Wiley section.pptx

The IIA Standards define relevant evidence as:
• Factual, adequate, and convincing.
• Reliable and the best attainable through the use of
appropriate audit techniques.
• Consistent with the audit objectives and supports audit
observations and recommendations.
• Information that helps the organization meets its goals.
• You Answered Correctly!
• Correct. This defines relevant information per IIA
Standard 2310 – Identifying Information.

The chief audit executive (CAE) of a newly formed internal
auditing department is seeking management approval of a
charter. What is the authoritative source for seeking such
approval?
• The IIA Standards, which clearly place that responsibility on
the director.
• The appropriate practice advisories, which require the director
to take that course of action.
• The Code of Ethics, which requires internal auditors to
document company policy.
• According to the IIA Standards, no approval is necessary.
• Correct, per IIA Standard 1000 – Purpose, Authority, and
Responsibility.

All of the following are examples of consulting services except:
• Legal counsel engagement.
• System security engagement.
• Advice engagement.
• Facilitation engagement.
• Correct. System security engagement is a part of assurance
services while the other three choices are a part of consulting
services. The IIA Glossary defines consulting services as
“[a]dvisory and related client service activities, the nature and
scope of which are agreed with the client, are intended to add
value and improve an organization's governance, risk
management, and control processes without the internal
auditor assuming management responsibility. Examples
include counsel, advice, facilitation, and training.”

Risk registers document risks at which of the following levels?
• Below the technical level.
• Below the operational level.
• Below the functional level.
• Below the strategic level.
• Correct. Risk registers document the risks below the strategic
level and include inherent risks (high or higher) and
unchanged residual risks, lack of or ineffectiveness of key
internal controls, and lack of mitigating factors (e.g.,
contingency plans and monitoring activities) (IIA Standard
2010 – Planning; Practice Advisory 2010‐2).

The internal auditing department for a chain of retail stores recently concluded an
audit of sales adjustments in all stores in the southeast region. The audit revealed
that several stores are costing the company an estimated $85,000 per quarter in
duplicate credits to customers' charge accounts.
• The audit report, published eight weeks after the audit was concluded, included
the internal auditors' recommendations to store management that should prevent
duplicate credits to customers' accounts.
Which of the following Standards for reporting has been disregarded in the above
case?
• The follow‐up actions were not adequate.
• The auditors should have implemented appropriate corrective action as soon as
the duplicate credits were discovered.
• Auditor recommendations should not be included in the report.
• The report was not timely.
• Correct. The audit report, which was not published until eight weeks after the
audit was concluded, was not issued in a timely fashion, given the significance of
the findings and the need for prompt, effective action (IIA Standard 2420 –
Quality of Communications).

The IIA Practice Advisories do not contain which of the
following?
• Approaches.
• Considerations.
• Processes or procedures.
• Methodologies.
• Correct. Processes or procedures are part of practice guides,
not practice advisories. Practice advisories (PAs) assist
internal auditors in applying the definition of internal auditing,
the code of ethics, and the Standards and promoting good
practices. PAs address internal auditing's approach,
methodologies, and consideration but not detail processes or
procedures. They include practices relating to international,
country, or industry‐specific issues; specific types of
engagements; and legal or regulatory issues.

During a year‐end planning meeting with senior management, the chief audit executive (CAE)
learns that a recent draft audit report on one of the company's inventory costing systems had
provoked a discussion in the accounting area. The audit report proposed a relatively large
adjustment due to an error in the local inventory system. The auditor's conclusion stated that
six other production facilities using the same costing system would require similar inventory
adjustments. The total required adjustment for all seven locations represented a material
adjustment to the financial statements, according to the chief financial officer (CFO). The CFO
questioned the method used by the auditor to calculate the amount of the inventory adjustment
and asked the CAE to delay processing the audit report until all aspects of the finding had been
fully considered. The CAE reports directly to the CFO. The audit committee has not been
apprised of this audit because the audit report is still in draft stage awaiting management
comment.
• Which of the following actions should the CAE take?
• Schedule audits to review the inventory costing systems at all locations after year‐end.
• Recall all copies of the draft audit report sent out for management review and response.
• Tell the representatives of senior management that distorting financial reports is not
acceptable.
• Offer to review the basis for the conclusion about the inventory valuation at all locations.
• Correct. Because the case indicates that the amount of the inventory adjustment is in
question, this would be the appropriate step for the CAE to take (IIA Standard 1111 – Direct
Interaction with the Board).

While performing a construction audit, the auditor suspects that the
structural steel used does not conform to contract specifications. The
internal auditing department does not have an engineer on the staff.
According to the IIA Standards, the appropriate course of action is to:
• Assign a dollar value to the difference and prepare a deficiency
finding.
• Ask a company or consulting engineer to determine whether the
steel conforms to the contract specifications.
• Ask the construction superintendent to explain why there is a
difference.
• Require suspension of contract payments until the difference is
resolved.
• Correct. IIA Standard 1210 – Proficiency requires the internal
auditing department to collectively possess the knowledge, skills,
and disciplines necessary to carry out its audit responsibilities.

Which of the following situations would most likely be considered a violation of the
IIA Code of Ethics and thus the Standards?
• As chief audit executive (CAE), you are perplexed as to how to resolve a
particular disagreement between you and auditee management regarding the
finding and recommendation in a very sensitive audit area. Unsure as to what to
do, you discuss the details of the finding and your proposed recommendation
with a fellow CAE you know from your work in the local chapter of the Institute of
Internal Auditors.
• After researching and developing the proposed yearly audit plan, your company
audit charter requires that, as chief audit executive, you present the plan to the
audit committee for its approval and suggestions.
• Your audit manager has just removed your most significant finding and
recommendation from your audit report. Being the in‐charge auditor, you have
voiced your opposition to the removal and have explained that you know the
reported condition exists. Although you agree that, technically, the audit lacks
sufficient evidence to support the finding, management cannot explain the
condition and your audit finding is the only reasonable conclusion.
• Because your department lacks skill and knowledge in a specialty area, your
chief audit executive has engaged the services of an expert consultant. As audit
manager, you have been asked to review the expert's approach to the
assignment. You are knowledgeable regarding the area under review but are
hesitant to accept the assignment because you lack the expertise to judge the
validity of the expert's conclusion.
• Correct. The IIA Code of Ethics requires confidentiality.

The chief audit executive establishes a method for prioritizing all
of the following except:
• Business units with low risk levels.
• Branch or field office with low risk levels.
• Outstanding risk areas.
• Low inherent risk areas.
• Correct. A selection of lower risk level business unit, branch
type, or field office type audits need to be included periodically
in the internal audit activity's plan to give the audits coverage
and confirm that their risks have not changed. Also, the
internal audit activity establishes a method for prioritizing
outstanding risks not yet subject to an internal audit (IIA
Standard 2010 – Planning; Practice Advisory 2010‐2). High
inherent risk areas, not low inherent risk areas, are prioritized.

Which of the following is unique to ongoing internal assessment
of an internal audit's activity?
• Best practices.
• Cost recoveries.
• Benchmarking.
• Expected deliverables.
• Correct. The processes and tools used in ongoing internal
assessments include project budgets, timekeeping systems,
audit plan completion, and cost recoveries, among others.
Best practices and benchmarking are common to both internal
assessment and external assessments (IIA Standard 1311 –
Internal Assessments; Practice Advisory 1311‐1).

