IIA-ACCA Sample Questions Answers

Internal auditor integrity enables stakeholders to constantly question the work of the internal audit activity.

Internal auditor integrity enables the internal auditor to avoid being challenged by any party in the organization.

Internal auditor integrity enables the internal audit activity to be able to demonstrate independence.

Internal auditor integrity enables users of internal auditors' work to make important business decisions.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Recommend additional segregation-of-duty reviews.

Recommend appropriate awareness training for all finance department staff.

Recommend rotating finance staff in this area.

Recommend that management address these concerns immediately.

Verify that amounts are correct.

Verify that payments are on time.

Verify that recipients are valid employees.

Verify that benefits deductions are accurate.

Consult on project design and implementation of the CSR program.

Serve as an advisor on internal controls related to CSR.

Identify and prioritize the CSR issues that are important to the organization.

Evaluate the effectiveness of the organization's CSR efforts.

That do not have to be repaid for over one year.

That appear to be too risky for most lenders to consider.

Granted on the basis of a company's credit standing.

Backed by mortgaged assets.

1 and 2 only

2 and 3 only

1, 2, and 3 only

1, 2, 3, and 4

1 and 2

1 and 3 only

2 and 4

1, 3, and 4

1 and 2

1 and 4

2 and 3

3 and 4

1 and 3

1 and 4

2 and 3

2 and 4

CSA allows management to have input into the audit plan.

CSA allows process owners to identify, evaluate, and recommend improving control deficiencies.

CSA can improve the control environment.

CSA increases control consciousness.

The audit supervisor should include the new contracts in the finding for the final audit report.

The audit supervisor should communicate the finding to the supervisor of the sales manager through an interim report.

The audit supervisor should remind the sales manager of his authority limit for the contracts under negotiation.

The auditor should not reference the new contracts, because they are not yet signed and therefore cannot be included in the final report.

The internal audit risk assessment and audit plan for the next fiscal year.

The internal audit budget and resource plan for the coming fiscal year.

A request for an increase of the CAE's salary for the next fiscal year.

The evaluation and compensation of the internal audit team.

1 and 2 only

1 and 3 only

2 and 3 only

1, 2, and 3

Testing controls where operating procedures vary.

Testing controls in decentralized offices.

Testing controls in high risk areas.

Testing controls in areas with high control failure rates.

The complexity of deficiency findings.

The adequacy of preliminary survey information.

The organization and content of workpapers.

The method and amount of supporting detail used for the audit report.

1 and 2

1 and 4

2 and 3

3 and 4

Having no active role or involvement in the risk management process.

Auditing the risk management process for reasonableness.

Coordinating and managing the risk management process.

Participating with management in identifying and evaluating risks.

Risks are discussed with audit client.

All available information from the risk-based plan is used.

Client efforts to affect risk management are considered.

Prior risk assessments are considered.

Reversing all previous closing adjustments is a mandatory step in the accounting cycle

Reversing entries should be completed at the end of the next accounting period after recording regular transactions of the period

Reversing entries are identical to the adjusting entries made in the previous period.

Reversing entries are the exact opposite of the adjustments made in the previous period.

Determining the trends that will influence key factors in the organization's environment.

Selecting the issue or decision that will impact how the organization conducts future business.

Selecting leading indicators to alert the organization of future developments.

Identifying how customers, suppliers, competitors, employees, and other stakeholders will react.

The lack of legal and industry frameworks on privacy.

The absence of generally accepted privacy principles.

The rapid growth and evolution of technology.

The legislated need to retain sensitive personal information.

Assert whether the described and reported control processes and systems exist.

Assess whether senior management adequately supports and promotes the internal control culture described in the report.

Evaluate the completeness of the report and management's responses to identified deficiencies.

Determine whether management's operating style and the philosophy described in the report reflect the effective functioning of internal controls.

Assess the status of corrective action during a follow-up audit engagement after the action plan has been completed.

Assess the effectiveness of corrections by reviewing statistics related to unplanned system outages, and denials of service.

