IIA-CIA-Part2 Sample Questions Answers

Informal, soft controls are omitted, and greater focus is placed on hard controls.

The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

Internal auditors become involved in and knowledgeable about the self-assessment process.

Nonaudit employees become experienced in assessing controls and associating control processes with managing risks.

Independently evaluating conflicts of interests.

Assessing contracts for relevant terms and conditions.

Performing statistical analysis for data anomalies.

Preparing evidentiary documentation.

Risks are discussed with audit client.

All available information from the risk-based plan is used.

Client efforts to affect risk management are considered.

Prior risk assessments are considered.

Coach management in responding to risks.

Develop risk management strategies for board approval.

Facilitate identification and evaluation of risks.

Evaluate risk management processes.

Each year send a different member of the internal audit staff to an IT audit conference to learn about emerging technologies

Contract an external IT special to offer advice and consult on IT audits

Employ an independent external IT specialist to perform IT audits for the first year

Invite qualified staff from the IT department to serve as guest auditors and lead IT audits

RACI (responsible, accountable, consult and inform) chart

Flowchart

SWOT{strengths. weaknesses opportunities, and threats) analysis

Workflow analysis

1 only

4 only

1 and 3

2 and 4

Remove the new employee's excessive access rights and request that he report any future access error.

Perform a complete review of all users who have access to the payroll system lo determine whether there are additional employees who were granted inappropriate access

Review the system activity log of the employee to determine whether he used the inappropriate access to conduct any unauthorized activities in the payroll system

Provide coaching to the IT specialist and introduce a secondary control to ensure system access is granted in accordance with the approved access request.

Proposing fine item recommendation lot the annual financial budget of the accounting department

Making recommendations regarding financial approval authority limits for the operations department

Validating whether employees are following established policies and procedures in the procurement department

Generating expense report metrics for employees in the finance department

Audit criteria should be consistent across audit assignments.

Audit criteria should represent reasonable standards against which to assess existing conditions.

Audit criteria should provide flexibility but allow identification of nonadherence.

Audit criteria should equate to good or acceptable management practices.

Recommend additional segregation-of-duty reviews.

Recommend appropriate awareness training for all finance department staff.

Recommend rotating finance staff in this area.

Recommend that management address these concerns immediately.

By defining activities by business processes.

By looking external factors such as product complaints.

By looking at activities by businesses cost centers.

By defining activities by the organization chart.

Disclosure risk.

Residual risk

Compliance risk

Inherent risk

The annual audit plan should only be adjusted in response to problems with resourcing, scope, and data availability.

The chief audit executive (CAE) may incorporate risk information, including risk appetite levels from management for the audit plan at her discretion.

In an immature risk management environment it is preferable for the CAE to rely solely on her judgment regarding risk identification and assessment to develop the audit plan.

The CAE may make adjustments to the annual audit plan as needed without senior management or board approval.

Information that is factual adequate and convincing

Information that is best attainable through the use of appropriate engagement techniques

Information that supports engagement objectives and recommendations

Information that helps the organization meet its goals

Strategic sourcing

Loan staff arrangement

Flat organizational structure

Hierarchical organizational structure

To save time during final report writing

To meet the Standards requirement for developing a draft report prior to issuing a final report

To use as a tool for communicating with management of the area under review.

To require that management implements solutions to issues identified during the engagement

Communicate the workpaper review results to management of fie area under review to validate the final report

Update the final report in the file with any necessary corrections based on the workpaper review.

Discuss the workpaper review results with the staff auditor where appropriate as a leaning opportunity

Add the manager's review notes to the final documentation following the review

Enter into long-term gasoline purchase agreements with end customers.

Trade crude oil derivatives at financial markets in order to benefit from price fluctuations

Purchase crude oil-related derivatives such as futures or options

Stock as much raw materials as possible and consider Investing into additional facilities

The auditor compares information from one period with the same information from the poor period

The auditor compares new information to his general knowledge of the organization

The auditor compares information he collected with simmer information from another source

The auditor compares expected outcomes with actual results

Senior management of the organization

The chief audit executive

The head of customer service

The board of directors

A heat map sets likelihood to have higher priority than impact.

A heat map sets impact to have higher priority than likelihood.

A heat map recognizes that the priority of impact and likelihood can vary.

A heat map recognizes impact and likelihood as equally important

Comparing the current ratio of the subsidiary with the current ratio of another company for the same period

Comparing common-size financial statements of the subsidiary with the averages of the industry for the last two periods

Comparing the sales of the subsidiary with the sales of another subsidiary for the last two periods.

Comparing the sales of the subsidiary with the budgeted figures for the last two periods

Inform the audit supervisor.

Investigate the potential conflict of interest.

Inform the external auditors of the potential conflict of interest.

Disregard the potential conflict, because it is outside the scope of the audit assignment.

It is best to determine planning activities on a case-by-case basis because they can vary widely from engagement to engagement.

If the engagement subject matter is not unique, it is not necessary to outline specific testing procedures during the planning phase.

The engagement plan includes the expected distribution of the audit results, which should be kept confidential until the audit report is final.

Engagement planning activities include setting engagement objectives that align with audit client's business objectives.

