Topic 1, Volume A
Which of the following would be a red flag that indicates the possibility of inventory fraud?
I. The controller has assumed responsibility for approving all payments to certain vendors.
II. The controller has continuously delayed installation of a new accounts payable system, despite a corporate directive to implement it.
III. Sales commissions are not consistent with the organization's increased levels of sales.
IV. Payments to certain vendors are supported by copies of receiving memos, rather than originals.
A. I and II only
B. II and III only
C. I, II, and IV only
D. I, III, and IV only
Summary:
This question asks you to identify red flags specifically indicative of inventory fraud, often involving fictitious vendors or false billings. The key is to look for actions that bypass segregation of duties, avoid system controls, or create anomalies in the documentation trail. These signs point to someone intentionally creating or exploiting weaknesses to perpetrate a fraud scheme.
Correct Option:
C. I, II, and IV only
I. The controller assuming payment approval duties breaks segregation of duties. This allows them to both authorize payments and potentially create fictitious vendor invoices, a classic fraud red flag.
II. Delaying a new A/P system suggests a desire to avoid automated controls and detection mechanisms that a new system might introduce, allowing existing fraudulent schemes to continue.
IV. Using copies of receiving memos instead of originals is highly suspicious. It could indicate the receiving memo is forged or duplicated to support payment for goods that were never actually received, which is a core element of inventory/purchasing fraud.
Incorrect Option:
III. Sales commissions are not consistent with the organization's increased levels of sales.
This is a red flag, but it points toward revenue or sales fraud, not inventory fraud. Inconsistencies here might indicate issues like recording fictitious sales to inflate revenue, which is a different type of financial statement fraud. It does not directly signal a scheme to defraud the company through its inventory or accounts payable processes.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." The concepts of red flags and fraud risk indicators are covered in the IIA's Practice Guide "Internal Auditing and Fraud" and are integral to the due professional care required by Standard 1220.A2.
During an operational audit of a chain of pizza delivery stores, an auditor determined that cold pizzas were causing customer dissatisfaction. A review of oven calibration records for the last six months revealed that adjustments were made on over 40 percent of the ovens. Based on this, the auditor:
A. Has enough evidence to conclude that improperly functioning ovens are the cause.
B. Needs to conduct further inquiries and reviews to determine the impact of the oven variations on the pizza temperature.
C. Has enough evidence to recommend the replacement of some of the ovens.
D. Must search for another cause since approximately 60 percent of the ovens did not require adjustment.
Summary:
This question tests the auditor's obligation to gather sufficient and appropriate evidence before reaching a conclusion. While a correlation exists between frequent oven adjustments and customer complaints about cold pizza, the auditor must investigate further to establish a direct causal link. The high adjustment rate is a strong indicator of a potential problem but is not conclusive evidence by itself.
Correct Option:
B. Needs to conduct further inquiries and reviews to determine the impact of the oven variations on the pizza temperature.
This is the correct course of action. The high rate of oven adjustments is a significant symptom, but it does not prove that this is the definitive cause of the cold pizzas. The auditor must perform additional procedures, such as testing current oven temperatures, observing cooking processes, and interviewing staff, to establish a direct causal link between the oven performance and the final product temperature before forming a conclusion.
Incorrect Option:
A. Has enough evidence to conclude that improperly functioning ovens are the cause.
This is premature. The evidence is correlational but not yet causative. The auditor has not yet verified that the adjustments were effective or that the ovens are currently malfunctioning. Jumping to this conclusion violates the standard for sufficient evidence (Standard 2300).
C. Has enough evidence to recommend the replacement of some of the ovens.
This is an overreach. Recommending a capital-intensive solution like replacement requires robust evidence that repairs are ineffective or not cost-efficient. The auditor only has evidence of frequent adjustments, not that the ovens are beyond repair or that replacement is the only viable solution.
D. Must search for another cause since approximately 60 percent of the ovens did not require adjustment.
This logic is flawed. A problem affecting 40% of the ovens is significant and warrants investigation. Dismissing it because it doesn't affect 100% of the units would be a major audit failure. The issue is serious enough to explore in the stores where it is occurring.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." Specifically, Standard 2300 – Performing the Engagement, which requires internal auditors to identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives. The evidence here is insufficient to meet that standard.
When assessing the risk associated with an activity, an internal auditor should:
A. Determine how the risk should best be managed.
B. Provide assurance on the management of the risk.
C. Modify the risk management process based on risk exposures.
D. Design controls to mitigate the identified risks.
Summary:
This question focuses on the core assurance role of the internal auditor within the risk management process. The key distinction is that management is responsible for managing risk, while internal audit's duty is to provide independent assurance on whether those risks are being managed effectively. The auditor assesses the risk to plan the audit but does not take on management's responsibilities.
