Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions)

[1] Gleim #: 1.1.1

An organization’s management perceives the need to make significant changes. Which of the following factors is management least likely to be able to change?

A. The organization’s members.
B. The organization’s structure.
C. The organization’s environment.
D. The organization’s technology.

Answer (A) is incorrect. The organization’s members are a factor that managers are clearly able to change.
Answer (B) is incorrect. The organization’s structure is a factor that managers are clearly able to change.
Answer (C) is correct. The environment of an organization consists of external forces outside its direct control that may affect its performance. These forces include competitors, suppliers, customers, regulators, climate, culture, politics, technological change, and many other factors. The organization’s members are a factor that managers are clearly able to change.
Answer (D) is incorrect. The organization’s technology is a factor that managers are clearly able to change.

[2] Gleim #: 1.1.2

A major corporation is considering significant organizational changes. Which of the following groups will not be responsible for implementing these changes?

A. Employees.
B. Top management.
C. Common shareholders.
D. Outside consultants.

Answer (A) is incorrect. Organizational change is conducted through change agents, who may include employees.
Answer (B) is incorrect. Organizational change is conducted through change agents, who may include managers.
Answer (C) is correct. Common shareholders are not responsible for implementing decisions within the organization. If members of the management team also are common shareholders, they must make decisions consistent with their stewardship function. Thus, they must separate their ownership interests from their managerial responsibilities.
Organizational change is conducted through change agents, who may include employees, managers, or outside consultants.
Answer (D) is incorrect. Organizational change is conducted through change agents, who may include outside consultants. Outsiders can offer an objective, independent view, but they lack knowledge of the organization and do not have to cope with the effects of the changes.

Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic

[3] Gleim #: 1.1.3

An organization is changing to a quality assurance program that incorporates quality throughout the process. This is very different from its years of dependence on quality control at the end of the process. This type of change is a

A. Cultural change.
B. Product change.
C. Structural change.
D. Organizational change.

Answer (A) is correct. A cultural change involves a change in attitudes and mindset.
Answer (B) is incorrect. Product change is change in a product’s physical attributes and usefulness to customers.
Answer (C) is incorrect. No change to systems and structures is mentioned.
Answer (D) is incorrect. No organizational change occurred. The change involves only quality assurance.

[4] Gleim #: 1.1.4

Lack of skills, threats to job status or security, and fear of failure all have been identified as reasons that employees often

A. Want to change the culture of their organization.
B. Are dissatisfied with the structure of their organization.
C. Are unable to perform their jobs.
D. Resist organizational change.

Answer (A) is incorrect. Lack of skills, threats to job status or security, and fear of failure inhibit changes in the culture of the organization.
Answer (B) is incorrect. Lack of skills, threats to job status or security, and fear of failure are not symptoms of dissatisfaction with the structure of the organization.
Answer (C) is incorrect.
Lack of skills, threats to job status or security, and fear of failure do not indicate an inability to perform.
Answer (D) is correct. Employees resist change for many reasons, for example, (1) surprise, (2) inertia, (3) misunderstanding, (4) lack of skills, (5) emotional reactions, (6) lack of trust of management, (7) fear of failure, (8) personality conflicts, (9) poor timing, (10) management’s insensitivity, (11) threats to job status or security, and (12) breakup of the work group. Resistance may be overcome by involving employees to gain feedback and allay fears.

[5] Gleim #: 1.1.5

Of the following reasons for employees to resist a major change in organizational processes, which is least likely?

A. Threat of loss of jobs.
B. Required attendance at training classes.
C. Breakup of existing work groups.
D. Imposition of new processes by senior management without prior discussion.

Answer (A) is incorrect. Actual or imagined loss of jobs is a common reason for employees to resist any change.
Answer (B) is correct. Change management is important to all organizations. An appropriate balance between change and stability is necessary if an organization is to thrive. Employee training programs educate employees to perform jobs in a new or different way. Thus, they are a means of coping with employee resistance to change through facilitation and support of the change.
Answer (C) is incorrect. Members of work groups often exert peer pressure on one another to resist change, especially if social relationships are changed.
Answer (D) is incorrect. Imposing change without prior discussion of the need for change threatens the status quo, which fosters employee resistance.

[6] Gleim #: 1.1.6

Employee resistance to change may be caused by

A. Only simple surprise or inertia.
B. Manipulation of information or events.
C. Bad timing.
D. Coercion.

Answer (A) is incorrect. Simple surprise and inertia are not the only possible causes of resistance.
Answer (B) is incorrect. Manipulation of information or events is a method of coping with employee resistance to change.
Answer (C) is correct. Resistance may be caused by simple surprise or by inertia, but it also may arise from (1) misunderstandings or lack of the needed skills; (2) lack of trust of, or conflicts with, management; (3) emotional reactions when change is forced; (4) bad timing; (5) insensitivity to employees’ needs; (6) perceived threats to employees’ status or job security; (7) dissolution of tightly knit work groups; and (8) interference with achievement of other objectives.
Answer (D) is incorrect. Coercion is a method of coping with employee resistance.

[7] Gleim #: 1.1.7

Organizational change must be considered in the light of potential employee resistance. Resistance

A. May occur even though employees will benefit from the change.
B. Will be greatest when informal groups are weakest.
C. Will be insignificant if no economic loss by employees is expected.
D. Is centered mostly on perceived threats to psychological needs.

Answer (A) is correct. Resistance to change may be caused by fear of the personal adjustments that may be required. Employees may have a genuine concern about the usefulness of the change, perceive a lack of concern for workers’ feelings, fear the outcome, worry about downgrading of job status, and resent deviations from past procedures for implementing change (especially if new procedures are less participative than the old). Social adjustments also may be required that violate the behavioral norms of informal groups or disrupt the social status quo within groups. Economic adjustments may involve potential economic loss or insecurity based on perceived threats to jobs.
In general, any perceived deterioration in the work situation that is seen as a threat to economic, social, and/or psychological needs will produce resistance. The various adjustments required are most likely to be resisted when imposed unilaterally by higher authority. However, employees who share in finding solutions to the problems requiring change are less likely to resist because they will have some responsibility for the change.
Answer (B) is incorrect. Strong informal groups are likely to offer more resistance.
Answer (C) is incorrect. Resistance arises from threats to a complex pattern of economic, social, and psychological needs.
Answer (D) is incorrect. Resistance arises from threats to a complex pattern of economic, social, and psychological needs.

[8] Gleim #: 1.1.8

An internal auditor is conducting an operational review that affects several different functional units. The auditor believes that the process under review can be improved, but the operating managers are resistant to suggestions for change. There are several methods the auditor could use to overcome the operating managers’ resistance. Identify the technique that will produce the highest probability of success with the fewest negative side effects.

A. Negotiation with the operating managers.
B. Participation by the managers in the decision process.
C. Coercion of the managers through threats.
D. Cooperation by approaching each manager individually.

Answer (A) is incorrect. Negotiation may result in sacrifice by one or both parties. Also, if significant concessions are made to one manager, the others will try to gain a similar advantage.
Answer (B) is correct. Participation by the operating managers in the decision process can improve the overall decision, reduce resistance, and secure their commitment to the change.
Answer (C) is incorrect. Coercion is a temporary solution. Resistance will only be subdued, not eliminated.
In addition, future cooperation between the auditor and operating managers will be severely restricted.
Answer (D) is incorrect. Attempting to obtain cooperation of individual managers is not optimal. A manager approached to obtain his/her endorsement may feel that (s)he is being used.

[9] Gleim #: 1.1.9

Co-optation is a

A. Method of coping with employee resistance.
B. Cause of resistance to change.
C. Model for categorizing organizational changes.
D. Way of allowing meaningful input by resistant employees.

Answer (A) is correct. Methods of coping with employee resistance include co-optation through allowing some participation but without meaningful input.
Answer (B) is incorrect. Co-optation is a method of coping with employee resistance.
Answer (C) is incorrect. Co-optation is a method of coping with employee resistance.
Answer (D) is incorrect. Co-optation is a way of allowing some participation but without meaningful input.

[10] Gleim #: 1.1.10

A chief audit executive plans to make changes that may be perceived negatively by the audit staff. The best way to reduce resistance would be to

A. Develop the new approach fully before presenting it to the audit staff.
B. Ask the chief executive officer (CEO) to approve the changes and have the CEO attend the departmental staff meeting when they are presented.
C. Approach the staff with the general idea and involve them in the development of the changes.
D. Get the internal audit activity’s clients to support the changes.

Answer (A) is incorrect. Fully developing the plan before presenting it to the audit staff will not help reduce their resistance to change.
Answer (B) is incorrect. Involving the CEO will not necessarily reduce the audit staff’s resistance to change.
Answer (C) is correct. Change management is important to all organizations.
An appropriate balance between change and stability is necessary. Organizational and procedural changes often are resisted by the individuals and groups affected. Involving the staff in the change from the beginning will reduce their resistance to change.
Answer (D) is incorrect. Involving the internal audit activity’s clients will not necessarily reduce the audit staff’s resistance to change.

[11] Gleim #: 1.1.11

Organizational development (OD) is one of the major approaches to proactive management of change in organizations. One of the major objectives of OD is to

A. Increase the power of leaders.
B. Align the organization’s and the employees’ goals.
C. Attract better employees to the organization.
D. Provide the organization and its managers with ways to increase efficiency.

Answer (A) is incorrect. OD focuses on participation and power sharing.
Answer (B) is correct. The objectives of OD are to (1) deepen the sense of organizational purpose and align individuals with it; (2) promote interpersonal trust, communication, cooperation, and support; (3) encourage a problem-solving approach; (4) develop a satisfying work experience; (5) supplement formal authority with authority based on expertise; (6) increase personal responsibility; and (7) encourage willingness to change.
Answer (C) is incorrect. Attracting better applicants to an organization is not a major goal of OD.
Answer (D) is incorrect. OD provides an organization and its managers with higher effectiveness.

[12] Gleim #: 1.1.12

An organization has embarked on a program of process innovation and core process redesign. To counter resistance, it has adopted an organizational development (OD) approach that includes

A. Inducing employees to share organizational purposes and values.
B. Incremental change of subsystems.
C. Focusing each division’s attention on its own objectives.
D. Manipulating information and events.

Answer (A) is correct. The objectives of OD are to (1) deepen the sense of organizational purpose and align individuals with it; (2) promote interpersonal trust, communication, cooperation, and support; (3) encourage a problem-solving approach; (4) develop a satisfying work experience; (5) supplement formal authority with authority based on expertise; (6) increase personal responsibility; and (7) encourage willingness to change.
Answer (B) is incorrect. The intended change is an instance of business process reengineering. It is thus a strategic, not an incremental, change.
Answer (C) is incorrect. The organization should not promote the silo approach. Rather, it should promote adherence to the organization’s culture, values, and objectives.
Answer (D) is incorrect. Manipulation, co-optation, and coercion tend to be ineffective means of change management.

[13] Gleim #: 1.1.13

Internal auditors can be considered leading agents for change within an organization. Which of the following is not a good way to promote this concept?

A. A directive from top management stating that internal auditors will be used for all process-improvement projects.
B. A brochure describing what internal auditing can do and the qualifications of the internal auditors.
C. Postengagement questionnaires to obtain information on how engagement clients perceive the internal audit activity.
D. Bulletins that highlight widespread or universal applications of engagement observations.

Answer (A) is correct. A directive does not promote, but requires, the use of internal auditors. The result may be resentment towards the internal auditors and resistance to beneficial change.
Education, communication, participation in decisions by those affected, facilitation and support, and negotiation are means of overcoming resistance to change.
Answer (B) is incorrect. Brochures are an effective way to promote internal auditors as leading agents for change within an organization. They are an educational and communication tool.
Answer (C) is incorrect. Questionnaires provide a means of engagement client participation in change.
Answer (D) is incorrect. Bulletins are an effective way to promote internal auditors as leading agents for change within an organization. They are an educational and communication tool.

[14] Gleim #: 1.2.14

Audit committees have been identified as a major factor in promoting the independence of both internal and external auditors. Which of the following is the most important limitation on the effectiveness of audit committees?

A. Audit committees may be composed of independent directors. However, those directors may have close personal and professional friendships with management.
B. Audit committee members are compensated by the organization and thus favor an owner’s view.
C. Audit committees devote most of their efforts to external audit concerns and do not pay much attention to the internal audit activity and the overall control environment.
D. Audit committee members do not normally have degrees in the accounting or auditing fields.

Answer (A) is correct. The audit committee is a subcommittee made up of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to ensure that the directors are exercising due care. However, if independence is impaired by personal and professional friendships, the effectiveness of the audit committee may be limited.
Answer (B) is incorrect. The compensation audit committee members receive is usually minimal. They should be independent and therefore not limited to an owner’s perspective.
Answer (C) is incorrect. Although audit committees are concerned with external audits, they also devote attention to the internal audit activity.
Answer (D) is incorrect. Audit committee members do not need degrees in accounting or auditing to understand engagement communications.

[15] Gleim #: 1.2.15

The audit committee may serve several important purposes, some of which directly benefit the internal audit activity. The most significant benefit provided by the audit committee to the internal audit activity is

A. Protecting the independence of the internal audit activity from undue management influence.
B. Reviewing annual engagement work schedules and monitoring engagement results.
C. Approving engagement work schedules, scheduling, staffing, and meeting with the internal auditors as needed.
D. Reviewing copies of the procedures manuals for selected organizational operations and meeting with organizational officials to discuss them.

Answer (A) is correct. The audit committee is a subcommittee of the board of directors composed of outside directors who are independent of corporate management. Its purpose is to help keep external and internal auditors independent of management and to ensure that the directors are exercising due care. This committee often selects the external auditors, reviews their overall audit plan, and examines the results of external and internal audits.
Answer (B) is incorrect. Reviewing the audit plan and the results can be performed by the entire board.
Answer (C) is incorrect. Reviewing the audit plan and staffing requirements can be performed by the entire board.
Answer (D) is incorrect. Reviewing procedures manuals can be performed by the entire board.

[16] Gleim #: 1.2.16

To avoid creating conflict between the chief executive officer (CEO) and the audit committee, the chief audit executive (CAE) should

A. Submit copies of all engagement communications to the CEO and audit committee.
B. Strengthen independence through organizational status.
C. Discuss all pending engagement communications to the CEO with the audit committee.
D. Request board establishment of policies covering the internal audit activity’s relationships with the audit committee.

Answer (A) is incorrect. The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work.
Answer (B) is incorrect. Independence is not sufficient to avert conflict unless reporting relationships are well defined.
Answer (C) is incorrect. The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work.
Answer (D) is correct. Independence is not sufficient to avert conflict unless reporting relationships are well defined.

[17] Gleim #: 1.2.17

Which of the following actions is an appropriate response by organizations wishing to improve the public’s perception of their financial reporting?

A. Increased adoption of audit committees composed of outside directors.
B. Viewing internal auditing as a transient profession–a stepping stone to managerial positions.
C. Requiring internal auditors to report all significant observations of illegal activity to the chief executive officer.
D. Keeping external and internal auditing work separated to maintain independence.

Answer (A) is correct. The audit committee consists of outside directors who are independent of management.
Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. This committee selects the external auditors, reviews their overall audit plan, examines the results of external and internal auditing engagements, meets regularly with the CAE, and reviews the internal audit activity’s engagement work schedule, staffing plan, and financial budget. These functions should increase public confidence that financial statements are fairly presented.
Answer (B) is incorrect. Transience of internal auditors impairs the proficiency of the internal audit activity.
Answer (C) is incorrect. If illegal activities involve senior management, distribution of engagement communications should be to the audit committee, not the CEO.
Answer (D) is incorrect. The work of the internal and external auditors should be coordinated to minimize duplicate efforts. Coordination does not impair independence or reduce public confidence.

[18] Gleim #: 1.2.18

Which of the following is not an appropriate member of an audit committee?

A. The vice president of the local bank used by the organization.
B. An academic specializing in business administration.
C. A retired executive of a firm that had been associated with the organization.
D. The organization’s vice president of operations.

Answer (A) is incorrect. The vice president of the local bank used by the organization is an external party who is usually independent of the organization’s internal operations.
Answer (B) is incorrect. An academic specializing in business administration is an external party who is usually independent of the organization’s internal operations.
Answer (C) is incorrect.
A retired executive of a firm that had been associated with the organization is an external party who is usually independent of the organization’s internal operations.
Answer (D) is correct. The audit committee consists of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. The organization’s vice president is not an outside director. The vice president of the local bank used by the organization, an academic specializing in business administration, and a retired executive of a firm that had been associated with the organization are all external parties who are usually independent of the organization’s internal operations.

[19] Gleim #: 1.2.19

Which of the following audit committee activities is of the greatest benefit to the internal audit activity?

A. Review and approval of engagement work programs.
B. Assurance that the external auditor will rely on the work of the internal audit activity whenever possible.
C. Review and endorsement of all internal auditing engagement communications prior to their release.
D. Determine whether scope limitations impede the ability of the internal audit activity to execute its responsibilities.

Answer (A) is incorrect. Review and approval of engagement work programs is the responsibility of internal audit supervisors.
Answer (B) is incorrect. Whether the external auditor will make use of the work of internal auditing is not for the audit committee to decide.
Answer (C) is incorrect. Review and approval of internal audit engagement communications is the responsibility of the chief audit executive or his/her designee.
Answer (D) is correct.
Among the functions of the audit committee is making appropriate inquiries of management and the CAE to determine whether audit scope or budgetary limitations impede the ability of the internal audit activity to execute its responsibilities (PA 1110-1, para. 3).

[20] Gleim #: 1.2.20

Which of the following features of a large manufacturer’s organizational structure is a control weakness?

A. The information systems department is headed by a vice president who reports directly to the president.
B. The chief financial officer is a vice president who reports to the chief executive officer.
C. The audit committee of the board consists of the chief executive officer, the chief financial officer, and a major shareholder.
D. The controller and treasurer report to the chief financial officer.

Answer (A) is incorrect. This reporting relationship is a strength. It prevents the information systems operation from being dominated by a user.
Answer (B) is incorrect. It is a normal and appropriate reporting relationship.
Answer (C) is correct. The audit committee has a control function because of its oversight of internal as well as external auditing. It should be made up of directors who are independent of management. The authority and independence of the audit committee strengthen the position of the internal audit activity.
Answer (D) is incorrect. It is a normal and appropriate reporting relationship.

[21] Gleim #: 1.2.21

The audit committee strengthens the control processes of an organization by

A. Assigning the internal audit activity responsibility for interaction with governmental agencies.
B. Using the chief audit executive as a major resource in selecting the external auditors.
C. Following up on recommendations made by the chief audit executive.
D. Approving internal audit activity policies.

Answer (A) is incorrect.
A direct strengthening of controls does not result from this activity.
Answer (B) is incorrect. A direct strengthening of controls does not result from this activity.
Answer (C) is correct. Among the audit committee’s functions are to ensure that engagement results are given due consideration and to receive distributions of final engagement communications by the internal auditors (PA 2440-1, para. 4). This enhancement of the position of internal auditing in turn strengthens control processes.
Answer (D) is incorrect. A direct strengthening of controls does not result from this activity.

[22] Gleim #: 1.2.22

An audit committee of the board of directors of an organization is being established. Which of the following is normally a responsibility of the committee with regard to the internal audit activity?

A. Approval of the selection and dismissal of the chief audit executive.
B. Development of the annual engagement work schedule.
C. Approval of engagement work programs.
D. Determination of engagement observations appropriate for specific engagement communications.

Answer (A) is correct. Independence is enhanced when the board concurs in the appointment or removal of the CAE (PA 1110-1). The audit committee is a subcommittee of outside directors who are independent of management. The term “board” includes the audit committee.
Answer (B) is incorrect. Development of the annual engagement work schedule is an operational function of the CAE and the internal audit activity staff. A summary of the (1) audit plan, (2) work schedule, (3) staffing plan, and (4) financial budget is submitted annually to senior management and the board.
Answer (C) is incorrect. Approval of engagement work programs is a technical responsibility of the internal audit activity staff.
Answer (D) is incorrect.
The determination of engagement observations appropriate for specific engagement communications is a field operation of the internal audit activity staff.

[23] Gleim #: 1.2.23

An audit committee should be designed to enhance the independence of both the internal and external auditing functions and to insulate these functions from undue management pressures. Using this criterion, audit committees should be composed of

A. A rotating subcommittee of the board of directors or its equivalent.
B. Only members from the relevant outside regulatory agencies.
C. Members from all important constituencies, specifically including representatives from banking, labor, regulatory agencies, shareholders, and officers.
D. Only external members of the board of directors or its equivalent.

Answer (A) is incorrect. The audit committee is not required to be rotated periodically.
Answer (B) is incorrect. Regulators ordinarily do not serve as directors.
Answer (C) is incorrect. Officers are not outside directors.
Answer (D) is correct. The audit committee of the board of directors should be composed entirely of outside directors. Outside directors are members of the board who are independent of internal management. Because the primary purpose of the audit committee is to promote the independence of the internal and external auditors from management, an audit committee composed of inside directors would be ineffective.

[24] Gleim #: 1.3.24

A primary purpose of establishing a code of conduct within a professional organization is to

A. Reduce the likelihood that members of the profession will be sued for substandard work.
B. Ensure that all members of the profession perform at approximately the same level of competence.
C. Promote an ethical culture among professionals who serve others.
D.
Require members of the profession to exhibit loyalty in all matters pertaining to the affairs of their organization.

Answer (A) is incorrect. Although this result may follow from establishing a code of conduct, it is not the primary purpose. To consider it so would be self-serving.
Answer (B) is incorrect. A code of conduct can help to establish minimum standards of competence, but it would be impossible to legislate equality of competence by all members of a profession.
Answer (C) is correct. The IIA Code of Ethics is typical. Its purpose is “to promote an ethical culture in the profession of internal auditing.” The definition of internal auditing states that it is “an independent, objective assurance and consulting activity.” Moreover, internal auditing is founded on “the trust placed in its objective assurance about risk management, control, and governance.” Accordingly, internal auditors are professionals who serve others by providing assurance and consulting services.
Answer (D) is incorrect. In some situations, responsibility to the public at large may conflict with and be more important than loyalty to one’s organization.

[25] Gleim #: 1.3.25

In analyzing the differences between two recently merged businesses, the chief audit executive of Organization A notes that it has a formal code of ethics and Organization B does not. The code of ethics covers such things as purchase agreements, relationships with vendors, and other issues. Its purpose is to guide individual behavior within the firm. Which of the following statements regarding the existence of the code of ethics in A can be logically inferred?

I. A exhibits a higher standard of ethical behavior than does B.
II. A has established objective criteria by which an individual’s actions can be evaluated.
III. The absence of a formal code of ethics in B would prevent a successful review of ethical behavior in that organization.

A. I and II.
B. II only.
C. III only.
D. II and III.
Answer (A) is incorrect. The mere existence of A’s code of ethics does not ensure that its principles are followed.
Answer (B) is correct. A formal code of ethics effectively (1) communicates acceptable values to all members, (2) provides a method of policing and disciplining members for violations, (3) establishes objective standards against which individuals can measure their own performance, and (4) communicates the organization’s value system to outsiders.
Answer (C) is incorrect. The absence of a formal code of ethics does not preclude a successful review of ethical behavior in an organization. Policies and procedures may provide the criteria for such an engagement.
Answer (D) is incorrect. The existence of a code of ethics does establish objective criteria by which individual actions can be evaluated. However, the absence of a formal code of ethics does not preclude a successful review of ethical behavior in an organization. Policies and procedures may provide the criteria for such an engagement.

[26] Gleim #: 1.3.26
An accounting association established a code of ethics for all members. What is one of the association’s primary purposes of establishing the code of ethics?
A. To outline criteria for professional behavior to maintain standards of integrity and objectivity.
B. To establish standards to follow for effective accounting practice.
C. To provide a framework within which accounting policies could be effectively developed and executed.
D. To outline criteria that can be used in conducting interviews of potential new accountants.
Answer (A) is correct. The primary purpose of a code of ethical behavior for a professional organization is to promote an ethical culture among professionals who serve others.
Answer (B) is incorrect. National standards-setting bodies, not codes of ethics, provide guidance for effective accounting practice.
Answer (C) is incorrect. A code of ethics does not provide the framework within which accounting policies are developed.
Answer (D) is incorrect. The primary purpose is not for interviewing new accountants.

[27] Gleim #: 1.3.27
A code of conduct was developed several years ago and distributed by a large financial institution to all its officers and employees. What is the internal auditor’s best approach to providing the board with the highest level of comfort about the code of conduct?
A. Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the board.
B. Fully evaluate organizational practices for compliance with the code and report to the board.
C. Review employee activities for compliance with provisions of the code and report to the board.
D. Perform tests on various employee transactions to detect potential violations of the code of conduct.
Answer (A) is correct. When evaluating a code of conduct, it is important to consider two items: comprehensiveness and compliance. The code should address the ethical issues that the employees are expected to encounter and provide suitable guidance. The internal auditor also must consider the extent to which employees are complying with the standards established.
Answer (B) is incorrect. Evaluating practices and reporting to the board is not the best approach.
Answer (C) is incorrect. Reviewing employee activities does not provide as much comfort about the code of conduct as evaluation of comprehensiveness.
Answer (D) is incorrect. Performing tests on employee transactions is not the best approach.

[28] Gleim #: 1.3.28
A review of an organization’s code of conduct revealed that it contained comprehensive guidelines designed to inspire high levels of ethical behavior. The review also revealed that employees were knowledgeable of its provisions. However, some employees still did not comply with the code. What element should a code of conduct contain to enhance its effectiveness?
A. Periodic review and acknowledgment by all employees.
B. Employee involvement in its development.
C. Public knowledge of its contents and purpose.
D. Provisions for disciplinary action in the event of violations.
Answer (A) is incorrect. Periodic review and acknowledgment would ensure employee knowledge and acceptance of the code, which are not at issue.
Answer (B) is incorrect. Employee involvement in development would encourage employee acceptance, which is not at issue.
Answer (C) is incorrect. Public knowledge might affect the behavior of some individuals, but not to the same extent as the perceived likelihood of sanctions for wrongdoing.
Answer (D) is correct. Penalties for violations of a code of conduct should enhance its effectiveness. Some individuals will be deterred from misconduct if they expect it to be detected and punished.

[29] Gleim #: 1.3.29
The best reason for establishing a code of conduct within an organization is that such codes
A. Are typically required by governments.
B. Express standards of individual behavior for members of the organization.
C. Provide a quantifiable basis for personnel evaluations.
D. Have tremendous public relations potential.
Answer (A) is incorrect. Governments typically have no such requirement.
Answer (B) is correct. An organization’s code of ethical conduct is the established general value system the organization wishes to apply to its members’ activities. It communicates organizational purposes and beliefs and establishes uniform ethical guidelines for members, which include guidance on behavior for members in making decisions. A code establishes high standards against which individuals can measure their own performance. It also communicates to those outside the organization the value system from which its members must not be asked to deviate.
Answer (C) is incorrect. Codes of conduct provide qualitative, not quantitative, standards.
Answer (D) is incorrect. Other purposes of a code of conduct are much more significant.

[30] Gleim #: 1.3.30
Which of the following statements is not appropriate to include in a manufacturer’s conflict of interest policy? An employee shall not
A. Accept money, gifts, or services from a customer.
B. Participate (directly or indirectly) in the management of a public agency.
C. Borrow from or lend money to vendors.
D. Use organizational information for private purposes.
Answer (A) is incorrect. A conflict of interest policy should prohibit the transfer of benefits between an employee and those with whom the organization deals.
Answer (B) is correct. A prohibition on public service is ordinarily inappropriate. Public service is a right, if not a duty, of all citizens.
Answer (C) is incorrect. A conflict of interest policy should prohibit financial dealings between an employee and those with whom the organization deals.
Answer (D) is incorrect. The IIA Code of Ethics prohibits use of information for personal gain (Rule of Conduct 3.2).

[31] Gleim #: 1.3.31
The code of ethics of a professional organization sets forth
A. Broad standards of conduct for the members of the organization.
B. The organizational details of the profession’s governing body.
C. A list of illegal activities that are proscribed to the members of the profession.
D. A basis for the measurement of internal audit performance.
Answer (A) is correct. An organization’s code of ethical conduct is the established general value system the organization wishes to apply to its members’ activities by communicating organizational purposes and beliefs and establishing uniform ethical guidelines for members, which include guidance on behavior for members in making decisions. A code establishes high standards against which individuals can measure their own performance and communicates to those outside the organization the value system from which the organization’s members must not be asked to deviate.
Answer (B) is incorrect. The organizational details of the profession’s governing body are stated in the by-laws of the professional organization.
Answer (C) is incorrect. Certain actions may be legal but contrary to an organization’s code of ethics. For example, an internal auditor may not perform a service for which (s)he does not possess the necessary knowledge, skills, and experience.
Answer (D) is incorrect. The Standards establish a basis for the measurement of internal audit performance.

[32] Gleim #: 1.4.32
The purpose of the internal audit activity’s evaluation of the effectiveness of existing risk management processes is to determine that
A. Management has planned and designed so as to provide reasonable assurance of achieving objectives.
B. Management directs processes so as to provide reasonable assurance of achieving objectives.
C. The organization’s objectives will be achieved efficiently and economically.
D. The organization’s objectives will be achieved in an accurate and timely manner and with minimal use of resources.
Answer (A) is incorrect. The adequacy of risk management processes concerns planning and design by management that provides reasonable assurance that objectives will be achieved efficiently and economically.
Answer (B) is correct. Risk management, control, and governance processes are effective if management directs processes to provide reasonable assurance of achieving the organization’s objectives. In addition to accomplishing the objectives and planned activities, management directs by authorizing activities and transactions, monitoring resulting performance, and verifying that the organization’s processes are operating as designed.
Answer (C) is incorrect. The adequacy of risk management processes concerns planning and design by management that provides reasonable assurance that objectives will be achieved efficiently and economically.
Answer (D) is incorrect. The adequacy of risk management processes concerns planning and design by management that provides reasonable assurance that objectives will be achieved efficiently and economically.

[33] Gleim #: 1.4.33
After using the same public accounting firm for several years, the board of directors retained another public accounting firm to perform the annual financial audit in order to reduce the annual audit fee. The new firm has now proposed a one-time engagement relating to the cost-effectiveness of the various operations of the business. The chief audit executive has been asked to advise management in making a decision on the proposal. An argument can be made that the internal audit activity is better able to perform such an engagement because
A. External auditors may not possess the same depth of understanding of the organization as the internal auditors.
B. Internal auditors are required to be objective in performing engagements.
C. Engagement procedures used by internal auditors are different from those used by external auditors.
D. Internal auditors will not be vitally concerned with fraud and waste.
Answer (A) is correct. Internal auditing should provide reasonable assurance that management’s (1) risk management system is effective; (2) system of internal control is effective and efficient; and (3) governance process is effective by establishing and preserving values, setting goals, monitoring activities and performance, and defining the measures of accountability. Internal auditors are more familiar than external auditors with the organization, including systems, people, and objectives.
Answer (B) is incorrect. Both internal and external auditors are required to be objective.
Answer (C) is incorrect. Internal and external auditors use the same techniques.
Answer (D) is incorrect. Internal auditors are vitally concerned with fraud and waste.

[34] Gleim #: 1.4.34
A manufacturer has been expanding rapidly and is considering adding a new production line. Employees are currently working double shifts and receiving large amounts of overtime pay. Demand for all of the organization’s products is currently high, but management worries about demand fluctuations with changes in the economy and technological developments by competitors. Management is concerned with such issues as whether it is efficiently using its resources, whether it is expanding too rapidly or not rapidly enough, whether employee morale is decreasing, and whether future expansion should be financed internally or through debt. Of the following management requests, which is within the normal scope of work of the internal audit activity as stated in the Standards?
A. Perform an independent evaluation of management’s planning process as a basis for making recommendations.
B. Talk with banks to identify financing alternatives and negotiate contract alternatives that will be presented to management for evaluation.
C. Analyze financing alternatives and present the alternatives to the audit committee.
D. Undertake a make-or-buy decision analysis to determine whether the organization should subcontract for part of its manufacturing versus adding capacity. Report the recommendation to management for approval.
Answer (A) is correct. Internal auditors evaluate the whole management process of planning, organizing, and directing to determine whether reasonable assurance exists that objectives will be achieved. Such evaluations, in the aggregate, provide information to appraise the overall management process. All business systems, processes, operations, functions, and activities within the organization are subject to the internal auditors’ evaluations. The comprehensive scope of work of the internal audit activity should provide reasonable assurance that (1) management’s risk management system is effective; (2) its system of internal control is effective and efficient; and (3) its governance process is effective by establishing and preserving values, setting goals, monitoring activities and performance, and defining the measures of accountability.
Answer (B) is incorrect. Discussing financing alternatives with banks is a responsibility of management. Such an activity also has the potential to impair the independence of the internal audit activity.
Answer (C) is incorrect. Analyzing financing options is a responsibility of the finance function. Moreover, information about the analysis should be directed to management or a finance committee of the board. The audit committee is concerned with oversight of internal and external auditing functions.
Answer (D) is incorrect. Make-or-buy decisions are a responsibility of management.

[35] Gleim #: 1.4.35
Control by management is the result of
A. Planning, organizing, and directing of organizational activities.
B. Ascertaining needs, identifying alternative courses of action, setting standards for measuring performance, and comparing outcomes with predetermined standards.
C. Authorizing and monitoring performance and comparing actual performance with planned performance.
D. Determining efficiency and economy of operations, including whether objectives have been met.
Answer (A) is correct. A control is any action taken by management, the board, or other parties to manage risk and increase the likelihood that established objectives will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives will be achieved. Thus, control by management is the result of proper planning, organizing, and directing.
Answer (B) is incorrect. Ascertaining needs, identifying alternative courses of action, setting standards for measuring performance, and comparing outcomes with predetermined standards is a basic management function.
Answer (C) is incorrect. Authorizing and monitoring performance and comparing actual performance with planned performance is a basic management function.
Answer (D) is incorrect. Determining efficiency and economy of operations, including whether objectives have been met, is a basic management function.

[36] Gleim #: 1.4.36
Controls should be designed to provide reasonable assurance that
A. Organizational objectives will be achieved economically and efficiently.
B. Management’s plans have not been circumvented by worker collusion.
C. The internal audit activity’s guidance and oversight of management’s performance is accomplished economically and efficiently.
D. Management’s planning, organizing, and directing processes are properly evaluated.
Answer (A) is correct. Risk management, control, and governance processes are adequate if management has planned and designed them to provide reasonable assurance that the organization’s objectives will be achieved efficiently and economically. Reasonable assurance is provided when the most cost-effective actions are taken in the design and implementation stages to reduce risks and restrict deviations to a tolerable level.
Answer (B) is incorrect. Collusion is an inherent limitation of internal control.
Answer (C) is incorrect. Representatives of the organization’s stakeholders (e.g., the board) provide oversight of risk and control processes administered by management.
Answer (D) is incorrect. Internal auditors evaluate management processes to determine whether reasonable assurance exists that objectives will be achieved.

[37] Gleim #: 1.4.37
The board is responsible for implementing
I. Risk management
II. Governance
III. Control
A. I only.
B. II only.
C. III only.
D. II and III only.
Answer (A) is incorrect. Implementation of risk management is a key responsibility of management at all levels.
Answer (B) is correct. Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives (The IIA Glossary). Risk management is a key responsibility of senior management and the board. But the board’s role is to provide oversight (PA 2120-1). Senior management’s role is to oversee the establishment, administration, and assessment of the system of risk management and control processes (PA 2130-1).
Answer (C) is incorrect. Senior management’s role is to oversee the establishment, administration, and assessment of the system of risk management and control processes.
Answer (D) is incorrect. Implementation of risk management and control processes are key responsibilities of management at all levels.

[38] Gleim #: 1.4.38
What is the most accurate term for the procedures used by the board to oversee activities performed to achieve organizational objectives?
A. Governance.
B. Control.
C. Risk management.
D. Monitoring.
Answer (A) is correct. Governance is the “combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives” (The IIA Glossary).
Answer (B) is incorrect. Control is “any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved” (The IIA Glossary).
Answer (C) is incorrect. Risk management is “a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives” (The IIA Glossary).
Answer (D) is incorrect. Monitoring consists of actions taken by management and others to assess the quality of internal control performance over time. It is not currently defined in the Standards and The IIA Glossary.

[39] Gleim #: 1.4.39
Internal auditing is an assurance and consulting activity. An example of an assurance service is a(n)
A. Advisory engagement.
B. Facilitation engagement.
C. Training engagement.
D. Compliance engagement.
Answer (A) is incorrect. An advisory engagement is a consulting service.
Answer (B) is incorrect. A facilitation engagement is a consulting service.
Answer (C) is incorrect. A training engagement is a consulting service.
Answer (D) is correct. According to The IIA Glossary, an assurance service is “an objective examination of evidence for the purpose of providing an independent assessment of governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.”

[40] Gleim #: 1.4.40
Which of the following potentially are subject to the internal auditors’ evaluations?
I. The human resources function.
II. The purchasing process.
III. The manufacturing and production database system.
A. I only.
B. II only.
C. I, II, and III.
D. None of the answers are correct.
Answer (A) is incorrect. Items II and III are subject to internal auditor evaluation.
Answer (B) is incorrect. Items I and III are subject to internal auditor evaluation.
Answer (C) is correct. Internal auditing evaluations, in the aggregate, provide information to appraise the overall management process. Thus, all business systems, processes, operations, functions, and activities within the organization are potentially subject to the internal auditors’ evaluations.
Answer (D) is incorrect. All of the listed items are subject to internal auditor evaluation.

[41] Gleim #: 1.5.41
Who has primary responsibility for providing information to the board on the professional and organizational benefits of coordinating internal audit activities with those of other providers of similar services?
A. The external auditor.
B. The chief audit executive.
C. The chief executive officer.
D. Each assurance and consulting function.
Answer (A) is incorrect. The CAE is responsible for ensuring that the internal audit activity’s work maximizes the benefits achievable from coordination with other assurance and consulting activities. Comments on this function should always form part of any activity reports by the CAE, not the external auditor, to the board.
Answer (B) is correct. The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). While oversight of the work of external auditors is the responsibility of the board, coordination of internal and external audit work is the responsibility of the CAE (PA 2050-1, para. 1).
Answer (C) is incorrect. The CEO normally is not responsible for planning, work, and coordination related to internal audit assurance and consulting engagements or coordination with other assurance and consulting activities.
Answer (D) is incorrect. Not all other assurance and consulting activities are organizationally responsible to the board for their work. Moreover, they may not have the opportunity to report information directly to the board.

[42] Gleim #: 1.5.42
Which of the following is a false statement about the relationship between internal auditors and external auditors?
A. Oversight of the work of external auditors is the responsibility of the chief audit executive.
B. Sufficient meetings are scheduled between internal and external auditors to ensure timely and efficient completion of the work.
C. Internal and external auditors may exchange engagement communications and management letters.
D. Internal auditors may provide engagement work programs and working papers to external auditors.
Answer (A) is correct. Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the CAE (PA 2050-1, para. 1).
Answer (B) is incorrect. Coordination between internal and external auditors involves, among other things, sufficient meetings to both ensure coordination of work and efficient and timely completion of activities and to determine whether observations and recommendations from work performed to date require that the scope of planned work be adjusted.
Answer (C) is incorrect. Coordination between internal and external auditors involves, among other things, access to internal audit communications and external auditors’ management letters.
Answer (D) is incorrect. Coordination between internal and external auditors involves, among other things, access to each other’s work programs and working papers.

[43] Gleim #: 1.5.43
To improve their efficiency, internal auditors may rely upon the work of external auditors if it is
A. Performed after the internal auditing work.
B. Primarily concerned with operational objectives and activities.
C. Coordinated with internal auditing work.
D. Conducted in accordance with the Code of Ethics.
Answer (A) is incorrect. Duplication of effort may result if the external audit is performed after the internal auditing engagement.
Answer (B) is incorrect. Internal auditing encompasses both financial and operational objectives and activities. Thus, internal auditing coverage could also be provided by external audit work that included primarily financial objectives and activities.
Answer (C) is correct. Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing (PA 2050-1, para. 2). Coordination of internal and external audit work is the responsibility of the CAE (PA 2050-1, para. 1).
Answer (D) is incorrect. External auditing work is conducted in accordance with auditing standards generally accepted in the host country.
Printed for Sanja Knezevic Page 23 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [44] Gleim #: 1.5.44 You are the chief audit executive of a parent organization that has foreign subsidiaries. Independent external audits performed for the parent are not conducted by the same firm that conducts the foreign subsidiary audits. Because the internal audit activity occasionally provides direct assistance to both external firms, you have copies of audit programs and selected working papers produced by each firm. The foreign subsidiary’s auditors would like to rely on some of the work performed by the parent organization’s audit firm, but they need to review the working papers first. They have asked you for copies of the working papers of the parent organization’s audit firm. What is the most appropriate response to the foreign subsidiary’s auditors? A. Provide copies of the working papers without notifying the parent’s audit firm. B. Notify the parent’s auditors of the situation and request that they either provide the working papers or authorize you to do so. C. Provide copies of the working papers and notify the parent’s audit firm that you have done so. D. Refuse to provide the working papers under any circumstances. fb .c om /c ia ao ffi ci al Answer (A) is incorrect. The working papers are the property of the parent’s external auditors, and their confidentiality should be respected. Answer (B) is correct. Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors, including access to the external auditors’ programs and working papers. Internal auditors are responsible for respecting the confidentiality of those programs and working papers (PA 2050-1, para. 2). Answer (C) is incorrect. 
The external auditors must give prior authorization for the release of their working papers. Answer (D) is incorrect. The CAE has the responsibility to ensure proper coordination with external auditors. [45] Gleim #: 1.5.45 You are the chief audit executive of a parent organization that has foreign subsidiaries. Independent external audits performed for the parent are not conducted by the same firm that conducts the foreign subsidiary audits. Because the internal audit activity occasionally provides direct assistance to both external firms, you have copies of audit programs and selected working papers produced by each firm. The foreign subsidiary’s external audit firm wants to rely on an audit of a function at the parent organization. The audit was conducted by the internal audit activity. To place reliance on the work performed, the foreign subsidiary’s auditors have requested copies of the working papers. What is the most appropriate response to the foreign subsidiary’s auditors? A. B. C. D. Provide copies of the working papers. Ask the parent’s audit firm if it is appropriate to release the working papers. Ask the board for permission to release the working papers. Refuse to provide the working papers under any circumstances. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 24 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) Answer (A) is correct. Planned audit activities of internal and external auditors need to be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized where possible (PA 2050-1, para. 5). Coordination involves access to each other’s work programs and working papers. Access to the internal auditors’ work programs and working papers is provided to external auditors for them to be satisfied as to the acceptability, for external audit purposes, of relying on the internal auditors’ work (PA 2050-1, para. 3). Answer (B) is incorrect. 
The working papers are the property of the organization. The responsibility of the CAE is to maintain the security of the working papers and to coordinate efforts with the external auditors. Thus, the decision belongs not to the parent’s external auditors but to the CAE.
Answer (C) is incorrect. Access to working papers by external auditors is subject to the approval of the CAE.
Answer (D) is incorrect. The CAE ensures proper coordination with external auditors by, among other things, granting the external auditors access to the internal auditors’ working papers.

[46] Gleim #: 1.5.46
Which of the following is not a true statement about the relationship between internal auditors and external auditors?
A. External auditors must assess the competence and objectivity of internal auditors.
B. There may be periodic meetings between internal and external auditors to discuss matters of mutual interest.
C. There may be an exchange of engagement communications and management letters.
D. Internal auditors may provide engagement work programs and working papers to external auditors.
Answer (A) is correct. The external auditor assesses the objectivity and competence of the internal auditors only if (s)he intends to rely on their work.
Answer (B) is incorrect. The relationship involves a sufficient number of meetings (PA 2050-1).
Answer (C) is incorrect. The relationship involves reasonable mutual access to engagement communications and management letters (PA 2050-1).
Answer (D) is incorrect. The relationship involves reasonable mutual access to engagement work programs and working papers (PA 2050-1).

[47] Gleim #: 1.5.47
If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should
A. Consider the work of the other department when assessing the function or process.
B. Ignore the work of the other department and proceed with an independent audit.
C. Reduce the scope of the audit since the work has already been performed by the other department.
D. Yield the responsibility for assessing the function or process to the other department.
Answer (A) is correct. The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts (Perf. Std. 2050). This standard applies not only to external auditors but also to other “providers,” such as regulatory bodies (e.g., governmental auditors) and certain of the organization’s other subunits (e.g., a health and safety department). Review and testing of the other department’s work may reduce necessary audit coverage of the function or process.
Answer (B) is incorrect. Concentrating on the function or process might lead to a duplication of efforts.
Answer (C) is incorrect. The internal auditor cannot rely on the work of others without verifying the results.
Answer (D) is incorrect. The internal audit activity’s overall responsibility for assessing the function or process is not affected by the other department’s coverage.

[48] Gleim #: 1.5.48
Assessments of the work of external auditors may be made by the chief audit executive
A. When the external auditor is appointed.
B. When the CAE oversees their work.
C. When their work is relied upon by the internal auditors.
D. As part of the evaluation of the coordination between the internal and external auditors.
Answer (A) is incorrect. The assessment is part of the regular evaluation of the coordination of audit work.
Answer (B) is incorrect. The board oversees external audit work.
Answer (C) is incorrect. The assessment arises from the evaluation of coordination, not reliance.
Answer (D) is correct.
The CAE is responsible for regular evaluations of the coordination between internal and external auditors. Such evaluations may also include assessments of the overall efficiency and effectiveness of internal and external audit activities, including aggregate audit cost. The CAE communicates the results of these evaluations to senior management and the board, including relevant comments about the performance of external auditors (PA 2050-1, para. 7).

[49] Gleim #: 1.5.49
An internal audit activity is often requested to coordinate its work with that of the external auditors. Which of the following activities is most likely to be restricted to the external auditor?
A. Evaluating the system of controls over cash collections and similar transactions.
B. Attesting to the fairness of presentation of cash position.
C. Evaluating the adequacy of the organization’s overall system of internal controls.
D. Reviewing the system established to ensure compliance with laws, regulations, and contracts.
Answer (A) is incorrect. Evaluating controls is part of the internal auditor’s scope of work.
Answer (B) is correct. Professional standards place sole responsibility for the attest function on the external auditors. Only the external auditors have the necessary independence to permit the provision of assurance to external parties. Unlike circumstances in which the external auditors use the work of other independent auditors, the responsibility cannot be shared with the internal auditors.
Answer (C) is incorrect. Senior management and the board normally expect that the internal audit activity will perform sufficient engagement work and gather other available information during the year to form an overall judgment about the adequacy and effectiveness of the control process.
The CAE should communicate that judgment to senior management and the board.
Answer (D) is incorrect. Evaluating compliance is part of the internal auditor’s scope of work.

[50] Gleim #: 1.5.50
Which of the following statements is true regarding coordination of internal and external auditing efforts?
A. The chief audit executive should not give information about illegal acts to an external auditor because external auditors may be required to report the matter to the board or regulatory agencies.
B. Ownership and the confidentiality of the external auditor’s working papers prohibit their review by internal auditors.
C. The chief audit executive should determine that appropriate follow-up and corrective action was taken by management when required regarding matters discussed in the external auditor’s management letter.
D. If internal auditors provide assistance to the external auditors in connection with the annual audit, such assistance is not subject to the Standards.
Answer (A) is incorrect. Internal auditors should give external auditors access to their engagement work programs, working papers, and communications. Thus, information about illegal acts should be communicated to the external auditor.
Answer (B) is incorrect. Internal auditors and external auditors may grant access to each other’s working papers.
Answer (C) is correct. Internal auditors need access to the external auditors’ presentation materials and management letters. Matters discussed in presentation materials and included in management letters need to be understood by the CAE and used as input to internal auditors in planning the areas to emphasize in future internal audit work. After review of management letters and initiation of any needed corrective action by appropriate members of senior management and the board, the CAE should ensure that appropriate follow-up and corrective actions have been taken (PA 2050-1, para. 6).
Answer (D) is incorrect.
All work done by internal auditors should be done in accordance with the Standards.

[51] Gleim #: 1.5.51
The chief audit executive plans to meet with the independent external auditor to discuss joint efforts regarding an upcoming external audit of the organization’s pension plan. The independent external auditor has performed all external audit work in this area in the past. The CAE’s objective is to
A. Determine whether work in this area could not be performed exclusively by the internal auditors.
B. Coordinate the external audit so as to fulfill professional responsibilities and not duplicate work of the independent external auditor.
C. Ascertain which account balances have been tested by the independent external auditor so that the internal auditors may test the internal controls to determine the reliability of these balances.
D. Determine whether the independent external auditor’s techniques, methods, and terminology should be used by internal auditors in this area to conform with past work or to use techniques consistent with those used by other internal auditors.
Answer (A) is incorrect. The independent external auditor is not permitted to delegate certain work to the internal auditors, for example, the verification of material account balances related to a pension plan.
Answer (B) is correct. Planned audit activities of internal and external auditors need to be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized where possible (PA 2050-1, para. 5).
Answer (C) is incorrect. Testing internal controls to determine the reliability of account balances is an example of duplicate work.
Answer (D) is incorrect.
Common understanding of techniques, methods, and terminology is involved in coordination of activities with other internal and external providers of relevant assurance and consulting services, and the use of common techniques, methods, and terminology may be efficient. However, the objective of coordination of efforts is to ensure adequate engagement coverage and to minimize duplication of efforts, not to determine whether one set of techniques should be used to the exclusion of another.

[52] Gleim #: 1.5.52
Exchange of engagement communications and management letters by internal and external auditors is
A. Consistent with the coordination responsibilities of the chief audit executive.
B. Not consistent with the independence guidelines of the Standards.
C. A violation of the Code of Ethics.
D. Not addressed by the Standards.
Answer (A) is correct. Exchange of engagement communications and management letters is properly a component of coordination between internal and external audit.
Answer (B) is incorrect. The standard independence guidelines are not relevant to this exchange between internal and external auditors.
Answer (C) is incorrect. The exchange does not violate the Code of Ethics.
Answer (D) is incorrect. The Standards address the coordination of internal and external auditing work.

[53] Gleim #: 1.5.53
Coordination of internal and external auditing can reduce the overall costs. Who is responsible for actual coordination of internal and external auditing efforts?
A. The chief audit executive.
B. The external auditor.
C. The board.
D. Management.
Answer (A) is correct. Coordination of internal and external audit work is the responsibility of the CAE. The CAE obtains the support of the board to coordinate audit work effectively (PA 2050-1, para. 1).
Answer (B) is incorrect.
The external auditor is an interested party but not one that has direct responsibility for coordinating internal and external auditing efforts.
Answer (C) is incorrect. The board has oversight responsibility, but the CAE is responsible for the actual coordination of internal and external auditing work.
Answer (D) is incorrect. Management is an interested party but not one that has direct responsibility for coordinating internal and external auditing efforts.

[54] Gleim #: 1.5.54
Which of the following are responsibilities of the chief audit executive (CAE)?
I. Coordinating activities with other providers of assurance and consulting services.
II. Understanding the work of external auditors.
III. Providing sufficient information to the external auditors to permit them to understand the internal auditors’ work.
A. I and II only.
B. II and III only.
C. I and III only.
D. I, II, and III.
Answer (A) is incorrect. Providing sufficient information to the external auditors to permit them to understand the internal auditors’ work is a responsibility of the CAE when external auditors rely on the internal audit activity’s work.
Answer (B) is incorrect. Coordinating activities with other providers of assurance and consulting services is a responsibility of the CAE.
Answer (C) is incorrect. Understanding the work of external auditors is necessary whenever external auditors provide assurance about matters within the scope of the internal audit activity.
Answer (D) is correct. Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors. Moreover, the external auditor may rely on the work of the internal audit activity in performing their work.
In this case, the CAE needs to provide sufficient information to enable external auditors to understand the internal auditor’s techniques, methods, and terminology to facilitate reliance by external auditors on work performed. Also, the CAE is responsible for regular evaluations of the coordination between internal and external auditors. Such evaluations may include assessments of the overall efficiency and effectiveness of internal and external audit activities, including aggregate audit cost. The CAE communicates the results of these evaluations to senior management and the board, including relevant comments about the performance of external auditors (PA 2050-1).

[55] Gleim #: 1.5.55
A chief audit executive should include in regular evaluations of internal and external audit activity an assessment of which of the following?
A. Only external audit cost.
B. Efficiency of only internal audit activity.
C. Aggregate audit cost.
D. Effectiveness of only external audit activity.
Answer (A) is incorrect. Evaluation of internal audit cost is also included.
Answer (B) is incorrect. The efficiency of external audit activity is also included.
Answer (C) is correct. The CAE is responsible for regular evaluations of the coordination between internal and external auditors. Such evaluations may also include assessments of the overall efficiency and effectiveness of internal and external audit activities, including aggregate audit cost (PA 2050-1, para. 7).
Answer (D) is incorrect. The effectiveness of internal audit activity is also included.

[56] Gleim #: 1.5.56
Coordinating internal and external audit activity can increase efficiency by using which of the following?
I. Similar techniques
II. Similar methods
III. Similar terminology
A. I only.
B. I and III only.
C. I and II only.
D. I, II, and III.
Answer (A) is incorrect. Similar methods and terminology also increase efficiency.
Answer (B) is incorrect. Similar methods also increase efficiency.
Answer (C) is incorrect. Similar terminology also increases efficiency.
Answer (D) is correct. It may be efficient for internal and external auditors to use similar techniques, methods, and terminology to coordinate their work effectively and to rely on the work of one another (PA 2050-1).

[57] Gleim #: 1.5.57
Which of the following is responsible for coordination of internal and external audit work?
A. The board.
B. The chief audit executive.
C. Internal auditors.
D. External auditors.
Answer (A) is incorrect. The board oversees but is not actually responsible for the coordination.
Answer (B) is correct. Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the chief audit executive (CAE). The CAE obtains the support of the board to coordinate audit work effectively.
Answer (C) is incorrect. Internal auditors carry out the coordinated directions from the CAE.
Answer (D) is incorrect. External auditors perform their work in coordination with information provided by the CAE.

[58] Gleim #: 1.6.58
The internal audit activity should contribute to the organization’s governance process by evaluating the processes through which
I. Ethics and values are promoted.
II. Effective organizational performance management and accountability are ensured.
III. Risk and control information is communicated.
IV. Activities of the external and internal auditors and management are coordinated.
A. I only.
B. IV only.
C. II and III only.
D. I, II, III, and IV.
Answer (A) is incorrect.
The internal audit activity also evaluates the processes through which effective organizational performance management and accountability are ensured, risk and control information is communicated, and activities of the external and internal auditors and management are coordinated.
Answer (B) is incorrect. The internal audit activity also evaluates the processes through which ethics and values are promoted, effective organizational performance management and accountability are ensured, and risk and control information is communicated.
Answer (C) is incorrect. The internal audit activity also evaluates the processes through which ethics and values are promoted and activities of the external and internal auditors and management are coordinated.
Answer (D) is correct. The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and accountability. Communicating risk and control information to appropriate areas of the organization. Coordinating the activities of and communicating information among the board, external and internal auditors, and management. (Perf. Std. 2110).

[59] Gleim #: 1.6.59
Which of the following statements regarding corporate governance is not correct?
A. Corporate control mechanisms include internal and external mechanisms.
B. The compensation scheme for management is part of the corporate control mechanisms.
C. The dilution of shareholders’ wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue.
D. The internal auditor of a company has more responsibility than the board for the company’s corporate governance.
Answer (A) is incorrect. Corporate control mechanisms include both internal (e.g., internal auditing) and external (e.g., external auditing) mechanisms.
Answer (B) is incorrect. Management’s compensation scheme is part of the control environment, specifically, the human resource element.
Answer (C) is incorrect. The dilution of shareholders’ wealth resulting from employee stock options or employee stock bonuses is an accounting issue. Governance is “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives” (The IIA Glossary).
Answer (D) is correct. Governance is the responsibility of the board. Internal audit’s responsibility is to assess governance processes and make appropriate recommendations for improvement.

[60] Gleim #: 1.6.60
A basic principle of governance is
A. Assessment of the governance process by an independent internal audit activity.
B. Holding the board, senior management, and the internal audit activity accountable for its effectiveness.
C. Exclusive use of external auditors to provide assurance about the governance process.
D. Separation of the governance process from promoting an ethical culture in the organization.
Answer (A) is correct. The internal audit activity must assess and make appropriate recommendations for improving the governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an assessor of the governance process. It is not accountable for that process.
Answer (C) is incorrect. External parties and internal auditors may provide assurance about the governance process.
Answer (D) is incorrect.
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its promotion of appropriate ethics and values within the organization.

[61] Gleim #: 1.6.61
The internal audit activity has a role in an organization’s governance process. The internal audit activity most directly contributes to this process by
A. Identifying significant exposures to risk.
B. Evaluating the effectiveness of the risk-management system.
C. Promoting continuous improvement of controls.
D. Evaluating the design of ethics-related activities.
Answer (A) is incorrect. Identifying significant exposures to risk most directly relates to risk management rather than to governance.
Answer (B) is incorrect. Evaluating the effectiveness of the risk-management system most directly relates to risk management rather than to governance.
Answer (C) is incorrect. Promoting continuous improvement of controls relates to controls rather than to governance.
Answer (D) is correct. Perf. Std. 2110 states, “The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the organization; Ensuring effective organizational performance management and accountability; Communicating risk and control information to appropriate areas of the organization; and Coordinating the activities of and communicating information among the board, external and internal auditors and management.” Thus, in an assurance engagement, “The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities” (Impl. Std. 2110.A1).

[62] Gleim #: 1.7.62
Which of the following is most essential for guiding the internal audit staff?
A. Quality program assessments.
B. Position descriptions.
C. Performance appraisals.
D. Policies and procedures.
Answer (A) is incorrect. Quality program assessments do not provide specific daily guidance to the staff with respect to performance standards.
Answer (B) is incorrect. Position descriptions do not provide specific daily guidance to the staff with respect to performance standards.
Answer (C) is incorrect. Performance appraisals do not provide specific daily guidance to the staff with respect to performance standards.
Answer (D) is correct. The chief audit executive must establish policies and procedures to guide the internal audit activity (Perf. Std. 2040).

[63] Gleim #: 1.7.63
In most cases, an internal audit activity should document policies and procedures to ensure the consistency and quality of its work. The exception to this principle is directly related to
A. Departmentation.
B. Division of labor.
C. Size of the internal audit activity.
D. Authority.
Answer (A) is incorrect. Departmentation can improve communications among team members, but sufficient direct supervision may be lacking if spans of control are large.
Answer (B) is incorrect. Division of labor produces highly specialized individuals, but formalized guidance is necessary for newer employees if the internal audit activity is large.
Answer (C) is correct. Formal administrative and technical audit manuals may not be needed by all internal audit activities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda.
In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan (PA 2040-1, para. 1).
Answer (D) is incorrect. Regardless of the degree of authority wielded by the chief audit executive, formal policies are needed in a large internal audit activity.

[64] Gleim #: 1.7.64
Policies and procedures must be established to guide the internal audit activity. Which of the following statements is false with respect to this requirement?
A. The form and content of written policies and procedures depend on the size of the internal audit activity.
B. All internal audit activities must have a detailed policies and procedures manual.
C. Formal administrative and technical manuals may not be needed by all internal audit activities.
D. A small internal audit activity may be managed informally through close supervision and memoranda.
Answer (A) is incorrect. The form and content of policies and procedures depend on the size of the internal audit activity.
Answer (B) is correct. Formal administrative and technical audit manuals may not be needed by all internal audit entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan (PA 2040-1, para. 1).
Answer (C) is incorrect. Formal administrative and technical manuals may not be needed by all internal audit activities.
Answer (D) is incorrect. A small internal audit activity may be managed informally through close supervision and memos.

[65] Gleim #: 1.7.65
Which of the items below most likely reflects differences between the policies of a relatively large and a relatively small internal audit activity? The policies for the large activity should
A. Define the scope of internal auditing.
B. Contain the authority to carry out engagements.
C. Be specific as to activities to be carried out.
D. Be in considerable detail.
Answer (A) is incorrect. The scope of internal auditing is covered in the charter.
Answer (B) is incorrect. The authority to carry out engagements is covered in the charter.
Answer (C) is incorrect. Whether the internal audit activity is large or small, it must have policies that specifically state its functions.
Answer (D) is correct. Formal administrative and technical audit manuals may not be needed by all internal audit activities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan (PA 2040-1, para. 1).

[66] Gleim #: 1.7.66
Policies and procedures relative to managing the internal audit activity
A. Ensure compliance with its performance standards.
B. Give consideration to its structure and the complexity of the work performed.
C. Result in the execution of the internal audit plan.
D. Prescribe the format and distribution of engagement communications and the classification of engagement observations.
Answer (A) is incorrect. Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed (Standard 2340). Compliance with performance standards is a quality issue, and ensuring quality requires more than establishing policies and procedures.
Answer (B) is correct. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Interpretation of Standard 2040).
Answer (C) is incorrect. Whether policies and procedures are required depends on the size and structure of the internal audit activity. Moreover, these measures alone do not result in the execution of the internal audit plan.
Answer (D) is incorrect. Prescribing the format and distribution of engagement communications and the classification of engagement observations is a discretionary measure that depends on the size and structure of the internal audit activity and the complexity of work performed.

[67] Gleim #: 1.7.67
The chief audit executive for a large decentralized organization has developed a manual containing comprehensive detailed written procedures as a guide for the decentralized engagement work groups, each of which has 20 to 30 internal auditors. The organization recently acquired a small organization that has an internal audit activity consisting of a supervisor and two staff personnel. Which of the following actions is the most practical in providing administrative guidance for this new internal audit activity?
A. Select key procedures from the manual and use informal supervisory direction for other engagement management issues.
B. Use informal supervisory direction for engagement management issues.
C. Use the already developed manual.
D. Adopt the administrative procedures being followed by the internal auditors of the acquired organization.
Answer (A) is correct. Orientation to acquaint the acquired organization’s staff with the established environment should be through exposure to selected key procedures from the formal manual.
The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, a small internal audit activity may be managed informally, for example, through daily close supervision and written memoranda (PA 2040-1, para. 1).
Answer (B) is incorrect. The use of informal supervisory direction alone for new staff is inadequate.
Answer (C) is incorrect. Complete reliance on the existing manual would require more formal management than is necessary for a small internal audit activity.
Answer (D) is incorrect. Management of the new internal auditing organization should not be inconsistent with the rest of the organization.

[68] Gleim #: 1.7.68
Written policies and procedures relative to managing the internal audit activity should
A. Ensure compliance with its performance standards.
B. Give consideration to its structure and the complexity of the work performed.
C. Result in consistent job performance.
D. Prescribe the format and distribution of engagement communications and the classification of observations.
Answer (A) is incorrect. No written policy or procedure can ensure compliance with standards.
Answer (B) is correct. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, formal administrative and technical manuals may not be needed by all internal audit activities. A small internal audit activity may be managed informally (PA 2040-1, para. 1).
Answer (C) is incorrect. Consistent performance depends on various factors, especially adequate training and supervision.
Answer (D) is incorrect. The format and distribution of engagement communications and the classification of observations may vary from engagement to engagement.

[69] Gleim #: 1.7.69
Which of the following, though not appropriate for use with a large internal audit activity, is an acceptable approach for managing a small internal audit activity?
A. Preparing comprehensive policies and procedures.
B. Writing detailed instructions and guidelines for each engagement area.
C. Using only daily, close supervision and written memoranda.
D. Developing technical manuals to guide performance.
Answer (A) is incorrect. Preparing comprehensive policies and procedures is more appropriate for managing a large internal audit activity.
Answer (B) is incorrect. Writing detailed instructions and guidelines for each engagement area is more appropriate for managing a large internal audit activity.
Answer (C) is correct. Formal administrative and technical audit manuals may not be needed by all internal audit entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan (PA 2040-1, para. 1).
Answer (D) is incorrect. Developing technical manuals to guide performance is more appropriate for managing a large internal audit activity.

[70] Gleim #: 1.7.70
Policies and procedures should be established to guide the internal audit activity. Which of the following statements is false with respect to this requirement?
A. The form and content of written policies and procedures should be appropriate to the size of the internal audit activity.
B. All internal auditing entities should have a detailed policies and procedures manual.
C. Formal administrative and technical manuals may not be needed by all internal auditing entities.
D. A small internal audit activity may be managed informally through close supervision and written memos.
Answer (A) is incorrect. The form and content of written policies and procedures should be appropriate to the size of the internal audit activity.
Answer (B) is correct. Formal administrative and technical audit manuals may not be needed by all internal audit entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan (PA 2040-1, para. 1).
Answer (C) is incorrect. Formal administrative and technical manuals may not be needed by all internal audit activities.
Answer (D) is incorrect. A small internal audit activity may be managed informally through close supervision and written memos.

[71] Gleim #: 1.8.71
The purpose of the internal audit activity’s evaluation of the effectiveness of existing risk management processes is to determine that
A. Management has planned and designed so as to provide reasonable assurance of achieving objectives.
B. Management directs processes so as to provide reasonable assurance of achieving objectives.
C. The organization’s objectives will be achieved efficiently and economically.
D. The organization’s objectives will be achieved in an accurate and timely manner and with minimal use of resources.
Answer (A) is incorrect. The adequacy of risk management processes concerns planning and design by management that provides reasonable assurance that objectives will be achieved efficiently and economically.
Answer (B) is correct.
Risk management, control, and governance processes are effective if management directs processes to provide reasonable assurance of achieving the organization’s objectives. In addition to accomplishing the objectives and planned activities, management directs by authorizing activities and transactions, monitoring resulting performance, and verifying that the organization’s processes are operating as designed.
Answer (C) is incorrect. The adequacy of risk management processes concerns planning and design by management that provides reasonable assurance that objectives will be achieved efficiently and economically.
Answer (D) is incorrect. The adequacy of risk management processes concerns planning and design by management that provides reasonable assurance that objectives will be achieved efficiently and economically.

[72] Gleim #: 1.8.72
Which of the following represents the best statement of responsibilities for risk management?
A. Management: Responsibility for risk. Internal Auditing: Oversight role. Board: Advisory role.
B. Management: Oversight role. Internal Auditing: Responsibility for risk. Board: Advisory role.
C. Management: Responsibility for risk. Internal Auditing: Advisory role. Board: Oversight role.
D. Management: Oversight role. Internal Auditing: Advisory role. Board: Responsibility for risk.
Answer (A) is incorrect. Internal auditors are generally involved in the assurance and advisory role. The board has an oversight role.
Answer (B) is incorrect. Management performs the implementation role in risk management, and the board has an oversight role. Internal auditors are generally involved in the assurance and advisory role.
Answer (C) is correct. Risk management is a key responsibility of senior management and the board. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning.
Boards have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of risk management processes (PA 2120-1, para. 1). Management and the board are responsible for their organization’s risk management and control processes. However, internal auditors acting in a consulting role can assist the organization in identifying, evaluating, and implementing risk management methodologies and controls to address those risks (PA 2120-1, para. 2).
Answer (D) is incorrect. Management is responsible for risk management, not the oversight role performed by the board.

[73] Gleim #: 1.8.73
When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditor’s knowledge of
A. Activities and cost drivers.
B. Information processing procedures.
C. Current product cost structures.
D. Risk management processes.
Answer (A) is incorrect. An engineer has more knowledge than an internal auditor about activities and cost drivers.
Answer (B) is incorrect. An information systems expert has more knowledge than an internal auditor about information needs and information processing procedures.
Answer (C) is incorrect. A management accountant has more knowledge than an internal auditor about a company’s current product cost.
Answer (D) is correct. The internal audit activity’s scope of work extends to evaluating the organization’s risk management processes.
The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

[74] Gleim #: 1.8.74
Internal auditors should review the means of physically safeguarding assets from losses arising from
A. Misapplication of accounting principles.
B. Procedures that are not cost justified.
C. Exposure to the elements.
D. Underusage of physical facilities.
Answer (A) is incorrect. Misapplication of accounting principles relates to the reliability of information and not physical safeguards.
Answer (B) is incorrect. Procedures that are not cost justified relate to efficiency, not effectiveness, of operations.
Answer (C) is correct. The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements.
Answer (D) is incorrect. Underusage of facilities relates to efficiency of operations.

[75] Gleim #: 1.8.75
Which of the following activities is outside the scope of internal auditing?
A. Evaluating risk exposures regarding compliance with policies, procedures, and contracts.
B. Safeguarding of assets.
C. Evaluating risk exposures regarding compliance with laws and regulations.
D. Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished.
Answer (A) is incorrect. Internal auditors must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the compliance with laws, regulations, policies, procedures, and contracts.
Answer (B) is correct.
Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit activity.
Answer (C) is incorrect. The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the (1) reliability and integrity of financial and operational information; (2) effectiveness and efficiency of operations and programs; (3) safeguarding of assets; and (4) compliance with laws, regulations, policies, procedures, and contracts.
Answer (D) is incorrect. Ascertaining the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished is within the scope of internal auditing.

[76] Gleim #: 1.8.76
In the risk management process, management’s view of the internal audit activity’s role is likely to be determined by all of the following factors except
A. Organizational culture.
B. Preferences of the independent auditor.
C. Ability of the internal audit staff.
D. Local conditions and customs of the country.
Answer (A) is incorrect. Organizational culture is a factor that influences management’s view of the role of internal auditing.
Answer (B) is correct. Ultimately, it is the role of senior management and the board to determine the role of internal auditing in the risk management process. Their view on internal auditing’s role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs (PA 2120-1, para. 5).
Answer (C) is incorrect. The ability of the internal audit staff is a factor that influences management’s view of the role of internal auditing.
Answer (D) is incorrect. Local conditions and customs of the country influence management’s view of the role of internal auditing.
[77] Gleim #: 1.8.77
Which of the following may be assessed by the internal auditor to determine the effectiveness of the risk management process?
I. Significant risks
II. Ongoing monitoring activities
III. Previous risk evaluation reports by management, internal auditors, external auditors, and any other sources
A. I and II only.
B. I and III only.
C. II and III only.
D. I, II, and III.
Answer (A) is correct. Significant risks and ongoing management activities are assessed by the internal audit activity as part of the risk management process (Inter. Std. 2120). But review of previous risk evaluation reports is a means of obtaining evidence for an assessment.
Answer (B) is incorrect. Review of previous risk evaluation reports by management, internal auditors, external auditors, and any other sources is an audit procedure, a means of obtaining evidence for an assessment. Moreover, internal auditors assess ongoing monitoring activities.
Answer (C) is incorrect. Review of previous risk evaluation reports by management, internal auditors, external auditors, and any other sources is an audit procedure, and internal auditors assess significant risks.
Answer (D) is incorrect. Review of previous risk evaluation reports by management, internal auditors, external auditors, and any other sources is an audit procedure.

[78] Gleim #: 1.8.78
The board’s expectations of the internal audit activity regarding the risk management process are
A. Noted in the work programs for formal consulting engagements.
B. Included in the business continuity plan.
C. Codified in the charters of the internal audit activity and the board.
D. Reviewed by the internal auditors immediately following a disaster.
Answer (A) is incorrect. A work program is a listing of specific procedures.
Answer (B) is incorrect.
Business continuity planning is just one element of risk management.
Answer (C) is correct. The chief audit executive (CAE) is to obtain an understanding of senior management’s and the board’s expectations of the internal audit activity in the organization’s risk management process. This understanding is then codified in the charters of the internal audit activity and the board (PA 2120-1, para. 4).
Answer (D) is incorrect. The internal audit activity’s role needs to be understood before a crisis.

[79] Gleim #: 1.8.79
Risk management is the responsibility of management. The role of the internal audit activity in the risk management process may include which of the following?
I. Monitoring activities.
II. Evaluating the risk management process as part of the engagement plan.
III. Participating on oversight committees, monitoring of activities, and status reporting.
IV. Managing and coordinating the process.
A. I only.
B. II only.
C. I, II, and III only.
D. I, II, III, and IV.
Answer (A) is incorrect. The internal audit activity’s role in the risk management process may extend on a continuum from no role to managing and coordinating the process.
Answer (B) is incorrect. The internal audit activity’s role in the risk management process also may extend to participating on oversight committees, monitoring of activities, and status reporting; and managing and coordinating the process.
Answer (C) is incorrect. The internal audit activity’s role in the risk management process also may extend to managing and coordinating the process.
Answer (D) is correct.
The internal audit activity’s role in the risk management process of an organization can change over time and may include responsibilities along a continuum that extends from (1) no role; (2) auditing the risk management process as part of the internal audit plan; (3) active, continuous support and involvement in the risk management process, such as participation on oversight committees, monitoring activities, and status reporting; and (4) managing and coordinating the process (PA 2120-1, para. 4).

[80] Gleim #: 1.8.80
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. With respect to evaluating the adequacy of risk management processes, internal auditors most likely should
A. Recognize that organizations should use similar techniques for managing risk.
B. Determine that the key objectives of risk management processes are being met.
C. Determine the level of risks acceptable to the organization.
D. Treat the evaluation of risk management processes in the same manner as the risk analysis used to plan engagements.
Answer (A) is incorrect. Risk management processes vary with the size and complexity of an organization’s business activities.
Answer (B) is correct. Internal auditors need to obtain sufficient and appropriate evidence to determine that key objectives of the risk management processes are being met to form an opinion on the adequacy of risk management processes (PA 2120-1, para. 8).
Answer (C) is incorrect. Management and the board determine the level of acceptable organizational risks.
Answer (D) is incorrect. Evaluating management’s risk processes differs from the internal auditors’ risk assessment used to plan an engagement, but information from a comprehensive risk management process is useful in such planning.
[81] Gleim #: 1.8.81
If an organization has no formal risk management processes, the chief audit executive should
A. Establish risk management processes based on industry norms.
B. Formulate hypothetical results of possible consequences resulting from risks not being managed.
C. Inform regulators that the organization is guilty of an infraction.
D. Formally discuss with the directors their obligations for risk management processes.
Answer (A) is incorrect. Internal auditors have no authority to establish risk management processes. They must seek direction from management and the board as to their role in the process.
Answer (B) is incorrect. Internal auditors are not required to perform a risk analysis of the possible consequences of not establishing a risk management process. However, such a request might be made by management.
Answer (C) is incorrect. In the absence of a specific legal requirement, internal auditors are not required to report to outside parties.
Answer (D) is correct. In situations where the organization does not have formal risk management processes, the chief audit executive formally discusses with management and the board their obligations to understand, manage, and monitor risks within the organization and the need to satisfy themselves that there are processes operating within the organization, even if informal, that provide the appropriate level of visibility into the key risks and how they are being managed and monitored (PA 2120-1, para. 3).

