
Wiley CIAexcel Exam Review 2014: Part 1, Internal Audit Basics

By S. Rao Vallabhaneni
Copyright 2014 by S. Rao Vallabhaneni

Sample Practice Questions, Answers, and Explanations

Domain 1: Mandatory Guidance (35–45%)

1. The IIA's definition of internal auditing emphasizes the effectiveness of which of the following?
a. Value, cost, and benefit propositions.
Incorrect. See correct answer (c).
b. Inherent risk, residual risk, and total risk.
Incorrect. See correct answer (c).
c. Risk management, control, and governance
Correct. The definition of internal auditing states the fundamental purpose, nature, and scope of internal auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
d. Purpose, nature, and scope of work.
Incorrect. See correct answer (c).

2. Which of the following adds value to the others?
a. Governance processes.
Incorrect. See correct answer (c).
b. Risk management processes.
Incorrect. See correct answer (c).
c. Internal audit activities.
Correct. Internal audit activities add value to the organization (and its stakeholders) when they provide objective and relevant assurance and contribute to the effectiveness and efficiency of governance, risk management, and control processes.
d. Control processes.
Incorrect. See correct answer (c).

3. All of the following are examples of assurance services except:
a. Financial engagement.
Incorrect. Financial engagement is part of assurance
b. Compliance engagement.
Incorrect. Compliance engagement is part of assurance services.
c. Due diligence engagement.
Incorrect. Due diligence engagement is part of assurance services.
d. Training engagement.
Correct. Training engagement is a part of consulting. The IIA's Glossary defines assurance services as "objective examination[s] of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization." Examples may include financial, performance, compliance, system security, and due diligence engagements.

4. All of the following are examples of consulting services except:
a. Legal counsel engagement.
Incorrect. Legal counsel engagement is an example of consulting services.
b. System security engagement.
Correct. System security engagement is a part of assurance services. The IIA's Glossary defines consulting services as "[a]dvisory and related client service activities, the nature and scope of which are agreed with the client and are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility." Examples include counsel, advice, facilitation, and training.
c. Advice engagement.
Incorrect. Advice engagement is an example of consulting services.
d. Facilitation engagement.
Incorrect. Facilitation engagement is an example of consulting services.

5. The IIA's Practice Advisories do not contain which of the following?
a. Approaches.
Incorrect. Approaches are a part of practice advisories.
b. Considerations.
Incorrect. Considerations are a part of practice advisories.
c. Processes or procedures.
Correct. Processes or procedures are part of Practice Guides, not Practice Advisories. The other three choices are part of practice advisories. Practice Advisories assist internal auditors in applying the definition of internal auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal auditing's approach, methodologies, and consideration but not detailed processes or procedures. They include practices relating to international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.
d. Methodologies.
Incorrect. Methodologies are a part of practice

6. The IIA's Practice Guides do not contain which of the following?
a. Good practices.
Correct. Good practices are part of Practice Advisories, not Practice Guides. Practice Guides provide detailed guidance for conducting internal audit activities. Practice Guides include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches as well as examples of deliverables.
b. Tools and techniques.
Incorrect. Tools and techniques are part of Practice Guides.
c. Programs.
Incorrect. Programs are part of Practice Guides.
d. Deliverables.
Incorrect. Deliverables are part of Practice Guides.

7. According to the IIA's Organizational Independence Standard, which of the following is not a part of functional reporting to the board?
a. Audit charter.
Incorrect. See correct answer (c).
b. Audit risk assessment.
Incorrect. See correct answer (c).
c. Audit budgets.
Correct. The chief audit executive, reporting functionally to the board and administratively to the organization's chief executive officer, facilitates organizational independence. Functional reporting to the board typically involves the board approving the internal audit activity's overall charter and approving the internal audit risk assessment and related audit plan. Administrative reporting is the reporting relationship within the organization's management structure that facilitates the day-to-day operations of the internal audit activity. Administrative reporting typically includes audit budgets among other things.
d. Audit plan.
Incorrect. See correct answer (c).

8. Which of the following differs between assurance services and consulting services when exercising due professional care?
a. Costs and benefits.
Incorrect. Costs and benefits are the same when exercising due professional care in assurance services and consulting services.
b. Complexity of work.
Incorrect. Complexity of work is the same when exercising due professional care in assurance services and consulting services.
c. Extent of work.
Incorrect. Extent of work is the same when exercising due professional care in assurance services and consulting services.
d. Materiality.
Correct. Materiality is considered in assurance services and procedures but is not relevant to consulting services.

9. Which of the following is driving the need for assurance maps?
a. Risk managers.
Incorrect. Risk managers do not deal with assurance maps.
b. Board members.
Correct. The chief audit executive, senior management, and the board need assurance maps to ensure proper coordination among diverse risk activities. Assurance maps are usually driven by the board due to its oversight responsibility. Assurance maps are organization-wide and coordinated exercises involving mapping assurance coverage provided by multiple parties against the key risks facing the organization so that duplicate efforts, missed risks, and potential gaps can be identified and monitored.
c. Internal auditors.
Incorrect. Internal auditors do not deal with assurance maps.
d. Compliance practitioners.
Incorrect. Compliance practitioners do not deal with assurance maps.

10. Risk registers describe direct links between which of the following?
a. Risk acceptance and risk avoidance.
Incorrect. Risk acceptance and risk avoidance are not related to risk registers.
b. Risk categories and risk aspects.
Correct. Risk registers provide direct links among risk categories, risk aspects, audit universe, and internal controls.
c. Risk assignment and risk sharing.
Incorrect. Risk assignment and risk sharing are not related to risk registers.
d. Risk limitation and risk spreading.
Incorrect. Risk limitation and risk spreading are not related to risk registers.

11. The chief audit executive establishes a method for prioritizing all of the following except:
a. Business units with low risk levels.
Incorrect. See correct answer (d).
b. Branch or field office with low risk levels.
Incorrect. See correct answer (d).
c. Outstanding risk areas.
Incorrect. See correct answer (d).
d. Low inherent risk areas.
Correct. Audits of lower risk level business units, branch types, or field office types need to be periodically included in the internal audit activity's plan to give them coverage and confirm that their risks have not changed. Also, the internal audit activity establishes a method for prioritizing outstanding risks not yet subject to an internal audit. High inherent risk areas, not low inherent risk areas, are prioritized.

12. All of the following provide effective relationships in the organization's governance framework except:
a. Organizational processes.
Correct. Governance does not exist as a set of distinct and separate organizational processes and structures. Rather, there are effective relationships among governance, risk management, and internal controls.
b. Governance.
Incorrect. Governance provides effective relationships in the organization's governance framework.
c. Risk management.
Incorrect. Risk management provides effective relationships in the organization's governance framework.
d. Internal controls.
Incorrect. Internal controls provide effective relationships in the organization's governance framework.