You are the chief audit executive of a parent company that has foreign subsidiaries.
Independent external audits performed for the parent company are not conducted
by the same firm that conducts the foreign subsidiary audits. Since your department
occasionally provides direct assistance to both external firms, you have copies of
audit programs and selected working papers produced by each firm.
• The foreign subsidiary's audit firm would like to rely on some of the work
performed by the parent company's audit firm, but it needs to review the working
papers first. It has asked you for copies of the parent company's audit firm
working papers. Select the most appropriate response to the foreign subsidiary's
auditors:
• Provide copies of the working papers without notifying the parent company's
audit firm.
• Notify the parent company's audit firm of the situation and request that either it
provides the working papers or authorize you to do so.
• Provide copies of the working papers and notify the parent company's audit firm
that you have done so.
• Refuse to provide the working papers under any circumstances.
• Correct. It is your responsibility to ensure proper coordination with external
auditors and minimize duplication of effort. However, you must also respect the
confidentiality of the external auditor's work (IIA Standard 2050 – Coordination).

PARAGRAPH 1: The production department has the newest production equipment available
because of a fire that required the replacement of all equipment.
• PARAGRAPH 2: The members of the production department have become completely
comfortable with the state‐of‐the‐art technology over the past year and a half. As a result,
the production department has become an industry leader in production efficiency and
effectiveness.
• PARAGRAPH 3: The production department produces an average of 25 units per worker
per shift. The defect rate is 1%.
• PARAGRAPH 4: The industry average productivity is 20 units per worker per shift. The
industry defect rate is 3%.
• Which paragraph would be characterized as the attribute described in the IIA Standards as
“Condition”?
•
• 1.
•
• 2.
•
• 3.
•
• 4.
• Correct. Paragraph 3 is the statement of "Condition” as per IIA Standard 2410 – Criteria for
Communicating.

During a purchasing audit, the internal auditor finds that the largest blanket
purchase order is for tires, which are expensed as vehicle maintenance items. The
fleet manager requisitions tires against the blanket order for the company's
400‐vehicle service fleet based on a visual inspection of the cars and trucks in the
parking lot each week. Sometimes the fleet manager picks up the tires but always
signs the receiving report for payment. Vehicle service data are entered into a
maintenance database by the mechanic after the tires are installed. Which would be
the best course of action for the auditor in these circumstances?
• Determine whether the number of tires purchased can be reconciled to
maintenance records.
• Count the number of tires on hand and trace them to the related receiving
reports.
• Select a judgmental sample of requisitions and verify that the fleet manager
signs each one.
• Compare the number of tires purchased under the blanket purchase order with
the number of tires purchased in the prior year for reasonableness.
• Correct. Based on the control weakness and the potential for fraud, the auditor
should look for other indicators of fraud or verify that no fraud has occurred (IIA
Standard 2130 – Control).

According to the IIA Standards, which of the following best
describes the nature of opinions that are appropriate for internal
audit reports?
• Opinions are generally the auditor's subjective judgments
concerning why deficiencies exist.
• Opinions are the auditor's evaluations of the effects of the
observations and recommendations on the activities reviewed.
• Opinions are conclusions that the auditor has reached
concerning the appropriateness of the auditee's objectives.
• Opinions should involve only the fairness of the auditee's
financial statements.
• Correct. This is the nature of opinions per IIA Standard 2410 –
Criteria for Communicating.

Risk registers describe direct links between which of the
following?
• Risk acceptance and risk avoidance.
• Risk categories and risk aspects.
• Risk assignment and risk sharing.
• Risk limitation and risk spreading.
• Correct. Risk registers provide direct links among risk
categories, risk aspects, audit universe, and internal
controls (IIA Standard 2010 – Planning; Practice Advisory
2010‐2).

A firm's code of ethics contains the following statement:
“Employees shall not accept gifts or gratuities over $50 in
value from persons or firms with whom our organization
does business.” This provision is designed to prevent:
• Diversion of the firm's securities by an employee.
• Excessive sales allowances granted by an employee.
• Failure by an employee to record cash collections.
• Participation by an employee in a working lunch funded
by one of the firm's suppliers.
• Correct. The direct beneficiary of excessive sales
allowances is the buyer.

According to the IIA Standards, the documentation required
to plan an internal auditing project should include evidence
that the:
• Expected findings were clearly identified.
• Internal auditing department's resources are effectively
and efficiently employed.
• Planned audit work will be completed on a timely basis.
• Resources needed to perform the audit have been
considered.
• Correct. The IIA Standard 2030 – Resource Management
requires that resources needed to perform the audit have
been considered.

A primary purpose for establishing a code of conduct within
a professional organization is to:
• Reduce the likelihood that members of the profession will
be sued for substandard work.
• Ensure that all members of the profession perform at
approximately the same level of competence.
• Demonstrate acceptance of responsibility to the interests
of those served by the profession.
• Require members of the profession to exhibit loyalty in all
matters pertaining to the affairs of their organization.
• Correct. This is a distinguishing mark of a profession.

A Certified Internal Auditor (CIA) is found to have committed a violation
of the Code of Ethics of the Institute of Internal Auditors. The violation is
not serious enough to warrant the maximum disciplinary action. The
most likely result is that the CIA will:
• Be required to take up to 24 hours of appropriate continuing
professional education courses.
• Lose his or her CIA designation permanently unless subsequent
reinstatement is approved by the board of directors of the IIA.
• Be prohibited from engaging in the practice of internal auditing for a
period not to exceed 60 days.
• Receive from the IIA board of directors a written censure that outlines
the consequences of repeated similar actions.
• Correct. Censure is the disciplinary action prescribed by the IIA
Bylaws and Administrative Directives for the least serious
misconduct cases.

During a year‐end planning meeting with senior management, the chief audit executive (CAE)
learns that a recent draft audit report on one of the company's inventory costing systems had
provoked a discussion in the accounting area. The audit report proposed a relatively large
adjustment due to an error in the local inventory system. The auditor's conclusion stated that
six other production facilities using the same costing system would require similar inventory
adjustments. The total required adjustment for all seven locations represented a material
adjustment to the financial statements, according to the chief financial officer (CFO). The CFO
questioned the method used by the auditor to calculate the amount of the inventory adjustment
and asked the CAE to delay processing the audit report until all aspects of the finding had been
fully considered. The CAE reports directly to the CFO. The audit committee has not been
apprised of this audit because the audit report is still in draft stage awaiting management
comment.
• Assuming that there is a meeting later the same day with the audit committee of the board,
which of the following is not a responsibility of the director of internal auditing?
• Inform the audit committee of senior management's decisions on all significant audit
findings.
• Highlight significant audit findings and recommendations and report on the approved audit
work schedule.
• Inform the audit committee of the outcome of earlier meetings with the CFO and the options
being considered for recording the inventory adjustment.
• Attempt to resolve the inventory issue before reporting the finding to the audit committee.
• Correct. There is no provision for the discussion of the meeting or the related options for
handling the necessary transaction in IIA Standard 1111 – Direct Interaction with the Board.

