IIA IIA-CIA-Part2 Practice of Internal Auditing Exam Practice Test

A review of password policy compliance found that employees frequently use the same password more than once during a year. The IAA recommends that the access control software reject any password used more than once during a 12-month period.

A review of internal service-level agreement compliance in financial services found that requests for information frequently are fulfilled up to two weeks late. The IAA recommends that the financial services unit be eliminated for its ineffectiveness.

A vacation policy compliance review found that employees frequently leave on vacation before their leave applications are signed by their manager. The IAA recommends that the manager attend to the leave applications in a more timely fashion.

A review of customer service-level agreements found that orders to several customers are frequently delivered late. The IAA recommends that the organization extend the expected delivery time advertised on its website.

The person responsible for performing the task

Two or more people that work in the area

The supervisor in charge of the process

The manager that wrote the steps to be followed

Uphold the quality of the internal audit actively

Provide engagement progress updates to management of the area under review

Assure risks and controls are identified and assessed

Ensure timely completion of the engagement

$84,000

$238,095

$700,000

$2100.000

RACI (responsible, accountable, consult and inform) chart

Flowchart

SWOT{strengths. weaknesses opportunities, and threats) analysis

Workflow analysis

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

Inform senior management of the appropriate actions they should take to control the risk

Recommend that the internal audit activity provide consulting services to help minimize the risk

Assume the responsibility of resolving the significant risk that will affect the organization

Determine whether senior management accepted risk that may be deemed unacceptable for the organization

A heat map sets likelihood to have higher priority than impact.

A heat map sets impact to have higher priority than likelihood.

A heat map recognizes that the priority of impact and likelihood can vary.

A heat map recognizes impact and likelihood as equally important

To assess the efficiency and effectiveness of the accounting department.

To evaluate organizational and departmental structures, including assessments of process flows related to financial matters.

To provide a review of routine financial reports, including analyses of selected accounts for compliance with generally accepted accounting principles.

To provide an analysis of business process controls in the accounting department, including tests of compliance with internal policies and procedures.

Perform a site visit to see whether the organization's servers are operational

Interview end users to determine whether they understand how to use the database information

Determine whether policies are in place on how to use the database information

Review for indications of potential issues with the database information

The overall performance resulting from the internal audit balanced scorecard

The number of outstanding and overdue management actions

The experience of the organization's internal auditors

The number of audits in the annual audit plan relative to similar organizations

Write a risk acceptance memo for the CIO to sign acknowledging the observation and indicating a willingness to accept the risk.

Provide an example of the attestation form that vendors must use. Then, recommend that the IT team require vendors to submit the attestation form on a regular basis.

Escalate the issue to the audit committee, as the CIO is unwilling to implement the recommended action plan.

Escalate the issue to the CAE to assess whether the ClO's reasoning is acceptable.

Positive aspects of the process or area under review

A brief synopsis of the process of area under review

Outcomes and ratings of the process or area under review

Report issuance and the communication process of the engagement.

The auditor should conclude that suspense accounts were not being cleared on a timely basis because they should be cleared daily

The auditor should ask management whether any undocumented policies exist and. if so, determine whether they are adequate

The auditor should conclude that the clearing of suspense accounts was timely and appropriate because weekly clearing is sufficient.

The auditor should rely on his professional judgment and experience to develop criteria for evaluating the existing controls over suspense accounts

It enables the auditor to identify the inherent risks to the effective operation of accounts payable process controls.

It enables the auditor to understand the framework of the activities and associated accounts payable subprocesses

it enables the auditor to understand the accounts payable process and its flow, including key steps and systems.

It enables the auditor to categorize the population of transactions within the accounts payable process

Entity-level controls

Application controls

General controls.

Transaction controls

The form and content of monitoring policies could vary by industry

The board of directors is responsible for the establishment of monitoring polities

Both large and small audit departments must have written policies on monitoring.

The chief audit executive must develop all monitoring policies related to the activity

An assessment of risks to the business objectives

An understanding of the engagement client's expectations

The probability of significant errors fraud or noncompliance

Criteria previously established by the board

An assurance map is used by the chief audit executive to coordinate assurance activities with other internal and external assurance providers

An assurance map is a picture of all assurance engagements performed by the internal audit activity across the organization

An assurance map is used by the engagement supervisor to coordinate the roles of various internal audit team members assigned to assurance engagements

An assurance map lists the procedures and testing activities performed by an internal audit team during an assurance engagement

Define the duties and responsibilities needed from management to perform the engagement.

Disclose the fact that auditors who perform the work may not be subject matter experts in the topic of the review.

Clarify that matters discovered during the engagement may also be reported to senior management and the audit committee.

Disclose the fact that follow-up reviews may be conducted to ensure that recommendations are implemented adequately.

1 and 2

1 and 4

2 and3

3 and 4

Detective compensating controls

Preventive compensating controls

Detective Key controls

Preventive key controls

Percentage of recommendations implemented by corrective action date

Staff experience

Percentage of planned audits completed

Conformance with the International Professional Practices Framework

Condition

Root cause

Criteria

Recommendation

Communication of any internal ethics violations to external parties may occur with appropriate safeguards.