13. Which of the following internal audit assessments belong to specific governance processes?
a. Whistleblower process.
Correct. Internal audit assessments regarding governance processes are likely to be based on information obtained from numerous audit assignments over time. The internal auditor should consider: (1) the results of audits of specific governance processes (e.g., the whistleblower process, the strategy management process) and (2) governance issues arising from audits that are not specifically focused on governance (e.g., audits of the risk management process, internal control over financial reporting, and fraud risks).
b. Risk management audit process.
Incorrect. See correct answer (a).
c. Internal control over financial reporting.
Incorrect. See correct answer (a).
d. Fraud risks.
Incorrect. See correct answer (a).

14. Ensuring internal audit teams have the right competencies with right level of work experience and designing effective internal audit procedures can reduce the risk of which of the following?
a. Business risk.
Incorrect. Business risk is not applicable here.
b. Audit failures.
Correct. Audit failures result when there is a (1) failure to evaluate both the design adequacy and the control effectiveness as part of internal audit procedures and (2) use of audit teams that do not have the appropriate level of competence based on experience or knowledge of high-risk areas.
c. Audit false assurance.
Incorrect. Audit false assurance is not applicable here.
d. Audit reputation risk.
Incorrect. Audit reputation risk is not applicable here.

15. Consulting engagement objectives must be consistent with all of the following except:
a. Organization's goals.
Correct. Goals are short term in nature while objectives are long term in nature. Hence, consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.
b. Organization's values.
Incorrect. See correct answer (a).
c. Organization's strategies.
Incorrect. See correct answer (a).
d. Organization's objectives.
Incorrect. See correct answer (a).

16. Which of the following is the major purpose of performing analytical procedures in internal audits?
a. To perform additional audit procedures.
Incorrect. Performing additional audit procedures is part of obtaining audit evidence.
b. To plan the audit engagement.
Incorrect. Planning the audit engagement is part of obtaining audit evidence.
c. To obtain audit evidence.
Correct. Analytical procedures often provide the internal auditor with an efficient and effective means of obtaining audit evidence. The assessment results from comparing information with expectations identified or developed by the internal auditor.
d. To study relationships among elements of information.
Incorrect. Studying relationships among elements of information is part of obtaining audit evidence.

17. According to the IIA Standards, which of the following is not included in the scope of the internal audit function?
a. Appraising the effectiveness and efficiency of operations and programs.
Incorrect. Appraising the effectiveness and efficiency of operations and programs is included in the scope of internal auditing as stated in the IIA Standards.
b. Reviewing the strategic management process, assessing the quality of management decision making both quantitatively and qualitatively and reporting the results to the audit committee.
Correct. The scope of the internal audit function does not include an assessment of the company's strategic management process.
c. Reviewing the means of safeguarding assets.
Incorrect. Reviewing the means of safeguarding assets is included in the scope of internal auditing as stated in the IIA Standards.
d. Complying with the laws, regulations, policies, procedures, and contracts.
Incorrect. Complying with the laws, regulations, policies, procedures, and contracts is included in the scope of internal auditing as stated in the IIA Standards.

18. An internal auditor is auditing the financial operations of an organization. Which of the following is not specified by the IIA Standards for inclusion in the scope of the audit?
a. Reviewing the reliability and integrity of financial and operational information.
Incorrect. Reviewing the reliability and integrity of financial and operational information is the basic element of the audit.
b. Reviewing the compliance with laws, regulations, policies, procedures, and contracts.
Incorrect. The Standards include compliance, and there are compliance aspects in financial operations.
c. Appraising the effectiveness and efficiency of operations and programs.
Incorrect. The auditor would review the economy, efficiency, and effectiveness of the financial functions.
d. Reviewing the financial decision-making process.
Correct. This element of the audit is not included in IIA Standard 2130 – Control.

19. The audit committee of an organization has charged the chief audit executive (CAE) with bringing the department into full compliance with the IIA Standards. The CAE's first task is to develop a charter. Identify the item that should be included in the statement of objectives:
a. Report all audit findings to the audit committee every
Incorrect. Only significant audit findings should be discussed with the audit committee.
b. Notify governmental regulatory agencies of unethical business practices by organization management.
Incorrect. Internal auditors are not required to report deficiencies in regulatory compliance to the appropriate agencies. However, Institute members and Certified Internal Auditors may not knowingly be involved in illegal acts.
c. Determine the adequacy and effectiveness of the organization's systems of internal controls.
Correct. This is a primary function of any internal auditing department.
d. Submit departmental budget variance reports to management every month.
Incorrect. This choice is not a primary objective of the internal auditing department. It is a budgetary control that management may require on a periodic

20. If an auditee's operating standards are vague and thus subject to interpretation, the auditor should:
a. Seek agreement with the auditee as to the standards to be used to measure operating performance.
Correct. This is what is required by IIA Standard 2210 – Engagement Objectives.
b. Determine best practices in this area and use them as the standard.
Incorrect. The auditor should seek to understand the operating standards as they are applied to the organization.
c. Interpret the standards in their strictest sense because standards are otherwise only minimum measures of acceptance.
Incorrect. Agreement is necessary.
d. Omit any comments on standards and the auditee's performance in relationship to those standards, because such an analysis would be meaningless.
Incorrect. The auditor should first seek to gain an understanding with the auditee on the appropriate

21. In which of the following situations does the auditor potentially lack objectivity?
a. An auditor reviews the procedures for a new electronic data interchange connection to a major customer before it is implemented.
Incorrect. IIA Standards say that the internal auditor's objectivity is not adversely affected when the auditor reviews procedures before they are implemented.
b. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal auditing department.
Correct. IIA Standard 1130 – Impairment to Independence or Objectivity says that persons transferred to the internal auditing department should not be assigned to audit those activities they previously performed until a reasonable period of time has elapsed.
c. An auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits.
Incorrect. IIA Standards say that the internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems before they are implemented.
d. A payroll accounting employee assists an auditor in verifying the physical inventory of small motors.
Incorrect. Use of staff from other areas to assist the internal auditor does not impair objectivity, especially when the staff is from outside of the area being

22. Which of the following actions would be a violation of auditor independence?
a. Continuing on an audit assignment at a division for which the auditor will soon be responsible as the result of a promotion.
Correct. IIA Standard 1130 – Impairment to Independence or Objectivity specifies that an auditor who has been promoted to an operating department should not continue on an audit of the new
b. Reducing the scope of an audit due to budget
Incorrect. IIA Standard 1130 – Impairment to Independence or Objectivity states that budget restrictions do not constitute a violation of an auditor's
c. Participating on a task force which recommends standards for control of a new distribution system.
Incorrect. IIA Standard 1130 – Impairment to Independence or Objectivity states that an auditor may participate on a task force that recommends new systems. However, designing, installing, or operating such systems might impair objectivity.
d. Reviewing a purchasing agent's contract drafts prior to their execution.
Incorrect. IIA Standard 1130 – Impairment to Independence or Objectivity states that an auditor may review contracts prior to their execution.