Correct Option:
B. Provide assurance on the management of the risk.
This is the fundamental role of internal audit. When assessing risk, the auditor is evaluating the existing risk management activities performed by management. The outcome of this assessment is an independent opinion (assurance) for the board and senior management on whether risks are being properly identified, assessed, and mitigated within the organization's risk appetite.
Incorrect Option:
A. Determine how the risk should best be managed.
This is a management responsibility. Deciding on the appropriate risk response (accept, avoid, mitigate, transfer) is an operational decision. If internal auditors were to dictate how risks should be managed, it would impair their objectivity when they later have to provide assurance on the effectiveness of those very management actions.
C. Modify the risk management process based on risk exposures.
This is also a management responsibility. Designing, implementing, and modifying the overall risk management process is a core function of management. The internal auditor assesses the design and operating effectiveness of this process and may recommend improvements, but they do not have the authority to modify the process themselves.
D. Design controls to mitigate the identified risks.
This is an inappropriate role for internal audit. Designing controls is a primary responsibility of management. Internal auditors can evaluate the adequacy and effectiveness of controls and recommend enhancements, but they should not design them, as this would make them responsible for the controls they are later required to independently evaluate.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." Specifically, Standard 2120 – Risk Management, which clarifies that the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes, but not manage risks directly.
Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function?
A. Observe the process.
B. Review the trend in receivables write-offs.
C. Ask the credit manager about the effectiveness of the function.
D. Check for evidence of credit approval on a sample of customer orders.
Summary:
This question asks for the best evidence to prove the credit-granting function is effective. Effectiveness means it successfully achieves its goal of minimizing bad debt losses while supporting sales. Evidence must be objective and directly measure the outcome of the process, not just compliance with the process steps. The ultimate proof is in the financial results.
Correct Option:
B. Review the trend in receivables write-offs.
This provides the best evidence of effectiveness because it is a direct, objective outcome measure. A low or decreasing trend in receivables write-offs indicates that the credit-granting function is successfully identifying creditworthy customers and minimizing bad debts. This is the ultimate result the function is designed to achieve, making it the most convincing evidence of its effectiveness.
Incorrect Option:
A. Observe the process.
Observation only confirms that a process exists and is being followed. It does not confirm that the process is effective. An employee could be diligently following a flawed credit-check procedure that still results in high bad debt.
C. Ask the credit manager about the effectiveness of the function.
Inquiry alone is considered weak, corroborative evidence. It is subjective and potentially biased, as the credit manager has a vested interest in presenting the function in a positive light. It does not provide independent verification of performance.
D. Check for evidence of credit approval on a sample of customer orders.
This is a test of compliance with the control procedure, not its effectiveness. It confirms that credit was approved before the sale, but it does not reveal whether the approval decisions were correct or whether the customers ultimately paid their bills.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." The concepts of sufficient, reliable, and relevant evidence are covered under Standard 2300. This option provides the most reliable and relevant evidence to support a conclusion on effectiveness.
The most effective way for internal auditors to enhance the reliability of computerized financial and operating information is by:
A. Determining if controls over record keeping and reporting are adequate and effective.
B. Reviewing data provided by information systems to test compliance with external requirements.
C. Determining if information systems provide management with timely information.
D. Determining if information systems provide complete information.
Summary:
This question asks for the most effective role internal auditors can play to ensure the reliability of computerized information. Reliability is built on a foundation of strong internal controls. While reviewing data outputs or checking for timeliness and completeness are relevant, they are specific tests. The most comprehensive and proactive approach is to assess the entire control framework that governs how data is recorded, processed, and reported.
Correct Option:
A. Determining if controls over record keeping and reporting are adequate and effective.
This is the most effective approach because it addresses the root cause of reliability. By evaluating the design and operating effectiveness of the underlying controls (e.g., access security, data validation, processing integrity, change management), the auditor provides assurance that the system itself can be trusted to produce reliable information consistently. This is a preventative and holistic strategy.
Incorrect Option:
B. Reviewing data provided by information systems to test compliance with external requirements.
This is a limited, detective procedure. It only checks a specific subset of data against external rules and does not provide broad assurance over the overall reliability of all financial and operating information generated by the system. It is an output test, not a system-level assessment.
C. Determining if information systems provide management with timely information.
Timeliness is one attribute of useful information (along with reliability), but ensuring timeliness does not, by itself, guarantee that the information is accurate, complete, or valid. A system can provide fast but incorrect data.