[82] Gleim #: 1.8.82
Quantitative risk management methods are most appropriate for
A. Assessing personnel risks.
B. Developing a risk matrix.
C. The use of derivatives by the organization.
D. Identifying risks from the COSO’s enterprise risk management framework.
Answer (A) is incorrect.
Matters addressed in the control environment, e.g., integrity and ethical values, human resources, and organizational structure, are subject to soft controls and soft risk management approaches.
Answer (B) is incorrect. A risk matrix links identified risks to, for example, controls or business processes.
Answer (C) is correct. The organization designs risk management processes based on its culture, management style, and business objectives. For example, the use of derivatives or other sophisticated capital market products by the organization could require the use of quantitative risk management tools. But the internal auditor determines that the methodology chosen is sufficiently comprehensive and appropriate for the nature of the organization (PA 2120-1, para. 7).
Answer (D) is incorrect. An ERM framework contains broad statements of classes of risks. They are not stated in the detail (quantitative or not) required by a specific organization.

[83] Gleim #: 1.8.83
Which of the following is not a responsibility of the chief audit executive?
A. To communicate the internal audit activity’s plans and resource requirements to senior management and the board for review and approval.
B. To coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication.
C. To oversee the establishment, administration, and assessment of the organization’s system of risk management processes.
D. To follow up on whether appropriate management actions have been taken on significant reported risks.
Answer (A) is incorrect. The CAE should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The CAE also should communicate the impact of resource limitations.
Answer (B) is incorrect.
The CAE should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
Answer (C) is correct. Overseeing the establishment, administration, and assessment of the organization’s system of risk management processes is the role of senior management, not the CAE (PA 2130-1, para. 2).
Answer (D) is incorrect. The CAE should establish and maintain a system to monitor the disposition of results communicated to management.

[84] Gleim #: 1.8.84
Which of the following threatens the independence of an internal auditor who had participated in the initial establishment of a risk management process?
A. Developing assessments and reports on the risk management process.
B. Managing the identified risks.
C. Evaluating the adequacy and effectiveness of management’s risk processes.
D. Recommending controls to address the risks identified.
Answer (A) is incorrect. Developing assessments and reports on the organization’s risk management processes is not only an internal audit role but normally also a high audit priority.
Answer (B) is correct. Assuming management’s responsibility for the risk management process is a potential threat to the internal audit activity’s independence. It requires a full discussion and board approval (PA 2120-1, para. 5).
Answer (C) is incorrect. Internal auditors assist both management and the board by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of risk management processes.
Answer (D) is incorrect. Internal auditors may recommend controls.

[85] Gleim #: 1.8.85
Which of the following best describes the internal audit activity’s purpose in evaluating the adequacy of risk management, control, and governance processes?
A. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives.
B. To ensure that material weaknesses in internal control are corrected.
C. To determine whether the organization’s risk management, control, and governance processes provide reasonable assurance that management’s objectives are achieved efficiently and economically.
D. To determine whether the organization’s risk management, control, and governance processes ensure that the accounting records are correct and that financial statements are fairly stated.
Answer (A) is incorrect. The nature, timing, and extent of certain tests must be determined before the adequacy of control processes can be evaluated.
Answer (B) is incorrect. Internal auditors have no authority to ensure correction of material weaknesses.
Answer (C) is correct. Risk management, control, and governance processes are adequate if management has planned and designed them to provide reasonable assurance of achieving the organization’s objectives efficiently and economically. Efficient performance accomplishes objectives in an accurate, timely, and economical fashion. Economical performance accomplishes objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.
Answer (D) is incorrect. The scope of internal auditing is much broader than concern for the fairness of financial statements.

[86] Gleim #: 1.9.86
The most important reason for the chief audit executive to ensure that the internal audit department has adequate and sufficient resources is to
A. Ensure that the function is adequately protected from outsourcing.
B. Demonstrate sufficient capability to meet the audit plan requirements.
C. Establish credibility with the audit committee and management.
D. Fulfill the need for effective succession planning.
Answer (A) is incorrect. The decision to outsource the internal audit function is not primarily based on existing resources.
Answer (B) is correct. The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030).
Answer (C) is incorrect. The amount of resources is not a significant factor in establishing credibility.
Answer (D) is incorrect. Succession planning is not related to the amount of audit resources.

[87] Gleim #: 1.9.87
Which of the following items would not be an appropriate staffing issue?
A. Selecting qualified and competent individuals.
B. Providing a competitive selection of employee benefits.
C. Providing continuing educational opportunities for each internal auditor.
D. Appraising each internal auditor’s performance at least annually.
Answer (A) is incorrect. Staffing addresses the selection of qualified and competent individuals.
Answer (B) is correct. A program for selecting and developing human resources should include provisions for developing written job descriptions for each level of the internal audit activity’s staff, selecting qualified and competent individuals, training and providing continuing educational opportunities for each internal auditor, appraising each internal auditor’s performance at least annually, and providing counsel to internal auditors on their performance and professional development. Thus, a program for selecting and developing human resources does not address employee compensation.
Answer (C) is incorrect. Staffing addresses the provision of continuing educational opportunities for internal auditors.
Answer (D) is incorrect. Staffing addresses the annual appraisal of each internal auditor’s performance.
[88] Gleim #: 1.9.88
Directors, management, external auditors, and internal auditors all play important roles in creating proper control processes. Senior management is primarily responsible for
A. Establishing and maintaining an organizational culture.
B. Reviewing the reliability and integrity of financial and operational information.
C. Ensuring that external and internal auditors oversee the administration of the system of risk management and control processes.
D. Implementing and monitoring controls designed by the board of directors.
Answer (A) is correct. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that goals and objectives will be achieved. Management periodically reviews its objectives and goals and modifies its processes to accommodate changes in internal and external conditions. Management also establishes and maintains an organizational culture, including an ethical climate that fosters control.
Answer (B) is incorrect. Internal auditors are responsible for evaluating the adequacy and effectiveness of controls, including those relating to the reliability and integrity of financial and operational information.
Answer (C) is incorrect. Senior management’s role is to oversee the establishment, administration, and assessment of the system of risk management and control processes.
Answer (D) is incorrect. The board has oversight responsibilities but ordinarily does not become involved in the details of operations.

[89] Gleim #: 1.9.89
A basic principle of governance is
A. Assessment of the governance process by an independent internal audit activity.
B. Holding the board, senior management, and the internal audit activity accountable for its effectiveness.
C. Exclusive use of external auditors to provide assurance about the governance process.
D. Separation of the governance process from promoting an ethical culture in the organization.
Answer (A) is correct. The internal audit activity must assess and make appropriate recommendations for improving the governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an assessor of the governance process. It is not accountable for that process.
Answer (C) is incorrect. External parties and internal auditors may provide assurance about the governance process.
Answer (D) is incorrect. The internal audit activity must assess and make appropriate recommendations for improving the governance process in its promotion of appropriate ethics and values within the organization.

[90] Gleim #: 1.9.90
Which of the following is most likely an internal audit role in a less structured governance process?
A. Designing specific governance processes.
B. Playing a consulting role in optimizing governance practices and structure.
C. Providing advice about basic risks to the organization.
D. Evaluating the effectiveness of specific governance processes.
Answer (A) is incorrect. Internal auditors impair their objectivity by designing processes. However, evaluating the design and effectiveness of specific processes is a typical internal audit role.
Answer (B) is incorrect. Playing a consulting role in optimizing governance practices and structure is typical of a more structured internal auditing governance maturity model. The emphasis shifts to considering best practices and adapting them to the specific organization.
Answer (C) is correct. A less mature governance system will emphasize the requirements for compliance with policies, procedures, plans, laws, regulations, and contracts. It will also address the basic risks to the organization.
Thus, the internal audit activity will provide advice about such matters. As the governance process becomes more structured, the internal audit activity’s emphasis will shift to optimizing the governance structure and practices.
Answer (D) is incorrect. Evaluating the effectiveness of specific governance processes is typical of a more structured internal auditing governance maturity model.

[91] Gleim #: 1.9.91
Ensuring effective organizational performance management and accountability is most directly the proper function of
A. Control.
B. Governance.
C. Risk management.
D. A quality assurance program.
Answer (A) is incorrect. Governance (not control) is directly responsible for ensuring effective organizational performance management and accountability.
Answer (B) is correct. The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and accountability. Communicating risk and control information to appropriate areas of the organization. Coordinating the activities of and communicating information among the board, external and internal auditors and management. (Perf. Std. 2110)
Answer (C) is incorrect. Governance (not risk management) is directly responsible for ensuring effective organizational performance management and accountability.
Answer (D) is incorrect. A quality assurance program normally is implemented for an organizational unit, e.g., the internal audit activity.

[92] Gleim #: 1.9.92
Which of the following is not a role of the internal audit activity in best practice governance activities?
A. Support the board in enterprise-wide risk assessment.
B. Ensure the timely implementation of audit recommendations.
C. Monitor compliance with the corporate code of conduct.
D. Discuss areas of significant risks.
Answer (A) is incorrect. One internal audit activity role is to support the board in enterprise-wide risk assessment. The board and management are responsible for the identification of an appropriate risk model and methodology.
Answer (B) is correct. Management has the responsibility of ensuring the timely implementation of the audit recommendations. The internal audit activity is responsible for the development of a timely procedure to monitor the disposition of the audit recommendations. It works with senior management and the board to ensure that audit recommendations receive appropriate attention.
Answer (C) is incorrect. The internal audit activity should monitor compliance with the corporate code of conduct set by the board and management.
Answer (D) is incorrect. The internal audit activity is responsible for discussing significant financial, technical, and operational risks and exposures as well as the plans to minimize such risks.

[93] Gleim #: 1.9.93
When assessing the risk associated with an activity, an internal auditor should
A. Determine how the risk should best be managed.
B. Provide assurance on the management of the risk.
C. Update the risk management process based on risk exposures.
D. Design controls to mitigate the identified risks.
Answer (A) is incorrect. Risk management is a key responsibility of senior management and the board (PA 2120-1, para. 1), not the internal auditor.
Answer (B) is correct. The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach (Perf. Std. 2100). Assurance services involve the internal auditor’s objective assessment of management’s risk management activities and the degree to which they are effective.
Answer (C) is incorrect.
Designing and updating the risk management process is a role of management.
Answer (D) is incorrect. The design and implementation of controls is the responsibility of management, not internal audit.

[94] Gleim #: 1.9.94
The primary reason that a bank would maintain a separate compliance function is to
A. Better manage perceived high risks.
B. Strengthen controls over the bank’s investments.
C. Ensure the independence of line and senior management.
D. Better respond to shareholder expectations.
Answer (A) is correct. The risk management process identifies, assesses, manages, and controls potential risk exposures. Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical to warrant continuous oversight and monitoring.
Answer (B) is incorrect. A separate compliance function may help strengthen controls, but this is not its primary purpose.
Answer (C) is incorrect. Risk management is the direct responsibility of management.
Answer (D) is incorrect. A separate compliance function will help respond to shareholder needs, but this is not its primary purpose.

[95] Gleim #: 1.9.95
Which of the following goals sets risk management strategies at the optimum level?
A. Minimize costs.
B. Maximize market share.
C. Minimize losses.
D. Maximize shareholder value.
Answer (A) is incorrect. Minimizing costs is not a comprehensive approach.
Answer (B) is incorrect. Maximizing market share is not a comprehensive approach.
Answer (C) is incorrect. Minimizing losses is not a comprehensive approach.
Answer (D) is correct. The risk management processes chosen depend on the organization’s culture, management style, and business objectives. These choices should optimize stakeholder (for example, shareholder) value by coping effectively with uncertainty, risks, and opportunities.
Thus, maximizing shareholder value is a comprehensive approach that relates to risk management strategies across the organization.

[96] Gleim #: 1.9.96
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement?
A. Determine if policies exist which describe the risks the treasurer may take and the types of instruments in which the treasurer may make investments.
B. Determine the extent of management oversight over investments in sophisticated instruments.
C. Determine whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations.
D. Determine the nature of controls established by the treasurer to monitor the risks in the investments.
Answer (A) is incorrect. The first step of such an engagement should be to determine the nature of policies established to manage the risks associated with the investments. New financial instruments are very risky.
Answer (B) is incorrect. Oversight by a management committee is an important control. Thus, the auditor should determine the nature of the risk management process established to monitor and authorize such investments. The specific process used by an organization must fit that organization’s culture, management style, and business objectives. For example, the organization’s use of derivatives or other sophisticated products available in capital markets requires the use of quantitative risk management tools.
Answer (C) is correct. For this particular engagement, the auditor does not need to develop a comparison of investment returns with those of other organizations.
In fact, some financial investment scandals show that such comparisons can be highly misleading because high returns were due to taking on a high level of risk. Also, this determination does not test the adequacy of the controls.
Answer (D) is incorrect. A fundamental control concept over cash-like assets is the treasurer’s establishment of a mechanism to monitor the risks.

[97] Gleim #: 1.10.97
A quality assurance and improvement program of an internal audit activity provides reasonable assurance that internal auditing work is performed in accordance with its charter. Which of the following are designed to provide feedback on the effectiveness of an internal audit activity?
I. Proper supervision
II. Proper training
III. Internal reviews
IV. External reviews
A. I, II, and III only.
B. II, III, and IV only.
C. I, III, and IV only.
D. I, II, III, and IV.
Answer (A) is incorrect. Proper training is a feedforward, not a feedback, control.
Answer (B) is incorrect. Proper training is a feedforward, not a feedback, control.
Answer (C) is correct. A quality assurance and improvement program is designed to provide reasonable assurance to the various stakeholders of the internal audit activity that it (1) performs in accordance with its charter, (2) operates effectively and efficiently, and (3) is perceived by the stakeholders as adding value and improving operations. These processes include appropriate supervision, periodic internal assessments and ongoing monitoring of quality assurance, and periodic external assessments (PA 1300-1, para. 2).
Answer (D) is incorrect. Proper training is a feedforward, not a feedback, control.

[98] Gleim #: 1.10.98
An individual became head of the internal audit activity of an organization 1 week ago.
An engagement client has come to the person complaining vigorously that one of the internal auditors is taking up an excessive amount of client time on an engagement that seems to be lacking a clear purpose. In handling this conflict with a client, the person should consider
A. Discounting what is said, but documenting the complaint.
B. Whether existing procedures within the internal audit activity provide for proper planning and quality assurance.
C. Presenting an immediate defense of the internal auditor based upon currently known facts.
D. Promising the client that the internal auditor will finish the work within 1 week.
Answer (A) is incorrect. The new head of internal audit cannot afford to ignore a potentially valid complaint.
Answer (B) is correct. The new head of internal audit should examine departmental procedures and the conduct of the specific engagement mentioned to ascertain that proper planning and quality assurance procedures are in place and are being followed. Taking a neutral position with the complaining client and promptly following up is appropriate.
Answer (C) is incorrect. Taking a defensive position with the client stifles communication, hampers future engagement involvements, and ignores basic responsibilities for managing the internal audit activity.
Answer (D) is incorrect. Making a promise to end the work within a specified time without knowledge of the work schedule jeopardizes the integrity of the audit process and respect for the internal audit activity. The new head of internal audit has an obligation to assure that adequate time is allowed for achieving engagement objectives.

[99] Gleim #: 1.10.99
The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. All of the following are included in a quality program except
A. Annual appraisals of individual internal auditors’ performance.
B. Periodic internal assessment.
C. Supervision.
D. Periodic external assessments.
Answer (A) is correct. Appraising each internal auditor’s work at least annually is properly a function of the human resources program of the internal audit activity.
Answer (B) is incorrect. Internal assessment is an element of a quality program.
Answer (C) is incorrect. Supervision is an element of a quality program. Ongoing reviews are internal assessments that include engagement supervision.
Answer (D) is incorrect. External assessment is an element of a quality program.

[100] Gleim #: 1.10.100
The internal audit activity’s quality assurance and improvement program is the responsibility of
A. External auditors.
B. The chief audit executive.
C. The board.
D. The audit committee.
Answer (A) is incorrect. External auditors may perform an external assessment, but the CAE is responsible for it.
Answer (B) is correct. The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity (Attr. Std. 1300).
Answer (C) is incorrect. The CAE may report results to the board, but the program is the CAE’s responsibility.
Answer (D) is incorrect. The CAE may report results to the audit committee, but the program is the CAE’s responsibility.

[101] Gleim #: 1.10.101
Which of the following is part of an internal audit activity’s quality assurance program rather than being included as part of other responsibilities of the chief audit executive (CAE)?
A. The CAE provides information about and access to internal audit working papers to the external auditors to enable them to understand and determine the degree to which they may rely on the internal auditors’ work.
B. Management approves a formal charter establishing the purpose, authority, and responsibility of the internal audit activity.
C. Each individual internal auditor’s performance is appraised at least annually.
D. Supervision of an internal auditor’s work is performed throughout each audit engagement.
Answer (A) is incorrect. Providing working papers to the external auditors relates to the responsibility of the CAE to coordinate with external auditors.
Answer (B) is incorrect. A CAE’s responsibility to seek approval of a charter to establish the authority, purpose, and responsibility of the internal audit activity is not part of a quality assurance program.
Answer (C) is incorrect. Individual performance appraisals are part of a CAE’s responsibility for personnel management and development.
Answer (D) is correct. The CAE develops and maintains a quality assurance and improvement program (Attr. Std. 1300) that includes ongoing and periodic assessments (PA 1300-1, para. 2). Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity. Among the processes and tools used in ongoing internal assessments is engagement supervision (PA 1311-1, para. 1).

[102] Gleim #: 1.10.102
Ordinarily, those conducting internal quality program assessments report to
A. The board.
B. The chief audit executive.
C. Senior management.
D. The internal audit staff.
Answer (A) is incorrect. At least annually, the CAE reports the results of internal assessments to the board.
Answer (B) is correct. The CAE establishes a structure for reporting results of internal assessments that maintains appropriate credibility and objectivity.
Generally, those assigned responsibility for conducting ongoing and periodic reviews report to the CAE while performing the reviews and communicate results directly to the CAE (PA 1311-1, para. 7).
Answer (C) is incorrect. The CAE shares information about internal assessments with appropriate persons outside the internal audit activity, such as senior management.
Answer (D) is incorrect. Results ordinarily are communicated directly to the CAE. Given a self-assessment, reporting to the internal audit staff essentially involves having the staff report to itself.

[103] Gleim #: 1.10.103
As a part of a quality program, internal assessment teams most likely will examine which of the following to evaluate the quality of engagement planning and documentation for individual engagements?
A. Written engagement work programs.
B. Project assignment documentation.
C. Weekly status reports.
D. The long-range engagement work schedule.
Answer (A) is correct. Internal assessments must include ongoing monitoring of the performance of the internal audit activity and periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal auditing practices (Attr. Std. 1311). The processes and tools used in ongoing internal assessments include, among other things, selective peer reviews of working papers by staff not involved in the respective audits (PA 1311-1, para. 1).
Answer (B) is incorrect. Project assignment documentation contains less relevant information for assessment purposes than work programs.
Answer (C) is incorrect. Status reports do not bear directly on planning.
Answer (D) is incorrect. The long-range engagement work schedule does not relate to planning and documentation for individual engagements.

[104] Gleim #: 1.10.104
Periodic internal assessments of the internal audit activity primarily serve the needs of
A. The board of directors.
B. The internal audit activity’s staff.
C. The chief audit executive (CAE).
D. Senior management.
Answer (A) is incorrect. The directors are secondary users of a periodic internal assessment.
Answer (B) is incorrect. The internal audit activity staff are secondary users of a periodic internal assessment.
Answer (C) is correct. Those conducting internal assessments generally should report to the CAE while performing the reviews and communicate directly to the CAE (PA 1311-1, para. 7).
Answer (D) is incorrect. Senior management is a secondary user of a periodic internal assessment.

[105] Gleim #: 1.10.105
Quality program assessments may be performed internally or externally. A distinguishing feature of an external assessment is its objective to
A. Identify tasks that can be performed better.
B. Determine whether internal audit services meet professional standards.
C. Set forth the recommendations for improvement.
D. Provide independent assurance.
Answer (A) is incorrect. An internal assessment will identify tasks that can be performed better.
Answer (B) is incorrect. An internal assessment will determine whether internal audit services meet professional standards.
Answer (C) is incorrect. An internal assessment will set forth recommendations for improvement.
Answer (D) is correct. External assessments must be conducted at least once every 5 years by a qualified, independent reviewer or review team from outside the organization (Attr. Std. 1312). Individuals who perform the external assessment are free of any obligation to, or interest in, the organization whose internal audit activity is assessed (PA 1312-1, para. 5).

[106] Gleim #: 1.10.106
External assessment of an internal audit activity is not likely to evaluate
A. Adherence to the internal audit activity’s charter.
B. Conformance with the Standards.
C. Detailed cost-benefit analysis of the internal audit activity.
D. The tools and techniques employed by the internal audit activity.
Answer (A) is incorrect. Adherence to the internal audit activity’s charter is within the broad scope of coverage of the external assessment.
Answer (B) is incorrect. Conformance with the Standards is within the broad scope of coverage of the external assessment.
Answer (C) is correct. The external assessment has a broad scope of coverage that includes (1) conformance with The IIA’s mandatory guidance and the internal audit activity’s charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements; (2) the expectations of the internal audit activity expressed by the board, senior management, and operational managers; (3) the integration of the internal audit activity into the governance process; (4) the tools and techniques employed by the internal audit activity; (5) the mix of knowledge, experience, and disciplines within the staff, including staff focus on process improvement; and (6) the determination whether the internal audit activity adds value and improves operations (PA 1312-1, para. 10). However, the costs and benefits of internal auditing are neither easily quantifiable nor the subject of an external assessment.
Answer (D) is incorrect. The tools and techniques of the internal audit activity are within the broad scope of coverage of the external assessment.

[107] Gleim #: 1.10.107
An external assessment of an internal audit activity contains an expressed opinion. The opinion applies
A. Only to the internal audit activity’s conformance with the Standards.
B. Only to the effectiveness of the internal auditing coverage.
C. Only to the adequacy of internal control.
D. To the entire spectrum of assurance and consulting work.
Answer (A) is incorrect.
An opinion is expressed on all assurance and consulting work performed (or that should have been performed under its charter).
Answer (B) is incorrect. The scope of an external assessment extends to more than the effectiveness of the internal auditing coverage.
Answer (C) is incorrect. An external assessment addresses the internal audit activity, not the adequacy of the organization’s controls.
Answer (D) is correct. External assessments of an internal audit activity contain an expressed opinion as to the entire spectrum of assurance and consulting work performed (or that should have been performed under its charter), including (but not limited to) conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. An external assessment also includes, as appropriate, recommendations for improvement (PA 1312-1, para. 2). On completion of the review, a formal communication should be given to senior management and the board (PA 1312-1, para. 3).

[108] Gleim #: 1.10.108
The interpretation related to quality assurance given by the Standards is that
A. External assessments can provide senior management and the board with independent assurance about the quality of the internal audit activity.
B. Appropriate follow-up to an external assessment is the responsibility of the chief audit executive’s immediate supervisor.
C. The internal audit activity is primarily measured against The IIA’s Code of Ethics.
D. Supervision is limited to the planning, examination, evaluation, communication, and follow-up process.
Answer (A) is correct. External assessments provide an independent and objective evaluation of the internal audit activity’s compliance with the Standards and Code of Ethics.
Answer (B) is incorrect. The communication of final results of an external assessment should include the CAE’s responses.
These include an action plan and implementation dates. Moreover, the results are communicated to the stakeholders of the internal audit activity, such as senior management, the board, and the external auditors.
Answer (C) is incorrect. The external assessment considers the internal audit activity’s conformance with the Definition of Internal Auditing, the Standards, and the Code of Ethics.
Answer (D) is incorrect. Supervision begins with planning and continues throughout the engagement (PA 2340-1).

[109] Gleim #: 1.10.109
At what minimal required frequency does the chief audit executive report the results of internal assessments in the form of ongoing monitoring to senior management and the board?
A. Monthly.
B. Quarterly.
C. Annually.
D. Biennially.
Answer (A) is incorrect. The CAE may report on a monthly basis, but the minimal requirement for reporting is annually.
Answer (B) is incorrect. The CAE may report on a quarterly basis, but the minimal requirement for reporting is annually.
Answer (C) is correct. The CAE must communicate the results of the quality assurance and improvement program to senior management and the board (Attr. Std. 1320). To demonstrate conformance with the mandatory IIA guidance, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually (Inter. Std. 1320).
Answer (D) is incorrect. The CAE is required to report more frequently than every 2 years.

[110] Gleim #: 1.10.110
When is initial use of the conformance phrase by internal auditors appropriate?
A. After an internal review completed within the past 5 years.
B. After an external review completed within the past 10 years.
C. After an internal review completed within the past 10 years.
D. After an external review completed within the past 5 years.
Answer (A) is incorrect. An internal audit activity must have an external assessment every 5 years.
Answer (B) is incorrect. Initial use of the conformance phrase requires the completion of an external assessment within the past 5 years.
Answer (C) is incorrect. Initial use of the conformance phrase requires the completion of an external assessment within the past 5 years.
Answer (D) is correct. The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement (Attr. Std. 1321). The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least 5 years will also have the results of external assessments (Inter. Std. 1321). Thus, to use the phrase, the chief audit executive of an internal audit activity in existence for at least 5 years must have the results of an external assessment within that period.

[111] Gleim #: 1.10.111
Following an external assessment of the internal audit activity, who is (are) responsible for communicating the results to the board?
A. Internal auditors.
B. Audit committee.
C. Chief audit executive.
D. External auditors.
Answer (A) is incorrect. The chief audit executive (not internal auditors) is responsible for communicating the results of external assessments to the board.
Answer (B) is incorrect. The chief audit executive (not the audit committee) is responsible for communicating the results of external assessments to the board.
Answer (C) is correct. The chief audit executive must communicate the results of the QAIP to senior management and the board (Attr. Std. 1320).
Answer (D) is incorrect. The chief audit executive (not external auditors) is responsible for communicating the results of external assessments to the board.

[112] Gleim #: 1.10.112
To demonstrate conformance of the internal audit activity with the mandatory guidance of The IIA,
A. The chief audit executive determines the form and content of the results communicated.
B. The results of external assessments are communicated upon their completion.
C. The results of periodic internal assessments are communicated at least annually.
D. The results of ongoing monitoring are communicated upon their completion.
Answer (A) is incorrect. The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter.
Answer (B) is correct. “To demonstrate conformance with the Definition of Internal Auditing and the Standards, and application of the Code of Ethics, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance” (Inter. Std. 1320).
Answer (C) is incorrect. The results of periodic internal assessments are communicated upon their completion.
Answer (D) is incorrect. The results of ongoing monitoring are communicated at least annually.

[113] Gleim #: 1.10.113
Assessment of a quality assurance and improvement program should include evaluation of all of the following except
A. Adequacy of the oversight of the work of external auditors.
B. Conformance with the Standards and Code of Ethics.
C. Adequacy of the internal audit activity’s charter.
D. Contribution to the organization’s governance processes.
Answer (A) is correct. Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board (PA 2050-1, para. 1). It is not within the scope of the process for monitoring and assessing the quality program.
Answer (B) is incorrect. Conformance with the Definition of Internal Auditing, Standards, and Code of Ethics, including timely corrective actions to remedy any significant instances of nonconformance, is an element of the assessment of a quality program.
Answer (C) is incorrect. Adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures is an element of the assessment of a quality program.
Answer (D) is incorrect. Contribution to the organization’s governance, risk management, and control processes is an element of the assessment of a quality program.

[114] Gleim #: 1.10.114
Internal auditors may report that their activities conform with the Standards. They may use this statement only if
A. It is supported by the results of the quality program.
B. An independent external assessment of the internal audit activity is conducted annually.
C. Senior management or the board is accountable for implementing a quality program.
D. External assessments of the internal audit activity are made by external auditors.
Answer (A) is correct.
The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement (Attr. Std. 1321).
Answer (B) is incorrect. An independent external assessment of the internal audit activity must be conducted at least once every 5 years.
Answer (C) is incorrect. The CAE must develop and maintain a QAIP that covers all aspects of the internal audit activity.
Answer (D) is incorrect. Assessments also may be made by others who are (1) independent, (2) qualified, and (3) from outside the organization.

[115] Gleim #: 2.1.1
The term “risk” is best defined as the possibility that
A. An internal auditor will fail to detect a material misstatement that causes financial statements or internal reports to be misstated or misleading.
B. An event could occur affecting the achievement of objectives.
C. Management will, either knowingly or unknowingly, make decisions that increase the potential liability of the organization.
D. Financial statements or internal records will contain material misstatements.
Answer (A) is incorrect. Detection risk is a component of audit risk.
Answer (B) is correct. According to The IIA Glossary, risk is “the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”
Answer (C) is incorrect. The risk of increasing the organization’s liability could be termed management decision-making risk.
Answer (D) is incorrect. Risk is not limited to misstated financial statements.

[116] Gleim #: 2.1.2
The chief audit executive is preparing the audit work schedule for the next budget year and has limited resources.
In deciding whether to schedule the purchasing or the personnel department for an engagement, which of the following is the least important factor?
A. Major changes in operations have occurred in one of the departments.
B. The internal audit staff has recently added an individual with expertise in one of the areas.
C. More opportunities to achieve operating benefits are available in one of the departments than in the other.
D. Updated assessed risk is significantly greater in one department than the other.
Answer (A) is incorrect. A major change in operations is a reason for scheduling an engagement.
Answer (B) is correct. The CAE’s responsibility is to assign competent internal auditors to the appropriate engagements, not to adjust the workplan to the abilities of the staff.
Answer (C) is incorrect. Potential operating benefits are a reason for scheduling an engagement.
Answer (D) is incorrect. Updated assessed risk is a reason for scheduling an engagement.

[117] Gleim #: 2.1.3
Which of the following factors is least likely to be considered in determining the audit work schedule?
A. Engagement work programs.
B. The effectiveness of risk management and control processes.
C. Workload requirements.
D. Issues relating to organizational governance.
Answer (A) is correct. Development of work programs occurs during the planning phase of an individual engagement.
Answer (B) is incorrect. Determining an engagement work schedule includes considering the effectiveness of risk management and control processes.
Answer (C) is incorrect. Determining an engagement work schedule includes considering workload requirements.
Answer (D) is incorrect. Determining an engagement work schedule includes considering issues relating to organizational governance.

[118] Gleim #: 2.1.4
During discussions with senior management, the chief audit executive identified several strategic business issues to consider in preparing the annual audit work schedule. Which of the following does not represent a strategic issue for this purpose?
A. A monthly budgeting process will be implemented.
B. An international marketing campaign will be started to develop product recognition and also to leverage the new organization-based advertising department.
C. Joint-venture candidates will be sought to provide manufacturing and sourcing capabilities in European and Asian markets.
D. A human resources database will be established to ensure consistent administration of policies and to improve data retention.
Answer (A) is correct. Implementing a monthly budgeting process is an operating decision, not a strategic decision. (It does, however, involve a major change in operations.)
Answer (B) is incorrect. An international marketing campaign is a strategic issue. The CAE will need to ensure that the new marketing process and the centralized advertising department are recognized and monitored in risk assessment and planning activities.
Answer (C) is incorrect. Extending operations to European and Asian markets is a strategic issue. The addition of joint-venture partners will add new or additional concerns for risk assessment and planning in the internal audit activity.
Answer (D) is incorrect. Establishing a human resources database is a strategic issue. The assumptions and ongoing activities related to a human resources database will require consideration in the planning of the internal audit activity.

[119] Gleim #: 2.1.5
The chief audit executive for an organization has just completed a risk assessment process, identified the areas with the highest risks, and assigned an engagement priority to each.
Which of the following conclusions most logically follow(s) from such a risk assessment?
I. Items should be quantified as to risk in the rank order of quantifiable monetary exposure to the organization.
II. The risk priorities should be in order of major control deficiencies.
III. The risk assessment process, though quantified, is the result of professional judgments about both exposures and probability of occurrences.
A. I only.
B. III only.
C. II and III only.
D. I, II, and III.
Answer (A) is incorrect. Quantifiable monetary exposure is not the sole criterion for ranking risk exposures.
Answer (B) is correct. Any assessment of risk priority and exposure necessarily implies the exercise of professional judgment. Thus, although risk factors may be weighted to determine their relative significance, a ranking based solely on such specific criteria as monetary exposure or control deficiencies is not always indicated.
Answer (C) is incorrect. Major control deficiencies are not the sole criteria for ranking risk exposures.
Answer (D) is incorrect. Ranking risk exposures strictly by quantifiable monetary exposure or by major control deficiencies downplays the importance of professional judgment.

[120] Gleim #: 2.1.6
A chief audit executive may use risk analysis in preparing work schedules. Which of the following is not considered in performing a risk analysis?
A. Issues relating to organizational governance.
B. Skills available on the internal audit staff.
C. Results of prior engagements.
D. Major operating changes.
Answer (A) is incorrect. Issues relating to organizational governance are factors that should be considered.
Answer (B) is correct. The skills of the internal audit staff do not affect the risk associated with potential engagement clients.
Answer (C) is incorrect. Results of prior engagements should be considered.
Answer (D) is incorrect. Major operating changes should be considered.

[121] Gleim #: 2.1.7
Which of the following comments is(are) true regarding the assessment of risk associated with two projects that are competing for limited internal audit resources?
I. Activities that are requested by the board always should be considered higher risk than those requested by management.
II. Activities with higher financial budgets always should be considered higher risk than those with lower financial budgets.
III. Risk always should be measured by the potential monetary or other adverse exposure to the organization.
A. I only.
B. II only.
C. III only.
D. I and III.
Answer (A) is incorrect. Activities requested by the board do not necessarily have greater risk.
Answer (B) is incorrect. Activities with higher financial budgets do not necessarily have greater risk.
Answer (C) is correct. When ranking potential engagements that are competing for limited internal audit resources, a decision criterion based on the degree of adverse exposure to the organization is preferable.
Answer (D) is incorrect. A ranking based on the source of a request for performance of an engagement is unlikely to reflect a comprehensive assessment based on a sufficient number of risk factors.

[122] Gleim #: 2.1.8
Which of the following represent(s) appropriate internal audit action in response to the risk assessment process?
I. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be performed by the internal audit activity.
II. The high-risk areas should be integrated into an audit work schedule along with the high-priority requests of senior management and the audit committee.
III. The risk analysis should be used in determining an annual audit work schedule.
Thus, the risk analysis should be performed only on an annual basis.
A. I only.
B. II only.
C. III only.
D. I and III only.
Answer (A) is incorrect. Work should be coordinated with the external auditor to avoid duplication of effort and to ensure adequate coverage, but allocation of tasks based solely on relative risk is not appropriate.
Answer (B) is correct. The high-risk areas should be integrated into an audit work schedule along with the high-priority requests of senior management and the audit committee.
Answer (C) is incorrect. Changing conditions may require updating risk assessment during the year.
Answer (D) is incorrect. Work should be coordinated with the external auditor to avoid duplication of effort and to ensure adequate coverage, but allocation of tasks based solely on relative risk is not appropriate. Also, changing conditions may require updating the risk assessment during the year.

[123] Gleim #: 2.1.9
The internal auditor is considering making a risk analysis as a basis for determining the areas of the organization where engagements should be performed. Which one of the following statements is true regarding risk analysis?
A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the internal auditor in making a comparative risk analysis.
B. The highest risk assessment should always be assigned to the area with the largest potential loss.
C. The highest risk assessment should always be assigned to the area with highest probability of occurrence.
D. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
Answer (A) is correct. Among the common factors used in risk models for establishing the priority of engagements is management competence (PA 2010-1, para. 5).
Hence, the internal auditor could appropriately consider the extent of management competence, which includes judgment, as a risk factor.
Answer (B) is incorrect. Risk analysis considers both the potential loss (or damages) and the probability of occurrence. An area with the largest potential loss may have a very low likelihood.
Answer (C) is incorrect. A high probability of occurrence may be associated with a small potential loss.
Answer (D) is incorrect. The concept of risk analysis is not limited to quantitative measures.

[124] Gleim #: 2.1.10
The chief audit executive set up a computerized spreadsheet to facilitate the risk assessment process involving a number of different divisions in the organization. The spreadsheet included the following factors:
- Pressure on divisional management to meet profit goals
- Complexity of operations
- Competence of divisional personnel
- The monetary amount of subjectively influenced accounts in the division, such as accounts in which management’s judgment can affect the expense, e.g., postretirement benefits
The CAE used a group meeting of internal audit managers to reach a consensus on the competence of divisional personnel. Other factors were assessed as high, medium, or low by either the CAE or an internal audit manager who had performed an engagement at the division. The CAE assigned a weight ranging from 0.5 to 1.0 to each factor and then computed a composite risk score. Which statement is true?
A. The risk analysis is not appropriate because it mixes both quantitative and qualitative factors, thereby making expected value calculations impossible.
B. Assessing factors at discrete levels such as high, medium, and low is inappropriate for the risk assessment process because the ratings are not quantifiable.
C. The weighting is subjective and should have been determined through a process such as multiple-regression analysis.
D. Using a subjective group consensus to assess personnel competence is appropriate.
Answer (A) is incorrect. Risk analysis considers all appropriate factors. It need not be limited to quantitative or expected value calculations.
Answer (B) is incorrect. High, medium, and low may be the most precise measures available.
Answer (C) is incorrect. Subjective analysis is acceptable. Use of multiple-regression analysis to determine a weighted average for the risk-weighting model is not feasible because no criteria exist to determine the weightings.
Answer (D) is correct. The risk assessment incorporates information from a variety of sources, such as discussions with the board and management and with internal audit management and staff. Thus, seeking the consensus of experienced internal audit managers regarding personnel matters is appropriate. This method tends to eliminate the extreme judgments that might be made by a single evaluator.

[125] Gleim #: 2.1.11
When a risk assessment process has been used to construct an audit engagement schedule, which of the following should receive attention first?
A. The external auditors have requested assistance for their upcoming annual audit.
B. A new accounts payable system is currently undergoing testing by the information technology department.
C. Management has requested an investigation of possible lapping in receivables.
D. The existing accounts payable system has not been audited over the past year.
Answer (A) is incorrect. External audit requests for assistance should be subordinate to fraud investigations.
Answer (B) is incorrect. Given that the new system is not yet in production, it need not receive immediate attention.
Answer (C) is correct.
Prioritizing is needed to make decisions about applying resources to engagements based on the relative significance of their risk and exposure estimates. Most risk models use risk factors to establish engagement priorities. Internal auditors traditionally regard fraud as significant even if the immediate exposure is not. Thus, management’s request to investigate a possible fraud in the accounts receivable unit must take precedence.
Answer (D) is incorrect. A management request involving a fraud should take priority over a system that has not been audited over the past year.

[126] Gleim #: 2.1.12
Which of the following factors is considered the least important in deciding whether existing internal audit resources should be moved from an ongoing compliance engagement to a divisional-level engagement requested by management?
A. A financial audit of the division performed by the external auditor a year ago.
B. The potential for fraud associated with the ongoing engagement.
C. An increase in the level of expenditures experienced by the division for the past year.
D. The potential for significant regulatory fines associated with the ongoing engagement.
Answer (A) is correct. Prioritizing is needed to make decisions about applying relative resources based on the significance of risk and exposure. Most risk models use risk factors to establish engagement priorities. One such factor is the potential for fraud. Internal auditors traditionally regard fraud as significant even if the immediate exposure is not significant. Increased expenditures also constitute a significant risk factor because they represent an increase in potential loss. For the same reason, potential regulatory fines may also create an exposure sufficiently great to affect the determination of priorities. Thus, the result of an external financial audit performed a year ago is the least likely to affect the current allocation of internal audit resources.
Any adverse engagement observations most probably have been acted upon and, in any case, may not be germane to the ongoing compliance engagement or the proposed divisional-level engagement.
Answer (B) is incorrect. Potential fraud is likely to be a more important factor in the use of limited internal audit resources than the results of an external financial audit.
Answer (C) is incorrect. Increased expenditures are likely to be a more important factor in the use of limited internal audit resources than the results of an external financial audit.
Answer (D) is incorrect. Potential significant fines are likely to be a more important factor in the use of limited internal audit resources than the results of an external financial audit.

[127] Gleim #: 2.1.13
Which of the following represents the best risk assessment technique?
A. Assessment of the risk levels for future events based on the extent of uncertainty of those events and their impact on achievement of long-term organizational goals.
B. Assessment of inherent and control risks and their impact on the extent of financial misstatements.
C. Assessment of the risk levels of current and future events, their effect on achievement of the organization’s objectives, and their underlying causes.
D. Assessment of the risk levels of current and future events, their impact on the organization’s mission, and the potential for elimination of existing or possible risk factors.
Answer (A) is incorrect. Causation also should be considered.
Answer (B) is incorrect. Risk events include more than those classified as inherent and control risks (terms used in the audit risk model used in financial statement audits). Moreover, a comprehensive approach should be adopted.
Answer (C) is correct.
When determining the best risk assessment technique, internal auditors should choose the most comprehensive. Of the options given, assessing risks, their effects, and their causes is the technique meeting that criterion.
Answer (D) is incorrect. Elimination of risks is less likely than mitigation.

[128] Gleim #: 2.1.14
The internal auditing process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All engagements include a description and analysis of internal controls. Engagement clients are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible review in the coming year and attributes of those departments are as follows:

Department      Annual Costs (US $)   Assets (US $)   Probability of Loss
Production A                700,000          50,000   10%
Production B             10,000,000       5,000,000   1%
Production C              1,000,000       1,000,000   1%
Purchasing                  150,000          50,000   10%
Marketing                   500,000          50,000   10%
Shipping                    100,000          60,000   50%
Security                    100,000          10,000   90%
Travel                       30,000           6,000   50%

All of these departments, except two, are on the potential list of engagement clients because of a risk analysis performed by the chief audit executive. Production department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing. What is the chief audit executive’s most logical definition of risk of loss to be used in selecting engagement clients?
A. Amount of risk exposure times the probability of loss.
B. Amount of annual costs in a department.
C. Probability of loss.
D. Amount of assets in a department.
Answer (A) is correct. The IIA’s Glossary defines risk as “the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.” Thus, risk of loss is most logically defined as an expected value equal to the amount at risk times the probability of loss.
Answer (B) is incorrect. The amount of costs in a department is not necessarily the amount exposed to a risk of loss.
Answer (C) is incorrect. The probability of a loss must be multiplied by the amount exposed to possible loss.
Answer (D) is incorrect. The amount of assets in a department is not necessarily the amount exposed to a risk of loss.

[129] Gleim #: 2.1.15
The internal auditing process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All engagements include a description and analysis of internal controls. Engagement clients are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible review in the coming year and attributes of those departments are as follows:

Department      Assets (US $)   Annual Costs (US $)   Probability of Loss
Production A           50,000               700,000   10%
Production B        5,000,000            10,000,000   1%
Production C        1,000,000             1,000,000   1%
Purchasing             50,000               150,000   10%
Marketing              50,000               500,000   10%
Shipping               60,000               100,000   50%
Security               10,000               100,000   90%
Travel                  6,000                30,000   50%

All of these departments, except two, are on the potential list of engagement clients because of a risk analysis performed by the chief audit executive.
Production department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing. Which department most likely needs a pure operational (nonfinancial) engagement?
A. Production A.
B. Production C.
C. Purchasing.
D. Marketing.
Answer (A) is correct. An operational engagement includes reviewing the activities, systems, and controls within an organization to reach efficiency, effectiveness, economic, or other goals. A department that is causing bottlenecks needs an operational audit to aid in determining the cause of the bottlenecks and correcting the problem.
Answer (B) is incorrect. Production department C appears to be operating efficiently and effectively.
Answer (C) is incorrect. The purchasing department appears to be operating efficiently and effectively.
Answer (D) is incorrect. The marketing department appears to be operating efficiently and effectively. The information relayed by the anonymous phone call is not relevant to the operating efficiency of the department.

[130] Gleim #: 2.1.16
During the planning phase, a chief audit executive (CAE) is evaluating four audit engagements based on the following factors: the engagement’s ability to reduce risk to the organization, the engagement’s ability to save the organization money, and the extent of change in the area since the last engagement. The CAE has scored the engagements for each factor from low to high, assigned points, and calculated an overall ranking.
The results are shown below with the points in parentheses:

Audit   Risk Reduction   Cost Savings   Changes
1       High (3)         Medium (2)     Low (1)
2       High (3)         Low (1)        High (3)
3       Low (1)          High (3)       Medium (2)
4       Medium (2)       Medium (2)     High (3)

Which audit engagements should the CAE pursue if all factors are weighed equally?
A. 1 and 2 only.
B. 1 and 3 only.
C. 2 and 4 only.
D. 3 and 4 only.
Answer (A) is incorrect. Audit 1 has fewer total points than audit 4.
Answer (B) is incorrect. Audits 1 and 3 have fewer total points than audits 2 and 4.
Answer (C) is correct. Given that the areas to be audited are weighted equally, the CAE should pursue audits 2 and 4 because they have the highest total points (7).
Answer (D) is incorrect. Audit 3 has fewer total points than audit 2.

[131] Gleim #: 2.1.17
During the planning phase, a chief audit executive (CAE) is evaluating four audit engagements based on the following factors: the engagement’s ability to reduce risk to the organization, the engagement’s ability to save the organization money, and the extent of change in the area since the last engagement. The CAE has scored the engagements for each factor from low to high, assigned points, and calculated an overall ranking. The results are shown below with the points in parentheses:

Audit   Risk Reduction   Cost Savings   Changes
1       High (3)         Medium (2)     Low (1)
2       High (3)         Low (1)        High (3)
3       Low (1)          High (3)       Medium (2)
4       Medium (2)       Medium (2)     High (3)

If the organization has asked the CAE to consider the cost savings factor to be twice as important as any other factor, which engagements should the CAE pursue?
A. 1 and 2 only.
B. 1 and 3 only.
C. 2 and 4 only.
D. 3 and 4 only.
Answer (A) is incorrect. Audit 1 and audit 2 have 8 total points each.
Answer (B) is incorrect. Audit 1 has 8 total points.
Answer (C) is incorrect.
Audit 2 has 8 total points.
Answer (D) is correct. After doubling the cost savings points, audit 3 [1 + (2 × 3) + 2 = 9] and audit 4 [2 + (2 × 2) + 3 = 9] have the highest total points.

[132] Gleim #: 2.1.18
Which of the following is the best reason for the chief audit executive to consider the strategic plan in developing the annual audit plan?
A. To ensure that the internal audit plan supports the overall business objectives.
B. To ensure that the internal audit plan will be approved by senior management.
C. To make recommendations to improve the strategic plan.
D. To emphasize the importance of the internal audit function.
Answer (A) is correct. The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization’s goals (Perf. Std. 2010). Including the strategic plan in the audit universe ensures that it reflects the overall business objectives stated in the strategic plan.
Answer (B) is incorrect. Making the internal audit plan fit better with the strategic plan may not have an effect on management’s approval.
Answer (C) is incorrect. Recommending improvements to the strategic plan is not the primary purpose of the CAE’s review.
Answer (D) is incorrect. The importance of the internal audit function depends on the authority granted to it by the board and senior management.

[133] Gleim #: 2.1.19
A chief audit executive most likely uses risk assessment for audit planning because it provides
A. A systematic process for assessing and integrating professional judgment about probable adverse conditions.
B. A listing of potentially adverse effects on the organization.
C. A list of auditable activities in the organization.
D. The probability that an event or action may adversely affect the organization.
Answer (A) is correct. The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization’s goals (Perf. Std. 2010).
Answer (B) is incorrect. A listing of potentially adverse effects might convince the CAE of the need for risk assessment. But this process is not itself a risk assessment.
Answer (C) is incorrect. A list of auditable activities is used in the risk assessment process but is not the rationale for using risk assessment.
Answer (D) is incorrect. The probability that an event or action may adversely affect the organization is one definition of risk.

[134] Gleim #: 2.1.20
A service company is currently experiencing a significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using in-house developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the director, two managers, and five staff auditors, all with financial background. In the past, the primary focus of successful audit activities has been the service branches and the six regional division headquarters that support the branches. These division headquarters are the primary targets for possible elimination. The support functions, such as human resources, accounting, and purchasing, will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Assuming that total available resources remain the same, what activities should the internal audit activity perform to best serve the organization?
A. Decrease engagement time in systems development.
B. Increase engagement time in service branches.
C. Increase engagement time in functions being centralized.
D. Continue the allocation of engagement time as before.
Answer (A) is incorrect. Major technology changes require that the engagement time devoted to systems development be increased.
Answer (B) is incorrect. Given the major changes in other areas, limited internal audit activity resources most likely must be shifted away from their primary focus on the service branches.
Answer (C) is correct. A major change in organizational structure is a significant risk factor. Of the choices provided, devoting internal audit resources to this engagement best serves the organization.
Answer (D) is incorrect. Major changes in the business, operations, programs, systems, and controls also require changes by the internal audit activity.

[135] Gleim #: 2.1.21
Which of the following statements is false regarding risk assessment as the term is used in internal auditing?
A. Risk assessment is a judgmental process of assigning monetary amounts to the perceived level of risk found in an activity being evaluated. These amounts allow a chief audit executive to select the engagement clients most likely to result in identifiable savings.
B. The chief audit executive should incorporate information from a variety of sources into the risk assessment process, including discussions with the board, management, external auditors, review of regulations, and analysis of financial/operating data.
C. Risk assessment is a systematic process of assessing and integrating professional judgments about events that could affect the achievement of organizational objectives. It provides a means of organizing an engagement work schedule.
D. As a result of an engagement or preliminary survey, the chief audit executive may revise the level of assessed risk of an engagement client at any time, making appropriate adjustments to the work schedule.
Answer (A) is correct.
Risk assessment is a complex process that cannot be reduced to simple monetary terms.
Answer (B) is incorrect. The CAE should incorporate information from a variety of sources into the risk assessment process. The Standards place no limit on such sources.
Answer (C) is incorrect. Risk assessment is a systematic process of assessing and integrating professional judgments about events that could affect the achievement of organizational objectives. It provides a means of organizing an engagement work schedule.
Answer (D) is incorrect. Risk assessments may be revised on the basis of new information.

[136] Gleim #: 2.1.22
Risk modeling or risk analysis is often used in conjunction with development of long-range engagement work schedules. The key input in the evaluation of risk is
A. Previous engagement results.
B. Management concerns and preferences.
C. Specific requirements of professional standards.
D. Judgment of the internal auditors.
Answer (A) is incorrect. The informed judgment of the internal auditor is still required to assess the magnitude of risk indicated by previous engagement results.
Answer (B) is incorrect. To assess the risk posed by management concerns, informed judgment of the internal auditor is required.
Answer (C) is incorrect. Professional standards do not specify the basic inputs for a risk analysis.
Answer (D) is correct. Assessing the risk of an activity entails analysis of numerous factors, estimation of probabilities and amounts of potential losses, and an appraisal of the costs and benefits of risk reduction. Consequently, in assessing the magnitude of risk associated with any factor in a risk model, informed judgment by the internal auditor is required.
[137] Gleim #: 2.1.23
Risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Which of the following statements reflects the appropriate action for the chief audit executive to take?
A. The CAE should generally assign engagement priorities to activities with higher risks.
B. The CAE should restrict the number of sources of information used in the risk assessment process.
C. Work schedule priorities should be established to lead the CAE in the risk assessment process.
D. The risk assessment process should be conducted at least every 3 to 5 years.
Answer (A) is correct. Audit work schedules are based on, among other things, an assessment of risk and exposures. Prioritizing is needed to make decisions for applying resources. A variety of risk models exist to assist the CAE. Most risk models use risk factors, such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of last audit engagement, complexity, and employee and government relations (PA 2010-1, para. 5).
Answer (B) is incorrect. Internal auditors are expected to identify and evaluate significant risk exposures in the normal course of their duties. Thus, they not only use risk analysis to plan engagements but also to assist management and the board by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of the management’s risk processes. For these purposes, the CAE should incorporate information from a variety of sources into the risk assessment process. The Standards place no limit on such sources.
Answer (C) is incorrect. The risk assessment process should be used to determine work schedule priorities.
Answer (D) is incorrect.
The risk assessment should be undertaken at least every year. [138] Gleim #: 2.1.24 The chief audit executive for a retail merchandise sales organization is considering engagement assignments for inclusion in the work schedule for the upcoming year. The following areas have not been evaluated recently, and there are no known reasons that they should be given immediate attention. If resources are scarce, which project should be given priority? A. B. C. D. Corporate code of ethics and conflict of interest policy. Cash management and credit policy. Employee time reporting system. Budget preparation and forecasts. Answer (A) is incorrect. Cash and credit policy has a greater risk of loss. Answer (B) is correct. Of the areas listed, cash management and credit policy in a retail merchandise sales organization would likely rank the highest in financial exposure and risk of potential loss. Answer (C) is incorrect. Cash and credit policy has a greater risk of loss. Answer (D) is incorrect. Cash and credit policy has a greater risk of loss. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 76 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [139] Gleim #: 2.1.25 The chief audit executive of a manufacturer is updating the long-range engagement work schedule. There are several possible assignments that can fill a given time spot. Information on potential monetary exposure and key internal controls has been gathered. Based on perceived risk, select the assignment of greatest merit. A. Precious metals inventory -- carrying amount, US $1,000,000; separately stored, but access not restricted. B. Branch office petty cash -- ledger amount, US $50,000; 10 branch offices, equal amounts; replenishment of accounts requires three separate approvals. C. Sales force travel expenses -- budget, US $1,000,000; 50 sales people; all expenditures over US $25 must be receipted. D. 
Expendable tools inventory -- carrying amount, US $500,000; issued by tool crib attendant upon receipt of authorization form.
Answer (A) is correct. Among the many considerations in judging an item’s risk are the ease with which it can be converted to cash, its accessibility, and its monetary value. The precious metals inventory should receive special emphasis because of its high inherent risk. The inventory can be easily converted to cash, access is not restricted, and its monetary value is relatively high.
Answer (B) is incorrect. The monetary exposure of petty cash is much smaller than for the other proposed engagements, and the related controls are very stringent.
Answer (C) is incorrect. Although the monetary value of the sales force travel expense is identical to that of the precious metal inventory, the exposure is divided among 50 people, and the receipting requirement provides substantial safety against false claims.
Answer (D) is incorrect. The expendable tools inventory is subject to adequate control.

[140] Gleim #: 2.1.26
The chief audit executive of an organization has developed a plan that includes a detailed schedule of engagements to be performed during the coming year, an estimate of the time required for each engagement, and the approximate starting date of each engagement. The scheduling of specific engagements was based upon the time elapsed since the last engagement in each area. The plan is inadequate because it fails to
A. Cite authoritative support for such a plan.
B. Consider factors such as risk and effectiveness of risk management processes.
C. State whether all internal audit activity resources had been committed to the plan.
D. Seek senior management approval of the plan.
Answer (A) is incorrect. The Standards contain no requirement to cite authoritative support for the plan.
Answer (B) is correct. The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually (Impl. Std.
2010.A1).
Answer (C) is incorrect. The plan should be flexible in the event of unanticipated needs for internal audit activity resources.
Answer (D) is incorrect. Activity reports should be submitted to senior management and to the board at least annually, but the Standards contain no requirement for seeking approval of the annual engagement work schedule.

[141] Gleim #: 2.1.27
Which of the following is a valid reason for an internal auditing engagement involving a payroll department to receive priority over a purchasing department engagement?
A. The director of the payroll department requested that the payroll department engagement be performed first.
B. The purchasing department engagement will require more time to perform.
C. The payroll department’s relative risk and exposure are greater.
D. The purchasing department recently restructured its major operations.
Answer (A) is incorrect. This request is not as compelling a reason for granting priority as the greater assessed risk of another engagement client.
Answer (B) is incorrect. The time required may not correlate with risk and other factors that determine the internal audit activity’s priorities.
Answer (C) is correct. The CAE must establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization’s goals (Perf. Std. 2010). Audit work schedules are based on, among other factors, an assessment of risk and exposures (PA 2010-1, para. 5).
Answer (D) is incorrect. The restructuring is a reason for giving priority to the purchasing department.

[142] Gleim #: 2.1.28
An organization manufactures mirror frames. Scrap is adequately accounted for at the point of generation. The scrap is sorted and sold frequently to the organization’s regular buyer at a price negotiated between the scrap manager and the buyer. A risk exposure caused by these procedures is that
A. Excessive scrap has been generated.
B. The price received for scrap may be inadequate.
C. The production of scrap indicates inefficiencies in production.
D. The collection of amounts receivable from the scrap buyer is questionable.
Answer (A) is incorrect. Nothing suggests excessive scrap generation.
Answer (B) is correct. Various problems may arise. For example, the scrap manager may be tempted to collude with the regular buyer to establish an inadequate price. In the absence of fraud, the failure to seek competing bids, the line manager’s lack of expertise in negotiation, ignorance of quoted prices in established markets, and other factors may result in an inadequate price. Hence, a separate subunit of the organization may be necessary to manage all aspects of scrap disposition.
Answer (C) is incorrect. Nothing suggests inefficiency.
Answer (D) is incorrect. A regular buyer is likely to be reliable.

[143] Gleim #: 2.1.29
Feedback allows the chief audit executive to monitor the internal audit activity’s efficiency and effectiveness. Actions resulting from feedback include all of the following except
A. Revising risk assessments made during the planning phase of an engagement.
B. Revising the actual engagement hours to reflect only budgeted hours.
C. Identifying areas for future engagements.
D. Performing periodic follow-up procedures for outstanding recommendations.
Answer (A) is incorrect. Feedback is information gathered about completed activities. Revising risk assessments is an adjustment in the engagement process resulting from feedback.
Answer (B) is correct. The engagement budget should be analyzed to determine and report the variance between actual and budgeted hours. Actual hours should never be hidden.
Answer (C) is incorrect.
Feedback is information gathered about completed activities. Identifying areas for future engagements is an adjustment in the engagement process resulting from feedback.
Answer (D) is incorrect. Feedback is information gathered about completed activities. Following up is an adjustment in the engagement process resulting from feedback.

[144] Gleim #: 2.1.30
Management has just implemented a policy that every department must downsize by immediately cutting 10% of each department’s staff and budget. The chief audit executive has reacted to the organization’s recent plans for “downsizing” (reducing the size of staff across the board) by notifying the internal audit managers that the time allocated for all jobs must be cut by 10%. Which of the following statements regarding the CAE’s action and potential internal audit manager’s action is true?
A. The CAE’s action should result in approximately the same amount of risk coverage as the previous engagement work schedule but reduced by 10%.
B. Individual internal audit managers can attain 90% of the previously defined engagement coverage by uniformly cutting engagement procedures by 10%.
C. The CAE should have re-prioritized risks and eliminated specific engagements rather than cutting 10% across the board.
D. All of the answers are correct.
Answer (A) is incorrect. Reducing the time allocation for all jobs by 10% does not necessarily mean that the risks addressed will be reduced proportionately. The CAE should reprioritize the engagement work schedule to ensure the optimal mitigation of risk with the more limited resources.
Answer (B) is incorrect. A uniform 10% reduction in engagement procedures or scope may result in gathering insufficient information and failure to meet engagement objectives for all projects.
Answer (C) is correct.
The CAE must establish risk-based plans to determine the priorities of the internal audit activity consistent with the organization’s goals (Perf. Std. 2010). Audit work schedules are based on, among other factors, an assessment of risk and exposures. Prioritizing is needed to make decisions for applying resources (PA 2010-1, para. 5). Hence, when the internal audit activity’s resources are reduced, the CAE should allocate the remaining resources in the manner that best meets its goals. For this purpose, risk priorities must be reevaluated. Eliminating some projects may be preferable to reducing the effort devoted to all projects.
Answer (D) is incorrect. Only one of the responses is true.

[145] Gleim #: 2.1.31
The work of the internal audit activity includes evaluating and contributing to the improvement of risk management systems. Risk is
I. The negative effect of events certain to occur
II. Measured in terms of impact
III. Measured in terms of likelihood
A. I only.
B. I and II only.
C. II and III only.
D. I, II, and III.
Answer (A) is incorrect. Risk is measured in terms of impact and likelihood. Moreover, it involves uncertainty, and the effects of events are not necessarily negative.
Answer (B) is incorrect. Risk also is measured in terms of likelihood. Moreover, it involves uncertainty, and the effects of events are not necessarily negative.
Answer (C) is correct. The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes (Perf. Std. 2120). Risk is the possibility of an event’s occurrence that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood (Glossary).
Answer (D) is incorrect. Risk involves uncertainty, and the effects of events are not necessarily negative.

[146] Gleim #: 2.1.32
Updating the audit universe is useful in developing the internal audit plan. The audit universe
A. Consists of all possible audits.
B. Reflects only past organizational strategies.
C. May not overlap with the organization’s strategic plan.
D. Is typically updated every 5 years.
Answer (A) is correct. In developing the internal audit activity’s audit plan, many CAEs find it useful to first develop or update the audit universe. The audit universe is a list of all the possible audits that could be performed (PA 2010-1, para. 1).
Answer (B) is incorrect. The audit universe needs to reflect the most current strategies.
Answer (C) is incorrect. The audit universe may include elements of the strategic plan and therefore reflect overall business objectives.
Answer (D) is incorrect. The audit universe needs to be updated at least annually.

[147] Gleim #: 2.1.33
Which of the following is not reflected in an organization’s audit universe?
A. The organization’s overall attitude toward risk.
B. The degree of difficulty in achieving planned objectives.
C. Overall business plan objectives.
D. The internal audit activity’s conformance with the Standards.
Answer (A) is incorrect. The organization’s overall attitude toward risk is included in the strategic plan, components of which are part of the audit universe.
Answer (B) is incorrect. The degree of difficulty in achieving planned objectives is included in the strategic plan, components of which are part of the audit universe.
Answer (C) is incorrect. Overall business plan objectives are included in the strategic plan, components of which are part of the audit universe.
Answer (D) is correct. The internal audit activity’s conformance with the Standards is the object of ongoing and periodic internal assessments and periodic external assessments, not a component of the audit universe.

[148] Gleim #: 2.1.34
The chief audit executive develops a risk-based plan after updating the audit universe.
The item least likely to be part of the audit universe is
A. Major programs.
B. Cost, profit, and investment centers.
C. A component of the organization’s strategic plan.
D. The minutes from the last board of directors meeting.
Answer (A) is incorrect. Major programs are activities of the organization and are thus part of the audit universe.
Answer (B) is incorrect. Cost, profit, and investment centers are parts of the organization and are thus part of the audit universe.
Answer (C) is incorrect. The audit universe can include components from the organization’s strategic plan. By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business’ objectives.
Answer (D) is correct. In developing the internal audit activity’s audit plan, many chief audit executives (CAEs) find it useful to first develop or update the audit universe. The audit universe is a list of all the possible audits that could be performed. The CAE may obtain input on the audit universe from senior management and the board (PA 2010-1, para. 1).

[149] Gleim #: 2.1.35
Risk is measured in terms of significance and likelihood. Excessive cash disbursements due to duplicate payments to vendors are events that most likely are placed in which area of a risk map?
A. Low significance, low likelihood.
B. Low significance, high likelihood.
C. High significance, medium likelihood.
D. High significance, low likelihood.
Answer (A) is incorrect. Duplicate payments to vendors tend to have medium to high impact and more than a low likelihood.
Answer (B) is incorrect. Duplicate payments to vendors tend to have medium to high impact and more than a low likelihood.
Answer (C) is correct. Duplicate payments to vendors are considered high significance because they result in a material loss of cash if undetected.
The likelihood is medium because they are a common irregularity. However, there is most often a good chance (not guaranteed) that a vendor will detect the error and correct it.
Answer (D) is incorrect. The likelihood is more than low (rare or unlikely).

[150] Gleim #: 2.1.36
The internal audit activity of a large organization has established its operating plan and budget for the coming year. The operating plan is restricted to the following categories: a prioritized listing of all engagements, staffing, a detailed expense budget, and the commencement date of each engagement. Which of the following best describes the major deficiency of this operating plan?
A. Requests by management for special projects are not considered.
B. Opportunities to achieve operating benefits are ignored.
C. Measurability criteria and targeted dates of completion are not provided.
D. Knowledge, skills, and other competencies required to perform work are ignored.
Answer (A) is incorrect. Requests by management would have been considered in establishing engagement work schedule priorities.
Answer (B) is incorrect. Opportunities to achieve operating benefits would have been considered in establishing engagement work schedule priorities.
Answer (C) is correct. The goals of the internal audit activity should be capable of accomplishment within given operating plans and budgets and should be measurable to the extent possible. They should be accompanied by measurement criteria and targeted dates of accomplishment.
Answer (D) is incorrect. The appropriate resources, including staffing, needed to achieve engagement objectives would have been considered in establishing engagement work schedule priorities. Staff members must possess the knowledge, skills, and other competencies needed to perform their responsibilities (Attr. Std. 1210).
[151] Gleim #: 2.1.37
An approved audit plan for the internal audit activity is an essential part of
A. Scheduling support for the external audit.
B. Establishing standards for employee performance.
C. Providing senior management with information about the quality of the internal audit activity’s performance.
D. Planning for the internal audit activity.
Answer (A) is incorrect. The engagement work schedule is not essential to proper support for the external audit.
Answer (B) is incorrect. Management sets operating standards.
Answer (C) is incorrect. Providing information about internal audit’s performance is not a function of the audit workplan.
Answer (D) is correct. The audit plan should include the activities to be performed, when they will be performed, and the estimated time required, considering the scope of the engagement work planned and the nature and extent of related work performed by others. This plan permits determination of staffing plans and financial budgets and is a basis for the presentation of reports.

[152] Gleim #: 2.1.38
In the AICPA’s audit risk model, the risk that an auditor’s procedures will lead to the conclusion that a material misstatement does not exist in an account balance when, in fact, such misstatement does exist is
A. Audit risk.
B. Inherent risk.
C. Control risk.
D. Detection risk.
Answer (A) is incorrect. Audit risk includes inherent risk and control risk, which are not affected by the auditor’s procedures.
Answer (B) is incorrect. Inherent risk is the susceptibility of an assertion to material misstatement in the absence of related controls.
Answer (C) is incorrect. Control risk is the risk that a material misstatement will not be prevented or detected by internal control.
Answer (D) is correct. Detection risk is the risk that the auditor will not detect a material misstatement that exists in a relevant assertion.
It is affected by the auditor’s procedures and can be changed at his/her discretion.

[153] Gleim #: 2.1.39
The acceptable level of detection risk is inversely related to the
A. Extent of engagement procedures performed.
B. Risk of misapplying auditing procedures.
C. Preliminary judgment about materiality levels.
D. Risk of failing to discover material misstatements.
Answer (A) is correct. Detection risk is the only one of the three components of audit risk that is subject to the auditor’s direct control. The greater the assessed levels of control risk and/or inherent risk, the lower the acceptable level of detection risk. Hence, the relationship between performing engagement procedures and detection risk is inverse.
Answer (B) is incorrect. The risk of misapplying auditing procedures is related to the auditor’s training and experience.
Answer (C) is incorrect. Preliminary judgments about materiality are used by the auditor to determine the acceptable level of audit risk. Detection risk is just one component of audit risk.
Answer (D) is incorrect. The acceptable level of detection risk is directly related to the risk of failing to discover material misstatements.

[154] Gleim #: 2.1.40
Inherent risk and control risk differ from detection risk in that they
A. Arise from the misapplication of engagement procedures.
B. May be assessed in either quantitative or nonquantitative terms.
C. Exist independently of the audit engagement.
D. Can be changed at the auditor’s discretion.
Answer (A) is incorrect. The misapplication of engagement procedures may affect detection risk but is independent of inherent and control risk.
Answer (B) is incorrect. All three components of audit risk may be assessed either quantitatively or nonquantitatively.
Answer (C) is correct.
Inherent risk and control risk exist independently of the engagement and cannot be changed by the auditor, only assessed. Detection risk is set by the auditor in response to his/her assessment of inherent and control risk.
Answer (D) is incorrect. Inherent risk and control risk must be assessed by the auditor, who then sets detection risk in response.

[155] Gleim #: 2.1.41
Inherent risk and control risk differ from detection risk in that inherent risk and control risk are
A. Elements of audit risk, whereas detection risk is not.
B. Changed at the auditor’s discretion, whereas detection risk is not.
C. Considered only for entity as a whole, not for each engagement.
D. Functions of the client and its environment, whereas detection risk is not.
Answer (A) is incorrect. Detection risk is also a component of audit risk.
Answer (B) is incorrect. Inherent risk and control risk are assessed by the auditor, but only detection risk can be changed at his/her discretion.
Answer (C) is incorrect. Audit risk is assessed at the engagement level.
Answer (D) is correct. Detection risk is a function of the effectiveness of an engagement procedure and of its application by an auditor and can be changed at his/her discretion. Inherent risk and control risk differ from detection risk in that they exist independently of the engagement. They are functions of the client’s line of business and system of internal control.

[156] Gleim #: 2.1.42
Which of the following audit risk components may be assessed in nonquantitative terms?
     Control Risk    Detection Risk    Inherent Risk
A.   Yes             Yes               Yes
B.   No              Yes               Yes
C.   Yes             Yes               No
D.   Yes             No                Yes
Answer (A) is correct. All three components of audit risk may be assessed in quantitative terms such as percentages or in nonquantitative terms that range, for example, from high to low.
Answer (B) is incorrect.
Control risk can be assessed in nonquantitative terms.
Answer (C) is incorrect. Inherent risk can be assessed in nonquantitative terms.
Answer (D) is incorrect. Detection risk can be assessed in nonquantitative terms.

[157] Gleim #: 2.1.43
An auditor assesses control risk because it
A. Is relevant to the auditor’s understanding of the control environment.
B. Provides assurance that the auditor’s materiality levels are appropriate.
C. Indicates to the auditor where inherent risk may be the greatest.
D. Affects the level of detection risk that the auditor may accept.
Answer (A) is incorrect. The understanding of the control environment provides evidence for assessing control risk, not the other way around.
Answer (B) is incorrect. Materiality levels are based upon auditor judgment.
Answer (C) is incorrect. Inherent risk is independent of internal control.
Answer (D) is correct. Inherent risk and control risk exist independently of the engagement and must be assessed by the auditor, who then sets detection risk in response.

[158] Gleim #: 2.1.44
On the basis of audit evidence gathered and evaluated, an auditor decides to increase the assessed level of control risk from that originally planned. To achieve an overall audit risk level that is substantially the same as the planned audit risk level, the auditor would
A. Increase inherent risk.
B. Increase materiality levels.
C. Decrease inherent risk.
D. Decrease detection risk.
Answer (A) is incorrect. Inherent risk is not under the control of the auditor and can only be assessed.
Answer (B) is incorrect. Materiality and risk are interrelated. However, as risk increases, the auditor will likely reduce the level of materiality.
Answer (C) is incorrect. Inherent risk is not under the control of the auditor and can only be assessed.
Answer (D) is correct.
Audit risk is a function of inherent risk, control risk, and detection risk. The only risk the auditor directly controls is detection risk. Hence, the auditor achieves the desired level of overall audit risk by setting detection risk in response to the assessed levels of inherent risk and control risk. Detection risk has an inverse relationship with control risk; if the auditor chooses to increase his/her assessment of control risk, detection can be decreased.

[159] Gleim #: 2.1.45
In the AICPA’s audit risk model, which of the following is a definition of control risk?
A. The risk that a material misstatement will not be prevented or detected on a timely basis by the client’s internal controls.
B. The risk that the auditor will not detect a material misstatement.
C. The risk that the auditor’s assessment of internal controls will be at less than the maximum level.
D. The susceptibility of material misstatement assuming there are no related internal control policies or procedures.
Answer (A) is correct. Control risk is the risk that internal control will not prevent or detect on a timely basis a material misstatement that could occur in a relevant assertion.
Answer (B) is incorrect. The risk that the auditor will not detect a material misstatement that exists in a relevant assertion is the definition of detection risk.
Answer (C) is incorrect. When the auditor’s assessment of internal controls is at less than the maximum level, the auditor has an expectation of their operating effectiveness. This expectation results in a reduced assessment of the risk of material misstatement.
Answer (D) is incorrect. The susceptibility of material misstatement assuming there are no related internal control policies or procedures is the definition of inherent risk.

[160] Gleim #: 2.1.46
A chief audit executive (CAE) uses a risk assessment model to establish the annual audit plan. Which of the following would be an appropriate action by the CAE?
I. Maintain ongoing dialogue with management and the audit committee
II. Ensure that the schedule of audit priorities remains unchanged
III. Employ only quantitative methods to determine risk weightings
IV. Revise the risk assessment and audit priorities as warranted
A. III only.
B. I and II only.
C. I and IV only.
D. III and IV only.
Answer (A) is incorrect. The weighting of risk is both a quantitative and a qualitative (judgment) exercise.
Answer (B) is incorrect. Audit schedules will likely change regularly to meet the needs of the organization, particularly if based on an effective risk assessment process.
Answer (C) is correct. It is a best practice for risk assessment to be a dynamic process, changing over time and as new information, business strategies, and risks are identified. Ongoing consultation with members of management and the board is a way for the internal audit activity to obtain such information and stay attuned to organizational developments that may affect existing audit priorities. To accommodate such emerging priorities, the work schedule may need to be altered.
Answer (D) is incorrect. The weighting of risk is both a quantitative and a qualitative (judgment) exercise. Furthermore, the CAE should engage in ongoing consultation with members of management and the board.

