IIA-ACCA Questions and Answers

Manage and coordinate risk management processes.

Audit risk management processes.

Become involved in risk oversight committees, monitoring activities, and status reporting.

Accept management's responsibility for risk management without board approval.

1 only

4 only

1 and 3

2 and 4

Management disagrees with the report findings and conclusions in their responses.

Management has already satisfactorily completed the recommended corrective action.

Management has provided additional information that contradicts the findings.

Management believes that the finding is insignificant and unfairly included in the report.

Recommend additional segregation-of-duty reviews.

Recommend appropriate awareness training for all finance department staff.

Recommend rotating finance staff in this area.

Recommend that management address these concerns immediately.

The minimum resources and competencies needed for the internal audit activity.

Identification of the organizational units where engagements are to be performed.

Organizational relationships and reporting lines.

Assigned responsibilities for designing and implementing controls.

Automatic shut-off valve.

Auto-correct software functionality.

Confirmation with suppliers and vendors.

Safety instructions.

The complexity of deficiency findings.

The adequacy of preliminary survey information.

The organization and content of workpapers.

The method and amount of supporting detail used for the audit report.

Coach management in responding to risks.

Develop risk management strategies for board approval.

Facilitate identification and evaluation of risks.

Evaluate risk management processes.

Require the approval of additions and changes to the vendor master listing, where the inherent risk of false vendors is high.

Monitor amounts paid each period and compare them to the budget to identify potential issues.

Compare employee addresses to vendor addresses to identify potential employee fraud.

Monitor customer quality complaints compared to the prior period to identify vendor issues.

Informal, soft controls are omitted, and greater focus is placed on hard controls.

The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

Internal auditors become involved in and knowledgeable about the self-assessment process.

Nonaudit employees become experienced in assessing controls and associating control processes with managing risks.

The review should focus on the efficiency of the controls in place to prevent fraud.

The scope of the review does not need to include all operating areas of the organization.

The cost of the control should be compared to the benefit of mitigating the related risk.

The review should assess whether the internal controls can be circumvented.

CSA allows management to have input into the audit plan.

CSA allows process owners to identify, evaluate, and recommend improving control deficiencies.

CSA can improve the control environment.

CSA increases control consciousness.

Strategic plans reflect the organization's business objectives and overall attitude toward risk.

Strategic plans are helpful to identify major areas of activity, which may direct the allocation of internal audit activity resources.

Strategic plans are likely to show areas of weak financial controls.

The strategic plan is a relatively stable document on which to base audit planning.

All assurance engagement observations should be communicated to the audit committee.

All assurance engagement observations should be included in the main section of the engagement communication.

During the "communicate" phase of an assurance engagement, it is best to define the methods and timing of engagement communications.

A detailed escalation process should be developed during the planning stage of an assurance engagement.

Evaluate and verify management's response, and determine the need and scope for additional work.

Evaluate and verify management's response, and establish timelines for corrective action by management.

Oversee the corrective actions undertaken by management, and determine the need and scope for additional work.

Oversee the corrective actions undertaken by management, and establish timelines for corrective action by management.

To help develop process maps.

To determine segregation of duties.

To identify residual risks.

To test the adequacy of controls.

1 and 2 only

3 and 4 only

1, 2, and 4

1, 3, and 4

Scheme.

Opportunity.

Rationalization.

Pressure.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Maintaining industry-specific knowledge appropriate to the organization.

Assessing how IT contributes to organization objectives, risks, and relevance to audit.

Maintaining technical aspects of accounting standards and reporting processes.

Understanding regulatory and legal framework and assessing its relevance.

Organizational independence.

Professional objectivity.

Due professional care.

Individual proficiency.

1.2, and 3.

1,2, and 4.

1.3, and 4.

2. 3, and 4.

1 and 3 only

2 and 4 only

1, 3, and 4 only

1, 2, 3, and 4

Customers, innovation, growth, and internal processes.

Business objectives, critical success factors, innovation, and growth.

Customers, support, critical success factors, and learning.

Financial measures, learning and growth, customers, and internal processes.

Audit client management only

Executive management only

Audit client management, executive management, and others approved by the chief audit executive.

Audit client management, executive management, and any those who request a copy.

Fraudulent statements.

Bribery.

Misappropriation of assets.

Corruption.

1 and 2 only

3 and 4 only

1, 2, and 4 only

1, 2, 3, and 4

Pressure or incentive.

Opportunity.

Rationalization.

Commitment.

The internal audit activity has to ensure team members' objectivity is not impaired.

Auditors cannot participate in an assurance engagement of a function for which they previously performed a consulting engagement.

The scope and objective of the engagement is agreed upon based on the engagement client's needs.

The internal audit activity must ensure management actions have been implemented effectively or risk accepted.

1 and 2 only.

2 and 3.

3 and 4.

1,2, and 4.

Globally accepted standards for industries and processes.

