While planning an assurance engagement, the internal auditor obtains knowledge about the activity under review’s operations to, among other things:
a) Develop an understanding of the activity under review’s objectives, risks, and controls.
b) Make constructive suggestions to management regarding internal control improvements.
c) Evaluate whether misstatements in the activity under review’s performance reports should be communicated to senior management and the audit committee.
d) Develop an attitude of professional skepticism concerning management’s assertions.
a) Develop an understanding of the activity under review’s objectives, risks, and controls.
Which of the following statements does not illustrate the concept of inherent business risk?
a) A broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter.
b) Technological developments might make a particular product obsolete.
c) Transactions involving complex calculations are more likely to be misstated than transactions involving simple calculations.
d) Cash is more susceptible to theft than an inventory of sheet metal.
a) A broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter.
Internal auditors perform both assurance engagements and advisory engagements. Which of the following would be classified as an advisory engagement?
Assessing the design adequacy of the organization’s entity-level monitoring activities.
Facilitating senior management’s assessment of risks threatening the organization.
Directly assessing the organization’s compliance with laws and regulations.
Assisting the external auditor during the financial statement audit engagement.
Facilitating senior management’s assessment of risks threatening the organization.
When assessing the risk associated with an activity, an internal auditor should:
Determine how the risk should best be managed.
Design controls to mitigate the identified risks.
Update the risk management process based on risk exposures.
Provide assurance on the management of the risk.
Provide assurance on the management of the risk.
If an internal auditor’s evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to:
Prepare a flowchart depicting the system of internal controls.
Conclude that residual risk is low.
Test the operating effectiveness of the controls.
Conclude that control risk is high.
Test the operating effectiveness of the controls.
Which of the following is not a typical scope statement?
Time frame limitations.
Methods used to test process transactions.
In-scope versus out-of-scope locations.
Boundaries of the process.
Methods used to test process transactions.
Which of the following is not typically a key element of flowcharts or narrative memoranda?
Overall process objectives.
Key inputs to the process.
Key risks and controls.
Key outputs from the process.
Overall process objectives.
Which of the following is not a key question that must be answered when evaluating the design adequacy of controls?
Do the key control activities, taken individually or in the aggregate, reduce the corresponding process-level risks to acceptable levels?
Are there additional compensating controls from other processes that further reduce risks to acceptable levels?
Are adequate internal audit resources available to evaluate the controls?
Does the internal auditor understand what an “acceptable level” of risk is, based on management’s risk tolerance levels for the process?
Are adequate internal audit resources available to evaluate the controls?
Which of the following auditee-prepared documents will likely be of greatest assistance to the internal auditor in their assessment of process design adequacy?
Detailed flowcharts depicting the flow of the process
Policies and procedures manual
Narrative memoranda listing key tasks for portions of the process
Organization charts and job descriptions
Detailed flowcharts depicting the flow of the process
Which of the following groups’ risk tolerance levels are least relevant when conducting an assurance engagement?
Vendors and customers.
Senior management.
The internal audit function.
Process-level management.
Vendors and customers.
Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make?
“I evaluate both the usefulness of the evidence I can obtain and the cost to obtain it.”
“I consider the level of risk involved when deciding the kind of evidence I will gather.”
“I am seldom absolutely certain about the conclusions I reach based on the evidence I examine.”
“I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence.”
“I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence.”
Professional skepticism means that internal auditors beginning an assurance engagement should:
Assume that internal controls are designed inadequately and/or operating ineffectively.
Neither assume the employees within the activity under review are honest nor assume they are dishonest.
Assume the employees within the activity under review are dishonest until they gather evidence that clearly indicates otherwise.
Assume the employees within the activity under review are honest until they gather evidence that clearly indicates otherwise.
Neither assume the employees within the activity under review are honest nor assume they are dishonest.
Documents sent directly from a third party to the internal auditor are less reliable than documents created by the organization.
True
False
False
Which of the following represents the most competent evidence that trade receivables actually exist?
Bills of lading.
Sales invoices.
Positive confirmations.
Receiving reports.
Positive confirmations.
Documentary evidence is one of the principal types of corroborating information used by an internal auditor. Which one of the following examples of documentary evidence generally is considered the most reliable?
A copy of a sales invoice prepared by the sales department
A receiving report obtained from the receiving department
A vendor’s invoice obtained from the accounts payable department
A credit memorandum prepared by the credit manager
A vendor’s invoice obtained from the accounts payable department
Criteria
What should be.
Recommendation
What should be done.
Cause
Why.
Condition
What was found through testing.
Effect
Exposure encountered because of what is.
Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities?
The CEO.
Each assurance and consulting function.
The CAE.
The external auditor.
The CAE.
Which of the following would not be considered a primary objective of a closing or exit conference?
To resolve conflicts.
To identify concerns for future audit engagements.
To identify management’s actions and responses to the engagement observations and recommendations.
To discuss the engagement observations and recommendations.
To identify concerns for future audit engagements.
A formal engagement communication must:
Provide an opportunity for the management of the activity under review to respond.
Document the corrective actions required of senior management.
Report significant findings.
Provide a formal means by which the external auditor assesses potential reliance on the internal audit function.
Report significant findings.
The internal audit function's responsibilities end when engagement results are distributed.
True
False
False
In which phase(s) of the internal audit engagement can data analytics be used?
I. Planning the individual engagement.
II. Testing the effectiveness and efficiency of controls.
III. Assessing risk to determine which areas of the organization to audit.
I, II, and III
Which of the following is not typically a barrier to internal auditors using data analytics in achieving the engagement objective?
