The chief audit executive (CAE) routinely provides activity reports to the board during
quarterly board meetings. Senior management has asked to review the CAE's board
presentation before each board meeting so that any issues or questions can be discussed
beforehand. The CAEshould:

A.

Provide the activity reports to senior management as requested and discuss any issues
that may require action to be taken.

B.

Not provide activity reports to senior management because such matters are the sole
province of the board.

C.

Disclose only those matters in the activity reports that pertain to expenditures and
financial budgets of the internal audit activity.

D.

Provide information to senior management that pertains only to completed audit
engagements and observations available in published engagement final communications.

A bank uses a risk analysis matrix to quantify the relative risk of auditable entities. The
analysis involves rating auditable entities on risk factors using a scale of 1 to 10,with 10
representing the greatest risk. A partial list of risk factors and the ratings given to three of
the bank's departments is provided below:
Department
Risk Factor
A
B
C
Control structure
9
5
7
Nature of assets in department

2
7
9
Dollar value of assets
6
6
8
Complexity of transactions

3
4
8
Which of the following statements regarding risk in the departments is true?

A.

As compared to departments A and C,department B has a stronger control system to
compensate for the greater complexity of the department's transactions and dollar value of its assets.

B.

The internal audit activity should schedule audits of department B more often than audits
of department C because of the relative control strength of department C as compared to
department B.

C.

The nature of department A's control structure may be justified by the nature of the
department's assets and the complexity of its transactions.

D.

The relative ranking of the departments in order of their risk,from greatest to least risk,is:A; C; B.

Which of the following audit findings would have the least impact (either positive or
negative) on a department's control environment?

A.

The department makes long-term investment risk decisions to maximize return on investment.

B.

The department manager sets and demonstrates a tone of honesty and integrity in all business dealings.

C.

Many department functions are duplicated or verified by other department employees.

D.

Deficiencies were found in the appropriate authorization of transactions.

When developing the annual audit plan and reviewing risk assessment priorities,a chief
audit executive should always identifythe:

A.

Potential recommendations for each auditable activity.

B.

Persons to whom engagement reports will be communicated.

C.

Engagement procedures to be used during the engagements.

D.

Internal audit resources required to achieve the audit plan.

Which of the following is the most important limitation on the effectiveness of audit committees?

A.

Audit committees may be composed of independent directors; however,those directors
may have close personal and professional friendships with management.

B.

Audit committee members are compensated by the organization and thus favor a stockholder view.

C.

Audit committees devote most of their efforts to external audit concerns and do not pay
much attention to internal auditing and the overall control environment.

D.

Audit committee members do not normally have degrees in the accounting or auditing fields.

Which of the following internal controls is likely to prevent pollution from waste disposal
before it occurs,rather than detect it after it occurs?

A.

Identification of large budget variances in disposal costs for hazardous chemicals.

B.

Restricted access to environmental department files.

C.

Formal on-the-job training program conducted by the environmental staff.

D.

Samples of water and solid waste taken daily with the results recorded in a log.

During a review of data center physical security and environmental controls,an auditor
should ensure that:
I. Visitors are accompanied by authorized personnel at all times.
II.Only developers and operators have access to the data center.
III.Fire suppression equipment is tested periodically.
IV.Fire and water detectors have been installed.

A.

I and IIIonly

B.

II and IVonly

C.

I,III,and IVonly

D.

II,III,and IVonly

A quantitative risk assessment model has all of the following advantages except:

A.

Accommodating a large number of risk factors in the assessment.

B.

Providing documentation for the chief audit executive,who must defend the long-range
audit plan.

C.

Providing a systematic method of applying weightings to risks and priorities.

D.

Removing the need for judgment on the part of the chief audit executive.

The main reason to establish internal controls in an organization is to:

A.

Encourage compliance with policies and procedures.

B.

Safeguard the resources of the organization.

C.

Ensure the accuracy,reliability,and timeliness of information.

D.

Provide reasonable assurance on the achievement of objectives.

When using a risk assessment model to develop audit plans,it is essential that the chief
audit executive take into accountthe:

A.

Results of the last audit.

B.

Planned visits by the external auditors during the upcoming year.

C.

Recent or expected changes in management direction and objectives.

D.

Dates of future board meetings.

The chief audit executive for an organization has just completed a risk assessment
process,identified the areas with the highest risk,and assigned an audit priority to each.
Which of the following statements is true and consistent with the International Professional
Practices Framework?
I.Items should be ranked in the order of quantifiable dollar exposure to the organization.
II.The audit priorities should be in order of major control deficiencies.
III.The risk assessment,though quantified,is the result of professional judgments about both
exposures and probability of occurrences.

A.

Ionly

B.

IIIonly

C.

 II and IIIonly

D.

I,II,and III.

Which of the following factors related to an organization's performance management
system would not contribute to the organization's success?

A.

Performance management is linked to competence and knowledge management.

B.

Subordinates and superiors have shared responsibility for the performance management process.

C.

Staff members own the performance management process,thereby ensuring implementation and accountability.

D.

Performance management is integrated into other organizational processes and human
resource processes.