Reassign information systems auditors to assist in implementing management's action plan.

Evaluate the ability of the action plan to correct the weaknesses and monitor key dates and deliverables.

It minimizes the amount of time spent and cost incurred to gather the necessary information.

Responses can be confidential, thus encouraging participants to be candid expressing their concerns.

Workshops do not require extensive facilitation skills and are therefore ideal for nonauditors.

Workshop participants have an opportunity to learn while contributing ideas toward the objectives.

Operational management, because they are responsible for the day-to-day management of the operational risks.

The CRO, because he is responsible for coordinating and project managing risk activities based on his specialized skills and knowledge.

The chief audit executive, although he is not accountable for risk management in the organization.

The CEO, because he has ultimate responsibility for ensuring that risks are managed within the agreed tolerance limits set by the board.

The last available risk assessment.

Requests from senior management and the board.

The longest interval since the last examination of each audit universe item.

The auditable areas required by regulatory agencies.

Informal, soft controls are omitted, and greater focus is placed on hard controls.

The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

Internal auditors become involved in and knowledgeable about the self-assessment process.

Nonaudit employees become experienced in assessing controls and associating control processes with managing risks.

The number, experience, and availability of audit staff as well as the nature, complexity, and time constraints of the engagement.

The appropriateness and sufficiency of resources and the ability to coordinate with external auditors.

The number, proficiency, experience, and availability of audit staff as well as the ability to coordinate with external auditors.

The appropriateness and sufficiency of resources as well as the nature, complexity, and time constraints of the engagement.

Express an opinion on the participants' inputs and conclusions as the assessment progresses.

Provide appropriate techniques and guidelines on how the exercise should be undertaken.

Evaluate and report on all issues that may be uncovered during the exercise.

Screen and vet participants so that the most appropriate candidates are selected to participate in the exercise.

The audit committee of the board.

The environmental, health, and safety manager.

The organization's external environmental lawyers.

The organization's insurance department.

Internal auditors should obtain 80 hours of continuing professional education every two years, 20 of which should be audit-related, and the remainder may be operations-related.

Internal auditors should rotate to other areas of the organization for nonaudit assignments to gain an understanding of the organization's operations.

Internal auditors should have direct and unrestricted access to personnel and information throughout the organization and the governing board.

Internal auditors should undergo annual performance appraisals conducted by the chief audit executive, who reports administratively to the chief financial officer.

Customers, innovation, growth, and internal processes.

Business objectives, critical success factors, innovation, and growth.

Customers, support, critical success factors, and learning.

Financial measures, learning and growth, customers, and internal processes.

The accounts payable supervisor, accounts payable manager, and controller.

The accounts payable manager, purchasing manager, and receiving manager.

The accounts payable supervisor, controller, and treasurer.

The accounts payable manager, chief financial officer, and audit committee.

Acts that may endanger the health or safety of individuals.

Acts that favor one party to the detriment of another.

Acts that damage or have an adverse effect on the environment.

Acts that conceal inappropriate activities in the organization.

1 and 4 only

2 and 3 only

3 and 4 only

1, 2, and 4 only

Conduct anti-fraud training.

Perform background investigations.

Implement process controls.

Activate a whistleblower hotline.

1 and 2 only.

2 and 3.

3 and 4.

1,2, and 4.

Identify and manage risks in line with the organization's risk appetite.

Ensure that a proper and effective risk management process exists.

Attain an adequate understanding of the organization's key risk mitigation strategies.

Identify and ensure that appropriate controls exist to mitigate risks.

The review should focus on the efficiency of the controls in place to prevent fraud.

The scope of the review does not need to include all operating areas of the organization.

The cost of the control should be compared to the benefit of mitigating the related risk.

The review should assess whether the internal controls can be circumvented.

Analytical procedures.

Detail testing.

Test of design.

Test of control.

Strategic plans reflect the organization's business objectives and overall attitude toward risk.

