Multiple Choices

No. 1 – 8 Hal. 7.26 – 7.27

1. The software that manages interconnectivity … ( C. OPERATING SYSTEM
SOFTWARE)

2. An internet firewall is designed to provide protection against … ( B.

UNAUTHORIZED ACCESS FROM OUTSIDERS )

3. Which of the following best illustrates the use of EDI? … ( B. COMPUTERIZED

PLACEMENT OF A PURCHASE ORDER FROM A CUSTOMER TO ITS SUPPLIER )

4. The possibility of someone maliciously shutting down an information system

is most directly an element of … ( B. ACCESS RISK )

5. An organization’s IT governance committee has several important

responsibilities … ( D. DESIGNING IT APPLICATION-BASED CONTROLS )

6. If a sales transaction … ( C. VALIDITY CHECK )

7. The purpose of logical security controls ( A. RESTRICT ACCESS TO DATA )

8. Which of the following statements … continuous auditing … ( C. BOTH

STATEMENTS I AND II ARE TRUE )

No. 1 – 8 Hal. 9.31

1. Per IIA standards … ( C. BOTH INTERNAL AND EXTERNAL QUALITY ASSURANCE
AND IMPROVEMENT PROGRAM ASSESSMENT )

2. Senior management … ( A. ACCEPT THE AUDIT ENGAGEMENT BECAUSE

INDEPENDENCE WOULD NOT BE IMPAIRED )

3. Who is ultimately responsible for … ( B. THE CAE )

 4. Which of the following … CAE to consider … ( C. TO ENSURE THAT THE
INTERNAL AUDIT PLAN SUPPORTS THE OVERALL BUSINESS OBJECTIVES )

5. The standards requires policies … ( D. ALL INTERNAL AUDIT FUNCTIONS

SHOULD HAVE A DETAILED POLICIES AND PROCEDURES MANUAL )

6. When conducting a consulting engagement … ( B. DISCUSS THE PROBLEM

WITH THE CUSTOMER AND TOGETHER EVALUATE WHETHER ENGAGEMENT
SHOULD BE CONTINUED )

7. Which … responsibility of CAE? … ( B. TO OVERSEE THE ESTABLISHMENT,

ADMINISTRATION, AND ASSESSMENT OF THE ORGANIZATION’S SYSTEM OF
INTERNAL CONTROLS AND RISK MANAGEMENT PROCESSES )

8. The standards requires CAE to share … ( C. REQUIRING THE INDEPENDENT

OUTSIDE AUDITOR TO HAVE THE CAE’S APPROVAL OF THEIR ANNUAL AUDIT
PLAN FOR CONDUCTING FINANCIAL STATEMENT OF AUDIT )

Ch 9

1. What are the advantages of positioning the CAE on a senior management

level within the organization?
Organization that recognize the importance of placing the internal audit
function in a position that maximizes its effectiveness and ability to evaluate the
efficacy of the risk management, control, and governance processes that are in place
often do so through a senior management position described in the standards as a
CAE.

2. What information should be included in an internal audit charter?

In addition to establishing a charter, mission and/or vision, and internal audit
plan, the CAE is responsible for establishing and maintaining independence,
objectivity, proficiency, and due professional care within the internal audit function.
 3. According to Interpretation of Standard 2000, the CAE has three specific
management responsibilities. What are they?
a, Achieving the purpose and responsibility included in the internal audit charter.
b, ACE is responsible for establishing an maintaining independence, objectivity,
proficiency, and due to professional care within the internal audit function.
c, Individuals demonstrate conformance with the Code of Ethics and the Standards.

4. What circumstances could cause impairment of internal audit function

independence or internal auditor objectivity? How should an identified
impairment be handled?
Impairment to organization independence and individual objectivity may
include, but not limited to, personal conflict of interest, scope limitations,
restrictions on access to records, personnel, and properties, and resource
limitations, such as funding.
When there has identified impairment, the internal auditor must repot the import
the impairment or perceived impairment to the CAE who must decide if the internal
auditor needs to be reassigned.

5. Internal audit engagements must be performed with proficiency and due

professional care. What do proficiency and professional care mean?
Proficiency goes into more detail, stating that “internal auditors must possess
the knowledge, skills, and other competencies needed to perform their individual
responsibilities. The internal audit activity collectively must possess or obtain the
knowledge, skill, and other competencies needed to perform its responsibilities.”
Furthermore, IIA standard 1220: Due professional care states that “internal auditor
must apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.”
Ch 10

1. Professional skepticism means that internal auditors take nothing for granted;
they continuously question what they hear and see and critically assess audit
evidence.

2. Reasonable assurance means that internal auditors strive to obtain sufficient

appropriate evidence to provide a reasonable basis for formulating their conclusions
and advice. Internal auditors are rarely, if ever, in a position to provide absolute
assurance regarding the truthfulness of management’s assertions regarding the
system of internal controls and performance. Even experienced internal auditors are
rarely convinced beyond all doubt. This is due to the nature and extent of evidence
they gather and the types of decisions they make. Frequently, internal auditors must
rely on evidence that is persuasive rather than absolutely convincing, and audit
decisions are rarely black and white. Moreover, internal auditors’ conclusions and
advice must be formed at a reasonable cost within a reasonable length of time to
add economic value.