D. Determining if information systems provide complete information.
Similar to option C, completeness is a single component of reliability. An auditor could verify that all transactions are recorded (completeness) but still not confirm their accuracy or validity. Focusing solely on completeness ignores other critical aspects of data integrity.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." Standard 2130 on Control states that the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency. This is achieved through the fundamental activity described in option A.
Which of the following situations might allow an employee to steal checks sent to an organization and subsequently cash them?
A. Checks are not restrictively endorsed when received.
B. Only one signature is required on the organization's checks.
C. One employee handles both accounts receivable and purchase orders.
D. One employee handles both cash deposits and accounts payable.
Summary:
This question focuses on identifying a specific internal control weakness that enables check theft and fraudulent negotiation. The scenario involves an employee intercepting incoming customer payments. The critical control to prevent this is a restrictive endorsement, which ensures the check can only be deposited into the company's bank account, making it useless for a thief.
Correct Option:
A. Checks are not restrictively endorsed when received.
This is the correct answer. If checks received from customers are not immediately stamped "For Deposit Only to the Account of [Company Name]," they remain negotiable instruments. An employee who steals them can then endorse the check personally and cash or deposit it into their own account, effectively converting the company's asset into their own.
Incorrect Option:
B. Only one signature is required on the organization's checks.
This is a control over outgoing checks from the organization. It is designed to prevent unauthorized disbursements. The scenario describes the theft of incoming checks from customers, which is not affected by the company's own check-signing policies.
C. One employee handles both accounts receivable and purchase orders.
This represents a failure in the segregation of duties between the revenue and expenditure cycles. It could allow an employee to create a fictitious vendor and a fictitious sale, but it does not directly create an opportunity to steal and cash an incoming customer check.
D. One employee handles both cash deposits and accounts payable.
This is a poor segregation of duties between handling assets (cash) and recording liabilities. It could allow an employee to misappropriate a cash deposit and cover it up by making an unauthorized accounts payable entry. However, it does not directly describe the mechanism for stealing and cashing an incoming check.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." The underlying principle is from Standard 2120 on risk management and the need for controls over asset safeguarding. A restrictive endorsement is a fundamental physical control over cash receipts.
An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions, including the use of hedging strategies and financial derivatives, use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement?
A. Investigation of the physical security over access to the components of the LAN.
B. The ability of the LAN application to identify data items at the field or record level and implement user access security at that level.
C. Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise.
D. The level of security of other LANs in the company which also utilize sensitive data.
Summary:
This question tests the auditor's ability to define and adhere to a specific engagement scope. The audit is explicitly defined as an audit of security for a specific local area network (LAN) in the finance department. The scope is limited to the controls, risks, and user perceptions related directly to that single system. Including other, unrelated systems would be scope creep.
Correct Option:
D. The level of security of other LANs in the company which also utilize sensitive data.
This is outside the scope. The engagement letter and objective are specifically confined to the finance department's LAN. Auditing other LANs in the company, even if they handle similar sensitive data, constitutes a separate audit entity. Including them would require a different or broader audit scope and would not be appropriate for this defined engagement.
Incorrect Option:
A. Investigation of the physical security over access to the components of the LAN.
This is firmly within the scope. Physical security (e.g., access to server rooms, wiring closets, workstations) is a fundamental component of an overall IT security audit. A weakness in physical access could completely undermine logical security controls.
B. The ability of the LAN application to identify data items at the field or record level and implement user access security at that level.
This is a core part of the audit scope. Given the highly sensitive nature of the data (investment decisions, hedging strategies), testing the granularity of logical access controls (field/record level security) is essential to determine if users can only access the data necessary for their job duties.
C. Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise.
This is a standard and valuable audit procedure within scope. Interviewing users of the finance LAN can provide insights into potential security weaknesses, adherence to security policies, and the overall control culture as it pertains to the system being audited.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." Specifically, Standard 2201 – Planning Considerations, which requires that engagement objectives reflect the results of the risk assessment and that the scope of the engagement is sufficient to satisfy the objectives. The scope here is clearly defined as the finance department LAN.
An audit of management's quality program includes testing the accuracy of the cost-of-quality reports provided to management. Which of the following internal control objectives is the focus of this testing?
A. To ensure compliance with policies, plans, procedures, laws, and regulations.
B. To ensure the accomplishment of established objectives and goals for operations or programs.
C. To ensure the reliability and integrity of information.
D. To ensure the economical and efficient use of resources.
Summary:
This question focuses on categorizing an audit test according to the fundamental internal control objectives. The activity described is testing the accuracy of a specific management report. This directly relates to the quality and trustworthiness of the information used by management for decision-making, which is a distinct control category separate from compliance, goal achievement, or efficient resource use.
