Reference no: EM13929302
1. Which of the following statements about internal control is incorrect, based on the COSO framework?
a. Internal control starts with a strong set of policies and procedures.
b. Risk assessment and control activities are two of the components of the COSO model.
c. Internal control can be expected to provide only reasonable assurance that business objectives will be achieved.
d. Monitoring of a company's internal controls is accomplished with ongoing supervision and independent reviews.
2. Which of the following are strategies that an organization can use to respond to risk?
I. Controlling it
II. Accepting it
III. Transferring it
IV. Avoiding it
a. I, II and III only
b. I, III and IV only
c. I, II, and IV only
d. I and III only
e. All four are valid strategies
3. When a senior manager accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:
a. Report the unacceptable risk level to the chairman of the audit committee and the external audit partner.
b. Resign from his/her job
c. Discuss the matter with other knowledgeable members of senior management and if not resolved take it to the audit committee.
d. Notify the appropriate regulatory agency.
e. Accept senior management's position because it establishes the risk appetite for the organization.
4. Which of the following statements is not true regarding the Sarbanes Oxley Act for public companies?
a. Requires companies to publicly report on their financial reporting controls
b. Requires a public company to disclose whether its audit committee has a member that is a "financial expert"
c. Requires its internal auditors to test financial reporting controls.
d. Requires their external auditors to assess the company's financial reporting controls
5. As defined by COSO, which of the following are considered to be part of an organization's control environment?
I. Establishing control consciousness within the organization
II. Setting realistic goals and objectives
III. Assigning authority and responsibility
IV. Distributing a written code of conduct
a. Only II and III are correct
b. Only III and IV are correct
c. Only I, II, and III are correct
d. I, II, III and IV are correct
6. Which of the following statements is not true about business objectives?
a. Business objectives represent targets of performance
b. Establishment of meaningful business objectives is a prerequisite to effective internal control.
c. Establishing meaningful business objectives is a key component of the management process.
d. Business objectives are management's means of employing resources and assigning responsibilities.
7. Which of the following would not be considered a primary objective of a closing conference?
a. To resolve conflicts.
b. To discuss the engagement observations and recommendations.
c. To identify concerns for future audit engagements.
d. To identify management's actions and responses to the engagement observations and recommendations.
8. In which of the following situations does the internal auditor potentially lack objectivity?
a. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors.
b. An internal auditor discusses a significant issue with the VP to whom the auditor reports prior to drafting the audit report.
c. An internal auditor recommends standards of controls and performance measures for a contract with a service organization for the processing of payroll.
d. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit department.
9. Which of the following is not an example of a risk-sharing strategy?
a. Outsourcing a non-core, high risk area.
b. Selling a non-strategic business unit.
c. Hedging against interest rate fluctuations
d. Buying an insurance policy to protect against adverse weather
10. The CAE is asked to conduct the enterprise risk assessment as part of a company's implementation of ERM. Which of the following would be least effective in protecting the internal audit function's independence and the objectivity of its internal auditors from perceived impairment?
a. A cross section of management is involved in assessing the impact and likelihood of each risk.
b. Risk owners are assigned responsibility for each key risk.
c. The IA function defers to management when decisions are made regarding how to best manage each key risk.
d. A member of senior management presents the results of the risk assessment to the board and states that it represents the organization's risk profile.
e. The IA function obtains assistance from an outside consultant in conducting the formal risk assessment session.
11. An internal audit engagement is considered a moderately high risk audit based on IA's risk model. It is currently on a 2 year cycle. Which of the following will likely have the greatest impact on the scope & approach of the engagement:
a. The activity involves the processing of a high volume of transactions
b. The process affects multiple accounts.
c. Certain components of the process are outsourced.
d. A new system was implemented during the year, which changed how transactions are processed.
e. The total dollars processed in this area are material.
12. Which of the following is not generally considered the most critical as it relates to "general IT controls":
a. Information & Physical security controls.
b. Application based controls.
c. System change management controls.
d. Business Continuity & Disaster Recovery controls.
13. Which of the following is the least accurate statement regarding a well-documented business process
a. Contains key objectives for the process.
b. Identifies key risks and controls.
c. Prepared by control owners.
d. Defines areas of responsibilities e. Can use either method to complet
14. Which of the following control(s) is considered to be part of a company's IT "application" controls?
I. Program edit checks
II. Run-to-run totals
III. End user controls
IV. Field checks
a. Only I, II, and III are correct
b. Only I, II, and IV are correct
c. Only II and III are correct
d. I, II, III and IV are all correct.