[161] Gleim #: 2.1.47
A chief audit executive is reviewing the following enterprise-wide risk map:

                        LIKELIHOOD
IMPACT      Remote      Possible    Likely
Critical    Risk A      Risk B
Major                               Risk D
Minor                   Risk C

Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity?
A. Risk B, Risk C, Risk A, Risk D.
B. Risk A, Risk B, Risk C, Risk D.
C. Risk D, Risk B, Risk C, Risk A.
D. Risk B, Risk C, Risk D, Risk A.
Answer (A) is incorrect. Risk D clearly takes precedence over Risk C.
It has a higher likelihood and a greater impact.
Answer (B) is incorrect. Risk B clearly has a higher priority than Risk A. It has a higher likelihood and the same impact.
Answer (C) is correct. Risk is the possibility of an event’s occurrence that could have an impact on the achievement of objectives. Risk is measured in terms of impact (exposures) and likelihood (probability). Prioritizing is needed to make decisions for applying resources to engagements based on the relative significance of their risk and exposure estimates. The best order of priority listed (highest to lowest) is (1) Risk D (likely-major), (2) Risk B (possible-critical), (3) Risk C (possible-minor), and (4) Risk A (remote-critical). However, it is not entirely clear that Risk D and Risk C should have higher priorities than Risks B and A, respectively. For example, depending on the values assigned to the variables, a possible-critical impact (B) might have a higher priority than a likely-major impact (D).
Answer (D) is incorrect. Risk D has a higher likelihood and a greater impact than Risk C.

[162] Gleim #: 2.1.48
At a meeting with engagement managers, the chief audit executive is allocating the engagement work schedule for next year’s plan. Which of the following methods will ensure that each manager receives an appropriate share of both the work schedule and internal audit activity resources?
A. Work is assigned to each manager based on risk and skill analysis.
B. Each of the managers selects the individual assignments desired, based on preferences for the area and the management personnel involved.
C. Each manager chooses assignment preferences based on the total staff hours that are currently available to each manager.
D.
The full list of scheduled engagements is published for the staff, and work assignments are made based on career interests and travel requirements.
Answer (A) is correct. Due professional care requires work assignments to be proportional to the complexities of the engagement and must ensure that the technical proficiency and educational background of the personnel assigned are appropriate. A skill analysis of tasks to be performed is therefore necessary. Furthermore, matters to be considered in establishing audit work schedule priorities include, among many other factors, an assessment of risk and exposures.
Answer (B) is incorrect. Choice based on personal preference does not ensure the exercise of due professional care.
Answer (C) is incorrect. Available staff hours do not correlate with risk or the composite skills necessary for individual assignments.
Answer (D) is incorrect. Although career interests and travel requirements are considerations for staffing engagements, these factors do not constitute an objective basis for making assignments.

[163] Gleim #: 2.2.49
Which of the following is the best source of a chief audit executive’s information for planning staffing requirements?
A. Discussions of internal audit needs with senior management and the board.
B. Review of internal audit staff education and training records.
C. Review internal audit staff size and composition of similarly sized organizations in the same industry.
D. Interviews with existing internal audit staff.
Answer (A) is correct. Ensuring the sufficiency of internal audit resources is ultimately a responsibility of the organization’s senior management and board. The CAE should assist them in discharging this responsibility (PA 2030-1, para. 1).
Answer (B) is incorrect.
The scheduled work is the first consideration in determining the number and qualifications of the staff required. Review of staff education and training records is a subsequent step.
Answer (C) is incorrect. The staffing plan must consider the unique needs of a particular organization. The review of staff size and composition of similarly sized organizations in the same industry may not satisfy the engagement objectives for a particular organization.
Answer (D) is incorrect. The scheduled work is the first consideration in determining the number and qualifications of the staff required. Interviews with existing staff occur later.

[164] Gleim #: 2.2.50
The capabilities of individual staff members are key features in the effectiveness of an internal audit activity. What is the primary consideration used when staffing an internal audit activity?
A. Background checks.
B. Job descriptions.
C. Continuing education.
D. Organizational orientation.
Answer (A) is incorrect. Background checks help ensure that statements made by prospective employees are accurate. However, they are not the primary requisite.
Answer (B) is correct. The skills, capabilities, and technical knowledge of the internal audit staff are to be appropriate for the planned activities (PA 2030-1, para. 2). Properly formulated job descriptions provide a basis for identifying job qualifications (including training and experience). Hence, they facilitate recruiting human resources with the necessary attributes.
Answer (C) is incorrect. Continuing education occurs after the proper people are hired.
Answer (D) is incorrect. A thorough orientation helps the new employee become productive more rapidly. However, it will not compensate for hiring the wrong person.

[165] Gleim #: 2.2.51
Which of the following statements most accurately reflects the chief audit executive’s responsibilities for internal audit resources?
A.
The CAE is responsible for ensuring that audit coverage is based on the periodic skills assessment. B. The CAE is responsible for evaluating the detailed summary of audit resources presented by management to the board. C. The CAE is not responsible for such human resource functions as evaluation and development. D. The CAE is responsible for communicating resource needs to the board but has no explicit responsibility for administering the organization’s compensation program. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 89 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) Answer (A) is incorrect. The CAE has responsibility for ensuring that the skills assessment is driven by the needs of the audit coverage, not by the capabilities already present in the internal audit activity. Answer (B) is incorrect. The CAE has responsibility for presenting a detailed summary of the status and adequacy of internal audit resources to the board. Answer (C) is incorrect. The CAE has responsibility for considering human resource disciplines, such as succession planning and staff evaluation and development programs. Answer (D) is correct. The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). This includes the effective communication of resource needs and reporting of status to senior management and the board (PA 2030-1, para. 1). Responsibility for administering the organization’s compensation program normally resides in the human resources (personnel) area. [166] Gleim #: 2.2.52 The most important reason for the chief audit executive to ensure that the internal audit department has adequate and sufficient resources is to A. B. C. D. Ensure that the function is adequately protected from outsourcing. Demonstrate sufficient capability to meet the audit plan requirements. Establish credibility with the audit committee and management. 
Fulfill the need for effective succession planning. fb .c om /c ia ao ffi ci al Answer (A) is incorrect. The decision to outsource the internal audit function is not primarily based on existing resources. Answer (B) is correct. The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). Answer (C) is incorrect. The amount of resources is not a significant factor in establishing credibility. Answer (D) is incorrect. Succession planning is not related to the amount of audit resources. [167] Gleim #: 2.2.53 The internal audit activity has recently experienced the departure of two internal auditors who cannot be immediately replaced due to budget constraints. Which of the following is the least desirable option for efficiently completing future engagements, given this reduction in resources? A. Using self-assessment questionnaires to address audit objectives. B. Employing information technology in audit planning, sampling, and documentation. C. Eliminating consulting engagements from the engagement work schedule. D. Filling vacancies with personnel from operating departments that are not being audited. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 90 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) Answer (A) is incorrect. Using self-assessment questionnaires is an efficient means of addressing the objectives of certain internal audits. Answer (B) is incorrect. Use of technology is an appropriate means of achieving efficiencies in audit execution. Answer (C) is correct. The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). The audit schedule is reduced as a last resort once all other alternatives have been explored, including the request for additional resources. Answer (D) is incorrect. 
Using operating personnel with internal audit expertise and corporate experience is an appropriate way to enhance internal audit resources.

[168] Gleim #: 2.2.54
By comparing job descriptions with the qualifications and duties of the individuals currently holding those jobs, a manager can
A. Complete the human resource planning cycle.
B. Determine whether the organization is appropriately staffed.
C. Forecast future personnel needs.
D. Determine which employees should be promoted.
Answer (A) is incorrect. The human resource planning cycle refers to the entire process. Examining job descriptions is merely a part of the job analysis process.
Answer (B) is correct. A job description summarizes the duties and qualifications required for a job. It is prepared based on a job analysis, which is a systematic procedure for observing work and determining what tasks should be accomplished to achieve organizational goals. By comparing the job description with the actual employees and their qualifications, a manager can determine whether the organization has placed appropriate individuals in jobs best suited to their abilities.
Answer (C) is incorrect. A forecast of future needs requires knowledge of future plans and a projection of resource and staff requirements.
Answer (D) is incorrect. To determine which employees should be promoted, a manager needs performance data.

[169] Gleim #: 2.2.55
Numerous environmental laws and regulations have recently changed. Senior management has asked the chief audit executive to perform an environmental audit to be completed as soon as possible. The internal audit activity currently is performing an operational audit. As a result, the chief audit executive must make difficult decisions about resource allocation. Which of the following is the least significant issue in determining whether to reallocate audit resources?
A. The potential fraud discovered during the operational audit.
B. Potential cost to the organization for noncompliance with the new environmental laws and regulations.
C. The knowledge, skills, and competencies of the internal audit staff.
D. The results from the prior financial audits.
Answer (A) is incorrect. The potential fraud or other illegal actions discovered during the operational audit are relevant. Fraud always must be evaluated for its effect on achievement of organizational objectives.
Answer (B) is incorrect. Potential consequences, such as fines, penalties, and legal action, may be material.
Answer (C) is incorrect. The knowledge, skills, and competencies of the internal audit staff are crucial. Proficiency is an ethical obligation of internal auditors.
Answer (D) is correct. When determining resource allocation under time constraints, the auditor must consider all relevant factors. Relevant factors include (1) information about both the ongoing and new engagement; (2) the consequences of not completing either engagement in a timely manner; and (3) the knowledge, skills, and competencies of the internal audit staff. Information about other unrelated engagements, such as prior financial audits, is irrelevant.

[170] Gleim #: 2.2.56
When determining the number and experience level of an internal audit staff to be assigned to an engagement, the chief audit executive should consider all of the following except the
A. Complexity of the engagement.
B. Available internal audit activity resources.
C. Training needs of internal auditors.
D. Lapsed time since the last engagement.
Answer (A) is incorrect. The complexity of the engagement determines the experience and skills required of the assigned staff.
Answer (B) is incorrect. Available resources are a factor in a staffing decision.
Answer (C) is incorrect.
The training needs of individual auditors are a factor in a staffing decision.
Answer (D) is correct. Lapsed time since the last engagement is a factor affecting engagement scheduling, not staffing.

[171] Gleim #: 2.2.57
When assigning individual staff members to actual engagements, internal auditing managers are faced with a number of important considerations related to needs, abilities, and skills. Which of the following is the least appropriate criterion for assigning a staff internal auditor to a specific engagement?
A. The staff internal auditor’s desire for training in the area.
B. The complexity of the engagement.
C. The experience level of the internal auditor.
D. Special skills possessed by the staff internal auditor.
Answer (A) is correct. A staff internal auditor’s desire for specific training is necessarily secondary to carrying out the responsibilities of the internal audit activity with regard to proper staffing.
Answer (B) is incorrect. The complexity of the engagement determines the experience and skills required of the assigned staff.
Answer (C) is incorrect. Experience is a factor in a staffing decision.
Answer (D) is incorrect. Special expertise is a factor in a staffing decision.

[172] Gleim #: 2.2.58
Staff members of the internal audit activity should be assigned to engagements and training projects that will enable them to develop their potential. Which of the following should be the most important consideration in making assignments that will allow staff members to develop properly?
A. The skills and experience levels of individual auditors.
B. Specific training requirements imposed by the Standards.
C. The importance of giving all staff members extensive supervisory experience.
D. Special interests of individual staff members.
Answer (A) is correct.
The program for selecting and developing the human resources of the internal audit activity should provide for written job descriptions for each level of the staff, selection of qualified and competent individuals, training and continuing educational opportunities, performance appraisals at least annually, and counsel on performance and professional development. Obviously, work assignments inconsistent with an internal auditor’s abilities will defeat the purposes of human resources development.
Answer (B) is incorrect. The Standards contain no specific requirements.
Answer (C) is incorrect. All staff members may not be ready for supervisory responsibility.
Answer (D) is incorrect. Although interests are not irrelevant, they are secondary to skills and experience.

[173] Gleim #: 2.2.59
The requirements for staffing level, education and training, and research should be included in
A. The internal audit activity’s charter.
B. The internal audit activity’s policies and procedures manual.
C. The annual plan for the internal audit activity.
D. Job descriptions for the various staff positions.
Answer (A) is incorrect. The charter is an overall statement of purpose, authority, and responsibility.
Answer (B) is incorrect. This manual describes engagement methods, not personnel and research matters.
Answer (C) is correct. The internal audit activity’s planning process involves establishing staffing plans and financial budgets. These plans and budgets include the number of internal auditors and the knowledge, skills, and other competencies required to perform their work. They should be determined from (1) engagement work schedules, (2) administrative activities, (3) education and training requirements, and (4) internal auditing research and development efforts.
Answer (D) is incorrect.
Job descriptions do not reveal internal auditing research requirements.

[174] Gleim #: 2.2.60
In most organizations, the rapidly expanding scope of internal auditing responsibilities requires continual training. What is the main purpose of such a training program?
A. To comply with continuing education requirements of professional organizations.
B. To use slack periods in engagement scheduling.
C. To help individuals to achieve personal career goals.
D. To achieve both individual and organizational goals.
Answer (A) is incorrect. The CAE should establish a program for selecting and developing human resources, but compliance with continuing education requirements of professional organizations is not the primary purpose.
Answer (B) is incorrect. Training can be conducted during slack periods, but this is not the primary objective.
Answer (C) is incorrect. Both personal and internal audit goals should be achieved.
Answer (D) is correct. By being informed and up to date, internal auditors are better prepared to reach their personal goals. In addition, internal audit responsibilities are more readily discharged by auditors having the required knowledge, skills, and other competencies.

[175] Gleim #: 2.2.61
The key factor in the success of an internal audit activity’s human resources program is
A. An informal program for developing and counseling staff.
B. A compensation plan based on years of experience.
C. A well-developed set of selection criteria.
D. A program for recognizing the special interests of individual staff members.
Answer (A) is incorrect. The human resources program should be formal.
Answer (B) is incorrect. The quality of the human resources is more significant than compensation.
Answer (C) is correct. Internal auditors should be qualified and competent.
Because the selection of a superior staff is dependent on the ability to evaluate applicants, selection criteria must be well-developed. Appropriate questions and forms should be prepared in advance to evaluate, among other things, the applicant’s technical qualifications, educational background, personal appearance, ability to communicate, maturity, persuasiveness, self-confidence, intelligence, motivation, and potential to contribute to the organization.
Answer (D) is incorrect. The quality of the human resources is more significant than special interests of the staff.

[176] Gleim #: 2.2.62
In selecting an instructional strategy for developing internal audit staff, a chief audit executive begins by reviewing
A. Organizational objectives.
B. Learning content.
C. Learners’ readiness.
D. Budget constraints.
Answer (A) is correct. The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030). The approved plan must be consistent with the goals of the organization.
Answer (B) is incorrect. The learning content cannot be prepared without first reviewing the organizational objectives.
Answer (C) is incorrect. Learners’ readiness should be considered later in the program development process.
Answer (D) is incorrect. Budget constraints should be considered later in the process.

[177] Gleim #: 2.2.63
Which of the following is a necessary part of a program for selecting and developing internal audit activity staff?
A. Specifying that an accounting degree is necessary for employment.
B. Developing a written job description for each level of the staff.
C. Counseling each member of the staff on career opportunities.
D. Requiring a written examination prior to employment.
Answer (A) is incorrect.
An internal audit activity may need nonaccounting specialists.
Answer (B) is correct. The program for selecting and developing human resources should include (1) developing written job descriptions for each level of the internal audit activity’s staff, (2) selection of qualified and competent individuals, (3) providing training and continuing educational opportunities for each internal auditor, (4) appraising performance at least annually, and (5) counseling internal auditors on their performance and professional development.
Answer (C) is incorrect. Counseling must be provided regarding performance and professional development, not career opportunities.
Answer (D) is incorrect. A written examination is often unnecessary.

[178] Gleim #: 2.2.64
The advantage attributed to the establishment of internal auditing field offices for work at foreign locations is best described as
A. The possibility of increased objectivity of personnel assigned to a field office.
B. A reduction of travel time and related travel expense.
C. The increased ease of maintaining uniform organization-wide standards.
D. More contact with senior personnel leading to an increase in control.
Answer (A) is incorrect. Field office personnel are more likely to lose objectivity through increased contact with engagement client personnel in the area served.
Answer (B) is correct. The advantages of field offices compared with sending internal auditors from the home office include (1) reduced travel time and expense, (2) improved service in the operating locations served by the field offices, (3) better morale of internal auditors as a result of increased authority, and (4) the possibility of employing persons who do not wish to travel.
Answer (C) is incorrect. Maintenance of organization-wide standards is more difficult after decentralization.
Answer (D) is incorrect. Contact with and control over field office personnel will be reduced.
[179] Gleim #: 2.2.65
Although all the current members of an internal audit activity have good records of performance, the manager is not sure if any of the members are ready to assume a management role. Which of the following is an advantage of bringing in an outsider rather than promoting from within?
A. Management training costs are reduced when a qualified outsider is hired.
B. The manager can be sure that the new position will be filled by a competent employee.
C. Bringing in an outsider is a less expensive alternative than promoting from within.
D. The “modeling” effect is strengthened by bringing in a new role model.
Answer (A) is correct. Hiring an experienced manager reduces management training costs because the person has already been trained.
Answer (B) is incorrect. The manager is relying on outside information to evaluate the candidate and cannot be certain the employee is competent until (s)he begins work.
Answer (C) is incorrect. Hiring an outsider is usually more expensive than promoting from within.
Answer (D) is incorrect. The “modeling” effect occurs when employees see that deserving coworkers are promoted to better-paying, higher-status jobs.

[180] Gleim #: 2.3.66
A chief audit executive’s performance report should
A. List the material engagement observations of major engagements.
B. List uncorrected reported conditions.
C. Report the weekly activities of the individual internal auditors.
D. Compare engagements completed with engagements planned.
Answer (A) is incorrect. A list of material engagement observations is not a performance report.
Answer (B) is incorrect. A list of uncorrected reported conditions is not a performance report.
Answer (C) is incorrect. A report of weekly activities is not a performance report.
Answer (D) is correct.
The CAE must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan (Perf. Std. 2060). Performance reporting should be relative to the most recently approved plan to inform senior management and the board of (1) significant deviations from the approved audit plan, staffing plans, and financial budgets; (2) reasons for the deviations; and (3) action needed or taken (PA 2060-1, para. 2).

[181] Gleim #: 2.3.67
The chief audit executive routinely reports to the board as part of the board meeting agenda each quarter. Senior management has asked to review this presentation before each board meeting so that any issues or questions can be discussed beforehand. The CAE needs to
A. Provide the report to senior management as requested and discuss any issues that may require action to be taken.
B. Withhold disclosure of the report to senior management because such matters are the sole province of the board.
C. Disclose to the board only those matters in the report that pertain to expenditures and financial budgets of the internal audit activity.
D. Provide information to senior management that pertains only to completed engagements and observations available in published engagement communications.
Answer (A) is correct. The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board (Intr. Std. 2060).
Answer (B) is incorrect. Reports must be presented to senior management.
Answer (C) is incorrect. The report is not restricted to expenditures and financial budgets.
Information about significant deviations from the approved audit plan and staffing plans also is included.
Answer (D) is incorrect. The information need not be limited to completed engagements and observations available in published engagement communications.

[182] Gleim #: 2.3.68
The best means for the internal audit activity to determine whether its goal of implementing broader coverage of functional activities has been met is through
A. Accumulation of engagement observations by engagement client.
B. Comparison of the approved audit plan with actual engagement activity.
C. Surveys of management satisfaction with the internal audit activity.
D. Implementation of a quality assurance program.
Answer (A) is incorrect. The number of engagement observations is not an indicator of breadth or quality of work.
Answer (B) is correct. Performance reporting should be relative to the most recently approved plan to inform senior management and the board of (1) significant deviations from the approved audit plan, staffing plans, and financial budgets; (2) reasons for the deviations; and (3) action needed or taken (PA 2060-1, para. 2).
Answer (C) is incorrect. Management satisfaction does not directly relate to the expressed goal (broader engagement coverage).
Answer (D) is incorrect. Implementation of a quality assurance program has no bearing on the stated goal.

[183] Gleim #: 2.3.69
An annual summary report of completed engagement work submitted to senior management and the board by the chief audit executive should
A. Discuss the administrative condition of the internal audit activity.
B. Inform management of the scope of proposed work for the following year.
C. Describe the extent to which the internal audit activity has completed its approved audit plan.
D. Emphasize the number of deficiency observations discovered by the internal auditors.
Answer (A) is incorrect. The administrative condition of the internal audit activity is a subject appropriate for an external assessment.
Answer (B) is incorrect. This information is contained in the summary of the engagement work schedule, staffing plan, and financial budget for the coming year submitted to senior management and the board.
Answer (C) is correct. Performance reporting should be relative to the most recently approved plan to inform senior management and the board of (1) significant deviations from the approved audit plan, staffing plans, and financial budgets; (2) reasons for the deviations; and (3) action needed or taken (PA 2060-1, para. 2).
Answer (D) is incorrect. The materiality of observations, not their number, should be emphasized.

[184] Gleim #: 2.3.70
Which internal audit planning tool is general in nature and is used to ensure adequate engagement coverage over time?
A. The audit plan.
B. The engagement work program.
C. The internal audit activity’s budget.
D. The internal audit activity’s charter.
Answer (A) is correct. The CAE will annually submit a summary of the internal audit plan, work schedule, staffing plan, and financial budget to senior management and the board for review and approval (PA 2020-1, para. 1). Thus, the planning process involves establishing the audit plan.
Answer (B) is incorrect. The engagement work program is limited in scope to a particular project.
Answer (C) is incorrect. The internal audit activity’s budget may be used to justify a head count, but it is not used to ensure adequate engagement coverage over time.
Answer (D) is incorrect. The charter is not an engagement planning tool.

[185] Gleim #: 2.3.71
Which of the following is an appropriate responsibility of the board?
A. Performing a review of the procurement function of the organization.
B. Reviewing the internal audit activity’s engagement work schedule submitted by the chief audit executive.
C. Reviewing the engagement records of the public accounting firm to determine the firm’s competence.
D. Recommending the assignment of specific internal audit staff members for specific engagements.
Answer (A) is incorrect. Reviewing the procurement function of the organization requires detailed technical ability.
Answer (B) is correct. The CAE must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval (Perf. Std. 2020).
Answer (C) is incorrect. The board will not likely have access to the public accounting firm’s engagement reports.
Answer (D) is incorrect. Specific assignments should be made by internal audit activity management.

[186] Gleim #: 2.3.72
Who reviews and approves a summary of the internal audit plan?
A. Senior management and the board.
B. The audit committee and the board.
C. Senior management only.
D. The chief audit executive (CAE) only.
Answer (A) is correct. The CAE will annually submit a summary of the internal audit plan, work schedule, staffing plan, and financial budget to senior management and the board for review and approval (PA 2020-1, para. 1).
Answer (B) is incorrect. The CAE also submits the internal audit plan to senior management.
Answer (C) is incorrect. The CAE also submits the internal audit plan to the board.
Answer (D) is incorrect. The audit plan is submitted to senior management and the board.

[187] Gleim #: 2.3.73
As the chief audit executive, you have determined that the acquisition of some expensive, state-of-the-art software for paperless working paper files will be useful.
Identify the preferred method for presenting your request to senior management.
A. The effect of not obtaining the software.
B. Statement of need.
C. Comparison with other internal audit activities.
D. Evaluation of the software’s technical specifications.
Answer (A) is correct. The CAE must communicate the internal audit activity’s plans and resource requirements to senior management and the board for review and approval. The CAE also must communicate the effect of resource limitations (Perf. Std. 2020).
Answer (B) is incorrect. The need must be weighed against the cost.
Answer (C) is incorrect. Other internal audit activities may have different cost-benefit relationships.
Answer (D) is incorrect. Specialists, not senior management, will perform this evaluation.

[188] Gleim #: 3.1.1
The chief executive officer wants to know whether the purchasing function is properly meeting its charge to “purchase the right materials at the right time in the right quantities.” Which of the following types of engagements addresses this request?
A. A financial engagement relating to the purchasing department.
B. An operational engagement relating to the purchasing function.
C. A compliance engagement relating to the purchasing function.
D. A full-scope engagement relating to the manufacturing operation.
Answer (A) is incorrect. A financial engagement involves the analysis of the economic activity of an entity as measured and reported by accounting methods.
Answer (B) is correct. According to Sawyer’s Internal Auditing, an operational engagement involves “the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.”
Answer (C) is incorrect.
A compliance engagement is a review of both financial and operating controls to assess conformance with established standards. It tests adherence to management’s policies, procedures, and plans designed to ensure certain actions.
Answer (D) is incorrect. A full-scale engagement relating to the manufacturing operation has financial, compliance, and operational aspects. It exceeds the chief executive officer’s request.

[189] Gleim #: 3.1.2
The primary difference between operational engagements and financial engagements is that, in the former, the internal auditors
A. Are not concerned with whether the client entity is generating information in compliance with financial accounting standards.
B. Are seeking to help management use resources in the most effective manner possible.
C. Start with the financial statements of the client entity and work backward to the basic processes involved in producing them.
D. Can use analytical skills and tools that are not necessary in financial engagements.
Answer (A) is incorrect. The reliability and integrity of financial information are important in operational engagements. Information systems provide data for decision making, control, and compliance with external requirements.
Answer (B) is correct. Financial engagements are primarily concerned with forming an opinion on the fairness of the financial statements. Operational engagements evaluate accomplishment of established objectives and goals for operations or programs and economical and efficient use of resources.
Answer (C) is incorrect. A financial engagement entails using financial statements as a starting point.
Answer (D) is incorrect. Analytical skills are necessary in all types of engagements.

[190] Gleim #: 3.1.3
During an operational engagement, the internal auditors compare the current staffing of a department with established industry standards to
A. Identify bogus employees on the department’s payroll.
B. Assess the current performance of the department and make appropriate recommendations for improvement.
C. Evaluate the adequacy of the established internal controls for the department.
D. Determine whether the department has complied with all laws and regulations governing its personnel.
Answer (A) is incorrect. The internal auditors would not be concerned with payroll processing during this type of testing and evaluation.
Answer (B) is correct. According to Sawyer’s Internal Auditing, an operational engagement involves “the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.”
Answer (C) is incorrect. Comparison of staffing levels with industry standards will not test the adequacy of internal controls.
Answer (D) is incorrect. The internal auditors would be more concerned with legal requirements during a compliance engagement.

[191] Gleim #: 3.1.4
An operational engagement relating to the production function includes a procedure to compare actual costs with standard costs. The purpose of this engagement procedure is to
A. Determine the accuracy of the system used to record actual costs.
B. Measure the effectiveness of the standard cost system.
C. Assess the reasonableness of standard costs.
D. Assist management in its evaluation of effectiveness and efficiency.
Answer (A) is incorrect. The comparison will not determine the accuracy of actual costs.
Answer (B) is incorrect. The comparison will not determine the effectiveness of the system.
Answer (C) is incorrect.
The comparison will not determine the reasonableness of standard costs.
Answer (D) is correct. According to Sawyer’s Internal Auditing, an operational engagement involves “the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.” A comparison of actual and standard costs addresses efficiency and economy issues.

[192] Gleim #: 3.1.5
A determination of cost savings is most likely to be an objective of a(n)
A. Program-results engagement.
B. Financial engagement.
C. Compliance engagement.
D. Operational engagement.
Answer (A) is incorrect. A program-results engagement addresses accomplishment of program objectives.
Answer (B) is incorrect. A financial engagement concerns the safeguarding of assets and the reliability and integrity of information.
Answer (C) is incorrect. A compliance engagement relates to compliance with legal, regulatory, procedural, and other requirements.
Answer (D) is correct. According to Sawyer’s Internal Auditing, an operational engagement involves “the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.”

[193] Gleim #: 3.1.6
Which of the following procedures is the most valuable in an engagement involving the traffic department operations of a large manufacturer?
A. Obtain written confirmation from the regulatory agencies that all carriers used are properly licensed and bonded.
B. Review procedures for selection of routes and carriers.
C. Trace selected items from the weekly demurrage (car detention charge) report to supporting documentation.
D. Verify that all bills of lading are prenumbered.
Answer (A) is incorrect.
This information is available from other sources, and the confirmation approach is unnecessary.
Answer (B) is correct. An operational engagement examines the premises and policies for day-to-day activities, as well as the transaction flow that is the concern of the evaluation of controls. Selection of routes and carriers is the chief function of the department, and poor practice may lead to materially excessive shipping costs or serious delays. Hence, an internal auditor conducting an operational engagement should review the procedures for selection of routes and carriers.
Answer (C) is incorrect. The details of demurrage are not as significant to the operations of the department as route and carrier selection.
Answer (D) is incorrect. Prenumbering of bills of lading is an internal control matter that is important but not central to department objectives.

[194] Gleim #: 3.2.7
Of the three primary approaches of CSA programs, which one is designed to gather information from work teams representing different levels in the business unit or function?
A. Auditor-produced analysis.
B. Facilitated approach.
C. Questionnaire approach.
D. Self-certification approach.
Answer (A) is incorrect. Auditor-produced analysis is not one of the recognized forms of CSA.
Answer (B) is correct. The three primary forms of CSA programs are the facilitated approach, the questionnaire approach, and the self-certification approach. The facilitated approach gathers information from work teams representing different levels in the business unit or function. The format of the approach may be based on objectives, risks, controls, or processes.
Answer (C) is incorrect. The questionnaire form of CSA uses a survey, not work teams representing different levels in the business unit or function.
Answer (D) is incorrect.
The self-certification approach is produced by management, not by work teams representing different levels in the business unit or function.

[195] Gleim #: 3.2.8
Which group is charged with overseeing the establishment, administration, and evaluation of the processes of risk management and control?
A. Operating managers.
B. Internal auditors.
C. External auditors.
D. Senior management.
Answer (A) is incorrect. Operating managers’ responsibilities include assessment of the risk management and control.
Answer (B) is incorrect. Internal auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization.
Answer (C) is incorrect. External auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization.
Answer (D) is correct. Senior management is charged with overseeing the establishment, administration, and evaluation of the processes of risk management and control. Operating managers’ responsibilities include assessment of the risks and controls in their units. Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization.

[196] Gleim #: 3.2.9
Which of the following statements about control self-assessment (CSA) is false?
A. CSA is usually an informal and undocumented process.
B. In its purest form, CSA integrates business objectives and risks with control processes.
C. CSA is also known as control/risk self-assessment.
D. Most implemented CSA programs share some key features and goals.
Answer (A) is correct.
A methodology encompassing self-assessment surveys and facilitated workshops called CSA is a useful and efficient approach for managers and internal auditors to collaborate in assessing and evaluating control procedures. The process is a formal and documented way of allowing participation by those who are directly involved in the business unit, function, or process.
Answer (B) is incorrect. CSA does integrate business objectives and risks with control processes.
Answer (C) is incorrect. CSA is also known as control/risk self-assessment.
Answer (D) is incorrect. Most implemented CSA programs share some key features and goals.

[197] Gleim #: 3.2.10
Control self-assessment is a process that involves employees in assessing the adequacy of controls and identifying opportunities for improvement within an organization. Which of the following are reasons to involve employees in this process?
I. Employees become more motivated to do their jobs right.
II. Employees are objective about their jobs.
III. Employees can provide an independent assessment of internal controls.
IV. Managers want feedback from their employees.
A. I and II.
B. III and IV.
C. I and IV.
D. II and IV.
Answer (A) is incorrect. Employees often lack the perspective required to be objective about their jobs or performance.
Answer (B) is incorrect. Although employees can be involved in assessing internal controls, their assessments are not independent.
Answer (C) is correct. Participation by employees has a positive effect on motivation because it tends to increase commitment to the job and results in greater personal satisfaction. Moreover, full employee participation requires two-way communication and therefore encourages feedback from employees.
Answer (D) is incorrect. Employees often lack the perspective required to be objective about their jobs or performance.

[198] Gleim #: 3.2.11
Which outcome can be derived from self-assessment methodologies?
A. Formal, hard controls are more easily identified and evaluated.
B. Management will become involved in and knowledgeable about the self-assessment process by serving as facilitators, scribes, and reporters for the work teams.
C. Auditors’ responsibility for the risk management and control processes of the organization will be reinforced.
D. People are motivated to take ownership of the control processes in their units and corrective actions taken by work teams are often more effective and timely.
Answer (A) is incorrect. Informal, soft controls are more easily identified and evaluated.
Answer (B) is incorrect. Internal auditors will become involved in and knowledgeable about the self-assessment process by serving as facilitators, scribes, and reporters for the work teams and as trainers of risk and control concepts supporting the CSA program.
Answer (C) is incorrect. Management’s responsibility for the risk management and control processes of the organization is reinforced, and managers will be less tempted to abdicate those activities to specialists, such as auditors.
Answer (D) is correct. One of the possible outcomes that may be derived from self-assessment methodologies is that people are motivated to take ownership of the control processes in their units and corrective actions taken by work teams are often more effective and timely.

[199] Gleim #: 3.2.12
Which type of facilitated approach format begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective?
A. Objective-based format.
B. Control-based format.
C. Process-based format.
D. Risk-based format.
Answer (A) is incorrect.
An objective-based format begins by identifying controls currently in place, then determining the residual risks.
Answer (B) is incorrect. A control-based format begins with the facilitator identifying the key risks and controls, then the group determining how well they are working.
Answer (C) is incorrect. A process-based format focuses on selected activities that are elements of a chain of processes.
Answer (D) is correct. A risk-based format focuses on listing the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and, then, examining the control procedures to determine if they are sufficient to manage the key risks. The aim of the workshop is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls formula.

[200] Gleim #: 3.2.13
The element(s) of a control self-assessment (CSA) performed using one of the facilitated team workshop approaches include(s)
I. Treating participating employees as process owners.
II. Taking surveys of employees regarding risks and controls.
III. Interviewing employees separately in the field.
A. I only.
B. II only.
C. II and III.
D. I, II, and III.
Answer (A) is correct. According to The IIA, an element of CSA is the gathering of a group of people into a same-time/same-place meeting, typically involving a facilitation seating arrangement (U-shaped table) and a meeting facilitator. The participants are ‘process owners’, i.e., management and staff who are involved with the particular issues under examination, who know them best, and who are critical to the implementation of appropriate process controls.
Answer (B) is incorrect.
The facilitated approach to CSA should be contrasted with an approach that merely surveys employees regarding risks and controls.
Answer (C) is incorrect. The facilitated approach to CSA should be contrasted with an approach that merely surveys employees regarding risks and controls or performing separate interviews in the field.
Answer (D) is incorrect. The facilitated approach to CSA should be contrasted with an approach that merely surveys employees regarding risks and controls or performing separate interviews in the field.

[201] Gleim #: 3.2.14
In which format of the facilitated approach does the facilitator identify the key risks and controls before the beginning of the workshop?
A. Control-based format.
B. Objective-based format.
C. Risk-based format.
D. Process-based format.
Answer (A) is correct. A control-based format focuses on how well the controls in place are working. Unlike with the objective-based and risk-based formats, the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.
Answer (B) is incorrect. An objective-based format begins by identifying controls currently in place, then determining the residual risks.
Answer (C) is incorrect. The risk-based format focuses on listing the risks to achieving an objective.
Answer (D) is incorrect. A process-based format focuses on selected activities that are elements of a chain of processes.

[202] Gleim #: 3.2.15
The aim of which format of the facilitated approach is to decide whether control procedures are working effectively and resulting in residual risks within an acceptable level?
A. Control-based format.
B. Objective-based format.
C. Process-based format.
D. Risk-based format.
Answer (A) is incorrect. The aim of a control-based format is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.
Answer (B) is correct. An objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls presently in place to support the objective and then determines the residual risks remaining. The aim of the workshop is to decide whether the control procedures are working effectively and are resulting in residual risks within an acceptable level.
Answer (C) is incorrect. The aim of a process-based format is to evaluate, update, validate, improve, and even streamline the whole process and its component activities.
Answer (D) is incorrect. The aim of a risk-based format is to determine significant residual risks.

[203] Gleim #: 3.2.16
Which of the three primary approaches of CSA programs should be used if management wants to minimize the time spent and costs incurred in gathering the information?
A. Self-certification approach.
B. Facilitated approach.
C. Auditor-produced analysis.
D. Questionnaire approach.
Answer (A) is incorrect. The self-certification approach can be time-consuming.
Answer (B) is incorrect. The facilitated approach can be time-consuming.
Answer (C) is incorrect. This is not one of the three primary approaches of CSA programs.
Answer (D) is correct.
The questionnaire approach of CSA uses a questionnaire that tends to ask mostly simple “Yes/No” or “Have/Have Not” questions that are carefully written to be understood by the target recipients. They are preferred if the culture in the organization may hinder open, candid discussions in workshop settings or if management desires to minimize the time spent and costs incurred in gathering the information.

[204] Gleim #: 3.2.17
Which one of the three primary types of CSA programs allows for internal auditor involvement to synthesize this analysis with other information to enhance the understanding about controls and to share the knowledge?
A. Facilitated approach.
B. Self-certification approach.
C. Questionnaire approach.
D. Auditor-produced analysis.
Answer (A) is incorrect. The facilitated approach gathers information from work teams representing different levels in the business unit or function.
Answer (B) is correct. The form of self-assessment called the self-certification approach covers most approaches by management groups to produce information about selected business processes, risk management activities, and control procedures. The internal auditor may synthesize this analysis with other information to enhance the understanding about controls and to share the knowledge with managers in business or functional units as part of the organization’s CSA program.
Answer (C) is incorrect. The questionnaire approach of CSA uses a questionnaire that tends to ask mostly simple “yes/no” or “have/have not” questions that are carefully written to be understood by the target recipients.
Answer (D) is incorrect. Auditor-produced analysis is not one of the three primary forms of CSA programs.

[205] Gleim #: 3.2.18
Which forms of control self-assessment assume that managers and members of work teams possess an understanding of risk and control concepts and use those concepts in communications?
A. The self-certification approach.
B. The self-certification approach and facilitated approach.
C. The self-certification approach and questionnaire approach.
D. All self-assessment programs.
Answer (A) is incorrect. Facilitated team workshops and surveys also assume that managers and members of the work teams possess an understanding of risk and control concepts and use those concepts in communications.
Answer (B) is incorrect. Surveys also assume that managers and members of the work teams possess an understanding of risk and control concepts and use those concepts in communications.
Answer (C) is incorrect. Facilitated team workshops also assume that managers and members of the work teams possess an understanding of risk and control concepts and use those concepts in communications.
Answer (D) is correct. All self-assessment programs assume that managers and members of the work teams possess an understanding of risk and control concepts and use those concepts in communications. For training sessions, to facilitate the orderly flow of workshop discussions and as a check on the completeness of the overall process, organizations often use a control framework, such as the COSO (Committee of Sponsoring Organizations) and CoCo (Canadian Criteria of Control Board) models.

[206] Gleim #: 3.2.19
In most programs, the internal audit activity’s investment in the organization’s CSA efforts is how large?
I. Internal audit sponsors, designs, implements, and in effect, owns the process; conducts the training; supplies the facilitators, scribes, and reporters; and orchestrates the participation of management and work teams.
II. Internal audit serves as an interested party and consultant to the whole process and as ultimate verifier of evaluations produced by the teams.
A. I only.
B. II only.
C. Usually somewhere between I and II.
D. Never more than II, and sometimes less.
Answer (A) is incorrect. This is the largest investment that internal audit may have in an organization’s CSA efforts.
Answer (B) is incorrect. This is the smallest investment that internal audit may have in an organization’s CSA efforts.
Answer (C) is correct. Internal auditing’s investment in some CSA programs is fairly significant. It may sponsor, design, implement and in effect, own the process; conduct the training; supply the facilitators, scribes, and reporters; and orchestrate the participation of management and work teams. In other CSA programs, the involvement is minimal, serving as interested party and consultant of the whole process and as ultimate verifier of the evaluations produced by the teams. In most programs, the investment in the organization’s CSA efforts is somewhere between the two extremes described above.
Answer (D) is incorrect. In most programs, internal audit’s investment is larger than described in II.

[207] Gleim #: 3.2.20
Control self-assessment (CSA) is a method for examining and evaluating the organization’s system of control, which includes
A. Risk analysis.
B. Self-assessment approaches.
C. Traditional internal auditing concepts.
D. All of the answers are correct.
Answer (A) is incorrect. Control self-assessment also includes self-assessment approaches and traditional internal auditing concepts.
Answer (B) is incorrect. Control self-assessment also includes risk analysis and traditional internal auditing concepts.
Answer (C) is incorrect.
Control self-assessment also includes risk analysis and self-assessment approaches.
Answer (D) is correct. Control self-assessment combines traditional auditing concepts, risk analysis, and self-assessment approaches. All three types of information are used while performing this type of assessment.

[208] Gleim #: 3.2.21
Which type of format of facilitated approaches focuses on the best way to accomplish the goals of the organization?
A. Process-based format.
B. Control-based format.
C. Risk-based format.
D. Objective-based format.
Answer (A) is incorrect. A process-based format focuses on selected activities that are elements of a chain of processes.
Answer (B) is incorrect. A control-based format focuses on how well the controls in place are working.
Answer (C) is incorrect. A risk-based format focuses on listing the risks to achieving an objective.
Answer (D) is correct. An objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls presently in place to support the objective and then determines the residual risk remaining.

[209] Gleim #: 3.2.22
Which phrase best describes a control-based control self-assessment process?
A. Evaluating, updating, and streamlining selected control processes.
B. Examining how well controls are working in managing key risks.
C. Analyzing the gap between control design and control frameworks.
D. Determining the cost-effectiveness of controls.
Answer (A) is incorrect. This phrase best describes a process-based approach, although control processes are not the only processes reviewed in this approach.
Answer (B) is correct. A control-based format focuses on how well the controls in place are working.
This format is different than the others because the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.
Answer (C) is incorrect. Comparing control design and control frameworks in a control-based approach does not adequately describe the process. A control-based process is more likely to examine the gap between control design and control effectiveness in managing risks.
Answer (D) is incorrect. Cost-effectiveness could be discussed in a control-based control self-assessment workshop, but it is not the primary focus of this process.

[210] Gleim #: 3.2.23
Which of the following factors is least essential to a successful control self-assessment (CSA) workshop?
A. Voting technology.
B. Facilitation training.
C. Prior planning.
D. Group dynamics.
Answer (A) is correct. Elements of CSA include front-end planning, preliminary audit work, a structured agenda, and reporting and development of action plans. Furthermore, according to The IIA, an element of CSA is the gathering of a group of people into a same-time/same-place meeting, typically involving a facilitation seating arrangement (U-shaped table) and a meeting facilitator. The participants are ‘process owners’, i.e., management and staff who are involved with the particular issues under examination, who know them best, and who are critical to the implementation of appropriate process controls.
Optional elements include the presence of a scribe to take an online transcription of the session and electronic voting technology to enable participants to voice their perceptions of the issues anonymously. Voting technology can increase efficiency, but it is not essential to success. Manual forms of recording views and giving group feedback are also effective.
Answer (B) is incorrect. CSA requires facilitation skills.
Answer (C) is incorrect. CSA requires careful planning.
Answer (D) is incorrect. CSA facilitators need to understand and manage group dynamics.

[211] Gleim #: 3.2.24
After reviewing the prior year’s internal audit recommendations, senior management has decided to adopt a control self-assessment (CSA) program using a questionnaire approach. The survey consists of descriptions of, and questions about, key controls. What is the effect on the next audit of adopting this CSA program?
A. Audit tests will be substantially eliminated.
B. The CSA survey must be controlled by the internal audit activity.
C. The internal auditors need to verify that the controls are in place and working as intended.
D. The internal audit activity will receive the results directly.
Answer (A) is incorrect. Some testing may be eliminated.
Answer (B) is incorrect. CSA is performed by management and work teams without supervision by the internal audit activity.
Answer (C) is correct. A CSA program may reduce the effort expended, but the existence and proper operation of the controls identified must still be verified.
Answer (D) is incorrect. Survey results are for the immediate benefit of people in the business units assessed.

[212] Gleim #: 3.3.25
In reviewing a cost-plus construction contract for a new catalog showroom, the internal auditor should be cognizant of the risk that
A. The contractor could be charging for the use of equipment not used in the construction.
B. Income taxes related to construction equipment depreciation may have been calculated erroneously.
C. Contractor cash budgets could have been inappropriately compiled.
D. Payroll taxes may have been inappropriately omitted from billings.
Answer (A) is correct. Under a cost-plus contract, the contractor receives a sum equal to cost plus a fixed amount or a percentage of cost. The disadvantages of this arrangement are that the contractor’s incentive for controlling costs is reduced and the opportunity to overstate costs is created. Consequently, internal auditors should be involved in monitoring economy and efficiency not only during the earliest phases of construction but also from the outset of the planning process.
Answer (B) is incorrect. Income tax provisions related to depreciation charges are not a risk; only those charges incurred under the terms of the contract constitute a risk.
Answer (C) is incorrect. Budgets inappropriately prepared do not affect contract costs and therefore do not constitute a risk.
Answer (D) is incorrect. The omission of taxes does not involve a risk of contract overcharges or inadequacies in construction. Possible delays in payment or underpayments from the omission are of less concern.

[213] Gleim #: 3.3.26
A company would like to contract for janitorial services for 1 year with 4 option years. The specifications require the potential contractor to perform certain cleaning services at specified intervals. Which of the following is the best contract type for this requirement?
A. Cost-reimbursable.
B. Indefinite delivery.
C. Fixed-price.
D. Time-and-materials.
Answer (A) is incorrect. Cost-reimbursable contracts are used when the requirements are complex and costs cannot be easily identified and estimated.
Answer (B) is incorrect.
Indefinite delivery contracts are used only when the supplies and/or service of future deliveries are not known at the time of contract award.
Answer (C) is correct. Fixed-price contracts are used when the requirements are well-defined, uncertainties can be identified and costs estimated, and there is adequate competition.
Answer (D) is incorrect. Time-and-materials contracts are used when it is not possible at the time of placing the contract to estimate accurately the duration of the work.

[214] Gleim #: 3.3.27
An internal auditor is conducting an audit of environmental protection and alarm devices. Which is the most significant objective of such an assignment? To determine whether
A. The devices are installed and operating properly.
B. The costs of the devices were properly recorded.
C. The device specification documents are complete.
D. Acquisitions and disposals are properly authorized.
Answer (A) is correct. The objective should be to determine whether the devices are working properly. For this purpose, the internal auditor must observe an actual test of the operation.
Answer (B) is incorrect. Recordkeeping is not as important as the effectiveness of such devices.
Answer (C) is incorrect. Specification documents become important only when repairs are needed.
Answer (D) is incorrect. Authorization is less important than effectiveness.

[215] Gleim #: 3.3.28
Which of the following does the internal auditor not have to review as thoroughly in a lump-sum contract?
A. Progressive payments.
B. Adjustments to labor costs.
C. Work completed in accordance with the contract.
D. Incentives associated with the contract.
Answer (A) is incorrect. The internal auditor should ensure that the contractor is receiving payment to meet expenses and complete the contract.
Answer (B) is incorrect.
Adjustments to labor cost may change the profitability of the contract and are of great importance to the internal auditor.
Answer (C) is correct. The internal auditor usually has little to evaluate when the work is performed in accordance with the contract. Further, the internal auditor may lack the technical expertise to know if the contract is being completed according to the terms.
Answer (D) is incorrect. Incentives such as a bonus for early completion affect the overall profitability of the contract and are frequently reviewed by the internal auditor.

[216] Gleim #: 3.3.29
No incentive for efficiency or economy may exist in a cost-plus construction contract for small, unique projects. The potential exists for inflated costs. An appropriate control to encourage efficiency and economy in these contracts is
A. Elimination of change orders to the contract.
B. Provision for maximum costs and sharing any savings.
C. Use of an agreed-upon price for each unit of work.
D. A checklist approach to the review of contract costs.
Answer (A) is incorrect. Elimination of all change orders is unreasonable.
Answer (B) is correct. Under a cost-plus contract, the contractor receives a sum equal to cost plus a fixed amount or a percentage of cost. This arrangement has the benefit to the contractor of allowing for the effects of events that cannot be specifically anticipated. The disadvantages are that the contractor’s incentive for controlling costs is reduced and the opportunity to overstate costs is created. Consequently, the contract should include a provision for maximum costs and sharing of any savings. The contractor will be encouraged to be efficient.
Answer (C) is incorrect. The use of an agreed-upon price for each unit of work constitutes a unit-price contract, not a cost-plus contract.
Answer (D) is incorrect.
A checklist approach to the review of contracts results in sterile reviews.

[217] Gleim #: 3.3.30
An auditor is scheduled to audit payroll controls for an organization that has recently outsourced its information processing to an external service provider (ESP). What action should the auditor take, considering the outsourcing decision?
A. Review the controls over payroll in both the organization and the ESP.
B. Review only the organization’s controls over data sent to and received from the ESP.
C. Review only the controls over payments to the ESP based on the contract.
D. Cancel the engagement because the processing is being performed outside of the organization.
Answer (A) is correct. Engagements involving third parties may be necessary when vital controls affecting transactions exist outside the organization. One example is the outsourcing of the organization’s information processing function to an external service provider (ESP). Although the processing is being performed outside the organization, the ESP is an extension of the organization’s information systems. As a result, control risk may be higher because an external organization’s controls are part of the organization’s controls. Also, the recency of the change and the complexity of communicating between the organization and the ESP increase the risk.
Answer (B) is incorrect. The internal controls at the ESP and the user organization interact with each other. Both must be reviewed.
Answer (C) is incorrect. Reviewing only the controls over payments to the ESP based on the contract narrows the scope of the engagement.
Answer (D) is incorrect. Controls must be evaluated regardless of their location.

[218] Gleim #: 3.3.31
Written agreements for external audit engagements are to be signed by the
A. Chief audit executive and internal auditors.
B. Service provider and engagement client.
C. Audit committee and chief audit executive.
D. Board of directors and chief audit executive.
Answer (A) is incorrect. The CAE and internal auditors represent the engagement client. The agreement should be signed by representatives of the engagement client and the service provider.
Answer (B) is correct. PA 2050-2 addresses the acquisition of external audit services. It states that service arrangements for external auditing should be documented in a written agreement signed by both the service provider and the engagement client.
Answer (C) is incorrect. The audit committee and the CAE represent the engagement client. The agreement should be signed by representatives of the engagement client and the service provider.
Answer (D) is incorrect. The board of directors and the CAE represent the engagement client. The agreement should be signed by representatives of the engagement client and the service provider.

[219] Gleim #: 3.4.32
The management and employees of a large household goods moving company decided to adopt total quality management (TQM) and continuous improvement (CI). The company believes that if it became nationally known as adhering to TQM and CI, one result would be an increase in the company’s profits and market share. The primary reason for adopting TQM was to achieve
A. Greater customer satisfaction.
B. Reduced delivery time.
C. Reduced delivery charges.
D. Greater employee participation.
Answer (A) is correct. TQM is an integrated system that anticipates, meets, and exceeds customers’ needs, wants, and expectations.
Answer (B) is incorrect. Reduced delivery time is one of many potential activities that need improvement.
Answer (C) is incorrect. Reduced delivery charges is one of many potential activities that need improvement.
Answer (D) is incorrect.
Increased employee participation is necessary to achieve TQM, but it is not the primary purpose for establishing the program.

[220] Gleim #: 3.4.33
Under a total quality management (TQM) approach,
A. Measurement occurs throughout the process, and errors are caught and corrected at the source.
B. Quality control is performed by highly trained inspectors at the end of the production process.
C. Upper management assumes the primary responsibility for the quality of the products and services.
D. A large number of suppliers are used in order to obtain the lowest possible prices.
Answer (A) is correct. Total quality management emphasizes quality as a basic organizational function. TQM is the continuous pursuit of quality in every aspect of organizational activities. One of the basic tenets of TQM is doing it right the first time. Thus, errors should be caught and corrected at the source.
Answer (B) is incorrect. Total quality management emphasizes discovering errors throughout the process, not inspection of finished goods.
Answer (C) is incorrect. All members of the organization assume responsibility for quality of the products and services.
Answer (D) is incorrect. The total quality management philosophy recommends limiting the number of suppliers to create a strong relationship.

[221] Gleim #: 3.4.34
Focusing on customers, promoting innovation, learning new philosophies, driving out fear, and providing extensive training are all elements of a major change in organizations. These elements are aimed primarily at
A. Copying leading organizations to better compete with them.
B. Focusing on the total quality of products and services.
C. Being efficient and effective at the same time, in order to indirectly affect profits.
D. Managing costs of products and services better, in order to become the low-cost provider.
Answer (A) is incorrect. Competitive benchmarking is just one tool for implementing TQM.
Answer (B) is correct. TQM is a comprehensive approach to quality. It treats the pursuit of quality as a basic organizational function that is as important as production or marketing. TQM is the continuous pursuit of quality in every aspect of organizational activities through a philosophy of doing it right the first time, employee training and empowerment, promotion of teamwork, improvement of processes, and attention to satisfaction of customers, both internal and external.
Answer (C) is incorrect. TQM’s primary focus is not profitability.
Answer (D) is incorrect. TQM’s primary focus is not cost reduction.

[222] Gleim #: 3.4.35
Total quality management in a manufacturing environment is best exemplified by
A. Identifying and reworking production defects before sale.
B. Designing the product to minimize defects.
C. Performing inspections to isolate defects as early as possible.
D. Making machine adjustments periodically to reduce defects.
Answer (A) is incorrect. TQM emphasizes prevention, not rework. The approach of TQM is to build in and design in quality, not to “fix it in” or “inspect it in.”
Answer (B) is correct. Total quality management emphasizes quality as a basic organizational function. TQM is the continuous pursuit of quality in every aspect of organizational activities. One of the basic tenets of TQM is doing it right the first time. Thus, errors should be caught and corrected at the source, and quality should be built in (designed in) from the start.
Answer (C) is incorrect. TQM emphasizes prevention, not inspection. The approach of TQM is to build in and design in quality, not to “fix it in” or “inspect it in.”
Answer (D) is incorrect. TQM emphasizes prevention, not adjustment.
The approach of TQM is to build in and design in quality, not to “fix it in” or “inspect it in.”

[223] Gleim #: 3.4.36
Which of the following statements about TQM is false?
A. This approach can increase revenues and decrease costs significantly.
B. TQM is a comprehensive approach to quality.
C. TQM begins with internal suppliers’ requirements.
D. TQM concepts are applicable to the operations of the internal audit activity itself.
Answer (A) is incorrect. TQM can increase revenues and decrease costs significantly.
Answer (B) is incorrect. TQM is a comprehensive approach to quality.
Answer (C) is correct. The emergence of the total quality management (TQM) concept is one of the most significant developments in recent years because this approach can increase revenues and decrease costs significantly. TQM is a comprehensive approach to quality. It treats the pursuit of quality as a basic organizational function that is as important as production or marketing. TQM emphasizes the supplier’s relationship with the customer. Thus, TQM begins with external customer requirements, identifies internal customer-supplier relationships and requirements, and establishes requirements for external suppliers. TQM concepts also are applicable to the operations of the internal audit activity itself. For example, periodic internal assessments of those operations may “include benchmarking of the internal audit activity’s practices and performance metrics against relevant best practices of the internal audit profession.” (PA 1311-1)
Answer (D) is incorrect. TQM concepts are applicable to the operations of the internal audit activity itself.

[224] Gleim #: 3.4.37
TQM is the continuous pursuit of quality in every aspect of organizational activities through a number of goals. Which of the following is not one of those goals?
A. A philosophy of doing it right the first time.
B. Promotion of individual work.
C. Employee training and empowerment.
D. Improvement of processes.
Answer (A) is incorrect. This goal is included in the definition of TQM.
Answer (B) is correct. TQM is the continuous pursuit of quality in every aspect of organizational activities through (1) a philosophy of doing it right the first time, (2) employee training and empowerment, (3) promotion of teamwork, (4) improvement of processes, and (5) attention to satisfaction of customers, both internal and external.
Answer (C) is incorrect. This goal is included in the definition of TQM.
Answer (D) is incorrect. This goal is included in the definition of TQM.

[225] Gleim #: 3.5.38
Internal auditors are often called upon to either perform or assist the external auditor in performing a due diligence review. A due diligence review may be a(n)
A. Review of interim financial statements as directed by an underwriting firm.
B. Operational audit of a division of an organization to determine if divisional management is complying with laws and regulations.
C. Review of operations as requested by the audit committee to determine whether the operations comply with audit committee and organizational policies.
D. Review of financial statements and related disclosures in conjunction with a potential acquisition.
Answer (A) is incorrect. Although the reviews may be used by the underwriter, they are not directed by the underwriter.
Answer (B) is incorrect. The due diligence review is not an internal operational audit.
Answer (C) is incorrect. The due diligence review is not an internal review for compliance with organizational policies.
Answer (D) is correct. A due diligence engagement is a service to determine the business justification for a major transaction, such as a business combination, and whether that justification is valid.
Thus, the internal auditors and others may be part of a team that reviews the acquiree’s operations, controls, financing, or disclosures of financial information.

[226] Gleim #: 3.5.39
An internal audit team is performing a due diligence audit to assess plans for a potential merger/acquisition. Which of the following would be the least valid reason for a company to merge with or acquire another company?
A. To diversify risk.
B. To respond to government policy.
C. To reduce labor costs.
D. To increase stock prices.
Answer (A) is incorrect. The usual justifications for a combination include risk management through diversifying the businesses in which the organization is engaged.
Answer (B) is incorrect. A change in governmental policy, for example, relaxation of antitrust laws, is also a valid reason for a business combination. A larger organization may be able to achieve greater economies of scale and competitive advantage.
Answer (C) is incorrect. A business combination may result in cost synergies, for example, by eliminating duplicative functions.
Answer (D) is correct. A due diligence engagement is a service to determine the business justification for a major transaction, such as a business combination, and whether that justification is valid. Thus, the internal auditors and others may be part of a team that reviews the acquiree’s operations, controls, financing, or disclosures of financial information. Increasing stock prices is not often a valid reason for a merger or acquisition. A business combination should be undertaken because it offers long-term fundamental competitive advantages. Increasing stock prices is an effect that can be achieved through other methods that directly improve the organization’s performance.
[227] Gleim #: 3.5.40
An organization is considering purchasing a small toxic waste disposal business. The internal auditors are part of the team doing a due diligence review for the acquisition. The scope of the internal auditors’ work will most likely not include
A. An evaluation of the merit of lawsuits currently filed against the acquiree.
B. A review of the acquiree’s procedures for acceptance of waste material and comparison with legal requirements.
C. Analysis of the acquiree’s compliance with, and disclosure of, loan covenants.
D. Assessment of the efficiency of the operations of the acquiree.
Answer (A) is correct. An evaluation of the merit of lawsuits requires legal expertise.
Answer (B) is incorrect. Compliance with laws, regulations, and contracts is within the scope of internal auditing.
Answer (C) is incorrect. Compliance with laws, regulations, and contracts is within the scope of internal auditing.
Answer (D) is incorrect. Internal auditors evaluate controls, including those over effectiveness and efficiency of operations.

[228] Gleim #: 3.5.41
Who determines whether the internal audit activity has access to resources sufficient to evaluate the reliability and integrity of information?
A. The chief executive officer.
B. The chief audit executive.
C. The external auditor.
D. The chief operating officer.
Answer (A) is incorrect. The CAE must make a determination of whether the internal audit activity has the resources to meet its obligations.
Answer (B) is correct. The chief audit executive determines whether the internal audit activity possesses, or has access to, competent audit resources to evaluate information reliability and integrity and associated risk exposures.
These risk exposures may be internal or external, including those relating to the organization’s relationships with outside entities (PA 2130.A1-1).
Answer (C) is incorrect. The CAE must make a determination of whether the internal audit activity has the resources to meet its obligations.
Answer (D) is incorrect. The CAE must make a determination of whether the internal audit activity has the resources to meet its obligations.

[229] Gleim #: 3.5.42
Which of the following statements is false with respect to information security?
A. Internal auditors should determine that senior management and the board, audit committee, or other governing body have a clear understanding that information reliability and integrity is the responsibility of the internal audit activity.
B. The chief audit executive should determine that the internal audit activity possesses, or has access to, competent auditing resources to evaluate information security and associated risk exposures.
C. Internal auditors should periodically assess the organization’s information security practices and recommend, as appropriate, enhancements to, or implementation of, new controls and safeguards.
D. Internal auditors should assess the effectiveness of preventive, detective, and mitigative measures against past attacks, as deemed appropriate, and future attempts or incidents deemed likely to occur.
Answer (A) is correct. According to PA 2130.A1-1, “Internal auditors determine whether senior management and the board have a clear understanding that information reliability and integrity is a management responsibility. This responsibility includes all critical information of the organization, regardless of how the information is stored.”
Answer (B) is incorrect. This is a correct statement about information security according to PA 2130.A1-1.
Answer (C) is incorrect. This is a correct statement about information security according to PA 2130.A1-1.
Answer (D) is incorrect.
This is a correct statement about information security according to PA 2130.A1-1.

[230] Gleim #: 3.5.43
The internal auditors’ ultimate responsibility for information security includes
A. Identifying technical aspects, risks, processes, and transactions to be examined.
B. Determining the scope and degree of testing to achieve engagement objectives.
C. Periodically assessing information security practices.
D. Documenting engagement procedures.
Answer (A) is incorrect. An engagement work program is part of the planning process, which includes identifying technical aspects, risks, processes, and transactions to be examined.
Answer (B) is incorrect. An engagement work program is part of the planning process, which includes determining the scope and degree of testing to achieve engagement objectives.
Answer (C) is correct. Internal auditors should periodically assess the organization’s information security practices and recommend, as appropriate, enhancements to, or implementation of, new controls and safeguards. Following an assessment, an assurance report should be provided to the board. Such assessments can either be conducted as separate stand-alone engagements or as multiple engagements integrated into other audits or engagements conducted as part of the approved audit plan.
Answer (D) is incorrect. An engagement work program is part of the planning process, which includes documenting engagement procedures.

[231] Gleim #: 3.5.44
Which of the following is not a role of the internal audit activity in performing assurance services?
A. Assessing information systems security risks.
B. Working with information system users and system security personnel to implement controls.
C. Monitoring the implementation of corrective action.
D. Evaluating security controls.
Answer (A) is incorrect.
Assessing information systems security risks is part of the role of the internal audit activity with respect to assurance services.
Answer (B) is correct. The role of the internal audit activity with respect to assurance services is to assess information systems security risks, monitor the implementation of corrective action, and evaluate security controls. The internal audit activity may also function in a consulting capacity by identifying security issues and by working with users of information systems and with systems security personnel to devise and implement controls.
Answer (C) is incorrect. Monitoring the implementation of corrective action is part of the role of the internal audit activity with respect to assurance services.
Answer (D) is incorrect. Evaluating security controls is part of the role of the internal audit activity with respect to assurance services.

[232] Gleim #: 3.6.45
The legislative auditing bureau of a country is required to perform compliance engagements involving organizations that are issued defense contracts on a cost-plus basis. Contracts are clearly written to define acceptable costs, including developmental research cost and appropriate overhead rates. During the past year, the government has engaged in extensive outsourcing of its activities. The outsourcing included contracts to run cafeterias, provide janitorial services, manage computer operations and systems development, and provide engineering of construction projects. The contracts were modeled after those used for years in the defense industry. The legislative internal auditors are being called upon to expand their efforts to include compliance engagements involving these contracts.
Upon initial investigation of these outsourced areas, the internal auditor found many areas in which the outsourced management has apparently expanded its authority and responsibility. For example, the contractor that manages computer operations has developed a highly sophisticated security program that may represent the most advanced information security in the industry. The internal auditor reviews the contract and sees reference only to providing appropriate levels of computing security. The internal auditor suspects that the governmental agency may be incurring developmental costs that the outsourcer may use for competitive advantage in marketing services to other organizations.
Management has asked the internal auditor to recommend monitoring controls that management could establish to provide timely oversight of the information systems contract. Which of the following is the least effective monitoring control?
A. Require monthly internal reports summarizing overhead rates used in billings.
B. Require monthly reports by the outsourcer of total costs billed and services rendered.
C. Use internal auditors to investigate the appropriateness of costs, as part of a yearly engagement to evaluate the outsourcer.
D. Randomly investigate selected cost accounts throughout the year to determine that all the expenses are properly charged to the governmental unit.
Answer (A) is incorrect. Monthly reporting is a monitoring control that provides timely information to management as to whether this activity is out of control.
Answer (B) is incorrect. Monthly reporting is a monitoring control that provides timely information to management as to whether this activity is out of control.
Answer (C) is correct. A yearly engagement to evaluate the outsourcer pertains to compliance, not monitoring. This control procedure is not timely because it occurs only once a year and does not provide prompt feedback for corrective action.
Answer (D) is incorrect.
Randomly selecting transactions throughout the year is an ongoing process of testing the validity of expenses.

[233] Gleim #: 3.6.46
Which of the following is part of the board’s role in protecting against privacy threats?
A. Establishing a privacy framework.
B. Identifying the information gathered by the organization that is deemed personal or private.
C. Identifying the methods used to collect information.
D. Determining whether the use of the information collected is in accordance with its intended use and the laws.
Answer (A) is correct. The board is ultimately accountable for ensuring that the principal risks of the organization have been identified, and the appropriate control processes have been implemented to mitigate those risks. This includes establishing the necessary privacy framework for the organization and monitoring its implementation (PA 2130.A1-2).
Answer (B) is incorrect. Identification of the information gathered by the organization that is deemed personal or private is a duty of the internal auditors.
Answer (C) is incorrect. Identification of the collection methods used is a duty of the internal auditors.
Answer (D) is incorrect. Determining whether the use of the information collected is in accordance with its intended use and the laws is a duty of the internal auditors.

[234] Gleim #: 3.6.47
Personal information may include
I. Medical status
II. Social status
III. Credit records
IV. Disciplinary actions
A. I, II, and IV only.
B. I only.
C. I and II only.
D. I, II, III, and IV.
Answer (A) is incorrect. Credit records are considered personal information.
Answer (B) is incorrect. Social status, credit records, and disciplinary actions are considered personal information.
Answer (C) is incorrect. Credit records and disciplinary actions are considered personal information.
Answer (D) is correct. PA 2130.A1-2 gives the following examples of information that may be personal: (1) medical status, (2) social status, (3) family relationships, (4) disciplinary actions, (5) name, (6) address, (7) identification numbers, (8) income, (9) financial status, (10) comments, (11) employee files, (12) evaluations, and (13) credit records.

[235] Gleim #: 3.6.48
The reliability and integrity of all critical information of an organization, regardless of the media in which the information is stored, is the responsibility of
A. Shareholders.
B. IT department.
C. Management.
D. All employees.
Answer (A) is incorrect. Management has the ultimate responsibility for the reliability and integrity of all critical information.
Answer (B) is incorrect. Management has the ultimate responsibility for the reliability and integrity of all critical information.
Answer (C) is correct. Internal auditors determine whether senior management and the board have a clear understanding that information reliability and integrity is a management responsibility (PA 2130.A1-1, para. 1). Information reliability and integrity includes accuracy, completeness, and security.
Answer (D) is incorrect. Management has the ultimate responsibility for the reliability and integrity of all critical information.

[236] Gleim #: 3.6.49
Freedom from monitoring best defines
A. Personal privacy.
B. Privacy of space.
C. Privacy of communication.
D. Privacy of information.
Answer (A) is incorrect. Personal privacy is physical and psychological.
Answer (B) is incorrect. Privacy of space is freedom from surveillance.
Answer (C) is correct.
Privacy may encompass (1) personal privacy (physical and psychological), (2) privacy of space (freedom from surveillance), (3) privacy of communication (freedom from monitoring), and (4) privacy of information (collection, use, and disclosure of personal information by others) (PA 2130.A1-2, para. 2).
Answer (D) is incorrect. Privacy of information is freedom from collection, use, and disclosure of personal information by others.

[237] Gleim #: 3.6.50
When evaluating management of the organization’s privacy framework, the internal auditor considers
A. The applicable laws relating to privacy.
B. Conferring with in-house legal counsel.
C. Conferring with information technology specialists.
D. All of the answers are correct.
Answer (A) is incorrect. The internal auditor also considers conferring with in-house counsel and information technology specialists.
Answer (B) is incorrect. The internal auditor also considers the applicable laws, regulations, and policies relating to privacy and conferring with information technology specialists.
Answer (C) is incorrect. The internal auditor also considers the applicable laws, regulations, and policies relating to privacy and conferring with in-house legal counsel.
Answer (D) is correct. In an evaluation of the privacy framework, the internal auditor considers the following: The various laws, regulations, and policies relating to privacy in the jurisdictions where the organization operates. Conferring with in-house legal counsel to determine the exact nature of laws, regulations, and other standards and practices applicable to the organization and the countries where it operates. Conferring with information technology specialists to determine that information security and data protection controls are in place and regularly reviewed and assessed for appropriateness.
The level or maturity of privacy practices (PA 2130.A1-2, para. 7).

[238] Gleim #: 3.6.51
Which of the following privacy terms is matched with an accurate example of the term?
Term - Example
A. Privacy of space - Freedom from surveillance
B. Privacy of information - Freedom from monitoring
C. Personal privacy - Freedom from monitoring
D. Privacy of communication - Freedom from surveillance
Answer (A) is correct. Risks associated with the privacy of information encompass personal privacy (physical and psychological), privacy of space (freedom from surveillance), privacy of communication (freedom from monitoring), and privacy of information (collection, use, and disclosure of personal information by others) (PA 2130.A1-2, para. 2).
Answer (B) is incorrect. Privacy of information includes collection, use, and disclosure of personal information by others.
Answer (C) is incorrect. Personal privacy includes physical and psychological.
Answer (D) is incorrect. Privacy of communication includes freedom from monitoring.

[239] Gleim #: 3.7.52
An engagement to evaluate a transportation department is being conducted. Review procedures include an analysis of “rush shipment” requests. The engagement objective in this case is the
A. Financial settlement of the rush shipment.
B. Transportation arrangements to be used for rush shipments.
C. Determination of the need for rush shipment services.
D. Handling of claims for undelivered rush shipment goods.
Answer (A) is incorrect. The emphasis in an analysis of requests for a service is on need, not how the service will be paid for.
Answer (B) is incorrect. The engagement objective is to examine the generation of requests, not the methods by which they are granted.
Answer (C) is correct.
An internal auditor concerned with the efficiency and effectiveness of the transportation function should inquire about the entity’s procedures for addressing the appropriate means of moving items from one location to another. Because rush shipment methods tend to be more expensive than the alternatives, the internal auditor should examine the authorization procedures and criteria for such treatment and the possibilities for reducing or eliminating the need.
Answer (D) is incorrect. Analysis of claims against shipment agencies ordinarily does not shed light on the reasons for rush shipment requests.

[240] Gleim #: 3.7.53
An operational engagement communication that concerns the scrap disposal function in a manufacturer should address
A. The efficiency and effectiveness of the scrap disposal function and include any observations requiring corrective action.
B. Whether the scrap material inventory is reported as a current asset.
C. Whether the physical inventory count of the scrap material equals the recorded amount.
D. Whether the scrap material inventory is valued at the lower of cost or market.
Answer (A) is correct. An operational engagement involves appraising “the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives” (Sawyer’s Internal Auditing, 5th ed., p. 30). Thus, an engagement communication should inform management about the efficiency and effectiveness of the given operations and should discuss observations requiring corrective action.
Answer (B) is incorrect. An engagement communication should address the efficiency and effectiveness of the function being evaluated, not reporting in the financial statements.
Answer (C) is incorrect. Agreement between the records and the items being evaluated is a primary concern in a financial audit.
Answer (D) is incorrect. Valuation is an issue in a financial audit.

[241] Gleim #: 3.7.54
Which of the following criteria would be most useful to a sales department manager in evaluating the performance of the manager’s customer-service group?
A. The customer is always right.
B. Customer complaints should be processed promptly.
C. Employees should maintain a positive attitude when dealing with customers.
D. All customer inquiries should be answered within 7 days of receipt.
Answer (A) is incorrect. Customer orientation is difficult to quantify.
Answer (B) is incorrect. The standard specified is vague.
Answer (C) is incorrect. No measure of a positive attitude has been specified for the employee.
Answer (D) is correct. A criterion that requires all customer inquiries to be answered within 7 days of receipt permits accurate measurement of performance. The quantitative and specific nature of the appraisal using this standard avoids the vagueness, subjectivity, and personal bias that may afflict other forms of personnel evaluations.

[242] Gleim #: 3.7.55
Using the balanced scorecard approach, an organization evaluates managerial performance based on
A. A single ultimate measure of operating results, such as residual income.
B. Multiple financial and nonfinancial measures.
C. Multiple nonfinancial measures only.
D. Multiple financial measures only.
Answer (A) is incorrect. The balanced scorecard approach uses multiple measures.
Answer (B) is correct. The trend in managerial performance evaluation is the balanced scorecard approach. Multiple measures of performance permit a determination as to whether a manager is achieving certain objectives at the expense of others that may be equally or more important. These measures may be financial or nonfinancial and usually include items in four categories: (1) financial; (2) customer; (3) internal business processes; and (4) learning, growth, and innovation.
Answer (C) is incorrect. The balanced scorecard approach includes financial measures.
Answer (D) is incorrect. The balanced scorecard approach includes nonfinancial measures.

[243] Gleim #: 3.7.56
Managerial performance may be measured in many ways. For example, an internal nonfinancial measure is
A. Market share.
B. Delivery performance.
C. Customer satisfaction.
D. Manufacturing lead time.
Answer (A) is incorrect. Market share is an external nonfinancial measure.
Answer (B) is incorrect. Delivery performance is an external nonfinancial measure.
Answer (C) is incorrect. Customer satisfaction is an external nonfinancial measure.
Answer (D) is correct. Feedback regarding managerial performance may take the form of financial and nonfinancial measures that may be internally or externally generated. Moreover, different measures have a long-term or short-term emphasis. Examples of internal nonfinancial measures are product quality, new product development time, and manufacturing lead time (cycle time).

[244] Gleim #: 3.7.57
An organization’s managerial decision-making model for capital budgeting is based on the net present value of discounted cash flows. The same organization’s managerial performance evaluation model is based on annual divisional return on investment. Which of the following is true?
A. Divisional managers are likely to maximize the measures in the decision-making model.
B. Divisional managers are likely to maximize the measures in the performance evaluation model.
C. The manager has an incentive to accept a project with a positive net present value that initially has a negative effect on net income.
D. The use of models with different criteria promotes goal congruence.
Answer (A) is incorrect. Self-interest provides an incentive to maximize the measures used in performance evaluation.
Answer (B) is correct.
Effective management control requires performance measurement and feedback. This process affects allocation of resources to organizational subunits. It also affects decisions about managers’ compensation, advancement, and future assignments. Furthermore, evaluating their performance serves to motivate managers to optimize the measures in the performance evaluation model. However, that model may be inconsistent with the organization’s model for managerial decision making.
Answer (C) is incorrect. A manager evaluated on the basis of annual ROI has an interest in maximizing short-term net income, not long-term NPV.
Answer (D) is incorrect. The models should be synchronized so that the goals of the organization and the manager are congruent.