23. The IIA's Code of Ethics includes which of the following two essential components?
a. Definition of internal auditing and administrative directives.
Incorrect. See correct answer (b).
b. Principles and Rules of Conduct.
Correct. The IIA's Code of Ethics extends beyond the definition of internal auditing to include two essential components:
1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
Note that the IIA's Bylaws and Administrative Directives are applicable to IIA members and Certified Internal Auditor designation holders. Integrity, objectivity, confidentiality, and competency are part of the Principles and the Rules of Conduct.
c. Integrity and objectivity.
Incorrect. See correct answer (b).
d. Confidentiality and competency.
Incorrect. See correct answer (b).

24. A Certified Internal Auditor (CIA) is working in a non-internal audit position as the director of purchasing. The CIA signs a contract to procure a large order from the supplier with the best price, quality, and performance. Shortly after signing the contract, the supplier presents the CIA with a gift of significant monetary value. Which of the following statements regarding the acceptance of the gift is correct?
a. Acceptance of the gift would be prohibited only if it were noncustomary.
Incorrect. Acceptance of the gift could easily be presumed to have impaired independence and thus would not be acceptable.
b. Acceptance of the gift would violate the IIA Code of Ethics and would be prohibited for a CIA.
Correct. As long as an individual is a CIA, he or she should be guided by the profession's Code of Ethics in addition to the organization's code of conduct. Objectivity (Rules of Conduct) of the Code of Ethics would preclude such a gift because it could be presumed to have influenced the individual's decision.
c. Since the CIA is no longer acting as an internal auditor, acceptance of the gift would be governed only by the organization's code of conduct.
Incorrect. There is not sufficient information given to judge possible violations of the organization's code of conduct. However, the action could easily be perceived as a kickback.
d. Since the contract was signed before the gift was offered, acceptance of the gift would not violate either the IIA Code of Ethics or the organization's code of conduct.
Incorrect. There is not sufficient information given to judge possible violations of the organization's code of conduct. However, the action could easily be perceived as a kickback.

25. An auditor, nearly finished with an audit, discovers that the director of marketing has a gambling habit. The gambling issue is not directly related to the existing audit, and there is pressure to complete the current audit. The auditor notes the problem and passes the information on to the chief audit executive but does no further follow-up. The auditor's actions would:
a. Be in violation of the IIA Code of Ethics for withholding meaningful information.
Incorrect. The auditor is not withholding information because he or she has passed the information along to the chief audit executive. The information may be useful in a subsequent audit in the marketing area.
b. Be in violation of the Standards because the auditor did not properly follow up on a red flag that might indicate the existence of fraud.
Incorrect. The auditor has documented a red flag that may be important in a subsequent audit. This does not violate the Standards.
c. Not be in violation of either the IIA Code of Ethics or the Standards.
Correct. There is no violation of either the Code of Ethics or the Standards.
d. Both a and b.
Incorrect. See correct answer (c).

26. As used by the internal auditing profession, the IIA Standards refer to all of the following except:
a. Criteria by which the operations of an internal audit department are evaluated and measured.
Incorrect. This is the definition of the IIA Standards.
b. Criteria which dictate the minimum level of ethical actions to be taken by internal auditors.
Correct. The IIA's Code of Ethics defines the minimum ethical standards for the internal auditor.
c. Statements intended to represent the practice of internal auditing, as it should be.
Incorrect. The Standards define the practice of internal auditing as it should be.
d. Criteria that is applicable to all types of internal audit
Incorrect. The IIA Standards are equally applicable across all industries and all types of internal audit organizations globally.

27. Which of the following situations would be a violation of the IIA Code of Ethics?
a. An auditor was subpoenaed in a court case in which a merger partner claimed to have been defrauded by the auditor's company. The auditor divulged confidential audit information to the court.
Incorrect. Article II prohibits members and Certified Internal Auditors from being party to illegal activities. Failure to comply with a subpoena would be illegal.
b. An auditor for a manufacturer of office products recently completed an audit of the corporate marketing function. Based on this experience, the auditor spent several hours one Saturday working as a paid consultant to a hospital in the local area, which intended to conduct an audit of its marketing function.
Incorrect. A part-time job would not be a problem since it was not with a competitor or supplier.
c. An auditor gave a speech at a local IIA chapter meeting outlining the contents of a program the auditor had developed for auditing electronic data interchange connections. Several auditors from major competitors were in the audience.
Incorrect. Giving a speech is not a violation of the Code of Ethics. In fact, the IIA's motto is "progress through sharing."
d. During an audit, an auditor learned that the company was about to introduce a new product that would revolutionize the industry. Because of the probable success of the new product, the product manager suggested that the auditor buy additional stock in the company, which the auditor did.
Correct. Confidentiality (Rules of Conduct) of the IIA's Code of Ethics states that members and Certified Internal Auditors shall not use confidential information for any personal gain.

28. In applying the standards of conduct set forth in the Code of Ethics, internal auditors are expected to:
a. Exercise their individual judgment.
Correct. The IIA's Code of Ethics contains basic principles, such as integrity, which require individual judgment to apply.
b. Compare them to standards in other professions.
Incorrect. While the comparison might be interesting, it would not help determine how to apply the Code.
c. Be guided by the desires of the auditee.
Incorrect. Application might not be in the best interest of the auditee.
d. Use discretion in deciding whether to use them or not.
Incorrect. Judgment may be applied to their use but not to whether to use them of their involvement, as well as future objectivity and independence issues.

29. Reinforcing the Code of Conduct and ethical behavior standards for all internal auditors can protect which of the following?
a. Business risk.
Incorrect. See correct answer (d).
b. Audit failures.
Incorrect. See correct answer (d).
c. Audit false assurance.
Incorrect. See correct answer (d).
d. Audit reputation risk.
Correct. A leading practice to protect the reputation of internal audit's brand name is to reinforce the Code of Conduct and ethical behavior standards for all internal auditors.

Domain 2: Internal Control and Risk (25–35%)

1. An exception report for management is an example of which of the following?
a. Preventive control.
Incorrect. See correct answer (c).
b. Detective control.
Incorrect. See correct answer (c).
c. Corrective control.
Correct. Detecting an exception in a business transaction or process is detective in nature, but reporting it is an example of a corrective control. Both preventive and directive controls do not detect or correct an error; they simply stop the error, if possible.
d. Directive control.
Incorrect. See correct answer (c).

2. Organizational procedures allow employees to anticipate problems. This type of control is known as:
a. Feedback control.
Incorrect. This is a retrospective control based on the outcome of a completed activity.
b. Strategic control.
Incorrect. This is a broader-based control that should go hand in hand with strategic planning.
c. Feed-forward control.
Correct. Procedures provide guidance on how tasks should be accomplished.
d. Performance appraisal.
Incorrect. This is a retrospective control.

