IIA-CIA-Part1 Practice Test Questions

566 Questions


Topic 1: Volume A

Which of the following is an appropriate consideration by the auditor when preparing an
engagement program for a human resource audit?


A. State the work steps in the form of questions.

B. Use standard audit program for HR from previous years.

C. Include in the audit program certain audit tests requested by audit client.

D. Defer preparation of the audit program after the field work.





C. Include in the audit program certain audit tests requested by audit client.



Summary
This question focuses on the appropriate and flexible approach an internal auditor should take when developing an engagement audit program. The program must be tailored to the specific objectives and risks of the current audit. While efficiency is important, the program should be a dynamic tool that can incorporate relevant input and be responsive to the audit client's legitimate concerns and information needs.

Correct Option

C. Include in the audit program certain audit tests requested by audit client.
This is an appropriate consideration. Collaboration with the audit client is a key part of the planning process. If management has specific concerns or areas they want tested (e.g., a new payroll system or a problematic recruitment process), incorporating these reasonable requests aligns the audit with areas of high client interest and potential risk, thereby increasing the audit's value and relevance.

Incorrect Option

A. State the work steps in the form of questions.
While audit procedures are designed to answer audit objectives (which are often phrased as questions), the specific work steps in an engagement program should be clear, executable directives (e.g., "Select a sample of 30 new hires and verify that background checks were completed."). Phrasing steps as questions introduces ambiguity.

B. Use standard audit program for HR from previous years.
Relying solely on a standard program from past years is not a best practice. It fails to consider changes in the organization's risks, processes, controls, or the external environment. Each audit program should be customized based on a current risk assessment.

D. Defer preparation of the audit program after the field work.
This is incorrect and violates fundamental audit standards. The engagement program must be prepared before fieldwork begins. It serves as the blueprint for the audit, guiding the work to be performed to ensure objectives are met efficiently and effectively.

Reference
The IIA's International Standards for the Professional Practice of Internal Auditing, specifically Standard 2240: Engagement Work Program, requires internal auditors to develop and document work programs that achieve the engagement objectives. The standard emphasizes that these programs must be established prior to the commencement of fieldwork. Furthermore, Standard 2210.A1 on engagement planning requires the internal auditor to consider the expectations of senior management and the board when planning engagements, which supports incorporating valid client requests.

Senior management at a financial institution has received allegations of fraud at its
derivatives trading desk and has asked the internal audit activity to investigate and issue a
report concerning the allegations. The internal audit activity has not yet developed sufficient
proficiency regarding derivatives trading to conduct a thorough fraud investigation in this
area. Which of the following courses of action should the chief audit executive (CAE) take
to comply with the Standards?


A. Engage the former head of the institution's derivatives trading desk to perform the investigation and submit a report with supporting documentation to the CAE.

B. Request that senior management allow a delay of the fraud investigation until the internal audit activity's on-staff certified fraud examiner is able to obtain the appropriate training regarding the analysis of derivatives trading.

C. Request that senior management exclude the internal audit activity from the investigation completely and instead contract with an external certified fraud examiner with derivatives experience to perform all aspects of the investigation and subsequent reporting.

D. Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting, with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.





D. Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting, with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.



Summary
This scenario presents a conflict between the obligation to perform a fraud investigation and the internal audit activity's lack of specific subject matter expertise. The Standards require that engagements be performed with proficiency and due professional care. The Chief Audit Executive (CAE) must ensure this standard is met, even if it requires seeking resources from outside the internal audit activity, while still maintaining overall responsibility for the engagement.

Correct Option

D. Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting, with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.
This is the correct course of action. It directly addresses the proficiency gap by bringing in an external expert with the necessary skills. Crucially, the CAE retains control by approving the scope and evaluating the work, ensuring the investigation meets the Standards and the needs of senior management. This complies with the requirement to ensure the engagement is performed with sufficient knowledge, skills, and competencies.

Incorrect Option

A. Engage the former head of the institution's derivatives trading desk...
This creates an unacceptable independence and objectivity impairment. A former department head may have been involved in, or have relationships with individuals involved in, the alleged fraud. The internal audit activity cannot rely on someone whose independence is fundamentally compromised.