Several members of senior management have questioned whether the internal
audit department should report to the newly established, quality audit function as
part of the total quality management process within the company. The chief audit
executive (CAE) has reviewed the quality standards and the programs that the
quality audit manager has proposed. The CAE's response to senior management
should include:
• Changing the applicable standards for internal auditing within the company to
provide compliance with quality audit standards.
• Changing the qualification requirements for new staff members to include quality
audit experience.
• Estimating departmental cost savings from eliminating the internal auditing
function.
• Identifying appropriate liaison activities with the quality audit function to ensure
coordination of audit schedules and overall audit responsibilities.
• Correct. Coordination of audit efforts and the efficiency of audit activities should
be primary responsibilities of the CAE (IIA Standard 1000 – Purpose, Authority,
and Responsibility)

When public servants or citizens possess knowledge of illegal or
unethical acts, appropriate laws or regulations require them to do which
of the following?
• Consider internal whistleblowing.
• Consider external whistleblowing.
• Inform public officials or ombudsman.
• Issue a special‐purpose report.
• Correct. Many jurisdictions have laws or regulations requiring public
servants with knowledge of illegal or unethical acts to inform an
inspector general, other public official, or ombudsman. Some laws
pertaining to whistleblowing actions protect citizens if they come
forward to disclose specific types of improper activities (IIA Standard
2440 – Disseminating Results; Practice Advisory 2440‐2).

Which of the following describes the nature of internal
auditing?
• IIA Attribute Standards.
• IIA Performance Standards.
• IIA Implementation Standards.
• Third‐party standards.
• Correct. The IIA Standards are divided into Attribute
Standards and Performance Standards. The
Performance Standards describe the nature of internal
auditing and provide quality criteria against which the
performance of these services can be measured.

According to the IIA Planning Standard, residual risk is also known as
which of the following?
• Audit risk.
• Pure risk.
• Current risk.
• Inherent risk.
• Correct. Residual risk is current risk, which is the risk remaining after
management takes action to reduce the impact and likelihood of an
adverse event, including control activities in responding to a risk. Audit
risk results when an auditor fails to detect a material error or event and
that an auditor may fail to detect significant error or weakness during an
examination. Pure risks are those in which there is a chance of loss or
no loss only. Inherent risk is a built‐in risk; an example is the
susceptibility of information or data to a material misstatement (IIA
Standard 2010 – Planning; Practice Advisory 2010‐2).

Which one of the following items can be a part of the other
items?
• Entity‐level controls.
• Manual controls.
• Fully automated controls.
• Partly automated controls.
• Correct. The key controls can be in the form of entity‐level
controls (e.g., employees are trained and take a test to confirm
their understanding of the code of conduct). The entity‐level
controls can be manual, fully automated, or partly automated.
Manual controls can exist within a business process (e.g., the
performance of a physical inventory). Fully automated controls
can exist within a business process (e.g., matching or
updating accounts in the general ledger). Partly automated
controls can exist within a business process (also called hybrid
or information technology–dependent controls), where an
otherwise manual control relies on application functionality
such as an exception report (IIA Standard 2200 – Engagement
Planning; Practice Advisory 2200‐2).

An auditor's objectivity could be compromised in all of the
following situations except:
• A conflict of interest.
• Auditee familiarity with auditor due to lack of rotation in
assignments.
• Auditor assumption of operational duties on a temporary
basis.
• Reliance on outside expert opinion when appropriate.
• Correct. Auditors sometimes must rely on outside
experts; the standards allow this reliance (Standard 1120
– Individual Objectivity).

The IIA Standards require that, in most cases, an internal
auditing department have documented policies and
procedures to ensure the consistency and quality of audit
work. The exception to this requirement is directly related
to:
• Departmentalization.
• Division of labor.
• Span of control.
• Authority.
• Correct. With a small audit department, substantial direct
supervision can be provided by the chief audit executive
(IIA Standard 2340 – Engagement Supervision).

Which of the following aspects of evaluating the performance of
staff members would be considered a violation of good
personnel management techniques?
• The evaluator should justify very high and very low evaluations
because of their impact on the employee.
• Evaluations should be made annually or more frequently to
provide the employee feedback about competence.
• The first evaluation should be made shortly after commencing
work to serve as an early guide to the new employee.
• Because there are so many employees whose performance is
completely satisfactory, it is preferable to use standard
evaluation comments.
• Correct. This impersonal technique degrades the evaluation
process and gives it an air of impersonality (IIA Standard 2030
– Resource Management).

The chief audit executive (CAE) of a company is aware of a material inventory
shortage caused by internal control deficiencies at one manufacturing plant. The
shortage and related causes are of sufficient magnitude to impact the external
auditor's report. Based on the IIA Code of Ethics, identify the CAE's most
appropriate course of action:
• Say nothing; guard against interfering with the independence of the external
auditors.
• Discuss the issue with management and take appropriate action to ensure that
the external auditors are informed.
• Inform the external auditors of the possibility of a shortage but allow them to
make an independent assessment of the amount.
• Report the shortages to the board of directors and allow them to report it to the
external auditor.
• Correct. The IIA Code of Ethics calls for compliance with the Standards, which
charge the CAE with coordination with external auditors and exchanging
information. In addition, the Code of Ethics requires that all material facts known
be revealed. Since coordination impacts the external auditor's work, in which the
internal auditors are participating, the situation must be divulged.

Which of the following actions by an auditor would violate
the IIA Code of Ethics?
• An audit of an activity managed by the auditor's spouse.
• A material financial investment in the company.
• Use of a company car.
• A significant ownership interest in a nonrelated business.
• Correct. Auditing a spouse may create a conflict of
interest and would prejudice the ability to carry out an
assignment objectively.

According to the IIA Standards, which of the following is the
correct listing of information that must be included in a fraud
report?
• Purpose, scope, results, and, where appropriate, an
expression of the auditor's opinion.
• Criteria, condition, cause and effect.
• Background, findings, and recommendations.
• Findings, conclusions, recommendations, and corrective
action.
• Correct. A written report should be issued at the conclusion of
the investigation phase. It should include all findings,
conclusions, recommendations, and corrective action taken.
This is the list provided by IIA Standard 2410 – Criteria for
Communicating.

An internal audit director initiated an audit of the corporate code of
ethics and the environment for ethical decision making. Which of the
following would most likely be considered inappropriate regarding the
scope and/or recommendations of the audit?
• A review of the corporate code of ethics and a comparison to other
corporate codes.
• A survey of corporate employees, asking general questions
regarding the ethical quality of corporate decision making.
• Administration of an anonymous "ethics test" to determine if
employees know of unethical behavior or have acted unethically
themselves.
• A survey of the Board of Directors to determine their level of support
for a corporate code of ethics.
• Correct. Not much benefit is gained by surveying the Board of
Directors since their views will be biased for this audit (IIA Standard
2220 – Engagement Scope).

Which of the following is unique to external assessment of an
internal audit's activity?
• Best practices.
• Cost recoveries.
• Benchmarking.
• Expected deliverables.
• Correct. The chief audit executive is to ensure the scope
clearly states the expected deliverables of the external
assessment in each case. Best practices and benchmarking
are common to both internal assessment and external
assessments. Cost recoveries are used in internal
assessments (IIA Standard 1312 – External Assessments;
Practice Advisory 1312‐1).

In recent years, which of the following two factors have changed the
relationship between internal auditors and external auditors so that
internal auditors are partners rather than subordinates?
• The increasing liability of external auditors and the increasing
professionalism of internal auditors.
• The increasing professionalism of internal auditors and the evolving
economics of external auditing.
• The increased reliance on computerized accounting systems and the
evolving economics of external auditing.
• The globalization of audit entities and the increased reliance on
computerized accounting systems.
• Correct. It is the correct answer because it includes the two primary
factors: (1) taking the Certified Internal Auditor exam increases the
professionalism of internal auditors and (2) reducing external audit
fees is becoming more critical than ever (IIA Standard 2050 –
Coordination).