3. As part of a total quality control program, a firm not only inspects finished goods but also monitors product returns and customer complaints. Which type of control best describes these efforts?
a. Feedback control.
Correct. Feedback control ensures that past mistakes are not repeated.
b. Feed-forward control.
Incorrect. The controls mentioned occur after processing and therefore cannot provide feed-forward control.
c. Production control.
Incorrect. Complaints are not part of production
d. Inventory control.
Incorrect. The question is not limited to inventory.

4. To be successful, large companies must develop means to keep the organization focused in the proper direction. Organization control systems help keep companies focused. These control systems consist of which of the following components?
a. Budgeting, financial ratio analysis, and cash management.
Incorrect. These are means of financial control.
b. Objectives, standards, and an evaluation-reward system.
Correct. These items are the basic components of complex organizational control systems in large companies.
c. Role analysis, team building, and survey feedback.
Incorrect. These are several types of organizational development interventions.
d. Coaching, protection, and challenging assignments.
Incorrect. Mentoring fulfills several types of career enhancement functions, including these.

5. Control has been described as a closed system consisting of six elements. Identify one of the six elements.
a. Setting performance standards.
Correct. Setting performance standards is one of the six elements.
b. Adequately securing data files.
Incorrect. This choice is not an element of a closed control system.
c. Approval of audit charter.
Incorrect. This choice is not an element of a closed control system.
d. Establishment of independent audit function.
Incorrect. This choice is not an element of a closed control system.

6. The three basic components of all organizational control systems are:
a. Objectives, standards, and an evaluation-reward system.
Correct. These are the three basic components of a control system.
b. Plans, budgets, and organizational policies and procedures.
Incorrect. These three terms are all used to describe subsystems of a control system.
c. Statistical reports, audits, and financial controls.
Incorrect. These three terms are used to describe either a subsystem of a control process or a tool used in a control system.
d. Inputs, objectives, and an appraisal system.
Incorrect. While objectives is a correct answer, the other two terms are incorrect. Inputs is a good distracter because it is part of the input-process-output relationship used to describe a system.

7. Which of the following management control systems measures performance in terms of operating profits minus the cost of capital invested in tangible assets?
a. Open-book management system.
Incorrect. The open-book management system focuses on sharing company's financial information to all employees.
b. Economic value added system.
Correct. The economic value added system is a new system to measure corporate performance.
c. Activity-based costing system.
Incorrect. The activity-based costing system identifies various activities needed to produce a product or service and determines the cost of those activities.
d. Market value added system.
Incorrect. The market value added system determines the market value of a firm based on its market capitalization rate.

8. A comprehensive management control system that considers both financial and nonfinancial measures relating to a company's critical success factors is called a(n):
a. Balanced scorecard system.
Correct. The balanced scorecard system is a comprehensive management control system that balances the traditional accounting (financial) measures with the operational (nonfinancial)
b. Economic value added system.
Incorrect. See correct answer (a).
c. Activity-based costing system.
Incorrect. See correct answer (a).
d. Market value added system.
Incorrect. See correct answer (a).

9. According to the IIA Planning Standard, the term risk appetite means which of the following?
a. Risk avoidance.
Incorrect. Risk avoidance is eliminating the risk cause and/or consequence.
b. Risk limitation.
Incorrect. Risk limitation implements controls to minimize the adverse impact of a threat.
c. Risk acceptance.
Correct. Risk acceptance is the level of risk that an organization is willing to accept, and it is referred to as risk appetite.
d. Risk spreading.
Incorrect. Risk spreading is sharing the risk with other divisions or business units of the same organization.

10. According to the IIA Planning Standard, residual risk is also known as which of the following?
a. Audit risk.
Incorrect. Audit risk results when an auditor fails to detect a material error or event, and an auditor may fail to detect significant error or weakness during an
b. Pure risk.
Incorrect. Pure risks are those in which there is a chance of loss or no loss only.
c. Current risk.
Correct. Residual risk is current risk, which is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk. Current risk is often defined as the risk managed within existing controls or control systems. Current risk cannot be ignored; instead, it should be managed well so it can become a managed risk.
d. Inherent risk.
Incorrect. Inherent risk is a built-in risk; an example is the susceptibility of information or data to a material misstatement.

11. Residual risk is calculated as which of the following?
a. Known risks minus unknown risks.
Incorrect. See correct answer (d).
b. Actual risks minus probable risks.
Incorrect. See correct answer (d).
c. Probable risks minus possible risks.
Incorrect. See correct answer (d).
d. Potential risks minus covered risks.
Correct. Potential risks include all possible and probable risks. Countermeasures cover some but not all risks. Therefore, the residual risk is potential risks minus covered risks.

12. Which of the following is closely linked to risk acceptance?
a. Risk detection.
Incorrect. See correct answer (c).
b. Risk prevention.
Incorrect. See correct answer (c).
c. Risk tolerance.
Correct. Risk tolerance is the level of risk that an entity or a manager is willing to assume or accept in order to achieve a potential desired result. Some managers accept more risk than others do due to their personal affinity to risk.
d. Risk correction.
Incorrect. See correct answer (c).

13. Which of the following risk concepts can be assumed to have no mitigating controls?
a. Business risk.
Incorrect. Business risk is total risk facing an organization.
b. Residual risk.
Incorrect. Residual risk is current risk.
c. Inherent risk.
Correct. Two fundamental risk concepts are inherent risk and residual risk (also known as current risk). Inherent risk is a built-in risk. To financial/external auditors, inherent risk can be summarized as the susceptibility of information or data to a material misstatement, assuming that there are no related mitigating controls.
d. Current risk.
Incorrect. Inherent risk is the susceptibility of a management assertion to a material misstatement.

14. The internal audit charter normally requires the internal audit activity to focus on areas consisting of which of the following?
a. High inherent risk and high residual risk.
Correct. The internal audit charter normally requires the internal audit activity to focus on areas of high risk, including both inherent and residual risk. The internal audit activity needs to identify areas of high inherent risk, high residual risks, and the key control systems upon which the organization is most reliant.
b. High audit risk and high current risk.
Incorrect. See correct answer (a).
c. Low inherent risk and low audit risk.
Incorrect. See correct answer (a).
d. Low inherent risk and high outstanding risk.
Incorrect. See correct answer (a).

15. Internal auditors would be more likely to detect fraud if they developed/strengthened their ability to:
a. Recognize and question changes which occur in
Correct. The recognition and questioning of change is critical to the detection of fraud.
b. Interrogate fraud perpetrators to discover why the fraud was committed.
Incorrect. Interrogation of fraud perpetrators occurs after detection.
c. Develop internal controls to prevent the occurrence of fraud.
Incorrect. The controls mentioned are preventive, not detective.
d. Document computerized operating system programs.
Incorrect. Documentation of operating systems is not within the scope of internal auditing and would do little to enhance fraud detection skills.