Strategic plans are helpful to identify major areas of activity, which may direct the allocation of internal audit activity resources.

Strategic plans are likely to show areas of weak financial controls.

The strategic plan is a relatively stable document on which to base audit planning.

Communication of any internal ethics violations to external parties may occur with appropriate safeguards.

Cultural impacts are less critical where the organization practices uniform polices around the globe.

Cross-cultural differences should always be handled by the staff of the same cultural background.

Local law enforcement should be involved as they are more familiar with the applicable local laws.

Refuse to accept the consulting engagement because it would be a violation of independence.

Collaborate with the external auditor to ensure the most efficient use of resources.

Accept the engagement but hire an external training specialist to provide the necessary expertise.

Accept the engagement even if the audit engagement staff was previously responsible for operational areas being trained.

The observation was made during the same audit, and the action plan has a common owner.

The observation relates to the same control activity within a common process.

The observation has a common control, and it was noted in a prior audit.

The observation has a common process, and the action plan for the observation has a common owner.

1 and 2 only

2 and 4 only

1, 2, and 4

2, 3, and 4

Evaluate and verify management's response, and determine the need and scope for additional work.

Evaluate and verify management's response, and establish timelines for corrective action by management.

Oversee the corrective actions undertaken by management, and determine the need and scope for additional work.

Oversee the corrective actions undertaken by management, and establish timelines for corrective action by management.

Management disagrees with the report findings and conclusions in their responses.

Management has already satisfactorily completed the recommended corrective action.

Management has provided additional information that contradicts the findings.

Management believes that the finding is insignificant and unfairly included in the report.

The amount of experience the auditors have conducting audits in the specific area of the organization.

The availability of the auditors in relation to the availability of key client staff.

Whether the budgeted hours are sufficient to complete the audit within the current scope.

Whether outside resources will be needed, and their availability.

1 and 3

1 and 4

2 and 3

2 and 4

Independently evaluating conflicts of interests.

Assessing contracts for relevant terms and conditions.

Performing statistical analysis for data anomalies.

Preparing evidentiary documentation.

Conduct a joint brainstorming session with management.

Ask the chief audit executive to mediate.

Disclose the client's differing opinion in the final report.

Escalate the issue to senior management for a decision.

A review of password policy compliance found that employees frequently use the same password more than once during a year. The IAA recommends that the access control software reject any password used more than once during a 12-month period.

A review of internal service-level agreement compliance in financial services found that requests for information frequently are fulfilled up to two weeks late. The IAA recommends that the financial services unit be eliminated for its ineffectiveness.

A vacation policy compliance review found that employees frequently leave on vacation before their leave applications are signed by their manager. The IAA recommends that the manager attend to the leave applications in a more timely fashion.

A review of customer service-level agreements found that orders to several customers are frequently delivered late. The IAA recommends that the organization extend the expected delivery time advertised on its website.

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

Report follow-up activities to senior management.

Implement follow-up procedures to evaluate residual risk.

Determine the costs of implementing the recommendations.

Evaluate the extent of improvements.

It is best to determine planning activities on a case-by-case basis because they can vary widely from engagement to engagement.

If the engagement subject matter is not unique, it is not necessary to outline specific testing procedures during the planning phase.

The engagement plan includes the expected distribution of the audit results, which should be kept confidential until the audit report is final.

Engagement planning activities include setting engagement objectives that align with audit client's business objectives.

The CAE has no role to play, because the chief health and safety officer reports to a senior executive.

The CAE should coordinate with, and review the work of, the chief health and safety officer to gain an understanding of whether risks related to health and safety are managed properly.

The CAE should give periodic reports directly to the regulator regarding health and safety issues, as it is the appropriate regulatory oversight body.

The CAE should hire an independent external specialist to conduct an annual assessment and provide assurance over the effectiveness of the health and safety program and the reliability of its reports.

Manage and coordinate risk management processes.

Audit risk management processes.

Become involved in risk oversight committees, monitoring activities, and status reporting.