Risk registers do not show which of the following?
• High inherent risks.
• High audit risks.
• Inaction by management.
• Inaction by internal audit.
• Correct. High audit risks are not shown in risk registers. Some
organizations may identify several high (or higher) inherent risk
areas. While these risks may warrant the internal audit activity's
attention, it is not always possible to review all of them. Where the
risk register shows a high, or above, ranking for inherent risk in a
particular area, and the residual risk remains largely unchanged and
no action by management or the internal audit activity is planned, the
CAE reports those areas separately to the board with details of the
risk analysis and reasons for the lack of or ineffectiveness of internal
controls (IIA Standard 2010 – Planning; Practice Advisory 2010‐2).

Consulting engagement objectives must be consistent with
all of the following except:
• Organization's goals.
• Organization's values.
• Organization's strategies.
• Organization's objectives.
• Correct. Goals are short term in nature while objectives
are long term in nature. Hence, consulting engagement
objectives must be consistent with the organization's
values, strategies, and objectives (IIA Standard 2210 –
Engagement Objectives).

An internal audit department is currently undergoing its first external quality assurance review
since its formation three years ago. From interviews with a few of the staff auditors, the review
team is informed of certain auditor activities that occurred over the past year. Which of the
following activities could affect the quality assurance review team's evaluation of the objectivity
of the internal audit department?
• One internal auditor told the review team that during the payroll audit, the payroll manager
approached him. The manager indicated he was looking for an accountant to prepare his
financial statements for his part‐time business. The internal auditor agreed to perform this
work for a reduced fee during nonwork hours.
• During the audit of the company's construction of a building addition to the corporate office,
the Vice‐President of Facilities Management gave the auditor a commemorative mug with
the company's logo. These mugs were distributed to all employees present at the
groundbreaking ceremony.
• After reviewing the installation of a data processing system, the auditor made
recommendations on standards of control. Three months after completing the audit, the
auditee requested the auditor's review of certain procedures for adequacy. The auditor
agreed and performed this review.
• An auditor's participation was requested on a task force to reduce the company's inventory
losses from theft and shrinkage. This is the first consulting assignment undertaken by the
audit department. The auditor's role is to advise the task force on appropriate control
techniques.
• Correct. According to IIA Standard 1130 – Impairment to Independence or Objectivity and
IIA Standard 1312 – External Assessments, internal auditors should be independent of the
activities they audit. Accepting a fee or gift from an auditee would impair the auditor's
objectivity. As a result, the auditor might feel obligated to render a more favorable result
than would be warranted if the auditor maintained professional objectivity.

The chief audit executive may do which of the following based on an
existing report or information to make the report suitable for
dissemination outside the organization?
• Consider internal whistleblowing.
• Consider external whistleblowing.
• Inform public officials or ombudsman.
• Issue a special‐purpose report.
• Correct. The internal audit activity's charter, the board's charter,
organizational policies, or the engagement agreement may contain
guidance related to reporting information outside the organization. In
certain situations, it may be possible to create a special‐purpose
report based on an existing report or information to make the report
suitable for dissemination outside the organization (IIA Standard
2440 – Disseminating Results; Practice Advisory 2440‐2).

According to the IIA Standards, internal auditors must be objective in performing
audits. Assume that the chief audit executive (CAE) received an annual bonus as
part of that individual's compensation package. The bonus may impair the CAE's
objectivity if:
• The bonus is administered by the board of directors or its salary administration
committee.
• The bonus is based on dollar recoveries or recommended future savings as a
result of audits.
• The scope of internal auditing work is reviewing control rather than account
balances.
• All of the above.
• I.
• II.
• III.
• IV.
• Correct. According to IIA Standard 1130 – Impairment to Independence or
Objectivity, objectivity may be impaired if the bonus is based on dollar recoveries
or recommended future savings as a result of audits. A bonus based on either of
these criteria could unduly influence the type of audits performed or the
recommendations made.

he internal audit charter normally requires the internal audit
activity to focus on areas consisting of which of the following?
• High inherent risk and high residual risk.
• High audit risk and high current risk.
• Low inherent risk and low audit risk.
• Low inherent risk and high outstanding risk.
• Correct. The internal audit charter normally requires the
internal audit activity to focus on areas of high risk, including
both inherent and residual risk. The internal audit activity
needs to identify areas of high inherent risk, high residual
risks, and the key control systems upon which the organization
is most reliant (IIA Standard 2010 – Planning; Practice
Advisory 2010‐2).

A new staff auditor has been assigned to an audit of the cash management
operations of the organization. The staff auditor has no background in cash
management, and this is the auditor's first audit. Under which of the
following conditions would the internal auditing department be in
compliance with the Standards regarding knowledge and skills?
• The senior auditor is skilled in the area and closely supervises the
staff auditor.
• The staff auditor performs the work and prepares a report that is
reviewed in detail by the director of audit.
• Not enough information is given.
• None of the above.
• I.
• II.
• III.
• IV.
• Correct. The internal audit department would, in composite, have the
requisite skills to perform the audit. The other key element is that the
staff auditor is carefully supervised such that significant deviations from
good business practices would be noted. This would be consistent with
IIA Standard 2340 – Engagement Supervision.

According to the IIA Standards, internal auditing has a
responsibility for helping to deter fraud. Which of the
following best describes how this responsibility is generally
met?
• By coordinating with security personnel and law
enforcement agencies in the investigation of possible
frauds.
• By testing for fraud in every audit and following up as
appropriate.
• By assisting in the design of control systems to prevent
fraud.
• By evaluating the adequacy and effectiveness of controls
in light of the potential exposure or risk.
• Correct. This is how the responsibility is met according to
IIA Standard 2210 – Engagement Objectives.

The IIA Code of Ethics includes which of the following two essential components?
• Definitions of internal auditing and administrative directives.
• Principles and rules of conduct.
• Integrity and objectivity.
• Confidentiality and competency.
• Correct. The IIA Code of Ethics extends beyond the definition of internal auditing to include
two essential components:
• Principles that are relevant to the profession and practice of internal auditing.
• Rules of conduct that describe behavior norms expected of internal auditors. These rules
are an aid to interpreting the principles into practical applications and are intended to guide
the ethical conduct of internal auditors.
• Note that the IIA bylaws and administrative directives are applicable to IIA members and
Certified Internal Auditor designation holders. Integrity, objectivity, confidentiality, and
competency are part of the principles and the rules of conduct (IIA Code of Ethics; IIA
Standard 1200 – Proficiency and Due Professional Care).

Internal auditors' failure to do the right audits, failure to test the real
risks, and failure to use the right controls can lead to which of the
following?
• Business risk.
• Audit failures.
• Audit false assurance.
• Audit reputation risk.
• Correct. Every organization will experience control breakdowns,
some resulting in audit failures. The internal audit activity could be a
contributing factor due to (1) lack of an effective risk assessment
process to identify key audit areas during the strategic risk
assessment as well as areas of high risk during the planning of
individual audits—as a result, failure to do the right audits and/or time
wasted on the wrong audits and (2) failure to design effective internal
audit procedures to test the “real” risks and the right controls (IIA
Standard 2120 – Risk Management; Practice Advisory 2120‐2).

