IIA-CIA-Part1 Essentials of Internal Auditing Questions and Answers

The quality assurance and improvement program identified several opportunities for the internal audit activity to make improvements.

In lieu of an external assessment, the internal audit activity performed a self-assessment with independent external validation.

During an internal quality assessment, it was identified that rotational auditors often perform consulting engagements for areas of the organization where they had previous responsibilities.

External assessments are performed every five years by a competent internal audit team from the organization's parent company.

A framework that specifies common best practices for an organization to evaluate and benchmark.

A framework that specifies correct and incorrect business methodologies.

A framework with precise specifications for how controls and processes should be employed.

A framework that offers step-by-step guidance for remedial action for all organization types.

Auditors must have an IT specialty in at least one of their organization's key information technology systems.

Auditors must be proficient in data analysis and computer assisted audit techniques for their organization.

Auditors must understand their organization's integrated test facilities and generalized audit software.

Auditors must understand their organization's IT governance, risk, and control processes.

The initial review of workpapers should be conducted after the final engagement report is issued.

Independent internal assessments of the internal audit activity should be performed by entry-level staff as part of on-the-job training.

Internal audit staff should be informed regularly of changes to policies and procedures.

Training documents should be destroyed at the end of the year to create space for the next year's training documents.

The CAE seeks senior management approval of the internal audit charter

The CAE obtains senior management's approval to hire staff

The CAE reports significant issues to the organization's CEO

The CAE provides the board with an annual budget for approval

Speak to the payroll manager so he may investigate the auditor's observations.

Continue to investigate the payments to confirm the accuracy of the observations, and determine whether further fraudulent payments have been made.

Stop the audit and report the findings to senior management immediately.

Escalate the concern to the engagement supervisor.

Request from the audit committee an additional budget and an extension so that the external assessment could be performed next year.

Review the results of the internal assessment, identify weaknesses, and implement improvements at the remaining offices.

Request the regional office that performed the internal assessment to perform an assessment of the remaining offices.

Request that an external assessor validate the results of the internal assessment and review the remaining offices.

Report the non-compliance cases to the board of directors.

Recommend that management update its policies and procedures based on the circumstances.

Investigate the rationale for management's actions.

Recommend those employees to report the cases through the designed whistleblowing channel for the appropriate treatment.

Internal assessments must be reported to the board at least every five years

If supported by assessment results, reporting provides assurance that internal auditors demonstrate conformance with the Code of Ethics

Following the reporting the board must give the internal audit activity five years to correct any deviations

A report, including the results of both internal and external assessments must be provided to the board annually

Include the engineering department on the audit plan, use the available internal audit resources to conduct the review, and exclude procedures that cannot be adequately assessed.

Advise management to accept the assessed risk until the internal auditors are able to review the area adequately.

Recruit internal auditors with the required competencies and wait until they are employed before including this audit on the internal audit plan.

Proceed with a review of the engineering department but supplement the internal audit team with nonauditors from an external engineering company who have the required skills to assist

Appoint the chief audit executive as a member of the board.

Adopt written policies and procedures for the internal audit activity, approved by the board.

Ensure the chief audit executive reports administratively to the audit committee.

Establish the internal audit activity’s position within the organization in an audit charter.

Stakeholders

The board

The chief executive officer

Internal auditors

Analyzing the results of successful testing of controls and monitoring procedures implemented by management

Determining that there are no gaps between the internal auditors' risk assessment and the risk assessment performed by the organization

Obtaining evidence that employees throughout the organization are aware of the organization s risk appetite

Verifying that previously identified organizational risks were documented in board meeting minutes

The auditor is prudent in the use and protection of information acquired in the course of his work.

The auditor does not accept anything that may impair or be presumed to impair his professional judgment.

The auditor does not perform services in a particular area when he lacks skills in that area.

The auditor performs work with honesty, diligence, and responsibility.

Checking the progress of risk treatment plans

Considering the consequence and likelihood of risks

Documenting the risks and their areas of impact

Communicating to management about risks

1 and 3 only.

2 and 4 only.

1,2. and 3.

2,3, and 4.

The auditor misunderstood the audit objectives.

The auditor lacked professional skepticism.

The auditor's fieldwork was not properly supervised.

The auditor lacked an understanding of the organization.

Corrective control

Process-level control

Compensating control

Preventive control

The risk and control model should be globally accepted by the profession.

The risk and control model should be strictly adhered to in performing the engagement.

The risk and control model should be tailored to the organization that will be the subject of the engagement.

The risk and control model should be developed individually by the auditor for use on individual audit projects within the planned engagement.

The chief audit executive (CAE) reports on the internal audit activity's day-to-day tasks and responsibilities to the CEO.

An assessment of the risk management function is reviewed by an outside consulting firm because the CAE is temporarily fulfilling the role of risk manager.

The CAE regularly meets with the organization's chief risk officer, who validates all reported audit findings and dictates which will be Included In the package to the audit committee.

The internal audit activity will experience staffing shortages for the next six months due to planned and unplanned leaves of absence; therefore the CAE proposed including fewer audits in the annual audit plan compared to the previous financial year.

Obtaining assurance on external financial, regulatory, and internal audits.

Complying with laws, regulations, and codes.

Assigning authority and responsibilities organization wide.

Monitoring and measuring performance.

Self-review threat.

Advocacy threat.

Familiarity threat.

Personal relationship threat.

Soft controls should not be audited due to subjectivity issues.

There are no effective tools to use for audits of soft controls.

Traditional testing is less suitable for soft controls assessment.

Management input is the best source for assessment of soft controls.

Integrity

Proficiency

Due Professional Care

Competency

General IT control.

Processing control.

Input control

Integrity control

The auditor should consider local cultures and customs in various regions when assessing control effectiveness.

Regardless of their location, employees at all levels share responsibility for designing effective controls to mitigate risks.

To achieve an effective internal control environment, the organization's risk management plan must be documented and communicated to all levels throughout each region.

Setting clear objectives is a precondition to effectively identifying, assessing, and responding to the organization's risks.

Verify the completeness and integrity of the data being analyzed.

Identify duplicated organizational transactions.

Analyze all transactions within the targeted area.

Check control totals that have may have been falsified.

Technical industry-specific expertise.

Expertise in cybersecurity, an area of increasing risk.

Knowledge of IT risks and controls.

Knowledge of forensic accounting.

Risk responses must be selected.

Risks must be assessed.

The risk universe must be established.

Risk responses must be aligned.

Fraud specialists are better at using computer-assisted audit techniques

Fraud specialists are better equipped to act as an expert witness in court

Fraud specialists are better able to properly apply due professional care

Fraud specialists are better at using crime scene investigation techniques

The chief audit executive (CAE) reports functionally to the CEO.

The CAE's compensation is approved by the chief financial officer.

The CAE's appointment Is determined by the CEO

The CAE reports administratively to the chief operating officer.