
D. Management assurances

24. An auditor documents a process in detail, including steps, control points, and responsible parties. What is being developed?
A. Audit workpaper
B. Audit objective
C. Financial statement note
D. Compliance checklist

25. After issuing the report, management delays corrective actions. What is the auditor’s responsibility?
A. Close the file and ignore it
B. Follow up to verify implementation of recommendations
C. Re-perform all fieldwork
D. Reassign the audit to external auditors

26. During an operational audit, an auditor discovers serious fraud indicators. What is the best immediate action?
A. Stop the audit and leave quietly
B. Report the issue promptly to appropriate authority levels
C. Ignore it until follow-up
D. Handle it in the final summary only

27. A team finds that employees know procedures but fail to follow them. Which control weakness is indicated?
A. Design deficiency
B. Operating effectiveness deficiency
C. Monitoring deficiency
D. Control environment weakness

28. An auditor notices that flowcharts and ICQs do not match actual practices. What should the auditor conclude?
A. Documentation is outdated or inaccurate
B. Evidence collection is unnecessary
C. Controls are strong
D. Audit risk is low

29. During fieldwork, an auditor discovers management overstates compliance with company policies. Which audit skill is critical here?
A. Technical IT skill
B. Professional skepticism
C. Tax analysis
D. Financial modeling

30. An auditor finds a significant gap in segregation of duties but no fraud has occurred yet. What should the report emphasize?
A. No action required since fraud is absent
B. Potential risk due to weak control environment
C. Praise for avoiding fraud
D. Tax implications only

31. A department head argues the auditor’s recommendations are too costly. What should the auditor do?
A. Withdraw the recommendation
B. Justify the recommendation by showing cost-benefit analysis
C. Refuse to discuss costs
D. Revise the report to please management

32. Management requests that findings be presented in a meeting before the report is issued. This practice is:
A. Acceptable, as long as independence is maintained
B. Prohibited
C. Required by IIA Standards
D. Replaces the written report

33. If an auditor fails to document evidence properly in workpapers, which risk is greatest?
A. Weak communication with management
B. Inability to support findings
C. Stronger independence
D. Faster audit closure

34. During a follow-up, the auditor finds partial implementation of recommendations. What is the best reporting approach?
A. State implementation is complete
B. Indicate partial progress and remaining risks
C. Ignore changes
D. Repeat all fieldwork

35. When testing control reliability, auditors re-perform a sample of transactions. This provides:
A. Compliance evidence only
B. High assurance about control effectiveness
C. Limited assurance
D. No audit value

36. An auditor reports that management ignored a high-risk area during planning. Which audit objective is compromised?
A. Efficiency
B. Risk-based prioritization
C. Consulting role
D. Evidence collection

37. If an auditor gathers evidence only from management interviews, what weakness exists?
A. Lack of objectivity
B. Over-reliance on testimonial evidence
C. Independence failure
D. Excessive cost

38. An organization wants to measure whether resources were used wisely. Which objective of operational auditing applies?
A. Efficiency
B. Effectiveness
C. Economy
D. Excellence

39. In preparing the report, an auditor includes only positive findings. Which quality of audit reporting is violated?
A. Timeliness
B. Objectivity and balance
C. Conciseness
D. Formatting

40. A CAE is asked why audits are performed annually. What is the most accurate reply?
A. “Audits are based on risk assessments, not just the calendar.”
B. “Audits must always be yearly.”
C. “Audits are scheduled to match fiscal year closing.”
D. “External auditors set the frequency.”

Chapter 3: Risk Assessments

41. A purchasing department fails to review vendor contracts, leading to inflated prices. What type of risk is this?
A. Financial risk
B. Operational risk
C. Compliance risk
D. Strategic risk

42. An auditor creates a heat map plotting risks by likelihood and impact. What tool is being used?
A. Control matrix
B. Risk matrix
C. CSA workshop
D. Flowchart

43. A company relies on one IT administrator with full system access. What risk does this create?
A. Independence risk
B. Single point of failure and fraud risk
C. External compliance risk
D. Environmental risk

44. An auditor notes repeated system outages disrupting production. This is BEST classified as:
A. Compliance risk
B. Technological risk
C. Financial risk
D. Reputational risk

45. During a CSA, employees identify risks management had overlooked. What benefit does this show?
A. Reduced auditor independence
B. Enhanced ownership and awareness of risks
C. Increased external costs
D. Decreased audit reliability

46. Which risk is MOST likely in an organization with poor succession planning?
A. Strategic and operational risk
B. Environmental risk
C. Technological risk
D. Compliance risk

47. A risk with low likelihood but extremely high impact should be classified as:
A. Negligible
B. Critical
C. Moderate
D. Acceptable

48. Password policies that require regular updates are an example of which control type?
A. Detective
B. Preventive
C. Corrective
D. Compensating