Accept management's responsibility for risk management without board approval.

The CAE can release prior internal audit reports with the approval of the board and senior management.

The CAE can employ judgment and release prior audit results as they deem appropriate and necessary.

The CAE can only release prior information outside the organization when mandated by legal or statutory requirements.

The CAE can release prior information provided it is as originally published and distributed within the organization.

The organization's audit universe is extensive and diverse.

There has been an increase in unanticipated requests for advisory work.

Previous work provided by the external service provider has been of great quality and value.

A recent benchmarking study found that using external service providers is a common practice of similarly-sized IAAs in other organizations.

All assurance engagement observations should be communicated to the audit committee.

All assurance engagement observations should be included in the main section of the engagement communication.

During the "communicate" phase of an assurance engagement, it is best to define the methods and timing of engagement communications.

A detailed escalation process should be developed during the planning stage of an assurance engagement.

Cost.

Independence.

Familiarity.

Flexibility.

Coach management in responding to risks.

Develop risk management strategies for board approval.

Facilitate identification and evaluation of risks.

Evaluate risk management processes.

Were audit findings relevant and useful to management?

Does the audit report format present issues clearly and concisely?

Does the IAA work with a high degree of professionalism and objectivity?

Were the findings reported in a timely manner?

1 and 3 only

2 and 4 only

1, 3, and 4 only

1, 2, 3, and 4

The matter does not need to be reported, because the noncompliant findings fall within the acceptable tolerance limit.

The deviations are within the acceptable tolerance limit, so the matter only needs to be reported to the information security manager.

The incidents of noncompliance fall outside the acceptable tolerance limit and require immediate corrective action, as opposed to reporting.

The incidents of noncompliance exceed the tolerance level and should be included in the final engagement report.

Require the approval of additions and changes to the vendor master listing, where the inherent risk of false vendors is high.

Monitor amounts paid each period and compare them to the budget to identify potential issues.

Compare employee addresses to vendor addresses to identify potential employee fraud.

Monitor customer quality complaints compared to the prior period to identify vendor issues.

Scheme.

Opportunity.

Rationalization.

Pressure.

Improper segregation of duties.

Incentives and bonus programs.

An employee's reported concerns.

Lack of an ethics policy.

Variability tolerance.

Ratio estimation.

Stratification.

Acceptance sampling.

The residual risk is lower than or equal to the risk appetite.

The residual risk is higher than or equal to the risk appetite.

The inherent risk is lower than or equal to the risk tolerance.

The inherent risk is higher than or equal to the risk tolerance.

Negotiation and conflict resolution.

Project management.

Financial accounting.

Ethics and fraud.

Control activities.

Information and communication.

Commitment.

Control environment.

Assurance services for outside clients are not covered under the internal audit charter.

Assurance services for outside clients must be approved on a case-by-case basis by the board of directors.

The nature of assurance services for outside clients should be defined in the internal audit charter.

The nature of assurance services for outside clients is the same as for internal clients.

Requiring employees to attend ethics training.

Performing background checks on employees.

Implementing a control self-assessment.

Performing a surprise audit.

4 only

1 and 3 only

1 and 4 only

2, 3, and 4 only

1 and 2.

1 and 3.

2 and 4.

3 and 4.

1 and 2.

1 and 4.

2 and 3.

2 and 4.

Invest in marketing.

Invest in research and development.

Control costs.

Shift toward mass production.

1 and 3.

1 and 4.

2 and 3.

2 and 4.

Sort on product identification code and identify missing product identification codes.

Review store identification code and identify missing product identification codes.

Compare product identification codes for consecutive periods.

Compare product identification codes by store for consecutive periods.

Review and acquire the external audit service.

Assess the appraisal and actuarial services.

Determine the selection criteria.

Identify regulatory requirements to be considered.

Full cost

Full cost plus a markup.

Market price of the product

Variable cost plus a markup

Borrowers may not sign all required mortgage loan documentation.