Cultural impacts are less critical where the organization practices uniform polices around the globe.

Cross-cultural differences should always be handled by the staff of the same cultural background.

Local law enforcement should be involved as they are more familiar with the applicable local laws.

Engagement objectives derived from risk assessment results from a company's risk function experts.

Engagement objectives derived from senior management's risk assessment results

Engagement objectives derived from the mental audit activity's own risk assessment results

Engagement objectives derived from risk assessment results from both senior management and the company's risk function experts

Risks are discussed with audit client.

All available information from the risk-based plan is used.

Client efforts to affect risk management are considered.

Prior risk assessments are considered.

A spaghetti map

A heat map.

A process map

An assurance map

Communicate the workpaper review results to management of fie area under review to validate the final report

Update the final report in the file with any necessary corrections based on the workpaper review.

Discuss the workpaper review results with the staff auditor where appropriate as a leaning opportunity

Add the manager's review notes to the final documentation following the review

Report the matter to the board

Implement the recommended control to address the exposure

Discuss the matter with senior management

Ask the regulatory agency to persuade management to address the issue

The observation was made during the same audit, and the action plan has a common owner.

The observation relates to the same control activity within a common process.

The observation has a common control, and it was noted in a prior audit.

The observation has a common process, and the action plan for the observation has a common owner.

Disclosure risk.

Residual risk

Compliance risk

Inherent risk

Determine which controls if any are in place to mitigate the fraud risks

Follow protocol for internal reporting and investigating fraud allegations

Research frauds that nave occurred t\ similar organizations

Incorporate the fraud risk assessment into the engagement plan

Were audit findings relevant and useful to management?

Does the audit report format present issues clearly and concisely?

Does the IAA work with a high degree of professionalism and objectivity?

Were the findings reported in a timely manner?

1.2 and 3

1.2. and 4.

1.3. and 4.

2. 3. and 4.

Manage and coordinate risk management processes.

Audit risk management processes.

Become involved in risk oversight committees, monitoring activities, and status reporting.

Accept management's responsibility for risk management without board approval.

1 and 2

1 and 4

2 and 3

3 and 4

For assurance engagements internal auditors should plan to assess the effectiveness of all entity-level controls

Poorly designed or deficient entity-level controls can prevent well-designed process controls from working as intended.

During engagement planning, internal auditors should not discuss the identified key risks and controls with management of the area under review to prevent tipping off probable audit lasts

Reviewing process maps and flowcharts is an appropriate method for the internal a auditor to identify all key risks and controls during engagement planning

Effectiveness

Response

Efficiency

Mitigation.

Defer the engagement until a system of internal control has been established

Change the scheduled engagement from assurance to consulting to help correct the shortcomings

Add a consulting component to the already scheduled assurance engagement

Seek the involvement of the external auditor to assist with improving the internal controls

Information that is factual adequate and convincing

Information that is best attainable through the use of appropriate engagement techniques

Information that supports engagement objectives and recommendations

Information that helps the organization meet its goals

Residual risk

Inherent risk

Compensating controls

Control activities

A relevant procurement law or regulation.

A list of the company's vendors.

A review of a sample of tenders during the audited period.

A summary of the company's expenditures and their categories.

Senior management of the organization

The chief audit executive

The head of customer service

The board of directors

The level of control is appropriate given the level of risk

The level of control is excessive given the level of risk

The level of control is inadequate given the level of risk

There is not enough of information to determine whether the controls are appropriate or not

Action plan

Recommendation

Condition

Criteria

The reason for not following the internal policy

A description of what constitutes proper approval

The annual impact of the changed agreement on cash flows

Details regarding when the change to the agreement was signed

Review management's organ nationwide risk assessment

Understand the objectives and strategies of the new arrangement

Revise the scope of the audit engagement

Form objectives for the audit engagement

Informal, soft controls are omitted, and greater focus is placed on hard controls.

The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

Internal auditors become involved in and knowledgeable about the self-assessment process.

Nonaudit employees become experienced in assessing controls and associating control processes with managing risks.

To gather information from a sample of people who are geographically dispersed

To assess risks that could prevent an audited area from achieving its objectives.

To evaluate tie level of compliance of remote offices with centrally designed procedures

To perform testing of controls more frequently

Infrastructure.

Emerging.

Managed.

Initial.

All requests for consulting engagements must be included in the annual internal audit plan

Assurance engagements must be included in the annual internal audit plan but there is no requirement to include consulting engagements

Consulting engagements do not need to be included m the annual internal audit plan unless requested by the board

The acceptance of proposed consulting engagements into the annual internal audit plan may depend on their ability to add value

The CAE is required to review, approve, and sign every engagement report.

The CAE is required to review, approve, and sign all regulatory compliance engagement reports only

The CAE may delegate responsibility for reviewing, approving and signing engagement reports, but should review the reports after they are issued.

The internal audit charter must identify authorized signers of engagement reports.