B. Request that senior management allow a delay of the fraud investigation...
A delay in a fraud investigation is highly inappropriate. It could allow evidence to be destroyed, memories to fade, or the fraud to continue, causing further loss. The Standards require due professional care, which includes timeliness, especially for investigations.

C. Request that senior management exclude the internal audit activity from the investigation completely...
This abdicates the CAE's responsibility. The internal audit activity has been asked to investigate, and the CAE must ensure it is done properly. Completely handing over the engagement to an external party without any oversight or approval from the CAE does not comply with the Standards for managing the internal audit activity.

Reference
The IIA's International Standards for the Professional Practice of Internal Auditing provide clear guidance. Standard 1210: Proficiency requires internal auditors to possess the knowledge, skills, and other competencies needed to perform their responsibilities. Standard 1210.A1 states that if a CAE intends to rely on the work of an external service provider, the CAE must ensure the provider has the necessary knowledge, skills, and competencies. Furthermore, Standard 2050: Coordination and Standard 2130: Control dictate that the CAE is responsible for the overall quality assurance of the internal audit activity's work, including work performed by external service providers.

Which of the following would be most effective in determining if the percentage of
medication orders containing errors improved after a hospital installed a computerized
medication-tracking system?


A. Compare the proportion of erroneous medication orders before and after system installation for similar periods.

B. Compare the number of errors before and after system installation for similar periods.

C. Compare, after adjusting for the number of patients, the proportion of erroneous medication orders before and after system installation.

D. Compare, after adjusting for the number of patients, the number of errors before and after system installation for similar periods.





A. Compare the proportion of erroneous medication orders before and after system installation for similar periods.



Summary
This question asks for the most effective method to measure the improvement in the percentage of medication orders containing errors. The key is to isolate the effect of the new system by using a normalized metric (a proportion or rate) that accounts for changes in the underlying volume of activity. This ensures the comparison is fair and focuses on the rate of errors, not just the raw count.

Correct Option

A. Compare the proportion of erroneous medication orders before and after system installation for similar periods.
This is the most effective method. A proportion (e.g., erroneous orders / total orders) directly measures the error rate, which is the percentage the question asks about. By comparing this rate from similar time periods (e.g., one month before vs. one month after), it controls for seasonal variations and focuses the analysis on the change in quality and accuracy attributable to the new system, independent of how many orders were placed.

Incorrect Option

B. Compare the number of errors before and after system installation for similar periods.
This is ineffective because it uses raw numbers. If the number of patients or orders changed, a simple count could be misleading. A decrease in raw errors could be due to fewer patients, not a better system. It does not measure the percentage of errors.

C. Compare, after adjusting for the number of patients, the proportion of erroneous medication orders...
This is redundant and less precise. The denominator of the proportion is "orders," not "patients." Adjusting for the number of patients is an unnecessary step. The proportion of erroneous orders already inherently normalizes the data by the total number of orders, which is the most direct and accurate denominator.

D. Compare, after adjusting for the number of patients, the number of errors...
This is flawed for two reasons. First, it uses the raw number of errors, which is not a percentage. Second, it incorrectly uses "patients" as an adjustment factor instead of using "total medication orders" as the direct denominator for calculating the error rate.

Reference
This question tests the application of analytical procedures as required by the IIA's Standard 2320: Analysis and Evaluation. This standard requires internal auditors to conduct analytical procedures. Effective analysis requires using appropriate comparative data and metrics, such as ratios and proportions, to form logical conclusions about changes in performance or effectiveness. Using a proportion (a ratio) is the correct analytical technique for this scenario.

The top three sales representatives for a company consistently include non-allowable charges on their expense reports. Line management is reluctant to deny reimbursement of the charges for fear of losing the sales representatives. This situation has the greatest negative impact on which of the following internal control components?