Fees paid by the borrower at the time of the loan may not be deposited in a timely manner.

The bank's loan documentation may not meet the government's disclosure requirements.

Loan officers may override the lending criteria established by senior management.

1 and 2

1 and 3

2 and 4

3 and 4

The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.

The highest risk assessment should always be assigned to the area with the largest potential loss.

The highest risk assessment should always be assigned to the area with the highest probability of occurrence.

Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.

Cutbacks in preventive maintenance.

An inadequately trained and supervised labor force.

A large number of rush orders.

Production of more units than planned for in the master budget.

High-yield bonds.

Commodity-backed bonds.

Zero coupon bonds.

Junk bonds.

Priority over common stock with regard to dilution of shares.

Priority over common stock with regard to earnings.

Priority over common stock with regard to dividend payment.

Priority over common stock with regard to assets.

The financial interest the service provider may have in the organization.

The relationship the service provider may have had with the organization or the activities being reviewed.

Compensation or other incentives that may be applicable to the service provider.

The service provider's experience in the type of work being considered.

Degree of effort and cost needed to correct the reported condition.

Complexity of the corrective action.

Impact that may result should the corrective action fail.

Amount of resources required to conduct the follow-up activities.

Proceed with the audit engagement, but do not include the relative's information.

Have the chief audit executive and management determine whether the auditor should continue with the audit engagement.

Disclose in the engagement final communication that the relative is a customer.

Immediately withdraw from the audit engagement.

Maintaining industry-specific knowledge appropriate to the organization.

Assessing how IT contributes to organization objectives, risks, and relevance to audit.

Maintaining technical aspects of accounting standards and reporting processes.

Understanding regulatory and legal framework and assessing its relevance.

Statistical sampling only

Nonstatistical sampling only

A combination of both statistical and nonstatistical sampling.

Neither approach to testing the audit theory would be cost effective.

Managers who have been with the organization for several decades become aware that newly hired, younger managers are being moved more quickly into senior positions.

The controller at a nationwide manufacturing company recently opted to no longer require two-week mandatory vacations for accounting staff.

Security cameras that monitor cash handling at the register are not functioning.

The organization is slowly phasing out three mature products that produce the highest commissions for the sales staff.

The CAE's work may be reviewed by any other experienced staff member within the IAA.

The CAE's work should be reviewed by an individual with the appropriate background and knowledge.

The CAE may self-review his work, provided he discloses this practice in the final report.

The CAE should avoid performing engagements to ensure he is able to review all audit work objectively.

$11, 250

$25, 000

$33, 750

$45, 000

Pressure or incentive.

Opportunity.

Rationalization.

Commitment.

The chief audit executive (CAE) should review all work performed by the auditor during her temporary assignment to ensure no impairments.

The CAE may conduct audits in the purchasing department during the auditor's temporary assignment.

The auditor should obtain the CAE's approval as to the nature and scope of the duties she is permitted to perform during her temporary assignment.

Any work performed by the auditor during her temporary assignment must conform to the internal audit charter.

Working conditions.

Employees' families.

Marketplace competition.

Shareholders and investors.

1 and 2.

1 and 3.

2 and 3.

3 and 4.

The assigned internal auditor must determine the objectives, scope, and techniques of the engagement.

The CAE must personally obtain the needed skills, knowledge, or other competencies if the internal auditor does not have them.

The assigned internal auditor must not assume management responsibilities while performing the engagement.

The assigned internal auditor must maintain objectivity while performing the engagement.

Assessing the risk factors.

Aligning risk appetite and strategy.

Enhancing risk response decisions.

Reducing operational surprises and losses.

Coordinate and facilitate risk workshops for management to attend.

Establish the degree of risk appetite for management to accept.

Set risk indicators and mitigation plans for management to implement.

Determine the number of significant risks for management to report to the board.

Continuously monitor the organization's overall risk activities in relation to its risk appetite.

Evaluate the adequacy and effectiveness of the organization's governance activities.

Oversee the establishment and administration of an effective risk management program.