Present the revised audit plan directly to the board for approval.

Communicate with the chief financial officer and present the revised audit plan to the CEO tor approval

Present the revised audit plan directly to the CEO for approval

Communicate with the CEO and present the revised audit plan to the board for approval.

Questionnaires.

Surveys.

Structured interviews

Facilitated team workshops

Engagement objectives derived from risk assessment results from a company's risk function experts.

Engagement objectives derived from senior management's risk assessment results

Engagement objectives derived from the mental audit activity's own risk assessment results

Engagement objectives derived from risk assessment results from both senior management and the company's risk function experts

Testing the validity of information by following it backward to a previously prepared record

Testing the accuracy of the control by reperforming the task or process required

Soliciting and obtaining written verification of the accuracy from an independent third party

Testing the completeness of information forward from a record to a subsequently prepared document

Verify that amounts are correct.

Verify that payments are on time.

Verify that recipients are valid employees.

Verify that benefits deductions are accurate.

1 and 3

1 and 4

2 and 3

2 and 4

Acts that may endanger the health or safety of individuals.

Acts that favor one party to the detriment of another.

Acts that damage or have an adverse effect on the environment.

Acts that conceal inappropriate activities in the organization.

The effect on the organization's reputation

Any potential damage to the organization's relationship with customers.

Past fraud allegations and actual occurrences

The potential and realized financial impacts

Define the duties and responsibilities needed from management to perform the engagement.

Disclose the fact that auditors who perform the work may not be subject matter experts in the topic of the review.

Clarify that matters discovered during the engagement may also be reported to senior management and the audit committee.

Disclose the fact that follow-up reviews may be conducted to ensure that recommendations are implemented adequately.

The engagement supervisor should print sign and date each workpaper after the review is complete and scan the document into the database as evidence of review

Because the engagement supervisor called the help desk to correct the IT problem, he should upload the support-request ticket from the help desk to serve as evidence of the review

The engagement supervisor should ask another manager-level internal auditor not associated with the project to sign the workpaper on his behalf

The engagement supervisor should instruct the staff internal auditor to add a note in the workpaper on his behalf indicating that the workpaper was reviewed and feedback was provided

Top-down approach

Process-Metrix approach

Risk-factor approach

Bottom up approach

The corporate risk register.

The strategic plan.

Internal and external audit reports.

The board's meeting records.

A review of the key performance indicators of me area under review.

A walkthrough of the key processes of the area under review.

An interview with the manager regarding the area's business plan.

A review of previous audit and follow- up results of the area under review

Evaluate and verify management's response, and determine the need and scope for additional work.

Evaluate and verify management's response, and establish timelines for corrective action by management.

Oversee the corrective actions undertaken by management, and determine the need and scope for additional work.

Oversee the corrective actions undertaken by management, and establish timelines for corrective action by management.

Promptly adjust the audit work program to include tests that address the newly identified control and notify the other audit team members of the change

Proceed with the current audit work program because the engagement scope has already been finalized but plan to address the newly identified control as part of the follow up engagement

Adjust the audit work program to account for the new control, but only with approval from the engagement supervisor

Discuss the control with management of the area under review and seek their approval prior to including the control in the current audit engagement

The reason for not following the internal policy

A description of what constitutes proper approval

The annual impact of the changed agreement on cash flows

Details regarding when the change to the agreement was signed

The organization experiences a merger, and the management team is reorganized and redistributed globally

The organization launches a product into new global markets

After minimal testing, the organization implements a new system to replace a legacy system

Regulators announce broad legislative reforms applicable to the industry within which the organization operates

1 and 2 only

1 and 4 only

2 and 3 only

3 and 4 only

Analytical procedures.

Detail testing.

Test of design.

Test of control.

Strategic plans reflect the organization's business objectives and overall attitude toward risk.

Strategic plans are helpful to identify major areas of activity, which may direct the allocation of internal audit activity resources.

Strategic plans are likely to show areas of weak financial controls.

The strategic plan is a relatively stable document on which to base audit planning.

When internal auditors need to cover many control procedures using ICQs is generally less efficient than conducting observations and inspections

It is generally difficult for internal auditors lo compile appropriate ICQs for business activities that are governed by standardized operating procedures

ICQs are inadequate to provide effective assurance on how organizational processes are executed in practice.

It is generally difficult for internal auditors to process completed questionnaires, because ICQs frequently elicit detailed comments and long answers from management

Ensure the testimonials are well documented

Substantiate the testimonials with physical or documentary evidence

Corroborate testimonials with the results from other soft control techniques

Review the testimonials with the interviewed employees

Require the approval of additions and changes to the vendor master listing, where the inherent risk of false vendors is high.

Monitor amounts paid each period and compare them to the budget to identify potential issues.

Compare employee addresses to vendor addresses to identify potential employee fraud.

Monitor customer quality complaints compared to the prior period to identify vendor issues.

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

The employee’s name listed on organization’s payroll is compared to the personnel records.

Payroll time sheets are reviewed and approved by the timekeeper before processing.

Employee access to the payroll database is deactivated immediately upon termination.

Changes to payroll are validated by the personnel department before being processed.

Criteria.

Effect

Condition

Cause