A. Monitoring.


B. Control environment.


C. Information and communication.


D. Control activities.





B.
  Control environment.

Summary
This scenario describes a situation where established controls (policies on allowable expenses) are being overridden by management's tolerance of noncompliance. The core issue is not a lack of control activities (which likely exist on paper), but a failure in the organizational culture and tone at the top, where enforcement is sacrificed for short-term business results.

Correct Option

B. Control environment.
The control environment is the foundation of all other internal control components. It encompasses the integrity, ethical values, and competence of the entity's people, particularly management's philosophy and operating style. By knowingly allowing policy violations, line management is demonstrating a weak ethical culture and a lack of commitment to enforcing controls. This "tone at the top" (or in this case, the "tone from the middle") has the greatest negative impact by eroding the overall effectiveness of the entire internal control system.

Incorrect Option:

A. Monitoring:
Monitoring involves the ongoing assessment of internal control quality. While the situation indicates a monitoring failure (the violations are known), the greatest impact is on the environment that allows this failure to persist. The environment is the cause; the poor monitoring is a symptom.

C. Information and communication:
This component deals with the identification and sharing of relevant information. In this case, the information about the violations is known and communicated to management. The problem is not a failure to communicate, but a failure to act on that information, which stems from the control environment.

D. Control activities:
Control activities are the specific policies and procedures (like expense report reviews and approval hierarchies) designed to mitigate risks. The policies likely exist, but they are being rendered ineffective because management is overriding them. The failure of the control activities is a direct result of the weak control environment.

Reference
The IIA's IPPF aligns with the COSO Internal Control Framework, which is the basis for evaluating controls. The COSO Framework defines the Control Environment as the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. It is the foundation for all other components. A situation where management overrides controls for perceived business needs is a classic indicator of a deficient control environment.

Which of the following actions would be considered a violation of the Standards?
I. Drafts of engagement communications were reviewed with the audit client to obtain input. The client's comments were considered when developing the engagement final communication.
II. An auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development.
III. Given limited resources, the chief audit executive performed a risk analysis to determine which functions to audit.


A. II only

B. I and III only

C. I, II, and III.

D. None of the above.





D. None of the above.



Summary
This question tests the application of specific IIA Standards to common audit scenarios. It requires evaluating whether each action violates the core principles of objectivity, independence, or proper prioritization. The analysis shows that collaborating with clients on report drafts, consulting on controls during system development, and using risk analysis to allocate resources are all recognized as acceptable and often recommended practices.

Correct Option

D. None of the above.
None of the listed actions violate The IIA's Standards. Each action is aligned with the guidance for effective and value-adding internal audit practices, including collaboration, consulting, and risk-based planning.

Incorrect Option

A. II only:
This is incorrect because participating in a system development team in an advisory capacity to review controls is a recognized consulting engagement, which is permitted and encouraged under the Standards, provided the auditor does not assume management responsibility.

B. I and III only:
This is incorrect because both actions I and III are compliant. Reviewing draft reports with clients for factual accuracy is a best practice, and using risk analysis to allocate limited resources is a fundamental requirement for the CAE.

C. I, II, and III:
This is incorrect because all three actions are consistent with the Standards. There is no violation in any of the described scenarios.

Explanation of Each Action:

Action I:
This does not violate the Standards. Standard 2420: Quality of Communications states that communications should be accurate, objective, clear, concise, constructive, complete, and timely. Reviewing drafts with clients to obtain input and verify factual accuracy is a recommended practice to achieve these qualities, particularly accuracy and objectivity. The auditor maintains final authority over the content.

Action II:
This does not violate the Standards. This is an example of a consulting engagement as defined by the IPPF. Standard 1130.A2 explicitly allows internal auditors to provide consulting services related to systems under development, provided they do not assume management responsibility. Their role is to advise on control design, not to implement or manage the system.

Action III:
This does not violate the Standards. In fact, it is a direct requirement. Standard 2010: Planning mandates that the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity. Performing a risk analysis to allocate limited resources is the core of fulfilling this standard.

Reference
The IIA's International Professional Practices Framework (IPPF), specifically:

Standard 2420: Quality of Communications (supports Action I).

Standard 1130.A2: Impairment to Independence or Objectivity and the definition of Consulting Services (supports Action II).