Bridging the gaps among control requirements, technical issues, and business risks.

Practical guidance and benchmarks for all organizations that use information systems.

Frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Disclose the information in a separate report.

Distribute the information in a confidential report to the board only

Distribute the reports through the use of blind copies.

Exclude the results from the report and verbally report the conditions to senior management and the board.

Preparing the financial statements for the company's defined contribution plan.

Performing a pre-implementation review of the company's payroll application.

Providing the COBIT framework as a possible IT management tool.

Reviewing the company's policy for foreign currency translation adjustments for compliance with accounting standards.

A monitoring process.

A risk assessment process.

A strategic objective-setting process.

An information and communication process.

Risk avoidance.

Risk-benefit analysis.

Risk sharing.

Risk acceptance.

1 and 2

2 and 4

1, 2, and 3

2, 3, and 4

The financial interest the service provider may have in the organization.

The relationship the service provider may have had with the organization or the activities being reviewed.

Compensation or other incentives that may be applicable to the service provider.

The service provider's experience in the type of work being considered.

The corporate risk register.

The strategic plan.

Internal and external audit reports.

The board's meeting records.

Senior management is charged with overseeing the establishment risk management and control processes.

The chief audit executive is responsible for overseeing the evaluation risk management and control processes.

Operating managers are responsible for assessing risks and controls in their departments.

Internal auditors provide assurance about risk management and control process effectiveness.

1 2. and 3 only.

1. 2 and 4 only

1, 3. and 4 only.

1,2. 3, and 4

Forming stage.

Performing stage.

Norming stage.

Storming stage.

Report identifying data that is outside of system parameters

Report identifying general ledger transactions by time and individual

Report comparing processing results with original input

Report confirming that the general ledger data was processed without error.

Initiation stage

Bidding stage

Development stage

Negotiation stage

Star network.

Bus network.

Token ring network.

Mesh network.

Established strategy of players.

Low number of new firms.

High unit costs.

Technical expertise.

The CAE's work may be reviewed by any other experienced staff member within the IAA.

The CAE's work should be reviewed by an individual with the appropriate background and knowledge.

The CAE may self-review his work, provided he discloses this practice in the final report.

The CAE should avoid performing engagements to ensure he is able to review all audit work objectively.

Accepting a consulting request in the IT department without possessing the requisite experience.

Providing personal tax preparation services for a fee for several employees during the lunch hour.

Providing a friend with the marketing strategic plan, which she will use to prepare her university thesis.

Agreeing to reword an observation to avoid the client complaining directly to the auditor's supervisor.

An auditor conveys public information about an organization's financial condition.

An auditor reports a manager's illegal activity to senior management, rather than reporting the incident to the appropriate external authority.

An auditor receives allegations of fraud from a whistleblower and immediately reports the allegations to senior management.

An auditor reports material deficiencies, despite the fact that management is already aware of the defects.

Managers who have been with the organization for several decades become aware that newly hired, younger managers are being moved more quickly into senior positions.

The controller at a nationwide manufacturing company recently opted to no longer require two-week mandatory vacations for accounting staff.

Security cameras that monitor cash handling at the register are not functioning.

The organization is slowly phasing out three mature products that produce the highest commissions for the sales staff.

1 and 2.

1 and 3.

2 and 4.

3 and 4.

An internal auditor reports both functionally and administratively to the chief financial officer (CFO).

An internal auditor, who was an accounts receivable intern for the organization three years prior, performs an audit of the accounts receivable cycle.

According to policy, the internal auditor must obtain approval from the CFO prior to requesting information for internal audit purposes.

An internal auditor performs an audit in a department that is led by the auditor's close friend.

Fixed cost.

Variable cost.

Total maintenance cost.

Patient days.

Competent, corroborative evidence of future working capital requirements.

Sufficient, analytical evidence of the cash flow position at a given point of time in the future.

Competent, documentary evidence of future cash flow changes within the organization.

Sufficient, circumstantial evidence of the future solvency of the organization.

Establish and provide continuing assurance on an anti-money laundering program for new hires.

Survey employees for their understanding of anti-money laundering practices.

Provide assurance for the effectiveness of anti-money laundering training.

Assess the risk of being fined for ineffective anti-money laundering practices.

The human resources department generates a monthly list of terminated and transferred employees and requests IT to update the user access as required.

Standardized user access profiles are developed and the appropriate access profiles are automatically assigned to new or transferred employees.

System administrator rights are assigned to one user in each department who can update user access of terminated or transferred employees immediately.

Department managers are required to perform periodic user access reviews of relevant systems and applications.

Quality assessments and cultural biases of the internal audit activity.

Rotational assignments and familiarity of the internal audit activity.

Employee incentives and self review of the internal audit activity.

Organizational positioning and scope control of the internal audit activity.

An internal auditor evaluates the significant risks arising from a consulting engagement.

An internal auditor declares that he would have a conflict of interest in providing planned audit support.