3. The defining characteristics of persuasive evidence are relevance, reliability, and

sufficiency.

4. Audit objectives specify what the engagement is intended to achieve. Audit

procedures are the specific tasks performed by the internal auditor to gather the
evidence required to achieve the prescribed audit objectives.

5. The nature of audit procedures relates to the types of tests the internal auditor
performs to achieve his or her objectives. The extent of audit procedures pertains to
how much audit evidence the internal auditor must obtain to achieve his or her
objectives. The timing of audit procedures pertains to when the tests are conducted
and the period of time covered by the tests.

6. Characteristics among effective interviewers include:

• Professionalism (for example, prepared, respectful, courteous, on time).
• Outstanding interpersonal and oral communication skills, including listening skills.
• The capacity to display confidence and command respect without being arrogant.
• An innate curiosity.
• Objectivity (that is, remain impartial and refrain from interjecting personal
opinions).

7. Vouching refers to the tracking of information backward from one document or

record to a previously prepared document or record, or to a tangible resource.
Vouching is performed specifically to test the validity of documented or recorded
information. Tracing refers to the tracking of information forward from one
document or record, or a tangible resource, to a subsequently prepared document
or record. Tracing is performed specifically to test the completeness of documented
or recorded information.

8. Common analytical procedures performed by internal auditors include analysis of

common-size financial statements, ratio analysis, trend analysis, analysis of future
oriented information, external benchmarking, and internal benchmarking.

9. Common types of computer-assisted audit techniques (CAATs) include generalized

audit software, utility software, test data, application software tracing and mapping,
audit expert systems, and continuous auditing.

10. The types of operations that internal auditors can perform with generalized audit
software (GAS) include:
• Examining files and records for validity, completeness, and accuracy.
• Recalculating recorded values and calculating other values of audit interest.
• Selecting and printing samples and calculating sample results.
• Comparing information in separate files.
• Summarizing, resequencing, and reformatting data.
• Creating pivot tables for multidimensional analysis.
• Searching for anomalies in data that may indicate errors or fraud.
• Preparing and printing reports.
• Automatically generating a historical log of data analyses performed.
11. The two most widely used commercially available audit software programs are
ACL (Audit Command Language) and IDEA (originally an acronym for Interactive Data
Extraction and Analysis).

12. Working papers purposes:

• Aid in planning and performing the engagement.
• Facilitate supervision of the engagement and review of the work completed.
• Indicate whether engagement objectives were achieved.
• Provide the principal support for the internal auditors’ communications to the
auditee, senior management, the board of directors, and appropriate third parties.
• Serve as a basis for evaluating the internal audit function’s quality assurance
program.
• Contribute to the professional development of the internal audit staff.
• Demonstrate the internal audit function’s compliance with The Institute of Internal
Auditors’ (IIA’s) International Standards for the Professional Practice of Internal
Auditing (Standards).

13. Key characteristics of well-prepared working papers include:

• Working paper formats should be standardized as appropriate to streamline the
audit process, facilitate consistent high-quality work across engagements, and
simplify review of the working papers, but not overly standardized so that they
inhibit internal auditor ingenuity and creativity.
• Working paper files should be complete and well organized.
• At the end of an engagement, the files should contain only the final versions of the
working papers completed during the engagement.
• Each individual working paper should stand on its own merits
Ch 13

1. The four reasons why an assurance engagement might be conducted are as

follows:
a. The engagement was identified in the annual internal audit plan because of
inherent risks identified during the business risk assessment process, risks detected
the last time the area was audited, and other relevant factors. For these
engagements, the internal auditor must understand what underlying business risks
caused the engagement to be included in the plan, and then design the engagement
plan to provide the appropriate assurance regarding the design adequacy and
operating effectiveness of controls implemented to mitigate those risks.
b. The engagement is part of an annual requirement to evaluate the organization’s
system of internal controls for external reporting purposes, such as the U.S.
Sarbanes Oxley Act of 2002 Section 404 requirements in the United States and
similar financial reporting laws in other countries. For these engagements, the
internal auditor must ensure that the engagement is designed to test the areas
covered by the underlying regulations (for example, provide assurance regarding the
design adequacy and operating effectiveness of internal control over financial
reporting).
c. A recent event (for example, natural disaster, fraud, or customer bankruptcy) has
tested the process under unusual circumstances and management desires a “post
mortem” to determine where the process was effective and where it was not. For
these engagements, the internal auditor must tailor the testing and evaluation
around the specific event that occurred.
d. Changes in the business or industry require immediate modifications to the
process and management desires a quick validation that these modifications appear
to be designed appropriately to address the changes. For these engagements, the
internal auditor may perform a full controls-focused audit or they may scope it to
focus only on the controls that changed.