Standard 2010: Planning and Standard 2010.A1 (supports Action III).

Which of the following would be the most useful in developing an annual audit plan?


A. General purpose audit software.


B. Voting software and hardware.


C. Flowcharting and data capture software.


D. Risk assessment software.





D.
  Risk assessment software.

Summary:
This question asks which tool is most useful for the high-level, strategic process of developing an annual audit plan. The annual audit plan is fundamentally a risk-based document that prioritizes audit engagements based on their relative risk to the organization. Therefore, the most useful tool is one that directly supports the systematic identification, analysis, and ranking of these risks.

Correct Option:

D. Risk assessment software:
This is the most useful tool because the core of developing an annual audit plan is conducting a comprehensive risk assessment. Risk assessment software is specifically designed to help the CAE systematically gather data, quantify risks based on impact and likelihood, and model different risk scenarios. This provides an objective and defensible basis for prioritizing which areas to audit, ensuring the plan focuses on the most significant risks to the organization.

Incorrect Option:

A. General purpose audit software:
Tools like ACL or IDEA are extremely useful for executing specific audits (e.g., testing transactions, sampling data). However, they are operational tools used during fieldwork, not for the high-level, strategic planning of the entire annual audit universe.

B. Voting software and hardware:
This technology is used for collaborative decision-making, such as during audit committee meetings. While it could be used to finalize a plan, it does not provide the analytical foundation for developing the plan based on risk analysis.

C. Flowcharting and data capture software:
These are valuable tools used during the planning and fieldwork of individual engagements to document processes and controls. They are too granular and focused on specific process-level audits to be the primary tool for developing the organization-wide annual audit plan.

Reference:
The IIA's International Standards for the Professional Practice of Internal Auditing, specifically Standard 2010: Planning, which states, "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals." This makes a risk-based approach, supported by risk assessment techniques and tools, the cornerstone of audit plan development.

An internal auditor is reviewing a new automated human resources system. The system contains a table of pay rates which are matched to the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes would be to:


A. Limit access to the data table to management and line supervisors who have the authority to determine pay rates.


B. Require a supervisor in the department, who does not have the ability to change the table, to compare the changes to a signed management authorization.


C. Ensure that adequate edit and reasonableness checks are built into the automated system.


D. Require that all pay changes be signed by the employee to verify that the change goes to a bona fide employee.





B.
  Require a supervisor in the department, who does not have the ability to change the table, to compare the changes to a signed management authorization.

Summary
This question focuses on identifying the best control to prevent unauthorized or inaccurate changes to a critical master data file—the pay rate table. The key risk is that an individual with system access could make an improper change. The most effective control is one that combines segregation of duties (preventing the same person from initiating and approving a change) with an independent verification against an authorized source document.

Correct Option:

B. Require a supervisor in the department, who does not have the ability to change the table, to compare the changes to a signed management authorization.
This is the best control because it establishes a strong segregation of duties and an independent verification step. The person who enters the data (has access to change the table) is different from the person who reviews and approves the change. The supervisor, who lacks the ability to make the change, independently verifies that each update in the system matches a pre-approved, signed authorization from management. This directly prevents unauthorized or erroneous updates.

Incorrect Option:

A. Limit access to the data table to management and line supervisors...
This is a good access control but is insufficient on its own. It prevents unauthorized users from making changes, but it does nothing to prevent errors or fraud by the authorized managers and supervisors themselves. They could still make an incorrect or self-serving change without a second set of eyes verifying it against official authorization.

C. Ensure that adequate edit and reasonableness checks are built into the automated system.
Edit checks (e.g., preventing a pay rate from being 1000% higher) are a good complementary control for detecting data entry errors or extreme outliers. However, they cannot detect a change that is within a "reasonable" range but is still unauthorized or incorrect (e.g., giving a 15% raise when only 5% was approved).

D. Require that all pay changes be signed by the employee...
This is not an effective control for ensuring the accuracy or authorization of the pay rate. An employee will almost always sign for a pay increase, regardless of whether it matches the officially authorized amount. This does not verify the change against the source management authorization.