49. A payroll system error is detected by reconciling payroll accounts monthly. What control type is this?
A. Detective
B. Preventive
C. Corrective
D. Monitoring

50. After detecting fraud, management revises policies to prevent recurrence. What control type is applied?
A. Preventive
B. Detective
C. Corrective
D. Ineffective

51. An auditor ignores risk assessment and selects audit areas randomly. Which audit weakness results?
A. Biased reporting
B. Inefficient resource use
C. Increased auditor independence
D. Reduced compliance

52. A risk assessment shows high fraud risk in procurement. Where should auditors focus?
A. Vendor selection and payment processes
B. Marketing campaigns
C. Customer loyalty programs
D. Media relations

53. If risk measurement focuses only on past losses, what limitation arises?
A. Failure to anticipate future risks
B. Over-reliance on external auditors
C. Excessive monitoring
D. Ineffective preventive controls

54. A high-risk process lacks monitoring. Which COSO component is weakest?
A. Control environment
B. Monitoring activities
C. Risk assessment
D. Control activities

55. Which situation illustrates environmental risk?
A. Earthquake disrupting operations
B. Supplier fraud
C. Employee theft
D. Cyberattack

56. Management insists that risks cannot be eliminated completely. The auditor should respond by emphasizing:
A. Controls reduce risks to acceptable levels
B. Risks must always be eliminated
C. Risk management is optional
D. Elimination is the sole audit objective

57. A risk matrix classifies a risk as “critical.” What should auditors recommend?
A. Immediate attention and strong controls
B. No further action
C. Annual monitoring only
D. Ignoring the issue

58. An auditor finds controls are in place but not aligned to key risks. This indicates:
A. Control-based auditing
B. Misaligned risk management
C. Excellent governance
D. Strong efficiency

59. A company sets risk tolerance at 5% error rate in transactions. This represents:
A. Risk appetite
B. Risk avoidance
C. Risk identification
D. Control environment

60. A natural disaster destroys a data center. Which type of control would have minimized loss?
A. Preventive
B. Detective
C. Corrective (e.g., disaster recovery)
D. Equity

Chapter 4: The 7 Es

61. An audit finds that a program achieved its targets but wasted resources. Which E is lacking?
A. Effectiveness
B. Efficiency
C. Economy
D. Ethics

62. A department cuts costs but purchases poor-quality materials that hurt operations. Which E is compromised?
A. Economy
B. Efficiency
C. Excellence
D. Ecology

63. A training program exceeds its objectives and builds strong employee loyalty. Which E is demonstrated?
A. Ethics
B. Equity
C. Excellence
D. Effectiveness

64. A company reduces waste disposal costs by recycling. Which Es are achieved simultaneously?
A. Efficiency and Ecology
B. Equity and Ethics
C. Economy and Excellence
D. Effectiveness and Equity

65. Employees complain about unfair promotions. Which E is most relevant?
A. Ethics
B. Equity
C. Ecology
D. Economy

66. Management meets goals but ignores sustainability concerns. Which E is neglected?
A. Effectiveness
B. Ecology
C. Efficiency
D. Excellence

67. A government program achieves objectives but at double the intended cost. Which E is absent?
A. Effectiveness
B. Economy
C. Excellence
D. Ethics

68. An auditor recommends that the company adopt global best practices instead of minimum standards. Which E does this promote?
A. Equity
B. Excellence
C. Ethics
D. Efficiency

69. If auditors emphasize environmental sustainability, which E is being addressed?
A. Ethics
B. Equity
C. Ecology
D. Effectiveness