Assist management in implementing recommended control improvements.

When planning assurance and consulting engagements, internal auditors must consider the strategies and objectives of the activity being reviewed.

Internal auditors determine the engagement objectives, scope, and work program for both assurance and consulting services.

Internal auditors must not provide assurance or consulting services for an activity for which they had responsibility within the previous year.

Both assurance and consulting services generally involve the internal auditor, the area under review, senior management, and the board.

The CAE would need to procure external services to deliver the internal audit assurance program.

There is no expertise within the internal audit team for detecting and investigating fraud.

There is no expertise within the internal audit team for auditing an IT engagement.

There is no available expertise on the internal audit team to perform a consulting engagement.

Senior management.

Internal audit activity.

All employees.

Board of directors.

Maintaining custody of inventory records.

Collecting payments on accounts.

Approving changes to employee records.

Preparing customer statements.

An internal auditor evaluates the significant risks arising from a consulting engagement.

An internal auditor declares that he would have a conflict of interest in providing planned audit support.

An internal auditor has been given sufficient authority to access documents needed to make an appraisal of an issue.

An internal auditor uses technology-based audit techniques to ensure that all significant risks are identified.

An internal auditor reviews a purchasing agent's contract drafts prior to their execution.

An internal auditor reduces the scope of an audit engagement due to budget restrictions.

An internal auditor receives a promotional gift that is available to the organization's employees.

An internal auditor performs an assessment of the operations for which he was recently responsible.

From sharing to reduction.

From acceptance to reduction.

From sharing to avoidance.

From acceptance to avoidance.

To help the internal audit activity complete its annual assurance plan.

To identify inefficiencies within the internal audit team.

To help improve the overall quality of the internal audit activity's work.

To identify key risks and areas of concern within the organization.

Usage of IT system policy.

Risk management framework.

Acceptance of gifts policy.

Personal responsibility policy.

Management will be able to reduce inherent risk because they will have a better understanding of risk.

Internal auditors will be able to reduce their sample sizes because controls will be more consistent.

Stakeholders will have more assurance that the risks are assessed consistently.

Decision makers will understand that the likelihood of missing or ineffective controls will be reduced.

Postpone the audit until the CAE hires internal audit staff with the required knowledge.

Ask the audit committee to decide the course of action.

Select the most experienced auditors in the department to perform the engagement.

Hire consultants who possess the required knowledge to perform the engagement.

Quality assessments and cultural biases of the internal audit activity.

Rotational assignments and familiarity of the internal audit activity.

Employee incentives and self review of the internal audit activity.

Organizational positioning and scope control of the internal audit activity.

The internal audit activity has to ensure team members' objectivity is not impaired.

Auditors cannot participate in an assurance engagement of a function for which they previously performed a consulting engagement.

The scope and objective of the engagement is agreed upon based on the engagement client's needs.

The internal audit activity must ensure management actions have been implemented effectively or risk accepted.

The minimum resources and competencies needed for the internal audit activity.

Identification of the organizational units where engagements are to be performed.

Organizational relationships and reporting lines.

Assigned responsibilities for designing and implementing controls.

Manage and support a quality assurance and improvement program.

Maintain industry-specific knowledge appropriate to the audit engagements

Set clear performance standards for internal auditors and the internal audit activity.

Apply problem-solving techniques for routine situations.

The bottom of the pyramid responsibility.

Innovative responsibility.

Ethical responsibility.

Discretionary responsibility.

An employee includes a faked receipt in his expense claim, and the claim is signed by the employee's manager.

A vendor inflates the price of an item and remits a portion of the excess to the purchasing manager.

A vendor sends a duplicate invoice with a new invoice number, and the accounts payable system fails to detect the duplication.

An employee works with the IT manager to develop a program for identifying duplicate invoice payments.

Establish and provide continuing assurance on an anti-money laundering program for new hires.

Survey employees for their understanding of anti-money laundering practices.

Provide assurance for the effectiveness of anti-money laundering training.