Reference
The IIA's IPPF guidance on internal controls consistently emphasizes the importance of segregation of duties as a fundamental preventive control. This scenario is a classic application of separating the custody of an asset (or critical data) from the record-keeping and reconciliation functions. The control described in option B embodies this principle.

If an engagement client's operating standards are vague and thus subject to interpretation, the auditor should:


A. Seek agreement with the client as to the standards to be used to measure operating performance.


B. Determine best practices in the area and use them as the standard.


C. Interpret the standards in their strictest sense because standards are otherwise only minimum measures of acceptance.


D. Omit any comments on standards and the client's performance in relationship to those standards, because such an analysis would be meaningless.





A.
  Seek agreement with the client as to the standards to be used to measure operating performance.

Summary
This question addresses the appropriate action for an internal auditor when the criteria (operating standards) for evaluating an activity are unclear. The IIA Standards require that engagement objectives and criteria be agreed upon with the client. When criteria are vague, the auditor's responsibility is to seek clarity and mutual understanding to ensure the engagement findings are based on a fair and objective basis that is accepted by the client.

Correct Option

A. Seek agreement with the client as to the standards to be used to measure operating performance.
This is the correct and most professional approach. It directly aligns with the IIA's requirement that the internal auditor and the client must agree upon the criteria for evaluation. By seeking agreement, the auditor ensures the engagement is based on a clear, objective, and mutually understood benchmark. This prevents future disputes over the findings and increases the likelihood that the client will accept and act upon the audit results.

Incorrect Option

B. Determine best practices in the area and use them as the standard.
While best practices are a useful reference, unilaterally imposing an external standard without the client's agreement is inappropriate. The criteria must be relevant and appropriate to the specific client's operations and objectives, not just an industry ideal they may not be striving for.

C. Interpret the standards in their strictest sense...
This approach is adversarial and lacks objectivity. Imposing a strict interpretation without client consultation is arbitrary and can lead to unfair conclusions. The goal of internal auditing is to add value and improve operations, not to penalize the client using an unagreed-upon standard.

D. Omit any comments on standards and the client's performance...
This is an abdication of the auditor's responsibility. The engagement's purpose is to assess performance against criteria. If the criteria are vague, the auditor must work to define them, not avoid the core objective of the audit. Issuing a report without a basis for evaluation would be meaningless and unprofessional.

Reference
The IIA's International Standards for the Professional Practice of Internal Auditing, specifically Standard 2210.A1, which states: "Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment." Furthermore, Standard 2210.A2 requires that "Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives." This necessitates establishing clear, agreed-upon criteria to assess these risks effectively. Seeking client agreement on vague standards is a direct application of this requirement.

Which of the following is a benefit from reduced testing during a particular phase of an audit engagement?


A. The size of the internal audit activity can be reduced.


B. There is less concern about assessing inherent risk.


C. The level of planned audit risk is lowered.


D. Additional audit hours are available for pursuing other engagement objectives.





D.
  Additional audit hours are available for pursuing other engagement objectives.

Summary
This question asks about the direct operational benefit of reducing the amount of testing in one part of an audit. Audit work is constrained by time and resources. When testing in one area is reduced, either because risks are low or controls are strong, the immediate effect is that audit hours are freed up. These saved resources can then be reallocated to other, higher-risk areas within the same engagement.

Correct Option

D. Additional audit hours are available for pursuing other engagement objectives.
This is the primary and most direct benefit. An audit engagement has a finite budget of hours. If testing in Phase A is reduced (e.g., because controls are effective), the hours originally allocated to that phase are now available. The audit team can use these hours to expand testing in Phase B, investigate unexpected findings, or pursue other objectives of the same engagement, leading to a more efficient and effective overall audit.

Incorrect Option

A. The size of the internal audit activity can be reduced.
Reduced testing on a single engagement does not justify reducing the size of the entire department. The overall audit plan is risk-based and covers the entire organization. Efficiency gains on one audit free up resources for other audits, but do not necessarily mean the department needs fewer auditors.

