IIA IIA-CIA-Part2 Practice Test - Questions Answers, Page 32
Question 311
Which of the following is one of the five attributes that internal auditors include when documenting a deficiency?
Explanation:
One of the five attributes that internal auditors include when documenting a deficiency is the criteria used to make the evaluation. The criteria represent the standards, measures, or expectations used in the evaluation process. Documenting the criteria is essential as it provides a benchmark against which the actual conditions can be compared, thereby helping to identify and explain deficiencies in controls or processes.
The Institute of Internal Auditors (IIA) Standard 2410 -- Criteria for Communicating: 'Final communication of engagement results must, where appropriate, contain the internal auditors' overall opinion and/or conclusions, as well as the criteria used for evaluation.'
IIA Practice Guide on 'Documenting Internal Audit Observations'
Question 312
An internal auditor recommended that an organization implement computerized controls in its sales system in order to prevent sales representatives from executing contracts in excess of their delegated authority levels. A follow-up review found that the sales system had not been modified, but a process had been implemented to obtain written approval by the vice president of sales for all contracts in excess of $1 million. The chief audit executive (CAE) would be justified in reporting this situation to the organization's board under which of the following circumstances?
1. In the opinion of the CAE, the level of residual risk assumed by senior management is too high.
2. Testing of compliance with the new process finds that all new contracts in excess of $1 million have been approved by the vice president of sales.
3. The cost of modifying the sales system to include a preventive control is less than $100,000.
Explanation:
The Chief Audit Executive (CAE) would be justified in reporting the situation to the organization's board if, in the opinion of the CAE, the level of residual risk assumed by senior management is too high (1). Even though the new process of obtaining written approval by the vice president of sales addresses the issue, if the CAE believes that the residual risk remains too high, it is their duty to report it to the board. The cost of implementing a preventive control or the compliance with the new process does not change the responsibility of the CAE to report significant residual risks to the board.
The Institute of Internal Auditors (IIA) Standard 2600 -- Communicating the Acceptance of Risks: 'When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.'
IIA Practice Guide on 'Communicating Risk Acceptance to the Board'
Question 313
In the following risk control map risks have been categorized based on the level of significance and the associated level of control. Which of the following statements is true regarding Risk C?
Explanation:
In the risk control map, Risk C is positioned in the upper left quadrant, indicating it is critical (high risk significance) but with a low level of control. This suggests that the current controls are insufficient to mitigate the high level of risk associated with Risk C. For critical risks, a higher level of control is necessary to ensure that the risk is properly managed and mitigated.
Reference:
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
'Risk Management Framework' (COSO)
Question 314
In which of the following situations has an internal auditor obtained physical evidence?
Explanation:
Physical evidence in internal auditing refers to tangible, observable, and verifiable information obtained directly through auditors' activities. Making purchases from retail outlets to evaluate customer service involves direct interaction and observation, which constitutes obtaining physical evidence. This differs from documents, interviews, or confirmations, which are considered documentary or testimonial evidence.
Reference:
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
'Audit Evidence' (International Standards on Auditing)
Question 315
Which of the following is an appropriate documentation of proper engagement supervision?
Explanation:
Proper engagement supervision is documented through formal records that show a systematic review and oversight process. A completed engagement workpaper review checklist provides evidence that the supervisor has reviewed and approved the work done by the audit team. This formal checklist ensures all critical aspects of the engagement are reviewed systematically, meeting the standards for proper supervision documentation.
Reference:
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
'International Standards for the Professional Practice of Internal Auditing' (IIA)
Question 316
An internal auditor discovered that a new employee was granted inappropriate access to the payroll system. Apparently the IT specialist had made a mistake and granted access to the wrong new employee. Which of the following management actions would be most effective to prevent a similar issue from occurring again?
Explanation:
The most effective management action to prevent similar issues in the future involves both corrective and preventive measures. Coaching the IT specialist addresses the immediate knowledge gap and mistake that occurred. Introducing a secondary control, such as a review or verification step, ensures that future access requests are granted correctly, thereby preventing similar errors. This combination addresses the root cause and adds a layer of assurance.
Reference:
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
'IT Control Objectives for Sarbanes-Oxley' (IT Governance Institute)
Question 317
The audit manager asked the internal auditor to perform additional testing because several irregularities were found in the financial information. Which of the following would be the most appropriate analytical review for the auditor to perform?
Explanation:
When several irregularities are found in the financial information, it is critical to perform an analytical review that provides a broader perspective on the firm's financial health. Comparing the firm's financial performance with organizations in the same industry helps identify anomalies and trends that may indicate irregularities. This benchmarking approach can highlight unusual deviations from industry norms, which may signal errors or potential fraud.
Reference:
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
'Auditing and Assurance Services' (Messier, Glover, Prawitt)
Question 318
Management requested internal audit consulting services. During fieldwork significant control issues were identified by the internal audit team. Which of the following is an appropriate response from the chief audit executive?
Explanation:
When significant control issues are identified during a consulting engagement, it is the responsibility of the chief audit executive to ensure that these issues are communicated to senior management and the board. This ensures that the organization is aware of the risks and can take corrective action. Consulting engagements should not overshadow the priority of addressing critical control issues that may affect the organization's risk profile.
Reference:
'International Standards for the Professional Practice of Internal Auditing' (IIA Standards)
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
Question 319
The internal auditor and her supervisor are in dispute about a risk that was not tested during an audit of the procurement function. Which of the following tools would best support the auditor's decision not to test the risk?
Explanation:
An assurance map is a tool that provides a visual representation of the coverage of risks by various assurance providers. It supports the auditor's decision by showing which risks are being addressed by internal audit and other functions, and which risks are not being tested. This can help justify the auditor's decision not to test a particular risk, by demonstrating that it has already been covered or deemed low priority.
Reference:
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
'Creating an Assurance Map' (IIA Practice Guide)
Question 320
Which of the following factors would be the most critical in determining which engagements should be included in the annual internal audit plan?
Explanation:
The most critical factor in determining which engagements should be included in the annual internal audit plan is the organization's annual risk management strategy. This strategy identifies the key risks facing the organization and ensures that the internal audit plan aligns with the areas of highest risk. This prioritization helps ensure that internal audit resources are focused on areas that could have the most significant impact on the organization.
Reference:
'Internal Auditing: Assurance & Advisory Services' (The Institute of Internal Auditors)
'Risk-Based Internal Auditing' (IIA Practice Guide)
Question