2. The following are typical scope statements:

a. Boundaries of the process.
b. In-scope versus out-of-scope locations.
c. Subprocesses.
d. Components.
e. Time frame limitations.

3. The five types of exceptions are:

a. Financial statement errors or misclassifications.
b. Control deficiencies.
c. Shortfalls in objective achievement.
d. Inefficiencies.
e. Out-of-compliance situations.

4. Which type of process objective is the most common and why?

Operational objectives are the most common process objectives. This is due
to the fact that most auditable processes are created to support an important
but non-strategic aspect of the business. Such objectives tend to be task
oriented, which lend themselves to auditing. Reporting and compliance
objectives are frequently embedded in or produced as a by-product of
operational processes. Strategic processes tend to be less task-oriented and
more subject to the judgments and efforts of individuals.

5. The following are potential sources of useful process information from process
owners:
a. Policies relating to the process.
b. Procedures manuals.
c. Organizational charts or similar information outlining the number of employees
and key reporting relationships.
d. Job descriptions for people involved in the process.
e. Process maps or flowcharts depicting the overall flow of the process.
f. Narrative descriptions of key tasks or portions of the process.
g. Copies of key contracts with customers, vendors, outsourcing partners, etc.
h. Relevant information regarding laws and regulations affecting the process.
i. Other documentation that may have been developed to support required
reporting on the effectiveness of the system of internal controls.
6. Why IA perform Analytical Procedure?
Understanding the tasks in a process is an important step in planning an
engagement. However, these tasks describe the way a process is designed to
perform, but provide little indication regarding how effectively they are carried
out. Performing analytical procedures is one way internal auditors conduct high-
level assessments that may reveal process activities that warrant closer attention
and, accordingly, more detailed testing.
Ch 14

8. The closing conference (also referred to as an exit conference) allows the internal
audit function to confirm the preliminary facts relative to any observations indicated
by testing done during the assurance engagement with the appropriate
management representatives of the area that was audited prior to distribution of
the final engagement communication. It also allows all parties to review the form
and content of what is anticipated to be included in the final (formal and informal)
audit engagement communications and provides an opportunity for any
misunderstandings to be resolved. Additionally, it provides management of the
targeted functional areas a way to present their thoughts and planned actions
regarding the items to be covered in the final engagement communication and to
give feedback regarding how well the engagement team executed the assurance
engagement. Management’s action plan to address and resolve control weaknesses
identified during the assurance engagement is also agreed upon in the closing
conference. This provides another check point on the completeness and accuracy of
the draft final communication prior to distribution to management representatives
of the area that was subject to the assurance engagement.

9. All final (formal and informal) communications should include the following
information: the purpose and scope of the audit, the time frame of the audit, the
observations and recommendations (results) of the audit, the conclusion (opinion or
rating, if applicable) of the internal audit function, and management’s response
(action plan) to the recommendations.

10. If an internal audit function chooses to state that the controls are designed
adequately and operating effectively, it has given positive assurance. If, on the other
hand, the internal audit function chooses to communicate that nothing has come to
their attention that leads them to believe that the controls are not designed
adequately and operating effectively, it has given negative assurance.

11. Informal communication is considered appropriate only when, during the

observation evaluation and escalation process, all observations were assessed to be
insignificant with no key control activities compromised. The informal
communication will cover insignificant observations related to secondary control
activities that might be compromised and will only be distributed to management
representatives of the area that was the target of the audit.

Formal communications are assurance engagement communications for

which the intended recipient is senior management, the audit committee, the
organization’s independent outside auditor, and/or management to whom the key
individuals within the area that is the subject of the audit report. Formal
communications are indicated when the controls evaluated during an assurance
engagement are assessed to be: insignificantly compromised with key control
activities affected, significantly compromised, or materially compromised. Every
assurance engagement, no matter if there are observations to report or not, must
result in a final, formal communication for the internal audit function to fully
discharge its responsibilities as outlined in the Standards
Ch 15

2. There are several fundamental differences between assurance services and

consulting services: the number of parties involved in the engagement, the
application of The Institute of Internal Auditors’ (IIA’s) International Standards for
the Professional Practice of Internal Auditing (Standards) to both types of services,
the purpose of the engagement, and communication of the results of the
engagement.

3. The three types of consulting engagements performed by the internal audit

function are:
• Advisory (for example, advising on control design).
• Training (for example, training on risk management and internal control).
• Facilitative (for example, facilitating management’s control self-assessment).

4. Blended engagements incorporate elements of both consulting and assurance

services into one consolidated approach. Blended engagements are indicated when
it is cost-effective or otherwise desirable to combine a component of assurance,
such as the independent assessment of a process or controls, as well as a
component of consulting, such as advising or facilitation.

5. The three ways that potential consulting engagements are identified are:
• Engagements are proposed during the annual risk assessment process and, if
identified as highpriority, included in the annual internal audit plan.
• Specific engagements are requested by management.
• New or changing conditions warrant internal audit attention.

6. Generally, the phases of an advisory consulting engagement are similar to those of

an assurance engagement. They are (1) planning, (2) performing, and (3)
communicating.