Assess the risk of being fined for ineffective anti-money laundering practices.

1 and 2 only

3 and 4 only

1, 2, and 4 only

1, 2, 3, and 4

Vendor invoice payment requests are accompanied by a purchase order and receiving report.

Purchase orders are typed by the purchasing department using prenumbered forms.

Buyers promptly update the official vendor listing as new supplier sources become known.

Department managers initiate purchase requests that must be approved by the plant superintendent.

1 and 2.

1 and 4.

2 and 3.

3 and 4.

During facilitated workshops, people more openly say things to internal auditors than during private interviews.

Internal auditors do not need other sources of information, as the data gathered during facilitated workshops is sufficient.

Facilitated workshops create a synergy of discussion that can bring multiple perspectives to the same issue.

The testimonial evidence obtained during facilitated workshops is generally considered more reliable.

Objective setting.

Control activities.

Information and communication.

Event identification.

Management principles.

Computerized information systems.

Internal audit standards, procedures, and techniques.

Fundamentals of accounting, economics, and finance.

1 and 4 only.

3 and 4 only.

2, 3, and 4 only.

1,2, 3, and 4.

Segregation of duties.

Exception reports.

Incentive compensation plans.

Automated reconciliations.

Attending annual professional conferences and seminars.

Participating in on-the-job training in various departments of the organization.

Pursuing as many professional certifications as possible.

Maintaining membership in The HA and similar professional organizations and subscribing to relevant email updates or news feeds.

Internal auditors shall continually improve their proficiency and effectiveness and quality of their services.

Internal auditors shall respect and contribute to legitimate and ethical objectives of the organization.

Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.

Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.

Comprehensive supervisory and verification procedures.

A well-designed system of internal controls.

A culture of integrity and transparency.

Unique operating environments with varying complexity.

Independently evaluate the skills and experience of potential chief information officer candidates to assess the best fit based on the organization's risk appetite.

Evaluate the organization's governance standards and assess IT-related activities to identify gaps and develop policies, ensuring alignment with the organization's risk appetite.

Assist management in interpreting complex IT-related privacy and security risk exposures and evaluating potential mitigation strategies.

Assess whether governance activities are aligned with the organization's risk appetite and take into consideration emerging risks.

1 and 2 only

1 and 3 only

2 and 3 only

1, 2, and 3

Predictive analytics

Prescriptive analytics

Descriptive analytics

Diagnostic analytics

Application control.

IT general control

Data input control

Data output control

A zero-based budget provides estimates of costs that would be incurred under different levels of activity.

A zero-based budget maintains focus on the budgeting process.

A zero-based budget is prepared each year and requires each item of expenditure to be justified.

A zero-based budget uses input from lower-level and middle-level managers to formulate budget plans.

A higher initial investment level.

A higher discount rate.

Cash inflows that are larger in the later years of the life of the project.

Cash inflows that are larger in the earlier years of the life of the project.

1 and 3 only

2 and 4 only

1, 2, and 4 only

1, 2, 3, and 4

Verify whether the organization uses the most recent database software version

Verify whether the database software version is supported by the vendor.

Verify whether the database software version has been recently upgraded

Verify whether access to database version information is appropriately restricted

Management assurance on risks.

Implementing risk responses on behalf of management.

Providing assurance that risks assessed are correctly evaluated.

Setting the risk appetite.

Backup servers in the data center are stored in an environmentally controlled location

All users have a unique ID and password to access data

Swipe cards are used to access the data center

Firewalls and antivirus protection are in place to prevent unauthorized access to data.

Lack of flexibility.

Incompatibility with client/server technology.

Employee resistance to change.

Inadequate technical support.

Standardization.

Global marketing.

Limited exporting.

Domestic marketing.

1 and 3

1 and 4

2 and 3

2 and 4

A multinational company has stockholders in other countries.

A multinational company exports its products to other countries.

A multinational company operates outside of its country of origin.

A multinational company uses raw materials and components from more than one country.

