IIA-CIA-Part2 Practice of Internal Auditing Question and Answers

Continue the engagement with the available staff, providing more hands-on supervision than usual

Limit the objectives and scope of the engagement to align them with the skills available among the current staff.

Cosource the performance of the engagement using personnel in the area that will be reviewed to supplement the knowledge of the staff and complete the engagement

Supplement the internal auditors assigned to the engagement by bringing onto the engagement team a consultant who is independent of the area under review and has the missing expertise

The organization's attitude to hierarchy

The organization's whistleblowing strategy

The organization's ongoing risk monitoring process

The organization's risk management policy

Cause and effect.

Effect and criteria

Condition and cause

Criteria and condition.

It will be difficult to quantify the information obtained through this approach

This approach does not help the auditor learn about the existence of controls

It takes the auditor a long time to assess the relevant controls using this approach

Information on control functionality is limited

Review the organizational structure, management roles and responsibilities and operating procedures

Evaluate management's risk assessment and the internal audit activity's risk assessment

Assess process How and control documents used to meet regulatory requirements

Review meeting notes from discussions involving management of the area to be reviewed.

1 and 3 only

2 and 4 only

1, 3, and 4 only

1, 2, 3, and 4

End the consulting engagement and report the results to management as planned

Report the significant control issues to senior management and the board and recommend corrective action

Mutually agree with the engagement client on corrective actions

Focus on the consulting engagement and schedule an assurance engagement next to address the control issues

The contracting department's staffing changes within the last year

The certifications held by the internal auditors assigned to the engagement

The internal audit activity's increase n budget and staffing for the year

The organization's recent changes to how it processes payments

Option A

Option B

Option C

Option D

The amount of experience the auditors have conducting audits in the specific area of the organization.

The availability of the auditors in relation to the availability of key client staff.

Whether the budgeted hours are sufficient to complete the audit within the current scope.

Whether outside resources will be needed, and their availability.

Compare purchase orders generated from test data input into the LAN with purchase orders generated from production data for the most recent period

Develop a report of excess inventory and compare the inventory with current production volume

Compare the pans needed based on current production estimates and the MRP for the revised production techniques with the purchase orders generated from the system for the same period

Select a sample of production estimates and MRPs for several periods and trace them into the system to determine that input is accurate

Criteria

Cause

Effect

Condition

interview IT management in both regions

Inspect regional user software training records

Interview propel management and the vendor responsible for implementation

Distribute surveys to software users in both regions

Documentary evidence

Testimonial evidence

Analytical evidence

Physical evidence

A spaghetti map

A heat map.

A process map

An assurance map

An expert or decision support system

Generalized audit software

A system utility program

An integrated test facility

The number, experience, and availability of audit staff as well as the nature, complexity, and time constraints of the engagement.

The appropriateness and sufficiency of resources and the ability to coordinate with external auditors.

The number, proficiency, experience, and availability of audit staff as well as the ability to coordinate with external auditors.

The appropriateness and sufficiency of resources as well as the nature, complexity, and time constraints of the engagement.

Audit client management only

Executive management only

Audit client management, executive management, and others approved by the chief audit executive.

Audit client management, executive management, and any those who request a copy.

An assurance map is used by the chief audit executive to coordinate assurance activities with other internal and external assurance providers

An assurance map is a picture of all assurance engagements performed by the internal audit activity across the organization

An assurance map is used by the engagement supervisor to coordinate the roles of various internal audit team members assigned to assurance engagements

An assurance map lists the procedures and testing activities performed by an internal audit team during an assurance engagement

Disclose the information in a separate report.

Distribute the information in a confidential report to the board only

Distribute the reports through the use of blind copies.

Exclude the results from the report and verbally report the conditions to senior management and the board.

Write a risk acceptance memo for the CIO to sign acknowledging the observation and indicating a willingness to accept the risk.

Provide an example of the attestation form that vendors must use. Then, recommend that the IT team require vendors to submit the attestation form on a regular basis.

Escalate the issue to the audit committee, as the CIO is unwilling to implement the recommended action plan.

Escalate the issue to the CAE to assess whether the ClO's reasoning is acceptable.

To gain access to a wider variety of skills, competencies and best practices.

To complement existing expertise with a required skill and competency for a particular audit engagement.

To focus on and strengthen core audit competencies.

To provide the organization with appropriate contingency planning for the internal audit function.

The employee’s name listed on organization’s payroll is compared to the personnel records.

Payroll time sheets are reviewed and approved by the timekeeper before processing.

Employee access to the payroll database is deactivated immediately upon termination.

Changes to payroll are validated by the personnel department before being processed.

Enter into long-term gasoline purchase agreements with end customers.

Trade crude oil derivatives at financial markets in order to benefit from price fluctuations

Purchase crude oil-related derivatives such as futures or options

Stock as much raw materials as possible and consider Investing into additional facilities

An interview with the employee who performed the work

An analysis of purchasing and receiving documentation

Existence of a signed completion document accepting the work

A physical inspection of the retail outlet.

Align organizational activities to internal audit activities and measure according to the approved IAA performance measures.