16. According to the IIA Standards, which of the following best describes the two general categories or types of fraud that concern most internal auditors?
a. Improper payments (i.e., bribes and kickbacks) and tax fraud.
Incorrect. These are examples of kinds of fraud within the two general categories or types given in the Standards.
b. Fraud designed to benefit the organization and fraud perpetrated to the detriment of the organization.
Correct. These are the two overall categories or types of fraud given in the IIA Standards.
c. Acceptance of bribes or kickbacks and improper related-party transactions.
Incorrect. These are examples of kinds of fraud within the two general categories or types given in the
d. Acceptance of kickbacks or embezzlement and misappropriation of assets.
Incorrect. These are examples of kinds of fraud within the two general categories or types given in the

17. A company hired a highly qualified accounts payable manager who had been terminated from another company for alleged wrongdoing. Six months later, the manager diverted $12,000 by sending duplicate payments of invoices to a relative. A control that might have prevented this situation would be to:
a. Adequately check prior employment backgrounds for all new employees.
Correct. This practice might give some leads to previous shortcomings.
b. Not hire individuals who appear overqualified for a job.
Incorrect. Individuals in their declining years may be forced to accept jobs below their full capabilities.
c. Verify educational background for all new employees.
Incorrect. This does not include checking prior
d. Check to see if close relatives work for vendors.
Incorrect. This is not an adequate control in this

18. Red flags are conditions that indicate a higher likelihood of fraud. Which of the following would not be considered a red flag?
a. Management has delegated the authority to make purchases under a certain dollar limit to subordinates.
Correct. This is an acceptable control procedure aimed at limiting risk while promoting efficiency. It is not, by itself, considered a red flag.
b. An individual has held the same cash-handling job for an extended period without any rotation of
Incorrect. Lack of rotation of duties or cross-training for sensitive jobs is one of the red-flag list factors.
c. An individual handling marketable securities is responsible for making the purchases, recording the purchases, and reporting any discrepancies and gains/losses to senior management.
Incorrect. This would be an example of an inappropriate segregation of duties, which is an identified red flag.
d. The assignment of responsibility and accountability in the accounts receivable department is not clear.
Incorrect. This is an identified red flag.

19. Internal auditors and management have become increasingly concerned about computer fraud. Which of the following control procedures would be least important in preventing computer fraud?
a. Program change control that requires a distinction between production programs and test programs.
Incorrect. This is one of the elements of good program change control.
b. Testing of new applications by users during the systems development process.
Incorrect. Testing of new applications by users is one of the most important controls to help prevent computer fraud.
c. Segregation of duties between the applications programmer and the program librarian function.
Incorrect. An adequate control structure over program changes is one of the most important control procedures in a computerized environment.
d. Segregation of duties between the programmer and systems analyst.
Correct. This would be the least important control procedure. The analyst is responsible for communicating the nature of the design to the programmer. There is no control reason not to combine these functions.

Domain 3: Conducting Internal Audit Engagements – Audit Tools and Techniques (28–38%)

1. An audit team developed a preliminary questionnaire with the following response choices:
Probably not a problem.
Possibly a problem.
Probably a problem.
The questionnaire illustrates the use of:
a. Trend analysis.
Incorrect. Trend analysis is a specialized form of analytical review procedure, used primarily to analyze the changes in account balances over time.
b. Ratio analysis.
Incorrect. Ratio analysis is a subset of trend analysis used in analytical review. It is unrelated to the subject.
c. Unobtrusive measures or observations.
Incorrect. Observing means seeing and noticing, not passing over. It implies a careful, knowledgeable look at people and things. It means a visual examination with a purpose, a mental comparison with standards, an evaluative sighting. Use of rating scales requires the participant to actively participate; it is not unobtrusive.
d. Rating scales.
Correct. The auditors are using a numerical rating scale for the organization audited.

2. Which of the following statements describes an internal control questionnaire? It:
a. Provides detailed evidence regarding the substance of the control system.
Incorrect. Yes and no answers may be very general and not specific as to degree.
b. Takes less of the auditee's time to complete than other control evaluation devices.
Incorrect. Such questionnaires are tiring for auditees to complete due to their length.
c. Requires that the auditor be in attendance to properly administer it.
Incorrect. The structured questionnaire asks for specific yes or no answers plus brief explanations.
d. Provides indirect audit evidence that might need corroboration.
Correct. The evidence provided is indirect and therefore could require corroboration in some way.

3. Which of the following is the primary advantage of using an internal control questionnaire?
a. It provides a clear picture of the interrelationships that exist between the various controls.
Incorrect. This is an advantage of flowcharts.
b. It reduces the risk of overlooking important aspects of the system.
Correct. An internal control questionnaire can be prepared in advance and functions very much like a checklist.
c. It forces an auditor to acquire a full understanding of the system.
Incorrect. This is an advantage of flowcharts.
d. Negative responses indicate the only areas needing further audit work.
Incorrect. Positive responses must also be tested to determine compliance.

4. Checklists used to assess audit risk have been criticized for all of the following reasons except:
a. Providing a false sense of security that all relevant factors are addressed.
Incorrect. This choice is a criticism of checklists.
b. Inappropriately implying equal weight to each item on the checklist.
Incorrect. This choice is a criticism of checklists.
c. Decreasing the uniformity of data acquisition.
Correct. Checklists increase the uniformity of data acquisition.
d. Being incapable of translating the experience or sound reasoning intended to be captured by each item on the checklist.
Incorrect. This choice is a criticism of checklists.

5. When an internal auditor is interviewing to gain information, the auditor will not be able to remember everything that was said in the interview. The most effective way to record interview information for later use is to:
a. Write notes quickly, trying to write down everything in detail, as it is said; then highlight important points after the meeting.
Incorrect. Extensive note taking may interfere with communication with respondents, since the auditor cannot maintain eye contact or notice nonverbal as well when occupied taking notes.
b. Tape-record the interview to capture everything that everyone says; then type everything said into a computer for documentation.
Incorrect. Tape recording might be used for controversial material but generally will not elicit positive feelings from respondents. For most organizational purposes, auditors will not need exact quotes, which are the major benefit of a recording.
c. Hire a professional secretary to take notes, allowing complete concentration on the interview; then delete unimportant points after the meeting.
Incorrect. Aside from cost, this option would not work because of confidentiality and negative reaction from respondents. This interview is the auditor's job, not someone else's.
d. Organize notes around topics on the interview plan and note responses in the appropriate area, reviewing the notes after the meeting to make additions.
Correct. Organizing note taking ahead of time helps auditors have time during the interview to listen and evaluate the responses and the reactions of respondents.