B. There is less concern about assessing inherent risk.
Inherent risk is the risk that exists before any controls are considered. It is a fundamental part of audit planning and is assessed independently. Reducing testing in a phase does not change the inherent risk; it is a response to the assessment of risk (e.g., because control risk is low).

C. The level of planned audit risk is lowered.
Planned audit risk is the acceptable level of risk that an auditor is willing to take that an opinion or conclusion may be incorrect. This is a pre-determined, professional judgment. Reducing testing is a method to achieve the planned level of audit risk, not a benefit that lowers it further. The level of audit risk is set during planning and guides the amount of testing required.

Reference
This concept is rooted in the efficient execution of the audit engagement as guided by the IIA's Standard 2230: Engagement Resource Allocation, which states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of risk, time, and resource requirements. Reducing testing in a low-risk area is an application of this standard, as it allows for the reallocation of resources to higher-risk areas.

To assure that the technical proficiency of internal auditors is appropriate for the audit engagements to be performed, a chief audit executive should:


A. Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions.


B. Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish the department's audit mission.


C. Oversee a training program that matches the actual training provided with the interests of individual auditors.


D. Require all of the audit staff to pursue a minimum number of continuing professional education hours each year.





A.
  Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions.

Summary
This question focuses on the Chief Audit Executive's (CAE) responsibility for ensuring the internal audit activity collectively possesses the technical proficiency required by its audit universe. The key is for the CAE to take a strategic, forward-looking approach to staffing and skills management, aligning the department's human resources with its overall responsibilities and risk-based plan, rather than focusing on individual mandates or interests.

Correct Option

A. Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions.
This is the correct, strategic approach. The CAE is responsible for the overall proficiency of the internal audit activity. By defining job requirements based on the department's mandated scope of work and the responsibilities of each position, the CAE ensures that new hires possess the necessary skills and experience from the start. This builds a team whose collective proficiency is appropriate for the audits it is expected to perform.

Incorrect Option

B. Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish the department's audit mission.
This is impractical and unrealistic. The "department's audit mission" covers a wide range of disciplines (IT, finance, operations, etc.). It is not feasible to find individual auditors who are experts in all areas. The CAE should build a team with a diverse set of skills, not expect every individual to be a universal expert.

C. Oversee a training program that matches the actual training provided with the interests of individual auditors.
While considering auditor career interests is good for morale, the primary driver for training must be the needs of the internal audit activity as defined by its audit plan and risk assessment. Training should first address skill gaps required to perform planned audits, not primarily align with personal interests.

D. Require all of the audit staff to pursue a minimum number of continuing professional education hours each year.
While continuing professional education (CPE) is a requirement of the IIA for Certified Internal Auditors and is a good practice, mandating a generic number of hours for everyone is a compliance-focused tactic. It does not ensure the specific technical proficiency needed for the engagements to be performed. A strategic training plan based on skill gaps is more effective than a one-size-fits-all CPE requirement.

Reference
The IIA's International Standards for the Professional Practice of Internal Auditing, specifically Standard 1230: Continuing Professional Development, which states that internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development. More fundamentally, Standard 2030: Resource Management requires that the chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. This begins with establishing the right criteria for the skills and experience required when hiring staff.

In order to ensure that the internal auditors have the objectivity required by the Standards, the chief audit executive should:


A. Demonstrate willingness to include in engagement final communications all matters believed to be important.


B. Require all auditors to sign statements attesting to their independent mental attitudes and honest belief in their work product.


C. Carefully assign personnel to individual audit engagements and require auditors to disclose all conflicts of interest.


D. Appraise each auditor's performance on each audit assignment.





C.
  Carefully assign personnel to individual audit engagements and require auditors to disclose all conflicts of interest.

Summary
This question addresses the Chief Audit Executive's (CAE) proactive role in safeguarding the objectivity of the internal audit activity. Objectivity is an independent mental attitude that requires auditors to be free from conflicts of interest and undue influence. The CAE must establish policies and procedures to identify and mitigate threats to objectivity before an audit begins, rather than relying on after-the-fact attestations or appraisals.