During the course of an audit, an auditor discovers that a
clerk is embezzling company funds. Although this is the first
embezzlement ever encountered and the organization has
a security department, the auditor decides to personally
interrogate the suspect. If the auditor is violating the IIA
Code of Ethics, the rule violated is most likely:
• Failing to show due diligence.
• Lack of loyalty to the organization.
• Lack of competence in this area.
• Failing to comply with the law.
• Correct. Competency (Rules of Conduct) of the IIA Code
of Ethics requires members and Certified Internal
Auditors to refrain from undertaking services that cannot
be reasonably completed with professional competence.

When evaluating the independence of an internal audit
department, a quality review team considers several
factors. Which of the following factors has the least amount
of influence when judging an internal audit department's
independence?
• Criteria used in making auditors assignments.
• The extent of auditor training in communications skills.
• Relationship between audit working papers and audit
report.
• Impartial and unbiased audit judgments.
• Correct. Training is a factor of skill, not independence (IIA
Standard 1110 – Organizational Independence; IIA
Standard 1312 – External Assessments).

A company's management accountants prepared a set of reports
for top management. These reports detail the funds expended
and the expenses incurred by each department for the current
reporting period. The function of internal auditing would be to:
• Ensure against any and all noncompliance of reporting
procedures.
• Review the expenditure items and match each item with the
expenses incurred.
• Determine if there are any employees expending funds without
authorization.
• Identify inadequate controls that increase the likelihood of
unauthorized expenditures.
• Correct. Internal auditors are responsible for identifying
inadequate controls, for appraising managerial effectiveness,
and for pinpointing common risks (IIA Standard 2130 –
Control).

Which of the following primarily differentiates assurance services from
consulting services
• The process owner.
• The internal auditor.
• The user.
• The engagement client.
• Correct. Generally three parties are involved in assurance services:
(1) the person or group directly involved with the entity, operation,
function, process, system, or other subject matter—the process
owner; (2) the person or group making the assessment—the internal
auditor; and (3) the person or group using the assessment—the user.
• Consulting services are advisory in nature and generally are
performed at the specific request of an engagement client. The
nature and scope of the consulting engagement are subject to
agreement with the engagement client. Consulting services generally
involve two parties: (1) the person or group offering the advice—the
internal auditor and (2) the person or group seeking and receiving
the advice—the engagement client.

The IIA Standards define “competent information” as:
• Supporting the audit observations and being consistent
with the audit objectives.
• Assisting the organization in meeting prescribed goals.
• Factual, adequate, and convincing so that a prudent
person would reach the same conclusion as auditor.
• Reliable and the best available through the use of
appropriate audit techniques.
• Correct. Competent information is reliable and the best
available through the use of appropriate audit techniques
(IIA Standard 2310 – Identifying Information).

In large or complex internal audit environments, which of the following
administers and monitors the activities needed for a successful quality
assurance and improvement program (QAIP)?
• Chief audit executive.
• Internal audit executive.
• Assurance services executive.
• Consulting services executive.
• Correct. In large or complex internal audit environments (e.g.,
numerous business units and/or locations), the chief audit executive
establishes a formal QAIP function—headed by an internal audit
executive—independent of the audit and consulting segments of the
internal audit activity. This executive (and limited staff) administers
and monitors the activities needed for a successful QAIP (IIA
Standard 1300 – Quality Assurance and Improvement Program;
Practice Advisory 1300‐1).

Which of the following risk concepts can be assumed to have no
mitigating controls?
• Business risk.
• Residual risk.
• Inherent risk.
• Current risk.
• Correct. Two fundamental risk concepts are inherent risk and
residual risk (also known as current risk). Inherent risk is a built‐in
risk. Financial/external auditors have long had a concept of inherent
risk that can be summarized as the susceptibility of information or
data to a material misstatement, assuming that there are no related
mitigating controls. Inherent risk is the susceptibility of a
management assertion to a material misstatement. Business risk is
total risk facing an organization. Residual risk is current risk (IIA
Standard 2010 – Planning; Practice Advisory 2010‐2).

A charter is being drafted for a newly formed internal auditing
department. Which of the following best describes the
appropriate organizational status that should be incorporated
into the charter?
• The chief audit executive should report to the chief executive
officer but have access to the board of directors.
• The chief audit executive should be a member of the audit
committee of the board of directors.
• The chief audit executive should be a staff officer reporting to
the chief financial officer.
• The chief audit executive should report to an administrative
vice president.
• Correct. This arrangement provides for the most operating
flexibility and independence (IIA Standard 1000 – Purpose,
Authority, and Responsibility).

The IIA Practice Guides do not contain which of the
following?
• Good practices
• Tools and techniques.
• Programs.
• Deliverables.
• Correct. Good practices are part of practice advisories,
not practice guides. Practice guides (PGs) provide
detailed guidance for conducting internal audit activities.
PGs include detailed processes and procedures, such as
tools and techniques, programs, and step‐by‐step
approaches as well as examples of deliverables.

After using the same public accounting firm for several years, the board of
directors retained another public accounting firm to perform the annual
financial audit in order to reduce the annual audit fee. The new firm has
now proposed a one‐time audit of the cost effectiveness of the various
operations of the business. The chief audit executive has been asked to
advise management in making a decision on the proposal.
• Additional criteria that should be considered by management in
evaluating the proposal would include all the following except:
•
• Existing expertise of internal auditing staff.
•
• Overall cost of the proposed audit.
•
• The need to develop in‐house expertise.
•
• The external auditor's required adherence to the single audit concept.
• Correct. The single audit concept is not always pertinent (IIA Standard
2050 – Coordination).

You are the chief audit executive of a parent company that has foreign
subsidiaries. Independent external audits performed for the parent
company are not conducted by the same firm that conducts the foreign
subsidiary audits. Since your department occasionally provides direct
assistance to both external firms, you have copies of audit programs and
selected working papers produced by each firm.
• The foreign subsidiary's audit firm wants to rely on an audit of a function
at the parent company. The audit was conducted by the internal auditing
department. To place reliance on the work performed, the foreign
subsidiary's auditors have requested copies of the working papers.
Select the most appropriate response to the foreign subsidiary's
auditors:
• Provide copies of the working papers.
• Ask the parent company's audit firm if it is appropriate to release the
working papers.
• Ask the audit committee for permission to release the working papers.
• Refuse to provide the working papers under any circumstances.
• Correct. The working papers are the property of your company. It is your
responsibility as internal audit director to ensure proper coordination
with external auditors and minimize duplication of effort (IIA Standard
2050 – Coordination).

Which of the following can be used by an independent external
reviewer when establishing the scope of the external assessment of an
internal audit's activity?
• Percentage of audit plan completed in a year by the internal audit.
• Number of findings reported in a year by the internal audit.
• Percentage of quality assurance and improvement program (QAIP)
implemented by the internal audit.
• Number of audit recommendations accepted in a year by the
auditees.
• Correct. Internal auditors are required to do a full self‐assessment of
QAIP. If internal auditors did not do this full assessment, it will send a
red flag to the external assessors. Assessment of QAIP is common
between internal assessments and external assessments. The QAIP
assesses the efficiency and effectiveness of the internal audit's
activity and identifies opportunities for improvement. Since the QAIP
is a part of internal audit Standards, its conformity is very important
as it will decide the breadth and depth of the external assessment's
scope of work (IIA Standard 1311 – Internal Assessments; IIA
Standard 1312 – External Assessments; Practice Advisory 1312‐1).