[245] Gleim #: 3.7.58
On a balanced scorecard, which of the following is not a customer measure?
A. Market share.
B. Economic value added.
C. Service response time.
D. Warranty expense.
Answer (A) is incorrect. Market share and its trend is a customer measure.
Answer (B) is correct. Customer measures include market share and its trend, service response time, delivery performance, warranty returns, expense, complaints, and survey results. Economic value added, or EVA, is a financial measure.
Answer (C) is incorrect. Service response time is a customer measure.
Answer (D) is incorrect. Warranty expense is a customer measure.

[246] Gleim #: 3.7.59
A performance audit engagement typically involves
A. Review of financial statement information, including the appropriateness of various accounting treatments.
B. Tests of compliance with policies, procedures, laws, and regulations.
C. Appraisal of the business and control environment and comparison against established criteria.
D. Evaluation of organizational and departmental structures, including assessments of process flows.
Answer (A) is incorrect. Financial engagements involve review of financial information.
Answer (B) is incorrect. Compliance engagements involve examining control procedures and compliance with them.
Answer (C) is correct. Performance audit engagements involve review of the business and control environment and key performance indicators against set criteria using balanced scorecards, SWOT analysis, and management control evaluation. A balanced scorecard is an evaluation of company performance against established criteria. SWOT analysis appraises the business and potentially the control environment.
Answer (D) is incorrect. Operational engagements involve reviewing organizational and departmental structures.

[247] Gleim #: 3.7.60
An auditor is reviewing an organization’s plan for developing a performance scorecard. Which of the following potential performance measures should the auditor recommend excluding from the performance scorecard?
A. Product innovation.
B. Market share.
C. Customer satisfaction.
D. Employee development.
Answer (A) is correct. The trend in managerial performance evaluation is the balanced scorecard approach. Multiple measures of performance permit a determination as to whether a manager is achieving certain objectives at the expense of others that may be equally or more important. For example, an improvement in operating results at the expense of new product development would be apparent using this approach. The scorecard is a goal congruence tool that informs managers about the nonfinancial factors that top management believes to be important. Measures may be financial or nonfinancial, internal or external, and short term or long term.
A typical scorecard includes measures in four categories: profitability; customer satisfaction; innovation; and efficiency, quality, and time. Innovations in the production of goods or services do not typically lend themselves to ongoing performance measurement.
Answer (B) is incorrect. Key results in market share track changes in the organization’s competitive position.
Answer (C) is incorrect. Key results in customer satisfaction help predict future sales.
Answer (D) is incorrect. Key results in employee development help predict the ability to attract and retain good employees.

[248] Gleim #: 3.7.61
Which type of engagement focuses on operations and how effectively and efficiently the organizational units affected will cooperate?
A. Program-results engagement.
B. Process engagement.
C. Privacy engagement.
D. Compliance engagement.
Answer (A) is incorrect. A program-results engagement obtains information about the costs, outputs, benefits, and effects of a program.
Answer (B) is correct. Process engagements tend to be challenging because of their scope and the need to deal with subunits that may have conflicting objectives.
Answer (C) is incorrect. Privacy engagements address the security of personal information.
Answer (D) is incorrect. Compliance engagements address compliance with all laws and regulations.

[249] Gleim #: 3.7.62
Which type of engagement attempts to measure the accomplishment and relative success of the undertaking?
A. Program-results engagement.
B. Privacy engagement.
C. Process engagement.
D. Compliance engagement.
Answer (A) is correct. A program-results engagement obtains information about the costs, outputs, benefits, and effects of a program. It attempts to measure the accomplishment and relative success of the undertaking.
Because benefits often cannot be quantified in financial terms, a special concern is the ability to measure effectiveness. A program is a funded activity not part of the normal, continuing operations of the organization.
Answer (B) is incorrect. A privacy engagement addresses the security of personal information.
Answer (C) is incorrect. A process engagement addresses how effectively and efficiently operating units cooperate.
Answer (D) is incorrect. A compliance engagement addresses compliance with related laws and regulations.

[250] Gleim #: 3.7.63
A program-results engagement
A. Obtains information about the costs of the program.
B. Attempts to measure the accomplishment and success of the program.
C. Concerns the ability to measure the effectiveness of the program.
D. All of the answers are correct.
Answer (A) is incorrect. A program-results engagement also attempts to measure the accomplishment and success of the program and concerns the ability to measure the effectiveness of the program.
Answer (B) is incorrect. A program-results engagement also obtains information about the costs of the program and concerns the ability to measure the effectiveness of the program.
Answer (C) is incorrect. A program-results engagement also obtains information about the costs of the program and attempts to measure the accomplishment and success of the program.
Answer (D) is correct. A program-results engagement is intended to obtain information about the costs, outputs, benefits, and effects of the program. It attempts to measure the accomplishment and relative success of the undertaking. Because benefits often cannot be quantified in financial terms, a special concern is the ability to measure effectiveness.

[251] Gleim #: 3.7.64
During an operational engagement, an internal auditor observes a large number of above-ground storage containers and a large amount of black emissions from a smokestack. The organization has an environmental safety department. The engagement is not designed to consider environmental concerns. The best course of action is to
A. Make a note to consider environmental risk concerns when developing the engagement plan for the next year, but do not expand the scope of the existing engagement because the budget and risk priorities are already set.
B. Report the observations to the engagement committee and seek their advice on whether the engagement should be expanded for the environmental audit.
C. Document the observations and report them to the environmental safety department. Determine if their response will be timely, and follow-up to determine if they have taken timely action.
D. Inquire of local management as to the use of the storage tanks to determine if they are properly classified as an asset. Do not take action on the environmental issues because the internal auditor is untrained in the area, and such action is the responsibility of an already existing department.
Answer (A) is incorrect. The internal auditor cannot ignore information about a potentially large risk.
Answer (B) is incorrect. More information is needed before reporting to the audit committee. The internal auditor should first contact the organization’s environmental safety department.
Answer (C) is correct. An internal auditor cannot ignore information gathered during the course of an engagement regardless of whether it is pertinent to the engagement being conducted.
Because environmental concerns present potentially large risks to most organizations, the internal auditor should determine that the environmental safety department is aware of the concerns and is actively monitoring the situation. Follow-up is necessary.
Answer (D) is incorrect. The internal auditor should contact the environmental safety department and follow-up the department’s actions. (S)he cannot ignore information gathered.

[252] Gleim #: 3.7.65
A sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes the cost may be too high and has asked for a review by the internal audit activity. Which of the following procedures would be the least useful to determine the effectiveness of the promotion?
A. Comparing product sales during the promotion period with sales during a similar non-promotion period.
B. Comparing the unit cost of the products sold before and during the promotion period.
C. Performing an analysis of marginal revenue and marginal cost for the promotion period, compared to the period before the promotion.
D. Performing a review of the sales department’s benchmarks used to determine the success of a promotion.
Answer (A) is incorrect. This comparison helps highlight the effectiveness of the promotion in increasing revenues.
Answer (B) is correct. The facts do not indicate that the cost of the products sold has changed. Moreover, this procedure does not consider the revenue effects of the promotion. The challenge is to address the overall effectiveness of the promotion.
Answer (C) is incorrect. The key analysis is to determine the effect on the organization’s contribution margin (revenues – variable costs).
Answer (D) is incorrect.
This procedure is helpful if the sales department has useful information on new customers and repeat purchases.

[253] Gleim #: 3.8.66
The internal audit activity evaluates controls in response to risks in governance systems regarding
A. Compliance with contracts.
B. Strategic planning.
C. Formation of a governance committee of the board.
D. Formation of an audit committee of the board.
Answer (A) is correct. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to the risks within the organization’s governance, operations, and information systems regarding the (1) reliability and integrity of financial and operational information; (2) effectiveness and efficiency of operations; (3) safeguarding of assets; and (4) compliance with laws, regulations, and contracts (Impl. Std. 2130.A1).
Answer (B) is incorrect. Strategic planning is part of the governance function of strategic direction. The assurance provided by the internal audit activity is part of the governance function of oversight.
Answer (C) is incorrect. The internal audit activity addresses the (1) reliability and integrity of financial and operational information; (2) effectiveness and efficiency of operations; (3) safeguarding of assets; and (4) compliance with laws, regulations, and contracts, not the formation of board committees.
Answer (D) is incorrect. As part of its assurance function, the internal audit activity does not address formation of board committees.

[254] Gleim #: 3.8.67
Compliance programs assist organizations by doing which of the following?
I. Evaluating business continuity.
II. Determining director and officer liability.
III. Evaluating disaster recovery plans.
A. I only.
B. II only.
C. I and II only.
D. I, II, and III.
Answer (A) is incorrect.
Evaluating the business continuity is a way in which ecommerce activities assist an organization, not compliance programs.
Answer (B) is correct. Compliance programs assist organizations in preventing inadvertent employee violations, detecting illegal activities, and discouraging intentional employee violations. Evaluating the business continuity and disaster recovery plans are major components of auditing contingency planning.
Answer (C) is incorrect. Evaluating the business continuity is a way in which ecommerce activities assist an organization, not compliance programs.
Answer (D) is incorrect. Evaluating the business continuity and disaster recovery plans are both major components of auditing e-commerce activities.

[255] Gleim #: 3.8.68
Internal audit engagements vary in their degree of objectivity. Of the following, which is likely to be the most objective?
A. Compliance engagement relating to an organization’s overtime policy.
B. Operational engagement relating to the personnel function’s hiring and firing procedures.
C. Performance engagement relating to the marketing department.
D. Financial control engagement relating to payroll procedures.
Answer (A) is correct. A compliance engagement relating to overtime policy is likely to be the most objective. It determines whether actual operations conform to specific management policies and procedures, which are likely to be well defined and documented. For example, determining whether overtime was properly paid requires less judgment than whether a control is properly designed.
Answer (B) is incorrect. An operational engagement relating to hiring and firing procedures involves substantial subjectivity. Personnel decisions are difficult to quantify.
Answer (C) is incorrect. Evaluating the creative activities of the marketing department is highly subjective.
Answer (D) is incorrect. Assessment of financial control over payroll procedures is somewhat subjective. Control may be achieved in various ways.

[256] Gleim #: 3.8.69
An organization establishes compliance standards and procedures and develops a written business code of conduct to be followed by its employees. Which of the following is true concerning business codes of conduct and the compliance standards?
A. Compliance standards should be straightforward and reasonably capable of reducing the prospect of criminal conduct.
B. The compliance standards should be codified in the charter of the audit committee.
C. Companies with international operations should institute various compliance programs, based on selective geographic locations, that reflect appropriate local regulations.
D. In order to prevent future legal liability, the code should consist of legal terms and definitions.
Answer (A) is correct. The code of conduct should clearly identify prohibited activities, making compliance standards reasonably capable of reducing the prospect of criminal conduct (i.e., discouraging intentional employee violations). In addition, codes that are straightforward and fair tend to decrease the risk that employees will engage in unethical or illegal behavior.
Answer (B) is incorrect. Among the items that must be included in the audit committee charter is reviewing the process for communicating the code of conduct to company personnel and for monitoring compliance therewith; actually codifying the compliance standards is inappropriate.
Answer (C) is incorrect. Companies with international operations should institute a compliance program on a global basis, not just for selective geographic locations. Such programs should reflect appropriate local conditions, laws, and regulations.
Answer (D) is incorrect. The code should be written in a language that all employees can understand, avoiding legalese.

[257] Gleim #: 3.8.70
Employees have the most confidence in a hotline monitored by which of the following?
A. An expert from the legal department, backed by a nonretaliation policy.
B. An in-house representative, backed by a retaliation policy.
C. An on-site ombudsperson, backed by a nonretaliation policy.
D. An off-site attorney who can better protect attorney-client privilege.
Answer (A) is incorrect. Employees have little confidence in hotlines answered by the legal department.
Answer (B) is incorrect. A retaliation policy would dissuade whistleblowers from coming forth due to concern over possible backlash.
Answer (C) is correct. Although an attorney monitoring the hotline is better able to protect attorney-client and work-product privileges, one study observed that employees have little confidence in hotlines answered by the legal department or by an outside service. The same study showed that employees have even less confidence in write-in reports or an off-site ombudsperson, but have the most confidence in hotlines answered by an in-house representative (or an on-site ombudsperson) and backed by a nonretaliation policy.
Answer (D) is incorrect. Employees have little confidence in hotlines monitored by the legal department or by an external service provider. Thus, they would have even less confidence in an outside attorney.

[258] Gleim #: 3.8.71
Discipline of employees may be limited by all of the following except
A. Whistleblower laws.
B. A requirement to report certain employee violations to a governmental entity.
C. Union contracts.
D. Exceptions to the employee-at-will doctrine.
Answer (A) is incorrect. Whistleblower laws limit the termination or other discipline of employees.
Answer (B) is correct.
Termination or other discipline of employees may be limited by (1) whistleblower laws; (2) exceptions to the employee-at-will doctrine (the right of an employer to fire an employee for any reason); (3) employee or union contracts; and (4) employer responsibilities with regard to discrimination, wrongful discharge, and requirements to act in good faith. However, a governmental requirement that an entity report certain employee violations is not itself a limitation on the employer’s power to discipline employees.
Answer (C) is incorrect. Union contracts limit the termination or other discipline of employees.
Answer (D) is incorrect. Exceptions to the employee-at-will doctrine limit the termination or other discipline of employees.

[259] Gleim #: 3.8.72
A certified internal auditor is the chief audit executive for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding. The internal auditors randomly select participants in the job retraining program for the past year to verify that they had met all the eligibility requirements. This type of engagement is concerned with
A. Compliance.
B. Operational effectiveness.
C. Economy and efficiency.
D. Program results.
Answer (A) is correct. The scope of work of internal auditing includes assurance services that involve evaluating the risk exposures and controls relating to the organization’s governance, operations, and information systems. This evaluation extends to risk exposures and controls regarding compliance with laws, regulations, and contracts.
Selection of participants in the job retraining program to verify satisfaction of eligibility requirements is a compliance procedure.
Answer (B) is incorrect. An operational effectiveness engagement consists of a comprehensive review of the overall job retraining program.
Answer (C) is incorrect. An economy and efficiency engagement considers the cost of the program compared with objectives achieved.
Answer (D) is incorrect. A program-results engagement attempts to measure accomplishments and relative success of the program.

[260] Gleim #: 3.8.73
A certified internal auditor is the chief audit executive for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding. The chief audit executive plans an engagement to verify that the job retraining program complies with applicable grant provisions. One of the provisions is that the city adopt a budget for the program and subsequently follow procedures to ensure that the budget is adhered to and that only allowable costs are charged to the program. In performing an engagement concerning compliance with this provision, the internal auditors should perform all of the following procedures except
A. Determine that the budget was reviewed and approved by supervisory personnel within the city.
B. Determine that the budget was reviewed and approved by supervisory personnel within the granting agency.
C. Select a sample of expenditures to determine that the expenditures are (1) properly classified as to type, (2) appropriate to the program, and (3) designed to meet the program’s objectives.
D. Compare actual results with budgeted results and determine the reason for deviations. Determine if such deviations have been approved by appropriate officials.
Answer (A) is incorrect. The internal auditors should determine that the city has complied with the requirement to adopt a budget.
Answer (B) is correct. The activities of the granting agency are not relevant to a compliance engagement relating to the city’s use of the grant funds. The internal auditors are only responsible for determining whether the city is in compliance with the requirements of the grant.
Answer (C) is incorrect. Checking a sample of expenditures might reveal expenditures charged to the wrong account to bypass budgeting control.
Answer (D) is incorrect. The internal auditors should verify that the city has complied with the requirement to adhere to the budget.

[261] Gleim #: 3.8.74
A certified internal auditor is the chief audit executive for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding. The internal auditors must determine the applicable laws and regulations. Which of the following procedures is the least effective in learning about the applicable laws and regulations?
A. Make inquiries of the city’s chief financial officer, legal counsel, or grant administrators.
B. Review prior-year working papers and inquire of officials as to changes.
C. Review applicable grant agreements.
D. Discuss the matter with the board and make inquiries as to the nature of the requirements and the board’s objectives for the engagement.
Answer (A) is incorrect. Making inquiries of the city’s chief financial officer, legal counsel, or grant administrators is an effective way to learn about the applicable laws and regulations.
Answer (B) is incorrect. Reviewing prior-year working papers is an effective way to learn about the applicable laws and regulations.
Answer (C) is incorrect. Reviewing applicable grant agreements is an effective way to learn about the applicable laws and regulations.
Answer (D) is correct. Discussing the matter with the board would not be helpful. The members are not likely to know the applicable laws and regulations. The board’s oversight activities do not provide specific expertise needed to help the internal auditors understand the applicable laws and regulations.

[262] Gleim #: 3.8.75
Which organization is least likely to have a good compliance environment?
A. An international organization that creates a global compliance program that reflects local conditions, laws, and regulations.
B. An organization that creates an organizational chart, identifying personnel who are responsible for implementing compliance programs.
C. An organization whose code of conduct provides guidance to employees on relevant issues.
D. An organization that rewards employees for charging travel hours to take advantage of the tax benefits.
Answer (A) is incorrect. This represents an environment that exemplifies good compliance.
Answer (B) is incorrect.
This represents an environment that exemplifies good compliance.
Answer (C) is incorrect. This represents an environment that exemplifies good compliance.
Answer (D) is correct. An organization using reward systems that attach financial incentives to apparently unethical or illegal behavior can expect a poor compliance environment. For instance, an organization rewarding employees for charging travel hours makes itself vulnerable to fraud. Employees may charge false travel hours to receive additional rewards. Thus, the tax benefit of such an incentive may be negated by fraudulent employee practices. A good compliance environment is created when an organization
  Develops a written, straightforward business code of conduct that clearly identifies prohibited activities, provides guidance to employees on relevant issues, and decreases the risk that employees will engage in unethical or illegal behavior.
  Creates an organizational chart identifying board members, senior officers, a senior compliance officer, and department personnel who are responsible for implementing compliance programs.
  Creates a compliance program on a global basis, not just for selective geographic locations, to reflect appropriate local conditions, laws, and regulations.

[263] Gleim #: 3.8.76
The chief compliance officer of an organization should report to the
A. Chief executive officer.
B. Chief general counsel.
C. Chief operating officer.
D. Chief audit executive.
Answer (A) is correct. It is not enough for an organization to create the position of chief compliance officer and to select the rest of the compliance unit. The organization should also ensure that these personnel are appropriately empowered and supplied with the resources necessary for carrying out their mission. Furthermore, compliance personnel should have adequate access to senior management.
A reporting structure in which the chief compliance officer reports directly to the chief executive officer is optimal.
Answer (B) is incorrect. The chief general counsel in many organizations is assigned chief compliance responsibilities. In many organizations, however, this structure may convince employees that management is not committed to the program and that the program is important only to the legal department. Anyone assigned chief compliance responsibilities should report to the chief executive officer.
Answer (C) is incorrect. The chief compliance officer should report to the chief executive officer, not the chief operating officer.
Answer (D) is incorrect. The chief compliance officer should report to the chief executive officer, not the chief audit executive.

[264] Gleim #: 3.8.77
An organization should use due care not to delegate substantial discretionary authority to individuals the organization knows have a propensity to engage in illegal activities. Which of the following are steps an organization can take to ensure that such individuals are detected?
I. Screening of applicants for employment at all levels for evidence of past wrongdoing, especially past criminal convictions within the company’s industry.
II. Asking professionals about any history of discipline in front of licensing boards.
III. Performing background checks without permission on employees’ or applicants’ credit reports to ensure that they are financially sound and are unlikely to commit theft or fraud.
A. I only.
B. III only.
C. I and II only.
D. I, II, and III.
Answer (A) is incorrect. It is not the only step out of those given that a company can take to protect itself against individuals that have a propensity to engage in illegal activities.
Answer (B) is incorrect.
Performing checks on an employee’s or applicant’s credit report, no matter how noble the reason, infringes upon their privacy rights, under applicable laws. Thus, such an act is considered illegal, and the organization can be held liable.
Answer (C) is correct. As part of the exercise of due care, an organization can take a number of steps to protect itself against individuals who have a tendency to engage in illegal activities. For instance, an organization can screen applicants for employment at all levels for evidence of past wrongdoing, especially wrongdoing within the organization’s industry. Furthermore, it may inquire as to past criminal convictions, and professionals may be asked about any history of discipline in front of licensing boards. Care should be taken, however, to ensure that the organization does not infringe upon employees’ and applicants’ privacy rights under applicable laws. Many jurisdictions have laws limiting the amount of information an organization may obtain in performing background checks on employees.
Answer (D) is incorrect. Performing checks without permission on an employee’s or applicant’s credit report infringes upon their privacy rights, under applicable laws.

[265] Gleim #: 3.8.78
An ombudsperson is most effective when the individual
I. Is located on-site.
II. Reports to the chief compliance officer or the board of directors.
III. Is located off-site.
IV. Reports to no one, thus ensuring a whistleblower’s secrecy.
A. II only.
B. I and II only.
C. I and IV only.
D. III and IV only.
Answer (A) is incorrect. Being located on-site also promotes an ombudsperson’s effectiveness.
Answer (B) is correct.
Use of an ombudsperson is more effective if the ombudsperson is located on-site, reports directly to the chief compliance officer or the board of directors, keeps the names of whistleblowers secret, provides guidance to whistleblowers, and undertakes follow-up review to ensure that retaliation has not occurred. An ombudsperson must report to someone at a high level in the organization who is empowered to initiate a change in organization policies based on the ombudsperson’s findings; thus, reporting to no one is not an option. In addition, an ombudsperson’s location on-site promotes employee confidence in the ombudsperson.
Answer (C) is incorrect. An ombudsperson must report to someone at a high level in the organization that can initiate a change in organization policies, based on the ombudsperson’s findings.
Answer (D) is incorrect. An ombudsperson should report to someone high-up in the organization that can initiate change based on the ombudsperson’s findings, and the ombudsperson should be located on-site to promote employee confidence.

[266] Gleim #: 3.8.79
An internal audit plan should include a review of the organization’s compliance program and its procedures, including reviews to determine all but which of the following?
A. The effectiveness of written materials.
B. The receipt of communications by employees.
C. The appropriate handling of detected violations.
D. The performance of full background checks on employees and new hires.
Answer (A) is incorrect. This is a review that is included in an internal audit plan, with regard to the organization’s compliance program and procedures.
Answer (B) is incorrect. This is a review that is included in an internal audit plan, with regard to the organization’s compliance program and procedures.
Answer (C) is incorrect. This is a review that is included in an internal audit plan, with regard to the organization’s compliance program and procedures.
Answer (D) is correct. The audit plan should include a review of the compliance program and its procedures. The review should determine whether (1) written materials are effective, (2) communications have been received by employees, (3) detected violations have been appropriately handled, (4) discipline has been even-handed, (5) whistleblowers have been protected, and (6) the compliance unit has fulfilled its responsibilities. The auditors should review the compliance program to determine whether it can be improved and should solicit employee input. Moreover, organizations should screen applicants for employment at all levels and inquire as to past criminal convictions, taking care not to infringe upon employees’ and applicants’ privacy rights. However, a review of the performance of full background checks is not included in an audit plan as part of the review of an organization’s compliance program.

[267] Gleim #: 3.8.80
Which of the following is an effective tool for uncovering unethical or illegal activity in an organization?
A. The screening of applicants.
B. The ethics interview.
C. The background check.
D. The ethics questionnaire.
Answer (A) is incorrect. Screening applicants for employment is a way to detect past criminal activity and wrongdoing. Thus, it is of no use in uncovering unethical or currently ongoing illegal activity.
Answer (B) is incorrect. An ethics interview may cause discomfort to an employee, and an employee may not believe that the interview is protected by privilege or as confidential as an ethics questionnaire.
Answer (C) is incorrect. The background check is a way to detect past wrongdoing, not ongoing unethical or illegal activities.
Answer (D) is correct. An effective tool for uncovering unethical or illegal activity is the ethics questionnaire.
Each employee of the organization should receive a questionnaire that asks whether the employee is aware of kickbacks, bribes, or other wrongdoing.

[268] Gleim #: 3.8.81
Which of the following are forms of punishment for those who violate an organization’s code of conduct?
I. A warning
II. Loss of pay
III. Suspension
IV. Termination
A. I and II only.
B. I, III, and IV only.
C. I, II, and III only.
D. I, II, III, and IV.
Answer (A) is incorrect. All of the choices are ways in which an organization can punish a code of conduct violator.
Answer (B) is incorrect. All of the choices are ways in which an organization can punish a code of conduct violator.
Answer (C) is incorrect. All of the choices are ways in which an organization can punish a code of conduct violator.
Answer (D) is correct. Those who violate the code of conduct should receive punishment appropriate to the offense, such as a warning, loss of pay, suspension, transfer, or termination. Thus, if an employee is found to have committed some illegal act, the organization might have to terminate that employee. This action is consistent with the organization’s obligation to use due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a tendency to commit crimes.

[269] Gleim #: 3.8.82
An organization with an effective regulatory compliance program displays which of the following characteristics?
A. It punishes unethical or illegal activity based on seniority.
B. It disciplines those who knew of the misconduct and did not report it, but not those who should have known but did not know.
C. After an offense is detected, the organization takes the necessary steps, short of modifying its program, to prevent further similar offenses.
D.
It thoroughly documents employee discipline.
Answer (A) is incorrect. Discipline under the program must be fair. The program has only a slight chance of succeeding if unethical or illegal activity goes unpunished, especially if tied to the activities of senior management or big producers. Ignored wrongdoing by such persons will encourage wrongful behavior in the rest of the workforce.
Answer (B) is incorrect. The program should provide for the discipline of managers and other responsible persons who knew or should have known of misconduct and did not report it.
Answer (C) is incorrect. After an offense has been detected, the organization should take all reasonable steps to respond appropriately and prevent further similar offenses. Any necessary modifications to its program to prevent and detect violations of law should be made.
Answer (D) is correct. Organizations should be thorough in documenting employee discipline. The organization should be able to prove that it made its best efforts to collect information with regard to any incident and took appropriate action based upon the information available.

[270] Gleim #: 3.8.83
Which of the following is true regarding appropriate responses to an offense detected by an organization’s compliance program?
I. Disciplinary action taken against those engaged in misconduct is an appropriate response.
II. Self-reporting the violation to the government is an appropriate response.
III. Acceptance of responsibility for the violation is an appropriate response.
IV. An appropriate response can lower the amount of an organization’s court fines.
A. I and II only.
B. I and III only.
C. I, II, and III only.
D. I, II, III, and IV.
Answer (A) is incorrect.
They are all true statements regarding appropriate responses to an offense detected by an organization’s compliance program.
Answer (B) is incorrect. They are all true statements regarding appropriate responses to an offense detected by an organization’s compliance program.
Answer (C) is incorrect. They are all true statements regarding appropriate responses to an offense detected by an organization’s compliance program.
Answer (D) is correct. An organization should respond appropriately to each offense detected by the compliance program. Appropriate responses include disciplinary action taken with regard to those who engaged in misconduct. In some circumstances, an appropriate response could require self-reporting the violation to the government, cooperation with governmental investigations, and the acceptance of responsibility for the violation. Making these responses could result in a court’s reduction of the amount of the organization’s fine. A similar result may follow when the compliance program is effective.

[271] Gleim #: 3.8.84
What is the role of a chief audit executive (CAE) with regard to an inspection by a regulator?
A. Meet with the regulator before and after the inspection to provide relevant information or receive advice on necessary compliance.
B. Meet with the regulator after the inspection to dispute any negative findings about compliance.
C. Tour the facility with the regulator to ensure that no problems are uncovered.
D. Meet with specific managers to protect proprietary information.
Answer (A) is correct. The internal audit activity must evaluate, among other things, operational risk exposures and related controls regarding compliance with laws and regulations (Impl. Stds. 2120.A1 and 2130.A1). Thus, the CAE has an interest in gathering information for compliance audits and in determining whether the organizational response has been appropriate.
Moreover, cooperation is part of an appropriate response. The CAE should not attempt to mislead or influence the regulator in any way. To make the process easier for all parties involved, however, the CAE may provide any relevant information before the inspection. Afterwards, the CAE may confer with the regulator to discuss compliance issues.
Answer (B) is incorrect. The CAE is not qualified to dispute regulatory findings.
Answer (C) is incorrect. The CAE should not be present during the process.
Answer (D) is incorrect. Meeting with managers or other organization personnel to mislead the regulator is most likely illegal.

[272] Gleim #: 4.1.1
In any organization-wide risk management assessment, the CAE should include risks associated with which of the following activities?
A. Environmental.
B. Health.
C. Safety.
D. All of the answers are correct.
Answer (A) is incorrect. Environmental, health, and safety is generally conceived of as a unified function, and must be included in any organization-wide risk management assessment.
Answer (B) is incorrect. Environmental, health, and safety is generally conceived of as a unified function, and must be included in any organization-wide risk management assessment.
Answer (C) is incorrect. Environmental, health, and safety is generally conceived of as a unified function, and must be included in any organization-wide risk management assessment.
Answer (D) is correct. The CAE includes environmental, health, and safety (EHS) risks in any organization-wide risk management assessment and assesses the activities in a balanced manner relative to other types of risk associated with an organization’s operations.

[273] Gleim #: 4.1.2
A manufacturing organization uses hazardous materials in production of its products. An audit of these hazardous materials may include
I. Recommending an environmental management system as a part of policies and procedures.
II. Verifying the existence of “cradle to grave” (creation to destruction) tracking records for these materials.
III. Using consultants to avoid self-incrimination of the firm in the event illegalities were detected in an environmental audit.
IV. Evaluating the cost provided for in an environmental liability accrual account.
A. II only.
B. I and II only.
C. I, II, and IV only.
D. III and IV only.
Answer (A) is incorrect. A hazardous materials audit may also include recommending an environmental management system and evaluating the cost provided for in an environmental liability accrual account.
Answer (B) is incorrect. A hazardous materials audit may include evaluating the cost provided for in an environmental liability accrual account.
Answer (C) is correct. The use of external service providers by the internal audit activity is to provide knowledge, skills, and other competencies that are not available with the current staffing of internal audit. The use of consultants cannot shield the organization from liability for illegal acts.
Answer (D) is incorrect. Use of consultants cannot shield the firm from liability for illegal acts.

[274] Gleim #: 4.1.3
An organization is considering purchasing a commercial property. Because of the location of the property and the known recent history of activities on the property, management has asked the internal audit activity, in cooperation with legal counsel, to provide a preliminary identification of any environmental liability. The strongest reason supporting management’s decision to request such an investigation is
A. The potential for future liability may outweigh any advantages achieved by obtaining the property.
B.
Management will be able to pay a lower price for the property if environmental contamination can be identified.
C. The current owner would be required by law to clean up all identified contamination before the sale is closed.
D. Regulatory agencies require a purchaser to identify and disclose all actual and potential instances of contamination.
Answer (A) is correct. The internal auditors should conduct a transactional audit prior to the acquisition of property. A current landowner may be held responsible for environmental contamination by previous owners. Thus, a buyer (or lender) can attempt to identify and quantify a problem, determine its extent, and estimate the potential liability and cost of cleanup. This information can then be reflected in the terms of the transaction.
Answer (B) is incorrect. Although the price of contaminated property may be lower, management may want to avoid the potential liability altogether by not purchasing the property.
Answer (C) is incorrect. The current owner may agree to clean up the site but may be under no legal obligation to do so.
Answer (D) is incorrect. Purchasers are not required to disclose any instances of contamination, whether actual or potential.

[275] Gleim #: 4.1.4
Internal auditors are increasingly called on to perform audits related to an organization’s environmental stewardship. Which of the following does not describe the objectives of a type of environmental audit?
A. Determine whether environmental management systems are in place and operating properly to manage future environmental risks.
B. Determine whether environmental issues are considered as part of economic decisions.
C. Determine whether the organization’s current actions are in compliance with existing laws.
D. Determine whether the organization is focusing efforts on ensuring that its products are environmentally friendly, and confirm that product and chemical restrictions are met.
Answer (A) is incorrect. An environmental management system audit determines whether environmental management systems are in place and operating properly to manage future environmental risks.
Answer (B) is correct. Determining whether environmental issues are considered as part of economic decisions is an audit procedure. It does not describe the objectives of an environmental audit.
Answer (C) is incorrect. A compliance audit determines whether the organization’s current actions are in compliance with existing laws.
Answer (D) is incorrect. A product audit determines whether the organization focuses efforts on ensuring that its products are environmentally friendly and confirms that product and chemical restrictions are met.

[276] Gleim #: 4.1.5
An internal auditor has been requested to perform a review of an organization’s process for developing accruals for its liability to clean up toxic waste sites. The audit should determine whether
A. The organization monitors governmental investigations to identify locations where it may be potentially responsible for a waste site clean-up.
B. The organization has identified the situations in which it is potentially responsible for cleaning up a waste site.
C. Clean-up costs are reasonably estimated.
D. All of the answers are correct.
Answer (A) is incorrect. The audit should verify that the organization has identified potential clean-up sites, that it tracks governmental investigations for that purpose, and that it recognizes contingent liabilities if they are probable and the losses can be reasonably estimated.
Answer (B) is incorrect. The audit should verify that the organization has identified potential clean-up sites, that it tracks governmental investigations for that purpose, and that it recognizes contingent liabilities if they are probable and the losses can be reasonably estimated.
Answer (C) is incorrect. The audit should verify that the organization has identified potential clean-up sites, that it tracks governmental investigations for that purpose, and that it recognizes contingent liabilities if they are probable and the losses can be reasonably estimated.
Answer (D) is correct. The internal auditor must perform an environmental liability accrual audit. Such accruals are necessary because all owners of hazardous materials in the chain of title are liable. Hence, a contingent liability may exist not only when an organization is a current owner of a toxic waste site but also when it is a former owner. The organization should therefore engage in sufficient fact finding to identify potential liabilities and estimate their amounts.

[277] Gleim #: 4.1.6
Management is evaluating the need for an environmental audit program. Which one of the following should not be included as an overall program objective?
A. Conduct site assessments at all waste-producing facilities.
B. Verify organizational compliance with all environmental laws.
C. Evaluate waste minimization opportunities.
D. Ensure management systems are adequate to minimize future environmental risks.
Answer (A) is correct. Site assessment is a procedure, not an objective.
Answer (B) is incorrect. An objective in a compliance audit is to verify compliance with all environmental laws.
Answer (C) is incorrect. An objective in a pollution prevention audit is to evaluate waste minimization opportunities.
Answer (D) is incorrect. An objective in an environmental management system audit is to ensure management systems are adequate to minimize future environmental risks.

[278] Gleim #: 4.1.7
In many countries, the organization generating hazardous waste is responsible for the waste from “cradle to grave” (creation to destruction).
A potential risk to the organization is the use of an external service provider to process hazardous waste. Which of the following steps are performed during a review of the waste vendor?
A. Review the vendor’s documentation on hazardous material.
B. Review the financial solvency of the vendor.
C. Review the vendor’s emergency response planning.
D. All of these steps are performed during a review of the waste vendor.
Answer (A) is incorrect. Each is only one of several steps to be performed when reviewing hazardous waste vendors.
Answer (B) is incorrect. Each is only one of several steps to be performed when reviewing hazardous waste vendors.
Answer (C) is incorrect. Each is only one of several steps to be performed when reviewing hazardous waste vendors.
Answer (D) is correct. In addition to the procedures listed, the internal auditor determines that the vendor is approved by the governmental entity that is responsible for environmental protection and should obtain the vendor’s permit number. The internal auditor also should conduct an inspection of the vendor’s facilities.

[279] Gleim #: 4.1.8
An advantage of conducting environmental audits under the direction of the internal audit activity is that
A. Independence and authority are already in place.
B. Technical expertise is more readily available.
C. The financial aspects are de-emphasized.
D. Internal auditing work products are confidential.
Answer (A) is correct. The chief audit executive (CAE) evaluates the organizational placement and independence of the environmental audit function to ensure that significant matters resulting from serious risks to the enterprise are reported up the chain of command to the board. The CAE also facilitates the reporting of significant EHS risk and control issues to the board.
Thus, an advantage of conducting environmental audits under the direction of the internal audit activity is its position in the organization. The internal audit activity has an established place in the organization and normally has a broad scope of work permitting ready assimilation of the new function. Moreover, the CAE is responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations.
Answer (B) is incorrect. Environmental audits are highly complex and require technical expertise. This complexity is an advantage of employing an environmental audit group directed by a technically oriented department. Internal auditors normally do not have the technical expertise necessary to assume primary responsibility.
Answer (C) is incorrect. An internal audit activity is preferable when financial issues are important.
Answer (D) is incorrect. The Standards require engagement results to be disseminated to appropriate parties (Perf. Std. 2440).

[280] Gleim #: 4.1.9
Management is exploring different ways of reducing or preventing pollution in manufacturing operations. The objective of a pollution prevention audit is to identify opportunities to minimize waste and eliminate pollution at the source. In what order should the following opportunities to reduce waste be considered?
I. Recycling and reuse
II. Elimination at the source
III. Energy conservation
IV. Recovery as a usable product
V. Treatment
A. V, II, IV, I, and III.
B. IV, II, I, III, and V.
C. I, III, IV, II, and V.
D. III, IV, II, V, and I.
Answer (A) is incorrect. Recovery of waste and pollution as a usable product is the most appropriate goal; treatment is the least.
Answer (B) is correct.
The first step in the pollution prevention hierarchy is to determine whether production processes yield materials that can be sold as separate products. The second step is source reduction, for example, by reengineering processes. The third step is recycling and reuse. Step four is conservation of energy. Step five is treatment and disposal. The release of pollutants into the environment is not a viable alternative.
Answer (C) is incorrect. Recovery of waste and pollution as a usable product has a higher priority than either elimination at the source or energy conservation.
Answer (D) is incorrect. Recovery of waste and pollution as a usable product is a better solution than any of the other choices offered.

[281] Gleim #: 4.1.10
All of the following would be part of a factory’s control system to prevent release of wastewater that does not meet discharge standards except
A. Performing chemical analysis of the water, prior to discharge, for components specified in the permit.
B. Specifying (by policy, training, and advisory signs) which substances may be disposed of via sinks and floor drains within the factory.
C. Periodically flushing sinks and floor drains with a large volume of clean water to ensure pollutants are sufficiently diluted.
D. Establishing a preventive maintenance program for the factory’s pretreatment system.
Answer (A) is incorrect. Performing chemical analysis of the water, prior to discharge, for components specified in the permit is part of a factory’s control system.
Answer (B) is incorrect. Specifying (by policy, training, and advisory signs) which substances may be disposed of via sinks and floor drains within the factory is part of a factory’s control system.
Answer (C) is correct. Periodic dilution may not always prevent the release of pollutants that exceed the discharge limits.
In the pollution prevention hierarchy used in pollution prevention audits, release without treatment is the least desirable option.
Answer (D) is incorrect. Establishing a preventive maintenance program for the factory’s pretreatment system is part of a factory’s control system.

[282] Gleim #: 4.1.11
As part of a manufacturing company’s environmental, health, and safety (EHS) self-inspection program, inspections are conducted by a member of the EHS staff and the operational manager for a given work area or building. If a deficiency cannot be immediately corrected, the EHS staff member enters it into a tracking database that is accessible to all departments via a local area network. The EHS manager uses the database to provide senior management with quarterly activity reports regarding corrective action. During review of the self-inspection program, an auditor notes that the operational manager enters the closure information and affirms that corrective action is complete. What change in the control system would compensate for this potential conflict of interest?
A. No additional control is needed because the quarterly report is reviewed by senior management, providing adequate oversight in this situation.
B. No additional control is needed because those implementing a corrective action are in the best position to evaluate the adequacy and completion of that action.
C. After closure is entered into the system, review by the EHS staff member of the original inspection team should be required in order to verify closure.
D. The EHS department secretary should be responsible for entering all information into the tracking system based on memos from the operational manager.
Answer (A) is incorrect.
Although senior managers may use the report to question why certain corrective actions may be behind schedule, they do not know whether the corrective actions were actually completed.
Answer (B) is incorrect. Although the operational managers may in fact be the most knowledgeable about the corrective action, independent verification is preferable.
Answer (C) is correct. Someone independent of the operational area that was inspected should evaluate the adequacy and completeness of corrective action. This independent verification minimizes the potential for closure fraud by the operational manager.
Answer (D) is incorrect. The EHS staff may enter the initial inspection results. However, having the secretary enter closure data does not improve control in the absence of an independent review. This procedure is also less efficient and timely than having the data entered directly into the field.

[283] Gleim #: 4.1.12
Which of the following suggestions for the CAE related to EHS auditing is false?
A. The CAE should foster a close working relationship with the chief environmental officer and coordinate activities with the plan for environmental auditing.
B. At least once every three years, the CAE should schedule a quality assurance review of the environmental audit function if it is organizationally independent of the internal audit function.
C. The CAE should evaluate the organizational placement and independence of the environmental audit function to ensure that significant matters resulting from serious risks to the enterprise are reported up the chain of command.
D. The CAE should evaluate whether the environmental auditors, who are not part of the CAE’s organization, are in compliance with recognized professional auditing standards and a recognized code of ethics.
Answer (A) is incorrect. The CAE should foster a close working relationship with the chief environmental officer and coordinate activities.
Answer (B) is correct.
The CAE should foster a close working relationship with the chief environmental officer and coordinate activities with the plan for environmental auditing. If the environmental audit function reports to someone other than the CAE, the CAE should offer to review the audit plan and the performance of engagements. Periodically, the CAE schedules a quality assurance review of the environmental audit function if it is organizationally independent of the internal audit activity. The review determines whether the environmental risks are being adequately addressed. The CAE evaluates whether the environmental auditors, who are not part of the CAE’s organization, conform with recognized professional auditing standards and a recognized code of ethics. The CAE evaluates the organizational placement and independence of the environmental audit function to ensure that significant matters resulting from serious risks to the organization are reported up the chain of command to the board. Answer (C) is incorrect. The organizational placement and independence of the environmental audit function should be evaluated by the CAE. Answer (D) is incorrect. The CAE should evaluate the credentials of the environmental auditors.

[284] Gleim #: 4.1.13 What type of audit assesses the environmental risks and liabilities of land or facilities prior to a property transaction? A. Pollution prevention audit. B. Compliance audit. C. Transactional audit. D. Product audit. Answer (A) is incorrect. A pollution prevention audit determines how waste can be minimized and pollution can be eliminated at the source. Answer (B) is incorrect. A compliance audit is most common for industries. They are detailed site-specific audits of current operations. Answer (C) is correct.
Transactional audits (also called acquisition and divestiture audits, property transfer site assessments, property transfer evaluations, and due diligence audits) assess the environmental risks and liabilities of land or facilities prior to a property transaction. Answer (D) is incorrect. A product audit determines whether products are environmentally friendly and whether product and chemical restrictions are being met.

[285] Gleim #: 4.2.14 An engagement objective is to determine if a company’s accounts payable contain all outstanding liabilities. Which of the following audit procedures would not be relevant for this objective? A. Examine supporting documentation of subsequent (after-period) cash disbursements and verify period of liability. B. Send confirmations, including zero-balance accounts, to vendors with whom the company normally does business. C. Select a sample of accounts payable from the accounts payable listing and verify the supporting receiving reports, purchase orders, and invoices. D. Trace receiving reports issued before the period end to the related vendor invoices and accounts payable listing. Answer (A) is incorrect. This procedure identifies payments for liabilities not included in the prior period but paid in the subsequent period. Answer (B) is incorrect. This procedure identifies amounts not included in accounts payable. Zero-balance accounts should be verified as part of the process. Answer (C) is correct. The assertion being tested here is completeness: Are all legitimate liabilities recorded as such? Thus, the auditor’s procedures must address whether all accounts payable that should have been recorded were recorded. Vouching a sample of payables, which by definition have already been recorded, to supporting documentation will not accomplish this. Answer (D) is incorrect.
Tracing receiving reports from before the end of the period to invoices and the payables listing ensures that liabilities for these shipments are included in accounts payable.

[286] Gleim #: 4.2.15 Which of the following engagement procedures provides the best information about the collectibility of notes receivable? A. Confirmation of note receivable balances with the debtors. B. Examination of notes for appropriate debtors’ signatures. C. Reconciliation of the detail of notes receivable and the provision for uncollectible amounts to the general ledger control. D. Examination of cash receipts records to determine promptness of interest and principal payments. Answer (A) is incorrect. Confirmation establishes existence, not collectibility. Answer (B) is incorrect. Inspection helps verify the validity (not collectibility) of the notes. Answer (C) is incorrect. Reconciliation merely tests bookkeeping procedures. Answer (D) is correct. The best information about the collectibility (valuation) of notes receivable lies in actual cash collections. Nonpayment or late payment may bear unfavorably on the possibility of collection. An internal auditor also normally sends positive confirmations to the makers and holders and inspects the notes to verify maturity dates and other terms.

[287] Gleim #: 4.2.16 A specific objective of an audit of a company’s expenditure cycle is to determine whether all goods paid for have been received and charged to the correct account. This objective addresses which of the following primary objectives identified in the Standards? I. Reliability and integrity of financial and operational information. II. Compliance with laws, regulations, policies, procedures, and contracts. III. Effectiveness and efficiency of operations and programs. IV. Safeguarding of assets. A. I and II only. B. I and IV only. C. I, II, and IV only. D. II, III, and IV only. Answer (A) is incorrect. The specific engagement objective does not address compliance, but it does address safeguarding of assets. Answer (B) is correct. Determining whether all goods paid for have been received addresses safeguarding of assets. Determining whether the correct accounts have been charged addresses the reliability and integrity of financial information. Answer (C) is incorrect. The specific engagement objective does not address compliance. Answer (D) is incorrect. The specific engagement objective may address effectiveness of operations but does not address efficiency or compliance.

[288] Gleim #: 4.2.17 The internal auditor wishes to test the assertion that all claims paid by a medical insurer contain proper authorization and documentation, including but not limited to the validity of the claim from an approved physician and an indication that the claim complies with the claimant’s policy. The most appropriate engagement procedure is to select a sample of A. All policyholders and examine all claims for the sampled items during the year to determine whether the claims were handled properly. B. Claims filed and trace to documentary information about authorization and other supporting documentation. C. Claims denied and determine that all claims denied were appropriate. The claims denied file is much smaller and the internal auditor can obtain greater coverage with the sample size. D. Paid claims from the claims (cash) disbursement file and trace to documentary information about authorization and other supporting documentation. Answer (A) is incorrect. Sampling from a population of policyholders is very inefficient. Many may not have filed claims during the year. Answer (B) is incorrect.
A sample of claims filed does provide information about the overall processing of claims. However, the preferable population for the given assertion is that of paid claims. Answer (C) is incorrect. The claims denied file provides information about the claims denied, but the internal auditor cannot conclude that all claims that were not denied should have been paid. Answer (D) is correct. The internal auditor is interested in whether the actual claims paid are properly supported. The most appropriate population from which to sample is the claims paid file. The sample would then be vouched to the supporting documents to test for proper authorization.

[289] Gleim #: 4.2.18 Shipments are made from the warehouse based on customer purchase orders. The matched shipping documents and purchase orders are then forwarded to the billing department for sales invoice preparation. The shipping documents are neither accounted for nor prenumbered. Which of the following substantive tests should be extended as a result of this control weakness? A. Select sales invoices from the sales register and examine the related shipping documents. B. Select bills of lading from the warehouse and trace the shipments to the related sales invoices. C. Foot the sales register and trace the total to the general ledger. D. Trace quantities and prices on the sales invoice to the customer purchase order and test extensions and footings. Answer (A) is incorrect. Selecting sales invoices from the sales register will not detect unrecorded sales. Answer (B) is correct. When shipping documents are neither accounted for nor prenumbered, unrecorded sales are likely to result. Selecting bills of lading and tracing them to sales invoices will test that goods shipped were billed. Answer (C) is incorrect. Testing the sales register will not detect unrecorded sales.
Answer (D) is incorrect. Testing sales invoices will not detect unrecorded sales.

[290] Gleim #: 4.2.19 An organization makes a practice of investing excess short-term cash in marketable equity securities. A reliable test of the valuation of those securities is a A. Comparison of cost data with current market quotations. B. Confirmation of securities held by the broker. C. Recalculation of investment carrying amount using the equity method. D. Calculation of premium or discount amortization. Answer (A) is correct. If market quotations are based on sufficient market activity, they usually provide sufficient competent evidence regarding valuation. Answer (B) is incorrect. Confirmation of securities by the broker only confirms the existence and ownership of the securities, not the value. Answer (C) is incorrect. Short-term investments of excess cash do not qualify for the equity method. Answer (D) is incorrect. Discount or premium on fixed maturity short-term securities is not amortized.

[291] Gleim #: 4.2.20 An engagement to review payroll is least likely to include A. Tests of computations for gross and net wages. B. Comparison of payroll costs to budget. C. Tracing a sample of employee names to employment records in the personnel department. D. Observing the physical distribution of paychecks. Answer (A) is incorrect. Tests of computations for gross and net wages are standard. Answer (B) is incorrect. Comparison of payroll costs to budget is standard. Answer (C) is incorrect. Tracing a sample of employees to personnel records is standard. Answer (D) is correct. Most organizations large enough to have an internal audit activity do not physically distribute paychecks on a regular basis. Moreover, observing the physical distribution of paychecks is usually regarded as an extended procedure most applicable to fraud engagements.

[292] Gleim #: 4.2.21 An internal auditor for a large service organization is performing an engagement to review the organization’s cash balance. The internal auditor is considering the most appropriate engagement procedure to use to ensure that the amount of cash is accurately recorded on the financial statements. The most appropriate engagement procedures for the objective are A. Review collection procedures and perform an analytical review of accounts receivable; confirm balances of accounts receivable; and verify the existence of appropriate procedures and facilities. B. Compare cash receipt lists to the receipts journal and bank deposit slips; review the segregation of duties, and observe and test cash receipts. C. Review the organizational structure and functional responsibilities; verify the existence of, and describe protection procedures for, unused checks, including security measures. D. Examine bank reconciliations, confirm bank balances, and verify cutoff of receipts and disbursements; foot totals of reconciliations and compare to cash account balances. Answer (A) is incorrect. Reviewing collection procedures and performing an analytical review of accounts receivable, confirming balances of accounts receivable, and verifying the existence of procedures and facilities are appropriate for ensuring that all cash due is received. Answer (B) is incorrect. Comparing cash receipt lists with the receipts journal and bank deposit slips, reviewing the segregation of duties, and observing and testing cash receipts are appropriate engagement procedures to satisfy the objective of safeguarding cash receipts. Answer (C) is incorrect.
Reviewing the organizational structure and functional responsibilities and verifying the existence of, and describing protection procedures for, unused checks are engagement procedures that ensure appropriate safeguards are in place to protect cash. Answer (D) is correct. Testing the bank reconciliation determines whether the bank balance per books is the same as the cash in the bank except for such reconciling items as outstanding checks, deposits in transit, and bank charges. The direct receipt of a bank confirmation verifies the amount for cash in the bank stated on the reconciliation. A cutoff bank statement provides independent information regarding the reconciling items. For example, a deposit in transit should appear in the cutoff bank statement. Footing items in the reconciliation tests for mechanical accuracy. The bank balance in the general ledger should be the same as that in the reconciliation.

[293] Gleim #: 4.2.22 An engagement objective is to verify that the correct goods or services are received on time, at the right price, and in the right quantity. Based on this objective, the function to be reviewed is the A. Receiving department. B. Manufacturing department. C. Payroll department. D. Purchasing department. Answer (A) is incorrect. The receiving department inspects and verifies the propriety of the goods acquired based on the purchase order. The user departments also verify the quality. Answer (B) is incorrect. Manufacturing is not responsible for price variances of raw materials, which are isolated at the time of acquisition. Thus, materials are transferred to the manufacturing department at standard cost. Answer (C) is incorrect. The payroll department is not concerned with goods and services received from external sources. Answer (D) is correct.
The primary function of a purchasing department is to ensure the authorized acquisition of goods and services of a specified quality and quantity on a timely basis at an economical price. User departments should authorize purchases based upon need and within budget. The purchasing department executes the purchase transaction upon appropriate authorization.

[294] Gleim #: 4.2.23 To better monitor the performance of operating management, executive management has requested that the internal auditors examine interim financial statements that are prepared for internal use only. Although interim financial statements have been prepared for several years, this will be the first time that the internal auditors have been involved. The primary reason for this request was that executive management was surprised at the lower-than-anticipated net profit eventually reflected in last year’s audited financial statements. Earnings had been artificially manipulated on quarterly financial statements. In their work on this year’s interim financial statements, internal auditors are likely to focus on which of the following? A. Whether payables have been accrued properly at the end of the interim period. B. The timing of revenue recognition and the valuation of inventories. C. Whether accounting estimates are reasonable given past actual results. D. Whether there have been changes in accounting principles that materially affect the financial statements. Answer (A) is incorrect. Understating payables affects earnings only if expenses would have been debited. Answer (B) is correct. Many manipulations are possible. For example, net profit will be overstated if current-period revenues include sales that should be recognized in a subsequent period. Premature recognition may result from failure to maintain a proper cutoff of transactions at the end of the period. Overstatement of ending inventories also overstates net profit by understating cost of sales.
Answer (C) is incorrect. Estimates used in interim financial statements are often approximate and usually would not materially distort the financial statements. Answer (D) is incorrect. Such changes usually must be approved by executive management and normally do not lead to surprises.

[295] Gleim #: 4.2.24 Identification of an appropriate population to sample is dependent upon audit objectives. A population of entries in an asset repairs expense file is an appropriate population if the audit objective is to determine whether A. Expenditures for fixed assets have been improperly expensed. B. Noncapital repair expenditures have been properly charged to expense. C. Noncapital repair expenditures have been recorded in the proper period. D. Expenditures for fixed assets have been recorded in the proper period. Answer (A) is correct. An auditor should vouch significant debits in the repairs expense file to supporting documentation to determine whether capitalizable expenditures have been expensed. Expenditures that extend the life of a fixed asset or significantly improve its functioning should be capitalized. Answer (B) is incorrect. Ascertaining that all noncapital expenditures have been expensed would require testing of expense accounts and selected asset accounts in addition to the repairs expense account. Answer (C) is incorrect. Ascertaining that noncapital repair expenditures have been recorded in the proper time period requires sampling from more than one accounting period. Answer (D) is incorrect. Ascertaining that capitalizable fixed assets expenditures were recorded in the proper accounting period involves sampling from the fixed asset file.

[296] Gleim #: 4.2.25 For the chief audit executive (CAE), the financial reporting process encompasses the steps to A. Detect all fraud that is occurring throughout the organization. B. Create information to help prepare the financial statements and related notes. C. Provide all staff with information regarding raises and promotions. D. Make sure the internal control matches up the specifications from the AICPA. Answer (A) is incorrect. An auditor only needs to provide reasonable assurance about detecting fraud. All fraud does not have to be detected. Answer (B) is correct. The financial reporting process encompasses the steps to create the information and prepare financial statements, related notes, and other accompanying disclosures in the organization’s financial reports. Answer (C) is incorrect. Raises and promotions are not part of the financial reporting process. Answer (D) is incorrect. There are no guidelines that the auditor needs to match up internal controls with. They must use judgment and the AICPA does not have an internal control checklist that all companies must follow.

[297] Gleim #: 4.2.26 Subsequent to the acquisition of a new subsidiary, the internal audit activity is validating reports from subsidiary management. Which of the following areas will the internal auditor corroborate with the external organizational counsel? A. Credit lines. B. Collateral arrangements. C. Contingency estimates. D. Accounts receivable balances. Answer (A) is incorrect. Credit lines are corroborated by bank confirmations. Answer (B) is incorrect. Collateral arrangements are corroborated by bank confirmations. Answer (C) is correct. Subsequent to the acquisition of a new subsidiary, the internal auditor should contact the external organizational counsel regarding contingency estimates, including any threatened or pending litigation, claims, and assessments. Answer (D) is incorrect.
Accounts receivable balances are corroborated by customer confirmations.

[298] Gleim #: 4.2.27 As part of a preliminary survey of the purchasing function, an auditor read the department’s policies and procedures manual. The auditor concluded that the manual described the processing steps well and contained an appropriate internal control design. The next engagement objective was to determine the operating effectiveness of internal controls. Which procedure would be most appropriate in meeting this objective? A. Prepare a flowchart. B. Prepare a system narrative. C. Perform a test of controls. D. Perform a substantive test. Answer (A) is incorrect. Flowcharts are most appropriate for studying internal control design. The audit objective is whether the controls are in place and effective, which indicates the need for a test of controls. Answer (B) is incorrect. System narratives are most appropriate for studying internal control design. The audit objective is whether the controls are in place and effective, which indicates the need for a test of controls. Answer (C) is correct. The audit committee and management typically request that the internal audit activity perform sufficient work to form an opinion on the adequacy and effectiveness of internal control over financial reporting. Thus, audit procedures should provide assurance that controls over financial reporting are adequately designed and effectively executed. Controls should ensure the prevention and detection of significant errors, irregularities, incorrect assumptions and estimates, and other events that could misstate financial statements, notes, or disclosures. Tests of controls help an auditor determine whether controls are being followed and are effective.
For instance, a policy may require that all large transactions be approved by a manager. As a test of controls, the auditor may sample large transactions and review whether manager approval was obtained and whether the proposed transaction meets all the criteria that the manager was supposed to verify. Answer (D) is incorrect. Substantive tests are tests to determine whether an objective has been achieved and do not necessarily test internal controls.

[299] Gleim #: 4.2.28 In an assurance engagement of treasury operations, an internal auditor is required to consider all of the following issues except A. The audit committee has requested assurance on the treasury department’s compliance with a new policy on use of financial instruments. B. Treasury management has not instituted any risk management policies. C. Due to the recent sale of a division, the amount of cash and marketable securities managed by the treasury department has increased by 350%. D. The external auditors have indicated some difficulties in obtaining account confirmations. Answer (A) is incorrect. The auditor should consider the extent of work needed to achieve the engagement’s objectives. Assurance on compliance with a new policy is a specific engagement objective. Answer (B) is incorrect. The auditor should consider the adequacy and effectiveness of risk management, control, and governance processes. Answer (C) is incorrect. The auditor should consider the relative complexity, materiality, or significance of matters to which assurance procedures are applied. The increase in the amount of cash and marketable securities the treasury department manages is significant. Answer (D) is correct. Obtaining account confirmations is the responsibility of the external auditors. It should not change the internal auditor’s concerns.

[300] Gleim #: 4.2.29 For an upcoming engagement, an internal auditor’s objective is to determine whether costs are both documented and reasonable. This is most likely an engagement involving A. Advertising agency billings. B. Allowance for doubtful accounts. C. Asset disposals. D. Accounts payable. Answer (A) is correct. An advertising agency customarily charges for its costs plus a commission based on those costs. To avoid being overcharged, the organization requires assurance that the agency can justify (document) the costs incurred and that these costs are reasonable. A field review of the agency’s books and procedures is the best means of achieving the stated objective. Answer (B) is incorrect. An appropriate objective is to determine whether the allowance is appropriate and reflects past collection performance. Answer (C) is incorrect. An appropriate objective is to determine whether asset disposals were made in accordance with established policy. Answer (D) is incorrect. A more appropriate objective is to verify the receipt of properly authorized goods and services.

[301] Gleim #: 4.2.30 The personnel department receives an edit listing of payroll changes processed at every payroll cycle. If it does not verify the changes processed, the result could be A. Undetected errors in payroll rates for new employees. B. Inaccurate payroll deductions. C. Labor hours charged to the wrong account in the cost reporting system. D. Employees not being asked if they want to contribute to the company pension plan. Answer (A) is correct. The personnel department is responsible for authorization and execution of payroll transactions, e.g., hiring of new employees and determining their pay rates. Hence, this department’s verification of the payroll changes listing used in data processing is an important control over payroll processing.
Answer (B) is incorrect. Inaccurate payroll deductions could be caused by errors in payroll rates. Answer (C) is incorrect. Labor hours should come from the time reporting system (time card or time sheet), not the list of payroll changes. Answer (D) is incorrect. Inspection of the listing of payroll changes would indicate whether contributions by eligible employees have begun to be deducted, not whether employees have been asked about contributing to the pension plan.

[302] Gleim #: 4.2.31 One operating department of an organization does not have adequate procedures for inspecting and verifying the quantities of goods received. To evaluate the materiality of this control deficiency, the internal auditor should review the department’s A. Year-end inventory balance. B. Annual inventory purchases. C. Year-end total assets. D. Annual operating expenses. Answer (A) is incorrect. The deficiency affected all inventory purchased during the period, not just the inventory still on hand at the end of the year. Answer (B) is correct. Materiality is a function of both quantitative and qualitative factors and has an effect on engagement risk. To determine the materiality of the deficiency, annual inventory purchases should be reviewed because the weakness affected all such purchases during the period. Answer (C) is incorrect. A deficiency regarding inventory receipts should not affect other assets. Answer (D) is incorrect. Operating expenses are not affected.

[303] Gleim #: 4.2.32 An audit found that the cost of some material installed on capital projects had been transferred to the inventory account because the capital budget had been exceeded. Which of the following would be an appropriate technique for the internal audit activity to use to monitor this situation? A.
Identify variances between amounts capitalized each month and the capital budget. B. Analyze a sample of capital transactions each quarter to detect instances in which installed material was transferred to inventory. C. Review all journal entries that transferred costs from capital to inventory accounts. D. Compare inventory receipts with debits to the inventory account and investigate discrepancies. Answer (A) is incorrect. Analysis of these variances does not consider inventory. Answer (B) is incorrect. Sampling all capital transactions is less effective than examining the entries that specifically credited capital accounts and debited inventory. Answer (C) is correct. Some transfers from capital accounts to inventory may be legitimate, for example, because materials previously transferred from inventory were unused. However, the transfer of costs actually incurred for capital projects back to inventory misstates both accounts and undermines the budget process. Accordingly, the auditors should review all journal entries that transferred costs from capital to inventory accounts. Answer (D) is incorrect. There are no inventory receipts for the transfers.

[304] Gleim #: 4.2.33 In an engagement to evaluate an automated inventory control system, which approach provides the best information that purchase orders are authorized? A. Tracing purchase orders to the computer listing. B. Comparing receiving reports with purchase order details. C. Testing to ensure that only authorized persons are able to change parameters in the program that generates purchase orders. D. Reviewing system documentation to determine proper functioning of the program. Answer (A) is incorrect. Tracing purchase orders to a computer listing only determines whether the orders actually issued appear on the listing. Answer (B) is incorrect.
Comparing receiving reports with purchase order details simply indicates receipt of the kinds and amounts of items ordered. Answer (C) is correct. The internal auditor can determine whether computer-generated purchase orders are authorized by testing the system to ensure that only authorized individuals are allowed to change the reorder point and EOQ parameters. In a properly controlled information systems environment, access to equipment, custody of programs, programming, and the authorization of program changes should be clearly segregated functions. Answer (D) is incorrect. A review of system documentation provides information that the system was designed and documented properly but not whether it is operating as prescribed.

[305] Gleim #: 4.2.34 An internal auditor fails to discover an employee fraud during an assurance engagement. The nondiscovery is most likely to suggest a violation of the International Professional Practices Framework if it was the result of a A. Failure to perform a detailed review of all transactions in the area. B. Determination that any possible fraud in the area would not involve a material amount. C. Determination that the cost of extending procedures in the area would exceed the potential benefits. D. Presumption that the internal controls in the area were adequate and effective. Answer (A) is incorrect. Due professional care does not require detailed reviews of all transactions. Answer (B) is incorrect. The relative complexity, materiality, or significance of matters to which assurance procedures are applied should be considered. Answer (C) is incorrect. The internal auditor should consider the cost of assurance in relation to potential benefits. Answer (D) is correct. The internal audit activity evaluates the adequacy and effectiveness of controls (Impl. Std. 2130.A1).
Moreover, the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Perf. Std. 2130). Thus, an internal auditor must not simply assume that controls are adequate and effective.

[306] Gleim #: 4.2.35
You are an internal auditing supervisor who is reviewing the working papers of a staff internal auditor’s overall examination of the firm’s sales function. The pages are not numbered or cross-referenced. Furthermore, the working papers were dropped and reassembled at random before they were brought to you. You decide to put the working papers in the proper order according to the Standards. The first stage of this activity is to identify each page as a part of the preliminary survey, the review of the adequacy of control processes, the review for effectiveness of control processes, or the review of results. The first page the supervisor selects documents a test of controls performed during the course of the engagement. This page belongs with which activity?
A. Preliminary survey.
B. Review for adequacy of control processes.
C. Review for effectiveness of control processes.
D. Review of results.
Answer (A) is incorrect. A test from a prior engagement might be reviewed in the preliminary survey as background material. A current test would not yet be performed.
Answer (B) is incorrect. Adequacy is present if management has planned and designed in a manner that provides reasonable assurance that objectives and goals will be achieved efficiently and economically. Tests of controls are not performed in reviews for adequacy of the system.
Answer (C) is correct.
Internal auditors are charged with evaluating the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems (Impl. Std. 2130.A1). Effectiveness is present if management directs processes so as to provide reasonable assurance that objectives and goals will be achieved.
Answer (D) is incorrect. Tests of controls are not performed in a review of results. Internal auditors review operations and programs to ascertain the extent to which results are consistent with goals and objectives. The purpose is to determine whether they are being implemented or performed as intended.

[307] Gleim #: 4.2.36
You are an internal auditing supervisor who is reviewing the working papers of a staff internal auditor’s overall examination of the firm’s sales function. The pages are not numbered or cross-referenced. Furthermore, the working papers were dropped and reassembled at random before they were brought to you. You decide to put the working papers in the proper order according to the Standards. The first stage of this activity is to identify each page as a part of the preliminary survey, the review of the adequacy of control processes, the review for effectiveness of control processes, or the review of results. The third page the supervisor selects is a blank copy of the sales contract form now in use by the organization. Annotated on the form in several places are the words “key control” followed by a brief explanation. The supervisor recognizes the writing as that of the staff internal auditor who performed the engagement. This document belongs with which activity?
A. Preliminary survey.
B. Review for adequacy of control processes.
C. Review for effectiveness of control processes.
D. Review of results.
Answer (A) is incorrect.
The standard sales contract form might be obtained during the on-site survey portion of the preliminary survey. An analysis of the form indicating the existence and adequacy of key control activities could also be performed as part of the preliminary survey. However, the activity described involves a review for adequacy regardless of its timing.
Answer (B) is correct. Internal auditors are charged with evaluating risk exposures relating to, and the adequacy and effectiveness of controls encompassing, the organization’s governance, operations, and information systems (Impl. Stds. 2120.A1 and 2130.A1). Adequacy is present if management has planned and designed in a manner that provides reasonable assurance that objectives and goals will be achieved efficiently and economically. The sales contract form is apparently a “key control” that has been planned and designed into the system.
Answer (C) is incorrect. The form is blank. A completed form would be required to provide information that the system is effective.
Answer (D) is incorrect. The form is blank. No data are available for testing to determine results.

[308] Gleim #: 4.2.37
Controls should be designed to ensure that
A. Operations are performed efficiently.
B. Management’s plans have not been circumvented by worker collusion.
C. The internal audit activity’s guidance and oversight of management’s performance is accomplished economically and efficiently.
D. Management’s planning, organizing, and directing processes are properly evaluated.
Answer (A) is correct. The purpose of control processes is to support the organization in the management of risks and the achievement of its established and communicated objectives. The control processes are expected to ensure, among other things, that operations are performed efficiently and achieve established results (PA 2130-1, para. 1).
Answer (B) is incorrect. Collusion is an inherent limitation of internal control.
Answer (C) is incorrect.
The board provides oversight of risk management and control processes administered by management.
Answer (D) is incorrect. Controls are actions by management, the board, and others to manage risk and increase the likelihood that established goals and objectives will be achieved (The IIA Glossary). The internal audit activity evaluates the effectiveness of control processes. Thus, controls do not directly address management’s planning, organizing, and directing processes. Internal auditors evaluate management processes to determine whether reasonable assurance exists that objectives and goals will be achieved.

[309] Gleim #: 4.2.38
The function of internal auditing, as related to communicating results, is to
A. Ensure compliance with reporting procedures.
B. Review the expenditure items and match each item with the expenses incurred.
C. Determine whether any employees are expending funds without authorization.
D. Identify inadequate controls that increase the likelihood of unauthorized expenditures.
Answer (A) is incorrect. Ensuring compliance is a management, not an internal audit, responsibility.
Answer (B) is incorrect. Actual outflows of funds and accrued expenses are unlikely to be equal.
Answer (C) is incorrect. Determining whether unauthorized expenditures are occurring is a management, not an internal audit, responsibility.
Answer (D) is correct. The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Perf. Std. 2130).

[310] Gleim #: 4.2.39
The chief audit executive’s responsibility for assessing and reporting on control processes includes
A. Communicating to senior management and the board an annual judgment about internal control.
B.
Overseeing the establishment of internal control processes.
C. Maintaining the organization’s governance processes.
D. Arriving at a single assessment based solely on the work of the internal audit activity.
Answer (A) is correct. The CAE’s report on the organization’s control processes is normally presented once a year to senior management and the board (PA 2130-1, para. 11).
Answer (B) is incorrect. Senior management is responsible for overseeing the establishment of internal control processes.
Answer (C) is incorrect. The board is responsible for establishing and maintaining the organization’s governance processes.
Answer (D) is incorrect. The challenge for the internal audit activity is to evaluate the effectiveness of the organization’s system of controls based on the aggregation of many individual assessments. Those assessments are largely gained from internal auditing engagements, management’s self-assessments, and external assurance providers’ work.

[311] Gleim #: 4.2.40
The chief audit executive (CAE) of a mid-sized internal audit activity was concerned that management might outsource the internal auditing function. Thus, the CAE adopted a very aggressive program to promote the internal audit activity within the organization. The CAE planned to present the results to senior management and the board and recommend modification of the internal audit activity’s charter after using the new program. The following lists six actions the CAE took to promote a positive image within the organization:
1. Engagement assignments concentrated on efficiency. The engagements focused solely on cost savings, and each engagement communication highlighted potential costs to be saved. Negative observations were omitted. The focus on efficiency was new, but the engagement clients seemed very happy.
2.
Drafts of all engagement communications were carefully reviewed with the engagement clients to get their input. Their comments were carefully considered when developing the final engagement communication.
3. The information technology internal auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development.
4. Given limited resources, the engagement manager performed a risk assessment to establish engagement work schedule priorities. This was a marked departure from the previous approach of ensuring that all operations are evaluated on at least a 3-year interval.
5. To save time, the CAE no longer required that a standard internal control questionnaire be completed for each engagement.
6. When the internal auditors found that the engagement client had not developed specific criteria or data to evaluate operations, the internal auditors were instructed to perform research, develop specific criteria, review the criteria with the engagement client, and, if acceptable, use them to evaluate the engagement client’s operations. If the engagement client disagreed with the criteria, a negotiation took place until acceptable criteria could be agreed upon. The engagement communication commented on the engagement client’s operations in conjunction with the agreed-upon criteria.
Is Action 5 inappropriate?
A. Yes. Internal control should be evaluated on every engagement, but the internal control questionnaire is not the mandated approach to evaluate the controls.
B. No. Internal auditors may omit necessary procedures if there is a time constraint. It is a matter of professional judgment.
C. Yes. Internal control should be evaluated on every engagement, and the internal control questionnaire is the most efficient method to do so.
D. No. Internal auditors are not required to fill out internal control questionnaires on every engagement.
Answer (A) is incorrect. Internal control evaluations are not required on every engagement.
Answer (B) is incorrect. Internal auditors cannot omit necessary procedures as a result of a time constraint.
Answer (C) is incorrect. Internal control evaluations are not required on every engagement.
Answer (D) is correct. The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Perf. Std. 2130). However, internal auditors are not required to fill out standard internal control questionnaires. The information documented in questionnaires may be found in other working papers, such as flowcharts, checklists, and narratives.

[312] Gleim #: 4.2.41
An internal auditor’s role with respect to operating objectives and goals includes
A. Approving the operating objectives or goals to be met.
B. Determining that they conform with those of the organization.
C. Developing and implementing control procedures.
D. Accomplishing desired operating program results.
Answer (A) is incorrect. Approving the operating objectives or goals to be met is an operational matter that is the responsibility of management.
Answer (B) is correct. Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
Answer (C) is incorrect. Developing and implementing control procedures is an operational matter that is the responsibility of management.
Answer (D) is incorrect. Accomplishing desired operating program results is an operational matter that is the responsibility of management.

[313] Gleim #: 4.2.42
If the annual audit plan does not allow for adequate review of compliance with all material regulations affecting the company, the internal audit activity should:
A.
Ensure that the board of directors and senior management are aware of the limitation.
B. Include a memo with the audit planning file listing the reasons for the lack of coverage.
C. Document that regulations not included will be reviewed in the subsequent year.
D. Decrease the scope of operational and financial audits to make additional audit time available.
Answer (A) is correct. The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance processes by using a systematic and defined approach (Perf. Std. 2100). Thus, they should assess compliance in specific areas as part of their role in organizational governance. If the annual audit plan does not allow for adequate review of compliance, senior management and the board of directors should be informed of the implications of gaps in audit coverage, including the review of compliance with applicable laws and regulations.
Answer (B) is incorrect. The knowledge of incomplete audit coverage should not be limited to the internal audit activity.
Answer (C) is incorrect. Compliance with material regulations may need to be reviewed at least on an annual basis.
Answer (D) is incorrect. Audit coverage in other areas should not be automatically reduced. The internal audit activity may require additional resources to provide adequate coverage of risks.