6. When conducting interviews during the early stages of an internal audit, it is more effective to:
a. Ask for specific answers that can be quantified.
Incorrect. Later fieldwork will cover information that can be quantified. Building rapport is more important in the early interviews.
b. Ask people about their jobs.
Correct. Individuals feel more important when they are asked people questions rather than control questions. This will improve the important interpersonal part of building the audit relationship.
c. Ask surprise questions about daily procedures.
Incorrect. Unless fraud is suspected or the audit deals with cash or negotiable securities, it is more effective to defuse the anxiety of anticipating the audit by providing information ahead of time that explains the audit process and how to prepare for it.
d. Take advantage of the fact that fear is an important part of the audit.
Incorrect. Auditee fear may be a natural part of anticipating the audit, but the auditor should keep it from being an important continuing part of the audit by using good interpersonal skills to build a positive participative relationship with auditees.

7. An auditor prepared a working paper that consisted of a list of employee names and identification numbers as well as this statement: "By matching random numbers with employee identification numbers, 40 employee personnel files were selected to verify that they contain all documents required by company policy 501. No exceptions were noted."
The auditor did not place any tick marks on this working paper. Which one of the following changes would improve the auditor's working paper the most?
a. Use of tick marks to show that each file was examined.
Incorrect. It is not necessary to use tick marks in this case because the same procedures were applied to all sample selections and no exceptions were detected.
b. Removal of the employee names to protect their
Incorrect. The audit working papers are themselves kept confidential so it is not necessary to remove employee names.
c. Justification for the sample size.
Correct. The working paper should specify the sampling risk and the confidence level or precision achieved by the sample or the method of determining size.
d. Listing of the actual documents examined for each
Incorrect. In this case, reference to the company policy is equivalent to listing the documents that were examined.

8. The standard deviation of a sample will usually decrease
a. A decrease in sample size.
Incorrect. A larger sample might more closely approximate the population standard deviation, but that could be either higher or lower depending on the point of reference. A smaller sample might go either way without the increased reliability.
b. The use of stratification.
Correct. Because high-value items can be sampled 100%, a large segment of variability can be
c. An increase in desired precision.
Incorrect. To the extent that sample size is affected, the results might be the same as in choice (a).
d. An increase in confidence level.
Incorrect. To the extent that sample size is affected, the results might be the same as in choice (a).

9. Statistical sampling would be appropriate to estimate the value of an auto dealer's 3,000 line-item inventory because statistical sampling is:
a. Reliable and objective.
Correct. This fits the definition.
b. Thorough and complete.
Incorrect. Statistical sampling is neither thorough nor complete.
c. Thorough and accurate.
Incorrect. Statistical sampling is neither thorough nor accurate.
d. Complete and precise.
Incorrect. Statistical sampling is precise but not complete.

10. An important difference between a statistical sample and a judgmental sample is that with a statistical sample:
a. No judgment is required, everything is by formula.
Incorrect. Judgment is needed for sample size.
b. A smaller sample size can be used.
Incorrect. A large sample may be needed.
c. More accurate results are obtained.
Incorrect. There is no way to determine whether more accurate results are obtained.
d. Population estimates with measurable reliability can be made.
Correct. A statistical sample is the only way to measure reliability.

11. Sample size:
a. Increases with the use of higher confidence levels.
Correct. In its simplest form, the sample-size formula shows that sample size is equal to [(Confidence level factor squared × Estimated standard deviation squared)/(Precision squared)]; thus any increase in confidence level would be accompanied by an increase in sample size.
b. Decreases with the use of higher confidence levels.
Incorrect. See correct answer (a).
c. Remains unchanged with changes in confidence
Incorrect. See correct answer (a).
d. Increases with the use of lower confidence levels.
Incorrect. See correct answer (a).

12. An auditor becomes concerned that fraud in the form of payments to bogus companies may exist. Buyers, who are responsible for all purchases for specific product lines, are able to approve expenditures up to $50,000 without any other approval. Which of the following audit procedures would be most effective in addressing the auditor's concerns?
a. Use generalized audit software to list all purchases over $50,000 to determine whether they were properly approved.
Incorrect. This would provide evidence only on purchases above $50,000, which must be approved by someone other than the buyer.
b. Develop a snapshot technique to trace all transactions by suspected buyers.
Incorrect. This would provide information only on whether the transactions that were authorized by the buyer were properly processed. It does not provide evidence on whether the transaction should have been processed.
c. Use generalized audit software to take a random sample of all expenditures under $50,000 to determine whether they were properly approved.
Incorrect. This would provide information on whether transactions under $50,000 contained the buyer's authorization. That is not the question here; the question is whether there is support for the expenditure. Further, this procedure is limited because it is not directed to the specific indicators that a fraud might exist.
d. Use generalized audit software to list all major vendors by product line; select a sample of paid invoices to new vendors and examine evidence which shows that services or goods were received.
Correct. This is the most comprehensive procedure because it identifies major vendors, concentrates on new vendors, and searches for underlying support that goods or services were provided by the vendor.

13. An auditor wishes to determine the extent to which invalid data could be contained in a human resources computer system. Examples would be an invalid job classification, age in excess of retirement age, or an invalid ethnic classification. The best approach to determine the extent of the potential problem would be to:
a. Submit test data to test the effectiveness of edit controls over the input of data.
Incorrect. Test data would provide evidence on whether the edit controls are currently working. The concern, however, is that data may have entered the system earlier and may be corrupted.
b. Review and test access controls to ensure that access is limited to authorized individuals.
Incorrect. Access controls are important, but they do not address the auditor's major concern, which is to determine the extent of the potential problem as a precursor for planning the extent to which additional audit work is necessary.
c. Use generalized audit software to develop a detailed report of all data outside specified parameters.
Correct. This is both the most effective and the most efficient procedure as it provides a comprehensive analysis of the extent that obviously incorrect data are included in the database.
d. Use generalized audit software to select a sample of employees. Use the sample to determine the validity of data items and project the result to the population as a whole.
Incorrect. This is a valid procedure, but given the auditor's more limited objective, choice (c) provides more comprehensive and efficient evidence.

14. A bank internal auditor wishes to determine whether all loans are backed by sufficient collateral, properly aged as to current payments, and properly categorized as current or noncurrent. The best audit procedure to accomplish this objective would be to:
a. Use generalized audit software to read the total loan file, age the file by last payment due, and take a statistical sample stratified by the current and aged population. Examine each loan selected for proper collateralization and aging.
Correct. This is the best procedure because it takes a sample from the total loan file and tests to determine that the loan is properly categorized as well as properly collateralized.
b. Take a block sample of all loans in excess of a specified dollar limit and determine if they are current and properly categorized. For each loan approved, verify aging and categorization.
Incorrect. This sample deals only with large-dollar items and does not test for proper collateralization.
c. Take a discovery sample of all loan applications to determine whether each application contains a statement of collateral.
Incorrect. This is an inefficient audit procedure because it samples from loan applications, not loans approved.
d. Take a sample of payments made on the loan portfolio and trace them to loans to see that the payments are properly applied. For each loan identified, examine the loan application to determine that the loan has proper collateralization.
Incorrect. This would be an ineffective procedure because it is based only on loans in which payments are currently being made; it does not include loans that should have been categorized differently because payments are not being made.