Which of the following differs between assurance services
and consulting services when exercising due professional
care?
• Costs and benefits.
• Complexity of work.
• Extent of work.
• Materiality.
• Correct. Materiality is considered in assurance services
and procedures but is not relevant to consulting services
(IIA Standard 1220 – Due Professional Care). The other
three choices are the same in assurance services and
consulting services.

Which of the following internal audit assessments belong to specific
governance processes?
• Whistleblower process.
• Risk management audit process.
• Internal control over financial reporting.
• Fraud risks.
• Correct. Internal audit assessments regarding governance processes
are likely to be based on information obtained from numerous audit
assignments over time. The internal auditor should consider (1) the
results of audits of specific governance processes (e.g., the
whistleblower process, the strategy management process) and (2)
governance issues arising from audits that are not specifically
focused on governance (e.g., audits of the risk management
process, internal control over financial reporting, and fraud risks) (IIA
Standard 2110 – Governance; Practice Advisory 2110‐3).

Clearly communicating the scope inclusions and exclusions in the audit
risk assessment, internal audit plan, and audit engagement can
mitigate the risk which of the following?
• Business risk.
• Audit failures.
• Correct. Frequent and clear communication is a key strategy to
manage false assurance. Some leading practices include (1)
proactively communicating the role and the mandate of the internal
audit activity to the audit committee, senior management, and other
key stakeholders; (2) clearly communicating what is covered in the
risk assessment, internal audit plan and internal audit engagement;
and (3) explicitly communicating what is not in the scope of the risk
assessment and internal audit plan (IIA Standard 2120 – Risk
Management; Practice Advisory 2120‐2).

Residual risk is calculated as which of the following?
• Known risks minus unknown risks.
• Actual risks minus probable risks
• Probable risks minus possible risks.
• Potential risks minus covered risks.
• Correct. Potential risks include all possible and probable
risks. Countermeasures cover some but not all risks.
Therefore, the residual risk is potential risks minus
covered risks (IIA Standard 2010 – Planning; Practice
Advisory 2010–2).

The scope of external assessment of an internal audit's activity should
not be limited to which of the following?
• Assurance services.
• Consulting services
• Leading practices
• Quality assurance and improvement program.
• Correct. External assessments cover the entire spectrum of audit
and consulting work performed by the internal audit activity and
should not be limited to assessing its quality assurance and
improvement program. To achieve optimum benefits from an external
assessment, the scope of work should include benchmarking,
identification, and reporting of leading practices that could assist the
internal audit activity in becoming more efficient and/or effective (IIA

When an organization is involved in a string of financial
restatements and regulatory investigations, this would negatively
impact which of the following?
• Business risk.
• Audit failures.
• Correct. A string of significant financial restatements and
regulatory investigations would negatively impact the
reputation of the internal audit activity. The audit committee
and the board might ask if the internal audit activity has the
right talent and quality assurance and improvement program
to support the organization (IIA Standard 2120 – Risk

Based on the IIA Standards, an internal auditing
department's staff development program will be deficient if
individual employees are:
• Given a large variety of tasks to perform.
• Expected to study current events on an independent
basis.
• Assigned to a different supervisor on each job.
• Formally evaluated once every two years.
• Correct. IIA Standard 2030 – Resource Management
states that each auditor must be formally evaluated at
least annually.

A significant part of the auditor's working papers will be the conclusions reached by the auditor
regarding the audit area. In some situations, the supervisor might not agree with the
conclusions and will ask the staff auditor to perform more work. Assume that after subsequent
work is performed, the staff auditor and the supervisor continue to disagree on the conclusions
documented in the working paper developed by the staff auditor. Which of the following audit
department responses would not be appropriate?
• Both the staff auditor and the supervisor document their reasons for reaching different
conclusions. Retain the rationale of both parties in the working papers.
• Note the disagreement and retain the notice of disagreement and follow‐up work in the audit
working papers.
• Present both conclusions to the chief audit executive (CAE) for resolution. The CAE may
resolve the matter.
• Present both conclusions in the audit report and let management and the auditee react to
both.
• Correct. This would not be an appropriate response per IIA Standard 2330 – Documenting
Information. The CAE should determine the most reasonable conclusion and present that to
the auditee and management. The issue of disagreements on the working papers should
not necessarily affect the reporting to management unless the CAE believes that both
conclusions are equally appropriate and that management's understanding would be
enhanced if it were presented with both.

Which of the following statements is true regarding coordination
of internal and external audit efforts?
• The chief audit executive (CAE) should not give information
about illegal acts to an external auditor because external
auditors may be required to report the matter to the Board
and/or regulatory agencies.
• Ownership and the confidentiality of the external auditor's
working papers prohibit their review by internal auditors.
• The CAE should determine that appropriate follow‐up and
corrective action was taken by management where required
on matters discussed in the external auditor's management
letter.
• If internal auditors provide assistance to the external auditors
in connection with the annual audit, the audit work is not
subject to the International Standards for the Professional
Practice of Internal Auditing.
• Correct. Standards place the responsibility for the evaluation
of corrective action on the director of internal audit (IIA
Standard 2050 – Coordination).

Which of the following is closely linked to risk acceptance?
• Risk detection.
• Risk prevention
• Risk tolerance.
• Risk correction.
• Correct. Risk tolerance is the level of risk that an entity or
a manager is willing to assume or accept in order to
achieve a potential desired result. Some managers
accept more risk than others do due to their personal
affinity toward risk (IIA Standard 2010 – Planning;
Practice Advisory 2010–2).

During the year‐end physical inventory process, the auditor observed over $1.2
million worth of items staged in the shipping area and marked "Sold—Do Not
Inventory." The customer had been on credit hold for three months because of
bankruptcy proceedings, but the sales manager had ordered the shipping
supervisor to treat the inventory as sold for physical inventory purposes. The auditor
noted the terms of sale were "FOB Warehouse." After confirming no change in
corporate policy, the auditor should:
• Recommend that the inventory staged in the shipping area be counted and
included along with the rest of the physical inventory results.
• Make test counts and trace the results to appropriate records to ensure that the
cost is properly relieved from inventory.
• Follow up with appropriate procedures to ensure that the inventory staged in the
shipping area appears on related invoicing documentation.
• Request copies of the signed bills of lading to include with working papers for
this physical inventory.
• Correct. Given these circumstances, excluding the inventory from the physical
count would inflate revenues and profitability for the current period. The physical
inventory process is a periodic control to ensure that sales‐related controls are
effective (IIA Standard 2120 – Risk Management; IIA Standard 2130 – Control).

Which of the following is unique to the external assessment of an
internal audit's activity when compared to internal assessment?
• Findings.
• Conclusions.
• Recommendations.
• Overall opinion.
• Correct. External assessments of an internal audit activity contain an
expressed opinion as to the entire spectrum of assurance and
consulting work performed (or that should have been performed
based on the internal audit charter) by the internal audit activity,
including its conformance with the definition of internal auditing, the
code of ethics, and the standards and, as appropriate, includes
recommendations for improvement. Findings, conclusions, and
recommendations are common with the internal assessments (IIA

Which of the following is not included in the ongoing and periodic
assessment containing measurements and analyses of performance
metrics with respect to internal audit's quality assurance and improvement
program (QAIP)?
• Money saved from the audit work
• Number of recommendations accepted.
• Customer satisfaction.
• Audit cycle time.
• Correct. A QAIP is an ongoing and periodic assessment of the entire
spectrum of audit and consulting work performed by the internal audit
activity. This periodic assessment includes ongoing measurements and
analyses of performance metrics (e.g., internal audit plan
accomplishment, cycle time, recommendations accepted, and customer
satisfaction). Although an objective measure, money saved from the
audit work is not useful due to difficulties in quantifying savings and
problems in agreement with the auditees and organization's
management (IIA Standard 1310 – Requirements of the Quality
Assurance and Improvement Program; Practice Advisory 1310‐1).

