IIA-CIA-Part2 Practice of Internal Auditing Questions and Answers

The organizational chart, business objectives and policies and procedures of the area to be reviewed.

The most recent risk assessment conducted by management of the area to be reviewed.

The requests of operational and senior management throughout the organization.

The preliminary risk assessment performed by internal auditors planning the engagement

Refuse to accept the consulting engagement because it would be a violation of independence.

Collaborate with the external auditor to ensure the most efficient use of resources.

Accept the engagement but hire an external training specialist to provide the necessary expertise.

Accept the engagement even if the audit engagement staff was previously responsible for operational areas being trained.

Independently evaluating conflicts of interests.

Assessing contracts for relevant terms and conditions.

Performing statistical analysis for data anomalies.

Preparing evidentiary documentation.

Having no active role or involvement in the risk management process.

Auditing the risk management process for reasonableness.

Coordinating and managing the risk management process.

Participating with management in identifying and evaluating risks.

It enables the auditor to identify the inherent risks to the effective operation of accounts payable process controls.

It enables the auditor to understand the framework of the activities and associated accounts payable subprocesses

it enables the auditor to understand the accounts payable process and its flow, including key steps and systems.

It enables the auditor to categorize the population of transactions within the accounts payable process

The organization incurred excessive cost overruns that resulted in significant financial and legal risk to the project.

The organization experienced a potential conflict of interest

The organization had weaknesses in its review process which allowed questionable transactions with some vendors

The organization allowed the project to launch without assurance that all transactions were regularly approved

The results of individual engagements do not support a satisfactory opinion on the effectiveness of internal control.

The results of the individual engagements do not support a positive assurance opinion on the effectiveness of internal control

The audit risk and associated legal implications increase

The reliance on other assurance providers increases

The document management policy requires business client data to be stored in a specific management database

Sales contracts were stored improperly because the office manager was not trained to use the electronic database and prefers to avoid it

if the organization becomes subject to litigation the agreed pricing terms and conditions of the contracts may be difficult to prove

All staff should be appropriately trained and required to follow the organization's established policies and procedures pertaining to document management

All requests for consulting engagements must be included in the annual internal audit plan

Assurance engagements must be included in the annual internal audit plan but there is no requirement to include consulting engagements

Consulting engagements do not need to be included m the annual internal audit plan unless requested by the board

The acceptance of proposed consulting engagements into the annual internal audit plan may depend on their ability to add value

To identify the greatest risks organizationwide

To ensure that the engagement work program covers all risk areas

To ensure that risks identified during previous audits of the area have been adequately addressed

To ensure that significant risks are included in the engagement scope

The CAE would automatically sand a copy of the report to the service provider as many of the findings relate to Via area managed by the service provider

The CAE may distribute the report to tie service provider at no cost, after consulting with legal counsel and tie chief compliance officer

The CAE may provide a copy of the audit report to the service provider If an agreement & signed and the service provider agrees to reimburse the cost of the audit

D, The CAE should benchmark with other organization in the industry by consorting with colleagues and distribute the report only I it is an acceptable practice m the industry

The CAE must establish a follow-up process tor both assurance and consulting engagements to monitor that management actions have been effectively implemented to address observations

The CAE must communicate the results of assurance and consulting engagements lo whoever can ensure that the results are given due consideration.

The CAE must acknowledge satisfactory performance when communicating the results of assurance and consulting engagements

The CAE may delegate the responsibility for communicating the results of consulting engagements although this responsibility cannot be delegated for assurance engagements

Process objectives.

Process risks

Process controls.

Process scope

Process objectives

Process risks

Process controls

Process scope

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Surveys

Management produced analysis 0

Facilitated team workshops

Weighted risk factors

The form and content of monitoring policies could vary by industry

The board of directors is responsible for the establishment of monitoring polities

Both large and small audit departments must have written policies on monitoring.

The chief audit executive must develop all monitoring policies related to the activity

Bank confirmations

Internal bonk statements

Bank reconciliations as of the end of the year

Bank account general ledger balancer as of the end of the year

Internal control questionnaires are useful m evaluating the effectiveness of standard operating procedures

internal control questionnaires provide reliable documents allowing internal auditors to cover many control procedures in little time

Internal control questionnaires can be used by internal auditors as an interview guide

Internal control questionnaires provide direct audit evidence which may need corroboration

Percentage of recommendations implemented by corrective action date

Staff experience

Percentage of planned audits completed

Conformance with the International Professional Practices Framework

Objectives scope and timing at a high level to support coordination while adhering to confidentiality requirements

The area and timing of the audit engagement to ensure confidentially and avoid conflict of interest.

All plan information, including risk assessments, planned tests and past results to maximize the opportunity for coordination with internal and external providers.

No information should be shared with internal and external provider as it could introduce bias into the engagement results.