15. Governmental auditors have been increasingly called on to perform audits to determine whether individuals are getting extra social welfare payments. One common type of welfare fraud is individuals receiving more than one social welfare payment. This is often accomplished by filing multiple claims under multiple names but using the same address. Which of the following computer audit tools and techniques would be most helpful in identifying the existence of this type of fraud?
a. Tagging and tracing.
Incorrect. Tagging and tracing is most effective to determine that items properly submitted are processed correctly.
b. Generalized audit software.
Correct. Generalized audit software could be used to develop a list of multiple recipients at one address. The list could then be investigated further to determine the possibility of fraud.
c. Integrated test facility.
Incorrect. The integrated test facility is most effective to determine that items properly submitted are processed correctly.
d. Spreadsheet analysis.
Incorrect. This would not be the most effective technique.

16. Management has requested an audit of promotional expenses. The sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes the cost may be too high. Which of the following audit procedures would be the least useful to determine the effectiveness of the promotion?
a. A comparison of product sales during the promotion period with sales during a similar nonpromotion period.
Incorrect. This comparison would help highlight the effectiveness of the promotion in increasing sales.
b. A comparison of the unit cost of the products sold before and during the promotion period.
Correct. There is no indication that the cost of the products sold has changed. The challenge is to address the effectiveness of the promotion.
c. An analysis of marginal revenue and marginal cost for the promotion period, compared to the period before the promotion.
Incorrect. This is the key analysis, as it would show the extent of additional revenue versus cost.
d. A review of the sales department's reasons for believing that the promotion has been successful.
Incorrect. This would be helpful because the sales department may have useful information on new customers and repeat purchases.

17. An internal auditor plans to use an analytical review to verify the correctness of various operating expenses in a division. The use of an analytical review as a verification technique would not be a preferred approach if:
a. The auditor notes strong indicators of a specific fraud involving this account.
Correct. If the auditor already suspects fraud, a more directed audit approach would be appropriate.
b. The company has relatively stable operations that have not changed much over the past year.
Incorrect. Relatively stable operating data are a good scenario for using analytical review.
c. The auditor would like to identify large, unusual, or nonrecurring transactions during the year.
Incorrect. Analytical review would be useful in identifying whether large, nonrecurring, or unusual transactions occurred.
d. The operating expenses vary in relation to other operating expenses but not in relation to revenue.
Incorrect. Analytical review only needs to have accounts related to other accounts or other independent data. It does not require that they be related to revenue.

18. During an audit, the internal auditor should consider the following factor(s) in determining the extent to which analytical procedures should be used:
a. Adequacy of the system of internal control.
Incorrect. Adequacy of the system of internal control would be used to determine the extent of analytical audit procedures to be completed.
b. Significance of the area being examined.
Incorrect. The significance of the area being examined would be a factor in determining the extent of the analytical audit procedures to be used.
c. Precision with which the results of analytical audit procedures can be predicted.
Incorrect. The precision of the prediction of the internal audit results would be a factor in determining the extent of analytical audit procedures to be used.
d. All of the above.
Correct. All of the listed factors would be considered in determining the extent of analytical audit procedures to be used.

19. An auditor performs an analytical review by comparing the gross margins of various divisional operations with those of other divisions and with the individual division's performance in previous years. The auditor notes a significant increase in the gross margin at one division. The auditor does some preliminary investigation and also notes that there were no changes in products, production methods, or divisional management during the year. Based on this information, the most likely cause of the increase in gross margin would be:
a. An increase in the number of competitors selling similar products.
Incorrect. An increase in the number of competitors would result in price competition and a likely decrease in gross margin.
b. A decrease in the number of suppliers of the material used in manufacturing the product.
Incorrect. A decrease in the number of suppliers would cause less price competition on the incoming side and, all else being equal, would result in a decreased gross margin.
c. An overstatement of year-end inventory.
Correct. An overstatement of year-end inventory would result in an increase in the gross margin.
d. An understatement of year-end accounts receivable.
Incorrect. A decrease in accounts receivable would be very unlikely to signal an increase in the gross

20. During an operational audit, an auditor compares the inventory turnover rate of a subsidiary with established industry standards in order to:
a. Evaluate the accuracy of the subsidiary's internal financial reports.
Incorrect. Comparison with industry standards will not test the accuracy of internal reporting.
b. Test the subsidiary's controls designed to safeguard assets.
Incorrect. Comparison with industry standards will not test the controls designed to safeguard the inventory.
c. Determine if the subsidiary is complying with corporate procedures regarding inventory levels.
Incorrect. A comparison with industry standards will not test compliance.
d. Assess the performance of the subsidiary and indicate where additional audit work may be needed.
Correct. Such an analytical procedure will provide an indication of the efficiency and effectiveness of the subsidiary's management of the inventory.

21. Which of the following is true of a horizontal flowchart as compared to a vertical flowchart?
a. It provides more room for written descriptions that parallel the symbols.
Incorrect. A vertical flowchart usually is designed to provide for written descriptions.
b. It brings into sharper focus the assignment of duties and independent checks on performance.
Correct. By emphasizing the flow of processing between departments and/or people, it more clearly shows any inappropriate separation of duties and lack of independent checks on performance.
c. It is usually longer.
Incorrect. A horizontal flowchart is usually shorter because space for written descriptions is not
d. It does not provide as broad a picture at a glance.
Incorrect. More of the flow of processing can be depicted on one page than in a vertical flowchart with written descriptions.

22. Of the following, which is the most efficient source for an auditor to use to evaluate a company's overall control system?
a. Control flowcharts.
Correct. Control flowcharting provides an efficient and comprehensive method of describing relatively complex activities, especially those involving several departments.
b. Copies of standard operating procedures.
Incorrect. Copies of procedures and related forms do not provide an efficient method of reviewing the processing activities.
c. A narrative describing departmental history, activities, and forms usage.
Incorrect. A narrative review covering the department's history and forms usage is not as efficient or comprehensive as flowcharting for communicating relevant information about controls.
d. Copies of industry operating standards.
Incorrect. Industry standards do not provide a picture of existing practice for subsequent audit activity.

23. Which of the following tools would best give a graphical representation of a sequence of activities and decisions?
a. Flowchart.
Correct. According to its definition, a flowchart is a graphical representation of a sequence of activities and decisions.
b. Control chart.
Incorrect. A control chart is used to monitor actual versus desired quality measurements during repetition operation.