Establish a periodic review of monitoring and reporting processes to help ensure relevant IAA reporting.

Use the results of IAA engagement and advisory reporting to guide current and future internal audit activities.

Establish a format and frequency for IAA reporting that is appropriate and aligns with the organization's governance structure.

Criteria

Condition

Cause

Effect

The establishment of an audit approach and documentation system

The standardization of workpaper terminology and notations

The ability to reach consistent audit conclusions regardless of who performs the audit

The application of documentation standards m an appropriate and consistent manner

Awareness of prior incidents of fraud.

Contractor non-disclosure agreements.

Verification of currency exchange rates.

Receipts for employee expenses.

Poor engagement supervision

ineffective board reporting

Untimely observation follows up and closure

Limited staff resources

A risk assessment

An operational audit

A third-party audit

A fraud investigation

interview management to determine what types of data are collected and maintained

Trace data from storage to the collection sources to determine how critical data is collected and organized

Review a sample of data to determine whether the risk classification is reasonable

Document and test a data inventory and classification program by determining the data classification levels and framework

Independently evaluating conflicts of interests.

Assessing contracts for relevant terms and conditions.

Performing statistical analysis for data anomalies.

Preparing evidentiary documentation.

The CAE should send the final report to operational and senior management and the audit committee.

The CAE should send the final report to operational management only, as there is no need to communicate this information to higher levels.

The CAE should notify operational and senior management that the audit engagement was completed with no significant findings to report.

The CAE should send the final report to operational management and notify senior management and the audit committee that no significant findings were identified.

1 and 2

2 and 4

1, 2, and 3

2, 3, and 4

Analytical procedures.

Detail testing.

Test of design.

Test of control.

Comer of competence

Career model

Rotational model

Cosourcing agreement

Utility software

Generalized audit software

Audit expert systems.

integrated test facility

The CAE should accept the engagement and ensure that an explanation of the expertise limitations is included in the final audit report.

The CAE should ask management to hire an external expert who is familiar with the industry to perform an independent audit for management

The CAE should accept the engagement and hire an external expert to assist the audit team with the audit of the subsidiary

The CAE should recommend postponing the engagement until the internal audit team is able to develop sufficient knowledge of the new industry

Surveys

Management produced analysis 0

Facilitated team workshops

Weighted risk factors

When the CAE reports the audit outcome to senior management.

When the residual risk is identified before the engagement is complete.

Immediately, as residual risk should be communicated as soon as possible

When management of the area under review has resolved and mitigated the residual risk

Defer the engagement until a system of internal control has been established

Change the scheduled engagement from assurance to consulting to help correct the shortcomings

Add a consulting component to the already scheduled assurance engagement

Seek the involvement of the external auditor to assist with improving the internal controls

PPS sampling s used to reach conclusions regarding monetary amounts, attribute sampling is not.

PPS sampling is used to roach conclusions regarding rates of occurrence, attribute sampling is not.

PPS sampling a applied within the context of testing controls attribute sampling s not.

Attribute sampling is affected by the monetary book value of the population PPS sampling is not

Meet with the chief operating officer 10 obtain Information about the MR department

Review the previous internal audit report and locus on key audit observations and action plans

Review the organization's risk strategy and risk appetite framework

Discuss the department's present strategies ‘and objectives with the head of the HR department

Employees who are being paid more than then approved wages

Employees who get paid although their employment has expired

Employees who are related to one of the subcontractors

Employees who are physically present at the workplace but who do not perform the specified job duties

To evaluate controls regarding the computer security of an oil refinery.

To examine the processes involved in exploring, developing, and operating a gold mine.

To assess the likelihood and impact of events associated with operating a finished goods warehouse.

To link a financial institution's business objectives to a work unit responsible for the associated risk.

The level of control is appropriate given the level of risk

The level of control is excessive given the level of risk

The level of control is inadequate given the level of risk

There is not enough of information to determine whether the controls are appropriate or not

The CAE should continue to meet with management to obtain their agreement for corrective action

The CAE should note in the final report that management has decided to accept the risk.

The CAE should ask that additional testing be undertaken to strengthen his case as to the need for corrective action.

The CAE should advise senior management of his intention to escalate the matter to the board.

The risk management process can provide more extensive internal audit services to the organization if it does not have an internal audit department

The risk management process supports internal audit by evaluating whether critical controls are adequate and effective.

The risk management process can determine whether all significant risks have been identified and are being treated.

The risk management process establishes an organization-specific documented risk management framework.

Present the revised audit plan directly to the board for approval

Communicate with the chief financial officer and present the revised audit plan to the CEO for approval

Present the revised audit plan directly to the CEO for approval

Communicate with the CCO and present the revised audit plan to the board for approval

All requests for consulting engagements must be included in the annual internal audit plan

Assurance engagements must be included in the annual internal audit plan but there is no requirement to include consulting engagements

Consulting engagements do not need to be included m the annual internal audit plan unless requested by the board

The acceptance of proposed consulting engagements into the annual internal audit plan may depend on their ability to add value