IIA IIA-CIA-Part2 Practice Test - Questions Answers, Page 18
Question 171
Some time after the final audit report was issued, the engagement supervisor learned that several internal control deficiencies were not remedied, despite management's previous agreement to remedy them. According to IIA guidance, which of the following is the most appropriate response?
Explanation:
According to the International Standards for the Professional Practice of Internal Auditing, the CAE must be kept informed of significant issues and deficiencies that are not addressed by management. Standard 2600 - Communicating the Acceptance of Risks requires the CAE to report any situation where management has accepted a level of risk that may be unacceptable to the organization. If the engagement supervisor learns that agreed-upon remedial actions have not been implemented, the CAE needs to be notified to determine further steps, ensuring that risks are managed appropriately and in alignment with the organization's risk tolerance. This response aligns with the internal audit function's responsibility to follow up on management's corrective actions.
Reference: The IIA's International Standards for the Professional Practice of Internal Auditing, Standard 2600 - Communicating the Acceptance of Risks.
Question 172
The chief audit executive (CAE) should determine whether the internal audit activity has confirmed the status of all of management's corrective actions. Doing so would help the CAE assess which of the following?
Explanation:
When the CAE determines whether the internal audit activity has confirmed the status of all management's corrective actions, it helps in assessing residual risk. Residual risk is the risk that remains after management's actions to mitigate inherent risk. By confirming the status of corrective actions, the CAE can evaluate whether the risks identified during the audit have been adequately addressed and what level of risk still exists, ensuring that the internal control environment is effective and that management's risk responses are appropriate.
Reference: COSO's Enterprise Risk Management Framework and The IIA's International Standards for the Professional Practice of Internal Auditing.
Question 173
An internal audit activity is planning its first audit of IT shared services. Which of the following controls would typically be evaluated first?
Explanation:
When planning the first audit of IT shared services, it is typical to evaluate entity-level controls first. Entity-level controls are overarching controls that affect the entire organization and are foundational for ensuring that specific application and transaction controls operate effectively. These controls include the organization's governance, risk management processes, and the overall control environment. Assessing entity-level controls provides a broad understanding of the control environment and highlights any pervasive issues that might impact more detailed areas of the audit.
Reference: The IIA's Global Technology Audit Guide (GTAG) and COSO's Internal Control - Integrated Framework.
Question 174
To which of the following aspects should the chief audit executive give the most consideration while communicating an identified unacceptable risk to management?
Explanation:
The chief audit executive should give the most consideration to the organization's risk management policy when communicating an identified unacceptable risk to management. The risk management policy outlines the organization's approach to managing risk, including risk tolerance levels, risk appetite, and the procedures for identifying, assessing, and mitigating risks. By aligning the communication with the risk management policy, the CAE ensures that the discussion about unacceptable risk is framed within the context of the organization's established risk management framework, facilitating a more structured and effective response from management.
Reference: The IIA's International Standards for the Professional Practice of Internal Auditing, Standard 2010 - Planning and COSO's Enterprise Risk Management Framework.
Question 175
Which of the following statements is true regarding the use of internal control questionnaires (ICQs)?
Explanation:
Internal control questionnaires (ICQs) are used to gather information about the presence and effectiveness of controls within an organization. One of the limitations of ICQs is that the answers provided by respondents can be easily misinterpreted. This misinterpretation can occur due to unclear questions, differences in understanding terminology, or respondents not fully comprehending the context of the questions. Therefore, while ICQs are useful tools for identifying control issues, they require careful interpretation and often necessitate follow-up for clarification to ensure accurate understanding and assessment of the controls.
The Institute of Internal Auditors (IIA) Practice Guide: 'Internal Control Questionnaires'
IIA Standard 2310: Identifying Information
Question 176
The internal audit manager has been delegated the task of preparing the annual internal audit plan for the forthcoming fiscal year. All engagements should be appropriately categorized and presented to the chief audit executive for review. Which of the following would most likely be classified as a consulting engagement?
Explanation:
A consulting engagement in internal auditing involves providing advisory and related client service activities, the nature and scope of which are agreed upon with the client. These are intended to add value and improve an organization's governance, risk management, and control processes. Helping in the design of the risk management program is a consulting activity because it involves advising management on how to establish or improve the processes for identifying, assessing, and managing risks. This is different from assurance engagements, which primarily focus on assessing existing processes.
The Institute of Internal Auditors (IIA) Standard 2010: Planning
IIA Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures
Question 177
Which of the following is one of the five basic financial statement assertions when an internal auditor evaluates controls over financial reporting?
Explanation:
One of the five basic financial statement assertions that an internal auditor evaluates when assessing controls over financial reporting is 'existence or occurrence.' This assertion verifies that assets, liabilities, and equity interests actually exist at a given date, and that recorded transactions have actually occurred during a given period. It ensures that the financial statements are not overstated through the inclusion of fictitious or erroneous items.
COSO Framework
PCAOB Auditing Standard No. 15: Audit Evidence
Question 178
According to IIA guidance, which of the following is the key planning step internal auditors should perform to establish appropriate engagement objectives prior to starting an audit engagement?
Explanation:
A key planning step for internal auditors to establish appropriate engagement objectives is to evaluate management's risk assessment and the internal audit activity's risk assessment. This step ensures that the audit focuses on areas of highest risk and aligns with the organization's risk management framework. By understanding and incorporating the organization's risk priorities, the internal auditors can design their engagements to provide maximum value and assurance regarding the control environment and risk management processes.
The Institute of Internal Auditors (IIA) Standard 2010: Planning
IIA Practice Advisory 2010-2: Using the Risk Management Process in Internal Audit Planning
Question 179
At a construction company, an internal auditor is planning an audit of the company's process for designing and building grid connections. The process involves customers making payments in three parts:
* The first payment of 10% after approval of the customer's application
* The second payment of 70% prior to construction
* The third payment of 20% after construction is complete
Which of the following key controls should the auditor test to ensure that the company is not taking any unwanted credit risks?
Explanation:
To ensure that the company is not taking any unwanted credit risks, the internal auditor should test controls that ensure construction orders are initiated only after the second invoice, which represents 70% of the payment, is paid. This control is critical because it minimizes the financial risk to the company by ensuring that a significant portion of the payment is received before the majority of the work is undertaken. This practice helps protect the company from potential non-payment issues and reduces the financial exposure associated with the project.
COSO Framework
The Institute of Internal Auditors (IIA) Standard 2130: Control
Question 180
As part of the preliminary survey, an internal auditor sent an internal control questionnaire to the accounts payable function. Based on the questionnaire responses, the auditor determines that there is no established procedure for adding and approving new vendors. What would the auditor do next?
Explanation:
When an internal auditor identifies a potential control deficiency based on a preliminary survey, such as the lack of established procedures for adding and approving new vendors, the next appropriate step is to gather more detailed information. Interviewing personnel involved in the accounts payable function allows the auditor to understand the context, confirm the accuracy of the questionnaire responses, and gain insights into the potential risks and impacts associated with the observed deficiency. This step is crucial before documenting the issue or planning further audit procedures to ensure the information is accurate and complete.
Reference: The IIA's International Standards for the Professional Practice of Internal Auditing, Standard 2201 - Planning Considerations.