24. In documenting the procedures used by several interacting departments, the internal auditor will most likely use:
a. A horizontal flowchart.
Correct. A horizontal (systems) flowchart highlights the interaction between departments.
b. A vertical flowchart.
Incorrect. A vertical flowchart does not highlight the interaction of departments.
c. A Gantt chart.
Incorrect. A Gantt chart is not a procedure-oriented documenting tool.
d. An internal control questionnaire.
Incorrect. An internal control questionnaire does not highlight the interaction of departments.

25. Which method of evaluating internal controls during the preliminary review provides the auditor with the best visual grasp of a system and a means for analyzing complex operations?
a. A flowcharting approach.
Correct. A flowchart provides a visual grasp of the system and a means of analysis that cannot be achieved by other methods.
b. A questionnaire approach.
Incorrect. A questionnaire approach provides only an agenda for evaluation.
c. A matrix approach.
Incorrect. A matrix approach does not provide the visual grasp of the system that a flowchart does.
d. A detailed narrative approach.
c. Histogram. Incorrect. A detailed narrative does not provide the
Incorrect. A histogram is a bar chart showing confor- means of evaluating complex operations that a flow-
mance to a standard bell curve. chart does.
d. Run chart.
Incorrect. A run chart tracks the frequency or amount
of a given variable over time.

26. The auditor wishes to test the assertion that all claims paid by a medical insurance company contain proper authorization and documentation, including but not limited to the validity of the claim from an approved physician and an indication that the claim complies with the claimant's policy. The most appropriate audit procedure would be to:
a. Select a random statistical sample of all policyholders and examine all claims for the sampled items during the year to determine if they were handled properly.
Incorrect. Sampling from a population of policyholders would be very inefficient for the audit assertion, as many policyholders may not have any activity during the year.
b. Select a sample of claims filed and trace to documentary evidence of authorization and other supporting documentation.
Incorrect. A sample of claims filed does provide evidence on the overall processing of claims and thus provides some evidence related to the assertion. However, given the assertion, choice (a) is more efficient because it deals with paid claims.
c. Select a sample of claims denied and determine that all claims denied were appropriate. The claims denied file is much smaller, and the auditor can obtain greater coverage with the sample size.
Incorrect. The claims denied file provides evidence on the claims denied, but the auditor cannot conclude that all claims that were not denied should have been paid.
d. Select a sample of paid claims from the claims (cash) disbursement file and trace to documentary evidence of authorization and other supporting documentation.
Correct. The auditor is interested in whether the actual claims paid are properly supported. The most appropriate population from which to sample is the claims-paid file.

27. In evaluating the validity of different types of audit evidence, which one of the following conclusions is incorrect?
a. Recomputation, although highly valid, is limited in usefulness due to its limited scope.
Incorrect. This choice is a true statement.
b. The validity of documentary evidence is independent of the effectiveness of the control system in which it was created.
Correct. The validity of documentary evidence depends on the internal control system.
c. Internally created documentary evidence is considered less valid than externally created documentary evidence.
Incorrect. This choice is a true statement.
d. The validity of confirmations varies directly with the independence of the party receiving the confirmation.
Incorrect. This choice is a true statement.

28. Which of the following is generally not true when evaluating the persuasiveness of evidence?
a. Verified by internally maintained documents rather than by written inquiry of third party.
Correct. Written inquiry/confirmation obtained from outside third parties is more persuasive than internal company documents.
b. Obtained under conditions of strong controls rather than weak controls.
Incorrect. Evidence obtained under conditions of strong control is always more persuasive than if controls had been weak.
c. Known by an auditor's personal knowledge rather than from a third-party confirmation.
Incorrect. Personal knowledge is generally more persuasive than knowledge obtained from other parties.
d. Obtained from an external source rather than from an internal source.
Incorrect. Generally, evidence from outside the organization is more persuasive than evidence obtained from organizational sources. These justifications are based on the general theory of audit evidence.

29. In testing the write-off of a deteriorated piece of equipment, the best evidence of the condition of the equipment would be:
a. The equipment manager's statement regarding condition.
Incorrect. Testimonial evidence, standing alone, is not conclusive.
b. Accounting records showing maintenance and repair costs.
Incorrect. The record of repair and maintenance costs is an internal record providing little evidence of current condition.
c. A physical inspection of the actual piece of equipment.
Correct. A physical inspection provides the best evidence of current condition.
d. The production department's equipment downtime report.
Incorrect. As an internal document, the production department's downtime report provides little persuasive evidence of current condition.

30. Which of the following audit procedures provides the best evidence about the collectibility of notes receivable?
a. Confirmation of note receivable balances with the
Incorrect. Confirmation establishes existence, not
b. Examination of notes for appropriate debtors
Incorrect. Inspection helps verify the validity (not collectibility) of the notes.
c. Reconciliation of the detail of notes receivable and the provision for uncollectible amounts to the general ledger control.
Incorrect. This merely tests bookkeeping procedures.
d. Examination of cash receipts records to determine promptness of interest and principal
Correct. This procedure provides the best evidence of the collectibility of notes receivable.

31. What standard of evidence is satisfied by an original signed document?
a. Sufficiency.
Incorrect. Sufficiency has to do with factual, adequate, and convincing evidence. The information contained on the document may be none of those things.
b. Competence.
Correct. Competent evidence is reliable. It is the best available. An original document is the prime example of such evidence, per the IIA Standards.
c. Relevance.
Incorrect. Relevancy has to do with the relationship of the evidence to some objective of the audit. Since no audit objective is disclosed in the stem of the question, the observer has no way to tell whether the information on the document is or is not relevant to the investigation.
d. Usefulness.
Incorrect. Usefulness is achieved if the item of evidence helps the organization (the auditor, in this case) to accomplish predetermined goals. Since no such goals are specified, there is no way to determine whether the information on the document will help the auditor accomplish some goal established for the

32. When sampling methods are used, the concept of sufficiency of evidence means that the samples selected
a. Reasonable assurance that they are representative of the sampled population.
Correct. A sample need only provide reasonable assurance. Due to cost/benefit considerations, absolute assurance is not necessary.
b. The best evidence that is reasonably obtainable.
Incorrect. The best reasonably obtainable is a test of
c. Reasonable assurance that the evidence has a logical relationship to the audit objective.
Incorrect. The logical relationship is a test of relevance.
d. Absolute assurance that a sample is representative of the population.
Incorrect. Due to cost/benefit considerations, absolute assurance is not necessary.

33. An internal auditor takes a photograph of the auditee's workplace. The photograph is a form of what kind of
a. Physical.
Correct. All graphic evidence is classified as physical evidence. This includes other forms of graphic evidence, such as graphs, charts, and
b. Testimonial.
Incorrect. Testimonial evidence is restricted to the written response to inquiry or interview.
c. Documentary.
Incorrect. Documentary evidence is nongraphical. It takes the form of records, memoranda, correspondence, and related written material.
d. Analytical.
Incorrect. Analytical evidence is the result of the division of a complex entity into its constituent parts, with the subsequent review of each subset of the original whole.