[314] Gleim #: 4.2.43
In some countries, governmental units have established audit standards. For example, in the United States, the Government Accountability Office has developed standards for the conduct of governmental audits, particularly those that relate to compliance with government grants. In performing governmental grant compliance audits, the auditor should
A. Be guided only by the governmental standards.
B.
Be guided only by The IIA Standards because they are more encompassing.
C. Be guided by the more general standards that have been issued by the public accounting profession.
D. Follow both The IIA Standards and any additional governmental standards.
Answer (A) is incorrect. The internal auditor should not follow only the governmental standards.
Answer (B) is incorrect. An internal auditor is legally obligated to adhere to governmental standards when performing governmental grant compliance audits.
Answer (C) is incorrect. The internal auditor should follow the standards established for those types of audits.
Answer (D) is correct. Rule of Conduct 4.2 of The IIA Code of Ethics states, “Internal auditors shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.” Furthermore, an internal auditor is legally obligated to adhere to governmental standards when performing governmental grant compliance audits.

[315] Gleim #: 4.2.44
Senior management has requested a compliance audit of the organization’s employee benefits package. Which of the following is considered the primary engagement objective by both the chief audit executive and senior management?
A. The level of organizational contributions is adequate to meet the program’s demands.
B. Individual programs are operating in accordance with contractual requirements and government regulations.
C. Participation levels support continuation of individual programs.
D. Benefit payments, when appropriate, are accurate and timely.
Answer (A) is incorrect. Contributions concern specific engagement objectives subsumed by the primary objective of compliance with laws, regulations, and contracts.
Answer (B) is correct.
The internal audit activity evaluates risk exposures related to governance, operations, and information systems regarding, among other things, compliance with laws, regulations, and contracts. Based on the risk assessment, the internal audit activity evaluates the adequacy and effectiveness of controls encompassing governance, operations, and information systems. This evaluation should include, among other things, compliance with laws, regulations, and contracts (Impl. Stds. 2110.A2 and 2120.A1). Operation in accordance with contracts and regulations takes precedence over all other objectives because it relates to the most basic aspects of the programs.
Answer (C) is incorrect. Participation levels concern specific engagement objectives subsumed by the primary objective of compliance with laws, regulations, and contracts.
Answer (D) is incorrect. Benefit payments concern specific engagement objectives subsumed by the primary objective of compliance with laws, regulations, and contracts.

[316] Gleim #: 4.3.45
Internal auditors may provide consulting services that add value and improve an organization’s operations. The performance of these services
A. Impairs internal auditors’ objectivity with respect to an assurance service involving the same engagement client.
B. Precludes generation of assurance from a consulting engagement.
C. Should be consistent with the internal audit activity’s empowerment reflected in the charter.
D. Imposes no responsibility to communicate information other than to the engagement client.
Answer (A) is incorrect. Consulting services do not necessarily impair objectivity. Decisions to implement recommendations made as a result of a consulting service are made by management. Thus, decision making by management does not impair the internal auditors’ objectivity.
Answer (B) is incorrect.
Assurance and consulting services are not mutually exclusive. One type of service may be generated from the other.
Answer (C) is correct. According to Impl. Std. 1000.C1, the nature of consulting services must be defined in the charter.
Answer (D) is incorrect. A primary internal audit value is to provide assurance to senior management and audit committee directors. Consulting engagements cannot be rendered in a manner that masks information that in the judgment of the chief audit executive (CAE) should be presented to senior executives and board members.

[317] Gleim #: 4.3.46
Consulting services
A. May enhance the auditor’s understanding of business processes or issues related to an assurance engagement but will always impair the auditor’s or the internal audit activity’s independence.
B. To be performed by the internal audit activity should be authorized by management if they do not represent a conflict of interest.
C. Should not be performed by the internal audit activity because they impair objectivity.
D. Are a natural extension of assurance and investigative services and may represent informal or formal advice, analysis, or assessments.
Answer (A) is incorrect. Consulting services may enhance the auditor’s understanding of business processes or issues related to an assurance engagement and do not necessarily impair the internal audit activity’s objectivity and independence.
Answer (B) is incorrect. The board empowers the internal audit activity to perform additional services if they do not represent a conflict of interest or detract from its obligations to the board.
Answer (C) is incorrect. An organization may find that the internal audit activity is uniquely qualified for some formal consulting tasks.
Answer (D) is correct. Much of consulting is a natural extension of assurance and investigative services and may represent informal or formal advice, analysis, or assessments.
The internal audit activity is uniquely positioned to perform this type of consulting work based on (a) its adherence to the highest standards of objectivity and (b) its breadth of knowledge about organizational processes, risk, and strategies.

[318] Gleim #: 4.3.47
Advisory and related client service activities, the nature and scope of which are agreed upon with the client, are best described as
A. Internal audit services.
B. Assurance services.
C. Consulting services.
D. External assurance services.
Answer (A) is incorrect. The definition that is given is The IIA definition of consulting services with The IIA’s proposed change.
Answer (B) is incorrect. The definition that is given is The IIA definition of consulting services with The IIA’s proposed change.
Answer (C) is correct. The IIA defines consulting services as “advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s governance, risk management, and control processes while not assuming management responsibility. Examples include counsel, advice, facilitation, and training.”
Answer (D) is incorrect. The definition that is given is The IIA definition of consulting services with The IIA’s proposed change.

[319] Gleim #: 4.3.48
Which of the following statements is false?
A. A disciplined, systematic evaluation methodology is incorporated in each internal audit activity. The list of services can generally be incorporated into two broad categories of assurance and consulting.
B. Assurance and consulting are mutually exclusive and do preclude other auditing services such as investigations and nonauditing roles.
C. Many audit services will have both an assurance and consultative role.
D. Internal audit consulting enriches value-adding internal auditing.
Answer (A) is incorrect. This is a true statement taken from the second principle in PA 1000.C1-1.
Answer (B) is correct. Certain principles guide the performance of consulting activities of internal auditors. For example, assurance and consulting are not mutually exclusive and do not preclude other auditing services such as investigations and nonauditing roles.
Answer (C) is incorrect. This is a true statement taken from the third principle in PA 1000.C1-1.
Answer (D) is incorrect. This is a true statement taken from the fourth principle in PA 1000.C1-1.

[320] Gleim #: 4.3.49
Before internal auditors begin to offer consulting services to an organization, a number of things need to happen within the organization. What is the order in which the following items should be performed?
I. The internal audit charter is amended to include authority and responsibilities for consulting activities.
II. The CAE confirms that the board understands and approves the concept of providing consulting services.
III. The internal audit activity develops appropriate policies and procedures for conducting such engagements.
A. I, II, III.
B. II, III, I.
C. II, I, III.
D. III, II, I.
Answer (A) is incorrect. The order given in these solutions is incorrect.
Answer (B) is incorrect. The order given in these solutions is incorrect.
Answer (C) is correct. Prior to offering consulting services, the chief audit executive confirms that the board understands and approves the concept of providing consulting services. Once approved, the internal audit charter is amended to include authority and responsibilities for consulting activities. The internal audit activity then develops appropriate policies and procedures for conducting such engagements.
Answer (D) is incorrect. The order given in these solutions is incorrect.
[321] Gleim #: 4.3.50
Who is responsible for determining the methodology to use for classifying engagements within the organization?
A. The chief audit executive.
B. Management.
C. The board.
D. The audit committee.
Answer (A) is correct. The chief audit executive determines the methodology to use for classifying engagements within the organization. In some circumstances, it may be appropriate to conduct a blended engagement that incorporates elements of both consulting and assurance activities into one consolidated approach. In other cases, it may be appropriate to distinguish between the assurance and consulting components of the engagement.
Answer (B) is incorrect. The CAE is the individual who should determine the methodology to use for classifying engagements within the organization.
Answer (C) is incorrect. The CAE is the individual who should determine the methodology to use for classifying engagements within the organization.
Answer (D) is incorrect. The CAE is the individual who should determine the methodology to use for classifying engagements within the organization.

[322] Gleim #: 4.3.51
An internal auditor performed a formal consulting engagement for XYZ Corporation on June 1, Year 1. When is the earliest time the auditor can perform assurance services for XYZ Corporation and be considered independent and objective?
A. January 1, Year 2.
B. June 1, Year 2.
C. July 1, Year 1.
D. June 2, Year 1.
Answer (A) is incorrect. An internal auditor’s independence and objectivity may be impaired if they perform assurance services within 1 year after a formal consulting engagement.
Answer (B) is correct. Independence and objectivity may be impaired if assurance services are provided within 1 year after a formal consulting engagement.
Steps can be taken to minimize the effects of impairment by assigning different auditors to perform each of the services, establishing independent management and supervision, defining separate accountability for the results of the projects, and disclosing the presumed impairment.
Answer (C) is incorrect. An internal auditor’s independence and objectivity may be impaired if they perform assurance services within 1 year after a formal consulting engagement.
Answer (D) is incorrect. An internal auditor’s independence and objectivity may be impaired if they perform assurance services within 1 year after a formal consulting engagement.

[323] Gleim #: 4.3.52
Internal auditors should design the scope of work in a consulting engagement to ensure that all of the following will be maintained except
A. Independence.
B. Integrity.
C. Credibility.
D. Professionalism.
Answer (A) is correct. Internal auditors need to reach an understanding of the objectives and scope of the consulting engagement with those receiving the service. During a consulting engagement, the internal auditor is acting as an advocate for management, and independence is not required.
Answer (B) is incorrect. Internal auditors should design the scope of work to ensure that professionalism, integrity, credibility, and reputation of the internal audit activity will be maintained.
Answer (C) is incorrect. Internal auditors should design the scope of work to ensure that professionalism, integrity, credibility, and reputation of the internal audit activity will be maintained.
Answer (D) is incorrect. Internal auditors should design the scope of work to ensure that professionalism, integrity, credibility, and reputation of the internal audit activity will be maintained.
[324] Gleim #: 4.3.53
The internal auditor for ABC Corporation has received a special request from management. The internal auditor believes that the objectives that should be pursued go beyond those requested by management. What should the internal auditor do?
A. Refuse to accept the engagement unless he can persuade management to include the additional objectives in the consulting engagement.
B. Include the objectives that he feels are necessary in the current consulting engagement and inform management in the final communication of the engagement results.
C. Document the fact that the objectives were not pursued and disclose that observation to the audit committee in a formal report.
D. Try to persuade management to include the additional objectives in the consulting engagement.
Answer (A) is incorrect. The internal auditor has no reason not to accept the consulting engagement.
Answer (B) is incorrect. The internal auditor must not perform any services that go beyond the scope or objectives of the services understood and agreed upon with management.
Answer (C) is incorrect. The internal auditor is only reporting to those receiving the services during a consulting engagement, i.e., management.
Answer (D) is correct. In planning formal consulting engagements, internal auditors design objectives to meet the appropriate needs of management officials receiving these services.
In the case of special requests by management, internal auditors may consider the following actions if they believe that the objectives that should be pursued go beyond those requested by management: (1) persuade management to include the additional objectives in the consulting engagement; or (2) document that the objectives were not pursued, disclose that observation in the final communication of consulting engagement results, and include the objectives in a separate and subsequent assurance engagement.

[325] Gleim #: 4.3.54
Substantial risk exposures or material control weaknesses discovered during a formal consulting engagement are brought to the attention of management. In some situations, the internal auditor’s concerns also are communicated to
A. Executive management.
B. Audit committee.
C. Board of directors.
D. All of the answers are correct.
Answer (A) is incorrect. The internal auditor may feel it is necessary to communicate his concerns to all of these groups.
Answer (B) is incorrect. The internal auditor may feel it is necessary to communicate his concerns to all of these groups.
Answer (C) is incorrect. The internal auditor may feel it is necessary to communicate his concerns to all of these groups.
Answer (D) is correct. Internal auditors need to be observant of the effectiveness of risk management and control processes during formal consulting engagements. Substantial risk exposures or material control weaknesses are brought to the attention of management. In some situations, the auditor’s concerns should also be communicated to senior management or the board. (According to The IIA Glossary, the board includes any “designated body of the organization, including the audit committee . .
.”) [326] Gleim #: 4.3.55 An internal auditor concludes that the results of a consulting engagement should be communicated beyond those who received or requested the services. The auditor follows a series of steps until satisfied with the resolution. In what order will the auditor perform the following steps? I. Attempt to convince those receiving or requesting the service to expand voluntarily the communication to the appropriate parties. II. Determine what guidance is provided in the organization’s code of conduct, code of ethics, and other relative policies, administrative directives, or procedures. III. Determine what direction is provided in the agreement concerning the consulting engagement and related communications. A. B. C. D. II, I, III. I, II, III. III, I, II. I, III, II. Answer (A) is incorrect. They are not listed in the correct order that should be followed. Answer (B) is incorrect. They are not listed in the correct order that should be followed. Answer (C) is correct. When expanding the reporting to other parties, the auditor takes the following steps until satisfied with the resolution of the matter: 1. Determine what direction is provided in the agreement concerning the consulting engagement and related communications. 2. Attempt to persuade those receiving or requesting the service to expand voluntarily the communication to the appropriate parties. 3. Determine what guidance is provided in the internal audit charter or audit activity’s policies and procedures concerning consulting communications. 4. Determine what guidance is provided in the organization’s code of conduct, code of ethics, and other relative policies, administrative directives, or procedures. 5. Determine what guidance is provided by The IIA’s Standards and Code of Ethics, other standards or codes applicable to the auditor, and any legal or regulatory requirements that relate to the matter under consideration. Answer (D) is incorrect. 
They are not listed in the correct order that should be followed.

[327] Gleim #: 4.3.56
Which statement about consulting engagements is true?
A. Documentation requirements applicable to assurance engagements apply to consulting engagements.
B. The internal audit activity monitors every aspect of a consulting engagement to ensure it is being conducted to the extent agreed upon with the client.
C. Internal auditors keep senior management and the board informed about how audit resources are being deployed.
D. Work programs for formal consulting engagements address policies and issues related to ownership of consulting engagement records to protect the organization and avoid any potential misunderstandings.

Answer (A) is incorrect. Documentation requirements applicable to assurance engagements do not necessarily apply to consulting engagements.
Answer (B) is incorrect. The internal audit activity only monitors the results of consulting engagements to the extent agreed upon with the client.
Answer (C) is correct. Internal auditors disclose to management, the board, or other governing body of the organization the nature, extent, and overall results of formal consulting engagements along with other reports of internal audit activities. Internal auditors keep senior management and the board informed about how audit resources are being deployed. Neither detail reports of these consulting engagements nor the specific results and recommendations are required to be communicated.
Answer (D) is incorrect. Work programs for formal consulting engagements document the objectives and scope of the engagement as well as the methodology to be used in satisfying the objectives.

[328] Gleim #: 4.3.57
The internal auditor should decline to perform which of the following types of consulting engagements?
A. Engagements that have no conflict with the policies and procedures of the internal audit activity.
B. Engagements in which the internal audit staff lacks the knowledge needed to perform part of the engagement.
C. Engagements that are allowed by the terms of the internal audit charter.
D. Engagements that add value and promote the best interests of the organization.

Answer (A) is incorrect. Engagements that have no conflict with the policies and procedures of the internal audit activity are permissible.
Answer (B) is correct. The internal auditor should decline to perform consulting engagements that are prohibited by the terms of the internal audit charter, conflict with the policies and procedures of the internal audit activity, or do not add value and promote the best interests of the organization. “The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement” (Impl. Std. 1210.C1).
Answer (C) is incorrect. Engagements that are allowed by the terms of the internal audit charter are permissible.
Answer (D) is incorrect. Engagements that add value and promote the best interests of the organization are permissible.

[329] Gleim #: 4.3.58
After the chief audit executive receives approval from the board to offer consulting services, what should be done?
A. The CAE should begin performing consulting services.
B. The CAE should get approval from the internal auditors.
C. The internal audit charter should be amended.
D. The board should develop appropriate policies and procedures for conducting such engagements.

Answer (A) is incorrect.
After the CAE receives board approval, the internal audit charter must be amended and the CAE must establish policies and procedures.
Answer (B) is incorrect. The CAE does not need to get additional approval from the internal auditors. Only board approval is required.
Answer (C) is correct. The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter (Attr. Std. 1000). “The nature of consulting services must be defined in the internal audit charter” (Impl. Std. 1000.C1).
Answer (D) is incorrect. The CAE must establish policies and procedures to guide the internal audit activity (Perf. Std. 2040).

[330] Gleim #: 4.3.59
George is the new internal auditor for XYZ Corporation. George was in charge of payroll for XYZ just 10 months ago. Performing what services in regard to payroll is considered an impairment of independence or objectivity if performed by George?
A. Consulting services.
B. Assurance services.
C. Assurance or consulting services.
D. Neither assurance nor consulting services.

Answer (A) is incorrect. Providing assurance services but not consulting services regarding payroll will impair the independence or objectivity of George (Impl. Std. 1130.C1).
Answer (B) is correct. Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year (Impl. Std. 1130.A1). Thus, if George provides assurance services for payroll, his objectivity is presumed to be impaired. Internal auditors may provide consulting services relating to operations for which they had previous responsibilities (Impl. Std. 1130.C1).
Answer (C) is incorrect.
Providing assurance services regarding payroll will impair the independence or objectivity of George.
Answer (D) is incorrect. Providing consulting services regarding payroll will not impair the objectivity of George (Impl. Std. 1130.A1).

[331] Gleim #: 4.3.60
When an internal auditor has a potential impairment of independence or objectivity relating to a proposed consulting engagement, what action must be taken?
A. The internal auditor must immediately refuse the consulting engagement.
B. The internal auditor must disclose the potential impairment to the chief audit executive.
C. The internal auditor need not disclose the potential impairment and may accept the engagement.
D. The internal auditor must disclose the potential impairment to the engagement client prior to accepting the engagement.

Answer (A) is incorrect. The internal auditor does not need to refuse the engagement but must properly disclose the potential impairment to the client.
Answer (B) is incorrect. The internal auditor must disclose the potential impairment to the engagement client.
Answer (C) is incorrect. The internal auditor must properly disclose the potential impairment to the engagement client before accepting the engagement.
Answer (D) is correct. Impl. Std. 1130.C2 states that if independence or objectivity is potentially impaired in relation to a proposed consulting service, disclosure must be made to the engagement client prior to accepting the engagement.

[332] Gleim #: 4.3.61
If impairments of independence or objectivity exist prior to commencement of a consulting engagement or develop during the engagement, what action should be taken?
A. Disclosure should be made immediately to engagement client.
B. Disclosure should be made immediately to the board.
C. Disclosure should be made immediately to the external auditors.
D. The internal auditor should withdraw from the engagement.

Answer (A) is correct. If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement (Impl. Std. 1130.C2).
Answer (B) is incorrect. Disclosure should be made to the engagement client because it is the party benefiting from the consulting services.
Answer (C) is incorrect. No disclosure need be made to the external auditors.
Answer (D) is incorrect. An informed engagement client may not object to an impairment of independence or objectivity.

[333] Gleim #: 4.3.62
When internal auditors perform a consulting engagement, what is the best statement of their responsibility regarding risk?
A. Be alert to the existence of significant risks.
B. Consider only the risk consistent with engagement objectives.
C. Address risk consistent with engagement objectives and be alert to certain other risks.
D. Assume responsibility for managing risks.

Answer (A) is incorrect. Internal auditors also must address risk consistent with engagement objectives.
Answer (B) is incorrect. Internal auditors also must be alert to the existence of other significant risks.
Answer (C) is correct. During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks (Impl. Std. 2120.C1). Moreover, internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes (Impl. Std. 2120.C2).
Answer (D) is incorrect. A consulting engagement may involve assisting management with the establishment or improvement of risk management processes. In such an engagement, internal auditors must not assume any management responsibility by actually managing risks (Impl. Std. 2120.C3).

[334] Gleim #: 4.3.63
Senior management of an entity has requested that the internal audit activity provide ongoing internal control training for all managerial personnel. This is best addressed by a(n)
A. Formal consulting engagement agreement.
B. Informal consulting engagement agreement.
C. Special consulting engagement agreement.
D. Emergency consulting engagement agreement.

Answer (A) is correct. Consulting services are advisory and related client service activities, the nature and scope of which are agreed upon with the client and intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, process design, and training. Thus, internal control training is a consulting service. Such training should be planned and is continuous. It should be subject to a consulting agreement that is formal and written even though it is with the internal audit activity. Formality ensures that the needs and expectations of those who will be trained are recognized and satisfied.
Answer (B) is incorrect. An informal consulting engagement agreement applies more to routine tasks.
Answer (C) is incorrect. A special consulting engagement agreement applies more to occasional, one-time special arrangements.
Answer (D) is incorrect. An emergency consulting engagement agreement applies more to unplanned engagements.

[335] Gleim #: 4.4.64
The legislative auditing bureau of a country is required to perform compliance engagements involving organizations that are issued defense contracts on a cost-plus basis.
Contracts are clearly written to define acceptable costs, including developmental research cost and appropriate overhead rates. During the past year, the government has engaged in extensive outsourcing of its activities. The outsourcing included contracts to run cafeterias, provide janitorial services, manage computer operations and systems development, and provide engineering of construction projects. The contracts were modeled after those used for years in the defense industry. The legislative internal auditors are being called upon to expand their efforts to include compliance engagements involving these contracts. Upon initial investigation of these outsourced areas, the internal auditor found many areas in which the outsourced management has apparently expanded its authority and responsibility. For example, the contractor that manages computer operations has developed a highly sophisticated security program that may represent the most advanced information security in the industry. The internal auditor reviews the contract and sees reference only to providing appropriate levels of computing security. The internal auditor suspects that the governmental agency may be incurring developmental costs that the outsourcer may use for competitive advantage in marketing services to other organizations. Assuming that a high degree of security is needed, which of the following potential sources of information will also be relevant to the internal auditor’s assessment of whether the governmental unit is being charged for computer security that exceeds the entity’s needs?
I. Comparison of the security system with best practices implemented for similar systems
II. Comparison of the security system with recent publications on state-of-the-art systems
III. Tests of the functionality of the security system
A. II only.
B. I and II only.
C. III only.
D. I, II, and III.

Answer (A) is incorrect.
Benchmarking (identifying the best practices of similar entities) also provides relevant information.
Answer (B) is correct. Comparison of the security system with best practices implemented for similar systems and with recent publications on state-of-the-art systems is the best approach. It compares the system being developed with cutting edge systems and provides the internal auditor with a basis to address the outsourcer’s claim that the system is the minimum necessary for the organization.
Answer (C) is incorrect. Testing the functionality of the system provides information on whether the system works, not whether it is appropriate for the entity.
Answer (D) is incorrect. Testing the functionality of the system provides information on whether the system works, not whether it is appropriate for the entity.

[336] Gleim #: 4.4.65
An internal auditor notes that production is often stopped or hampered because raw materials inventory is not present when needed. Which of the following statements is/are true based on this information alone?
I. The internal auditor should investigate the quality of communication between production planners and purchasing agents.
II. The internal auditor should recommend that management implement an economic order quantity (EOQ) model to better manage inventory and meet production needs.
III. The internal auditor should attempt to quantify the costs to the organization related to this problem.
A. I only.
B. I and II.
C. I and III.
D. II and III.

Answer (A) is incorrect. The internal auditor should also attempt to quantify the costs of this problem so that the maximum benefit from expending resources can be obtained.
Answer (B) is incorrect. The information is insufficient for the internal auditor to recommend implementing an EOQ.
Answer (C) is correct.
The condition attribute of the engagement observation is that stockouts are occurring. To determine the cause attribute of the observation, the internal auditor should consider the coordination between those responsible for scheduling production and those responsible for obtaining needed resources. The internal auditor should also attempt to quantify the costs of the problem to establish the effect attribute of the observation. However, the internal auditor should not recommend implementation of an EOQ model because (1) the auditor has not gathered sufficient information to justify it, and (2) implementing an EOQ model would not resolve the observed condition since EOQs do not determine a level of safety stock.
Answer (D) is incorrect. The information is insufficient for the internal auditor to recommend implementing an EOQ.

[337] Gleim #: 4.4.66
Reengineering is the thorough analysis, fundamental rethinking, and complete redesign of essential business processes. The intended result is a dramatic improvement in service, quality, speed, and cost. An internal auditor’s involvement in reengineering should include all of the following except
A. Determining whether the process has senior management’s support.
B. Recommending areas for consideration.
C. Developing audit plans for the new system.
D. Directing the implementation of the redesigned process.

Answer (A) is incorrect. Internal auditors may perform the functions of determining whether the process has senior management’s support, recommending areas for consideration, and developing audit plans for the new system.
Answer (B) is incorrect. Internal auditors may perform the functions of determining whether the process has senior management’s support, recommending areas for consideration, and developing audit plans for the new system.
Answer (C) is incorrect.
Internal auditors may perform the functions of determining whether the process has senior management’s support, recommending areas for consideration, and developing audit plans for the new system.
Answer (D) is correct. Internal auditors should not become directly involved in the implementation of the redesign process. This involvement would impair their independence and objectivity. Staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so.

[338] Gleim #: 4.4.67
Monitoring is an important component of internal control. Which of the following items would not be an example of monitoring?
A. Management regularly compares divisional performance with budgets for the division.
B. Data processing management regularly generates exception reports for unusual transactions or volumes of transactions and follows up with investigation as to causes.
C. Data processing management regularly reconciles batch control totals for items processed with batch controls for items submitted.
D. Management has asked internal auditing to perform regular audits of the controls over cash processing.

Answer (A) is incorrect. Budgetary comparison is a typical example of a monitoring control.
Answer (B) is incorrect. Investigation of exceptions is a monitoring control used by lower-level management to determine when their operations may be out of control.
Answer (C) is correct. Monitoring assesses the quality of internal control over time. Management considers whether internal control is properly designed and operating as intended and modifies it to reflect changing conditions. Reconciling batch control totals is a processing control over a single instance of accounting activity.
Answer (D) is incorrect. Internal auditing is a form of monitoring. It serves to evaluate management’s other controls.

[339] Gleim #: 4.4.68
An example of an internal nonfinancial benchmark is
A. The labor rate of comparably skilled employees at a major competitor’s plant.
B. The average actual cost per pound of a specific product at the company’s most efficient plant.
C. A US $50,000 limit on the cost of employee training programs at each of the company’s plants.
D. The percentage of customer orders delivered on time at the company’s most efficient plant.

Answer (A) is incorrect. The labor rate at a major competitor’s plant is an external financial measure.
Answer (B) is incorrect. The average actual cost per pound of a specific product at the company’s most efficient plant is an internal financial measure.
Answer (C) is incorrect. A US $50,000 limit on the cost of employee training programs is an internal control rather than a benchmark.
Answer (D) is correct. The percentage of orders delivered on time at the company’s most efficient plant is an example of an internal nonfinancial benchmark. The other choices are monetary measures.

[340] Gleim #: 4.4.69
What is the first phase in the benchmarking process?
A. Organize benchmarking teams.
B. Select and prioritize benchmarking projects.
C. Researching and identifying best-in-class performance.
D. Data analysis.

Answer (A) is incorrect. Organizing benchmarking teams is a subsequent phase.
Answer (B) is correct. The first phase in the benchmarking process is to select and prioritize benchmarking projects. The next phase is to organize benchmarking teams. Researching and identifying best-in-class performance is the third phase in the benchmarking process. The fourth phase is data analysis, and the final phase is the implementation phase.
Answer (C) is incorrect. Researching and identifying best-in-class performance is a subsequent phase.
Answer (D) is incorrect. Data analysis is a subsequent phase.

[341] Gleim #: 4.4.70
Which of the following statements regarding benchmarking is false?
A. Benchmarking involves continuously evaluating the practices of best-in-class organizations and adapting company processes to incorporate the best of these practices.
B. Benchmarking, in practice, usually involves a company’s formation of benchmarking teams.
C. Benchmarking is an ongoing process that entails quantitative and qualitative measurement of the difference between the company’s performance of an activity and the performance by the best in the world or the best in the industry.
D. The benchmarking organization against which a firm is comparing itself must be a direct competitor.

Answer (A) is incorrect. It is a true statement about benchmarking.
Answer (B) is incorrect. It is a true statement about benchmarking.
Answer (C) is incorrect. It is a true statement about benchmarking.
Answer (D) is correct. Benchmarking is an ongoing process that entails quantitative and qualitative measurement of the difference between the company’s performance of an activity and the performance by a best-in-class organization. The benchmarking organization against which a firm is comparing itself need not be a direct competitor. The important consideration is that the benchmarking organization be an outstanding performer in its industry.

[342] Gleim #: 4.4.71
The phase of the benchmarking process in which the team must be able to justify its recommendations is the
A. Prioritize benchmarking projects phase.
B. Implementation phase.
C. Data analysis phase.
D. Researching and identifying best in class performance phase.

Answer (A) is incorrect. This is the stage where businesses must understand key business processes and drivers.
Answer (B) is correct. Leadership is most important in the implementation phase of the benchmarking process because the team must be able to justify its recommendations.
Also, the process improvement teams must manage the implementation of approved changes.
Answer (C) is incorrect. The data analysis phase entails identifying performance gaps and understanding the reasons they exist.
Answer (D) is incorrect. This stage involves the setting up of databases and information-gathering methods.

[343] Gleim #: 4.4.72
Researching and identifying best-in-class performance is often the most difficult phase. Which of the following is not a critical step?
A. Setting up databases.
B. Choosing information-gathering methods.
C. Formatting questionnaires.
D. Employee training and empowerment.

Answer (A) is incorrect. Setting up databases is a critical step in the researching and identifying phase.
Answer (B) is incorrect. Choosing information-gathering methods is a critical step in the researching and identifying phase.
Answer (C) is incorrect. Formatting questionnaires is a critical step in the researching and identifying phase.
Answer (D) is correct. The critical steps in the researching and identifying phase are setting up databases, choosing information-gathering methods, formatting questionnaires, and selecting benchmarking partners. Employee training and empowerment is part of total quality management (TQM).

[344] Gleim #: 4.4.73
Which of the following is true of benchmarking?
A. Benchmarking is typically accomplished by comparing an organization’s performance with the performance of its closest competitors.
B. Benchmarking can be performed using either qualitative or quantitative comparisons.
C. Benchmarking is normally limited to manufacturing operations and production processes.
D. Benchmarking is accomplished by comparing an organization’s performance to that of the best-performing organizations.

Answer (A) is incorrect.
Benchmarking involves a comparison with industry leaders or world-class operations. It uses either industry-wide amounts (to protect the confidentiality of information provided by participating organizations) or amounts from cooperating organizations.
Answer (B) is incorrect. Benchmarking requires measurements, which involve quantitative comparisons.
Answer (C) is incorrect. Benchmarking can be applied to all of the functional areas in an organization. In fact, manufacturing often tends to be industry-specific, whereas activities such as processing an order or paying an invoice are not. Nonmanufacturing functions often provide a greater opportunity to improve by learning from global leaders.
Answer (D) is correct. Benchmarking is one of the primary tools used in the implementation of a total quality management approach. It is a means of helping organizations with productivity management and business process review. It is therefore a source of consulting engagements for the internal auditors. Benchmarking is a continuous evaluation of the practices of the best organizations in their class and the adaptation of processes to reflect the best of these practices. It entails analysis and measurement of key outputs against those of the best organizations. This procedure also involves identifying the underlying key actions and causes that contribute to the performance difference. Benchmarking is an ongoing process that entails quantitative and qualitative measurement of the difference between the organization’s performance of an activity and the performance by the best in the world. The benchmark organization need not be a competitor.

[345] Gleim #: 4.4.74
An organization wants to improve on its performance measures for a new business line. Which type of benchmarking is most likely to provide information useful for this purpose?
A. Functional.
B. Competitive.
C. Generic.
D. Internal.

Answer (A) is correct. Benchmarking is one of the primary tools used in the implementation of a TQM approach. It is a means of helping organizations with productivity management and business process review. It is therefore a source of consulting engagements for the internal auditors. Benchmarking is a continuous evaluation of the practices of the best organizations in their class and the adaptation of processes to reflect the best of these practices. It entails analysis and measurement of key outputs against those of the best organizations. This procedure also involves identifying the underlying key actions and causes that contribute to the performance difference. The type of benchmarking most likely to help improve performance measures for a new business line is functional benchmarking. Comparison with organizations that perform related functions within the same technological area provides information about what is being achieved elsewhere in the new business line.
Answer (B) is incorrect. Comparison with the best competitors focuses on performance in related organizations as a whole and likely includes some activities unrelated to the new business line.
Answer (C) is incorrect. Comparison of processes that are virtually the same regardless of industry (such as document processing) would not be as helpful as comparison of processes that are similar in function.
Answer (D) is incorrect. Comparison against the best within the same organization may be misleading. It does not provide information about what is being accomplished outside the organization in the new business line.

[346] Gleim #: 4.4.75
A company that has many branch stores has decided to benchmark one of its stores for the purpose of analyzing the accuracy and reliability of branch store financial reporting.
Which one of the following is the most likely measure to be included in a financial benchmark?
A. High turnover of employees.
B. High level of employee participation in setting budgets.
C. High amount of bad debt write-offs.
D. High number of suppliers.
Answer (A) is incorrect. Turnover of employees is not a financial benchmark.
Answer (B) is incorrect. Employee participation in setting budgets is not a financial benchmark.
Answer (C) is correct. The level of bad debts written off as uncollectible is a benchmark stated in financial terms. A level exceeding the benchmark could indicate fraud, which compromises the accuracy and reliability of financial reports. Bad debt write-offs may result from recording fictitious sales.
Answer (D) is incorrect. The number of suppliers is not a financial benchmark.

[347] Gleim #: 5.1.1
An auditor experienced in air-quality issues discovered a significant lack of knowledge about legal requirements for controlling air emissions while interviewing the manager of the environmental, health, and safety (EHS) department. The auditor should
A. Alter the scope of the engagement to focus on activities associated with air emissions.
B. Share extensive personal knowledge with the EHS manager.
C. Take note of the weakness and direct additional questions to determine the potential effect of the lack of knowledge.
D. Report potential violations in this area to the appropriate regulatory agency.
Answer (A) is incorrect. The scope of the engagement should not be altered too early. Maintaining a broad scope and not reducing the scope prematurely are important considerations in the engagement process.
Answer (B) is incorrect. Although the auditor may be able to contribute to the EHS manager’s knowledge of pertinent air-quality matters, during this phase of the engagement, the auditor should focus on learning what the manager does.
Answer (C) is correct. An engagement’s objectives and procedures address the risks associated with the activities under review. The preliminary risk assessment identifies significant activities requiring examination as potential objectives. Thus, the auditor ensures that the field work is designed to identify potential instances of noncompliance. In the closing conference, the auditor should recommend additional training for the EHS manager.
Answer (D) is incorrect. An auditor should not report violations or potential violations to regulatory agencies. Such matters are the responsibility of the organization’s counsel.

[348] Gleim #: 5.1.2
In the planning phase, the scope of an internal audit engagement is defined by the
A. Engagement objectives.
B. Scheduling and time estimates.
C. Preliminary survey.
D. Engagement work program.
Answer (A) is correct. The established scope must be sufficient to satisfy the objectives of the engagement (Perf. Std. 2220).
Answer (B) is incorrect. The scheduling and time estimates are based on the objectives and scope of the engagement.
Answer (C) is incorrect. The preliminary survey must be completed and the engagement objectives set before the engagement scope can be established.
Answer (D) is incorrect. The engagement work program is the last of the four steps listed.

[349] Gleim #: 5.1.3
If an auditor’s preliminary evaluation of internal controls results in an observation that controls may be inadequate, the next step is to
A. Expand audit work prior to the preparation of an engagement final communication.
B. Prepare a flowchart depicting the internal control system.
C. Note an exception in the engagement final communication if losses have occurred.
D. Implement the desired controls.
Answer (A) is correct. After identifying the risks, the auditor determines the procedures to be performed and the scope (nature, timing, and extent) of those procedures (PA 2210-1, para. 3). If the preliminary evaluation indicates increased control risk, the auditor usually decides to apply additional engagement procedures to reach the engagement objectives.
Answer (B) is incorrect. A flowchart is prepared during the preliminary evaluation.
Answer (C) is incorrect. The auditor is not ready to report until more work has been performed.
Answer (D) is incorrect. Managers, not auditors, implement controls.

[350] Gleim #: 5.1.4
Which of the following statements is an engagement objective?
A. Observe the deposit of the day’s cash receipts.
B. Analyze the pattern of any cash shortages.
C. Evaluate whether cash receipts are adequately safeguarded.
D. Recompute each month’s bank reconciliation.
Answer (A) is incorrect. Observation is a procedure.
Answer (B) is incorrect. Analysis is a procedure.
Answer (C) is correct. Engagement objectives are broad statements developed by internal auditors that define intended engagement accomplishments (The IIA Glossary). Procedures are the means to reach conclusions related to the objectives. Evaluating whether cash receipts are adequately safeguarded is an objective because it states what the engagement is to accomplish.
Answer (D) is incorrect. Recomputation is a procedure.

[351] Gleim #: 5.1.5
While planning an engagement, an internal auditor establishes engagement objectives to describe what is to be accomplished. Which of the following is a key issue to consider in developing engagement objectives?
A. The qualifications of the internal auditing staff selected for the engagement.
B. Risks associated with the activities to be reviewed.
C. Recommendations of the engagement client’s employees.
D. The recipients of the final engagement communication.
Answer (A) is incorrect. The engagement objectives should regulate the selection of staff members, not vice versa.
Answer (B) is correct. Internal auditors establish engagement objectives to address the risks associated with the activity under review. For planned engagements, the objectives proceed and align to those initially identified during the risk assessment process from which the internal audit plan is derived (PA 2210-1, para. 1).
Answer (C) is incorrect. Internal auditors must set their own objectives. Client input is more useful for defining the operating objectives to which the engagement objectives must relate.
Answer (D) is incorrect. The needs of recipients addressed by the final engagement communication are determined by the engagement client’s objectives.

[352] Gleim #: 5.1.6
The preliminary survey phase of an engagement to evaluate recruiting activity shows that hotel and airfare expenses are approximately equal. Both hotel and airline arrangements are made by the recruiting group secretary. Based on this information, the scope of field work should include
A. Considering competitive factors involved in the selection of hotel accommodations.
B. Recommending that someone outside the recruiting group make hotel and airline reservations.
C. Comparing the detail of hotel charges per candidate’s expense reports to copies of hotel bills obtained directly from hotel sources.
D. Obtaining assurance that candidates’ legal rights are protected during the course of the interview experience.
Answer (A) is correct. Internal auditors can provide assistance to managers by determining whether underlying assumptions are appropriate, information is current and relevant, and suitable controls are incorporated into the operation in question.
The scope of an engagement to evaluate recruiting expenses should include an inquiry as to whether procedures to minimize costs are in place and functioning effectively.
Answer (B) is incorrect. Recommending that someone outside the recruiting group make hotel and airline reservations is a recommendation, not the scope of the engagement effort.
Answer (C) is incorrect. Comparing the detail of hotel charges per candidate’s expense reports to copies of hotel bills obtained directly from hotel sources is an engagement work program step.
Answer (D) is incorrect. The legal rights of interviewees are not relevant to an engagement to evaluate recruiting expenses.

[353] Gleim #: 5.1.7
Which of the following is an appropriate statement of an engagement objective?
A. To observe the physical inventory count.
B. To determine whether inventory stocks are sufficient to meet projected sales.
C. To search for the existence of obsolete inventory by computing inventory turnover by product line.
D. To include information about stockouts in the final engagement communication.
Answer (A) is incorrect. Observation of inventory is an engagement procedure.
Answer (B) is correct. An engagement objective is a broad statement developed by internal auditors to define intended engagement accomplishments (The IIA Glossary). Determining whether inventory stocks are sufficient to meet projected sales is an engagement objective because it defines an audit accomplishment, not an engagement procedure. A procedure is designed to gather information that corroborates and documents conclusions about objectives.
Answer (C) is incorrect. Calculation of inventory turnover is an engagement procedure.
Answer (D) is incorrect. Inclusion of stockout information is a specification for an engagement communication.

[354] Gleim #: 5.1.8
In an engagement to review a not-for-profit organization’s special revenue fund, the primary engagement objective is to determine whether the organization
A. Complied with existing fund requirements and performed specified activities.
B. Managed its resources economically and efficiently.
C. Prepared its financial statements in accordance with accounting principles generally accepted in its country.
D. Applies the funds in a way that would benefit the greatest number of people.
Answer (A) is correct. A fund is a fiscal and accounting organization with a self-balancing set of accounts recording cash and other financial resources. It also records all related liabilities and residual equities and balances and changes in them. These items are segregated for the purpose of carrying on specific activities or attaining certain objectives in accordance with special regulations, restrictions, or limitations. Thus, the primary engagement objective is to determine whether the organization complied with the existing fund requirements and performed the specified activities.
Answer (B) is incorrect. The special purpose of the fund outweighs issues of economy and efficiency.
Answer (C) is incorrect. Not-for-profit entities may use a modified accrual accounting system that is not in accordance with GAAP.
Answer (D) is incorrect. Only the activities specified by fund restrictions are meant to be carried out.

[355] Gleim #: 5.1.9
Which of the following is an appropriate objective in an engagement to review a personnel department? Determining whether
A. Hourly employees are being paid only for hours actually worked as indicated by time cards or similar reports.
B. An equitable training program exists that provides all employees with approximately the same amount of training each year.
C. Reference checks of prospective employees are being performed.
D. Recruitment is being delegated to the various departments that have personnel needs.
Answer (A) is incorrect. Whether hourly employees are being paid only for hours actually worked as indicated by time cards or similar reports is an objective of an engagement to review payroll.
Answer (B) is incorrect. All employees do not need approximately the same annual training.
Answer (C) is correct. An effective personnel function is necessary for hiring, training, and monitoring human resources. One purpose of this function is to recruit, select, hire, train, supervise, and evaluate individuals who are suitable in light of job requirements, job descriptions, and job specifications (the abilities needed for particular jobs). In a review of this function, an appropriate objective is to determine whether the selection process is being properly performed. Thus, a potential employee’s references should be checked to determine whether (s)he is truthful and has the desired qualifications.
Answer (D) is incorrect. The personnel department should usually perform recruiting tasks.

[356] Gleim #: 5.1.10
The established scope of the engagement must be sufficient to satisfy the objectives of the engagement. When developing the objectives of the engagement, the internal auditor considers the
A. Probability of significant noncompliance.
B. Information included in the engagement work program.
C. Results of engagement procedures.
D. Resources required.
Answer (A) is correct. Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing assurance engagement objectives (Impl. Std. 2210.A2).
Answer (B) is incorrect. Engagement objectives must be determined before the engagement work program is written.
Answer (C) is incorrect. The objectives determine the procedures to be performed.
Answer (D) is incorrect.
Internal auditors determine the resources required to achieve the engagement objectives.

[357] Gleim #: 5.1.11
Which of the following possible engagement objectives would lead to a test of the efficiency of an organization’s use of labor resources?
A. To determine that all employees are paid in accordance with union wages.
B. To determine that employees are assigned to work situations equivalent to their training and skill level.
C. To determine that the quality of performance by labor meets organizational standards.
D. To determine that only authorized employees are paid.
Answer (A) is incorrect. Determining that all employees are paid in accordance with union wages is an objective of a compliance engagement, not a test of efficiency.
Answer (B) is correct. Internal auditors should appraise the economy and efficiency with which resources are employed. Assignment of employees to tasks not commensurate with their skills may result in excess labor costs (when more skilled and more highly paid workers perform jobs for which they are overqualified) or in poor performance (when underqualified labor is used).
Answer (C) is incorrect. Quality concerns effectiveness, not efficiency.
Answer (D) is incorrect. Whether only authorized employees are paid is irrelevant to efficiency.

[358] Gleim #: 5.1.12
The chief audit executive (CAE) of a mid-sized internal audit activity was concerned that management might outsource the internal auditing function. Thus, the CAE adopted a very aggressive program to promote the internal audit activity within the organization.
The CAE planned to present the results to senior management and the board and recommend modification of the internal audit activity’s charter after using the new program. The following lists six actions the CAE took to promote a positive image within the organization:
1. Engagement assignments concentrated on efficiency. The engagements focused solely on cost savings, and each engagement communication highlighted potential costs to be saved. Negative observations were omitted. The focus on efficiency was new, but the engagement clients seemed very happy.
2. Drafts of all engagement communications were carefully reviewed with the engagement clients to get their input. Their comments were carefully considered when developing the final engagement communication.
3. The information technology internal auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development.
4. Given limited resources, the engagement manager performed a risk assessment to establish engagement work schedule priorities. This was a marked departure from the previous approach of ensuring that all operations are evaluated on at least a 3-year interval.
5. To save time, the CAE no longer required that a standard internal control questionnaire be completed for each engagement.
6. When the internal auditors found that the engagement client had not developed specific criteria or data to evaluate operations, the internal auditors were instructed to perform research, develop specific criteria, review the criteria with the engagement client, and, if acceptable, use them to evaluate the engagement client’s operations. If the engagement client disagreed with the criteria, a negotiation took place until acceptable criteria could be agreed upon. The engagement communication commented on the engagement client’s operations in conjunction with the agreed-upon criteria.
Regarding Action 6, which of the following elements of the action most likely would have rendered it inappropriate if omitted?
A. Seek agreement with the client about the criteria.
B. Developing a set of criteria to present to the engagement client as a basis for evaluating the engagement client’s operations.
C. Commenting on the agreed-upon criteria.
D. All of the answers are correct.
Answer (A) is correct. If the criteria established by management to determine whether objectives and goals have been accomplished are inadequate, the internal auditors must work with management to develop appropriate evaluation criteria (Impl. Std. 2210.A3).
Answer (B) is incorrect. Internal auditors may be required to interpret or select operating standards and then to seek agreement with engagement clients as to the criteria needed to measure operating performance.
Answer (C) is incorrect. The engagement final communication should include observations and recommendations with the following attributes: criteria, condition, cause, and effect. Criteria are the standards, measures, or expectations used in making an evaluation or expectation. The effect is the impact of the difference between the criteria (what should exist) and the condition (what does exist).
Answer (D) is incorrect. Two of the responses are incorrect.

[359] Gleim #: 5.1.13
In evaluating the effectiveness and efficiency with which resources are employed, an internal auditor is responsible for
A. Determining the extent to which adequate operating criteria have been established.
B. Verifying the existence of assets.
C. Reviewing the reliability of operating information.
D. Verifying the accuracy of asset valuation.
Answer (A) is correct.
Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished (Impl. Std. 2210.A3).
Answer (B) is incorrect. Verifying existence relates to the safeguarding of assets.
Answer (C) is incorrect. The reliability of operating information concerns the reliability and integrity of information.
Answer (D) is incorrect. Verifying the accuracy of asset valuation concerns the reliability and integrity of information.

[360] Gleim #: 5.1.14
All of the following are acceptable criteria on which an internal audit may be based except
A. Policies and procedures.
B. Standards or guidelines.
C. Control frameworks.
D. Management cooperation with audit activities.
Answer (A) is incorrect. Policies and procedures are standards, measures, or expectations that may be used to make an evaluation. The internal auditor may evaluate the conditions and determine that the organization or process is in compliance with the policies and procedures.
Answer (B) is incorrect. Standards or guidelines are standards, measures, or expectations that may be used to make an evaluation. The auditor may determine that the process being audited is in compliance with the standards or guidelines.
Answer (C) is incorrect. The auditor decides whether the controls implemented are adequate and effective. A control framework is useful in such an evaluation.
Answer (D) is correct. Management cooperation with audit activities is not a measure or expectation but rather a condition. A condition is the factual evidence that the internal auditor found in the course of the examination.

[361] Gleim #: 5.1.15
Which statement most accurately describes how criteria are established for use by internal auditors in determining whether goals and objectives have been accomplished?
A. Management is responsible for establishing the criteria.
B. Internal auditors should use professional standards or government regulations to establish the criteria.
C. The industry in which a company operates establishes criteria for each member company through benchmarks and best practices for that industry.
D. Appropriate accounting or auditing standards, including international standards, should be used as the criteria.
Answer (A) is correct. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished (Impl. Std. 2210.A3). Thus, management is always responsible for establishing the criteria.
Answer (B) is incorrect. If management has not established the criteria or if the established criteria are inadequate, the auditor should work with management to develop appropriate evaluation criteria.
Answer (C) is incorrect. Benchmarks and best industry practices are sources of information that will assist management in establishing objective, relevant, and meaningful criteria.
Answer (D) is incorrect. Accounting or auditing standards are not appropriate for this purpose.

[362] Gleim #: 5.1.16
Before an assurance engagement can be performed, the auditor must identify appropriate criteria. The sources of such criteria are least likely to include
A. Benchmarks for the leading firms in the industry.
B. Best practices for another industry.
C. Historical cost information for the processes examined.
D. Government regulations for the industry.
Answer (A) is incorrect. Benchmarks for the leading firms in the industry are more likely to provide adequate criteria than those for firms in an unrelated industry.
Answer (B) is correct.
Acceptable industry standards, standards developed by professions or associations, standards in law and government regulations, and other sound business practices are usually deemed to be appropriate criteria.
Answer (C) is incorrect. Historical cost information for the processes examined is clearly relevant if they have not changed materially.
Answer (D) is incorrect. Government regulations for the industry must be followed.

[363] Gleim #: 5.1.17
Internal auditors need to ascertain the extent to which management has established adequate control criteria. For this purpose, which of the following actions may be appropriate?
I. Determining whether objectives have been accomplished
II. Using the criteria in their evaluation
III. Working with management to develop appropriate control evaluation criteria
A. I only.
B. I and II only.
C. I, II, and III.
D. II only.
Answer (A) is incorrect. The internal auditors also may take the actions described in statements II and III.
Answer (B) is incorrect. The internal auditors also may take the action described in statement III.
Answer (C) is correct. “Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria” (Impl. Std. 2210.A3).
Answer (D) is incorrect. The internal auditors also may take the actions described in statements I and III.

[364] Gleim #: 5.1.18
If an engagement client’s operating standards are vague and thus subject to interpretation, the internal auditor must
A. Seek agreement with management as to the criteria to be used to measure operating performance.
B. Determine best practices in this area and use them as the standard.
C. Interpret the standards in their strictest sense because standards are otherwise only minimum measures of acceptance.
D. Omit any comments on standards and the engagement client’s performance in relationship to those standards because such an analysis would be meaningless.
Answer (A) is correct. Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria (Impl. Std. 2210.A3).
Answer (B) is incorrect. The internal auditor need not apply the principles of competitive benchmarking.
Answer (C) is incorrect. Circumstances will dictate the interpretation of vague operating standards.
Answer (D) is incorrect. The internal auditor must work with management to develop appropriate criteria.

[365] Gleim #: 5.1.19
Developing engagement observations, conclusions, and recommendations involves comparing the condition with the relevant standard or criterion. Which of the following choices best represents an appropriate standard or criterion to support engagement observations, conclusions, and recommendations?
A. A quality standard operating procedure (number and date) for the department.
B. An internal accounting control principle, cited and copied from a public accounting reference.
C. A sound industry practice, based on the internal auditor’s knowledge and experience obtained during many engagement assignments within the organization.
D. All of the answers represent an appropriate standard or criterion to support engagement observations, conclusions, and recommendations.
Answer (A) is incorrect. Standard operating procedures are a source of potentially valid criteria.
Answer (B) is incorrect. Professional standards are a source of potentially valid criteria.
Answer (C) is incorrect. Sound business practices are a source of potentially valid criteria.
Answer (D) is correct. Acceptable industry standards, standards developed by professions or associations, standards in law and government regulations, and other sound business practices are usually deemed to be appropriate criteria.

[366] Gleim #: 5.1.20
Internal auditors must develop and document a plan for each engagement. The planning process should include all the following except
A. Establishing engagement objectives and scope of work.
B. Obtaining background information about the activities to be reviewed.
C. Identifying sufficient information to achieve engagement objectives.
D. Determining how, when, and to whom the engagement results will be communicated.
Answer (A) is incorrect. The planning process includes establishing engagement objectives and scope of work.
Answer (B) is incorrect. The planning process includes obtaining background information.
Answer (C) is correct. Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations (Perf. Std. 2200). Identifying sufficient information to achieve engagement objectives is done during field work, not planning.
Answer (D) is incorrect. The planning process includes determining how, when, and to whom the engagement results will be communicated.

[367] Gleim #: 5.1.21
Documentation required to plan an internal audit engagement includes information that
A. Resources needed to complete the engagement were considered.
B. Planned engagement work will be completed on a timely basis.
C. Intended engagement observations have been clearly identified.
D. Internal audit activity resources are efficiently and effectively employed.
Answer (A) is correct. Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations (Perf. Std. 2200).
Answer (B) is incorrect. Whether the planned work will actually be completed on time cannot be known in the planning phase.
Answer (C) is incorrect. Observations are what is actually found by performing procedures. Auditors must not anticipate the results of the work. To do so indicates a lack of objectivity.
Answer (D) is incorrect. Documenting the economic and efficient use of resources can be done only upon completion of the engagement.

[368] Gleim #: 5.1.22
An internal auditor is assigned to perform an engagement to evaluate the organization’s insurance program, including the appropriateness of the approach to minimizing risks. The organization self-insures against large casualty losses and health benefits provided for all its employees. It is a large national entity with over 15,000 employees located in various parts of the country. It uses an outside claims processor to administer its health care program. The organization’s medical costs have been rising by approximately 8% per year for the past five years, and management is concerned with controlling these costs. The internal auditor needs to determine the scope of the proposed evaluation of insurance coverage. Which of the following statements are true regarding the potential scope of the engagement?
I. The internal audit activity should concentrate on processing that occurs within the organization and not on evaluating the correctness of transactions processing by the health care processor.
II. The internal auditor should interview management prior to beginning the engagement to understand (1) its concerns and (2) the underlying assumptions made and rationale used when making the self-insurance decision.
III. The internal auditor should consider engaging an actuarial consultant to better understand the risks involved in order to help determine the scope of the engagement.
A. I only.
B. II only.
C. I and II.
D. II and III.
Answer (A) is incorrect. The internal auditor needs to investigate the cause for the increase in costs and the accuracy with which the claims processor is handling claims. The internal auditor should routinely interview engagement client management and should also consider engaging an actuarial consultant.
Answer (B) is incorrect. The internal auditor needs to investigate the cause for the increase in costs and the accuracy with which the claims processor is handling claims. The internal auditor should routinely interview engagement client management and should also consider engaging an actuarial consultant.
Answer (C) is incorrect. The internal auditor needs to investigate the cause for the increase in costs and the accuracy with which the claims processor is handling claims. The internal auditor should routinely interview engagement client management and should also consider engaging an actuarial consultant.
Answer (D) is correct. One step in planning the engagement is to define engagement objectives (intended engagement accomplishments) and procedures (means of achieving the objectives).
Taken together, the objectives and procedures define the scope of the internal auditor’s work. Objectives and procedures are documented in the engagement work program. Before the work program can be drafted, however, a preliminary assessment of the risks relevant to the activity under review is conducted (PA 2210.A1). This survey includes, among other steps, discussions with the engagement client to increase the internal auditor’s familiarity with the activities to be reviewed. Furthermore, if the internal auditing staff does not have the requisite knowledge, skills, and other competencies to perform all or part of the engagement, the CAE must obtain competent advice and assistance (Standard 1210.A1). However, the outside claims processing function is an integral part of the organization’s internal control. Thus, the scope of the internal auditor’s work should extend to the adequacy and effectiveness of internal control over claims processing.

[369] Gleim #: 5.2.23
An external consultant is developing methods for the management of a city’s capital facilities. An appropriate scope of an engagement to evaluate the consultant’s product is to
A. Review the consultant’s contract to determine its propriety.
B. Establish the parameters of the value of the items being managed and controlled.
C. Determine the adequacy of the risk management and control systems for the management of capital facilities.
D. Review the handling of idle equipment.
Answer (A) is incorrect. The review of the consultant’s contract to determine its propriety is related to the procurement decision.
Answer (B) is incorrect. The establishment of parameters for values of items being managed and controlled is a management responsibility.
Answer (C) is correct.
“In planning the engagement, internal auditors must consider: The objectives of the activity being reviewed and the means by which the activity controls its performance; The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level; The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model; and The opportunities for making significant improvements to the activity’s governance, risk management, and control processes” (Perf. Std. 2201).
Answer (D) is incorrect. Management must determine policies regarding idle equipment. Some equipment may be retained for emergency use.

[370] Gleim #: 5.2.24
As part of planning an engagement, the internal auditor in charge does all of the following except
A. Determine the period covered.
B. Conduct meetings with management responsible for the activity under review.
C. Distribute reports from meetings with management.
D. Determine to whom engagement results will be communicated.

Answer (A) is incorrect. The internal auditor determines engagement requirements not determined by the CAE. The internal auditor’s determinations include the period covered, estimated completion dates, and the final engagement communication format.
Answer (B) is incorrect. The internal auditor informs those in management who need to know about the engagement and conducts meetings with management responsible for the activity under review.
Answer (C) is incorrect. The internal auditor conducts meetings with management responsible for the activity under review, summarizes and distributes the discussions and any conclusions reached from the meetings, and retains the documentation in the engagement working papers.
Answer (D) is correct. The CAE determines how, when, and to whom engagement results will be communicated (PA 2200-1, para. 5).

[371] Gleim #: 5.2.25
Which of the following is least likely to be placed on the agenda for discussion at a pre-engagement meeting?
A. Objectives and scope of the engagement.
B. Client personnel needed.
C. Sampling plan and key criteria.
D. Expected starting and completion dates.

Answer (A) is incorrect. Topics of discussion may include planned objectives and scope of work.
Answer (B) is incorrect. Topics of discussion may include resources needed.
Answer (C) is correct. Possible objectives and scope for the engagement, the client personnel to whom the auditors need access, and the expected start and completion dates for the engagement are all appropriate matters for discussion at a pre-engagement meeting. The sampling plan cannot be drafted until risk is assessed and the engagement objectives are set.
Answer (D) is incorrect. Topics of discussion may include the timing of the work.

[372] Gleim #: 5.2.26
In planning an engagement, internal auditors must consider which of the following items?
I. The objectives of the activity being reviewed.
II. The adequacy and effectiveness of the activity’s risk management and control processes.
III. The opportunities for making significant improvements to the activity’s information technology systems and control systems.
A. I and II.
B. II and III.
C. I and III.
D. I, II, and III.

Answer (A) is correct.
“In planning the engagement, internal auditors must consider: The objectives of the activity being reviewed and the means by which the activity controls its performance; The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level; The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model; and The opportunities for making significant improvements to the activity’s governance, risk management, and control processes” (Perf. Std. 2201). The internal auditor does not have to consider the opportunities for making significant improvements to the activity’s information technology systems and control systems.
Answer (B) is incorrect. The internal auditor must consider the objectives of the activity being reviewed and the means by which the activity controls its performance but not the opportunities for making significant improvements to the activity’s information technology systems and control systems.
Answer (C) is incorrect. The internal auditor must consider the adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control framework or model but not the opportunities for making significant improvements to the activity’s information technology systems and control systems.
Answer (D) is incorrect. The internal auditor does not have to consider opportunities to improve the activity’s information technology systems and control systems.

[373] Gleim #: 5.2.27
Internal auditors must make a preliminary assessment of risks when conducting an assurance engagement. This assessment may involve quantitative (objective) and subjective factors. The least subjective factor is
A. The organization’s recognized losses on derivatives.
B. The auditor’s assessment of management responses.
C. Changes in the auditee’s business forecast.
D. The evaluation of internal control.

Answer (A) is correct. In planning the engagement, internal auditors must consider the significant risks and the means by which the potential impact of risk is kept to an acceptable level (Perf. Std. 2201). Risk factors have differing degrees of objectivity. The most objective (least subjective) factors are facts. The organization’s losses on derivatives are facts and therefore objective to the extent measurable. Objective information is such that it can be supported by facts or numbers. Subjective information is a judgment and may be interpreted differently by different people.
Answer (B) is incorrect. The auditor’s assessment of management responses is a professional judgment.
Answer (C) is incorrect. The business forecast is not a fact.
Answer (D) is incorrect. The evaluation of internal control is based on professional judgment. Information based on judgment is subjective.

[374] Gleim #: 5.3.28
During a preliminary survey of the accounts receivable function, an internal auditor discovered a potentially major control deficiency while preparing a flowchart. What immediate action should the internal auditor take regarding the weakness?
A. Perform sufficient testing to determine its cause and effect.
B. Report it to the level of management responsible for corrective action.
C. Schedule a separate engagement to evaluate that segment of the accounts receivable function.
D. Highlight the weakness to ensure that procedures to test it are included in the engagement work program.

Answer (A) is incorrect. Testing of the control will be performed during the field work phase of the engagement.
Answer (B) is incorrect. There is no need to report the potential defect. Testing is needed before reporting the defect to management.
Answer (C) is incorrect.
A separate engagement is not needed.
Answer (D) is correct. One purpose of the risk assessment is to highlight areas that should be addressed during the engagement. A potentially major control deficiency is a significant area warranting special emphasis and should be noted to ensure the needed coverage in the engagement work program.

[375] Gleim #: 5.3.29
Data-gathering activities such as interviewing operating personnel, identifying standards to be used to evaluate performance, and assessing risks inherent in a department’s operations are typically performed in which phase of an audit engagement?
A. Field work.
B. Preliminary survey.
C. Engagement program development.
D. Examination and evaluation of evidence.

Answer (A) is incorrect. The preliminary survey must be performed before field work can be undertaken.
Answer (B) is correct. Engagement planning should include performing, as appropriate, a survey to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite client comments and suggestions from engagement clients (PA 2210.A1-1, para. 3). Among other things, the survey should include discussions with the engagement client (e.g., interviews with operating personnel) and documenting key control activities (including identifying performance standards).
Answer (C) is incorrect. The preliminary survey must be performed before the engagement program can be developed.
Answer (D) is incorrect. The preliminary survey must be performed before evidence can be examined or evaluated.

[376] Gleim #: 5.3.30
Levels of production stoppages over the past year at a large laminating business were abnormally high due to machine malfunctions.
Would it be appropriate for the internal auditing function to develop a survey examining attitudes toward line operations, rotation of work zones, training, maintenance schedule, etc., for the machine operators to complete?
A. Yes, the survey is reliable without corroboration.
B. Yes, the examined areas are relevant to the malfunctions.
C. No, the examined areas are irrelevant to the malfunctions.
D. No, the survey is inappropriate without corroboration.

Answer (A) is incorrect. Reliability without corroboration is not the reason why the use of the survey is appropriate. The auditors should keep in mind the potential need to corroborate the information before making any final assessment.
Answer (B) is correct. If appropriate, internal auditors conduct a survey to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from engagement clients (PA 2210.A1-1, para. 3). The auditors should keep in mind the potential need to corroborate the information before making any final assessment, but this does not prevent use of the survey.
Answer (C) is incorrect. The examined areas are relevant to the malfunctions.
Answer (D) is incorrect. The need for corroboration will be determined after the survey is completed. Corroboration does not preclude the use of the survey.

[377] Gleim #: 5.3.31
In planning an engagement, the internal auditor establishes objectives to address the risk associated with the activity. Risk is the
A. Possibility that the balance or class of transactions and related assertions contains misstatements that could be material to the financial statements.
B. Uncertainty of the occurrence of an event that could affect the achievement of objectives.
C. Failure to adhere to organizational policies, plans, and procedures or to comply with relevant laws and regulations.
D. Failure to accomplish established objectives and goals for operations or programs.

Answer (A) is incorrect. The risk of material misstatement in financial statement assertions is just one adverse effect that can result from unmitigated risk.
Answer (B) is correct. Risk is the possibility that an event will occur having an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood (The IIA Glossary).
Answer (C) is incorrect. The failure to adhere to organizational policies, plans, and procedures or to comply with relevant laws and regulations is just one type of adverse effect that can result from unmitigated risk.
Answer (D) is incorrect. The failure to accomplish established objectives and goals for operations or programs is just one type of adverse effect that can result from unmitigated risk.

[378] Gleim #: 5.3.32
Which of the following activities represents the greatest risk to a post-merger manufacturing organization and is therefore most likely to be the subject of an internal audit engagement?
A. Combining imprest funds.
B. Combining purchasing functions.
C. Combining legal functions.
D. Combining marketing functions.

Answer (A) is incorrect. Imprest funds are typically immaterial in amount.
Answer (B) is correct. The financial exposure in the purchasing function is ordinarily greater than in, for example, the legal and marketing functions. Also, purchasing functions ordinarily represent the greatest exposure to loss of the items listed and are therefore most likely to be evaluated. After a merger, risk is heightened because of the difficulty of combining the systems of the two organizations. Thus, the likelihood of an engagement is increased.
Answer (C) is incorrect. Legal functions do not typically represent a risk of loss as great as the purchasing functions.
Answer (D) is incorrect. Marketing functions do not typically represent a risk of loss as great as the purchasing functions.

[379] Gleim #: 5.3.33
To determine the extent of testing to be performed during field work, preparing the engagement work program should be the next step after completing the
A. Preliminary survey.
B. Survey of company policies.
C. Assignment of audit staff.
D. Time budgets for specific audit tasks.

Answer (A) is correct. Planning includes performing, if appropriate, a survey to (1) become familiar with the activities, risks, and controls to be reviewed to identify areas for engagement emphasis and (2) invite comments and suggestions from engagement clients (PA 2210.A1-1, para. 3). Writing the work program is the next step.
Answer (B) is incorrect. This survey is not a sufficient basis for a work program, which is a detailed listing of engagement procedures.
Answer (C) is incorrect. Staff assignments are made prior to the preliminary survey.
Answer (D) is incorrect. Time budgets for specific tasks are determined as part of the preparation of the work program.

[380] Gleim #: 5.3.34
The chief audit executive was reviewing recent reports that had recommended additional engagements because of risk exposures to the organization. Which of the following represents the greatest risk and should be the next assignment?
A. Three prenumbered receiving reports were missing.
B. There were several purchase orders issued without purchase requisitions.
C. Payment had been made for routine inventory items without a purchase order or receiving report.
D. Several times cash receipts had been held over an extra day before depositing.

Answer (A) is incorrect. The absence of a receiving report or purchase requisition will prevent payment if disbursements are properly controlled.
Answer (B) is incorrect.
Certain routine purchases may not require requisitions.
Answer (C) is correct. Payment vouchers for merchandise should be supported by (1) a properly authorized purchase requisition, (2) a purchase order executing the transaction, (3) a receiving report indicating all goods ordered have been received in good condition, and (4) a vendor invoice confirming the amount owed. Lack of such support for cash payments suggests a high risk of fraud.
Answer (D) is incorrect. Assuming other controls are in place, the extent of the risk is the loss of 1 day’s receipts.

[381] Gleim #: 5.4.35
The purpose of including a time budget in an engagement work program is to
A. Provide an objective means of evaluating the internal auditor’s competence.
B. Ensure timely completion of the engagement.
C. Provide a means of controlling and evaluating the progress of the engagement.
D. Restrict the scope of the engagement.

Answer (A) is incorrect. Whether an internal auditor remains within the time budget is affected by many factors other than professional competence.
Answer (B) is incorrect. The establishment of a budget cannot ensure that work will be completed on a timely basis.
Answer (C) is correct. Supervision includes, among other things, ensuring the approved engagement program is completed unless changes are justified and authorized (PA 2340-1, para. 1). For this purpose, a time budget is necessary to evaluate and control the progress of the engagement. It permits comparison of the actual time spent on a procedure with its allotted time.
Answer (D) is incorrect. A time budget is not intended to limit the scope of the engagement.

[382] Gleim #: 5.4.36
One of the primary roles of an engagement work program is to
A. Serve as a tool for planning and conducting engagement work.
B. Document an internal auditor’s evaluations of controls.
C. Provide for a standardized approach to the engagement.
D. Assess the risks associated with the activity under review.

Answer (A) is correct. Among other things, work programs state the objectives of the engagement, identify technical requirements, and state the nature and extent of testing required (PA 2200-1, para. 1).
Answer (B) is incorrect. Engagement working papers include results of control evaluations.
Answer (C) is incorrect. The work program may not be consistent from year to year given the changing conditions to which the engagement client must adapt. Since the work program must reflect the current year’s situation, standardization may not be appropriate.
Answer (D) is incorrect. The risk assessment in the planning phase helps to identify objectives, a step that must be taken before the work program can be developed.

[383] Gleim #: 5.4.37
Engagement work programs testing controls ordinarily must
A. Be specifically designed for each operation evaluated.
B. Be generalized to fit all situations without regard to departmental lines.
C. Be generalized so as to be usable at all locations of a particular department.
D. Reduce costly duplication of effort by ensuring that every aspect of an operation is examined.

Answer (A) is correct. A work program must be adapted to the specific needs of the engagement after the internal auditor establishes the engagement objectives and scope and determines the resources required. A pro forma (standard) work program is not appropriate for a complex or changing environment. Its stated objectives and procedures may no longer be relevant.
Answer (B) is incorrect. A work program must allow for variations resulting from changing circumstances and varied conditions.
Answer (C) is incorrect.
A generalized program cannot consider variations in circumstances and conditions.
Answer (D) is incorrect. Every aspect of an operation need not be examined. Only those likely to conceal problems and difficulties must be considered.

[384] Gleim #: 5.4.38
An internal auditor has just completed a survey to become familiar with the organization’s payroll operations as part of an unplanned engagement. Which of the following most likely is performed next?
A. Assign internal audit personnel.
B. Establish initial engagement objectives.
C. Write the engagement work program.
D. Conduct field work.

Answer (A) is incorrect. Internal audit personnel are usually assigned before the survey.
Answer (B) is incorrect. Initial objectives for an unplanned engagement address the issues that prompted the engagement. Accordingly, objectives are specified before the survey.
Answer (C) is correct. The survey allows the internal auditor to become familiar with the engagement client and therefore provides input to the work program.
Answer (D) is incorrect. Field work can be performed only after the work program has been written and approved. Thus, field work cannot immediately follow the survey.

[385] Gleim #: 5.4.39
Writing an engagement work program most likely occurs at which stage of the engagement?
A. During the planning stage.
B. Subsequent to evaluating risk management and control systems.
C. As the engagement is performed.
D. At the end of each engagement when the standard work program should be revised for the next engagement to ensure coverage of noted problem areas.

Answer (A) is correct. The engagement work program is the culmination of the planning stage.
Answer (B) is incorrect. The work program states the procedures to be followed during the engagement (The IIA Glossary). It normally is the culmination of the planning stage.
Answer (C) is incorrect. The work program normally is written during the planning stage, not as the engagement is performed. However, the work program may be modified during the engagement.
Answer (D) is incorrect. Although revising the work program at the end of one engagement for the next engagement is allowed, it should still be written during the planning phase.

[386] Gleim #: 5.4.40
A work program for a comprehensive assurance engagement to evaluate a purchasing function should include
A. Procedures arranged by relative priority based upon perceived risk.
B. A statement of the engagement objectives for the operation under review with agreement by the engagement client.
C. Procedures to accomplish engagement objectives.
D. A focus on risks affecting the financial statements as opposed to controls.

Answer (A) is incorrect. Engagement procedures normally are arranged in an order that will most efficiently complete the work program.
Answer (B) is incorrect. Engagement objectives are stated, but they do not need to be agreed to by the engagement client.
Answer (C) is correct. Work programs are a necessary part of engagement planning. They include the procedures for collecting, analyzing, interpreting, and documenting information during the engagement (PA 2240-1, para. 2).
Answer (D) is incorrect. The engagement should not be narrowly focused on the reliability and integrity of financial information.

[387] Gleim #: 5.4.41
Which of the following is not ordinarily considered an essential criterion for developing engagement work programs?
A. Description of the objectives of the engagement client operation to be evaluated.
B. Specificity as to the controls to be tested.
C. Specificity as to procedures to be followed.
D. Specificity as to the methodology to be used for the engagement procedures.

Answer (A) is incorrect. Work programs are developed to achieve the engagement objectives.
Answer (B) is incorrect. The work program states the procedures to be followed during the engagement (The IIA Glossary). Hence, it normally is written in the planning stage. These include procedures for testing controls.
Answer (C) is incorrect. The work program must include the engagement procedures necessary to achieve engagement objectives.
Answer (D) is correct. Work programs are a necessary part of engagement planning. They consist of the specific work steps required for the engagement, but they must allow for some flexibility. Thus, they may be modified, provided that adjustments are approved promptly.

[388] Gleim #: 5.4.42
Which of the following is a step in an engagement work program?
A. The engagement will commence in 6 weeks and include tests of compliance with laws, regulations, and contracts.
B. A determination is made concerning whether the manufacturing operations are effective and efficient.
C. Internal auditors may not reveal engagement observations to nonsupervisory, operational personnel during the course of this engagement.
D. The methods used to identify defective units produced are observed.

Answer (A) is incorrect. A partial statement of the scope and the proposed starting time are not engagement procedures.
Answer (B) is incorrect. Determination of whether operations are effective and efficient is an engagement objective.
Answer (C) is incorrect. A prohibition on revealing observations is a rule for the conduct of the internal auditors.
Answer (D) is correct. An engagement work program is a document that lists the procedures to be followed during an engagement. These procedures are designed to achieve the engagement objectives.
Thus, observing the engagement client’s execution of methods for identifying defects is an action performed to achieve the engagement objectives and should be included in the work program.

[389] Gleim #: 5.4.43
The internal audit activity is planning a 3-year effort to perform engagements at all branches of a large international car rental agency. Management is especially concerned with standardized operation of the accounting, car rental, and inventory functions. What type of work program is most appropriate for this project?
A. A pro forma program developed and tested by the internal audit activity.
B. Individual programs developed by the internal auditor-in-charge after a preliminary survey of each branch.
C. A checklist of branch standard operating procedures.
D. An industry-developed engagement guide.

Answer (A) is correct. A pro forma work program is designed to be used for repeated engagements related to similar operations. It is ordinarily modified over a period of years in response to problems encountered in the field. This type of program assures at least minimum coverage, provides comparability, and saves resources when operations at different locations have similar activities, risks, and controls.
Answer (B) is incorrect. Use of work programs specifically designed for each branch may conflict with management’s desire for standardization.
Answer (C) is incorrect. A checklist of branch standard operating procedures is only one input into the development of a work program.
Answer (D) is incorrect. An industry guide might not meet the specific needs of the organization.

[390] Gleim #: 5.4.44
A standard engagement work program is not appropriate for which situation?
A. A stable operating environment undergoing only minimal changes.
B. A complex or changing operating environment.
C. Multiple locations with similar operations.
D. Subsequent engagements to provide assurance about inventory performed at same location.