An internal auditor has been given sufficient authority to access documents needed to make an appraisal of an issue.

An internal auditor uses technology-based audit techniques to ensure that all significant risks are identified.

1 and 2.

1 and 3.

2 and 3.

2 and 4.

Fraud open on the books.

Fraud hidden on the books.

Fraud off the books.

Fraud on the balance sheet.

The CAE would need to procure external services to deliver the internal audit assurance program.

There is no expertise within the internal audit team for detecting and investigating fraud.

There is no expertise within the internal audit team for auditing an IT engagement.

There is no available expertise on the internal audit team to perform a consulting engagement.

To enable Triple Bottom Line reporting capability.

To facilitate the conduct of risk assessment.

To achieve and maintain sustainable development.

To fulfill regulatory and compliance requirements.

An internal auditor assessed the effectiveness of controls over payroll software, which he had helped implement with a previous employer.

An internal auditor participated in an audit of controls around absenteeism, despite providing some consultation on controls in this area earlier in the year.

An internal auditor performed an assurance engagement for the effectiveness of accounts payable access controls, one of which he previously helped to design.

An internal auditor, previously employed in the quality assurance operations area, performed a consulting engagement for the operations manager.

1 and 4.

1 and 3.

2 and 3.

3 and 4.

Resisting both internal and external distractions.

Waiting to review key concepts until the speaker has finished talking.

Tuning out messages that do not seem to fit the meeting purpose.

Factoring in biases in order to evaluate the information being given.

1 and 2 only

2 and 3 only

1, 2, and 3 only

1, 2, 3, and 4

The business continuity management charter.

The business continuity risk assessment plan

The business impact analysis plan

The business case for business continuity planning

Limit the use of the employee devices for personal use to mitigate the risk of exposure to organizational data.

Ensure that relevant access to key applications is strictly controlled through an approval and review process

Institute detection and authentication controls for all devices used for network connectivity and data storage

Use management software to scan and then prompt patch reminders when devices connect to the network

Filtering.

Communication overload.

Similar frames of reference.

Lack of source credibility.

Standards, framework, and process.

Standards, assessments, and process.

Principles, framework, and process.

Principles, practices, and process.

It may reduce the flexibility to change partners.

It may not reduce the bargaining power of suppliers.

It may limit the organization's ability to differentiate the product.

It may lead to limited control of proprietary knowledge.

Change the contract so payment is based on the distances traveled by the contractor during collection.

Renegotiate a lump-sum contract when the contract is up for renewal

Assign a city employee to verify the number of bins emptied each day

Require that the contractor provide supervisory review of the number of bins emptied each day

Determining the cost of the product.

Developing pricing objectives.

Evaluating prices set by the competitors.

Selecting a pricing method.

Lack of awareness of the state of processing.

Increased cost and complexity of network traffic.

Interference of the mirrored data with the original source data.

Confusion about where customer data are stored.

Develop and test the organization's disaster recovery plan.

Install and test fire detection and suppression equipment.

Restrict access to tangible IT resources.

Ensure that at least one developer has access to both systems and operations.

Increasing complexity over time.

Interface with corporate systems.

Ability to meet user needs.

Hidden data columns or worksheets.

Second-mortgage financing from a bank.

An issue of commercial paper.

Pledged accounts receivable.

Asset-based financing.

Invest in marketing.

Invest in research and development.

Control costs.

Shift toward mass production.

Cost of sales and net income are understated

Cost of sales and net income are overstated

Cost of sales is understated and net income is overstated.

Cost of sales is overstated and net income is understated.

Voice recognition and token.

Password and fingerprint.

Fingerprint and voice recognition

Password and token

Interviewing the organization's employees.

Observing the organization's operations.

Reading the board's minutes.

Inspecting manuals and documents.

Key processes across the entity which impact quality must be identified and included.

The quality management system must be documented in the articles of incorporation, quality manual, procedures, work instructions, and records.

Management must review the quality policy, analyze data about quality management system performance, and assess opportunities for improvement and the need for change.

The entity must have processes for inspections, testing, measurement, analysis, and improvement.

Internally encrypted passwords

System access privileges.

Logon passwords

Protocol controls.

Sort on product identification code and identify missing product identification codes.

Review store identification code and identify missing product identification codes.

Compare product identification codes for consecutive periods.

Compare product identification codes by store for consecutive periods.

Specializing in proven manufacturing techniques that have made the organization profitable in the past.

Substituting its own production technology with advanced techniques used by its competitors.

Forgoing profits over a period of time to gain market share from its competitors.

Using the same branding to sell its products through new sales channels to target new markets.

Conform with all other parts of The IIA's Standards and provide appropriate disclosures.

Conform with all other parts of The IIA's Standards; there is no need to provide appropriate disclosures.

Continue the engagement without conforming with the other parts of The IIA's Standards.

Withdraw from the engagement.