Which of the following is not ordinarily an objective of a
quality assurance review? To determine compliance with:
• Applicable laws and regulations.
• The Attribute Standards for the professional practice of
internal auditing.
• The Performance Standards for the professional practice
of internal auditing.
• The goals of the internal audit function.
• Correct. It is the correct answer because this is not an
objective of IIA Standard 1300 – Quality Assurance and
Improvement Program.

Which of the following is unique to the external assessment of an
internal audit's activity when compared to internal assessment?
• Follow‐up.
• Findings.
• Responses from the chief audit executive.
• Recommendations.
• Correct. Receiving written responses from the chief audit
executive (CAE) that include an action plan and
implementation dates is unique to the external assessments.
Here the CAE assumes the auditee role and the external
assessor assumes the auditor role. The other three choices
(i.e., follow‐up, findings, and recommendations) are common
with the internal assessments (IIA Standard 1312 – External
Assessments; Practice Advisory 1312‐1).

• Ensuring internal audit teams have the right competencies
with right level of work experience and designing effective
internal audit procedures can reduce the risk of which of the
following?
• Business risk.
• Audit failures.
• Correct. Audit failures result due to (1) failure to evaluate both
the design adequacy and the control effectiveness as part of
internal audit procedures and (2) use of audit teams that do
not have the appropriate level of competence based on
experience or knowledge of high‐risk areas (IIA Standard 2120
– Risk Management; Practice Advisory 2120‐2).

Which of the following most seriously compromises the
independence of the internal auditing department?
• Internal auditors frequently draft revised procedures for
departments whose procedures they have criticized in an
audit report.
• The chief audit executive has dual reporting responsibility
to the firm's top executive and the board of directors.
• The internal auditing department and the firm's external
auditors engage in joint planning of total audit coverage
to avoid duplicating each other's work.
• The internal auditing department is included in the review
cycle of the firm's contracts with other firms before the
contracts are executed.
• Correct. If the auditing department drafts procedures, it
will be in the position of auditing its own work during the
next audit cycle (IIA Standard 1120 – Individual

Which of the following is the major purpose of performing
analytical procedures in internal audits?
• To perform additional audit procedures.
• To plan the audit engagement.
• To obtain audit evidence.
• To study relationships among elements of information.
• Correct. Analytical procedures often provide the internal
auditor with an efficient and effective means of obtaining
audit evidence. The assessment results from comparing
information with expectations identified or developed by
the internal auditor.

As an internal auditor for a multinational chemical company, you have
been assigned to perform an operational audit at a local plant. This
plant is similar in age, sizing, and construction to two other company
plants that have been recently cited for discharge of hazardous wastes.
In addition, you are aware that chemicals manufactured at the plant
release toxic by-products.
• Identify your responsibility for detection of a hazardous waste
discharge problem.
• You have no responsibility; it is the concern of the appropriate
governmental agency.
• You are responsible for ensuring compliance with company policies
and procedures.
• Operational audits do not require a determination of compliance with
laws and regulations.
• You are required by the Standards to determine compliance with
laws and regulations.
• Correct. Determination of compliance is required by IIA Standard
2120 – Risk Management and IIA Standard 2130 – Control.

Which of the following statements is not true regarding risk assessment as the term
is used in internal auditing?
• Risk assessment is a judgmental process of assigning dollar values to the
perceived level of risk found in an auditable activity. These values allow directors
to select the auditees most likely to result in identifiable audit savings.
• The chief audit executive should incorporate information from a variety of
sources into the risk assessment process, including discussions with the board,
management, external auditors, and review of regulations, and analysis of
financial/operating data.
• Risk assessment is a systematic process of assessing and integrating
professional judgments about probable adverse conditions and/or events,
providing a means of organizing an internal audit schedule.
• As a result of an audit or preliminary survey, the chief audit executive may revise
the level of assessed risk of an auditee at any time, making appropriate
adjustments to the work schedule.
• Correct. Risk assessment does not necessarily involve the assignment of dollar
values and is not intended to identify the audit area with the greatest dollar
savings (IIA Standard 2010 – Planning; IIA Standard 2120 – Risk Management).

An audit supervisor would challenge whether audit evidence is
sufficient to support the conclusion that journal entries are
properly prepared and approved if the working papers included:
• A note stating the controller's assurance those journal entries
are always looked at by the accounting supervisor before entry
into the computer system.
• A copy of a handwritten schedule of standard and appended
nonstandard journal entries for the most recent month showing
the initials of the preparer for each entry and the summary
approval of the controller at the top.
• A copy of a computer‐generated list of automated and
nonstandard journal entries initialed by the controller showing
the auditor's references to system reports and monthly
reconciliations.
• A cross‐reference to another section of the working papers
containing sufficient evidence for this conclusion.
• Correct. This evidence suggests that the auditor did not
confirm this information or follow up with testing (IIA Standard
2340 – Engagement Supervision).

What should be done when internal auditors are prohibited by law or regulation from using certain parts of the
IIA Standards and/or the IIA Standards are used in conjunction with standards issued by other authoritative
bodies (i.e., other standards)?
• If prohibited by law or regulation, disclose conformance with all other parts of the IIA Standards in the
audit report.
• If prohibited by law or regulation, do not disclose conformance with the IIA Standards in the audit report.
• If the IIA Standards are used in conjunction with other standards, document the use of other standards
in audit working papers.
• If inconsistencies exist between the IIA Standards and the other standards used in conjunction, conform
to the IIA Standards and conform to the other standards only when the other standards are more
restrictive.
•
• I and III.
•
• II and III.
•
• II and IV.
•
• I and IV.
• Correct. If internal auditors or the internal audit activity is prohibited by law or regulation from conformance
with certain parts of the IIA Standards, conformance with all other parts of the IIA Standards and
appropriate disclosures are needed. If the IIA Standards are used in conjunction with standards issued by
other authoritative bodies, internal audit communications may also cite the use of other standards, as
appropriate. In such a case, if inconsistencies exist between the IIA Standards and other standards,
internal auditors and the internal audit activity must conform with the IIA Standards and may conform with
the other standards if they are more restrictive.

According to the IIA Organizational Independence Standard, which of the following
is not a part of administrative reporting to organization's management?
• Human resource administration.
• Annual confirmation of the audit's organizational independence.
• Management accounting.
• Audit policies and procedures.
• Correct. The chief audit executive, reporting functionally to the board and
administratively to the organization's chief executive officer, facilitates
organizational independence. Administrative reporting is the reporting
relationship within the organization's management structure that facilitates the
day‐to‐day operations of the internal audit activity. Administrative reporting
typically includes management accounting; human resource administration,
including personnel evaluations and compensation; administration of the internal
audit activity's policies and procedures; and other things (IIA Standard 1110 –
Organizational Independence; Practice Advisory 1110‐1). Annual confirmation of
the internal audit activity's organizational independence belongs to the functional
reporting to the board.