15. Which of the following is considered to be the "least" reliable when an auditor is evaluating documentary evidence?
a. Inventory test counts by a third party
b. Written policy statements
c. Letter from outside attorneys
d. Vendor invoices
16. Which of the following is the least accurate statement regarding concepts as defined by the COSO framework?
a. Ethical values, delegation of authority and monitoring are part of a company's control environment
b. Control activities occur at two levels within an organization: Entity-wide and process level
c. Business objectives can be categorized into 3 groups-financial, operational & compliance
d. Monitoring occurs in two ways: ongoing activities and separate evaluations.
a. Organizational structure
b. Management's operating style
c. Commitment to competency
d. Risk assessment
17. Which of the following components of IT contingency planning is most important?
a. Verification of systems routines
b. Security over the contingency site
c. Documentation of the plan
d. Integration of the business plans with the system plans.
18. Which of the following is not a domain as described in the CoBiT framework?
a. Plan & Organize
b. Deliver/support
c. Control activities
d. Monitor
19. Which of the following is not an effective method to help prevent procurement fraud?
a. Proper segregation of duties
b. Open competition
c. Rotating procurement staff and responsibilities
d. Analysis of unusual inventory levels
e. All of the above are appropriate preventive controls
20. Recommendations should be included in final audit communication to:
a. Provide management with options for addressing audit observations
b. Ensure that problems are resolved in the manner suggested by the auditor
c. Minimize the amount of time required to correct audit observations.
d. Guarantee that audit observations are addressed.
21. The primary reason for having formal audit engagement communications is to
a. Provide an opportunity for the engagement client to respond
b. Document the corrective actions required of management.
c. Provide a formal means by which the external auditor assesses potential reliance on internal auditor's work
d. Record observations and recommended courses of actions
22. Which of the following is not considered part of a company's "Monitoring" activities (as defined by COSO)?
I. Regular management & supervisory activities.
II. Comparison activities.
III. Fraud prevention & detection activities.
IV. Management self-control assessment
a. Only IV is not a part of monitoring activities.
b. Only I and III are not a part of monitoring activities.
c. Only II is not part of monitoring activities.
d. None of the above (all listed activities are part of monitoring)
23. Which of the following is the least accurate regarding risk management?
a. Should consider impact and likelihood to determine "critical" risks
b. Is a fairly subjective process requiring sound judgment
c. Is typically not formally performed by operations management
d. Requires consideration of inherent risk factors and risk control analysis.
e. Residual risk is what remains of inherent risks after internal controls are put in place
24. Evaluation of ICFR includes which of the following financial reporting assertions (objectives):
I. Occurrence
II. Safeguarding
III. Completeness
IV. Valuation
a. Only I, II and III are relevant
b. Only I, III and IV are relevant
c. Only II, III and IV are relevant
d. All of the above
25. A major purpose of the International Standards for the Professional Practice of Internal Auditing is to:
a. Promote the coordination of internal and external audit efforts
b. Develop a consistency in internal audit practices.
c. Establish a basis for the evaluation of internal audit performance
d. Provide a codification of existing practices
26. Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that:
a. The individual who initiates wire transfers does not reconcile the bank statement.
b. The branch manager receives all wire transfers.
c. Foreign currency rates be computed separately by two different employees
d. Corporate management approves the hiring of monetary transfer unit employees.
27. If all other factors specified in an attribute sampling plan remain constant, changing the expected population deviation rate from 1% to 2% and changing the tolerable deviation rate from 7% to 6% would cause the required sample to:
a. Increase
b. Decrease
c. Remain the same
d. Change by 2%
28. The New York Stock Exchange does not require listed companies to have an internal auditing function.
TRUE
FALSE
29. Sarbanes Oxley Act requires listed companies to disclose whether it has a "financial expert" on its audit committee
TRUE
FALSE
30. The IIA's Professional Practices Framework requires the CAE to periodically report to senior management and the board of directors on internal audit's activities.
TRUE
FALSE
31. In audits of a business process, there is little value in testing the operating effectiveness of controls that are inadequately designed
TRUE
FALSE