Which of the following actions is related to the preliminary survey process?

A.

 Determining if controls are effective.

B.

Preparing the engagement work program.

C.

Identifying the current controls.

D.

Completing a detailed test of controls.

A code of business conduct provides:

A.

A fraud avoidance plan that does not explicitly describe punishments for violations.

B.

A passive method of fraud deterrence.

C.

A program to anonymously report irregularities to authorities.

D.

An alternative to "tone at the top" programs.

The chief executive officer has requested that the chief audit executive (CAE) coordinate the
establishment of an enterprise risk management (ERM) program for the organization. Which of the
following would be the most appropriate action for the CAE?

A.

Accept the request as the role of coordinating ERM is a core function of internal audit.

B.

Decline the request as this role compromises the CAE's objectivity.

C.

Accept the request after consulting with the board and adhering to proper safeguards.

D.

Decline the request as internal audit has limited knowledge and experience of risk at the
enterprise level to undertake the assignment.

Which of the following is the most common method management can use to manage risk within its
risk appetite?

A.

Implementation of controls.

B.

Use of risk registers and dashboard.

C.

Frequent communication of risk appetite for operating personnel.

D.

Continuous evaluations and audits.

Which of the following is an effective way for an internal auditor to improve communications with
the client during a contentious audit?

A.

Encourage the client to participate as a partner in the decision-making process to determine the
changes that need to be made.

B.

Clearly explain to the client the role of the internal audit activity in the change process.

C.

Obtain the support of the board of directors for proposed changes before discussing the
changes with operating management.

D.

Speak privately with key client personnel immediately after proposed changes are announced
to address their concerns.

The chief audit executive's responsibility regarding control processes includes:

A.

Assisting senior management and the audit committee in the development of an annual
assessment about internal control

B.

Overseeing the establishment of internal control processes.

C.

Maintaining the organization's governance processes.

D.

Ensuring that the internal audit activity assesses all control processes annually.

Inadequate risk assessment would have the strongest negative impact in which of the following
phases of an audit engagement?

A.

Determining the scope.

B.

Reviewing internal controls.

C.

Testing.

D.

Evaluating findings

The best method for assessing the relative importance of risk factors is to:

A.

 Change the rating of the factors from a 1-3 scale to a 1-5 scale.

B.

Assign weights to the factors based on the comparative impact.

C.

List the risk factors in a priority order.

D.

Use data from an independent source.

Which of the following audit planning activities adds the least value in understanding the current
risk exposures facing the corporation?

A.

Review of organizational strategic plans and operational plans

B.

Consultation with senior management and the audit committee.

C.

Review of the external auditor's risk assessment.

D.

Review of corporate performance reporting and benchmarking

The internal audit activity's primary responsibility in a review or examination of the organization by
an external regulatory body is to:

A.

Verify that regulatory reviews occur with adequate frequency.

B.

Provide follow-up to determine if the regulator's findings are appropriately resolved by
management.

C.

Prepare documentation for the regulator.

D.

Document the responses to the regulator's findings.

Under what circumstances would internal audit not become involved when intentional misconduct
is suspected?

A.

Management is involved in wrongdoing.

B.

Management is running a parallel investigation.

C.

Management does not believe a trusted employee could be guilty.

D.

Management does not maintain strong internal controls.

During a payroll audit of a large organization, an internal auditor noted that the assistant personnel
director is responsible for many aspects of the computerized payroll system, including adding new
employees in the system; entering direct-deposit information for employees; approving and
entering all payroll changes; and providing training for system users. After discussions with the
director of personnel, the auditor concluded that the director was not comfortable dealing with
information technology issues and felt obliged to support all actions taken by the assistant director.
The auditor should:

A.

Continue to follow the engagement program because the engagement scope and objectives
have already been discussed with management.

B.

Review the engagement program to ensure testing of direct deposits to employee bank
accounts is adequately covered.

C.

Recommend to the chief audit executive that a fraud investigation be started.

D.

Test a sample of payroll changes to ensure that they were approved by the assistant director
before being processed.