Electronic funds transfer.

Knowledge-based systems.

Biometrics.

Standardized graphical user interface.

Risk acceptance.

Risk sharing.

Risk avoidance.

Risk reduction.

Performing a system audit.

Making system changes.

Testing policy compliance.

Conducting system monitoring.

The business continuity management charter.

The business continuity risk assessment plan

The business impact analysis plan

The business case for business continuity planning

$170,000

$280,000

$300,000

$540,000

The Committee of Sponsoring Organizations of the Treadway Commission.

The Board of Environmental, Health, and Safety Auditor Certifications.

The International Organization of Supreme Audit Institutions.

The International Standards Organization.

Increase shareholder value.

Maximize market share.

Improve operational efficiency.

Mitigate losses.

Standards used for evaluation and control are determined at local subsidiaries, not set by headquarters.

Orders, commands and advice are sent to the subsidiaries from headquarters.

People of local nationality are developed for the best positions within their own country

There is a significant amount of collaboration between headquarters and subsidiaries.

Empathetic listening.

Reframing.

Reflective listening.

Dialogue.

Lower annual unit sales.

Higher fixed inventory ordering costs.

Higher annual carrying costs as a percentage of inventory value.

A higher purchase price per unit of inventory.

Observation.

Inspection.

Original cost.

Vouching.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

$350,000

$500,000

$850,000

$1,200,000

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

Export strategy

Transnational strategy.

Multi-domestic strategy

Globalization strategy.

The organization should review the skill requirements and ensure that the service provider is maintaining sufficient expertise and retaining skilled resources.

The organization should proactively monitor the performance of the service provider, escalate concerns, and use penalty clauses in the contract where necessary.

The organization should ensure that there is a clear management communication strategy and path for evaluating and reporting on all outsourced services concerns.

The organization should work with the service provider to review the current agreement and expectations relating to objectives, processes, and overall performance.

Ensuring that payments to the vendor are appropriate and timely for the services delivered.

Ensuring that the vendor has complete management control of the outsourced process.

Ensuring that there are means of monitoring the efficiency of the outsourced process.

Ensuring that there are means of monitoring the effectiveness of the outsourced process.

Forming stage.

Performing stage.

Norming stage.

Storming stage.

Ensuring that the other party has a personal stake in the agreement.

Focusing on interests rather than on obtaining a winning position.

Considering a few select choices during the settlement phase.

Basing the agreement on negotiating power and positioning leverage.

A transmission control protocol/Internet protocol (TCP/IP).

An operating system.

A web browser.

A web server.

Report identifying data that is outside of system parameters

Report identifying general ledger transactions by time and individual

Report comparing processing results with original input

Report confirming that the general ledger data was processed without error.

Prestige

Small size.

Competition

Common threat

Use an aging schedule to more closely estimate uncollectible accounts.

Eliminate the need for an allowance for doubtful accounts.

Emphasize the accuracy of the net realizable value of the receivables on the balance sheet.

Use a method that approximates the matching principle.

Lost sales, lost customers, and backorder.

Lost sales, safety stock, and backorder.

Lost customers, safety stock, and backorder.

Lost sales, lost customers, and safety stock.

Each party's negotiator presents a menu of options to the other party.

Each party adopts one initial position from which to start.

Each negotiator minimizes the information provided to the other party.

Each negotiator starts with an offer, which is optimal from the negotiator's perspective.

Globally accepted standards for industries and processes.

Bridging the gaps among control requirements, technical issues, and business risks.

Practical guidance and benchmarks for all organizations that use information systems.

Frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

The risk that users try to bypass controls and do not install required software updates.

The risk that smart devices can be lost or stolen due to their mobile nature.

The risk that an organization intrusively monitors personal information stored on smart devices.

The risk that proprietary information is not deleted from the device when an employee leaves.

Exception report identifying payment anomalies.

Documented policy and procedures.

Periodic account reconciliation of contractor charges.

Monthly management review of all contractor activity.