Answer (A) is incorrect. A standard work program is appropriate for use in a minimally changing operating environment. It may save effort and provide continuity.
Answer (B) is correct. A standard work program is not appropriate for a complex or changing operating environment. The engagement objectives and related procedures may no longer be relevant.
Answer (C) is incorrect. A standard work program can be used for engagements at multiple locations with similar operations if the same activities, risks, and controls are present.
Answer (D) is incorrect. A standard work program is acceptable for conducting subsequent inventory engagements at the same location if the inventory functions performed have not varied substantially.

[391] Gleim #: 5.4.45
What action should an internal auditor take upon discovering that an area was omitted from the engagement work program?
A. Document the problem in the engagement working papers and take no further action until instructed to do so.
B. Perform the additional work needed without regard to the added time required to complete the engagement.
C. Continue the engagement as planned and include the unforeseen problem in a subsequent engagement.
D. Evaluate whether completion of the engagement as planned will be adequate.

Answer (A) is incorrect. The internal auditor must determine whether changes in the work program are needed.
Answer (B) is incorrect. Changes in the engagement budgets must be authorized by appropriate persons.
Answer (C) is incorrect. An engagement in the unforeseen area may be necessary to achieve current engagement objectives.
Answer (D) is correct.
Work programs are necessarily tentative because the internal auditors are likely to encounter unexpected situations while carrying out the detailed work. If they learn that an area is not covered, they must determine whether they can achieve the engagement objectives and satisfy their professional responsibilities without modification of the work program. Modification will necessitate consultation with supervisors to obtain authorization to adjust time and financial budgets.

[392] Gleim #: 5.4.46
Field work is a systematic process of objectively gathering information about an entity’s operations, evaluating it, and determining whether those operations meet acceptable standards. Which of the following is not part of the work performed during field work?
A. Expanding or altering engagement procedures if circumstances warrant.
B. Applying the engagement work program to accomplish engagement objectives.
C. Creating working papers that document the engagement.
D. Developing a written engagement work program.

Answer (A) is incorrect. Engagement procedures, including the testing and sampling techniques employed, should be selected in advance, if practicable, and expanded or altered if necessary. Thus, work programs may be modified during the field work, that is, during the course of the engagement.
Answer (B) is incorrect. Field work involves carrying out the work program to identify, analyze, evaluate, and record sufficient information to achieve the engagement objectives.
Answer (C) is incorrect. Working papers are prepared during field work to record the information obtained and the analyses made and to support the bases for the observations, conclusions, and recommendations to be reported (PA 2330-1).
Answer (D) is correct. The engagement work program is the culmination of the planning process.

[393] Gleim #: 5.4.47
The action taken by an internal auditor who discovers a significant area not included in the engagement work program should be to
A. Evaluate whether completion of the engagement as planned will be adequate.
B. Perform the additional work deemed necessary without regard to the additional time needed to complete the engagement.
C. Continue the engagement as planned and include the unforeseen area in a subsequent engagement.
D. Document the observation in the working papers and take no further action until instructed to do so.

Answer (A) is correct. A work program documents engagement procedures selected in advance but should be modified, as appropriate, during the course of the engagement (PA 2200-1). The work program must be approved prior to its implementation, and any adjustments approved promptly (Impl. Std. 2240.A1). Work programs are necessarily tentative because the internal auditors are likely to encounter unexpected situations while performing detailed procedures. If they learn that a significant area is not covered, the internal auditors must determine whether they can achieve the engagement objectives and satisfy their professional responsibilities without modification of the work program. Modification will necessitate consultation with superiors to obtain authorization to adjust time and financial budgets.
Answer (B) is incorrect. Changes in the engagement budgets should be authorized by appropriate persons.
Answer (C) is incorrect. Review of the unforeseen area may be necessary to achieve current engagement objectives.
Answer (D) is incorrect. The internal auditor must determine whether changes in the work program are needed.

[394] Gleim #: 5.4.48
The engagement work program should be approved
A. No later than the conclusion of engagement work.
B. By the engagement client or designee.
C. Orally in some circumstances.
D. In writing by the board.

Answer (A) is incorrect.
Approval should be prior to the commencement of work. Answer (B) is incorrect. The engagement work program should be approved by the CAE or designee. Answer (C) is correct. An engagement work program must be approved prior to its implementation. Adjustments must be approved promptly. Initial approval may be obtained orally if circumstances preclude obtaining written approval prior to commencing engagement work. Answer (D) is incorrect. The board is not involved in the operational details of the internal audit activity. [395] Gleim #: 5.4.49 A docket is to a judge as what is to an auditor performing an engagement? A. B. C. D. Audit documentation. Audit report. Work program. Charter. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 216 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) Answer (A) is incorrect. Internal auditors use working papers to document relevant information to support the conclusions and engagement results. Although specific types of working papers (i.e., work programs) track audit progress as a docket tracks the workload of a judge, working papers in general cover a broad range of purposes. Answer (B) is incorrect. The audit report includes the auditor’s findings and recommendations. A court docket tracks the workload. It does not record outcomes and the basis for them. Answer (C) is correct. Internal auditors must develop and document work programs that achieve the engagement objectives (Perf. Std. 2240). Work programs establish the procedures for collecting, analyzing, interpreting, and documenting information during the engagement. During the engagement, each procedure is signed off to indicate that the work has been completed. Like a court docket, a work program is used to keep track of the events/workload (i.e., audit procedures/court cases) to be accomplished. Answer (D) is incorrect. The charter defines the internal audit activity’s purpose, authority, and responsibility. 
The charter does not track the audit workload in the same way as a docket tracks the workload of the court. [396] Gleim #: 5.4.50 An internal auditing supervisor reviewed the system of controls and the organizational objective of the purchasing department. What facet of engagement planning was the supervisor developing? A. B. C. D. Internal auditing policy manual. Engagement work schedule. Engagement work program. Internal auditing budget. Answer (A) is incorrect. An internal auditing policy manual provides guidelines for all operations of the internal audit activity. Answer (B) is incorrect. An engagement work schedule describes what activities are to be performed, when they will be performed, and the estimated time required. Answer (C) is correct. Internal auditors must develop and document work programs that achieve the engagement objectives (Perf. Std. 2240). The work program states the objectives of the engagement; identifies technical requirements, objectives, risks, processes, and transactions that are to be examined; states the nature and extent of testing required; documents the internal auditor’s procedures for collecting, analyzing, interpreting, and documenting information during the engagement; and is modified, as appropriate, during the engagement with the approval of the chief audit executive (CAE) or his/her designee (PA 2200-1, para. 1). Before work programs are developed, the internal auditor should review background information (e.g., organizational objectives and goals) and, if appropriate, conduct a survey. The survey involves becoming familiar with activities, risks, and controls to identify areas for engagement emphasis and inviting comments and suggestions from engagement clients (PA 2210.A1-1, para. 3). Answer (D) is incorrect. An internal auditing budget embraces all activities for a specified period, not details of work on a given engagement. Copyright 2013 Gleim Publications Inc. 
Printed for Sanja Knezevic Page 217 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [397] Gleim #: 5.4.51 Which of the following is least likely to be included in the engagement work schedule of the internal audit activity? A. B. C. D. To be consistent with its charter. To be capable of being accomplished. To include a list of activities to be performed. To include the basics of the engagement work program. Answer (A) is incorrect. Consistency with the charter is necessary. Answer (B) is incorrect. Goals should be capable of being accomplished. Answer (C) is incorrect. An engagement work schedule includes the activities to be performed. Answer (D) is correct. The engagement work program documents the engagement procedures selected in advance of performing the engagement. It is normally prepared after background information has been gathered and a survey has been conducted. Its contents would thus not be known at the time the work schedule is prepared. [398] Gleim #: 5.4.52 ci al In developing an engagement work program and communicating engagement results, the internal auditor should be alert for a condition that might reflect low materiality of an observation but high relative risk to the overall operation of the organization. Which of the following conditions would reflect such a situation? fb .c om /c ia ao ffi A. Many random clerical errors arise from the desire of employees to meet production quotas. B. No written quality-assurance procedure exists for a high-volume production line item with low unit cost that has a 15% scrap experience. C. The cashier is commingling personal funds with a US $1,000 imprest cash fund. D. Levels of approval authority for purchasing personnel are not set forth in the manual of purchasing procedures. Answer (A) is incorrect. The condition has low relative risk. Answer (B) is correct. 
Certain transactions (e.g., cash) are subject to a greater risk of fraud, and engagement procedures for them may need to be carried out in a more conclusive manner. Materiality is concerned with the qualitative or quantitative significance of an item. Thus, in planning the engagement, internal auditors consider, among other things, significant risks and opportunities for significant improvements (Perf. Std. 2201). A 15% scrap experience for a highvolume item with a low unit cost may not be material, but the absence of a quality assurance program suggests a high probability of errors or fraud (relative risk). Answer (C) is incorrect. The condition is qualitatively material owing to the possibility of fraud. Answer (D) is incorrect. The condition is qualitatively material owing to the apparent absence of proper authorization of transactions. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 218 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [399] Gleim #: 5.4.53 Of the following, the information collected by the internal auditor during an engagement is best described as A. The records of preliminary planning and surveys, the engagement work program, and the results of field work. B. The information documented by the internal auditor and obtained through observing conditions, interviewing people, and examining records. C. An intermediate fact, or group of facts, from which the internal auditor can infer the fairness of an assertion being reviewed. D. Detailed documentation for systems that do not achieve desired objectives, actions that were taken improperly, and actions that should have been taken but were not. Answer (A) is incorrect. The records of preliminary planning and surveys, the engagement work program, and the results of field work are the working papers. The records of preliminary planning, for example, do not constitute engagement information. Answer (B) is correct. 
The three activities that constitute information-gathering by an internal auditor are observing conditions, interviewing people, and examining records. Answer (C) is incorrect. An intermediate fact, or group of facts, from which the internal auditor can infer the fairness of an assertion being reviewed is a modified definition of circumstantial evidence. This definition excludes direct evidence. Answer (D) is incorrect. Information collected to achieve engagement objectives underlies positive, as well as negative, observations. [400] Gleim #: 5.4.54 Observation is considered a reliable engagement procedure, but one that is limited in usefulness. However, it is used in a number of different engagement situations. Which of the following statements is true regarding observation as an engagement technique? A. It is the most effective engagement methodology to use in filling out internal control questionnaires. B. It is the most persuasive methodology to learn how transactions are really processed during the period under review. C. It is rarely sufficient to satisfy any assertion other than existence. D. It is the most persuasive technique for determining if fraud has occurred. Answer (A) is incorrect. Interviews are the most effective method to fill out questionnaires. The interview results should be supplemented with observations. Answer (B) is incorrect. Observation provides information on how transactions are processed at one moment in time, not how they are processed throughout the period under engagement investigation. Answer (C) is correct. Observation is effective for verifying whether particular assets such as inventory or equipment exist at a given date. However, it is of limited use in addressing other assertions. Thus, it provides less persuasive information about the assertions of completeness, rights, valuation, and presentation and disclosure. For example, merely observing inventory does not determine whether the engagement client has rights in it. 
Answer (D) is incorrect. The internal auditor will very seldom be able to observe a fraud.

[401] Gleim #: 5.4.55
An internal auditor is observing cash sales to determine whether customers are given written receipts. The objective of this test is to ensure that

A. Cash received equals the total of the receipts.
B. Customers are charged authorized prices.
C. Cash balances are correct.
D. All cash sales are recorded.

Answer (A) is incorrect. Determining whether cash received equals the total of the receipts is accomplished by counting the cash received and comparing it with the total of the receipts.
Answer (B) is incorrect. Determining whether customers are charged authorized prices is accomplished by comparing the price charged with an approved price list.
Answer (C) is incorrect. The correctness of cash balances is ascertained by counting the cash and reconciling the expected total (beginning balance plus receipts).
Answer (D) is correct. The written receipt fixes responsibility for the cash. The employee who collected it and issued the receipt is accountable and therefore less likely to commit irregularities. Moreover, the customer’s expectation of a receipt increases the likelihood that transactions will be recorded.

[402] Gleim #: 5.4.56
Which of the following statements describes an internal control questionnaire?

A. It provides detailed information regarding the substance of the control system.
B. It takes less of the engagement client’s time to complete than other control evaluation devices.
C. It requires that the internal auditor be in attendance to properly administer it.
D. It provides indirect information that might need corroboration.

Answer (A) is incorrect. Questionnaires usually provide for yes/no responses and therefore provide less detailed information than some other procedures.
Answer (B) is incorrect. Questionnaires tend to be lengthy, and their completion is time-consuming.
Answer (C) is incorrect. An auditor need not be present.
Answer (D) is correct. An internal control questionnaire consists of a series of questions about the controls designed to prevent or detect errors or fraud. Answers to the questions help the internal auditor to identify specific policies and procedures relevant to specific assertions. They also help in the design of tests of controls to evaluate their effectiveness. The questionnaire provides a means for ensuring that specific concerns are not overlooked, but it is not a sufficient means of understanding the entire system. Thus, the evidence obtained is indirect and requires corroboration by means of observation, interviews, flowcharting, examination of documents, etc.

[403] Gleim #: 5.4.57
Which of the following engagement objectives will be accomplished by tracing a sample of accounts receivable debit entries to customer invoices and related shipping documents?

A. Sales are properly recorded.
B. Sales are billed at the correct prices.
C. Accounts receivable represent valid sales.
D. Customer credit is approved.

Answer (A) is incorrect. The objective of determining whether sales are properly recorded is accomplished by tracing a sample of sales invoices to accounts receivable.
Answer (B) is incorrect. The objective of determining whether sales are billed at the correct prices is accomplished by tracing invoice prices to the organization’s approved price list.
Answer (C) is correct. The process described is vouching. It begins with amounts recorded in the ledger and tracks backwards to the source documents. The purpose is to detect fictitious sales and ensure that each claimed sale is properly supported.
Answer (D) is incorrect. The objective of determining whether customer credit is approved is accomplished by examining sales documents for proper approvals by credit personnel.

[404] Gleim #: 5.4.58
Confirmations are a highly regarded form of information. Confirmation is most effective in addressing the existence assertion for the

A. Addition of a milling machine to a machine shop.
B. Sale of merchandise during regular course of business.
C. Inventory held on consignment.
D. Granting of a patent for a special process developed by the organization.

Answer (A) is incorrect. Observation and documentation are the most common forms of information for asset additions.
Answer (B) is incorrect. Account balances but not individual sales transactions are normally confirmed.
Answer (C) is correct. When inventories are held by an outside custodian, such as a consignee, the internal auditor ordinarily obtains direct confirmation in writing from the custodian. Confirmation of consigned goods is most likely to be effective for the existence and rights-and-obligations assertions.
Answer (D) is incorrect. An examination of the patent document is the best information.

[405] Gleim #: 5.4.59
Which of the following documents provides the most persuasive information concerning the existence and valuation of a receivable?

A. A credit approval document supported by the customer’s audited financial statements.
B. A copy of a sales invoice to the customer in the engagement client’s records.
C. A positive confirmation received directly from the customer.
D. A customer’s purchase order in the engagement client’s records related to the credit sale.

Answer (A) is incorrect. A credit approval document is documentary information in the hands of the engagement client and does not relate directly to the receivable.
Answer (B) is incorrect. A copy of a sales invoice to the customer in the engagement client’s records is not original and is controlled by the engagement client.
Answer (C) is correct. A positive confirmation by the debtor is the most reliable information other than payment that the receivable is a valid asset and that it is properly valued. This information is especially reliable because the customer has no incentive to confirm a nonexisting obligation and because the documentation has not been under the engagement client’s control.
Answer (D) is incorrect. Although purchase orders are originated by third parties, the engagement client has an opportunity to alter them.

[406] Gleim #: 5.4.60
A bank internal auditor wanted to verify the accuracy of the general ledger balance of a depository account. One engagement procedure used in this process was to mail positive confirmations to statistically sampled depositors. However, the number of replies received was not adequate to form a valid conclusion about the account’s accuracy. What action should the internal auditor take to accomplish this objective?

A. Assume that the nonreplies represent tacit agreements by the depositor, document the results, and perform no further work on this engagement procedure.
B. Expand the original confirmation sample to include additional depositors.
C. Verify accuracy of the depositors’ addresses. Remail confirmation requests a second time with a notation indicating that it is a second request.
D. Mail negative confirmation requests to all non-replies and document results of testing. If necessary, telephone depositors to inquire about any disagreement with balances confirmed.

Answer (A) is incorrect. The form of the request specifically asks for a reply. Thus, nonreplies provide no assurance, and alternative procedures are necessary.
Answer (B) is incorrect. Expanding the sample will result in more responses but will not address the issue of the nonreplies, which are likely to occur at approximately the same rate in the larger sample.
Answer (C) is correct. Positive confirmations are used when the amounts being confirmed are material. The recipient is asked to sign and return the letter with a positive assertion that the amount is either correct or incorrect. Because the amounts involved are material, unanswered positive confirmations must be followed up. They are thus more time-consuming than negative confirmations.
Answer (D) is incorrect. Negative confirmations require no reply. Hence, they serve no purpose with respect to depositors not responding to the original confirmation requests.

[407] Gleim #: 5.4.61
An internal auditor traces copies of sales invoices to shipping documents to determine that

A. Customer shipments were billed.
B. Sales that are billed were also shipped.
C. Shipments to customers were also recorded as receivables.
D. The subsidiary accounts receivable ledger was updated.

Answer (A) is incorrect. The tracing procedure originated with a sample of billed sales; thus, all the items in the sample were billed. However, this procedure does not determine whether shipped items were billed.
Answer (B) is correct. The process described is tracing. It begins with a triggering event and determines whether the result was proper. If the invoices in the sample can be correctly matched with shipping documents, some assurance is given that items billed to customers are actually shipped.
Answer (C) is incorrect. Receivables are not examined in this procedure.
Answer (D) is incorrect. Receivables are not examined.

[408] Gleim #: 5.4.62
To test whether debits to accounts receivable represent valid transactions, the internal auditor should trace entries from the

A. Sales journal to the accounts receivable ledger.
B. Accounts receivable ledger to the cash receipts journal.
C. Accounts receivable ledger to sales documentation.
D. Cash receipts documentation to the accounts receivable ledger.

Answer (A) is incorrect. Tracing entries from the sales journal to the accounts receivable ledger tests whether credit sales were properly recorded in the accounts receivable ledger. It would not ensure that debit entries to accounts receivable represent valid sales.
Answer (B) is incorrect. The internal auditor traces accounts receivable credit entries to the cash receipts journal to test whether those entries represent actual customer payments.
Answer (C) is correct. The auditor wants to verify that recorded amounts are properly supported by originating events. This is accomplished through vouching. Only the two choices that involve tracking ledger entries back to a journal or source document describe a vouching procedure. A debit to accounts receivable is properly supported by a credit sale to a customer.
Answer (D) is incorrect. Tracing entries from the cash receipts documentation to the accounts receivable ledger tests whether customer payments were credited to accounts receivable.

[409] Gleim #: 5.4.63
Vouching entails verifying recorded amounts by examining the underlying documents from the _____ documents to the _____ documents.

A. Final; original.
B. Final; previous.
C. Original; final.
D. Original; subsequent.

Answer (A) is correct. Vouching entails verifying recorded amounts by examining the underlying documents from the final documents to the original documents. The engagement objective of working backward is to provide information that recorded amounts reflect valid transactions. Vouching supports the existence or occurrence assertion. Vouching is irrelevant to the completeness assertion, because the existence of records of some transactions does not prove that all transactions were recorded.
Answer (B) is incorrect. Vouching entails the examination of final documents to original documents.
Answer (C) is incorrect. Vouching is designed to support the engagement objective of working backward to provide information that recorded amounts reflect valid transactions.
Answer (D) is incorrect. It implies the comparison of the original to the next copy. Vouching entails examination from the final document to the original.

[410] Gleim #: 5.4.64
To determine whether refunds granted to customers were properly approved, an internal auditor should vouch accounts receivable entries to

A. Sales invoices.
B. Remittance advices.
C. Shipping documents.
D. Credit memos.

Answer (A) is incorrect. The internal auditor vouches accounts receivable debit entries to sales invoices to determine whether the debits represent valid sales.
Answer (B) is incorrect. Vouching accounts receivable credit entries to remittance advices determines whether the credits represent actual collections from customers.
Answer (C) is incorrect. Vouching accounts receivable entries to shipping documents determines whether merchandise was shipped to the customer.
Answer (D) is correct. The auditor wants to verify that customer refunds are properly supported by triggering events, i.e., vouching. The proper triggering event for a refund is an approved credit memo.

[411] Gleim #: 5.4.65
One of the audit objectives for a manufacturing company is to verify that all rework is reviewed by the production engineer. Which of the following audit procedures would provide the best evidence for meeting this objective?

A. Trace a sample of entries in the rework log to remedial action taken.
B. Trace a sample of rework orders to entries in the rework log.
C. Trace a sample of entries in the review log to rework orders.
D. Trace a sample of rework orders to entries in the review log.

Answer (A) is incorrect. This procedure only considers the rework jobs that require remedial action. Not all rework orders reviewed by the engineer will require remedial action.
Answer (B) is incorrect. This test is useful for verifying that all rework is recorded in the rework log. However, it provides no evidence that the work was reviewed.
Answer (C) is incorrect. The direction of testing is wrong. It will not detect unreviewed work orders.
Answer (D) is correct. The process described is tracing. It begins with a triggering event and determines whether the result was proper. To determine whether all rework was reviewed, the auditor’s direction of testing should be from the population of all the rework that was performed (rework order forms) to the evidence of review (review log).

[412] Gleim #: 5.4.66
An internal auditor traces individual time tickets to the payroll cost distribution and also traces totals from the payroll cost distribution to the various work-in-process accounts. If no exceptions are found, this procedure constitutes information indicating that

A. The work-in-process accounts have not been padded by the inclusion of unsupported payroll costs.
B. Individual time tickets have been properly authorized.
C. Payroll costs have been accurately distributed to work-in-process accounts.
D. Employees have been paid only for time actually worked.

Answer (A) is incorrect. The direction of testing to establish that the work-in-process accounts have not been padded is to the individual time tickets.
Answer (B) is incorrect. The payroll cost distribution is not relevant to the proper authorization of the time tickets.
Answer (C) is correct. The process described begins with a triggering event and determines whether the proper results took place, i.e., tracing. If no exceptions are found, the auditor can conclude that payroll costs (the source data) have been properly distributed to the destination ledger.
Answer (D) is incorrect. To establish that employees have been paid only for time actually worked, the internal auditor would also have to reconcile total payroll costs to the payroll cost distribution.

[413] Gleim #: 5.4.67
Shipping documents should be traced to and compared with sales records or invoices to

A. Determine whether payments are properly applied to customer accounts.
B. Assure that shipments are billed to customers.
C. Determine whether unit prices billed are in accordance with sales contracts.
D. Ascertain whether all sales are supported by shipping documents.

Answer (A) is incorrect. Shipping documents and sales records or invoices would not include payment information.
Answer (B) is correct. The process described begins with a result (evidence of goods shipped) and tracks backwards to the triggering event (sale to a customer), i.e., vouching. The auditor is seeking assurance that the amounts billed to the customer agree with the agreed terms of the sale.
Answer (C) is incorrect. Determining whether unit prices billed are in accordance with sales contracts is done by comparing invoices with sales contracts or price lists, noting the propriety of any discounts.
Answer (D) is incorrect. All sales might not require shipping.
[414] Gleim #: 5.4.68 An internal auditor has set an engagement objective of ascertaining the reasonableness of the increases in rental revenue resulting from operating costs passed on to the lessee by the landlord. The internal auditor has already inspected the lease contract to determine that such costs are allowed. Which of the following engagement procedures will best meet this objective? A. B. C. D. Inspection of documents. Observation. Inquiry. Analytical review. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 226 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) Answer (A) is incorrect. The internal auditor has already inspected the documents. Answer (B) is incorrect. Analytical review is required to ascertain the reasonableness of the increases. Answer (C) is incorrect. Analytical review is required to ascertain the reasonableness of the increases. Answer (D) is correct. Computation of the rates of increase in operating costs passed through to the lessee from period to period in relation to inflation rates provides an initial view of the reasonableness of the increases. [415] Gleim #: 5.4.69 An internal auditor has set an engagement objective of identifying the existence of personality conflicts that are detrimental to productivity. Which of the following engagement techniques will best meet this objective? A. B. C. D. Inspection of documents. Observation. Inquiry. Analytical review. Answer (A) is incorrect. Inquiry is the best technique to identify the existence of personality conflicts. Answer (B) is incorrect. Inquiry is the best technique to identify the existence of personality conflicts. Answer (C) is correct. By interviewing selected individuals about the causes of inefficiencies, the internal auditor can expect to obtain input as to the existence and seriousness of personality conflicts that inhibit efficient and effective work. Answer (D) is incorrect. 
Inquiry is the best technique to identify the existence of personality conflicts. [416] Gleim #: 5.4.70 An internal auditor has set an engagement objective of ascertaining compliance with a city ordinance forbidding city purchasing from vendors affiliated with elected city officials. Which of the following engagement techniques will best meet this objective? A. B. C. D. Inspection of documents. Observation. Inquiry. Analytical review. Answer (A) is correct. The purchase order should be inspected for information about supervisory review to ensure that vendors used are from approved vendor lists. Answer (B) is incorrect. Inspection of documents is the best technique for checking compliance. Answer (C) is incorrect. Inspection of documents is the best technique for checking compliance. Answer (D) is incorrect. Inspection of documents is the best technique for checking compliance. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 227 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [417] Gleim #: 5.4.71 An internal auditor has set an engagement objective of determining whether the planned rate of return on investment in international operations has been achieved. Which of the following engagement procedures will best meet this objective? A. B. C. D. Inspection of documents. Observation. Inquiry. Analytical review. Answer (A) is incorrect. Analytical review is the best technique to determine whether the planned rate of return has been achieved. Answer (B) is incorrect. Analytical review is the best technique to determine whether the planned rate of return has been achieved. Answer (C) is incorrect. Analytical review is the best technique to determine whether the planned rate of return has been achieved. Answer (D) is correct. 
By comparing the rate of return achieved with the budget for international operations for the last several time periods, the internal auditor can determine the variances from budget and determine the adequacy of the return on the investment. [418] Gleim #: 5.4.72 ia /c om .c Inspection of documents. Observation. Inquiry. Analytical review. fb A. B. C. D. ao ffi ci al An internal auditor has set an engagement objective of determining whether mail room staff is fully used. Which of the following engagement techniques will best meet this objective? Answer (A) is incorrect. Observation is the best technique to determine if the staff is fully used. Answer (B) is correct. By observing mail room operations at various times on various days of the week, the internal auditor can note whether incoming or outgoing mail backlogs exist and whether mail room staff are busy on mail room activities, idle, or working on other projects. Answer (C) is incorrect. Observation is the best technique to determine if the staff is fully used. Answer (D) is incorrect. Observation is the best technique to determine if the staff is fully used. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 228 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [419] Gleim #: 5.4.73 An organization manufacturing special-order products is experiencing excessive rates of rejection of finished products. An engagement procedure to identify the source of the problem is A. Evaluating communications from the sales department to the production department. B. Evaluating communications from the production department to the sales department. C. Analyzing customer demand for the product. D. Testing whether supply of the product is sufficient to meet customer demand. Answer (A) is correct. The specially ordered goods may be made to customers’ specifications, which must be communicated clearly by the sales department to the production department. 
Moreover, the sales department must provide timely information about any other customer complaints, such as excessive defects, so that production management can take prompt corrective action.
Answer (B) is incorrect. Sales personnel are in contact with customers and are in a position to give feedback to production management, not vice versa.
Answer (C) is incorrect. The issue is production quality, not sales forecasts or production volume.
Answer (D) is incorrect. The issue is production quality, not sales forecasts or production volume.

[420] Gleim #: 5.4.74
An internal auditor observes that controls over the perpetual inventory system are weak. An appropriate engagement response is to
A. Increase the testing of the inventory controls.
B. Perform turnover ratio tests.
C. Recommend that a physical inventory count be scheduled.
D. Apply gross profit analyses by product lines and compare the results with prior-years’ information for reasonableness.
Answer (A) is incorrect. If the internal auditor’s assessed control risk is unreasonably high, testing controls may be inefficient.
Answer (B) is incorrect. Turnover ratio tests will not provide sufficient information.
Answer (C) is correct. Observation of a physical inventory is ordinarily the most effective engagement procedure. The internal auditor’s direct personal knowledge obtained through observation is more persuasive than information obtained indirectly.
Answer (D) is incorrect. Applying gross profit analyses by product lines and comparing the results with prior-years’ information for reasonableness will not provide sufficient information.

[421] Gleim #: 5.4.75
Which technique is most appropriate for testing the quality of the preliminary survey of payment vouchers described in an internal control questionnaire?
A. Analysis.
B. Evaluation.
C. Verification.
D. Observation.
Answer (A) is incorrect. Analysis involves examining the interrelationships among data.
Answer (B) is incorrect. Evaluation involves an estimation of worth and the reaching of conclusions. It would not be appropriate for the yes and no responses of an internal control questionnaire.
Answer (C) is correct. Verification is a broad term for the process of determining the validity of provided information.
Answer (D) is incorrect. Observation is a means of identifying physical information.

[422] Gleim #: 5.4.76
An internal auditor of an organization in the process of acquiring another organization has been requested to verify that cash for the organization being acquired is properly stated. The engagement technique that will yield the most persuasive piece of information is
A. Examining the organization’s escheatment account.
B. Interviewing the organization’s treasurer and cash manager.
C. Obtaining standard bank confirmations.
D. Comparing current cash in the bank with previous accounting periods through analytical computations.
Answer (A) is incorrect. Analytical information derived from organizational records is less compelling than information from an external source. An escheatment account records amounts, such as unclaimed wages, that must be paid to the government after the lapse of a period specified by law.
Answer (B) is incorrect. Testimonial information obtained from organizational officials is not as strong as external information.
Answer (C) is correct. Standard bank confirmation requests confirm deposit and loan balances. They result in highly competent information because responses are prepared independently of organizational records. Moreover, they also may detect restrictions on cash.
Answer (D) is incorrect. Analytical computations are less likely to identify a major misstatement of cash than a bank confirmation.

[423] Gleim #: 5.4.77
To identify the amount of obsolete inventory that may exist in an organization, an internal auditor probably should collect information using all of the following procedures except
A. Confirmation.
B. Scanning.
C. Recomputation.
D. Analytical review.
Answer (A) is correct. Confirmation is used to verify the physical existence of an item. Obsolescence is a question of value, not physical existence.
Answer (B) is incorrect. Scanning is an excellent means of noting unusual relationships such as very old items with no activity.
Answer (C) is incorrect. Recomputation of the value of identified obsolete items is necessary to establish current inventory carrying value.
Answer (D) is incorrect. Analytical review offers a means to identify products substantially likely to be obsolete.

[424] Gleim #: 5.4.78
Which of the substantive field work procedures presented below provides the best information about completeness of recorded revenues?
A. Reconciling the sales journal to the general ledger control account.
B. Vouching charges made to the accounts receivable subsidiary ledger to supporting shipping records.
C. Vouching shipping records to the customer order file.
D. Reconciling shipping records to recorded sales.
Answer (A) is incorrect. Reconciling the sales journal to the general ledger control account would fail to detect unrecorded sales, which would result in no entries to the sales journal or accounts receivable.
Answer (B) is incorrect. Vouching charges made to the accounts receivable subsidiary ledger to supporting shipping records would fail to detect unrecorded sales, which would result in no entries to the sales journal or accounts receivable.
Answer (C) is incorrect. Vouching shipping records to the customer order file merely establishes that goods shipped were ordered, not that they were recorded as sales.
Answer (D) is correct.
The completeness assertion concerns whether all transactions that should be presented are included. To test this assertion with regard to revenues from sales of goods shipped, the internal auditor might trace shipping documents to sales data to determine whether items shipped have been recorded as revenues.

[425] Gleim #: 5.4.79
One engagement procedure for an engagement to evaluate facilities and equipment is to test the accuracy of recorded depreciation. Which of the following is the best source of information that the equipment in question is in service?
A. A review of depreciation policies and procedures.
B. A comparison of depreciation schedules with a listing of insurance appraisals for the same equipment.
C. A comparison of depreciation schedules with the maintenance and repair logs for the same equipment.
D. A review of inventory documentation for the equipment.
Answer (A) is incorrect. A review of policies and procedures provides no information about the existence assertion for specific assets.
Answer (B) is incorrect. A comparison with current insurance records would be inconclusive. Retired equipment could still be insured.
Answer (C) is correct. The maintenance and repair records provide information that equipment exists and is in use. Equipment in service is more likely to require maintenance than retired equipment. However, the best information is the internal auditor’s direct observation.
Answer (D) is incorrect. Retired equipment could still be in the inventory.

[426] Gleim #: 5.4.80
Management believes that some specific sales commissions for the year were too large. The accuracy of the recorded commission expense for specific salespersons is best determined by
A. Computation of selected sales commissions.
B. Calculating commission ratios.
C. Use of analytical procedures.
D. Tests of overall reasonableness.
Answer (A) is correct. Sales commission is based on the application of a ratio to the amount of the sale. The best information about the accuracy of sales commission expense for specific individuals is to recompute the amounts derived from a sample of transactions (i.e., reperformance). These tests should be done at the same time as procedures testing accrued liabilities.
Answer (B) is incorrect. Calculating commission ratios uses gross sales data and does not provide information about specific charges.
Answer (C) is incorrect. Use of analytical procedures is a test of overall reasonableness, not specific transactions.
Answer (D) is incorrect. Tests of overall reasonableness cannot determine whether a specific salesperson’s commissions are overstated.

[427] Gleim #: 5.4.81
A large manufacturer has a transportation division that supplies gasoline for the organization’s vehicles. Gasoline is dispensed by an attendant who records the amount issued on a serially prenumbered gasoline disbursement form, which is then given to the accounting department for proper recording. When the quantity of gasoline falls to a certain level, the service station attendant prepares a purchase requisition and sends it to the purchasing department where a purchase order is prepared and recorded in a gasoline purchases journal. Which of the following engagement procedures best determines whether gasoline disbursements are fully recorded?
A. Compare the gasoline purchase requisitions with the gasoline disbursement records.
B. Select a number of gasoline purchases from the gasoline purchases journal and compare them with their corresponding purchase orders. Ascertain that the purchases are serially prenumbered, are matched with purchase requisitions, and are authorized by someone independent of employees of the service station.
C. Perform analytical procedures comparing this period’s gasoline consumption with prior periods.
D. Match the quantity of gasoline disbursed according to disbursement forms with an independent reading of quantity disbursed at the pump.
Answer (A) is incorrect. Matching the gasoline purchase requisitions with the gasoline disbursement records is not a meaningful procedure. Temperature-related expansion and contraction can cause significant differences between purchases and disbursements.
Answer (B) is incorrect. Matching entries from the gasoline purchases journal with the corresponding purchase orders ascertains that purchases are supported by proper source documents but does not ensure the completeness of the disbursement records.
Answer (C) is incorrect. Performing analytical procedures does not provide any information regarding proper controls over gasoline purchases.
Answer (D) is correct. Physical information is best obtained through direct observation or inspection by the internal auditor. Because the gasoline disbursement forms are prenumbered, the internal auditor is able to match them with the independent reading of quantity disbursed at the pump to test the completeness of disbursement records.

[428] Gleim #: 5.4.82
Cash receipts should be deposited on the day of receipt or the following business day. Select the most appropriate engagement procedure to determine that cash is promptly deposited.
A. Review cash register tapes prepared for each sale.
B. Review the functions of cash handling and maintaining accounting records for proper segregation of duties.
C. Compare the daily cash receipts totals with the bank deposits.
D. Review the functions of cash receiving and disbursing for proper segregation of duties.
Answer (A) is incorrect. Cash register tapes will not ensure that cash is deposited.
Answer (B) is incorrect. Segregating functions will not ensure that cash is deposited.
Answer (C) is correct. A standard control over the cash receipts function is to require that daily cash receipts be deposited promptly and intact. Hence, the total of cash receipts for a day should equal the bank deposit because no cash disbursements are made from the daily receipts. To determine whether cash receipts are promptly deposited, the internal auditor should compare the daily cash receipts totals with bank deposits.
Answer (D) is incorrect. Segregating receiving and disbursing functions will not ensure that cash is promptly deposited.

[429] Gleim #: 5.4.83
Which of the following engagement procedures will provide the least relevant information for determining that payroll payments were made to bona fide employees?
A. Reconcile time cards in use to employees on the job.
B. Examine canceled checks for proper endorsement and compare to personnel records.
C. Test for segregation of the authorization for payment from the hire/fire authorization.
D. Test the payroll account bank reconciliation by tracing outstanding checks to the payroll register.
Answer (A) is incorrect. Verification that an employee is actually working is a common procedure to test for nonexistent employees.
Answer (B) is incorrect. Examining for proper endorsements and comparing them with personnel records might detect improper payments.
Answer (C) is incorrect. The personnel department should authorize hiring and termination of employees and changes in wage rates but should have no authority over payment of wages.
Answer (D) is correct. A payroll account proof tests the completeness assertion. However, it has no bearing on the validity of the transactions.

[430] Gleim #: 5.4.84
Which of the tests provides the least significant information when testing for suspected fraudulent sales?
A. Tracing a sample of inventory removal slips from inventory through billing to the sales journal.
B. Performing analytical tests of sales by comparing sales and gross margins over time.
C. Performing analysis of write-offs and sales returns and comparing the amounts over the past several years.
D. Confirming sales transactions with customers and investigating nonresponses.
Answer (A) is correct. Tracing a sample of inventory removal slips is least likely to provide evidence of fraudulent sales because it applies to transactions that have apparently been properly authorized and documented.
Answer (B) is incorrect. Analytical tests may disclose an unusual relationship between sales and gross margins.
Answer (C) is incorrect. Write-offs could be used to cover false sales entries.
Answer (D) is incorrect. Confirmation of the transactions could lead to the discovery of fictitious sales.

[431] Gleim #: 5.4.85
Which of the following is the most appropriate engagement procedure to test the processing of interbank transfers?
A. Analyze a sample of interbank transfers throughout the period including period-end reconciliations.
B. Obtain cutoff bank statements for each bank account and reconcile them to accounting records.
C. Send bank confirmation requests to each bank in which accounts are maintained and reconcile the completed forms to accounting records.
D. Trace all bank deposits recorded in accounting records near the end of the fiscal period to supporting documentation and to bank statements.
Answer (A) is correct.
If the engagement objective is to test compliance with processing procedures, the appropriate procedure is to examine a sample of transfers and trace them to the accounting records, including the period-end bank reconciliation for each account.
Answer (B) is incorrect. Cutoff statements are intended to test whether reconciling items (outstanding checks, deposits in transit) have cleared within a reasonable time after year end and thus whether transactions were properly included in the period just ended.
Answer (C) is incorrect. Sending bank confirmations does not concern details of transactions.
Answer (D) is incorrect. The year-end cutoff has a different engagement objective from tests of inter-bank transfer procedures.

[432] Gleim #: 5.4.86
For review of an accounting department’s bank reconciliation unit, which of the following is an appropriate engagement work program step for the review of canceled checks for authorized signatures?
A. Comparing the check date with the first cancellation date.
B. Determining that all checks are to be signed by individuals authorized by the board.
C. Examining a representative sample of signed checks and determining that the signatures are authorized in the organizational signature book.
D. Completing the tests of controls over check signatures in 4 hours.
Answer (A) is incorrect. Comparing the check date with the first cancellation date has no bearing on reviewing for authorized signatures.
Answer (B) is incorrect. Determining that all checks are to be signed by individuals authorized by the board is a statement of engagement objectives.
Answer (C) is correct. Cash disbursements must be properly authorized. The issuance of checks is performed by the treasury function after review of supporting documents, including a payment voucher prepared by the accounts payable department.
Proper control procedures require that check-signing responsibility be limited to a few persons whose signatures are kept on file at the banks where the organization has accounts.
Answer (D) is incorrect. Completing the tests of controls over check signatures in 4 hours is a time budget goal, not a work program step.

[433] Gleim #: 5.4.87
To ascertain that all credit sales are recorded in accounts receivable, an internal auditor should
A. Confirm selected accounts receivable balances by direct correspondence with customers.
B. Trace from a sample of subsidiary ledger entries to related sales invoices and to related shipping documents.
C. Trace from a sample of customer purchase orders to related shipping documents.
D. Trace from a sample of shipping documents to related sales invoices and subsidiary ledger.
Answer (A) is incorrect. This procedure will not detect an unrecorded and unbilled receivable.
Answer (B) is incorrect. This procedure will not detect an unrecorded and unbilled receivable.
Answer (C) is incorrect. Comparing customer orders with shipping documents does not determine whether goods shipped were billed.
Answer (D) is correct. To determine that all credit sales are recorded, the proper direction of testing is from the shipping records, such as bills of lading, to the sales invoices and the accounts receivable subsidiary ledger. Tracing supports the completeness assertion.

[434] Gleim #: 5.4.88
During an engagement to evaluate travel expenses, the accounting supervisor tells the internal auditor that each expense report is reviewed and approved before costs are reimbursed to the traveler. Which of the following is the best course of action for the internal auditor to take?
A. Request the supervisor to put the statement in writing.
B. Review a sample of expense reports for proper approval.
C. Conserve engagement resources by accepting the statement and redirect work into another area.
D. Corroborate this information with the controller.
Answer (A) is incorrect. The internal auditor should verify that the procedure is actually followed.
Answer (B) is correct. The supervisor has described a control intended to prevent payment of unauthorized travel expenses. The internal auditor’s best course of action is to test the control to determine whether it is actually in place and operating effectively. The most reliable information for this purpose is to inspect a sample of the relevant documents. Engagement information is obtained through observation, inquiry, and examination of records. When an internal auditor becomes aware of a policy or procedure through inquiry of employees or reading a written plan, it is best for the internal auditor then to examine records to determine whether the policy or procedure is actually followed in practice.
Answer (C) is incorrect. Testimonial information is less reliable than the internal auditor’s direct personal knowledge obtained by reviewing documents. Hence, accepting the uncorroborated statement is not appropriate.
Answer (D) is incorrect. Corroborating the statement with the controller does not verify that the procedure is actually followed.

[435] Gleim #: 5.4.89
An organization has outsourced many services, including waste collection, cafeteria, and custodial services previously performed internally. Management requests an evaluation of contract compliance and the overall performance of the organizations performing the outsourced activities. Which of the following engagement procedures is the least effective in accomplishing the engagement objectives?
A. Comparison of current costs with the costs of performing the same services before they were outsourced.
B. Comparison of charges with the terms of the outsourcing contract.
C. A survey of users’ satisfaction with the services performed by the outsourcer.
D. Comparison of identified activities for each outsourcer with “best practices” of other outsourcers.
Answer (A) is incorrect. The internal auditor should determine whether anticipated changes in costs or levels of service have been achieved.
Answer (B) is incorrect. A comparison of performance with amounts contracted for is a crucial part of the engagement.
Answer (C) is incorrect. The degree of users’ satisfaction is a powerful indicator of the outsourcer’s performance.
Answer (D) is correct. The crux of such an engagement is whether the anticipated objectives were achieved at the lowest cost to the organization and whether the outsourcer is meeting the terms of the contract. The efficiency of the outsourcing firm is not an issue if the cost to the organization is the best available. Furthermore, “best practices” for outsourcers are scarcely documented.

[436] Gleim #: 5.4.90
The legislative auditing bureau of a country is required to perform compliance engagements involving organizations that are issued defense contracts on a cost-plus basis. Contracts are clearly written to define acceptable costs, including developmental research cost and appropriate overhead rates. During the past year, the government has engaged in extensive outsourcing of its activities. The outsourcing included contracts to run cafeterias, provide janitorial services, manage computer operations and systems development, and provide engineering of construction projects. The contracts were modeled after those used for years in the defense industry. The legislative internal auditors are being called upon to expand their efforts to include compliance engagements involving these contracts.
Upon initial investigation of these outsourced areas, the internal auditor found many areas in which the outsourced management has apparently expanded its authority and responsibility. For example, the contractor that manages computer operations has developed a highly sophisticated security program that may represent the most advanced information security in the industry. The internal auditor reviews the contract and sees reference only to providing appropriate levels of computing security. The internal auditor suspects that the governmental agency may be incurring developmental costs that the outsourcer may use for competitive advantage in marketing services to other organizations.
The internal auditor is concerned about whether all the debits to the computer security expense account are appropriate expenditures. The most appropriate engagement procedure is to
A. Take an attribute sample of computing invoices and determine whether all invoices are properly classified.
B. Perform an analytical review comparing the amount of expenditures incurred this year with the amounts incurred on a trend line for the past 5 years.
C. Take an attribute sample of employee wage expenses incurred by the outsourcing organization and trace to the proper account classification.
D. Take a sample of all debits to the account and investigate by examining source documents to determine the nature and authority of the expenditure.
Answer (A) is incorrect. The sample would be too broad to be efficient. The auditor is specifically interested in the debits to the account.
Answer (B) is incorrect. Analytical procedures provide information as to whether the total expense is reasonable. They do not determine whether specific debits are correct.
Answer (C) is incorrect. This procedure furnishes some information about the wage component of costs, but it is not relevant to other computer security costs.
Answer (D) is correct.
The sample should be taken from the population of interest, that is, debits to the expense account. The proper engagement procedure is to vouch the accounting records back to the source documents.

[437] Gleim #: 5.4.91
A transportation department maintains its vehicle inventory and maintenance records in a database. Which of the following audit procedures is most appropriate for evaluating the accuracy of the database information?
A. Verify a sample of the records extracted from the database with supporting documentation.
B. Submit batches of test transactions through the current system and verify with expected results.
C. Simulate normal processing by using test programs.
D. Use program tracing to show how, and in what sequence, program instructions are processed in the system.
Answer (A) is correct. Verifying is a process of corroboration and comparison, for example, of one document or oral statement with another; a general ledger balance with the detail in the subsidiary ledger; a manager’s approval with an authorizing directive issued by a higher level of management; or a purchase with a purchase requisition, an allowed amount (such as a bill of materials), production schedule, or receiving report. Verifying that recorded information agrees with the supporting documents is the most often used technique for testing the accuracy of information maintained by a system, whether manual or automated.
Answer (B) is incorrect. Testing the program will not test the accuracy of data in the database.
Answer (C) is incorrect. Simulating normal processing tests the program but not the accuracy of data.
Answer (D) is incorrect. Tracing requires that additional coding be inserted into the database system programs.

[438] Gleim #: 5.4.92
Which of the following documents should the internal auditor examine to determine whether only authorized purchases are being accepted by the receiving department?
A. A bill of lading.
B. A copy of the purchase order.
C. An invoice.
D. Policies and procedures for the receiving function.
Answer (A) is incorrect. A shipping document (bill of lading) received from the vendor cannot be used to determine whether the purchase was authorized.
Answer (B) is correct. In determining whether the accounts accurately reflect the obligations of the firm to vendors, the three items most useful to the auditor are purchase orders, receiving reports, and vendors’ invoices. The purchase order provides information as to whether the goods were actually ordered and are a voluntary obligation of the organization. The receiving report confirms that the proper amount was received and the liability recorded in the correct period. The vendor’s invoice confirms that the proper amount due has been recorded. An internal auditor will also be interested in the purchase requisitions to determine whether the purchase orders were properly authorized. However, the purchase order, not the requisition, is vital to determining the engagement client’s obligation.
Answer (C) is incorrect. A billing notice (invoice) received from the vendor cannot be used to determine whether the purchase was authorized.
Answer (D) is incorrect. Policies and procedures are not transaction documents.

[439] Gleim #: 5.4.93
Which of the following represents the most reliable information that a receivable actually exists?
A. A positive confirmation.
B. A sales invoice.
C. A receiving report.
D. A bill of lading.
Answer (A) is correct. A confirmation is a direct communication between the internal auditor and the debtor. A positive confirmation is the most reliable kind of confirmation because it asks the debtor to respond regardless of whether (s)he agrees with the information given. The negative confirmation asks for a response only when the debtor disagrees. Positive confirmations are used when balances are large or the internal auditor believes that a substantial number of accounts are in dispute or contain errors or irregularities. The negative form is used when risk is low, balances are small, and the recipients are likely to give confirmation their consideration. Often, a combination of the two forms will be used.
Answer (B) is incorrect. The sales invoice was internally generated. Information obtained directly from outside sources is more reliable.
Answer (C) is incorrect. A receiving report provides no information of a sale and a receivable.
Answer (D) is incorrect. A bill of lading is less reliable than a confirmation. It has been under the control of the engagement client.

[440] Gleim #: 5.4.94
Which of the following procedures provides the most relevant information to determine the adequacy of the allowance for doubtful accounts receivable?
A. Confirm the receivables.
B. Analyze the following month’s payments on the accounts receivable balances outstanding.
C. Test the controls over the write-off of accounts receivable to ensure that management approves all write-offs.
D. Analyze the allowance through an aging of receivables and an analysis of current economic data.
Answer (A) is incorrect. Accounts receivable confirmations are more likely to be effective for the existence assertion than for the valuation and completeness assertions.
Answer (B) is incorrect. Although subsequent collections provide the best information about collectibility, they do not indicate the value of uncollected receivables.
Answer (C) is incorrect. Testing the controls over write-offs provides no information about valuation.
Answer (D) is correct. The purpose of an allowance for doubtful accounts is to state accounts receivable at net realizable value. Consequently, an appropriate method of estimating collectibility of the receivables should be applied. Because the probability of collection is inversely proportional to the age of the receivables, aging the receivables provides information that is highly relevant. Current economic conditions are also relevant because collectibility varies with changes in the economic cycle.

[441] Gleim #: 5.4.95
The audit committee has expressed concern that the financial institution has been taking on higher-risk loans in pursuit of short-term profit goals. Which of the following engagement procedures provides the least amount of information to address this concern?
A. Perform an analytical review of interest income as a percentage of the investment portfolio in comparison with a group of peer financial institutions.
B. Take a random sample of loans made during the period and compare the riskiness of the loans with that of a random sample of loans made 2 years ago.
C. Perform an analytical review that involves developing a chart to compare interest income plotted over the past 10 years.
D. Develop a multiple-regression time-series analysis of income over the past 5 years including such factors as interest rate in the economy, size of loan portfolio, and dollar amount of new loans each year.
Answer (A) is incorrect. Higher-risk loans should generate higher short-term interest income compared with that earned by comparable institutions. Higher-risk loans have higher yields.
Answer (B) is incorrect. A historical comparison of loan risk for the institution addresses the engagement objective.
Answer (C) is correct. Plotting the changes in interest income over the past 10 years is the least useful procedure. It does not consider other important factors, such as size of the portfolio, changes in interest rates, the development of new financial instruments, the level of inflation, and government regulation.
Answer (D) is incorrect. Multiple regression explains the change in a dependent variable (interest income) attributable to two or more independent variables. Thus, it allows the internal auditor to estimate how much of the change might be due to a change in the riskiness of the loans.

[442] Gleim #: 5.4.96
Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function?
A. Observe the process.
B. Review the trend in receivables write-offs.
C. Ask the credit manager about the effectiveness of the function.
D. Check for evidence of credit approval on a sample of customer orders.
Answer (A) is incorrect. Observation will provide evidence about whether credit personnel are following standard procedures while being observed. However, because they know they are being observed, they will probably do what they believe they should do, not what they normally do.
Answer (B) is correct. The purpose of the credit-granting function is to minimize write-offs while accepting sales likely to result in collection. Trend (time-series) analysis is an analytical procedure that relies on experience, i.e., the change in a variable over time. Thus, reviewing the trend in write-offs will provide some insight concerning the minimization of write-offs.
Answer (C) is incorrect. Responses from the credit manager will lack objectivity, a key attribute of reliable evidence.
Answer (D) is incorrect. The credit limits may be set too high or not properly revised periodically. The existence of approval will not detect these problems.

[443] Gleim #: 5.4.97
An internal auditor determines that actual procedures differ from prescribed control procedures. The internal auditor should
1. Require operating personnel to conform to prescribed procedures.
2. Document the discrepancies and make any appropriate recommendations to management.
3. Expand all aspects of the engagement to determine other differences from prescribed procedures.
4. Modify the engagement work program as warranted by the differences noted.
A. 1 and 3.
B. 2 and 3.
C. 1 and 4.
D. 2 and 4.
Answer (A) is incorrect. Directing the activities of operating personnel is a management function. Also, a deviation in one control area does not justify expanding testwork in all areas.
Answer (B) is incorrect. A deviation in one control area does not justify expanding testwork in all areas.
Answer (C) is incorrect. Directing the activities of operating personnel is a management function.
Answer (D) is correct. The internal auditor should document the discrepancy in the engagement working papers and make a recommendation to management in the engagement communication based on the impact of the changed procedures on the effectiveness of control. The internal auditor also should modify the engagement work program to reflect the modified control procedure, e.g., to determine whether compensating controls exist.

[444] Gleim #: 5.4.98
An organization has grown rapidly and has just automated its human resource system. The organization has developed a large database that tracks employees, employee benefits, payroll deductions, job classifications, ethnic code, age, insurance, medical protection, and other similar information. Management has asked the internal audit activity to review the new system. To test whether data currently within the automated system are correct, the internal auditor should
A.
Use test data and determine whether all the data entered are captured correctly in the updated database.
B. Take a sample of data to be entered for a few days and trace the data to the updated database to determine the correctness of the updates.
C. Obtain a printout of all employees with invalid job descriptions and investigate the causes of the problems.
D. Select a sample of employees from the database and verify the data fields.
Answer (A) is incorrect. The use of test data checks the processing of data within the system, not the accuracy of the data.
Answer (B) is incorrect. Tracing a sample of new data checks the processing of that data, not the accuracy of the data already in the system.
Answer (C) is incorrect. Identifying employees with invalid job descriptions only checks one data field.
Answer (D) is correct. Given that the information is already in the system, the best method is to select a sample and verify that the data fields in the database contain the appropriate data.

[445] Gleim #: 5.4.99
A production manager ordered excessive raw materials for delivery to a separate company owned by the manager. The manager falsified receiving documents and approved the invoices for payment. Which of the following audit procedures would most likely detect this fraud?
A. Select a sample of cash disbursements and compare purchase orders, receiving reports, invoices, and check copies.
B. Select a sample of cash disbursements and confirm the amount purchased, purchase price, and date of shipment with the vendors.
C. Observe the receiving dock and count materials received; compare the counts to receiving reports completed by receiving personnel.
D. Perform analytical tests, comparing production, materials purchased, and raw materials inventory levels; investigate differences.
Answer (A) is incorrect. Given that documents have been falsified, supporting documents exist for each cash disbursement.
Answer (B) is incorrect. The vendors will confirm all transactions.
Answer (C) is incorrect. Given that the improper orders are shipped to another location, observing receiving dock counts will not detect the fraud.
Answer (D) is correct. Analytical auditing procedures provide internal auditors with an efficient and effective means of assessing and evaluating information collected in an engagement. The assessment results from comparing information with expectations identified or developed by the internal auditor. Analytical auditing procedures are useful in identifying, among other things, differences that are not expected; the absence of differences when they are expected; potential errors, potential fraud or illegal acts; or other unusual or nonrecurring transactions or events. Hence, the analytical procedures should identify an unexplained increase in materials used.

[446] Gleim #: 5.4.100
To control daily operating costs, an organization decreased the number of times a messenger service was used each day. Despite those measures, the monthly bill continued to increase. What procedure should the internal auditor use to detect whether improper services were being billed?
A. Reconcile a sample of messenger invoices to pickup receipts.
B. Test the mathematical accuracy of a sample of messenger invoices.
C. Scan ledger accounts and messenger invoices.
D. Observe daily use of the messenger service.
Answer (A) is correct. When the amount charged for a service increases as an entity reduces its use of the service, the possibility exists that the entity is being charged for service not received. The internal auditor should reconcile a sample of messenger invoices to pickup receipts.
By multiplying the number of trips authorized by the charge per trip, any discrepancy can be identified.
Answer (B) is incorrect. Multiplying the trips noted on the bills received by the rate specified on the bill will not identify the improper billing related to trips not carried out.
Answer (C) is incorrect. Scanning of ledger accounts and bills received is not likely to uncover billings for trips not carried out unless particular bills or ledger entries seriously deviate from expectations.
Answer (D) is incorrect. The internal auditor is unlikely to be able to observe usage of the messenger service for a long enough period. This procedure is not cost efficient.

[447] Gleim #: 5.4.101
To determine whether credit controls are inconsistently applied, preventing valid sales to creditworthy customers, the internal auditor should
A. Confirm current accounts receivable.
B. Trace postings on the accounts receivable ledger.
C. Analyze collection rates and credit histories.
D. Compare credit histories for those receiving credit and for those denied credit.
Answer (A) is incorrect. If credit is not granted, there would be no sale, and thus no balance to confirm.
Answer (B) is incorrect. If credit is not granted, there would be no sale, and thus no posting to trace.
Answer (C) is incorrect. If credit is not granted, there would be no sale, and thus no receivables to collect.
Answer (D) is correct. Credit policy should maximize profits by balancing bad debt losses and the increase in sales derived from granting credit. One concern in an engagement to review credit management is whether credit policies and procedures are fairly administered.

[448] Gleim #: 5.5.102
As a means of controlling projects and avoiding time-budget overruns, decisions to revise time budgets for an engagement should normally be made
A. Immediately after the survey.
B. When a significant risk exposure has been substantiated.
C. When inexperienced staff are assigned to an engagement.
D.
Immediately after expanding tests to establish reliability of observations.
Answer (A) is correct. If appropriate, a survey should be conducted to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from engagement clients (PA 2210.A1-1, para. 3). This survey may lead to a determination that activities other than or in addition to those contemplated by the long-range engagement work schedule are necessary. Consequently, revision of the time budget may then be indicated.
Answer (B) is incorrect. When a risk exposure has been substantiated, no further engagement work is required.
Answer (C) is incorrect. The assignment of inexperienced staff should have no effect on the decision to revise the time budget.
Answer (D) is incorrect. Expanded tests should have no effect on the time budget; the budget would have already been expanded as necessary.

[449] Gleim #: 5.5.103
The internal auditor-in-charge has just been informed of the next engagement, and the engagement team has been assigned. Select the appropriate phase for finalizing the engagement budget.
A. During formulation of the long-range plan.
B. After the preliminary survey.
C. During the initial planning meeting.
D. After the completion of all field work.
Answer (A) is incorrect. An initial budget is determined during the formulation of the long-range plan, but revisions based on the preliminary survey may be required.
Answer (B) is correct. A survey permits an informed approach to planning and carrying out engagement work and is an effective tool for allocating the internal audit activity’s resources where they can be used most effectively.
Among other things, the results of the survey should include preliminary estimates of time and resource requirements. Thus, after the preliminary survey has been completed, the final engagement budget can be prepared.
Answer (C) is incorrect. At the initial planning meeting stage, the project is not sufficiently defined to complete the final budget.
Answer (D) is incorrect. After the completion of field work, the budget is no longer useful as a control and evaluation tool.

[450] Gleim #: 5.5.104
As a particular engagement is being planned in a high-risk area, the chief audit executive determines that the available staff does not have the requisite skills to perform the assignment. The best course of action consistent with engagement planning principles is to
A. Not perform the engagement because the requisite skills are not available.
B. Use the engagement as a training opportunity and let the internal auditors learn as the engagement is performed.
C. Consider using external resources to supplement the needed knowledge, skills, and other competencies and complete the assignment.
D. Perform the engagement but limit the scope in light of the skill deficiency.
Answer (A) is incorrect. Not performing the engagement is unacceptable, especially for a high-risk area.
Answer (B) is incorrect. Engagements must be properly supervised. The internal audit activity has no one to provide this supervision.
Answer (C) is correct. In determining the resources needed to perform the engagement, the CAE must consider the knowledge, skills, and other competencies of the internal audit staff when selecting internal auditors for the engagement (PA 2230-1, para. 1). The CAE considers the use of external resources when additional knowledge and competencies are required.
Answer (D) is incorrect.
Limiting the scope of the engagement is done only when the requisite skills are not available even from external resources. If the scope is limited, management must be informed of the constraint in an interim report.

[451] Gleim #: 5.5.105
The chief audit executive of a multinational organization must form an engagement team to examine a newly acquired subsidiary in another country. Consideration should be given to which of the following factors?
I. Local customs
II. Language skills of the internal auditor
III. Experience of the internal auditor
IV. Monetary exchange rate
A. I, II, and III.
B. II, III, and IV.
C. I and III.
D. I and II.
Answer (A) is correct. The knowledge, skills, and other competencies of the internal audit staff must be considered when selecting internal auditors for the engagement (PA 2230-1, para. 1). Thus, in an engagement to be performed in a foreign country, the language skills of the internal auditor and knowledge of local customs must be considered. For example, gender and ethnic issues may be important in some countries because of religious restrictions and incompatibilities. As always, experience levels are relevant in making staff assignments.
Answer (B) is incorrect. The exchange rate is irrelevant to determining the needed traits of the team members.
Answer (C) is incorrect. The language skills of the internal auditor must be considered.
Answer (D) is incorrect. Experience must always be considered.

[452] Gleim #: 5.5.106
Which of the following statements is true with respect to a time budget for an internal audit engagement?
A. Requests for time budget adjustments should be approved by the audit committee.
B. Time budgets should be strictly adhered to, regardless of circumstances.
C. Time budgets should be used for financial audits, but not for operational audits.
D. Time budgets should normally be prepared in terms of hours or days.
Answer (A) is incorrect. Requests for time budget adjustments should be approved by the CAE, not the audit committee.
Answer (B) is incorrect. Budgets should be subject to adjustment for unexpected conditions.
Answer (C) is incorrect. Time budgets are equally applicable to all types of engagements.
Answer (D) is correct. A budget is a plan that contains a quantitative statement of expected results. It may be defined as a quantified program. All engagement projects and other assignments must be kept under budgetary control. Time budgets for engagement projects are usually prepared in employee-hours or employee-days.

[453] Gleim #: 5.5.107
In the preparation of an engagement work program, which of the following items is least essential?
A. The performance of a preliminary risk assessment.
B. A review of material from prior engagement communications.
C. The preparation of a budget identifying the costs of resources needed.
D. A review of criteria established by management to determine whether operating goals and objectives have been accomplished.
Answer (A) is incorrect. The preliminary risk assessment is required. Objectives must reflect this assessment.
Answer (B) is incorrect. Engagement communications contain, among other things, information about observations from prior engagements and corrective actions taken.
Answer (C) is correct. Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources (Perf. Std. 2230). Hence, it is implicit that the work program state the resources necessary to carry out the detailed tasks specified. However, quantification of costs is not essential to writing the work program.
Answer (D) is incorrect.
Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished.

[454] Gleim #: 5.6.108
Which of the following activities does not constitute engagement supervision?
A. Preparing a preliminary engagement work program.
B. Providing appropriate instructions to the internal auditors.
C. Reviewing engagement working papers.
D. Ensuring that engagement communications meet appropriate criteria.
Answer (A) is correct. Preparing a preliminary engagement work program is part of engagement planning, not an aspect of engagement supervision.
Answer (B) is incorrect. Providing appropriate instructions to the internal auditors is an aspect of engagement supervision.
Answer (C) is incorrect. Reviewing engagement working papers is an aspect of engagement supervision.
Answer (D) is incorrect. Ensuring that engagement objectives are achieved is an aspect of engagement supervision.

[455] Gleim #: 5.6.109
A new staff internal auditor’s first assignment is to review the cash management operations of the organization. The staff internal auditor has no background in cash management. Under which of the following conditions would this arrangement be appropriate?
I. The senior internal auditor is skilled in the area and closely supervises the staff internal auditor.
II. The staff internal auditor performs the work and prepares an engagement communication that is reviewed in detail by the chief audit executive.
A. I only.
B. II only.
C. Both I and II.
D. Neither I nor II.
Answer (A) is correct. Supervision includes ensuring that designated auditors collectively possess the necessary knowledge, skills, and other competencies to perform the engagement (PA 2340-1, para. 1).
The extent of supervision depends on the proficiency and experience of the internal auditors and the complexity of the engagement (Inter. Std. 2340). Thus, the skill of the senior auditor and the closeness of the supervision compensate for the new auditor’s inexperience regarding cash management.
Answer (B) is incorrect. Supervision involves far more than a review of the engagement communication.
Answer (C) is incorrect. The internal auditors assigned to the engagement must have or obtain the necessary proficiency, and the staff internal auditor must be closely supervised.
Answer (D) is incorrect. The internal auditors assigned to the engagement must have or obtain the necessary proficiency, and the staff internal auditor must be closely supervised.

[456] Gleim #: 5.6.110
Determining that engagement objectives have been met is part of the overall supervision of an engagement and is the ultimate responsibility of the
A. Staff internal auditor.
B. Board.
C. Engagement supervisor.
D. Chief audit executive.
Answer (A) is incorrect. The chief audit executive, not a staff internal auditor, has the responsibility to determine that engagement objectives have been met.
Answer (B) is incorrect. The chief audit executive, not the audit committee, has the responsibility to determine that engagement objectives have been met.
Answer (C) is incorrect. The chief audit executive, not the engagement supervisor, has the responsibility to determine that engagement objectives have been met.
Answer (D) is correct. The CAE has overall responsibility for supervising the engagement (Inter. Std. 2340).

[457] Gleim #: 5.6.111
Which of the following best describes engagement supervision?
A. The manager of each engagement has the ultimate responsibility for supervision.
B.
Supervision is primarily exercised at the final review stage of an engagement to ensure the accuracy of the engagement communications.
C. Supervision is most important in the planning phase of the engagement to ensure appropriate coverage.
D. Supervision is a continuing process beginning with planning and ending with the conclusion of the engagement.
Answer (A) is incorrect. The CAE has the ultimate responsibility for supervision.
Answer (B) is incorrect. Supervision begins with planning and continues throughout the engagement.
Answer (C) is incorrect. Supervision is equally important in all phases of the engagement.
Answer (D) is correct. The CAE (or designee) provides appropriate engagement supervision. Supervision is a process that begins with planning and continues throughout the engagement (PA 2340-1, para. 1).

[458] Gleim #: 5.6.112
Supervision of an internal audit engagement includes
A. Determining that engagement working papers adequately support the engagement observations.
B. Assigning staff members to the particular engagement.
C. Determining the scope of the engagement.
D. Appraising each internal auditor’s performance on at least an annual basis.
Answer (A) is correct. Supervision includes determining that the engagement working papers adequately support the engagement observations, conclusions, and recommendations (PA 2340-1, para. 1).
Answer (B) is incorrect. The plan for an engagement includes resource allocations. Thus, resource allocation is a planning function, not a supervisory function.
Answer (C) is incorrect. Determining the engagement scope is a planning function, not a supervisory function.
Answer (D) is incorrect. Appraising performance on an annual basis is not a supervisory function of a specific engagement but is part of the management of the human resources of the internal audit activity.

[459] Gleim #: 5.6.113
When engagements are performed for the internal audit activity by nonstaff members, the chief audit executive is responsible for
A. Ensuring that the engagement communications are objective, clear, and timely.
B. Reviewing the engagement work programs for approval.
C. Providing appropriate supervision from the beginning to the conclusion of the engagement.
D. None of the engagement work performed by those outside the department.
Answer (A) is incorrect. Ensuring the quality of engagement communications is only one facet of supervision for which the CAE has ultimate, although perhaps not immediate, responsibility.
Answer (B) is incorrect. Approval of the engagement work program prior to the commencement of work by the CAE or a designee is only one facet of supervision for which the CAE has ultimate, although perhaps not immediate, responsibility.
Answer (C) is correct. The CAE has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity (Inter. Std. 2340). Supervision is a process that begins with planning and continues throughout the engagement (PA 2340-1, para. 1).
Answer (D) is incorrect. The CAE is responsible for all work performed by or for the internal audit activity.

[460] Gleim #: 5.6.114
Of the many tools available to assist an internal auditing supervisor, which of the following is of least assistance in the supervision of a specific engagement?
A. Assignment board.
B. Time budget.
C. Weekly status report.
D. Time report.
Answer (A) is correct. An assignment board is a cork board that uses assignment slips and numbered tack heads to display the scheduled engagements weekly for up to a year. It provides an overview of which staff members are working on each project and is therefore of minimal assistance in the actual supervision of a specific engagement.
Answer (B) is incorrect. A time budget is a tool for supervising a specific engagement.
Answer (C) is incorrect. A weekly status report is a tool for supervising a specific engagement.
Answer (D) is incorrect. A time report is a tool for supervising a specific engagement.

[461] Gleim #: 5.6.115
A manager responsible for the supervision and review of other internal auditors needs the necessary skills, knowledge, and other competencies. Which of the following does not describe a skill, knowledge, or other competency necessary to supervise a particular engagement?
A. The ability to review and analyze an engagement work program to determine whether the proposed engagement procedures will result in information relevant to the engagement’s objectives.
B. Assuring that an engagement communication is supported and accurate relative to the information documented in the engagement working papers.
C. Using risk assessment and other judgmental processes to develop an engagement work schedule for the internal audit activity and present the schedule to the board.
D. Determining that staff auditors have completed the engagement procedures and that engagement objectives have been met.
Answer (A) is incorrect. The ability to review and analyze an engagement work program is a necessary skill for an internal audit manager.
Answer (B) is incorrect. Assuring that an engagement communication is accurate and supported is a necessary skill for an internal audit manager.
Answer (C) is correct. Using a risk assessment to develop an engagement work schedule is a function of the CAE, not an internal audit manager.
Answer (D) is incorrect. Determining that procedures have been completed and objectives met is a necessary skill for an internal audit manager.

[462] Gleim #: 5.6.116
The engagement team leader is least likely to have a primary role in
A. Allocating budgeted engagement hours among assigned staff.
B. Updating the permanent files.
C. Reviewing the working papers.
D. Preparing the critique sheet for the engagement.
Answer (A) is incorrect. Allocating budgeted engagement hours among assigned staff is a planning task.
Answer (B) is correct. The engagement team leader (sometimes called a senior) is responsible for planning the engagement, coordinating the staff, and supervising the work. Updating the permanent files is a task most likely performed by the staff.
Answer (C) is incorrect. Reviewing the working papers is a supervisory activity.
Answer (D) is incorrect. Preparing the critique sheet for the engagement is also a supervisory activity performed by the engagement team leader.

[463] Gleim #: 5.6.117
Supervision of the work of internal auditors should be carried out continually. Which of the following statements regarding supervision is (are) true?
I. “Continually” indicates that supervision should be performed throughout the engagement.
II. Supervision also should be extended to development of the competencies of internal auditors.
III. The extent of supervision needs to be documented.
A. I only.
B. I and III only.
C. II only.
D. I, II, and III.
Answer (A) is incorrect. Statements II and III are also true.
Answer (B) is incorrect. Statement II is also true.
Answer (C) is incorrect. Statements I and III are also true.
Answer (D) is correct. Supervision is a process that begins with planning and continues throughout the engagement. It includes providing opportunities for developing internal auditors’ knowledge, skills, and other competencies (PA 2340-1, para. 1). Appropriate evidence of supervision should be documented and retained.
The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement (Inter. Std. 2340).

[464] Gleim #: 5.6.118
The best control over the work on which internal auditors’ opinions are based is
A. Supervisory review of all engagement work.
B. Preparation of time budgets for internal audit activities.
C. Preparation of engagement working papers.
D. Staffing of internal audit activities.
Answer (A) is correct. The engagement must be properly supervised to ensure objectives are achieved, quality is ensured, and staff is developed (Perf. Std. 2340). Supervision includes (1) ensuring the auditors possess the requisite knowledge, skills, and other competencies; (2) providing appropriate instructions during planning and approving the engagement program; (3) ensuring the approved engagement program is complete unless changes are justified and authorized; (4) determining working papers adequately support observations, conclusions, and recommendations; (5) ensuring communications are accurate, objective, clear, concise, constructive, and timely; (6) ensuring objectives are met; and (7) providing opportunities for developing internal auditors’ knowledge, skills, and other competencies (PA 2340-1, para. 1). Hence, supervision is a control that applies to all aspects of engagements.
Answer (B) is incorrect. Although useful, time budgets do not ensure the adequacy of work.
Answer (C) is incorrect. Working papers support the conclusions and engagement results, but supervision is necessary to ensure the adequacy of work.
Answer (D) is incorrect. Proper staffing is required, but supervision is essential to ensure the adequacy of work.

[465] Gleim #: 5.6.119
Which of the following best describes what determines the extent of supervision required for a particular internal audit engagement?
A. Whether the engagement involves possible fraud on the part of management.
B. Whether the engagement involves possible violations of laws or governmental regulations.
C. The proficiency of the internal auditors and the complexity of the engagement.
D. The internal audit activity’s prior experience in dealing with the particular engagement client.
Answer (A) is incorrect. Whether the engagement involves possible fraud on the part of management is less important for determining the extent of supervision than the proficiency of the internal auditors and the complexity of the engagement.
Answer (B) is incorrect. Whether the engagement involves possible violations of laws or governmental regulations is less important for determining the extent of supervision than the proficiency of the internal auditors and the complexity of the engagement.
Answer (C) is correct. The CAE is responsible for providing appropriate engagement supervision. The extent of supervision required will depend on the proficiency and experience of the internal auditors and the complexity of the engagement (Inter. Std. 2340).
Answer (D) is incorrect. The internal audit activity’s prior experience in dealing with the particular engagement client is less important for determining the extent of supervision than the proficiency of the internal auditors and the complexity of the engagement.