Correct Option:
C. To ensure the reliability and integrity of information.
This is the correct objective. Testing the accuracy of the cost-of-quality reports is a direct examination of the reliability and integrity of financial and operational information. Management depends on accurate data to monitor performance and make decisions. Verifying the report's accuracy ensures the information is valid, complete, and free from material misstatement.
Incorrect Option:
A. To ensure compliance with policies, plans, procedures, laws, and regulations.
This objective is not the primary focus. While accurate reporting may be a policy, the test itself is not checking for adherence to an external law or a specific internal procedure for how the report is prepared. It is directly testing the quality of the output (the information itself).
B. To ensure the accomplishment of established objectives and goals for operations or programs.
This relates to operational or performance objectives. The test is not determining if quality goals were met; it is verifying whether the data used to measure if those goals were met is correct. This is a fundamental distinction between the information and the operation it describes.
D. To ensure the economical and efficient use of resources.
This is the objective of economy and efficiency. The test is not assessing whether resources were used with minimal waste to produce the report. It is solely concerned with whether the information within the report is accurate, regardless of the cost to produce it.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." The IPPF's framework outlines key control objectives, which include the reliability of information as a distinct category. This is a core concept underlying Standard 2130 on Control.
When internal auditors provide consulting services, the scope of the engagement is primarily determined by:
A. Internal auditing standards.
B. The audit engagement team.
C. The engagement client.
D. The internal audit activity's charter.
Summary:
This question distinguishes between the nature of assurance and consulting engagements. For consulting services, which are advisory in nature and undertaken at the specific request of a client, the scope and objectives are not unilaterally set by the internal auditor. Instead, they are agreed upon with the client to address their specific needs and objectives, while still operating within the overall framework of the internal audit charter.
Correct Option:
C. The engagement client.
For consulting engagements, the scope is primarily determined through agreement with the engagement client. The client identifies the specific problem or process they wish to have examined, and the internal auditor works with them to define the objectives, scope, and terms of the engagement. This collaborative approach is a fundamental characteristic that differentiates consulting from assurance work.
Incorrect Option:
A. Internal auditing standards.
While the conduct of the engagement must adhere to the IPPF's standards for due professional care and quality, the standards do not dictate the specific scope of an individual consulting engagement. The standards provide the framework for how to perform the work, not what the work will be about.
B. The audit engagement team.
The engagement team plans and executes the work, but they do not unilaterally determine the scope for a consulting engagement. The scope is a matter of agreement with the client. The team's role is to provide professional advice within the boundaries set by that agreement.
D. The internal audit activity's charter.
The charter provides the overall mandate and authority for the internal audit activity to perform both assurance and consulting work. It sets the boundaries within which the activity operates but does not specify the detailed scope for a particular consulting engagement. The charter enables the service, but the client defines its specific focus.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." Specifically, Standard 2200 – Engagement Planning, which states that for consulting engagements, "internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives." The term "agreed-upon" highlights the client's primary role in scope determination.
A manufacturing process could create hazardous waste at several production stages, from raw materials handling to finished goods storage. If the objective of a pollution prevention audit engagement is to identify opportunities for minimizing waste, in what order should the following opportunities be considered?
I. Recycling and reuse.
II. Elimination at the source.
III. Energy conservation.
IV. Recovery as a usable product.
V. Treatment.
A. V, II, IV, I, III.
B. IV, II, I, III, V.
C. I, III, IV, II, V.
D. III, IV, II, V, I.
Summary:
This question tests knowledge of the waste management hierarchy, a fundamental environmental management concept. The hierarchy prioritizes options based on their environmental impact and sustainability. The most desirable option is to prevent waste from being created at all, while the least desirable is disposal. The correct order reflects this preference for source reduction over end-of-pipe solutions.
Correct Option:
A. V, II, IV, I, III.
This corresponds to the standard waste hierarchy. The correct order is:
II. Elimination at the source: The most effective method is to not create the waste in the first place by modifying the process or materials.
IV. Recovery as a usable product: If waste cannot be eliminated, the next best step is to recover it for use as a product in another process.
I. Recycling and reuse: If not recoverable as a product, the waste should be recycled or reused within the organization.
V. Treatment: If the above are not feasible, treat the waste to reduce its volume or toxicity before disposal.
III. Energy conservation: While important, energy conservation is a separate environmental objective and is not a direct method for minimizing hazardous waste. It is correctly placed last in this specific sequence.
Incorrect Option:
B. IV, II, I, III, V.
This sequence is incorrect because it prioritizes recovery (IV) over elimination (II), which is contrary to the fundamental principle of the waste hierarchy. Prevention is always superior to management after the fact.