Determine that this situation is acceptable and focus on more significant issues

Document the issue m the draft audit report

Document the observation for further follow up when testing the operating effectiveness of controls

Interview the personnel associated with this observation.

Ratio analysis

Vertical analysis

Benchmarking

Cost-benefit analysis.

The CAE should reassess and validate the risk tolerance policy

The CAE should escalate the issue to senior management .

The CAE should reiterate the internal audit team's recommendations to management .

The CAE should grant management more time to implement the recommendation and check the status of the issue during the next scheduled follow-up.

The assessment of high-level risks is typically a linear process.

Management should create the preliminary risk matrix

The analysis should begin with ne identification of objectives

Likelihood should receive greater consideration than impact

Previous performance of the subsidiary specifically its financial results over the last three years and the outcome of external audit reviews

The results of previous internal audits of the subsidiary the recommendations provided and whether the recommended actions have been implemented

Organizational strategy objectives, risks, control framework and the expectations of stakeholders regarding the audit

The qualifications and competencies of the subsidiary's management team and their understanding of risk and control

A spaghetti map

A heat map.

A process map

An assurance map

Testing controls where operating procedures vary.

Testing controls in decentralized offices.

Testing controls in high risk areas.

Testing controls in areas with high control failure rates.

To ascertain the operating effectiveness of a procedure

To verify the accuracy of Information in a report

To assess the controls mitigating major risks

To determine whether specified contra procedures are in place

As soon as possible, no later than two months after the audit

When convenient for both parties

When management has indicated that the issue has been resolved

Before financial year end

The overall performance resulting from the internal audit balanced scorecard

The number of outstanding and overdue management actions

The experience of the organization's internal auditors

The number of audits in the annual audit plan relative to similar organizations

Questionnaires.

Surveys.

Structured interviews

Facilitated team workshops

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

The internal auditor concludes that management may be placing undue reliance on me specified control

The internal auditor concludes that the specified control is more effective than it really is.

The internal auditor concludes that the specified control is acceptably effective

The internal auditor concludes that additional testing will be required to evaluate the specified control

1 and 3

1 and 4

2 and 3

2 and 4

1 and 3 only

2 and 4 only.

1.2. and 3 only

2. 3 and 4 only

Disclosure risk.

Residual risk

Compliance risk

Inherent risk

Proposing fine item recommendation lot the annual financial budget of the accounting department

Making recommendations regarding financial approval authority limits for the operations department

Validating whether employees are following established policies and procedures in the procurement department

Generating expense report metrics for employees in the finance department

The auditor should have ensured the preservation of audit evidence by taking screenshots or extracting tender documents

The auditor should have extracted a list of logs and identified any actions that were executed in the database during the audit

The auditor should have instructed procurement workers that changes to the database during the course of the audit were strictly forbidden

The internal auditor should have created a more thorough work program, which would address audit criteria and potential causes in more detail

An expert or decision support system

Generalized audit software

A system utility program

An integrated test facility

Interviews

Observations

Reperformance

Internal control questionnaires

The presence of an independent critical mass

The established philosophy and operating style of senior management

The articulated internal control objectives of the organization

The organization's employee recruiting and retention policies

A completed engagement workpaper review checklist.

The supervisor's review notes on engagement workpapers.

The email exchanges between the audit team and the supervisor.

A supervisor's approval of resources allocated to the engagement

Acts that may endanger the health or safety of individuals.

Acts that favor one party to the detriment of another.

Acts that damage or have an adverse effect on the environment.

Acts that conceal inappropriate activities in the organization.

CSA allows management to have input into the audit plan.

CSA allows process owners to identify, evaluate, and recommend improving control deficiencies.

CSA can improve the control environment.

CSA increases control consciousness.

The best source tor detailed process information is senior management

Audit objectives should be general and do not change.

Computer-assisted audit techniques are typically not useful during engagement planning

Internal auditors should prepare a dented audit program for testing controls

The audit committee of the board.

The environmental, health, and safety manager.

The organization's external environmental lawyers.

The organization's insurance department.

Coach management in responding to risks.

Develop risk management strategies for board approval.

Facilitate identification and evaluation of risks.

Evaluate risk management processes.

Opportunity.

Rationalization.

Pressure.

Incentives.

An internal auditor made purchases from several of the organization's retail outlets to evaluate customer service

An internal auditor interviewed various employees regarding health and safety issues and recorded their answers

An internal auditor obtained the current quarterly financial report and computed changes in deb-to-equity ratio

An internal auditor received a signed confirmation regarding the terms of a transaction from an independent attorney

They ore kitted as they do not allow the auditor to test many controls.

They do not highlight control gaps

They are not useful for identifying areas on which the auditor should locus.

They are limited as there is a risk that management may not answer fairly.