Knowing what data exists and where to find it.
Poorly defining the scope of the intended use of data analytics.
Data analytics software is limited by the number of records it can process.
The effort required to cleanse and prepare data for import to the data analytics tool.
Data analytics software is limited by the number of records it can process.
In developing a new system, change management is extremely important. What are two main reasons to assess change management controls?
Identify invalid expense report items
Identify ghosts on the payroll.
Identify theft of inventory.
Identify suspect timesheets.
Identify theft of inventory.
This chapter emphasized the need for internal audit data analytics competencies. The CAE, assuming they have the budget, should hire an internal audit data analyst with the following competencies:
I. Audit experience.
II. Industry knowledge.
III. Legal experience.
IV. Data analytics experience.
I, II, and IV
What are the best uses of artificial intelligence (AI) for internal auditors?
Using AI to perform your interviews with audit clients.
Reading Internal Auditor magazine.
Providing internal company data to be used for testing controls.
Developing audit programs for complex areas you have not audited before.
Developing audit programs for complex areas you have not audited before.
An organization’s IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility?
Aligning investments in IT with business strategies
Overseeing changes to IT systems
Monitoring IT security procedures
Designing IT application-based controls.
Designing IT application-based controls.
Requiring a user ID and password would be an example of what type of control?
Detective
Corrective
Preventative
Reactive
Preventative
In developing a new system, change management is extremely important. What are two main reasons to assess change management controls?
Increased regulatory requirements around IT and controls and the ubiquity of technology.
Increased organizational and internal audit expense budgets.
Reduce technology employees performing technology management and increase focus on technology project management.
Increase internal security and limit segregation of duties.
Increased regulatory requirements around IT and controls and the ubiquity of technology.
Which of the following statement(s) regarding an internal audit function’s continuous auditing responsibilities is/are true?
I. The internal audit function is responsible for assessing the effectiveness of management’s continuous monitoring activities.
II. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls.
I and II
The purpose of logical security controls is to:
Restrict access to data.
Limit access to hardware.
Record processing results.
Ensure complete and accurate processing of data.
Restrict access to data.
How should an organization handle an anonymous accusation from an employee that a supervisor in the organization has manipulated time reports?
Make a record of the accusation but do nothing, as anonymous accusations are typically not true.
Turn the issue over to the HR department because this type of anonymous accusation is usually just a human resources issue.
Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted.
Assign a staff internal auditor to review all time reports for the past six months in the supervisor’s area.
Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted.
Which of the following is an example of misappropriation of assets?
A duplicate bill is sent to a customer in hopes that they will pay it twice.
A foreign official is bribed by the chief operating officer to facilitate approval of a new product.
A small amount of petty cash is stolen
A journal entry is modified to improve reported financial results.
A small amount of petty cash is stolen
A payroll clerk increased the hourly pay rate of a friend and shared the resulting overpayment with the friend. Which of the following controls would have best served to prevent this fraud?
Limiting the ability to make changes in payroll system personnel information to authorized HR department supervisors.
Requiring that all changes to pay records be recorded on a standard form.
Monitoring payroll costs by department supervisors monthly.
Periodically reconciling pay rates per personnel records with those of the payroll system
Limiting the ability to make changes in payroll system personnel information to authorized HR department supervisors.
Which of the following types of companies would most likely need the strongest anti-fraud controls?
A bank
A manufacturer of popular athletic shoes
A grocery store.
An internet-based electronics retailer.
A bank
Which of the following is a valid statement about the detection of fraud?
Internal controls, when properly designed, are almost bullet proof in terms of preventing fraud.
Law enforcement plays a significant role in the detection of white collar (economic) crimes.
The combined frequency of tips and accidents in discovering fraud exceeds the combined frequency of internal and external audits.
For the purposes of understanding how fraud is discovered, whistleblower hotlines are the only method proven to detect fraud.
The combined frequency of tips and accidents in discovering fraud exceeds the combined frequency of internal and external audits.
Which of the following is not likely to be a step during an advisory engagement?
Flowcharting the key steps in a process
Assessing the risks in a process
Understanding the objectives of a process
Expressing a conclusion on the design adequacy and operating effectiveness of a process
Expressing a conclusion on the design adequacy and operating effectiveness of a process
Which internal auditor will be the most successful in being perceived as a trusted advisor?
One who ensures 100 percent compliance with all policies, procedures, and rules
One who audits using a checklist
One who collaborates with management to reach a consensus on the best solution to balance controls and efficient processes
One who best uses audit sampling techniques
One who collaborates with management to reach a consensus on the best solution to balance controls and efficient processes
Which of the following best describes internal audit workpapers for advisory engagements?
Advisory engagements typically require more documentation than assurance engagements
Workpapers are not required for advisory engagements
Workpaper requirements for advisory engagements are similar to assurance engagements but typically have less documentation
Workpapers for advisory engagements do not require a review by internal audit management
Workpaper requirements for advisory engagements are similar to assurance engagements but typically have less documentation
Which of the following is not a required consideration of competency when choosing to perform an advisory engagement?
Needs and expectations of the engagement customer
Cost of the engagement relative to the potential benefits
Availability of adequate skills and resources to conduct the engagement
Potential impact on the external auditor's financial statement audit
Potential impact on the external auditor's financial statement audit
Which of the following would be a typical advisory engagement activity performed by the internal audit function?
Determining the scope of an engagement to test IT application controls
Testing the design adequacy of controls over the termination of employees
Testing compliance with accounts payable policies and procedures
Reviewing and commenting on a draft of a new ethics policy created by the company
Reviewing and commenting on a draft of a new ethics policy created by the company