Which of the following elements should an auditor recommend for inclusion in an
organization's code of ethics?
I.Ethics should vary with local customs in the organization's foreign operations.
II.Whistle-blowing should be discouraged because it can cause distrust among employees
and false accusations which waste organizational resources on investigations.
III.Ethical behavior should not be incorporated into performance evaluations because it is
too subjective and controversial.

A.

Ionly

B.

IIonly

C.

I,II,and III.

D.

None of the above.

Which of the following would have the least impact (either positive or negative) on an
assessment of a department's control environment?

A.

The department managed long-term investments,including investment in derivatives and
other financial instruments,to maximize return.

B.

The department manager sets a tone of honesty and integrity in all business dealings
and this tone is emulated by department personnel.

C.

Many department functions were duplicated or verified by other department employees
as part of the department's normal procedures.

D.

Audit tests designed to verify compliance with control procedures detected a general
failure to follow standard procedures for transaction authorization.

In assessing the independence of the internal audit activity,a member of a peer review
team should consider all of the following factors except:

A.

Access to and frequency of communications with the board of directors or its audit committee.

B.

The criteria of education and experience considered necessary when filling vacant
positions on the audit staff.

C.

The degree to which auditors assume operating responsibilities.

D.

The scope and depth of engagement objectives for the audit engagements included in the review.

A daily report which lists unsuccessful attempts to log on to a computer system is A.

A.

Corrective control.

B.

Preventive control.

C.

Detective control.

D.

Compensating control.

In addition to data protection,which of the following is a control that is typically used by
companies to safeguard the privacy rights of their customers?
I.End-user computing.
II.Encryption of data.
III.Spyware.
IV.Intrusion detection.

A.

IIonly

B.

I and IIIonly

C.

II and IVonly

D.

I,II,and IVonly

A chief audit executive (CAE) is obtaining information required by a regulatory oversight
body and discovers a situation that requires management to take immediate corrective
action. What is the best course of action for the CAE to take?

A.

Wait until all of the information has been gathered and reported to the oversight body
before reporting the situation to management.

B.

Check with legal counsel to determine whether the situation can be reported to
management before all information has been submitted to the oversight body.

C.

Report the situation to management immediately.

D.

Schedule an engagement to explore the situation in depth,before reporting to either
management or the oversight body.

In the annual audit of the financial statements of a company with high inherent risk and a
very strong control system,the external auditor may be able to allow detection risk to risebecause.

A.

Audit risk has been reduced.

B.

Control risk has been assessed at a lower level.

C.

The company's operations are very susceptible to misstatements.

D.

Whenever inherent risk is high,control risk is disregarded.

Which of the following best describes the procedures used by the representatives of an
organization's stakeholders to provide oversight of the processes administered by management?

A.

Governance

B.

Control

C.

Risk management

D.

Monitoring

During an audit of financial contracts,an auditor learns that a relative has a substantial loan
with the organization. The auditorshould:

A.

Exclude the relative's information from the audited work and proceed with the audit engagement.

B.

Proceed with the audit engagement but disclose in the engagement final communication that the relative is a customer.

C.

Immediately withdraw from the audit engagement.

D.

Notify management and the chief audit executive (CAE) and have the CAE determine
whether the auditor should continue with the audit engagement.

Which of the following should be the primary objective of an audit of an entity's business continuity plan?

A.

Cost of testing and updating the plan.

B.

Delegation of responsibilities for the plan.

C.

Relationship of the plan to risk exposures.

D.

Efficiency of the planning procedures.

An organization's external auditor has prepared a list of risks and issues and has
recommended to senior management that the internal audit activity focus on these items.
Senior management has forwarded the list to the chief audit executive (CAE). The CAEshould:

A.

Incorporate the external auditor's requirements into the internal audit plan.

B.

Ignore the external auditor's requirements because they are outside of the internal audit
activity's planned scope of work.

C.

Consider the issues raised by the external auditor for possible inclusion in the planned scope of work.

D.

Report the risks and issues to the audit committee for possible future attention.

Which of the following statements,if true,could justify an auditor's decision not to report
governance-related control deficiencies to the audit committee?

A.

Management plans to initiate corrective action.

B.

The board of directors has a separate corporate governance committee.

C.

The amounts and the potential risks associated with the deficiencies are not material to
the overall organization.

D.

 Governance issues are complex and the auditor should rely on management's analysis
of the extent of the problem.