Topic 2, Volume B
A chief audit executive (CAE) suspects that several employees have used desktop computers for
personal gain. In conducting an investigation, the primary reason that the CAE would choose to
engage a forensic information systems auditor rather than using the organization's information
systems auditor is that a forensic information systems auditor would possess:
A.
Knowledge of the computing system that would enable a more comprehensive assessment of
the computer use and abuse.
B.
Knowledge of what constitutes evidence acceptable in a court of law.
C.
Superior analytical skills that would facilitate the identification of computer abuse.
D.
Superior documentation and organization skills that would facilitate the presentation of
findings to senior management and the board.
Knowledge of what constitutes evidence acceptable in a court of law.
While conducting a payroll audit, an internal auditor in a large government organization found
inadequate segregation in the duties assigned to the assistant director of personnel. When the
auditor explained the risk of fraud, the assistant director became upset, terminated the interview,
and threatened to sue the organization for defamation of character if the audit engagement was
not curtailed. The auditor discussed the situation with the chief audit executive (CAE). The CAE
should then:
A.
Curtail the audit engagement to avoid potential legal action.
B.
Provide a report to senior management recommending a fraud investigation.
C.
Continue the original engagement program as planned but include a comment about the
assistant director's reaction in the engagement final communication.
D.
Add additional testing to determine whether other indicators of fraud exist.
Add additional testing to determine whether other indicators of fraud exist.
Which of the following is the most appropriate step for the chief audit executive to take in order to
avoid defamation of character of the principal suspect in a fraud investigation?
A.
Restrict the use of potentially damaging words to privileged reports or discussions.
B.
Label all workpapers, reports, and correspondence of the internal audit activity as private.
C.
Restrict discussions of the fraud to members of management who express an interest in the
investigation.
D.
Destroy all investigation workpapers and reports if the fraud cannot be proven.
Restrict the use of potentially damaging words to privileged reports or discussions.
The scope of a consulting engagement performed by internal auditors should:
A.
Be sufficient to address the objectives agreed upon with the client.
B.
Exclude areas that might be the subject of subsequent assurance engagements.
C.
Be limited to activities within the current operating period.
D.
Be preapproved in conjunction with the annual plan of consulting engagements.
Be sufficient to address the objectives agreed upon with the client.
The following are potential sources of evidence regarding the effectiveness of a division's total
quality management program. The least persuasive evidence would be a comparison of:
A.
Employee morale before and after program implementation.
B.
Scrap and rework costs before and after program implementation.
C.
Customer returns before and after program implementation.
D.
Manufacturing and distribution costs per unit before and after program implementation.
Employee morale before and after program implementation.
A chief audit executive (CAE) of a major retailer has engaged an independent firm of information
security specialists to perform specialized internal audit activities. The CAE can rely on the
specialists' work only if it is:
A.
Performed in accordance with the terms of the contract.
B.
Carried out in accordance with the Standards.
C.
Performed under the supervision of the information technology department.
D.
Carried out using standard review procedures for retailers.
Carried out in accordance with the Standards.
When conducting a performance appraisal of an internal auditor who has been a below-average
performer, it is not appropriate to:
A.
Notify the internal auditor of the upcoming appraisal several days in advance.
B.
Use objective, impartial language.
C.
Use generalizations.
D.
Document the appraisal.
Use generalizations.
An organization contracted a third party to construct a new facility that was estimated to cost $25
million. Which of the following is the most pertinent reason for the organization to audit the
contractor's records?
A.
The contract includes a right-to-audit clause.
B.
The contractor will be paid on a cost-plus basis.
C.
The estimated cost is high.
D.
The contractor has subcontracted much of the work.
The contractor will be paid on a cost-plus basis.
Which of the following would not be an appropriate step for an internal auditor to perform during an
assessment of compliance with an organization's privacy policy?
A.
Determine who can access databases containing confidential information.
B.
Evaluate the organization's privacy policy to determine if appropriate information is covered.
C.
Analyze access to permanent files and reports containing confidential information.
D.
Evaluate the government's security measures related to confidential information received from
the organization.
Evaluate the government's security measures related to confidential information received from
the organization.
An internal auditor for a financial institution has just completed an audit of loan processing. Of the
81 loans approved by the loan committee, the auditor found seven loans which exceeded the
approved amount. Which of the following actions would be inappropriate on the part of the
auditor?
A.
Examine the seven loans to determine if there is a pattern. Summarize amounts and include in
the engagement final communication.
B.
Report the amounts to the loan committee and leave it up to them to correct. Take no further
follow-up action at this time and do not include the items in the engagement final communication.
C.
Follow up with the appropriate vice president and include the vice president's acknowledgment
of the situation in the engagement final communication.
D.
Determine the amount of the differences and make an assessment as to whether the dollar
differences are material. If the amounts are not material, not in violation of government
regulations, and can be rationally explained, omit the observation from the engagement final
communication.
Report the amounts to the loan committee and leave it up to them to correct. Take no further
follow-up action at this time and do not include the items in the engagement final communication.
During a systems development audit, software developers indicated that all programs were moved from the development environment to the production environment and then tested in the
production environment. What should the auditor recommend?
I. Implement a test environment to ensure that testing is not performed in the production
environment.
II. Require developers to move modified programs from the development environment to the test
environment and from the test environment to the production environment.
III. Eliminate access by developers to the production environment.
A.
I only
B.
III only
C.
I and II only
D.
I and III only
I and III only
A post-audit questionnaire sent to audit clients is an effective mechanism for:
A.
Substantiating audit observations.
B.
Promoting the internal audit activity.
C.
Improving future audit engagements.
D.
Validating process flow.
Improving future audit engagements.