[466] Gleim #: 5.6.120
The chief audit executive is responsible for engagement supervision. The most important form of supervision during the field work phase of engagements involves
A. Ensuring that the approved engagement work program is completed unless changes are justified and authorized.
B.
Providing suitable instructions to subordinates at the outset of the engagement and approving the engagement work program. C. Appraising each internal auditor’s performance at least annually. D. Making sure that communications are accurate, objective, clear, concise, constructive, and timely. Answer (A) is correct. Supervision includes ensuring the approved engagement program is completed unless changes are justified and authorized (PA 2340-1, para. 1). Execution of the work program requires supervision during field work. The other supervisory tasks generally are carried out before or after field work. Answer (B) is incorrect. “At the outset of the engagement” is not during field work. Answer (C) is incorrect. Annual performance appraisal is not specific to a particular engagement. Answer (D) is incorrect. Engagement communications are prepared at the conclusion of field work. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 254 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [467] Gleim #: 5.6.121 Which of the following items does not constitute evidence of proper supervision of an internal auditing engagement? A. An internal audit manager approves the engagement work program and gives instructions to subordinates at the outset of the engagement, and is available for consultation, but does not actively participate in the performance of procedures. B. An internal audit manager is not intimately involved in an engagement, but does review the results to ensure that all engagement objectives are being met. C. A senior internal auditor continuously deviates from the approved engagement work program, but consistently completes the engagement within the approved time budget. The time budget is approved by the internal audit manager, and compliance with the time budget is reviewed by the internal audit manager. D. 
The internal audit manager carefully reviews all analytical procedures performed by internal audit seniors during the preliminary planning for an engagement to determine if the conclusions are justified. Answer (A) is incorrect. Supervision includes approving the engagement work program; providing suitable instructions to subordinates; ensuring objectives were met and that engagement communications are accurate, timely, objective, clear, concise, and constructive; and determining that working papers adequately support the observations, conclusions, and recommendations. Answer (B) is incorrect. Supervision includes approving the engagement work program; providing suitable instructions to subordinates; ensuring objectives were met and that engagement communications are accurate, timely, objective, clear, concise, and constructive; and determining that working papers adequately support the observations, conclusions, and recommendations. Answer (C) is correct. Supervision includes ensuring the approved engagement program is carried out unless changes are justified and authorized (PA 2340-1, para. 1). Accordingly, the deviations from the planned engagement work program by the senior internal auditor should be approved by a supervisor. Answer (D) is incorrect. Supervision includes approving the engagement work program; providing suitable instructions to subordinates; ensuring objectives were met and that engagement communications are accurate, timely, objective, clear, concise, and constructive; and determining that working papers adequately support the observations, conclusions, and recommendations. [468] Gleim #: 5.6.122 During a meeting of an internal audit project team, two members of the team disagree, and one accuses the other of trying to advance personal interests over the interests of the audit. The audit manager should A. Discipline both auditors after the meeting for their lack of professional conduct. B. 
Continue the meeting but speak to the accusing auditor later regarding the inappropriate conduct. C. Meet with both auditors after the meeting to resolve the conflict and the inappropriate behavior. D. Stop the meeting and refer the matter to the entire team for discussion. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 255 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) Answer (A) is incorrect. The manager should address the behavior and not miss the opportunity for coaching and conflict resolution with both staff members. Answer (B) is incorrect. Although one auditor has behaved improperly, both auditors allowed the situation to occur, and both should be involved in its resolution to protect team morale and effectiveness. Answer (C) is correct. Effective interpersonal relationships and organizational change are closely tied to conflict management. Meeting with both auditors allows them to discuss and resolve their differences under the supervision of the audit manager. Moreover, part of the CAE’s responsibility for supervision is to adopt suitable policies and procedures for resolving professional differences (PA 2340-1, para. 2). Answer (D) is incorrect. This conflict is not a matter for the entire team to address. The team may be advised after the resolution but should not be involved in a disciplinary action by the manager. [469] Gleim #: 5.7.123 During the working-paper review, an internal auditing supervisor finds that the internal auditor’s observations are not adequately cross-referenced to supporting documentation. The supervisor will most likely instruct the internal auditor to fb .c om /c ia ao ffi ci al A. Prepare a working paper to indicate that the full scope of the engagement was carried out. B. Familiarize him/herself with the sequence of working papers so that (s)he will be able to answer questions about the conclusions stated in the final engagement communication. C. 
Eliminate any cross-references to other working papers because the system is unclear. D. Provide a cross-referencing system that shows the relationship among observations, conclusions, recommendations, and the related facts. Answer (A) is incorrect. A full set of properly indexed and cross-referenced working papers, not a separate analysis, is necessary. Answer (B) is incorrect. Proper cross-referencing avoids the need to memorize the locations of supporting information. Answer (C) is incorrect. Cross-references should be added, not deleted. Answer (D) is correct. Cross-referencing is important because it simplifies review either during the engagement or subsequently by creating a trail of related items through the working papers. It thus facilitates preparation of the final engagement communication and later engagements for the same engagement client. [470] Gleim #: 5.7.124 Engagement working papers are reviewed to ensure that A. B. C. D. They are properly cross-referenced to the engagement communications. No issues are open at the conclusion of the field work. They meet or exceed the work standards of the organization’s external auditors. They are properly referenced for easy follow-up within the next year. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 256 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) Answer (A) is incorrect. Cross-referencing working papers to the engagement communications is not specifically addressed. Answer (B) is correct. All engagement working papers are reviewed to ensure they support engagement communications and necessary audit procedures are performed (PA 2340-1, para. 3). Answer (C) is incorrect. Whether working papers meet or exceed the work standards of the external auditors is not specifically addressed. Answer (D) is incorrect. Proper referencing of working papers for easy follow-up within the next year is not specifically addressed. 

[471] Gleim #: 5.7.125
When reviewing engagement working papers, the primary responsibility of an engagement supervisor is to determine that
A. Each worksheet is properly identified with a descriptive heading.
B. Working papers are properly referenced and kept in logical groupings.
C. Standard internal audit activity procedures are adhered to with regard to working paper preparation and technique.
D. Working papers adequately support the engagement observations, conclusions, and recommendations.
Answer (A) is incorrect. Descriptive headings are not of primary importance.
Answer (B) is incorrect. Proper referencing and logical groupings are not of primary importance.
Answer (C) is incorrect. Adherence to procedures is not of primary importance.
Answer (D) is correct. All engagement working papers are reviewed to ensure they support engagement communications and necessary audit procedures are performed (PA 2340-1, para. 3).

[472] Gleim #: 5.7.126
An internal auditing manager is reviewing the engagement working papers prepared by the staff. Which of the following review comments is true?
A. Each working paper should include the actual and the budgeted times related to such engagement work.
B. Including copies of all the forms and directives of the engagement client constitutes over-documentation.
C. Conclusions need not be documented in the working papers when the engagement objectives are achieved.
D. Each working paper should include a statement regarding the engagement client’s cooperation.
Answer (A) is incorrect. Actual and budgeted times are documented in the budget section of the working papers and not on each working paper.
Answer (B) is correct. All engagement working papers are reviewed to ensure they support engagement communications and necessary audit procedures are performed (PA 2340-1, para. 3). However, adequate support includes only those forms and directives that are relevant to the engagement or to the observations, conclusions, and recommendations. Thus, including copies of all the forms and directives of the client constitutes over-documentation.
Answer (C) is incorrect. Conclusions should be documented in the working papers whether or not the engagement objectives are achieved.
Answer (D) is incorrect. Only noncooperation is likely to be documented.

[473] Gleim #: 5.7.127
One purpose of the exit meeting is for the internal auditor to
A. Require corrective action.
B. Review and verify the appropriateness of the engagement communication based upon client input.
C. Review the performance of internal auditors assigned to the engagement.
D. Present the final engagement communication to management.
Answer (A) is incorrect. Only management can require corrective action.
Answer (B) is correct. Internal auditors discuss conclusions and recommendations with appropriate levels of management before the CAE issues the final engagement communications. This is usually accomplished during the course of the engagement or at postengagement meetings (PA 2440-1, para. 1). Another technique is the review of draft engagement conclusions, observations, and recommendations by management of the activity reviewed. These discussions and reviews help ensure that there have been no misunderstandings or misinterpretations of fact by providing the opportunity for the engagement client to clarify specific items and to express views of the observations, conclusions, and recommendations (para. 2).
Answer (C) is incorrect. Internal auditor performance is reviewed in private with the individual employee, not at the exit meeting.
Answer (D) is incorrect. The exit meeting is normally based on draft communications. The final engagement communication is subject to modification based on the results of the exit meeting.

[474] Gleim #: 5.7.128
The internal audit activity customarily has a dual relationship with management and the audit committee. This means that
A. Management should help the internal audit activity by revising and forwarding engagement communications to the audit committee.
B. The internal audit activity should report directly to the audit committee, without corroborating engagement communications with management.
C. The accuracy of engagement communications should be verified with management, and the internal audit activity should then report to management and the audit committee.
D. Ideally, the internal audit activity works under the audit committee but reports to the chief operating officer on all engagements relating to operations.
Answer (A) is incorrect. The internal audit activity should revise and forward engagement communications to the audit committee.
Answer (B) is incorrect. Engagement communications should be discussed with the client management.
Answer (C) is correct. Internal auditors discuss conclusions and recommendations with appropriate levels of management before the chief audit executive (CAE) issues the final engagement communications (PA 2440-1, para. 1). These discussions and reviews help avoid misunderstandings or misinterpretations of fact (para. 2).
Answer (D) is incorrect. The ideal arrangement is to send all engagement communications to the audit committee.

[475] Gleim #: 5.7.129
Exit meetings serve to ensure the accuracy of the information used by an internal auditor. A secondary purpose of an exit meeting is to
A. Get immediate action on a recommendation.
B. Improve relations with the engagement clients.
C. Agree to the appropriate distribution of the final engagement communication.
D. Brief senior management on the results of the engagement.
Answer (A) is incorrect. An interim engagement communication would have been used to obtain immediate action on a recommendation.
Answer (B) is correct. Discussion of conclusions and recommendations with the engagement client not only provides a quality control review but is also a courtesy that enhances the internal auditor-client relationship. In addition, the exit meeting is an important aspect of the participative approach to internal auditing because it involves the client in the engagement process as well as in any recommended changes arising from the engagement.
Answer (C) is incorrect. The distribution of communications is not a secondary purpose of an exit meeting.
Answer (D) is incorrect. Senior management ordinarily should be given a summary of the results.

[476] Gleim #: 5.7.130
A purpose of the internal auditors’ exit meeting with appropriate levels of management is to
A. Inform members of the board of engagement results.
B. Present the final engagement communication to the chief executive officer.
C. Obtain information to evaluate internal control.
D. Generate commitment for appropriate managerial action.
Answer (A) is incorrect. The board would ordinarily receive a summary communication.
Answer (B) is incorrect. The final engagement communication is generated after the exit meeting.
Answer (C) is incorrect. The consideration of controls occurs at an early stage of the engagement.
Answer (D) is correct. Discussion of conclusions and recommendations with the engagement client not only provides a quality control review but is also a courtesy that enhances the internal auditor-client relationship. In addition, the exit meeting is an important aspect of the participative approach to internal auditing because it involves the client in the engagement process as well as in any recommended changes arising from the engagement. People are more likely to accept changes if they have participated in the decisions and in the methods used to implement changes.

[477] Gleim #: 5.7.131
Internal auditors should discuss conclusions and recommendations at appropriate levels of management before issuing final engagement communications. Which of the following is the primary reason that an exit meeting should be documented by the internal auditor?
A. The information may be needed if a dispute arises.
B. The Standards require that exit meetings be documented.
C. The information may be needed to revise future engagement work programs.
D. Closing conference documentation becomes a basis for future engagements.
Answer (A) is correct. The purpose of postengagement meetings (exit meetings) is to help avoid misunderstandings or misinterpretations of fact by providing the opportunity for the engagement client to clarify specific items and express views about the observations, conclusions, and recommendations (PA 2440-1, para. 2). Documenting these discussions and reviews can be valuable in preventing or resolving disputes.
Answer (B) is incorrect. Documentation of exit meetings is not specifically required by the Standards.
Answer (C) is incorrect. Notes taken during the exit meeting may lead to a revised engagement work program, but that result is not the primary purpose of the practice.
Answer (D) is incorrect. Planning future engagements is not the primary purpose of documenting an exit meeting.

[478] Gleim #: 5.7.132
In a well-developed management environment, the internal audit activity
A. Reports the results of an audit engagement to line management as well as to senior management.
B. Conducts initial audits of new computer systems after they have begun operating.
C. Interfaces primarily with senior management, minimizing interactions with line managers who are the subjects of internal audit work.
D. Focuses primarily on asset management and reports results to the audit committee.
Answer (A) is correct. Internal auditors discuss conclusions and recommendations with appropriate levels of management before the chief audit executive (CAE) issues the final engagement communications (PA 2440-1, para. 1). The level of participants in the discussions and reviews varies by organization and nature of the report; they generally include those individuals who are knowledgeable of detailed operations and those who can authorize the implementation of corrective action (para. 3).
Answer (B) is incorrect. Emphasis should be placed on the audits of proposed products and systems. These early examinations could be used to determine the feasibility or desirability of changes before these changes are implemented.
Answer (C) is incorrect. The role of the internal auditor involves interfacing with management at the operating level as well as at the senior level.
Answer (D) is incorrect. Asset management is not a primary focus of the internal audit activity.

[479] Gleim #: 5.7.133
The effectiveness of an internal auditing engagement is related to the results and the action taken on those results. Which of the following activities contributes to engagement effectiveness?
A. Conducting an exit meeting with engagement clients.
B. Adhering to a time budget.
C. Preparing weekly time reports.
D. Having budget revisions approved by the project supervisor.
Answer (A) is correct. An exit meeting (postengagement meeting) is an opportunity for discussion of engagement results, i.e., observations, conclusions, and recommendations. The effectiveness of an engagement is enhanced by the exit meeting because it provides the engagement client an opportunity to clarify specific items and to express views of the observations, conclusions, and recommendations.
Answer (B) is incorrect. Adhering to a time budget contributes to efficiency, not effectiveness.
Answer (C) is incorrect. Preparing weekly time reports contributes to efficiency, not effectiveness.
Answer (D) is incorrect. Having budget revisions approved by the project supervisor contributes to efficiency, not effectiveness.

[480] Gleim #: 5.7.134
When conducting a performance appraisal of an internal auditor who has been a below-average performer, an inappropriate procedure is to
A. Notify the internal auditor of the upcoming appraisal several days in advance.
B. Use objective, impartial language.
C. Use generalizations.
D. Document the appraisal.
Answer (A) is incorrect. This is an appropriate procedure when conducting a performance appraisal.
Answer (B) is incorrect. This is an appropriate procedure when conducting a performance appraisal.
Answer (C) is correct. In a performance appraisal of a below-average performer, it is appropriate and advisable to notify the employee of the upcoming appraisal, use objective language, and document the appraisal. It is not appropriate to use generalizations when making a performance appraisal of a below-average performer. Rather, the evaluator must cite specific information and be prepared to support assertions with evidence.
Answer (D) is incorrect. This is an appropriate procedure when conducting a performance appraisal.

[481] Gleim #: 6.1.1
During an engagement involving the receiving section of the purchasing division, the internal auditor discovers that a receiving problem might be the result of procedures followed in the procurement section. The internal audit activity’s management agrees that the internal auditor should extend the engagement, on a limited scale, into the procurement section. According to the Standards, which device should be used to communicate the change in engagement scope to the engagement client?
A. An informal notification of the involved supervisor.
B. A formal written communication to the involved supervisor.
C. A written interim communication to the involved supervisor and the same distribution as the original correspondence scheduling the engagement.
D. No communication is necessary if the internal audit activity’s charter specifies the unrestricted scope of its work.
Answer (A) is incorrect. The engagement client’s management should be informed.
Answer (B) is incorrect. The engagement client’s management should be informed.
Answer (C) is correct. Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period (PA 2410-1, para. 14).
Answer (D) is incorrect. Nothing in the charter negates the need to inform concerned parties of changes in the scope of the engagement.

[482] Gleim #: 6.1.2
You are conducting an engagement to evaluate the organization’s marketing effort. You agreed to keep the marketing vice president informed of your progress on a regular basis. What method should be used for those progress reports?
A. Oral or written interim reports.
B. Written reports signed by the chief audit executive.
C. Copies of working paper summaries.
D. Briefing by the appropriate marketing first-line supervisor.
Answer (A) is correct. Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period (PA 2410-1, para. 14).
Answer (B) is incorrect. An oral report is acceptable.
Answer (C) is incorrect. Engagement communications, not working papers, should be submitted to engagement clients.
Answer (D) is incorrect. The internal auditors, not a marketing supervisor, should submit engagement communications.

[483] Gleim #: 6.1.3
Which of the following is false with respect to the use of interim engagement communications? Interim engagement communications
A. Are used to communicate information that requires immediate attention.
B. Are used to communicate a change in engagement scope for the activity under review.
C. Keep management informed of engagement progress when engagements extend over a long period of time.
D. Eliminate the need for issuing final engagement communications.
Answer (A) is incorrect. Interim engagement communications are used to communicate information that requires immediate attention.
Answer (B) is incorrect. Interim engagement communications are used to communicate a change in engagement scope for the activity under review.
Answer (C) is incorrect. Interim engagement communications are used to keep management informed of engagement progress when engagements extend over a long period of time.
Answer (D) is correct. Interim reports are written or oral and may be transmitted formally or informally. They are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period. The use of interim reports does not diminish or eliminate the need for a final report (PA 2410-1, para. 14).

[484] Gleim #: 6.1.4
As an internal auditor for a multinational chemical producer, you have been assigned to an engagement at a local plant. This plant is similar in age, siting, and construction to two other plants owned by the same organization that have been recently cited for discharge of hazardous wastes. In addition, you are aware that chemicals manufactured at the plant release toxic by-products. Assume that you have evidence that the plant is discharging hazardous wastes. As a certified internal auditor, what is the appropriate communication requirement in this situation?
A. Send a copy of your engagement communication to the appropriate regulatory agency.
B. Ignore the issue because the regulatory inspectors are better qualified to assess the danger.
C. Issue an interim engagement communication to the appropriate levels of management.
D. Note the issue in your working papers but do not report it.
Answer (A) is incorrect. Internal auditors are not usually responsible for notifying outside authorities of suspected wrongdoing.
Answer (B) is incorrect. Internal auditors must evaluate risk exposures and controls relating to compliance with laws, regulations, and contracts.
Answer (C) is correct. Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period (PA 2410-1, para. 14).
Answer (D) is incorrect. The Standards require the reporting of violations of laws, regulations, and contracts.

[485] Gleim #: 6.1.5
Internal audit activity policy requires that final engagement communications not be issued without a management response. An engagement with significant observations is complete except for management’s response. Evaluate the following courses of action and select the best alternative.
A. Issue an interim engagement communication regarding the important issues noted.
B. Modify the policy to allow a specific time period for management’s response.
C. Wait for management’s response and then issue the engagement communication.
D. Discuss the situation with the external auditors.
Answer (A) is correct. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period. The use of interim reports does not diminish or eliminate the need for a final report (PA 2410-1, para. 14).
Answer (B) is incorrect. Significant observations should be timely communicated.
Answer (C) is incorrect. Significant observations should be timely communicated.
Answer (D) is incorrect. Significant observations should be timely communicated to senior management and the board.

[486] Gleim #: 6.1.6
Engagement field work has identified a number of significant observations. Additional tests from the original engagement work program still have to be performed, but data are not readily available. Evaluate the following and select the best alternative.
A. Do not issue the engagement communication until all testing has been completed.
B. Issue an interim engagement communication to management regarding the negative observations noted.
C. Identify other alternative tests to complete prior to reporting the engagement observations.
D. Perform engagement tests when the final data are available.
Answer (A) is incorrect. Significant observations should be communicated promptly to management.
Answer (B) is correct. Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period (PA 2410-1, para. 14). Answer (C) is incorrect. Significant observations are those that require immediate attention. Answer (D) is incorrect. Significant observations should be reported without delay for final testing. [487] Gleim #: 6.1.7 An internal audit activity is conducting an engagement to evaluate the payroll and accounts receivable departments. Significant problems related to the approval of overtime have been noted. While the engagement is still in process, which of the following engagement communications is appropriate? A. B. C. D. A summary communication. A final written communication. A questionnaire-type communication. An oral communication. Answer (A) is incorrect. A summary highlights engagement results; it is inappropriate while the engagement is still in process. Answer (B) is incorrect. A final written report is not required for each engagement, only that results be promptly communicated. When a significant problem is discovered during the engagement, an oral or written interim report should be used to obtain immediate action. Answer (C) is incorrect. A questionnaire-type report is normally used within the internal audit activity. It has limited value. Answer (D) is correct. Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period. 
The use of interim reports does not diminish or eliminate the need for a final report (PA 2410-1, para. 14). Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 265 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [488] Gleim #: 6.1.8 The most appropriate use of an oral engagement communication is to communicate A. Sensitive matters to management when the chief audit executive does not want to commit them to writing. B. Complex matters to operating management when the possibility exists that misunderstanding would result from reducing them to writing. C. Conditions that demand immediate action. D. Matters that are not material. Answer (A) is incorrect. Highly sensitive matters should be thoroughly documented, but access to such documentation must be restricted. Answer (B) is incorrect. Complex matters are better communicated in writing. Answer (C) is correct. Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period. The use of interim reports does not diminish or eliminate the need for a final report (PA 2410-1, para. 14). Answer (D) is incorrect. Immaterial matters should not be communicated. [489] Gleim #: 6.1.9 An oral engagement communication may be most appropriate when .c om /c ia ao ffi ci al A permanent record of the communication is needed. Emergency action is needed. A summary of individual engagements is needed by higher-level management. The communication is used only for internal reporting within the internal audit activity. fb A. B. C. D. Answer (A) is incorrect. Oral communications do not provide a permanent record. Answer (B) is correct. A principal advantage of an oral communication is its timeliness. 
This prompt feedback is important for observations needing immediate action (PA 2410-1, para. 14). It also permits the auditor to provide an instant response to engagement client questions, suggestions, or positions.
Answer (C) is incorrect. A summary of individual engagements is best presented in a summary written report.
Answer (D) is incorrect. Questionnaire-type communications are normally used for internal reporting within the internal audit activity.

[490] Gleim #: 6.1.10
Which of the following situations is most likely to be the subject of a written interim report to the engagement client?
A. Seventy percent of the planned audit work has been completed with no significant adverse observations.
B. The auditors have decided to substitute survey procedures for some of the planned detailed review of certain records.
C. The engagement program has been expanded because of indications of possible fraud.
D. Open burning at a subsidiary plant poses a prospective violation of pollution regulations.
Answer (A) is incorrect. Significant adverse observations, not their absence, are a basis for interim reporting.
Answer (B) is incorrect. This change in procedures is not likely to be a concern of the engagement client.
Answer (C) is incorrect. Sufficient investigation should take place to establish reasonable certainty that a fraud has occurred before any reporting is done.
Answer (D) is correct. Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period (PA 2410-1, para. 14). A possible violation of pollution regulations requires immediate attention.
[491] Gleim #: 6.1.11
In which of the following situations have the internal auditors appropriately transmitted their engagement communication?
Situation 1 -- The engagement team is behind schedule so the in-charge internal auditor decides to present the final engagement communication orally to the area’s management in place of a written report.
Situation 2 -- The area manager will be on vacation when the final engagement communication is expected to be issued. The in-charge internal auditor presents orally several items that need immediate corrective action.
Situation 3 -- During inspection of inventory, an internal auditor observes water from a leaking section of the roof dripping on items stored beneath it. These items are susceptible to water damage. The internal auditor tells the plant manager who has the items moved and the roof repaired. The internal auditor does not mention this item in the final written engagement communication.
Situation 4 -- The engagement team found only one minor problem during the engagement. This problem was pointed out to the manager of the area who took steps to correct it before the engagement was finished. The in-charge internal auditor decides that, because management need take no further corrective action, no written engagement communication for this engagement is necessary.
A. Situations 1 and 4.
B. Situations 1 and 3.
C. Situations 2 and 4.
D. Situations 2 and 3.
Answer (A) is incorrect. No final written engagement communication was issued in either Situation 1 or 4.
Answer (B) is incorrect. No final written engagement communication was issued in Situation 1.
Answer (C) is incorrect. Mentioning that corrective action has been taken in Situation 4 is appropriate.
Answer (D) is correct. The handling of Situation 2 is appropriate because oral interim reports may be used to communicate information that requires immediate attention (the use of interim reports does not diminish the need for a final report) (PA 2410-1, para. 14). The handling of Situation 3 is appropriate because the condition does not exist at the date of the final communication.

[492] Gleim #: 6.1.12
During an early phase of an extensive engagement to evaluate a manufacturer’s inventory management system, an internal auditor reviewed inventory levels. During this review, the internal auditor discovered that there had been recurring stockouts for some high demand items and that this had led to expensive expediting and work stoppages. Further investigation revealed that the purchasing department had regularly ordered these items based upon purchase orders produced automatically by the computerized inventory system. The quantity orders had been based on an economic order quantity (EOQ) model included in the computerized inventory system. The internal auditor determined that the EOQ model was properly designed and that the problem had resulted from failure to update data in the model concerning the time required for delivery. If the internal auditor decides that the situation warrants management’s immediate attention and the entire engagement will not be completed for several weeks, communication with management will probably take the form of a(n)
A. Summary written report to operating management.
B. Oral report to senior management.
C. Written interim report to operating management.
D. Regular written report to operating management.
Answer (A) is incorrect. A summary report is addressed to senior management or the board.
Answer (B) is incorrect. Operating management should be given oral reports.
Answer (C) is correct.
Interim reports are written or oral and may be transmitted formally or informally. Interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period (PA 2410-1, para. 14). An observation of this degree of importance should be in written format.
Answer (D) is incorrect. A regular report would not be timely.

[493] Gleim #: 6.1.13
Communication skills are important to internal auditors. The internal auditor should be able to effectively convey all of the following to the engagement client except
A. The engagement objectives for a specific engagement client.
B. The evaluations based on a preliminary survey of an engagement client.
C. The risk assessment used in selecting the area for engagement investigation.
D. Recommendations that are generated in relationship to a specific engagement client.
Answer (A) is incorrect. The internal auditor should be able to effectively convey engagement objectives.
Answer (B) is incorrect. The internal auditor should be able to effectively convey evaluations.
Answer (C) is correct. Internal auditors need to be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations (PA 1210-1, para. 1). The internal auditor’s risk assessment is not specifically mentioned.
Answer (D) is incorrect. The internal auditor should be able to effectively convey recommendations.

[494] Gleim #: 6.1.14
Which of the following should be identified as a deficiency by an engagement supervisor who is reviewing working papers?
A.
A memorandum recorded in the working papers explained why the time budget for a part of the engagement was exceeded.
B. A draft communication concerning an engagement observation recorded in the working papers omitted the criteria used for evaluation.
C. A memorandum recorded in the working papers explained why an engagement work program step was omitted.
D. A letter to the engagement client outlining the scope of the engagement was recorded in the working papers.
Answer (A) is incorrect. Reasons for exceeding a time budget are appropriate for inclusion in working papers.
Answer (B) is correct. Observations are included in engagement communications. According to PA 2410-1, observations have four attributes: criteria, condition, cause, and effect. Thus, omitting the criteria used in making an evaluation or verification results in a failure to support observations properly.
Answer (C) is incorrect. An explanation of the omission of a work program step is appropriate for inclusion in working papers.
Answer (D) is incorrect. A letter outlining the scope of the engagement is appropriate for inclusion in working papers.

[495] Gleim #: 6.2.15
An engagement communication relating to an engagement performed at a bank categorizes observations as “deficiencies” for major problems and “other areas for improvement” for less serious problems. Which of the following excerpts is properly included under “other areas for improvement?”
A. Many secured loans did not contain hazard insurance coverage for tangible property collateral.
B. Loan officers also prepare the cashier’s checks for disbursement of the loan proceeds.
C. The bank is incurring unnecessary postage cost by not combining certain special mailings to checking account customers with the monthly mailing of their statements.
D.
At one branch a large amount of cash was placed on a portable table behind the teller lines.
Answer (A) is incorrect. A lack of hazard insurance coverage for collateral is a serious risk or exposure for the bank that could have a material effect on its financial statements.
Answer (B) is incorrect. Loan officers should not be permitted to prepare disbursement checks and grant loans to bank customers. These are duties that must be segregated to prevent possible employee defalcations.
Answer (C) is correct. The attributes of engagement observations include effect, the risk or exposure, because the condition is inconsistent with the criteria. Moreover, the internal auditor must determine the degree of the risk or exposure. That the bank incurs unnecessary postage expense by not combining mailings warrants mentioning but does not constitute a serious risk or exposure.
Answer (D) is incorrect. Failure to limit access to cash violates internal control policies assigning cash to specific individuals for accountability purposes.

[496] Gleim #: 6.2.16
During an early phase of an extensive engagement to evaluate a manufacturer’s inventory management system, an internal auditor reviewed inventory levels. During this review, the internal auditor discovered that there had been recurring stockouts for some high demand items and that this had led to expensive expediting and work stoppages. Further investigation revealed that the purchasing department had regularly ordered these items based upon purchase orders produced automatically by the computerized inventory system. The quantity orders had been based on an economic order quantity (EOQ) model included in the computerized inventory system. The internal auditor determined that the EOQ model was properly designed and that the problem had resulted from failure to update data in the model concerning the time required for delivery. The internal auditor should most likely conclude that these facts indicate a(n)
A.
Breakdown in an operating system that the internal auditor should direct management to correct immediately.
B. Important problem that discussion with operating management should easily resolve.
C. Indication that the materials standards used in production planning should be scheduled for review.
D. Important problem that should be included in an engagement communication.
Answer (A) is incorrect. Internal auditors have no authority to compel management action.
Answer (B) is incorrect. Informal discussion is not an appropriate way to approach a problem of such magnitude.
Answer (C) is incorrect. The quantity available, not its quality, is at issue.
Answer (D) is correct. The problems described clearly meet the materiality threshold for coverage in an engagement communication. The internal auditor should furnish recommendations for procedures to generate and enter the data necessary to update the model.

[497] Gleim #: 6.2.17
Recommendations should be included in audit reports to
A. Provide management with options for addressing audit findings.
B. Ensure that problems are resolved in the manner suggested by the auditor.
C. Minimize the amount of time required to correct audit findings.
D. Guarantee that audit findings are addressed, regardless of cost.
Answer (A) is correct. Recommendations are based on the internal auditor’s observations and conclusions. They call for action to correct existing conditions or improve operations and may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results (PA 2410-1, para. 9).
Answer (B) is incorrect. Problems must be resolved in the manner deemed appropriate by management, not the auditor. However, the auditor is responsible for monitoring the disposition of results communicated to management.
Answer (C) is incorrect. Providing recommendations may or may not enable management to reduce the costs/time of addressing audit findings.
Answer (D) is incorrect. Management may assume the risk of not taking corrective action on reported observations, for example, because of cost.

[498] Gleim #: 6.2.18
The internal audit activity has just completed an engagement to review loan processing and commercial loan account balances for a financial institution. Following are a few excerpts from the working papers indicating potential engagement observations.
A. The auditors took a statistical sample of 100 loan applications and determined that only 85 loans were granted.
B. Of the 85 loans granted, the auditors noted that 4 loans should have been reviewed and approved by the loan committee but were not. Organizational policy states that all loans must be approved by the committee prior to funding. Each of the 4 loans, however, was approved by the vice president. The matter was discussed with the vice president, who indicated it was a competitive loan situation to a new customer and in the best interests of the financial institution to expedite the loan and establish a firm relationship with a growing customer. All of the other loans were formally approved by the loan committee.
C. Of the 81 loans approved by the loan committee, the auditors found 7 in which the actual amount lent exceeded the approved amount.
D. The auditors noted three instances in which loans were made to related groups of organizations without an analysis of the total amount of loans made to the controlling entity. There may be statutory limitations on the amount of loans that can be made to any individual controlling organization.
E.
Of the 81 loans approved by the loan committee, the auditors found that 14 contained either insufficient documentation or were not received by the committee in a timely fashion in advance of their meeting.
The statistical sample was taken with a 95% confidence level using attribute sampling with a tolerable error limit of 4%. Assume that the sampling plan was implemented correctly.
Regarding item D, which of the following is true?
I. The deviation rate is under 4%; therefore, the observation need not be reported to management and the board.
II. The internal auditor should review appropriate regulations and possibly obtain legal counsel’s opinion about the observation prior to including it in the final engagement communication.
III. The internal auditor should report the observation to the vice president who approved the loans and ask for a follow-up communication during the engagement scheduled next year. No further action need be taken at this time.
IV. Review a plan by the loan committee to prevent such occurrences in the future and include a summary and analysis of the plan in the final engagement communication.
A. I only.
B. III only.
C. II and IV.
D. II only.
Answer (A) is incorrect. The inclusion of an item in an engagement communication is based on the significance of the observation, not just the tolerable error rate. Furthermore, the upper error rate (not computed here) would be higher than the tolerable error rate.
Answer (B) is incorrect. The loan approvals may represent significant violations of both governmental regulations and organizational policy. Waiting a full year for follow-up action without reaching a conclusion on the seriousness of the problem would not be appropriate.
Answer (C) is correct.
Regarding item II, the internal auditor should independently determine the significance of the observation and should consult an outside service provider (e.g., a legal specialist) if (s)he lacks the requisite expertise. Regarding item IV, the engagement communication should include recommendations for improvements, acknowledgments of satisfactory performance, and corrective actions (PA 2410-1, para. 9).
Answer (D) is incorrect. Statement IV is also true.

[499] Gleim #: 6.2.19
While performing an operational engagement involving the firm’s production cycle, an internal auditor discovers that, in the absence of specific guidelines, some engineers and buyers routinely accept vacation trips paid by certain of the firm’s vendors. Other engineers and buyers will not accept even a working lunch paid for by a vendor. Which of the following actions should the internal auditor take?
A. None. The engineers and buyers are professionals. An internal auditor should not inappropriately interfere in what is essentially a personal decision.
B. Informally counsel the engineers and buyers who accept the vacation trips. This helps prevent the possibility of kickbacks, while preserving good internal auditor-engagement client relations.
C. Formally recommend that the organization establish a code of ethics. Guidelines of acceptable conduct, within which individual decisions may be made, should be provided.
D. Issue a formal engagement communication naming the personnel who accept vacations but make no recommendations. Corrective action is the responsibility of management.
Answer (A) is incorrect. Internal auditors are charged with the responsibility of evaluating what they examine and of making recommendations, if appropriate.
Answer (B) is incorrect. Management is charged with the responsibility of making any corrections necessary within its department.
Answer (C) is correct.
The internal auditor may communicate recommendations for improvements, acknowledgments of satisfactory performance, and corrective actions. Recommendations are based on the internal auditor’s observations and conclusions. They call for action to correct existing conditions or improve operations and may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. Recommendations can be general or specific (PA 2410-1, para. 9). Accordingly, the internal auditor’s responsibility in these circumstances is to recommend adoption of a code of ethics.
Answer (D) is incorrect. Internal auditors should make recommendations if appropriate.

[500] Gleim #: 6.2.20
An engagement observation is worded as follows:
The capital budget includes funds to purchase 11 new vehicles. Review of usage records showed that 10 vehicles in the fleet of 70 had been driven less than 2,500 miles during the past year. Vehicles have been assigned to different groups whose usage rates have varied greatly. There was no policy requiring rotation of vehicles between high and low usage groups. Lack of criteria for assigning vehicles and a system for monitoring their usage could lead to purchasing unneeded vehicles.
Based on the facts presented, it is appropriate to recommend that management
A. Establish a minimum of 2,500 miles per quarter as a criterion for assigning vehicles to user groups.
B. Establish a system to rotate vehicles among users periodically.
C. Delay the proposed vehicle purchases until the apparent excess capacity is adequately explained or absorbed.
D. Withhold approval of the capital budget until other projects can be reviewed by internal auditing.
Answer (A) is incorrect. Recommending specific criteria is not appropriate.
Answer (B) is incorrect.
Establishing a system to rotate vehicles is not an appropriate recommendation; the matter requires further analysis.
Answer (C) is correct. The internal auditor may communicate recommendations for improvements, acknowledgments of satisfactory performance, and corrective actions. Under some circumstances, the internal auditor may recommend a general course of action and specific suggestions for implementation. In other circumstances, the internal auditor may suggest further investigation or study (PA 2410-1, para. 9).
Answer (D) is incorrect. Withholding approval of the capital budget is excessive given the results of the engagement just completed.

[501] Gleim #: 6.2.21
The following information is extracted from a draft of an engagement communication prepared upon the completion of an engagement to review the inventory warehousing procedures for a division.
Observations and Recommendations
[#7] Inventory is messy. We recommend that management communicate the importance of orderly inventory management techniques to warehouse personnel to avoid the problems noted earlier about (1) locating inventory when needed for production and (2) incurring unusually large amounts of inventory write-offs because of obsolescence.
[#8] We appreciate the cooperation of divisional management. We intend to discuss our observations with them and follow up by communicating your reaction to those recommendations included within this engagement communication. Given additional time for analysis, we feel that substantial opportunities are available for significant cost savings, and we are proud to be a part of the process.
[#5] We performed extensive tests of inventory recordkeeping and quantities on hand.
Based on our tests, we have concluded that the division carries a large quantity of excess inventory, particularly in the area of component parts. We expect this is due to the conservatism of local management that does not want to risk shutting down production if the goods are not on hand. However, as noted earlier in this engagement communication, the excess inventory has led to a higher-than-average level of obsolete inventory write-downs at this division. We recommend that production forecasts be established, along with lead times for various products, and used in conjunction with economic order quantity concepts to order and maintain appropriate inventory levels.
[#6] We noted that receiving reports were not filled out when the receiving department became busy. Instead, the receiving manager would fill out the reports after work and forward them to accounts payable. There is a risk that all items received might not be recorded, or that failing to record them initially might result in some items being diverted to other places. During our tests, we discovered many instances in which accounts payable had to call receiving to obtain a receiving report. We recommend that receiving reports be prepared.
A major deficiency in paragraph #5 related to the completeness of the engagement communication is that
A. There is no indication of the potential cause of the problem.
B. It does not contain criteria by which the concept of “excessive inventory” is judged.
C.
D.
Answer (A) is incorrect. The cause of the problem is attributed to divisional management’s conservatism regarding the risk of shutdowns.
Answer (B) is correct. Observations and recommendations are based on the attributes of criteria, conditions, cause, and effect (PA 2410-1, para. 7).
Paragraph #5 is silent on the criteria the internal auditor used in determining that the division had excessive levels of inventory.
Answer (C) is incorrect. The engagement communication states that excess inventory has led to write-downs as a result of obsolescence.
Answer (D) is incorrect. The recommendations are logically derived from the observations and represent an approach that should be considered by management. Recommendations should be included in engagement communications.

[502] Gleim #: 6.2.22
The following information is extracted from a draft of an engagement communication prepared upon the completion of an engagement to review the inventory warehousing procedures for a division.
Observations and Recommendations
[#7] Inventory is messy. We recommend that management communicate the importance of orderly inventory management techniques to warehouse personnel to avoid the problems noted earlier about (1) locating inventory when needed for production and (2) incurring unusually large amounts of inventory write-offs because of obsolescence.
[#8] We appreciate the cooperation of divisional management. We intend to discuss our observations with them and follow up by communicating your reaction to those recommendations included within this engagement communication. Given additional time for analysis, we feel that substantial opportunities are available for significant cost savings, and we are proud to be a part of the process.
[#5] We performed extensive tests of inventory recordkeeping and quantities on hand. Based on our tests, we have concluded that the division carries a large quantity of excess inventory, particularly in the area of component parts.
We expect this is due to the conservatism of local management that does not want to risk shutting down production if the goods are not on hand. However, as noted earlier in this engagement communication, the excess inventory has led to a higher-than-average level of obsolete inventory write-downs at this division. We recommend that production forecasts be established, along with lead times for various products, and used in conjunction with economic order quantity concepts to order and maintain appropriate inventory levels.
[#6] We noted that receiving reports were not filled out when the receiving department became busy. Instead, the receiving manager would fill out the reports after work and forward them to accounts payable. There is a risk that all items received might not be recorded, or that failing to record them initially might result in some items being diverted to other places. During our tests, we discovered many instances in which accounts payable had to call receiving to obtain a receiving report. We recommend that receiving reports be prepared.
A major deficiency in paragraph #6 related to the completeness of the engagement communication is that the
A. Factual support for the observation is not given.
B. Cause of the problem is not defined.
C. Risk is presented in an overdramatic fashion.
D.
Answer (A) is incorrect. Factual support comes from the internal auditors’ visual inspection.
Answer (B) is incorrect. The cause of the problem (or at least the excuse given) is that concurrent receiving reports are not prepared when the department is busy.
Answer (C) is incorrect. The internal auditor describes factually the result that might occur if the control deficiency is not adequately addressed.
Answer (D) is correct.
Receiving reports are being prepared but not on a timely basis or concurrently with the receipt of the goods. The recommendation needs to be more detailed.

[503] Gleim #: 6.2.23
The following information is extracted from a draft of an engagement communication prepared upon the completion of an engagement to review the inventory warehousing procedures for a division.
Observations and Recommendations
[#7] Inventory is messy. We recommend that management communicate the importance of orderly inventory management techniques to warehouse personnel to avoid the problems noted earlier about (1) locating inventory when needed for production and (2) incurring unusually large amounts of inventory write-offs because of obsolescence.
[#8] We appreciate the cooperation of divisional management. We intend to discuss our observations with them and follow up by communicating your reaction to those recommendations included within this engagement communication. Given additional time for analysis, we feel that substantial opportunities are available for significant cost savings, and we are proud to be a part of the process.
[#5] We performed extensive tests of inventory recordkeeping and quantities on hand. Based on our tests, we have concluded that the division carries a large quantity of excess inventory, particularly in the area of component parts. We expect this is due to the conservatism of local management that does not want to risk shutting down production if the goods are not on hand. However, as noted earlier in this engagement communication, the excess inventory has led to a higher-than-average level of obsolete inventory write-downs at this division.
We recommend that production forecasts be established, along with lead times for various products, and used in conjunction with economic order quantity concepts to order and maintain appropriate inventory levels.
[#6] We noted that receiving reports were not filled out when the receiving department became busy. Instead, the receiving manager would fill out the reports after work and forward them to accounts payable. There is a risk that all items received might not be recorded, or that failing to record them initially might result in some items being diverted to other places. During our tests, we discovered many instances in which accounts payable had to call receiving to obtain a receiving report. We recommend that receiving reports be prepared.
A major deficiency in paragraph #8 is that
A. The nature of the follow-up action is inappropriate.
B. The observations were not discussed with division management before being presented to upper management.
C. The cost savings mentioned are not supported in the engagement communication.
D.
Answer (A) is incorrect. Not discussing the observations with management and not supporting the claim about cost savings are also deficiencies.
Answer (B) is incorrect. The inappropriate nature of the follow-up action and not supporting the claim about cost savings are also deficiencies.
Answer (C) is incorrect. Not discussing the observations with management and the inappropriate nature of the follow-up action are also deficiencies.
Answer (D) is correct. The follow-up is insufficient. Following up entails ascertaining that the engagement client has taken appropriate action or that senior management or the board has assumed the risk of not taking corrective action.
Moreover, conclusions and recommendations should be discussed at appropriate levels of management before issuing final engagement communications, and interim engagement communications may be transmitted formally or informally. Finally, the statement about opportunities for cost savings is not wholly supported.

[504] Gleim #: 6.2.24
The following information is extracted from a draft of an engagement communication prepared upon the completion of an engagement to review the inventory warehousing procedures for a division.

Observations and Recommendations

[#5] We performed extensive tests of inventory recordkeeping and quantities on hand. Based on our tests, we have concluded that the division carries a large quantity of excess inventory, particularly in the area of component parts. We expect this is due to the conservatism of local management that does not want to risk shutting down production if the goods are not on hand. However, as noted earlier in this engagement communication, the excess inventory has led to a higher-than-average level of obsolete inventory write-downs at this division. We recommend that production forecasts be established, along with lead times for various products, and used in conjunction with economic order quantity concepts to order and maintain appropriate inventory levels.

[#6] We noted that receiving reports were not filled out when the receiving department became busy. Instead, the receiving manager would fill out the reports after work and forward them to accounts payable. There is a risk that all items received might not be recorded, or that failing to record them initially might result in some items being diverted to other places. During our tests, we discovered many instances in which accounts payable had to call receiving to obtain a receiving report. We recommend that receiving reports be prepared.

[#7] Inventory is messy. We recommend that management communicate the importance of orderly inventory management techniques to warehouse personnel to avoid the problems noted earlier about (1) locating inventory when needed for production and (2) incurring unusually large amounts of inventory write-offs because of obsolescence.

[#8] We appreciate the cooperation of divisional management. We intend to discuss our observations with them and follow up by communicating your reaction to those recommendations included within this engagement communication. Given additional time for analysis, we feel that substantial opportunities are available for significant cost savings, and we are proud to be a part of the process.

A major writing problem in paragraph #5 is
A. The use of potentially emotional words such as “conservatism” of local management.
B. The presentation of observations before recommendations. The engagement communication would have more impact if recommendations are made before the
C.

Answer (A) is correct. The internal auditor should avoid using emotionally charged words because they might provoke an unexpected, negative reaction from the engagement client. The actions of divisional management could have been described adequately in neutral terms.
Answer (B) is incorrect. The excerpt is from the observations and recommendations section of the engagement communication, not the management executive summary. Thus, it is appropriate to present the observations and their basis before presenting the recommendations.
Answer (C) is incorrect. The term “component parts” is not commonly regarded as having a negative connotation.
Answer (D) is incorrect. The problem of excessive inventory has been noted in relationship to this observation.
As long as the amounts of excessive write-downs have been noted earlier in the communication, it is appropriate to refer to that section for more detail.

[505] Gleim #: 6.2.25
The following information is extracted from a draft of an engagement communication prepared upon the completion of an engagement to review the inventory warehousing procedures for a division.

Observations and Recommendations

[#5] We performed extensive tests of inventory recordkeeping and quantities on hand. Based on our tests, we have concluded that the division carries a large quantity of excess inventory, particularly in the area of component parts. We expect this is due to the conservatism of local management that does not want to risk shutting down production if the goods are not on hand. However, as noted earlier in this engagement communication, the excess inventory has led to a higher-than-average level of obsolete inventory write-downs at this division. We recommend that production forecasts be established, along with lead times for various products, and used in conjunction with economic order quantity concepts to order and maintain appropriate inventory levels.

[#6] We noted that receiving reports were not filled out when the receiving department became busy. Instead, the receiving manager would fill out the reports after work and forward them to accounts payable. There is a risk that all items received might not be recorded, or that failing to record them initially might result in some items being diverted to other places. During our tests, we discovered many instances in which accounts payable had to call receiving to obtain a receiving report. We recommend that receiving reports be prepared.

[#7] Inventory is messy. We recommend that management communicate the importance of orderly inventory management techniques to warehouse personnel to avoid the problems noted earlier about (1) locating inventory when needed for production and (2) incurring unusually large amounts of inventory write-offs because of obsolescence.

[#8] We appreciate the cooperation of divisional management. We intend to discuss our observations with them and follow up by communicating your reaction to those recommendations included within this engagement communication. Given additional time for analysis, we feel that substantial opportunities are available for significant cost savings, and we are proud to be a part of the process.

A major deficiency in paragraph #7 related to the completeness of the engagement communication is
A. No separate section adequately discusses the risks associated with the observation.
B. The recommendation does not follow from the observation. The recommendation could have been reached without any observation.
C.
D.

Answer (A) is incorrect. The risks are described in some detail.
Answer (B) is incorrect. The recommendation is logically presented. The problem is that the author has mixed a condition and a cause.
Answer (C) is correct. The condition is that inventory is “messy.” However, “messy” is a word that does not completely, specifically, and factually describe what the internal auditor found during the engagement.
Answer (D) is incorrect. The problem of excessive inventory has been noted in relationship to this observation. As long as the amounts of excessive write-downs have been noted earlier in the communication, it is appropriate to refer to that section for more detail.
[506] Gleim #: 6.2.26
A recommendation in a final engagement communication should address what attribute?
A. Cause.
B. Statement of condition.
C. Criteria.
D. Effect.

Answer (A) is correct. A recommendation must address the cause attribute in order to describe the necessary corrective action.
Answer (B) is incorrect. The condition attribute simply describes “what is” to serve as a basis for comparison with given criteria.
Answer (C) is incorrect. Criteria describe “what should be” and are compared with the statement of condition.
Answer (D) is incorrect. The effect attribute addresses the importance of an observation.

[507] Gleim #: 6.2.27
Engagement observations and recommendations emerge by a process of comparing what should be with what is. In determining “what should be” during an engagement to review an organization’s treasury function, which of the following is the least desirable criterion against which to judge current operations?
A. The operations of the treasury function as documented during the last engagement.
B. Organizational policies and procedures delegating authority and assigning responsibilities.
C. Finance textbook illustrations of generally accepted good treasury function practices.
D. Codification of best practices of the treasury function in relevant industries.

Answer (A) is correct. Criteria are the standards, measures, or expectations used in making an evaluation and/or verification (the correct state) (PA 2410-1, para. 7). The least desirable criterion is prior operations. They may or may not have been in compliance with organizational policies and generally accepted practices.
Answer (B) is incorrect. Organizational policies and procedures delegating authority and assigning responsibilities is a sound criterion against which to judge current operations.
Answer (C) is incorrect. Textbook illustrations of generally accepted practices is a sound criterion against which to judge current operations.
Answer (D) is incorrect. Codification of best practices (benchmarking) in relevant industries is a sound criterion against which to judge current operations.

[508] Gleim #: 6.2.28
The following data were gathered during an internal auditor’s investigation of the reason for a material increase in bad debts expense. In preparing an engagement communication, each of the items might be classified as criteria, condition, cause, effect, or background information.

1. Very large orders require management’s approval of credit.
2. Engagement procedures showed that sales personnel regularly disregard credit guidelines when dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the accounting department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could increase by 5% for the current year.
6. The bad debts loss increased by US $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of bad-debt write-offs, the loss of commissions because of written-off accounts has increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new accounts.
9. Current payment records are to be reviewed before extending additional credit to open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several occasions.
11. Because several staff positions in the credit department were eliminated to reduce costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit policy is not necessary.

The criteria attribute is best illustrated by items numbered
A. 1, 8, and 9.
B. 2, 10, and 11.
C. 3, 4, and 12.
D. 5, 6, and 7.
Answer (A) is correct. Criteria are the standards, measures, or expectations used in making an evaluation and/or verification (the correct state) (PA 2410-1, para. 7). Items 1, 8, and 9 describe expectations.
Answer (B) is incorrect. Items 2, 10, and 11 best illustrate the condition attribute.
Answer (C) is incorrect. Items 3, 4, and 12 best illustrate the cause attribute.
Answer (D) is incorrect. Items 5, 6, and 7 best illustrate the effect attribute.

[509] Gleim #: 6.2.29
The following data were gathered during an internal auditor’s investigation of the reason for a material increase in bad debts expense. In preparing an engagement communication, each of the items might be classified as criteria, condition, cause, effect, or background information.

1. Very large orders require management’s approval of credit.
2. Engagement procedures showed that sales personnel regularly disregard credit guidelines when dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the accounting department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could increase by 5% for the current year.
6. The bad debts loss increased by US $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of bad-debt write-offs, the loss of commissions because of written-off accounts has increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new accounts.
9. Current payment records are to be reviewed before extending additional credit to open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several occasions.
11. Because several staff positions in the credit department were eliminated to reduce costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit policy is not necessary.

The cause attribute is best illustrated by items numbered
A. 2, 10, and 11.
B. 3, 4, and 12.
C. 5, 6, and 7.
D. 1, 8, and 9.

Answer (A) is incorrect. Items 2, 10, and 11 best illustrate the condition attribute.
Answer (B) is correct. The cause attribute is the reason for the difference between the expected and actual conditions (PA 2410-1, para. 7). Items 3, 4, and 12 explain why the deviation from the criteria occurred.
Answer (C) is incorrect. Items 5, 6, and 7 best illustrate the effect attribute.
Answer (D) is incorrect. Items 1, 8, and 9 best illustrate the criteria attribute.

[510] Gleim #: 6.2.30
The following data were gathered during an internal auditor’s investigation of the reason for a material increase in bad debts expense. In preparing an engagement communication, each of the items might be classified as criteria, condition, cause, effect, or background information.

1. Very large orders require management’s approval of credit.
2. Engagement procedures showed that sales personnel regularly disregard credit guidelines when dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the accounting department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could increase by 5% for the current year.
6. The bad debts loss increased by US $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of bad-debt write-offs, the loss of commissions because of written-off accounts has increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new accounts.
9. Current payment records are to be reviewed before extending additional credit to open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several occasions.
11. Because several staff positions in the credit department were eliminated to reduce costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit policy is not necessary.

The condition attribute is best illustrated by items numbered
A. 5, 6, and 7.
B. 1, 8, and 9.
C. 2, 10, and 11.
D. 3, 4, and 12.

Answer (A) is incorrect. Items 5, 6, and 7 best illustrate the effect attribute.
Answer (B) is incorrect. Items 1, 8, and 9 best illustrate the criteria attribute.
Answer (C) is correct. The condition attribute is the factual evidence that the internal auditor found in the course of the examination (the current state) (PA 2410-1, para. 7). Items 2, 10, and 11 state information gathered by the internal auditor as a result of engagement procedures.
Answer (D) is incorrect. Items 3, 4, and 12 best illustrate the cause attribute.

[511] Gleim #: 6.2.31
The following data were gathered during an internal auditor’s investigation of the reason for a material increase in bad debts expense. In preparing an engagement communication, each of the items might be classified as criteria, condition, cause, effect, or background information.

1. Very large orders require management’s approval of credit.
2. Engagement procedures showed that sales personnel regularly disregard credit guidelines when dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the accounting department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could increase by 5% for the current year.
6. The bad debts loss increased by US $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of bad-debt write-offs, the loss of commissions because of written-off accounts has increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new accounts.
9. Current payment records are to be reviewed before extending additional credit to open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several occasions.
11. Because several staff positions in the credit department were eliminated to reduce costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit policy is not necessary.

The effect attribute is best illustrated by items numbered
A. 3, 4, and 12.
B. 5, 6, and 7.
C. 1, 8, and 9.
D. 2, 10, and 11.

Answer (A) is incorrect. Items 3, 4, and 12 best illustrate the cause attribute.
Answer (B) is correct. The effect attribute is the risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference) (PA 2410-1, para. 7). Items 5, 6, and 7 describe the impact of the difference.
Answer (C) is incorrect. Items 1, 8, and 9 best illustrate the criteria attribute.
Answer (D) is incorrect. Items 2, 10, and 11 best illustrate the condition attribute.

[512] Gleim #: 6.2.32
Final engagement communications should, at a minimum, contain the purpose, scope, and results of the engagement.
Engagement observations and recommendations should be based on four attributes: criteria, condition, cause, and effect. The cause can best be described as
A. Factual evidence that the internal auditor found.
B. Reason for the difference between the expected and actual conditions.
C. The risk or exposure because of the condition found.
D. Resultant evaluations of the effects of the observations and recommendations.

Answer (A) is incorrect. Factual evidence is the condition attribute.
Answer (B) is correct. The cause attribute is the reason for the difference between the expected and actual conditions (PA 2410-1, para. 7). Cause provides the answer to the question “Why?” and should be the basis for corrective action.
Answer (C) is incorrect. Risk or exposure is the effect attribute.
Answer (D) is incorrect. Evaluations of the effects of the observations and recommendations are the internal auditor’s conclusions.

[513] Gleim #: 6.2.33
As a result of an engagement performed at a bank, the internal auditor included the following observation in the final engagement communication:

The late charges were waived on an excessive number of delinquent installment loan payments at the Spring Street Branch. We were informed that late charge waivers are not approved by an officer. Approximately US $5,000 per year in revenues are being lost. In order to provide a better control over late charges waived and loss of income, we recommend that a lending officer be responsible for waiving late charges and that this approval be in writing.

Which of the following elements of an observation is not properly addressed?
A. Criteria or standards.
B. Condition.
C. Cause.
D. Effect.

Answer (A) is correct.
Criteria are the standards, measures, or expectations used in making an evaluation and/or verification (the correct state) (PA 2410-1, para. 7). The internal auditor has used the word “excessive” without defining what would constitute normal waived charges.
Answer (B) is incorrect. The condition is that excessive late charges are being waived.
Answer (C) is incorrect. The cause is that approval by an officer is not required.
Answer (D) is incorrect. The effect is the annual loss of $5,000.

[514] Gleim #: 6.2.34
The internal audit activity has just completed an engagement to review loan processing and commercial loan account balances for a financial institution. Following are a few excerpts from the working papers indicating potential engagement observations.

A. The auditors took a statistical sample of 100 loan applications and determined that only 85 loans were granted.
B. Of the 85 loans granted, the auditors noted that 4 loans should have been reviewed and approved by the loan committee but were not. Organizational policy states that all loans must be approved by the committee prior to funding. Each of the 4 loans, however, was approved by the vice president. The matter was discussed with the vice president, who indicated it was a competitive loan situation to a new customer and in the best interests of the financial institution to expedite the loan and establish a firm relationship with a growing customer. All of the other loans were formally approved by the loan committee.
C. Of the 81 loans approved by the loan committee, the auditors found 7 in which the actual amount lent exceeded the approved amount.
D. The auditors noted three instances in which loans were made to related groups of organizations without an analysis of the total amount of loans made to the controlling entity. There may be statutory limitations on the amount of loans that can be made to any individual controlling organization.
E. Of the 81 loans approved by the loan committee, the auditors found that 14 contained either insufficient documentation or were not received by the committee in a timely fashion in advance of their meeting.

The statistical sample was taken with a 95% confidence level using attribute sampling with a tolerable error limit of 4%. Assume that the sampling plan was implemented correctly.

Assume with regard to item B, the vice president asks the loan committee to review the loans on an after-the-fact basis. Assume further, upon this subsequent review, the loan committee approves the loans on the after-the-fact basis. Which of the following conclusions is true regarding the communication of the engagement observations?

I. The sample deviation rate would drop to 0%.
II. The item should still be reported in the audit report because it was not approved in a timely manner in accordance with organizational policies.
III. The item should be reported as a nondeviation because subsequent action validated the vice president’s approach.

A. I only.
B. II only.
C. III only.
D. I, II, and III.

Answer (A) is incorrect. Statement I is false.
Answer (B) is correct. The loans were not approved in a timely fashion prior to funding according to organizational policies and procedures. Thus, the condition attribute differs from the criteria attribute of the observation, and the loans should be reported as deviations. But the internal auditor should note that the loans were subsequently reviewed and approved by the loan committee.
Answer (C) is incorrect. Statement III is false.
Answer (D) is incorrect. Statements I and III are false.

[515] Gleim #: 6.2.35
The legislative auditing bureau of a country is required to perform compliance engagements involving organizations that are issued defense contracts on a cost-plus basis.
Contracts are clearly written to define acceptable costs, including developmental research cost and appropriate overhead rates. During the past year, the government has engaged in extensive outsourcing of its activities. The outsourcing included contracts to run cafeterias, provide janitorial services, manage computer operations and systems development, and provide engineering of construction projects. The contracts were modeled after those used for years in the defense industry. The legislative internal auditors are being called upon to expand their efforts to include compliance engagements involving these contracts.

Upon initial investigation of these outsourced areas, the internal auditor found many areas in which the outsourced management has apparently expanded its authority and responsibility. For example, the contractor that manages computer operations has developed a highly sophisticated security program that may represent the most advanced information security in the industry. The internal auditor reviews the contract and sees reference only to providing appropriate levels of computing security. The internal auditor suspects that the governmental agency may be incurring developmental costs that the outsourcer may use for competitive advantage in marketing services to other organizations.

Regarding the engagement observation concerning an advanced computing security system, what is the most appropriate course of action by the internal auditor?
A. Estimate the amount of cost used to develop the advanced security system and inform the outsourcer that it will be a disallowed cost.
B. Exclude the observation from the engagement communication because the contract was vague and the level of security is clearly acceptable.
C. Estimate the added cost, report it to management, and suggest that management meet with its lawyers and the outsourcer to resolve differences.
D. Compare the cost with previous costs incurred by governmental operations and inform the outsourcer that the difference will be a disallowed cost.

Answer (A) is incorrect. The internal auditor does not have the authority to disallow the cost. The contract is vague, and differences should be reported to management for reconciliation.
Answer (B) is incorrect. The internal auditor has a duty to report the purpose, scope, and results of the audit finding. The cost issue should be resolved by management.
Answer (C) is correct. Observations and recommendations are based on the following attributes: criteria (the correct state), condition (the current state), cause (the reason for the difference), and effect (the impact of the difference) (PA 2410-1, para. 7). Stating the significance of the observation, the cause (vague contract), the potential impact, and the recommended action is consistent with these attributes.
Answer (D) is incorrect. Previous costs may not be comparable, and the internal auditor is not authorized to disallow costs.

[516] Gleim #: 6.2.36
This information is to be included in a final communication made following an inventory control engagement for a tent and awning manufacturer. The issue relates to overstocked rope.

I. The quantity on hand at the time of the engagement represented a 10-year supply based on normal usage.
II. The organization had held an open house of its new factory 2 months prior to the engagement and had used the rope to provide safety corridors through the plant for visitors. This was not considered when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a 1-month supply and is based on usage during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next 6 months.
V. The purchasing department should review inventory usage and inquire about any unusual fluctuations before placing an order.
VI. A public warehouse was required to store the rope.
VII. The purchasing agent receives an annual salary of US $59,000.

Which of these statements should be in the criteria section of the communication?
A. II only.
B. III only.
C. III and IV only.
D. V only.

Answer (A) is incorrect. Statement II should be included in the cause section.
Answer (B) is incorrect. Statement IV should be in the criteria section.
Answer (C) is correct. Criteria are the standards, measures, or expectations used in making an evaluation and/or verification (the correct state) (PA 2410-1, para. 7). Only statements III and IV describe a situation as it ought to be.
Answer (D) is incorrect. Statement V should be in the recommendations section.

[517] Gleim #: 6.2.37
This information is to be included in a final communication made following an inventory control engagement for a tent and awning manufacturer. The issue relates to overstocked rope.

I. The quantity on hand at the time of the engagement represented a 10-year supply based on normal usage.
II. The organization had held an open house of its new factory 2 months prior to the engagement and had used the rope to provide safety corridors through the plant for visitors. This was not considered when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a 1-month supply and is based on usage during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next 6 months.
V. The purchasing department should review inventory usage and inquire about any unusual fluctuations before placing an order.
VI. A public warehouse was required to store the rope.
VII. The purchasing agent receives an annual salary of US $59,000.

Which of these statements should be in the condition section of the communication?
A. I only.
B. IV only.
C. VI only.
D. VII only.

Answer (A) is correct. The condition attribute states the factual evidence that the internal auditor found in the course of the examination (the current state) (PA 2410-1, para. 7). Only statement I is a description of things as they are.
Answer (B) is incorrect. Statement IV should be in the criteria section.
Answer (C) is incorrect. Statement VI should be in the effect section.
Answer (D) is incorrect. Statement VII should not be in the engagement communication. It is not relevant.

[518] Gleim #: 6.2.38
This information is to be included in a final communication made following an inventory control engagement for a tent and awning manufacturer. The issue relates to overstocked rope.

I. The quantity on hand at the time of the engagement represented a 10-year supply based on normal usage.
II. The organization had held an open house of its new factory 2 months prior to the engagement and had used the rope to provide safety corridors through the plant for visitors. This was not considered when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a 1-month supply and is based on usage during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next 6 months.
V. The purchasing department should review inventory usage and inquire about any unusual fluctuations before placing an order.
VI. A public warehouse was required to store the rope.
VII. The purchasing agent receives an annual salary of US $59,000.

Which of these statements should be in the effect section of the communication?
A. II only.
B. III only.
C. V only.
D. VI only.

Answer (A) is incorrect. Statement II should be in the cause section.
Answer (B) is incorrect. Statement III should be in the criteria section.
Answer (C) is incorrect. Statement V should be in the recommendations section.
Answer (D) is correct. The effect attribute states the risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference). In determining the degree of risk or exposure, internal auditors consider the effect their engagement observations and recommendations may have on the organization’s operations and financial statements (PA 2410-1, para. 7). Only statement VI describes the negative results of the situation as it is.

[519] Gleim #: 6.2.39
During an engagement involving a bank’s data processing department, an internal auditor noted a steady increase in overtime expenses for data entry personnel over the last 5 years. The increase over 1 year was in excess of 30%. Neither changes in the department’s workload nor rotation of personnel were sufficient to explain the increases. Competition for computer time during periods of high demand had become intense because of a planned increase in the use of the computer by operating departments. The internal auditor recommended staggering the work days of data entry personnel to decrease demand during peak periods.

Based on the Standards, the statement, “Competition for computer time during periods of high demand had become intense because of a planned increase in the use of the computer by operating departments,” is an example of
A. Cause.
B. Condition.
C. Criteria.
D. Effect.

Answer (A) is correct. The cause attribute is the reason for the difference between the expected and actual conditions (why the conditions exist) (PA 2410-1, para. 7).
The description of the planned increase in the use of the computer fulfills this attribute.
Answer (B) is incorrect. The condition attribute is not applicable.
Answer (C) is incorrect. The criteria attribute is not applicable.
Answer (D) is incorrect. The effect attribute is not applicable.

[520] Gleim #: 6.2.40
An internal auditor’s final engagement communication contains the statement: “The training department expended $100,000 on the development of a training course that cannot be used.” That statement is an example of
A. Effect.
B. Recommendation.
C. Cause.
D. Criteria.
Answer (A) is correct. The effect attribute is the risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference) (PA 2410-1, para. 7). The description of the needless expenditure of $100,000 fulfills this attribute.
Answer (B) is incorrect. A recommendation is a suggestion for improving a condition to bring it into conformity with the criteria.
Answer (C) is incorrect. A cause is the reason for the difference between the expected and actual conditions (why the difference exists).
Answer (D) is incorrect. Criteria are the standards, measures, or expectations used in making an evaluation or verification (what should exist).

[521] Gleim #: 6.2.41
Paragraph 1: The production department has the newest production equipment available because of a fire that required the replacement of all equipment.
Paragraph 2: The members of the production department have become completely comfortable with the state-of-the-art technology over the past year and a half. As a result, the production department has become an industry leader in production efficiency and effectiveness.
Paragraph 3: The production department produces an average of 25 units per worker per shift.
The defect rate is 1%.
Paragraph 4: The industry average productivity is 20 units per worker per shift. The industry defect rate is 3%.
Which paragraph should be characterized as the attribute described in the Standards as “condition”?
A. 1
B. 2
C. 3
D. 4
Answer (A) is incorrect. Paragraph 1 states the cause attribute of the observation.
Answer (B) is incorrect. Paragraph 2 states the effect attribute of the observation.
Answer (C) is correct. Condition is defined as the factual evidence that the internal auditor found in the course of the examination (the current state) (PA 2410-1, para. 7). Paragraph 3 describes the actual productivity of the firm.
Answer (D) is incorrect. Paragraph 4 states the criteria attribute of the observation.

[522] Gleim #: 6.2.42
In beginning an engagement, an internal auditor reviews written procedures that detail segregations of responsibility adopted by management to strengthen internal controls. These written procedures should be viewed as which attribute of an observation?
A. Criteria.
B. Condition.
C. Cause.
D. Effect.
Answer (A) is correct. Criteria are the standards, measures, or expectations used in making an evaluation and/or verification (the correct state) (PA 2410-1, para. 7). The written procedures represent the standards (criteria) against which an observation concerning segregation of responsibility should be measured.
Answer (B) is incorrect. The condition is the factual evidence that the internal auditor found in the course of the examination (the current state).
Answer (C) is incorrect. The cause is the reason for the difference between the expected and actual conditions (why the difference exists).
Answer (D) is incorrect. The effect is the risk or exposure that the organization or others encounter because the condition is not consistent with the criteria (the impact of the difference).

[523] Gleim #: 6.2.43
An excerpt from an engagement observation indicates that travel advances exceeded prescribed maximum amounts. Organizational policy provides travel funds to authorized employees for travel. Advances are not to exceed 45 days of anticipated expenses. Organizational procedures do not require justification for large travel advances. Employees can and do accumulate large, unneeded advances. The cause of the engagement observation is that
A. Advance procedures do not require specific justification.
B. Organizational policy is to provide travel funds to authorized employees.
C. Employees accumulate large travel advances.
D. Travel advances have not been cleared in a timely manner.
Answer (A) is correct. The cause is the reason for the difference between the expected and actual conditions (PA 2410-1, para. 7). Thus, the cause provides the answer to the question “Why?” and should be the basis for corrective action. The cause of the observation is that advance procedures do not require specific justification.
Answer (B) is incorrect. The policy provides for advances to authorized employees only.
Answer (C) is incorrect. Accumulating large travel advances is an effect.
Answer (D) is incorrect. Not clearing travel advances in a timely manner is an effect.

[524] Gleim #: 6.2.44
Recent criticism of an internal audit activity suggested that engagement coverage was not providing adequate feedback to senior management on the processes used in the organization’s key lines of business. The problem was further defined as lack of feedback on the recent implementation of automated support systems. Which two functions does the chief audit executive need to improve?
A. Staffing and communicating.
B. Staffing and decision making.
C. Planning and organizing.
D. Planning and communicating.
Answer (A) is incorrect.
The facts do not indicate the existence of staffing problems.
Answer (B) is incorrect. Decision making and staffing are not problems.
Answer (C) is incorrect. Nothing indicates that the structure of the entity is a problem.
Answer (D) is correct. The lack of feedback indicates the CAE has problems in planning and allocating internal audit resources to communicate necessary information to management. The CAE must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals (Perf. Std. 2010). Furthermore, internal auditors must communicate engagement results (Perf. Std. 2400), including applicable conclusions, recommendations, and action plans (Perf. Std. 2410).

[525] Gleim #: 6.3.45
An internal auditor has completed an engagement to review an organization’s activities and is ready to issue a final engagement communication. However, the engagement client disagrees with the internal auditor’s conclusions. The internal auditor should
A. Withhold the issuance of the final engagement communication until agreement on the issues is obtained.
B. Perform more work, with the engagement client’s concurrence, to resolve areas of disagreement. Delay the issuance of the final engagement communication until agreement is reached.
C. Issue the final engagement communication and indicate that the engagement client has provided a scope limitation that has led to a difference as to the conclusions.
D. Issue the final engagement communication and state both the internal auditor and engagement client positions and the reasons for the disagreement.
Answer (A) is incorrect. If the engagement is complete, the final engagement communication should be issued in a timely manner. Moreover, agreement with the engagement client is not mandatory.
Answer (B) is incorrect.
If the internal auditor is satisfied with the conclusions drawn from the engagement, there is no reason to perform more work.
Answer (C) is incorrect. The disagreement on conclusions is not a scope limitation.
Answer (D) is correct. As part of the internal auditor’s discussions with the engagement client, the internal auditor obtains agreement on the results of the engagement and on any necessary plan of action to improve operations. If the internal auditor and engagement client disagree about the engagement results, the engagement communications state both positions and the reasons for the disagreement. The engagement client’s written comments may be included as an appendix to the engagement report, in the body of the report, or in a cover letter (PA 2410-1, para. 12).

[526] Gleim #: 6.3.46
Which of the following is the most appropriate method of reporting disagreement between the internal auditor and the engagement client concerning engagement observations and recommendations?
A. State the internal auditor’s position because the report is designed to provide the internal auditor’s independent view.
B. State the engagement client’s position because management is ultimately responsible for the activities reported.
C. State both positions and identify the reasons for the disagreement.
D. State neither position. If the disagreement is ultimately resolved, there will be no reason to report the previous disagreement. If the disagreement is never resolved, the disagreement should not be reported because there is no mechanism to resolve it.
Answer (A) is incorrect. Both positions should be reported, and the reasons for the disagreement should be identified.
Answer (B) is incorrect. Both positions should be reported, and the reasons for the disagreement should be identified.
Answer (C) is correct.
As part of the internal auditor’s discussions with the engagement client, the internal auditor obtains agreement on the results of the engagement and on any necessary plan of action to improve operations. If the internal auditor and engagement client disagree about the engagement results, the engagement communications state both positions and the reasons for the disagreement. The engagement client’s written comments may be included as an appendix to the engagement report, in the body of the report, or in a cover letter (PA 2410-1, para. 12).
Answer (D) is incorrect. Both positions should be reported, and the reasons for the disagreement should be identified.

[527] Gleim #: 6.3.47
An internal auditor is preparing a final engagement communication to management. However, the internal auditor and the engagement client disagree about one observation that describes the client’s violation of the organization’s purchasing policy. The client believes the purchasing policy is open to interpretation and that no violation occurred. The internal auditor believes that the policy is clearly stated and that the client’s actions were a violation. In this circumstance, the internal auditor should
A. Delete the observation from the report.
B. Present only those facts that support the observation and ignore those that detract from it.
C. Present the internal auditor’s and client’s positions in the report.
D. Not issue the report until the internal auditor and client agree on all observations and recommendations.
Answer (A) is incorrect. The internal auditor communicates those observations necessary to support or prevent misunderstanding of the internal auditor’s conclusions and recommendations. Deleting observations solely because of the engagement client’s disagreement suggests a lack of independence.
Answer (B) is incorrect. Omitting material and relevant facts indicates a lack of objectivity.
Answer (C) is correct.
As part of the internal auditor’s discussions with the engagement client, the internal auditor obtains agreement on the results of the engagement and on any necessary plan of action to improve operations. If the internal auditor and engagement client disagree about the engagement results, the engagement communications state both positions and the reasons for the disagreement. The engagement client’s written comments may be included as an appendix to the engagement report, in the body of the report, or in a cover letter (PA 2410-1, para. 12).
Answer (D) is incorrect. Waiting for resolution of the conflict may prevent the report’s timely issuance.

[528] Gleim #: 6.3.48
During the exit conference, the manager of the engagement client objected to a valid observation about a major control deficiency because the manager felt the observation was based upon a “biased sample and immaterial risk.” What step should the internal auditor take?
A. Let some neutral group coordinate the follow-up effort after the final engagement communication is issued.
B. Include the engagement client’s comments in the report but recommend corrective action.
C. Review the condition during the next annual engagement to determine whether the deficiency is major or minor.
D. Research a compromise by modifying the wording of the conclusion.
Answer (A) is incorrect. The internal audit activity’s responsibility does not end with the issuance of a final engagement communication. Follow-up is required.
Answer (B) is correct. As part of the internal auditor’s discussions with the engagement client, the internal auditor obtains agreement on the results of the engagement and on any necessary plan of action to improve operations.
If the internal auditor and engagement client disagree about the engagement results, the engagement communications state both positions and the reasons for the disagreement. The engagement client’s written comments may be included as an appendix to the engagement report, in the body of the report, or in a cover letter (PA 2410-1, para. 12).
Answer (C) is incorrect. Waiting a year is too long if a major deficiency is involved.
Answer (D) is incorrect. The conclusion (opinion) may not be compromised.