C. I, III, IV, II, V.
This sequence is incorrect as it starts with recycling (I), which is a mid-level solution, and places the most effective option, elimination (II), far too late in the process. It also incorrectly prioritizes energy conservation (III).
D. III, IV, II, V, I.
This sequence is incorrect because it begins with energy conservation (III), which is not a direct method for waste minimization in this context, and misplaces the other hierarchy elements.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." While a specific standard is not cited, this aligns with the due professional care (Standard 1220) required for engagements involving environmental issues and the need to apply recognized frameworks, such as the waste management hierarchy, which is a cornerstone of pollution prevention.
An organization's internal auditors are reviewing production costs at a gas-powered electrical generating plant. They identify a serious problem with the accuracy of carbon dioxide emissions reported to the environmental regulatory agency, due to computer errors. The auditors should immediately report the concern to:
A. The regulatory agency.
B. Plant management.
C. A plant health and safety officer.
D. The risk management function.
Summary:
This scenario involves a significant error in regulatory reporting. The IIA's standards and principles of governance dictate a clear chain of communication. The internal auditors' primary responsibility is to report findings to the appropriate level within the organization's management, who then hold the ultimate responsibility for addressing the issue and communicating with external parties.
Correct Option:
B. Plant management.
The auditors should immediately report the concern to Plant Management. Management is responsible for the accuracy of regulatory reports and for taking corrective action. Informing management first allows them to investigate, correct the error, assess the impact, and fulfill their obligation to communicate with the regulatory agency, which is a management function, not an internal audit function.
Incorrect Option:
A. The regulatory agency.
This is incorrect. Direct external communication is the responsibility of senior management or the legal department, not internal audit. The IIA's standards emphasize that internal auditors communicate within the organization. Bypassing management to report directly to a regulator would overstep their role and could create significant legal and reputational issues for the organization.
C. A plant health and safety officer.
This is incorrect. While emissions can have safety and health implications, the primary and immediate issue identified is the accuracy of regulatory reporting. The health and safety officer is not the appropriate owner for correcting a computer error in financial/environmental reporting or for managing the regulatory relationship. This is a broader management issue.
D. The risk management function.
This is not the most immediate and appropriate action. While the reporting error represents a significant compliance risk that should be incorporated into the organization's risk framework, the immediate need is for operational correction. Plant management is responsible for the process and the data; they are the ones who must act immediately to fix the computer error and address the regulatory exposure.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." Standard 2400 – Communicating Results, specifies that communications must include the objectives, scope, and results of engagements, and are to be directed to the appropriate parties within the organization, which in this case is the management responsible for the area.
Which of the following would be an appropriate improvement to controls over large quantities of consumable material that are charged to expense when placed in bins which are accessible to production workers?
A. Relocate bins to the inventory warehouse.
B. Require management to compare the cost of consumable items used to the budget.
C. Lock the bins during normal working hours.
D. None of the above actions are needed for items of minor cost and size.
Summary:
This question addresses a control weakness where expensive consumable materials are expensed immediately and placed in unsecured, open bins. This creates a high risk of theft and unauthorized use. The most appropriate control improvement would be one that directly restricts physical access to the assets, thereby safeguarding them and ensuring they are used only for authorized production purposes.
Correct Option:
C. Lock the bins during normal working hours.
This is the most direct and appropriate control improvement. Locking the bins restricts physical access, preventing theft and unauthorized use of the consumable materials. Access can be controlled through a custodian who issues the items only for authorized production needs. This simple physical control directly addresses the risk without unnecessarily hindering production efficiency.
Incorrect Option:
A. Relocate bins to the inventory warehouse.
While this would centralize storage, it may be highly inefficient for a consumable used frequently on the production line. If the items are still expensed immediately and placed in open bins within the warehouse, the control weakness remains. The key issue is the lack of access control, not necessarily the location.
B. Require management to compare the cost of consumable items used to the budget.
This is a detective control, not a preventative one. It may eventually identify a significant variance, but only after the theft or waste has already occurred. It does not physically prevent the loss from happening in the first place and is less effective than a direct access control.
D. None of the above actions are needed for items of minor cost and size.
The question explicitly states there are "large quantities" of these consumables. Therefore, the total value is likely significant, making this an incorrect assumption. Controls should be commensurate with the risk, and the risk here is material.
Reference:
The Institute of Internal Auditors. "International Professional Practices Framework (IPPF)." The underlying principle is from Standard 2130 on Control, which requires internal auditors to assess the adequacy and effectiveness of controls in managing risks, including the risk of asset loss. A physical access control like a lock is a fundamental preventative control for safeguarding assets.