Which of the following actions by an internal auditor would
violate the IIA Code of Ethics?
• Attendance at an educational program offered by an
auditee to all employees.
• Acceptance of airline tickets from an auditee.
• Disclosure, in an audit opinion, of all material facts
relevant to the audit area.
• Disposal of stock in the company prior to learning of a
business downturn.
• Correct. Without consent by appropriate senior
management, acceptance of any gift is prohibited.

The IIA board of directors has been informed that a Certified
Internal Auditor (CIA) was tried and convicted of tax evasion.
The probable consequences for this person are:
• Immediate revocation of the CIA designation by the Internal
Auditing Standards Board.
• Nothing; the act was performed outside of the normal line of
work.
• Censure by the director of Professional Practices of the
Institute.
• Review by the board of directors and forfeiture of the CIA
designation.
• Correct. The sanction must be imposed by the IIA Board under
Administrative Directives. This act is probably severe enough
to warrant forfeiture of the CIA designation.

The internal audit activity's plan will focus on which of the following
areas?
• Where the difference between the current risk and the business risk
is great.
• Where the difference between the planned risk and the performance
risk is great.
• Where the difference between the absolute risk and the relative risk
is great.
• Where the difference between the inherent risk and the residual risk
is great.
• Correct. An internal audit activity's plan normally focuses on areas
where the differential is great between inherent risk and residual risk.
Business risk is total risk. Current risk is residual risk. Performance
risk results from human failure of individuals who could not complete
their assigned

Which of the following is not a requirement of a long‐range
plan for the internal auditing department?
• To be consistent with the department's charter.
• To be capable of being accomplished.
• To include a list of auditable activities.
• To include the basics of the audit program.
• Correct. This item is an element of the planning of the
audit, not a requirement of the long‐range plan (IIA
Standard 2010 – Planning).

An auditor, nearly finished with an audit, discovers that the director of
marketing has a gambling habit. The gambling issue is not directly
related to the existing audit, and there is pressure to complete the
current audit. The auditor notes the problem and passes the
information on to the chief audit executive but does no further follow‐up.
The auditor's actions would:
• Be in violation of the IIA Code of Ethics for withholding meaningful
information.
• Be in violation of the Standards because the auditor did not properly
follow‐up on a red flag that might indicate the existence of fraud.
• Not be in violation of either the IIA Code of Ethics or Standards.
• Not enough information is given.
• Correct. There is no violation of either the Code of Ethics or the
Standards (IIA Standard 2431 – Engagement Disclosure of
Nonconformance).

Requiring a “project acceptance” process in place when internal
auditors are involved in a business unit's project can mitigate the risk
which of the following?
• Business risk.
• Audit failures.
• Correct. A project acceptance process can mitigate the risk of false
assurance. Require a “project acceptance” process to assess the
level of risk related to each project and internal audit's role in the
project. The assessment may consider: scope of the project, role of
the internal audit activity, reporting expectations, competencies
required, and independence of internal auditors (IIA Standard 2120 –
Risk Management; Practice Advisory 2120‐2).

Which of the following is driving the need for assurance maps?
• Risk managers.
• Board members.
• Internal auditors.
• Compliance practitioners.
• Correct. The chief audit executive (CAE), senior management,
and the board need assurance maps to ensure proper
coordination among diverse risk activities. Assurance maps
are usually driven by the board due to its oversight
responsibility (IIA Standard 2050 – Coordination and Practice
Advisory 2050‐2).

If internal auditors are used as “loaned resources” to a business
unit, this could lead to which of the following?
• Business risk.
• Audit failures.
• Correct. Using internal auditors as “loaned” resources may
create false assurance. If internal auditors are used to
augment the staffing of a project or initiative, document their
role and scope of their involvement as well as future objectivity
and independence issues (IIA Standard 2120 – Risk

Reinforcing the code of conduct and ethical behavior
standards for all internal auditors can protect which of the
following?
• Business risk.
• Audit failures.
• Correct. A leading practice to protect the reputation of
internal audit's “brand” name is to reinforce the code of
conduct and ethical behavior standards for all internal
auditors (IIA Standard 2120 – Risk Management;
Practice Advisory 2120‐–2).

During testing of the effectiveness of inventory controls, the auditor
makes a note in the working papers that most of the cycle count
adjustments for the facility involved transactions of the machining
department. The machining department also had generated an
extraordinary number of cycle count adjustments in comparison to
other departments last year. The auditor should:
• Interview management and apply other audit techniques to
determine whether transaction controls and procedures within the
machining department are adequate.
• Do no further work because the concern was not identified by the
analytical procedures designed in the audit program.
• Notify internal audit management that fraud is suspected.
• Place a note in the working papers to review this matter in detail
during the next review.
• Correct. The IIA Standard 2320 – Analysis and Evaluation calls for
follow‐up when analytical procedures identify unexpected results.

As the chief audit executive for your organization, you have
developed a plan that includes a detailed schedule of areas to
be audited during the coming year, an estimate of the time
required for each audit, and the approximate starting date of
each audit. The scheduling of specific audits was based on the
time elapsed since the last audit in each area. The plan is
inadequate because it fails to:
• Cite authoritative support, such as the IIA Standards, for such
a plan.
• Consider factors such as risk, exposure, and potential loss to
the organization
• State whether all audit resources had been committed to the
plan.
• Seek management approval of the plan.
• Correct. IIA Standard 2010 – Planning states that audit
priorities should be based on financial exposure, potential loss
and risk, requests from management, and opportunities to
achieve operating benefits as well as the date and results of
the last audit.

According to the IIA Organizational Independence Standard,
which of the following is not a part of functional reporting to the
board?
• Audit charter.
• Audit risk assessment.
• Audit budgets.
• Audit plan.
• Correct. The chief audit executive, reporting functionally to the
board and administratively to the organization's chief executive
officer, facilitates organizational independence (IIA Standard
1110 – Organizational Independence and Practice Advisory
1110‐1). Functional reporting to the board typically involves the
board approving the internal audit activity's overall charter and
approving the internal audit risk assessment and related audit
plan. Administrative reporting is the reporting relationship
within the organization's management structure that facilitates
the day‐to‐day operations of the internal audit activity.
Administrative reporting typically includes audit budgets
among other things.

• PARAGRAPH 1: The production department has the newest production equipment available
because of a fire that required the replacement of all equipment.
• PARAGRAPH 2: The members of the production department have become completely
comfortable with the state‐of‐the‐art technology over the past year and a half. As a result,
the production department has become an industry leader in production efficiency and
effectiveness.
• PARAGRAPH 3: The production department produces an average of 25 units per worker
per shift. The defect rate is 1%.
• PARAGRAPH 4: The industry average productivity is 20 units per worker per shift. The
industry defect rate is 3%.
• Which paragraph would be characterized as the attribute described in the IIA Standards as
“Criteria”?
• 1.
• 2.
• 3.
• 4.
• Correct. Paragraph 4 describes the standard by which the production department is
measured. This is the "Criteria," and it is the standards, measures, or expectations used in
making an evaluation and/or verification (what should exist) as per IIA Standard 2410 –
Criteria for Communicating.

Wiley section.pptx

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Wiley section.pptx

Ähnlich wie Wiley section.pptx (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Wiley section.pptx