70. Employees are treated fairly regardless of rank. Which E is reflected?
A. Equity
B. Economy
C. Ecology
D. Excellence

71. A project is under budget but fails to meet key goals. Which Es are absent?
A. Effectiveness and Efficiency
B. Effectiveness and Excellence
C. Equity and Ethics B. Effectiveness
D. Ecology and Efficiency C. Ethics
D. Ecology
72. Which E requires auditors to assess
moral conduct of managers? 78. Which E emphasizes
A. Ethics environmental protection in
B. Equity auditing?
C. Efficiency A. Ecology
D. Effectiveness B. Efficiency
C. Excellence
73. A program achieves objectives
D. Equity
efficiently but treats employees
unfairly. Which E is absent? 79. A company invests in employee
A. Ecology wellness to improve morale and
B. Ethics performance. Which E is reflected?
C. Equity A. Efficiency
D. Economy B. Ethics
C. Excellence
74. A company implements advanced
D. Equity
systems not just to comply but to
be an industry leader. Which E is 80. Which combination of Es is most
this? likely to build long-term
A. Excellence stakeholder trust?
B. Effectiveness A. Efficiency, Effectiveness, Ethics,
C. Equity and Equity
D. Economy B. Economy, Ecology, and
Excellence only
75. A program saves costs by using
C. Effectiveness and Efficiency only
child labor. Which Es are violated?
D. Ethics and Ecology only
A. Ethics and Equity
B. Ecology and Effectiveness
C. Excellence and Efficiency
Chapter 5: Control Frameworks
D. Economy and Ecology
81. A company establishes a strong
76. Which E is best measured by
“tone at the top.” Which COSO
comparing inputs to outputs?
component is emphasized?
A. Efficiency
A. Control environment
B. Effectiveness
B. Risk assessment
C. Economy
C. Control activities
D. Equity
D. Monitoring
77. Which E focuses on achieving
82. An auditor evaluates whether
intended goals regardless of cost?
policies are consistently applied
A. Efficiency
across departments. Which COSO A. Quality management and
component is reviewed? standardization
A. Monitoring B. IT governance
B. Control environment C. Control self-assessment
C. Information and communication D. Risk appetite
D. Control activities
88. ITIL is most useful for organizations
83. Management sets up dual focusing on:
authorization for all payments A. IT service delivery and support
above $50,000. What type of B. Financial controls
control activity is this? C. Stakeholder equity
A. Detective D. Environmental reporting
B. Preventive
89. COSO ERM framework differs from
C. Corrective
COSO IC by emphasizing:
D. Monitoring
A. Enterprise-wide risk
84. A company implements continuous management integration
monitoring dashboards. Which B. Narrow focus on financial
COSO element is this? reporting
A. Monitoring activities C. Elimination of all risks
B. Risk assessment D. Reduction of IT audit costs
C. Control environment
90. An organization tests whether
D. Information and communication
financial reports are complete and
85. An audit finds managers lack accurate. Which COSO component
awareness of the organization’s is this?
code of ethics. Which framework A. Information and communication
element is weak? B. Control activities
A. Control environment C. Monitoring
B. Risk assessment D. Control environment
C. Monitoring
91. “Tone in the middle” emphasizes
D. Control activities
ethical leadership at which level?
86. A company uses COBIT to align IT A. Board
goals with business strategy. What B. Middle management
is COBIT’s main focus? C. Staff
A. IT governance and control D. Shareholders
B. Financial reporting
92. An auditor finds control
C. Environmental auditing
documentation is excellent but not
D. Risk appetite
followed in practice. What issue
87. ISO 9001 certification primarily exists?
demonstrates: A. Form over substance
B. Strong governance 98. A firm uses performance reviews
C. Risk-based focus to identify control weaknesses.
D. Excellence in execution Which COSO component applies?
A. Monitoring activities
93. Which framework helps assess IT
B. Control environment
risks specifically?
C. Control activities
A. COBIT
D. Risk assessment
B. ITIL
C. COSO ERM 99. An audit identifies gaps in
D. ISO 9001 communication between IT and
operations. Which COSO
94. An organization fails to
component should be
communicate audit findings to
strengthened?
staff. Which COSO component is
A. Information and communication
weak?
B. Control environment
A. Control activities
C. Risk assessment
B. Information and communication
D. Monitoring
C. Monitoring
D. Control environment 100. What is the ultimate goal of
control frameworks?
95. Which control activity helps ensure
A. Strengthen controls to support
policies are carried out?
achievement of objectives
A. Authorization procedures
B. Eliminate all risks completely
B. Corporate strategy
C. Maximize profits at all costs
C. Governance codes
D. Replace external auditors
D. Stakeholder equity
96. A multinational integrates risk
appetite into strategy-setting.
Which framework is this aligned
with?
A. COSO ERM
B. ISO 9001
C. COBIT
D. ITIL
97. A control is implemented to back
up data daily. What type is this?
A. Preventive
B. Detective
C. Corrective
D. Monitoring
Answer Key

1. B   2. B   3. B   4. B   5. B
6. B   7. B   8. B   9. A   10. D
11. B   12. A   13. B   14. A   15. B
16. A   17. B   18. B   19. B   20. B
21. B   22. B   23. C   24. A   25. B
26. B   27. B   28. A   29. B   30. B
31. B   32. A   33. B   34. B   35. B
36. B   37. B   38. C   39. B   40. A
41. B   42. B   43. B   44. B   45. B
46. A   47. B   48. B   49. A   50. C
51. B   52. A   53. A   54. B   55. A
56. A   57. A   58. B   59. A   60. C
61. B   62. A   63. C   64. A   65. B
66. B   67. B   68. B   69. C   70. A
71. B   72. A   73. C   74. A   75. A
76. A   77. B   78. A   79. D   80. A
81. A   82. D   83. B   84. A   85. A
86. A   87. A   88. A   89. A   90. A
91. B   92. A   93. A   94. B   95. A
96. A   97. C   98. A   99. A   100. A