Correct Option

C. Carefully assign personnel to individual audit engagements and require auditors to disclose all conflicts of interest.
This is the most effective and proactive measure. The CAE ensures objectivity by strategically assigning staff to avoid conflicts (e.g., not assigning an auditor to audit an area they recently worked in). Furthermore, requiring formal disclosure of potential conflicts of interest allows the CAE to identify and mitigate threats before they can compromise an audit. This is a direct, preventive control mandated by the Standards.

Incorrect Option

A. Demonstrate willingness to include in engagement final communications all matters believed to be important.
While this demonstrates integrity and supports the principle of open communication, it does not directly ensure the objectivity of the auditors performing the work. It is a behavior related to reporting results, not a safeguard for the unbiased mindset during the audit process itself.

B. Require all auditors to sign statements attesting to their independent mental attitudes...
This is a ceremonial or compliance-based action that provides little practical assurance. An auditor with a conflict of interest is unlikely to be deterred by a statement they must sign. Objectivity is managed through structural safeguards and policies, not just attestations.

D. Appraise each auditor's performance on each audit assignment.
Performance appraisals are important for competence and quality but are not the primary tool for ensuring objectivity. An appraisal occurs after the work is done. Objectivity must be safeguarded before and during the engagement through proper assignment and conflict disclosure.

Reference
The IIA's International Standards for the Professional Practice of Internal Auditing, specifically Standard 1130.A1: "Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year." This standard directly leads to the requirement for the CAE to implement policies for managing conflicts of interest and careful assignment of staff, as described in option C.

Regarding an organization's decision to retain an external audit firm, the chief audit executive (CAE) should:


A. Work with the organization's chief financial officer to evaluate the external auditor's performance and together make the decision.


B. Not be involved in this decision process as it would compromise the CAE's objectivity.


C. Evaluate the external auditor's performance and retain the external auditor if quality and cost criteria are met.


D. Assist the audit committee by facilitating the development of an appropriate evaluation process.





D.
  Assist the audit committee by facilitating the development of an appropriate evaluation process.

Summary
This question concerns the appropriate role of the Chief Audit Executive (CAE) in the selection and retention of the external audit firm. The CAE must maintain objectivity and support the oversight role of the audit committee. The CAE's function is to provide support, information, and process facilitation to the board/audit committee, who are responsible for the final decision, not to make the decision themselves or with management.

Correct Option

D. Assist the audit committee by facilitating the development of an appropriate evaluation process.
This is the correct role for the CAE. The audit committee is responsible for appointing, compensating, and overseeing the external auditor. The CAE, as an independent advisor to the committee, can provide valuable support by helping to design a fair and thorough evaluation process, providing data on the external auditor's performance, and ensuring the process is effective. This maintains the CAE's objectivity and reinforces the audit committee's primary authority.

Incorrect Option

A. Work with the organization's chief financial officer to evaluate...and together make the decision.
This is incorrect because it inappropriately places the decision with management (the CFO). The audit committee, not management, should have ultimate responsibility for appointing the external auditor to ensure independence. The CAE partnering with the CFO in the decision could impair the CAE's objectivity.

B. Not be involved in this decision process as it would compromise the CAE's objectivity.
This is incorrect. Complete non-involvement is not required and represents a missed opportunity. The Standards encourage coordination between internal and external audit. The CAE can and should be involved in an advisory capacity to support the audit committee without making the final decision, which does not compromise objectivity.

C. Evaluate the external auditor's performance and retain the external auditor if quality and cost criteria are met.
This is incorrect because it assigns the decision-making authority to the CAE. The decision to retain the external auditor is a governance responsibility that rests with the audit committee or the board, not the CAE.

Reference
The IIA's International Standards for the Professional Practice of Internal Auditing, specifically Standard 2050: Coordination, states that "The chief audit executive should share information and coordinate activities with other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts." Furthermore, Standard 2060: Reporting to Senior Management and the Board requires the CAE to coordinate with and provide assistance to the board. The CAE facilitates the evaluation process as part of this coordination and assistance role, supporting the board's/audit committee's ultimate decision-making authority.