[529] Gleim #: 6.3.49
An internal auditor has uncovered illegal acts committed by a member of senior management. Such information
A. Should be excluded from the internal auditor’s engagement communication and discussed orally with the senior manager.
B. Must be immediately reported to the appropriate government authorities.
C. May be disclosed in a separate communication and distributed to all senior management.
D. May be disclosed in a separate communication and distributed to the board.
Answer (A) is incorrect. Although improper or illegal acts may be disclosed in a separate communication, the internal auditor should not discuss such information with individuals who have committed such acts.
Answer (B) is incorrect. In general, internal auditors are responsible to their organization’s management rather than outside agencies. In the case of fraud, statutory filings with regulatory agencies may be required.
Answer (C) is incorrect. Such information should be communicated to individuals to whom senior managers report.
Answer (D) is correct. Certain information is not appropriate for disclosure to all report recipients because it is privileged, proprietary, or related to improper or illegal acts. Disclose such information in a separate report. Distribute the report to the board if the conditions being reported involve senior management (PA 2410-1, para. 13).

[530] Gleim #: 6.3.50
An internal audit activity’s evaluation of sales contracts revealed that a bribe had been paid to secure a major contract. The strong possibility existed that a senior executive had authorized the bribe. Which of the following best describes the proper distribution of the completed final engagement communication?
A. The report should be distributed to the chief executive officer and the appropriate regulatory agency.
B. The report should be distributed to the board, the chief executive officer, and the independent external auditor.
C. The chief audit executive should provide the board a copy of the report and decide whether further distribution is appropriate.
D. The report should be distributed to the board, the appropriate law enforcement agency, and the appropriate regulatory agency.
Answer (A) is incorrect. Outside distribution conflicts with the internal auditors’ ethical obligations, and the CEO may be involved in the illegality.
Answer (B) is incorrect. Outside distribution conflicts with the internal auditors’ ethical obligations, and the CEO may be involved in the illegality.
Answer (C) is correct. Certain information is not appropriate for disclosure to all report recipients because it is privileged, proprietary, or related to improper or illegal acts. Disclose such information in a separate report. Distribute the report to the board if the conditions being reported involve senior management (PA 2410-1, para. 13).
Answer (D) is incorrect. Outside distribution conflicts with the internal auditors’ ethical obligations, and the CEO may be involved in the illegality.

[531] Gleim #: 6.3.51
According to the Standards, final engagement communications should be distributed to those members of the organization who are able to ensure that engagement results are given due consideration.
For higher-level members of the organization, that requirement can usually be satisfied with
A. Interim reports.
B. Summary reports.
C. Oral reports.
D. Final written reports only.
Answer (A) is incorrect. Interim reports are used to communicate urgent information, changes in engagement scope, and engagement progress.
Answer (B) is correct. Summary reports highlighting engagement results are appropriate for levels of management above the engagement client and can be issued separately from or in conjunction with the final report (PA 2410-1, para. 15). Thus, summary written reports are usually intended for senior management or the board.
Answer (C) is incorrect. Only interim reports may be oral. The final report must be written.
Answer (D) is incorrect. Senior management is often too busy to read an entire report.

[532] Gleim #: 6.3.52
Which of the following is most appropriate for inclusion in the summary of a final engagement communication?
A. Engagement client responses to recommendations.
B. A concise statement of engagement observations.
C. Reference to areas not covered by the engagement.
D. Discussion of recommendations given in prior years’ engagement communications.
Answer (A) is incorrect. Engagement client responses to recommendations are appropriately included in the body of the communication rather than in the summary.
Answer (B) is correct. A signed report is issued after the engagement’s completion. Summary reports highlighting engagement results are appropriate for levels of management above the engagement client (PA 2410-1, para. 15).
Answer (C) is incorrect. A reference to areas not covered by the engagement communications is appropriately included in the body of the communication rather than in the summary.
Answer (D) is incorrect.
A discussion of recommendations given in prior years’ engagement communications is appropriately included in the body of the communication rather than in the summary.

[533] Gleim #: 6.3.53
To enhance communications with top management, some internal audit activities include a summary report with each written engagement communication. What information should be included in such a summary report?
A. The same information as the written report but in diagram form.
B. Highlights of the engagement results.
C. The internal auditor’s assessment of the adequacy of internal controls.
D. Only that information needed to resolve the disagreements between the engagement clients and the internal auditors.
Answer (A) is incorrect. A summary is a condensed version of the information in the full report.
Answer (B) is correct. Summary reports highlighting engagement results are appropriate for levels of management above the engagement client and can be issued separately from or in conjunction with the final report (PA 2410-1, para. 15).
Answer (C) is incorrect. A summary is not limited to a particular engagement objective.
Answer (D) is incorrect. A summary need not concern internal auditor-engagement client conflicts.

[534] Gleim #: 6.3.54
A relatively new internal auditor is completing a final engagement communication. The communication should most appropriately be signed by the
A. Internal auditor because of a greater level of detailed knowledge of the report.
B. Internal auditor and the manager of the activity under review to indicate that they concur with the report.
C. Chief audit executive.
D. Chair of the audit committee.
Answer (A) is incorrect. Although the internal auditor performing the engagement has much detailed knowledge, the final report should be signed by the CAE or designee after supervisory review.
Answer (B) is incorrect. Neither a new internal auditor nor the manager of the activity under review should sign engagement communications. However, the manager of the activity under review should receive the final engagement communication and have his/her dissenting views, if any, represented in the report, an appendix thereto, or a cover letter.
Answer (C) is correct. The CAE determines which internal auditor is authorized to sign the report (PA 2410-1, para. 15).
Answer (D) is incorrect. The chair of the audit committee is responsible for oversight of the ongoing activities of the internal audit activity, not for the review and approval of engagement communications.

[535] Gleim #: 6.3.55
According to the Standards, when should a signed report be issued?
A. Whenever an opinion is expressed.
B. At the conclusion of an engagement.
C. At predetermined stages as the engagement progresses.
D. Only if required by the particular engagement.
Answer (A) is incorrect. A signed report is required even when an opinion is not appropriate.
Answer (B) is correct. A signed report is issued after the engagement’s completion (PA 2410-1, para. 15).
Answer (C) is incorrect. Interim reports may be written or oral and may be transmitted formally or informally.
Answer (D) is incorrect. Every engagement requires a signed report.

[536] Gleim #: 6.3.56
The internal auditor completed work on a segment of the engagement work program. As a result, the internal auditor determined that a modification of the organization’s distribution procedures is required. The engagement client agreed and has implemented revised procedures. The internal auditor should
A. Research the problem and recommend in the final engagement communication measures that should be taken.
B. Jointly develop and communicate an appropriate recommendation.
C. Communicate the problem and assume that management will take appropriate action.
D. Indicate in the final engagement communication that the client determined and implemented corrective action.
Answer (A) is incorrect. The final engagement communication should indicate that the client has already determined and implemented corrective action.
Answer (B) is incorrect. The final engagement communication should indicate that the client has already determined and implemented corrective action.
Answer (C) is incorrect. The final engagement communication should indicate that the client has already determined and implemented corrective action.
Answer (D) is correct. The internal auditor may communicate engagement client accomplishments, in terms of improvements since the last engagement or the establishment of a well-controlled operation. This information may be necessary to fairly present the existing conditions and to provide perspective and balance to the final engagement communication (PA 2410-1, para. 10).

[537] Gleim #: 6.3.57
During a review of purchasing operations, an internal auditor finds that current procedures differ markedly from stated organizational procedures. However, the internal auditor concludes that the procedures currently used represent an increase in efficiency and a decrease in processing time, without a discernible decrease in control. The internal auditor should
A. Report the lack of adherence to documented procedures as an operational risk exposure.
B. Develop a flowchart of the new procedures and include it in the report to management.
C. Report the change and suggest that the change in procedures be documented.
D. Suspend the completion of the engagement until the client documents the new procedures.
Answer (A) is incorrect. The procedures do not represent a risk exposure.
Answer (B) is incorrect. The internal auditor should not prepare documentation for the engagement client.
Answer (C) is correct.
The internal auditor may communicate engagement client accomplishments, in terms of improvements since the last engagement or the establishment of a well-controlled operation. This information may be necessary to fairly represent the existing conditions and to provide proper perspective and balance to the engagement final communications (PA 2410-1, para. 10).
Answer (D) is incorrect. The engagement should be completed.

[538] Gleim #: 6.3.58
According to the International Professional Practices Framework, which of the following is part of the minimum requirements for an engagement final communication?
I. Background information.
II. Purpose of the engagement.
III. Engagement scope.
IV. Results of the engagement.
V. Summaries.
A. I, II, and III only.
B. I, III, and V only.
C. II, III, and IV only.
D. II, IV, and V only.
Answer (A) is incorrect. Background information is not required, but the results of the engagement are required.
Answer (B) is incorrect. Background information and summaries are not required, but the purpose and results are required.
Answer (C) is correct. Although the format and content of the final engagement communications may vary by organization or type of engagement, they are to contain, at a minimum, the purpose, scope, and results of the engagement (PA 2410-1, para. 1).
Answer (D) is incorrect. Summaries are not required, but the scope is required.

[539] Gleim #: 6.3.59
Which of the following is not included in the statement of scope in an engagement final communication?
A. Period covered by the engagement.
B. Engagement objectives.
C. Activities not reviewed.
D. Nature and extent of the work performed.
Answer (A) is incorrect. The time period covered is included in the statement of scope.
Answer (B) is correct.
Scope statements identify the audited activities and may include supportive information such as time period reviewed and related activities not reviewed to delineate the boundaries of the engagement. They may describe the nature and extent of engagement work performed (PA 2410-1, para. 4).
Answer (C) is incorrect. The related activities not reviewed are included in the statement of scope.
Answer (D) is incorrect. The nature and extent of the work performed is included in the statement of scope.

[540] Gleim #: 6.3.60
The scope statement of an engagement communication should
A. Describe the engagement objectives and tell the reader why the engagement was conducted.
B. Identify the activities reviewed and describe the nature and extent of work performed.
C. Define the standards, measures, or expectations used in evaluating engagement observations.
D. Communicate the internal auditor’s evaluation of the effect of the observations on the activities reviewed.
Answer (A) is incorrect. Engagement objectives and the reason for conducting the engagement are described in the purpose statement.
Answer (B) is correct. Scope statements identify the audited activities and may include supportive information such as time period reviewed and related activities not reviewed to delineate the boundaries of the engagement. They may describe the nature and extent of engagement work performed (PA 2410-1, para. 4).
Answer (C) is incorrect. This is the definition of criteria.
Answer (D) is incorrect. The effect of the observations and recommendations on the activities reviewed is properly presented in the conclusions section of the engagement communication.

[541] Gleim #: 6.3.61
The scope section of an internal auditor’s final engagement communication should identify
A. The engagement techniques used.
B. Any limitations imposed.
C. The sampling methodology employed.
D. Any unresolved differences with engagement clients.
Answer (A) is incorrect. This subject is inappropriate for the scope section.
Answer (B) is correct. Since limitations set the boundaries of the engagement, they must be identified in the scope section.
Answer (C) is incorrect. This subject is inappropriate for the scope section.
Answer (D) is incorrect. This subject is inappropriate for the scope section.

[542] Gleim #: 6.3.62
An internal auditor has just completed an engagement and is in the process of preparing the final engagement communication. The observations in the final engagement communication should include
A. Statements of opinion about the cause of an observation.
B. Pertinent factual statements concerning the control weaknesses uncovered during the course of the engagement.
C. Statements of both fact and opinion developed during the course of the engagement.
D. Statements concerning potential future events that may be helpful to the engagement client.
Answer (A) is incorrect. Observations must be statements of fact rather than statements of opinion. Opinions are the internal auditor’s evaluations of the effects of observations and recommendations on the activities reviewed.
Answer (B) is correct. Observations are pertinent statements of fact (PA 2410-1, para. 6).
Answer (C) is incorrect. The observations include statements of fact, but not statements of opinion.
Answer (D) is incorrect. Observations concern current, not future, factual conditions or events.

[543] Gleim #: 6.3.63
During an engagement involving sales representatives’ travel expenses, the internal auditor discovered that 152 of 200 travel advances issued to sales representatives in the past year exceeded the prescribed maximum amount allowed.
Which of the following statements is a justifiable engagement opinion?
A. The majority of travel advances in the organization exceed the prescribed maximum.
B. Travel advances are not controlled in accordance with existing policy.
C. The prescribed maximum travel advance is too low.
D. Seventy-six percent of all travel advances exceed the management-prescribed maximum.
Answer (A) is incorrect. This statement is a statement of the condition found.
Answer (B) is correct. Conclusions and opinions are the internal auditor’s evaluations of the effects of the observations and recommendations on the activities reviewed. They usually put the observations and recommendations in perspective based upon their overall implications (PA 2410-1, para. 8). Accordingly, the statement that travel advances are not controlled in accordance with existing policy is an opinion that the activity under review is not functioning as intended. It also puts the observations in perspective based upon their overall implications.
Answer (C) is incorrect. This statement is a possible cause of, or explanation for, the problem.
Answer (D) is incorrect. This statement is a statement of the condition found.

[544] Gleim #: 6.3.64
Which of the following best defines an internal auditor’s opinion expressed following an assurance engagement?
A. A summary of the significant engagement observations.
B. The internal auditor’s professional judgment about the situation that was reviewed.
C. Conclusions that must be included in the final engagement communication.
D. Recommendations for corrective action.
Answer (A) is incorrect. The summary of significant observations and recommendations is not an opinion. An opinion is the internal auditor’s professional judgment about the situation under review.
Answer (B) is correct.
Conclusions are among the required elements of communications (Perf. Std. 2410). Conclusions and opinions are the internal auditor’s evaluations of the effects of the observations and recommendations on the activities reviewed. They usually put the observations and recommendations in perspective based upon their overall implications (PA 2410-1, para. 8).
Answer (C) is incorrect. The Standards do not require the inclusion of opinions. However, the opinion is a desirable component of the final engagement communication.
Answer (D) is incorrect. Recommendations for corrective action are separate from the opinion. The opinion is the internal auditor’s professional judgment.

[545] Gleim #: 6.3.65
Which of the following statements is appropriate as a conclusion (opinion) in an internal auditing final communication of the results of an engagement to evaluate the organization’s branch operations?
A. Statistical sampling was used to determine the extent of unauthorized purchases from the imprest fund.
B. The engagement to review branch operations was conducted in accordance with the Standards.
C. The vice-president of branch operations should require the timely review of the daily transaction report as a means of monitoring purchases from the imprest fund.
D. Except for the unauthorized purchases from the imprest fund, the system of internal controls over branch operations appears to be working well.
Answer (A) is incorrect. The statement about the use of statistical sampling describes an engagement procedure, not a conclusion.
Answer (B) is incorrect. Stating that the engagement to review branch operations was conducted in accordance with the Standards describes the engagement scope; it is not a conclusion.
Answer (C) is incorrect. Stating that the vice-president of branch operations should require the timely review of the daily transaction report is a recommendation, not a conclusion.
Answer (D) is correct.
Conclusions and opinions are the internal auditor’s evaluations of the effects of the observations and recommendations on the activities reviewed. They usually put the observations and recommendations in perspective based upon their overall implications (PA 2410-1, para. 8).

[546] Gleim #: 6.3.66
A final communication issued by an internal auditor following an assurance engagement should contain an expression of opinion when
A. The area of the engagement is the financial statements.
B. The internal auditors’ work is to be used by external auditors.
C. A full-scope engagement has been conducted in an area.
D. An opinion will improve communications with the readers of the communication.
Answer (A) is incorrect. The area of the engagement is irrelevant to decisions about whether an overall opinion is appropriate.
Answer (B) is incorrect. Whether the internal auditors’ work is to be used by external auditors is irrelevant. The external auditors cannot depend on an overall opinion but must examine details and form their own opinion.
Answer (C) is incorrect. An overall opinion is not mandatory.
Answer (D) is correct. Final communication of engagement results must, where appropriate, contain the internal auditor’s opinion and/or conclusions (Impl. Std. 2410.A1). Improving communications with the reader satisfies the appropriateness criterion.

[547] Gleim #: 6.3.67
The content and format of engagement communications may vary. However, according to the Standards, a necessary element is a statement of
A. Engagement objectives.
B. The status of observations from prior engagement communications.
C. Related activities not reviewed.
D. Documentation of previous oral communications.
Answer (A) is correct. Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans (Perf. Std. 2410).
Answer (B) is incorrect. The status of observations from prior engagement communications is an optional item in the final engagement communication.
Answer (C) is incorrect. Related activities not reviewed is an optional item in the final engagement communication.
Answer (D) is incorrect. Documentation of previous oral communications is an optional item in the final engagement communication.

[548] Gleim #: 6.3.68
An internal auditor has submitted a first draft of an engagement communication to an engagement client in preparation for an exit meeting. An excerpt is below.
The engagement was performed to accomplish several objectives:
Verify the existence of unused machinery being stored in the warehouse.
Determine whether machinery had been damaged during storage.
Review the handling procedures being performed by personnel at the warehouse.
Determine whether proper accounting procedures are being followed for machinery kept in the warehouse.
Calculate the current fair value of warehouse inventories.
Compare the total value of the machinery with accounting records.
It was confirmed that, of the 30 machines selected from purchasing records for the sample, 13 were present on the warehouse floor and another five were on the loading dock ready for conveyance to the production facility. Twelve others had already been sent to the production facility at a previous time. An examination of the accounting procedures used at the warehouse revealed the failure by the warehouse accounting clerk to reconcile inventory records monthly, as required by policy. A sample of 25 machines was examined for possible damage, and all but one was in good condition.
It was confirmed by the internal auditors that handling procedures outlined in the warehouse policy manual appear to be adequate, and warehouse personnel apparently were following those procedures, except for the examination of items being received for inventory.
At a minimum, the following elements should be included in final engagement communications: purpose, scope, and results. Results include observations, conclusions (opinions), recommendations, and action plans. Which of the following describes all of the elements missing from the engagement communication?
A. Scope, conclusion, recommendation.
B. Purpose, result, recommendation.
C. Observations, conclusion, recommendation.
D. Purpose, scope, recommendation.
Answer (A) is correct. Although a portion of the scope is discussed, the reader cannot determine the significance of the amount of machines selected without knowing the total amount of machines available and the value of the machinery. Also, the conclusion or opinion about the operation is not stated, and the engagement communication makes no recommendations.
Answer (B) is incorrect. The purpose of the engagement was clearly stated.
Answer (C) is incorrect. The observations were given.
Answer (D) is incorrect. The purpose of the engagement was clearly stated, and the conclusions were left out.

[549] Gleim #: 6.3.69
The primary reason for having written formal audit reports is to
A. Provide an opportunity for engagement client response.
B. Document the corrective actions required of senior management.
C. Provide a formal means by which the external auditor assesses potential reliance on the internal audit activity.
D. Record observations and recommended courses of action.
Answer (A) is incorrect. An engagement client should have an opportunity to respond before the report is written.
Answer (B) is incorrect.
Internal auditors make recommendations; they do not submit requirements.
Answer (C) is incorrect. When appropriate, external auditors review the internal auditors’ reports and working papers for this purpose. However, external auditor assessment is at best a secondary reason for formal reporting.
Answer (D) is correct. A written formal audit report provides client personnel and senior management with a consistent version of the conditions found by the auditors and of the recommended remedial actions.

[550] Gleim #: 6.3.70
Which of the following is not a major purpose of an engagement communication?
A. Inform.
B. Get results.
C. Assign responsibility.
D. Persuade.
Answer (A) is incorrect. Informing the board and senior management is a major purpose of an engagement communication.
Answer (B) is incorrect. Getting results is a major purpose of an engagement communication.
Answer (C) is correct. According to Sawyer’s Internal Auditing (5th ed., p. 689), “Internal auditors should seek to inform (tell what they found), persuade (convince management of the worth and validity of the audit findings), and get results (move management toward change and improvement).”
Answer (D) is incorrect. Persuading the board and senior management that certain conditions exist is a major purpose of an engagement communication.

[551] Gleim #: 6.3.71
The internal audit activity for a chain of retail stores recently concluded an engagement to evaluate sales adjustments in all stores in the Southeast region. The engagement revealed that several stores are costing the organization substantial sums in duplicate credits to customers’ charge accounts.
The final engagement communication published 8 weeks after the engagement was concluded incorporated the internal auditors’ recommendations to store management that should prevent duplicate credits to customers’ accounts. Which of the following standards has been disregarded?
A. The follow-up actions were not adequate.
B. The internal auditors should have implemented appropriate corrective action as soon as the duplicate credits were discovered.
C. Internal auditor recommendations should not be included in the final engagement communication.
D. The final engagement communication was not timely.
Answer (A) is incorrect. Information is not sufficient to evaluate the effectiveness of follow-up.
Answer (B) is incorrect. Internal auditors may properly make recommendations for potential improvements but should not implement corrective action.
Answer (C) is incorrect. Internal auditor recommendations are part of the results of the engagement. Final engagement communications include, at a minimum, the purpose, scope, and results of the engagement.
Answer (D) is correct. Communications must be accurate, objective, clear, concise, constructive, complete, and timely (Perf. Std. 2420). Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action (Inter. Std. 2420). The report, which was not published until 8 weeks after the engagement was concluded, was not issued in a timely fashion, given the significance of the observations and the need for prompt, effective action.

[552] Gleim #: 6.3.72
An internal auditor has submitted a first draft of an engagement communication to an engagement client in preparation for an exit meeting. An excerpt is below.
The engagement was performed to accomplish several objectives:
Verify the existence of unused machinery being stored in the warehouse.
Determine whether machinery had been damaged during storage.
Review the handling procedures being performed by personnel at the warehouse.
Determine whether proper accounting procedures are being followed for machinery kept in the warehouse.
Calculate the current fair value of warehouse inventories.
Compare the total value of the machinery with accounting records.
It was confirmed that, of the 30 machines selected from purchasing records for the sample, 13 were present on the warehouse floor and another five were on the loading dock ready for conveyance to the production facility. Twelve others had already been sent to the production facility at a previous time. An examination of the accounting procedures used at the warehouse revealed the failure by the warehouse accounting clerk to reconcile inventory records monthly, as required by policy. A sample of 25 machines was examined for possible damage, and all but one was in good condition. It was confirmed by the internal auditors that handling procedures outlined in the warehouse policy manual appear to be adequate, and warehouse personnel apparently were following those procedures, except for the examination of items being received for inventory.
When an internal auditor is communicating with engagement clients, both situational factors and message characteristics can damage the communication process. An internal auditor has only limited control over situational factors but has substantial control over message characteristics. Which of the following is a message characteristic that the internal auditor who prepared the engagement communication overlooked?
A. Sequence of message.
B. Nature of the audience.
C. Noise.
D. Prior encounters with the engagement client.
Answer (A) is correct.
Communications must be accurate, objective, clear, concise, constructive, complete, and timely (Perf. Std. 2420). Clear communications are easily understood and logical (Inter. Std. 2420). Because the information being communicated is complicated, the engagement communication’s content should be organized in logical succession to facilitate understanding and acceptance. The internal auditor neglected to organize the information in this communication.
Answer (B) is incorrect. The nature of an audience is a situational factor that is outside the control of the internal auditor.
Answer (C) is incorrect. Noise is a situational factor that interferes with the effective communication of intended messages.
Answer (D) is incorrect. The history of previous encounters is a situational factor that is outside the control of the internal auditor.

[553] Gleim #: 6.3.73
An internal auditor has submitted a first draft of an engagement communication to an engagement client in preparation for an exit meeting. An excerpt is below.
The engagement was performed to accomplish several objectives:
Verify the existence of unused machinery being stored in the warehouse.
Determine whether machinery had been damaged during storage.
Review the handling procedures being performed by personnel at the warehouse.
Determine whether proper accounting procedures are being followed for machinery kept in the warehouse.
Calculate the current fair value of warehouse inventories.
Compare the total value of the machinery with accounting records.
It was confirmed that, of the 30 machines selected from purchasing records for the sample, 13 were present on the warehouse floor and another five were on the loading dock ready for conveyance to the production facility. Twelve others had already been sent to the production facility at a previous time.
An examination of the accounting procedures used at the warehouse revealed the failure by the warehouse accounting clerk to reconcile inventory records monthly, as required by policy. A sample of 25 machines was examined for possible damage, and all but one was in good condition. It was confirmed by the internal auditors that handling procedures outlined in the warehouse policy manual appear to be adequate, and warehouse personnel apparently were following those procedures, except for the examination of items being received for inventory.
The objectives of an engagement communication are to inform and to influence. Whether these objectives are met depends on the clarity of the writing. Which of the following principles of communication clarity was violated in the engagement communication?
A. Appropriately organize the communication.
B. Keep most sentences short and simple.
C. Use active voice verbs.
D. All of the answers are correct.
Answer (A) is incorrect. An engagement communication should be appropriately organized.
Answer (B) is incorrect. An engagement communication should be concise.
Answer (C) is incorrect. An engagement communication should use active voice verbs.
Answer (D) is correct. The communication should be well-organized so that the information is given appropriate attention. Also, effective organization enhances understanding by presenting information in a logical order that clarifies the internal auditor’s reasoning. Keeping sentences as short and simple as possible likewise facilitates understanding. Also, active voice verbs are more vivid and concise than passive voice verbs.

[554] Gleim #: 6.3.74
When a final engagement communication contains a significant error, the Standards require the chief audit executive to
A. Issue a written report to individuals who can ensure that engagement results are given due consideration.
B. Issue a written report to individuals who received the original communication.
C. Communicate corrected information to all individuals who received the original communication.
D. Communicate corrected information to all those who might have relied on the original communication.
Answer (A) is incorrect. The Standards do not require a written report, and the required correction should be communicated to the original distributees.
Answer (B) is incorrect. The Standards do not require a written report, and the required correction should be communicated to the original distributees.
Answer (C) is correct. If a final engagement communication contains a significant error or omission, the CAE must communicate corrected information to all who received the original communication (Perf. Std. 2421). Hence, the Standards do not require a written report.
Answer (D) is incorrect. The Standards do not require a written report, and the required correction should be communicated to the original distributees.

[555] Gleim #: 6.3.75
Avoiding unnecessary technical language is best associated with which quality of communication addressed in the Standards?
A. Accurate.
B. Concise.
C. Clear.
D. Complete.
Answer (A) is incorrect. Accurate communications avoid errors and distortions.
Answer (B) is incorrect. Concise communications avoid superfluous detail, redundancy, and wordiness.
Answer (C) is correct. Communications must be accurate, objective, clear, concise, constructive, complete, and timely (Perf. Std. 2420). Clear communications are easily understood and logical. Clarity can be improved by avoiding unnecessary technical language and providing all significant and relevant information (Inter. Std. 2420).
Answer (D) is incorrect.
Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.

[556] Gleim #: 6.3.76
Providing useful and timely information and promoting improvements in operations are goals of internal auditors. To accomplish these goals in their engagement communication, they should provide
A. Senior management with engagement communications that emphasize the operational details of defective conditions.
B. Operating management with engagement communications that emphasize general concerns and risks.
C. Information in written form before it is discussed with the engagement client.
D. Engagement communications that meet the expectations and perceptions of both operational and senior management.
Answer (A) is incorrect. Senior management can best use engagement communications that convey information having organization-wide significance.
Answer (B) is incorrect. Details of operations are most useful to operating management.
Answer (C) is incorrect. Information should be discussed with the engagement client before the report is written.
Answer (D) is correct. An engagement communication must be objective, clear, accurate, concise, constructive, complete, and timely (Perf. Std. 2420). Furthermore, to best fulfill their responsibilities for effective communication of the results of their work, internal auditors should provide engagement communications that address the expectations, perceptions, and needs of both operational and senior management. Thus, the engagement communication should contain general concepts that are concerned with matters of significance to the organization as a whole for the benefit of senior management.
The engagement communication should also emphasize details of operations for the benefit of operating management.

[557] Gleim #: 6.3.77
Word selection can have an impact on the recipient when presenting an engagement communication in either written or oral form. In a written or oral presentation in which the internal auditor’s objective is to persuade an individual to accept the recommendations, using words with strong or emotional connotation rather than words with low connotation
A. May move the recipient deliberately in the direction of the internal auditor’s recommendation.
B. May misfire quickly, moving the recipient away from the internal auditor’s recommendation.
C. Will cause the recipient to accept the internal auditor’s recommendations quickly with no reservations.
D. Will have no effect whatsoever on the recipient.
Answer (A) is incorrect. Use of emotion-laden words may have unintended consequences.
Answer (B) is correct. Words that are connotation-rich have strong but unpredictable effects. Using too strong a word or a word inappropriate for the particular recipient may induce an unwanted response. Hence, high connotation language should be chosen carefully to appeal to the specific recipient.
Answer (C) is incorrect. Words rich in emotional content may induce quick acceptance but not without reservations.
Answer (D) is incorrect. Words that are connotation-rich have strong, unpredictable effects.

[558] Gleim #: 6.3.78
When making a presentation to management, the internal auditor wants to report observations, conclusions, and recommendations and to stimulate action. These objectives are best accomplished by
A. Delivering a lecture on the engagement results.
B. Showing a series of slides or overheads, which graphically depict the engagement results; limit verbal commentary.
C. Using slides/overheads to support a discussion of major points.
D. Handing out copies of the final engagement communication, asking the participants to read it, and asking for questions.
Answer (A) is incorrect. According to research, observers will remember only 70% of verbal information after 3 hours, and 10% after 3 days.
Answer (B) is incorrect. Research indicates that observers will remember 72% of audiovisual information after 3 hours, and 20% after 3 days.
Answer (C) is correct. Using audiovisual aids to support a discussion of major points results in the greatest retention of information. One study concluded that 85% of the information presented in this way will be remembered after 3 hours, and 65% after 3 days.
Answer (D) is incorrect. Research indicates that observers will remember 72% of written information after 3 hours, and 20% after 3 days.

[559] Gleim #: 6.3.79
Successful communication between the internal auditor and the engagement client partially depends on achieving appropriate emphasis so that both parties are aware of the most important points in their discussion. Which of the following approaches provides the most emphasis in an engagement communication?
A. Graphics, repetition, and itemization.
B. Solid paragraphs and detailed appendices.
C. Calm discussion in a conversational tone.
D. Key points embedded in discussion.
Answer (A) is correct. Graphic illustrations (e.g., pictures, charts, or graphs), oral and written repetition such as summaries, and itemized lists (bulleted or numbered) are good ways of emphasizing information.
Answer (B) is incorrect. Long paragraphs may bury important information. Appendices hide important information because readers may not use them.
Answer (C) is incorrect.
Vocal emphasis comes from raising or lowering the projection of the voice to attract attention to the idea being stated, not from keeping the voice even.
Answer (D) is incorrect. Embedding ideas subordinates rather than emphasizes them.

[560] Gleim #: 6.3.80
The manner in which data and evidence is gathered, evaluated, and summarized for presentation should be done with care and precision. Which quality of communications does this statement best describe?
A. Objective.
B. Accurate.
C. Timely.
D. Constructive.
Answer (A) is incorrect. Objective communications concern observations, conclusions, and recommendations that should be derived and expressed without prejudice, partisanship, personal interests, and the undue influence of others.
Answer (B) is correct. Communications should be accurate, objective, clear, concise, constructive, complete, and timely (Perf. Std. 2420). Accurate communications are free from errors and distortions and are faithful to the underlying facts (Inter. Std. 2420).
Answer (C) is incorrect. Timely communications concern the timing of the presentation of engagement results, which should be set without undue delay and with a degree of urgency and so as to enable prompt, effective action.
Answer (D) is incorrect. Constructive communications concern the contents and tone of the presentation, which should be useful, positive, and well-meaning and contribute to the objectives of the organization.

[561] Gleim #: 6.3.81
A governmental agency, constrained by scarce internal audit and human resources, wishes to know the status of its program for licensing automobiles. In particular, management is concerned about the possibility of
A backlog in new license applications, and
Poor controls over the collection and processing of application fees.
The results of the preliminary survey and limited testing conducted by the internal audit activity revealed that the licensing process was operating as intended. No major deficiencies were noted. How should the internal audit activity proceed?
A. Perform no further work, issue a formal engagement communication with the survey results, and discuss the results with management.
B. Perform no further work, discuss pertinent issues with management and the executive director, and prepare an engagement work program for future use so that another survey will not be necessary.
C. Complete the engagement as scheduled to ensure that other issues do not exist that were not noted during the survey phase.
D. Send a memorandum communication to the executive director and other concerned parties summarizing the preliminary survey results and indicating that the engagement has been canceled.
Answer (A) is incorrect. Given that no further work was performed beyond the preliminary survey and limited testing, issuing a formal engagement communication discussing survey results with management would be inappropriate.
Answer (B) is incorrect. No engagement work program should be prepared for the future. Because future events may alter existing circumstances, or compliance with policies and procedures may change, an engagement work program written now may be outdated for future use. Also, an engagement communication summarizing survey results should be prepared.
Answer (C) is incorrect. An engagement may not be necessary if the survey and limited testing were conducted with due professional care. Given these results, the costs of an engagement may exceed the benefits.
Answer (D) is correct. According to Sawyer, when preliminary surveys are effectively conducted, they provide very useful information regarding how well the organization (or surveyed process) is operating (Sawyer’s Internal Auditing, p. 184).
When survey and preliminary testing results indicate “good systems, good controls, good surveillance, and good management . . .,” a decision may be made to perform no further engagement procedures. Accordingly, the internal auditor need only communicate this fact, along with summarized survey results, in a memorandum (an informal communication) to the executive director and other concerned parties.

[562] Gleim #: 6.4.82
An engagement performed at an organization’s payroll department has revealed various control weaknesses. These weaknesses, along with recommendations for corrective actions, were addressed in the final engagement communication. This communication should be most useful to the organization’s
A. Treasurer.
B. Audit committee of the board of directors.
C. Payroll manager.
D. President.
Answer (A) is incorrect. The treasurer is not responsible for the payroll department.
Answer (B) is incorrect. The audit committee is not in operational control of the department.
Answer (C) is correct. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken (PA 2440-1, para. 4). A communication on control weaknesses in the payroll function should be most useful to the payroll manager because (s)he is in a position to take corrective action.
Answer (D) is incorrect. The president is not in operational control of the department.

[563] Gleim #: 6.4.83
Which of the following combinations of participants is most appropriate to attend an exit meeting?
A. The responsible internal auditor and representatives from management who are knowledgeable about detailed operations and who can authorize implementation of corrective action.
B. The chief audit executive and the executive in charge of the activity or function reviewed.
C. Staff internal auditors who conducted the field work and operating personnel in charge of the daily performance of the activity or function reviewed.
D. Staff auditors who conducted the field work and the executive in charge of the activity or function reviewed.
Answer (A) is correct. The level of participants in the discussions and reviews may vary by organization and nature of the report; they generally include those individuals who are knowledgeable of detailed operations and who can authorize the implementation of corrective action (PA 2440-1, para. 3).
Answer (B) is incorrect. The CAE and the executive in charge of the activity reviewed might not be knowledgeable about the details.
Answer (C) is incorrect. Staff auditors and operating personnel might not have the necessary perspectives or authority.
Answer (D) is incorrect. The staff auditors might lack the proper perspective and authority.

[564] Gleim #: 6.4.84
The chief audit executive (CAE) or a designee is required to decide to whom the final engagement communication will be distributed. Observations concerning significant internal control weakness are included in an engagement communication on the accounts payable system of an organization whose securities are publicly traded. Which of the following is the most likely reason that the CAE has chosen to send copies of this engagement communication to the board and the external auditor?
A. The board and external auditor are normally sent copies of all internal audit engagement communications as a courtesy.
B. The board and external auditor will need to take corrective action based on the observations.
C. The activities of the board and external auditor may be affected because of the potential for misstated financial statements.
D. A regulatory agency’s guidelines require such distribution.
Answer (A) is incorrect. Normal distribution is to management of the activity under review and others in a position to take corrective action or ensure that corrective action is taken.
Answer (B) is incorrect. Operating management is responsible for taking corrective action.
Answer (C) is correct. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken (PA 2440-1, para. 4). The potential for misstated financial statements created by the internal control weaknesses should be of interest to the board and the external auditor.
Answer (D) is incorrect. Such a requirement is unlikely.

[565] Gleim #: 6.4.85
Which of the following is not an objective of the exit meeting for an engagement performed by the internal auditors?
A. To resolve conflicts.
B. To discuss the observations, conclusions, and recommendations.
C. To identify concerns for future engagements.
D. To identify management’s actions and responses to the observations, conclusions, and recommendations.
Answer (A) is incorrect. Resolving conflicts is an objective of the exit meeting.
Answer (B) is incorrect. Reaching an agreement on the facts and possible courses of future action is an objective of the exit meeting.
Answer (C) is correct.
The purpose of post-engagement meetings (exit meetings) is to help avoid misunderstandings or misinterpretations of fact by providing the opportunity for the engagement client to clarify specific items and express views of the observations, conclusions, and recommendations (PA 2440-1, para. 2). Identifying concerns for future engagements is thus not a purpose of the exit meeting.
Answer (D) is incorrect. Determining management’s action plan and responses is an objective of the exit meeting.

[566] Gleim #: 6.4.86
Several levels of management are interested in the results of an engagement performed in the marketing department. What is the best method of communicating the results of the engagement?
A. Write detailed communications for each level of management.
B. Write a communication to the marketing management and give summary communications to other management levels.
C. Discuss results with marketing management and issue a summary communication to senior management.
D. Discuss results with all levels of management.
Answer (A) is incorrect. Each level of management does not need a detailed communication.
Answer (B) is correct. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or to ensure that corrective action is taken. Where required by the internal audit charter or organizational policy, the CAE also communicates to other interested or affected parties, such as external auditors and the board (PA 2440-1, para. 4).
Answer (C) is incorrect. A formal, detailed, written communication should be addressed to marketing management if that is the level of management able to act on the engagement results.
Answer (D) is incorrect.
Observations, conclusions, and recommendations should be discussed with the appropriate levels of management, but an engagement communication should still be issued.

[567] Gleim #: 6.4.87
The internal audit activity has recently completed an engagement to evaluate the organization’s accounts payable function. The chief audit executive decided to issue a summary in conjunction with the final engagement communication. Who is most likely to receive the summary only?
A. Accounts payable manager.
B. External auditor.
C. Controller.
D. Audit committee of the board.
Answer (A) is incorrect. The accounts payable manager is best served by receiving a copy of the full final engagement communication.
Answer (B) is incorrect. The external auditor needs the details in the full engagement communication.
Answer (C) is incorrect. The controller is responsible for the accounting function and is more likely to receive the full engagement communication than the audit committee.
Answer (D) is correct. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken. Where appropriate, the CAE may send a summary communication to higher-level members in the organization (PA 2440-1, para. 4).

[568] Gleim #: 6.4.88
Which of the following individuals should normally not receive a final engagement communication related to a review of the purchasing cycle?
A. The director of purchasing.
B. The independent external auditor.
C. The chief audit executive.
D. The chair of the board.
Answer (A) is incorrect.
The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken.
Answer (B) is incorrect. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken.
Answer (C) is incorrect. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken.
Answer (D) is correct. The board ordinarily receives summary reports only.

[569] Gleim #: 6.4.89
The final engagement communication regarding supply activities of a division will most likely be circulated to
A. The lowest level of managers with sufficient authority to take action on engagement recommendations because it is their responsibility.
B. The highest level of managers because they should be kept informed.
C. The mid- and lower-level engagement client personnel of the division because they are the ones most affected.
D. The organization’s external auditors because they will need the information in performing their own engagement.
Answer (A) is correct. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken (PA 2440-1, para. 4).
Answer (B) is incorrect. The highest level of managers is likely to receive a summary.
Answer (C) is incorrect.
Engagement client personnel at lower levels lack authority to act on recommendations.
Answer (D) is incorrect. External auditors may see such reports, but the lowest level of managers with authority to take corrective action must see such reports.

[570] Gleim #: 6.4.90
An engagement communication with routine observations about the accounts payable department is being issued. Distribution should include the accounts payable supervisor, manager, and unit general manager. The communication may also be sent to the
A. External auditors and the controller.
B. Unit purchasing manager and the operations director.
C. Unit receiving manager, the purchasing manager, and the operations director.
D. External auditors, the controller, and the chair of the board.
Answer (A) is correct. The CAE distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action is taken. Where appropriate, the CAE may send a summary communication to higher-level members in the organization. Where required by the internal audit charter or organizational policy, the CAE also communicates to other interested or affected parties, such as external auditors and the board (PA 2440-1, para. 4).
Answer (B) is incorrect. The purchasing manager and the operations director are not interested in or affected by a report with routine observations about another department.
Answer (C) is incorrect. The receiving manager, the purchasing manager, and the operations director are not interested in or affected by a report with routine observations about another department.
Answer (D) is incorrect. A report with routine observations does not warrant being sent to the chair of the board.

[571] Gleim #: 6.4.91
The person responsible for engagement communication distribution should be the
A. Chief audit executive or designee.
B. Board.
C. Vice president responsible for the activity under review.
D. Supervisor of the engagement being performed.
Answer (A) is correct. The chief audit executive must communicate results to the appropriate parties (Perf. Std. 2440).
Answer (B) is incorrect. The board is a recipient of the reports.
Answer (C) is incorrect. The vice president responsible for the activity under review would not be knowledgeable about potential recipients of the report.
Answer (D) is incorrect. The supervisor is a technician engaged in the performance of the engagement, not an internal audit activity administrator.

[572] Gleim #: 6.4.92
Some audit findings reveal a variation in the scope of objectives between an audit client’s objectives and the overall organizational objectives. Which of the following is the proper action to be taken by the auditor?
A. Identify the variation in scope and present recommendations based on satisfying both the organizational objectives and those of the audit client.
B. Report the variation in scope to the audit client only.
C. Report the variation in scope to senior management only.
D. Do not report the variation.
Answer (A) is correct. Helping achieve goal congruence between audit clients and the overall organization is an appropriate function of internal audit’s role in improving governance processes.
Answer (B) is incorrect. Merely reporting the variation is insufficient to fulfill internal audit’s role in improving governance processes.
Answer (C) is incorrect. Merely reporting the variation is insufficient to fulfill internal audit’s role in improving governance processes.
Answer (D) is incorrect.
Engagement communications must be complete, and that would include the variation.

[573] Gleim #: 6.5.93
Which of the following is a possible disadvantage when the draft engagement communication is provided to local management for review and comment?
A. The engagement client may take corrective action before the final communication is issued.
B. The engagement client will have an opportunity to rebut observations and recommendations.
C. Genuine consideration for the engagement client will be demonstrated.
D. Discussion of the report might center unduly on words rather than on the substantive issues.
Answer (A) is incorrect. The possibility of early corrective action is an advantage.
Answer (B) is incorrect. The possibility of rebuttal is an advantage.
Answer (C) is incorrect. Demonstrating consideration for the engagement client is an advantage.
Answer (D) is correct. The internal auditor should be prepared for conflicts and questions and possibly time-consuming disagreement over semantic matters. While showing flexibility on matters not affecting the report’s substance, the internal auditor’s response to these conflicts should never be to negotiate the engagement conclusions.

[574] Gleim #: 6.5.94
Successful consultative communication in an internal auditing engagement is partially based on feedback from engagement clients about internal auditors’ actions during the engagement. This feedback
A. Should go only to senior management as a means of reviewing the internal auditors.
B. Should go only to the internal auditors to help them improve their performance.
C. Should go to both management and the internal auditors to ensure business value is being added.
D. Will keep clients on the defensive regarding the internal auditors.
Answer (A) is incorrect.
The feedback should also go to the internal auditors.
Answer (B) is incorrect. The feedback should also go to management.
Answer (C) is correct. Feedback should go to both management and the internal auditors to ensure the accountability of the internal audit activity. The feedback process is a way of judging the internal auditors’ performance, improving future engagements by identifying areas of weak performance, bettering internal auditor-client relations through a greater sense of participation, minimizing conflicts, and helping clients to understand the difficulties faced by the internal auditors.
Answer (D) is incorrect. Giving the clients an opportunity to give feedback should help reduce conflict and defensiveness.

[575] Gleim #: 6.6.95
Which of the following should not be one of the primary reasons why an internal auditor may communicate sensitive information outside the normal chain of command?
A. The desire to stop the wrongful, harmful, or improper activity.
B. Legal advice indicates that the internal auditor should disclose the sensitive information to an outside party.
C. A professional obligation requires disclosure of the activity to an outside party.
D. The internal auditor does not agree with how the board of directors or management may correct the problem.
Answer (A) is incorrect. The primary motive of outside disclosure is to get management or the board of directors to stop the activity they are engaged in.
Answer (B) is incorrect. The internal auditor will often consult legal counsel before deciding what course of action to take with regard to the activity.
Answer (C) is incorrect. A professional obligation often forces the internal auditor to disclose to outside parties. The IIA’s Code of Ethics requires IIA members and certified internal auditors to adhere to the disclosure requirements of illegal or unethical acts.
Answer (D) is correct.
An internal auditor who communicates sensitive information outside the chain of command should be motivated by the desire to stop the wrongful, harmful, or improper activity; legal advice; or a professional obligation. A personal disagreement is the least satisfactory reason.

[576] Gleim #: 6.6.96
For which situation should the internal auditor consider communicating sensitive information outside the organization’s governance structure?
A. The internal auditor believes the corporation does not have the resources to address the problem efficiently.
B. Action by management may take longer than the internal auditor believes is necessary to correct the problem.
C. The internal auditor believes that the problem will not be properly investigated by management.
D. An outside agency may be able to help the corporation correct the problem faster than the corporation could on its own.
Answer (A) is incorrect. Management and the board of directors may still take corrective action and seek outside assistance if they believe it is necessary. Revealing sensitive information prematurely would put the corporation at an unnecessary risk.
Answer (B) is incorrect. Management is taking appropriate action and the internal auditor should work with management and the board of directors to correct problems before involving an outside party.
Answer (C) is correct. In most cases of whistleblowing, whistleblowers will disclose sensitive information internally, even if not within the normal chain of command, if they trust the policies and mechanisms of the organization to investigate the problem. If the whistleblower doubts the problem will be properly investigated by the corporation, (s)he may consider disclosing the problem to an outside party.
Answer (D) is incorrect.
Management and the board of directors have the responsibility to decide how to handle the problem. If management or the board of directors believes that an outside party should be consulted, management and the board of directors may make that decision.

[577] Gleim #: 6.6.97
In which of the following scenarios must the chain of command discussions be accelerated?
A. A manager is not taking adequate steps to protect a patent developed by the corporation.
B. A publicly traded corporation is hiding its liabilities in off-balance-sheet entities.
C. Activities that the corporation engages in may result in environmental damage in the future.
D. Several significant investments held by the corporation are being mismanaged by the corporation.
Answer (A) is incorrect. The manager’s lack of action affects the corporation’s competitiveness and success but would not require the chain of command discussions to be accelerated. Corrective action may be taken before the issue is brought before the board of directors.
Answer (B) is correct. Situations involving fraudulent financial reporting by an organization with publicly traded securities should be brought to the attention of the audit committee of the board of directors immediately. This action must be taken even if the chief audit executive and management agree on a course of action.
Answer (C) is incorrect. Although this is an issue that management will have to address in the future, it does not force the acceleration of the chain of command discussions.
Answer (D) is incorrect. Mismanagement of funds may be corrected at lower levels in the corporation. Although the misallocation of resources may result in losses, it does not require the acceleration of the chain of command discussions.

[578] Gleim #: 6.6.98
Which of the following actions should not be taken initially when credible evidence exists that the corporation is unnecessarily exposing itself to risk?
A. The chief audit executive may discuss his/her concerns about the risk exposure with senior management within his/her normal chain of command.
B. The chief audit executive may discuss his/her concerns about the risk of exposure with the board of directors.
C. The chief audit executive may discuss his/her concerns with the parties responsible for the risk exposure.
D. The chief audit executive may discuss his/her concerns with someone outside the organization.
Answer (A) is incorrect. Discussion with senior management is often one of the first actions taken by the chief audit executive when risks are exposed.
Answer (B) is incorrect. The board of directors is normally within the chief audit executive’s chain of command, and the chief audit executive is likely to bring up risk exposures to the board of directors.
Answer (C) is incorrect. The chief audit executive may believe that the problem can be solved quickly by discussing the issue with those directly responsible for the risk exposure.
Answer (D) is correct. If the internal auditor has credible evidence of exposure to an unnecessary risk, the auditor should normally communicate the information to those in management who can act on it. If the chief audit executive is not satisfied with the result, other options are available. The chief auditor could discuss his/her concerns with senior management, which often includes members of the board of directors. The chief audit executive should only consider discussion with outside parties if (s)he believes that management will not investigate the issue properly and other people may be adversely affected.

[579] Gleim #: 6.6.99
An internal auditor has a professional duty to do each of the following with regard to sensitive information except
A. Consider the duty of confidentiality.
B. Disclose sensitive information that the internal auditor has a legal obligation to disclose.
C. Consider whether further action is needed to protect the interests of the organization, the community, or the institutions of society.
D. Seek the advice of legal counsel or other experts.
Answer (A) is incorrect. The internal auditor is supposed to respect the value and ownership of information and avoid disclosing it without appropriate authority.
Answer (B) is incorrect. An internal auditor must disclose information that (s)he is legally or professionally required to disclose.
Answer (C) is incorrect. The internal auditor has a professional duty and an ethical responsibility to evaluate the sensitive evidence and decide whether further action is needed to protect the interests of parties that may be adversely affected.
Answer (D) is correct. Although the advice of legal counsel or other experts is recommended, the internal auditor does not have a professional duty to seek such advice. Discussing the information with lawyers or experts may help provide a different perspective on the circumstances as well as offer opinions about various actions.

[580] Gleim #: 6.6.100
Which of the following actions should a chief audit executive most likely take upon discovery of fraudulent financial reporting by a publicly traded company?
A. The chief audit executive should try to solve the problem before consulting management.
B. The chief audit executive may discuss the problem with the audit committee and decide upon a course of action.
C. The chief audit executive should accelerate the chain of command discussions with senior management.
D. The chief audit executive should report the fraudulent financial reporting to the appropriate governmental agency.
Answer (A) is incorrect. The law is likely to require the chief audit executive to disclose the fraudulent financial reporting to management and the board of directors upon discovery of credible evidence.
Answer (B) is incorrect. Discussion with the audit committee will delay the process of disclosing the fraud to management and the board of directors.
Answer (C) is correct. The law is likely to require the chief audit executive to disclose the fraudulent financial reporting as soon as possible to senior management and the board of directors.
Answer (D) is incorrect. The chief audit executive should not go outside the chain of command of the organization until all other options are exhausted.

[581] Gleim #: 6.6.101
Which of the following parties should the chief audit executive not consult upon the discovery of sensitive information?
A. Senior management within the chain of command.
B. A party outside the organization.
C. The board of directors.
D. Legal counsel.
Answer (A) is incorrect. The chief audit executive should communicate the sensitive information to management in his/her chain of command first.
Answer (B) is correct. An internal auditor should communicate sensitive information within his/her chain of command first. If the internal auditor has exhausted all of his/her internal options, the last resort is to disclose sensitive information to an outside party.
Answer (C) is incorrect. The board of directors is often a part of the chief audit executive’s chain of command. Therefore, the chief audit executive will communicate with the board of directors early upon discovery of sensitive information.
Answer (D) is incorrect.
Internal auditors should discuss options with legal counsel before disclosing information outside of the chain of command.

[582] Gleim #: 6.6.102
The chief audit executive should disseminate results to the appropriate individuals. Disseminating information outside the organization
A. Is prohibited by The IIA’s Standards.
B. Requires the elimination of references to the Standards.
C. Requires that an engagement performed to generate such information be conducted in accordance with the standards.
D. Is permissible only if a new engagement is performed.
Answer (A) is incorrect. The IIA’s Standards permit dissemination of information outside the organization.
Answer (B) is incorrect. The report or other communication should refer to applicable standards.
Answer (C) is correct. Engagements to generate internal auditing reports or communications to be disseminated outside the organization need to (1) be performed in accordance with applicable standards and (2) refer to such standards in the report or other communication.
Answer (D) is incorrect. In certain situations, it may be possible to revise an existing report or information to make it suitable for dissemination outside the organization. In other situations, it may be possible to generate a new report based on work previously conducted.

[583] Gleim #: 6.6.103
An internal auditor has the following information available to write a memorandum on the progress of developing new engagement software for accounts receivable: The programmers, who were to start on the sampling software last week, will not be able to start until next week. The programmers want to purchase a commercially available software package. The funds for the software are not in the budget. By using the software, the programmers expect to complete their work on schedule.
The purchased software will reduce programming costs by substantially more than the cost of the software. The programming of the sampling techniques is expected to be completed one week early. The overall project is expected to be completed on time. Except for the software package and the programming costs, the project is on budget.
The most important message for the internal auditor to convey to senior management is
A. The development of the new software is behind schedule.
B. The programmers want to buy new software.
C. The project is expected to be completed on time and within budget.
D. The programming of the sampling techniques will be completed one week early.
Answer (A) is incorrect. The project is expected to be completed on time. Senior management is concerned with the timeliness of the entire project.
Answer (B) is incorrect. The new software purchase will reduce overall costs. Senior management is concerned about significant variances from the budget.
Answer (C) is correct. The most important message is that the project is expected to be completed on time and within budget. This message is an appropriate summary of the information given. Ordinarily, senior management receives summary engagement communications, and lower level managers receive detailed reports.
Answer (D) is incorrect. The programming of the sampling techniques is a detail with which senior management is not concerned.

[584] Gleim #: 6.6.104
An internal auditor has the following information available to write a memorandum on the progress of developing new engagement software for accounts receivable: The programmers, who were to start on the sampling software last week, will not be able to start until next week. The programmers want to purchase a commercially available software package.
The funds for the software are not in the budget. By using the software, the programmers expect to complete their work on schedule. The purchased software will reduce programming costs by substantially more than the cost of the software. The programming of the sampling techniques is expected to be completed one week early. The overall project is expected to be completed on time. Except for the software package and the programming costs, the project is on budget. Regarding the unbudgeted funds for the purchase of a software package, the internal auditor should A. Disclose it with the expected reduction in programming costs to provide full disclosure. B. Leave it out of the engagement communication because it is irrelevant. C. Emphasize it because it is outside the budget. D. Leave it out of the engagement communication to avoid criticism. Answer (A) is correct. The unbudgeted funds should be disclosed in conjunction with the reduction in programming costs. This information justifies the expenditure and assures the recipient of the memorandum that the project will still be within budget. If both items are not disclosed, the memorandum will be misleading. Answer (B) is incorrect. The unbudgeted expenditure is relevant. Answer (C) is incorrect. The expenditure is not important enough to be emphasized. Answer (D) is incorrect. Information should not be left out to avoid criticism. This information is important enough to warrant disclosure. Copyright 2013 Gleim Publications Inc. Printed for Sanja Knezevic Page 333 Gleim CIA Test Prep: Part 2 - Internal Audit Practice (720 questions) [585] Gleim #: 6.7.105 The internal audit activity has just completed an engagement to review loan processing and commercial loan account balances for a financial institution. Following are a few excerpts from the working papers indicating potential engagement observations. al A. The auditors took a statistical sample of 100 loan applications and determined that only 85 loans were granted. B. 
Of the 85 loans granted, the auditors noted that 4 loans should have been reviewed and approved by the loan committee but were not. Organizational policy states that all loans must be approved by the committee prior to funding. Each of the 4 loans, however, was approved by the vice president. The matter was discussed with the vice president, who indicated it was a competitive loan situation to a new customer and in the best interests of the financial institution to expedite the loan and establish a firm relationship with a growing customer. All of the other loans were formally approved by the loan committee. C. Of the 81 loans approved by the loan committee, the auditors found 7 in which the actual amount lent exceeded the approved amount. D. The auditors noted three instances in which loans were made to related groups of organizations without an analysis of the total amount of loans made to the controlling entity. There may be statutory limitations on the amount of loans that can be made to any individual controlling organization. E. Of the 81 loans approved by the loan committee, the auditors found that 14 contained either insufficient documentation or were not received by the committee in a timely fashion in advance of their meeting. The statistical sample was taken with a 95% confidence level using attribute sampling with a tolerable error limit of 4%. Assume that the sampling plan was implemented correctly. Regarding item C, which of the following actions would be inappropriate on the part of the auditor? A. Examine the loans to determine if there is a pattern of the loans to other organizations. Summarize amounts and include in the engagement communication. B. Report the amounts to the loan committee and leave it up to them to correct. Take no further follow-up action at this time and do not include the items in the engagement communication. C.
Follow up with the vice president and include the vice president’s acknowledgment of the situation in the engagement communication. D. Determine the amount of differences and make an assessment as to whether the monetary differences are material. If the amounts are not material, not in violation of government regulations, and can be rationally explained, omit the observation from the engagement communication. Answer (A) is incorrect. The internal auditor should attempt to determine the causes of engagement observations and, if appropriate, include them in the engagement communication. Answer (B) is correct. The CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action (Impl. Std. 2500.A1). Answer (C) is incorrect. The engagement client’s view about engagement observations, conclusions, and recommendations should be included in the engagement communication. Answer (D) is incorrect. Failure to report the deviations may be justified if the internal auditor has concluded that the amounts are clearly not material, that they are not in violation of governmental regulations, and that a rationale for the deviations exists. [586] Gleim #: 6.7.106 After an engagement report with adverse observations has been communicated to appropriate engagement client personnel, internal auditing’s proper action is to A. Schedule a follow-up engagement. B. Implement corrective action indicated by the observations. C. Examine further the data supporting the observations. D. Assemble new data to support the observations. Answer (A) is correct. The CAE must establish and maintain a system to monitor the disposition of results communicated to management (Perf. Std. 2500). Answer (B) is incorrect.
The internal audit activity ordinarily has no responsibility to implement corrective action. Answer (C) is incorrect. Data have already been examined. Answer (D) is incorrect. Data have already been examined. [587] Gleim #: 6.7.107 An audit committee is concerned that management is not addressing all internal audit observations and recommendations. What should the audit committee do to address this situation? A. Require managers to provide detailed action plans with specific dates for addressing audit observations and recommendations. B. Require all managers to confirm when they have taken action. C. Require the chief executive officer to report why action has not been taken. D. Require the chief audit executive to establish procedures to monitor progress. Answer (A) is incorrect. Management is responsible for ensuring action on all internal audit observations and recommendations, but some actions may take time to complete. It is not feasible to expect that all will be resolved when an audit committee meets. Answer (B) is incorrect. The internal audit activity must monitor progress. Waiting for management confirmation may lead to harmful delays. Answer (C) is incorrect. Management should report reasons for inaction. Answer (D) is correct. The CAE must establish and maintain a system to monitor the disposition of results communicated to management (Perf. Std. 2500). [588] Gleim #: 6.7.108 An organization’s internal auditors have conducted a series of assurance engagements. The resulting recommendations have been readily accepted by engagement clients because of the potential cost savings. Given the acceptance of the cost savings engagements and the scarcity of internal auditing resources, the manager in charge of these engagements also decided that follow-up action was not needed.
The manager reasoned that cost savings should be sufficient to motivate the client to implement the engagement recommendations. Thus, follow-up was not scheduled as a regular part of the engagement plan. Was the manager’s decision appropriate? A. Yes. Follow-up is not customary. B. No. The internal auditors should determine whether the client has appropriately implemented all of the engagement recommendations. C. No. Scarcity of resources is not a sufficient reason to omit follow-up. D. Yes. Given sufficient evidence of motivation by the client, follow-up is not needed. Answer (A) is incorrect. Follow-up is required. Answer (B) is incorrect. Follow-up determines what management actions have been taken, not merely whether the engagement recommendations have been implemented. Answer (C) is correct. The CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action (Impl. Std. 2500.A1). Accordingly, cost (lack of resources) is a factor in determining the nature, timing, and extent of follow-up, not in determining whether to follow up. Answer (D) is incorrect. Follow-up is required. [589] Gleim #: 6.7.109 An internal auditor found that employees in the maintenance department were not signing their time cards. This situation also existed during the last engagement. The internal auditor should A. Include this observation in the current engagement communication. B. Ask the manager of the maintenance department to assume the resulting risk. C. Withhold conclusions about payroll internal control in the maintenance department. D. Instruct the employees to sign their time cards. Answer (A) is correct. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1).
Answer (B) is incorrect. Asking the manager of the maintenance department to assume the resulting risk is not within the internal auditor’s authority, and it would not remedy the situation. However, the internal auditor should ascertain whether senior management has decided to assume the risk. Answer (C) is incorrect. The final engagement communication must contain conclusions about internal control of payroll in the maintenance department. Answer (D) is incorrect. The internal auditor should not supervise maintenance department employees. [590] Gleim #: 6.7.110 Management is beginning to take corrective action on personnel department deficiencies reported during the last engagement performed by the internal audit activity. The internal auditor should A. Oversee the corrective action. B. Postpone the next engagement of the personnel department until the corrective action is completed. C. Refrain from judging whether the corrective action will remedy the deficiencies. D. Follow up to see that the corrective action satisfies the engagement recommendations. Answer (A) is incorrect. Internal auditors should not perform operating functions. Answer (B) is incorrect. A follow-up engagement should be considered if engagement observations were especially significant. Moreover, no reason is given for postponing the next regular engagement. Answer (C) is incorrect. Internal auditors must determine that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. Answer (D) is correct. The CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action (Impl. Std. 2500.A1).
[591] Gleim #: 6.7.111 Recommendations in engagement communications may or may not actually be implemented. Which of the following best describes internal auditing’s role in follow-up on engagement recommendations? Internal auditing A. Has no role; follow-up is management’s responsibility. B. Should be charged with the responsibility for implementing engagement recommendations. C. Should follow up to ascertain that appropriate action is taken on engagement recommendations. D. Should request that independent auditors follow up on engagement recommendations. Answer (A) is incorrect. Internal auditing has follow-up responsibility. Answer (B) is incorrect. Internal auditors should not assume operating responsibilities. Implementing recommendations would impair the independence of the internal audit activity and the objectivity of the internal auditors. Answer (C) is correct. The CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action (Impl. Std. 2500.A1). Answer (D) is incorrect. This responsibility cannot be assumed by the independent auditors. [592] Gleim #: 6.7.112 An audit of an organization’s claims department determined that a large number of duplicate payments had been issued due to problems in the claims processing system. During the exit conference, the vice president of the claims department informed the auditors that attempts to recover the duplicate payments would be initiated immediately and that the claims processing system would be enhanced within 6 months to correct the problems. Based on this response, the chief audit executive should A. Adjust the scope of the next regularly scheduled audit of the claims department to assess controls within the claims processing system. B.
Monitor the status of corrective action and schedule a follow-up engagement when appropriate. C. Schedule a follow-up engagement within 6 months to assess the status of corrective action. D. Discuss the findings with the audit committee and ask the committee to determine the appropriate follow-up action. Answer (A) is incorrect. The reported observation is significant, so the internal audit activity should not wait until the next regularly scheduled audit to assess the status of corrective action. Answer (B) is correct. The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action (Impl. Std. 2500.A1). Answer (C) is incorrect. Management indicated that the corrections would be completed within 6 months, but the promised implementation may not have occurred. As a result, the internal audit activity should monitor the status of corrective action and schedule a follow-up engagement when it is appropriate. Answer (D) is incorrect. Although the significant observations should be discussed with the audit committee, the scope and timing of a follow-up engagement should be determined by the chief audit executive based on available information.
[593] Gleim #: 6.7.113 Assume that the internal auditors’ observations are so serious that, in their view, they require immediate action by management. Which of the following statements regarding the internal auditors’ responsibility with respect to communicating results and follow-up are true? I. The conditions should be actively monitored by the internal auditors until corrected. II. The initial observations should be communicated to senior management and the board even if the engagement is not complete. III. The internal auditors should test the actions implemented by management to determine if they remedy the problem. A. I only. B. II only. C. II and III only. D. I, II, and III. Answer (A) is incorrect. The internal auditors should communicate serious observations and recommendations to senior management and the board even if the engagement is not complete. Also, any corrective actions implemented by management should also be tested by the internal auditors to determine whether the actions remedy the problem. Answer (B) is incorrect. The conditions should be monitored by the internal auditors, and any corrective actions implemented by management should also be tested by the internal auditors to determine whether the actions remedy the problem. Answer (C) is incorrect. The conditions should be actively monitored by the internal auditors until corrected. Answer (D) is correct. If certain reported observations and recommendations are significant enough to require immediate action by management or the board, the internal audit activity monitors actions taken until the observation is corrected or the recommendation implemented (PA 2500-1, para. 2). The CAE establishes procedures to determine the timeframe within which management’s response to the engagement observations and recommendations is required, to evaluate the response, to verify the response, to conduct a follow-up engagement, and to transmit unsatisfactory responses or actions to the appropriate management levels (para. 1).
[594] Gleim #: 6.7.114 Follow-up activity may be required to ensure that corrective action has taken place for certain observations made in an assurance engagement. The internal audit activity’s responsibility to perform follow-up activities as required is defined in the A. Internal audit activity’s written charter or the agreement with the client. B. Mission statement of the audit committee. C. Engagement memo issued prior to each engagement. D. Purpose statement within applicable engagement communications. Answer (A) is correct. Follow-up is a process by which internal auditors evaluate the adequacy, effectiveness, and timeliness of actions taken by management on reported observations and recommendations, including those made by external auditors and others (PA 2500.A1-1, para. 2). The internal audit activity’s charter should define the responsibility for follow-up (para. 3). Answer (B) is incorrect. Follow-up is not specified in the content of the audit committee’s mission statement. Answer (C) is incorrect. The engagement memo may contain a statement about responsibility for follow-up, but it should be based on the wording and authority of the internal audit activity’s charter. Answer (D) is incorrect. Follow-up authority and responsibility may be cited in applicable engagement communications, but the definition should be stated first in the internal audit activity’s charter.
[595] Gleim #: 6.7.115 Which of the following describes the most appropriate action to be taken concerning a repeated observation of violations of company policy pertaining to competitive bidding? A. The engagement final communication should note that this same condition had been reported in the prior engagement. B. During the exit meeting, management should be made aware that the violation has not been corrected. C. The chief audit executive should determine whether management or the board has assumed the risk of not taking corrective action. D. The chief audit executive should determine whether this condition should be reported to the external auditor and any regulatory agency. Answer (A) is incorrect. The appropriate action when a matter is unresolved depends on determining whether management or the board has assumed the risk of not taking corrective action.
Answer (B) is incorrect. The appropriate action when a matter is unresolved depends on determining whether management or the board has assumed the risk of not taking corrective action. Answer (C) is correct. Internal auditors determine whether management has taken action or implemented the recommendation. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). Answer (D) is incorrect. The CAE has no outside reporting responsibility. [596] Gleim #: 6.7.116 Internal auditors realize that at times corrective action is not taken even when agreed to by the appropriate parties. Thus, in an assurance engagement, internal auditors should A. Decide the extent of necessary follow-up work. B. Allow management to decide when to follow up because follow-up is management’s ultimate responsibility. C. Decide to conduct follow-up work only if management requests the internal auditor’s assistance. D. Write a follow-up engagement communication with all observations and recommendations and their significance to the operations. Answer (A) is correct. The chief audit executive determines the nature, timing, and extent of follow-up (PA 2500.A1-1, para. 3). Answer (B) is incorrect. Determining the timing of follow-up is not management’s responsibility. It is the responsibility of the CAE. Answer (C) is incorrect. Determining the nature and extent of follow-up is the CAE’s responsibility. Management’s responsibility is to decide the appropriate action to be taken in response to reported engagement observations and recommendations. Answer (D) is incorrect. The internal auditors must decide the extent of follow-up before submitting a follow-up engagement communication.
[597] Gleim #: 6.7.117 An internal audit activity had been requested to perform an engagement to determine whether the organization is in compliance with a particular set of laws and regulations. The engagement did not reveal any issues of noncompliance but did reveal that the organization did not have an established system to ensure compliance with the applicable laws and regulations. The internal auditor’s responsibility is to I. Report that no significant compliance issues were noted. II. Report that the organization has a significant control deficiency because management has not established a system to ensure compliance. III. Meet with management to determine what follow-up action will be taken. IV. Monitor to determine that follow-up action has been taken. A. I only. B. I and II only. C. II and III only. D. I, II, III, and IV. Answer (A) is incorrect. The internal auditor must also report management’s failure to establish a control system and must follow up to determine that effective corrective action has been taken. Answer (B) is incorrect. The internal auditor must also follow up to determine that effective corrective action has been taken. Answer (C) is incorrect. The internal auditor must also report the absence of noncompliance and must follow up to determine that effective corrective action has been taken. Answer (D) is correct. That no significant compliance issues were noted and that management has not met its responsibility for establishing systems designed to ensure compliance with laws and regulations are matters to be reported in the condition section of the observation. Also, internal auditors determine whether management has taken action or implemented the recommendation.
The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). [598] Gleim #: 6.7.118 The preliminary survey discloses that corrective action was never taken on a prior reported assurance engagement observation. Subsequent field work confirms that the condition still exists. Which of the following courses of action should the internal auditors pursue? A. Take no action. To do otherwise would be an exercise of operational control. B. Discuss the issue with the chief audit executive. The problem requires an ad hoc solution. C. Discuss the issue with the person(s) responsible for the problem. (S)he or they should know how to solve the problem. D. Order the person(s) responsible to correct the problem. (S)he or they have had long enough to do so. Answer (A) is incorrect. The condition observed may place the organization at risk until the situation changes or the condition is corrected. Answer (B) is incorrect. Conditions that have not been corrected are not unique and do not require ad hoc solutions. Answer (C) is correct. Internal auditors determine whether management has taken action or implemented the recommendation. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). The person responsible for the problem is most likely to know how to solve it. Answer (D) is incorrect. The internal auditors have no line authority over the client. To exercise such authority impairs objectivity.
[599] Gleim #: 6.7.119 Why should organizations require assurance engagement clients to reply promptly and outline the corrective action that has been implemented on reported observations? A. To remove items from the pending list as soon as possible. B. To effect savings or to institute compliance as early as possible. C. To indicate concurrence with the engagement observations. D. To ensure that the engagement work schedule is kept up to date. Answer (A) is incorrect. Removing items from the pending list concerns a mechanical and immaterial aspect of the communication process. Answer (B) is correct. Of the choices provided, effecting savings or achieving compliance are the only ones that benefit organizations as a whole. Answer (C) is incorrect. The client may not concur with the observations and recommendations. This dispute may or may not be considered in closing the engagement. Answer (D) is incorrect. Ensuring that the engagement work schedule is kept up to date is an administrative function of the internal audit activity. [600] Gleim #: 6.7.120 Which of the following statements best describes an internal auditor’s responsibility for follow-up activities related to a previous engagement? A. The internal auditor should determine that corrective action has been taken and is achieving the desired results or that management or the board has assumed the risk of not taking corrective action. B. The internal auditor should determine that management has initiated corrective action, but the internal auditor has no responsibility to determine if the action is achieving the desired results. That determination is solely management’s responsibility. C. The chief audit executive is responsible for scheduling follow-up activities only if directed to do so by senior management or the audit committee. Otherwise, follow-up is entirely discretionary. D. None of the answers are correct.
Answer (A) is correct. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). Answer (B) is incorrect. The internal auditor is responsible for determining that the action taken by senior management is achieving the desired results. Answer (C) is incorrect. The CAE is responsible for performing follow-up activities. Answer (D) is incorrect. The internal auditor should ascertain that corrective action has been taken and is achieving the desired results or that senior management or the board has assumed the risk of not taking corrective action. [601] Gleim #: 6.7.121 The chief audit executive should ensure follow-up of prior engagement observations and recommendations A. To determine if corrective action was taken and is achieving the desired results. B. Unless management rejected the recommendation in its initial response. C. Unless the engagement work schedule does not allow time for follow-up. D. Unless management has accepted the recommendation. Answer (A) is correct. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). Answer (B) is incorrect. If management rejects a recommendation, such action should be reviewed and approved by senior management. Answer (C) is incorrect. Follow-up should be scheduled. Failing to follow up is unacceptable. Answer (D) is incorrect. Mere acceptance does not ensure that recommendations will be carried out.
[602] Gleim #: 6.7.122 The policy of some organizations is to have engagement clients respond to engagement communications by writing to an administrative vice president who has the primary responsibility for follow-up. Under such arrangements, copies of responses are usually sent to the internal audit activity, which reviews them for adequacy. If the internal audit activity considers the response to a particular report inadequate, which of the following is the most appropriate course of action? A. Perform a follow-up engagement immediately. B. Follow up in connection with the next regularly scheduled engagement to review the engagement client. C. Schedule a follow-up engagement within 6 months. D. Inform the administrative vice president that the response is not considered adequate, and coordinate any additional follow-up with the vice president. Answer (A) is incorrect. Responsibility for a follow-up is the vice president’s in this organization. Answer (B) is incorrect. Any follow-up should be prompt. Answer (C) is incorrect. Any follow-up should be prompt. Answer (D) is correct. If the administrative vice president has the primary responsibility for follow-up, the internal auditors should communicate with him/her to learn whether corrective action will be taken or if (s)he will assume the risk of not taking such action. [603] Gleim #: 6.7.123 During an engagement to perform an assurance service related to purchasing, the internal auditors found several violations of organizational policy concerning competitive bidding. The same condition had been reported in an engagement communication last year and corrective action had not been taken. Which of the following best describes the appropriate action concerning these repeat observations? A.
The engagement communication should note that the same condition was reported in the prior engagement. B. During the exit meeting, management should be informed that observations from the prior engagement communication have not been resolved. C. The chief audit executive should determine whether management or the board has assumed the risk of not taking corrective action. D. The chief audit executive should determine whether this condition should be reported to the independent external auditor and any regulatory agency. Answer (A) is incorrect. This action does not fully satisfy the internal auditors’ responsibility. Answer (B) is incorrect. This action does not fully satisfy the internal auditors’ responsibility. Answer (C) is correct. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). Answer (D) is incorrect. Such reporting may be contrary to the Code of Ethics, which requires internal auditors to be prudent in the use and protection of information acquired in the course of their duties (Rule of Conduct 3.1). [604] Gleim #: 6.7.124 An internal auditing engagement communication disclosed a substantial annual loss to the organization because the purchasing department had no procedures manual. In light of this observation, which of the following actions should the internal audit activity take? A. Take no further action, because the internal audit activity’s duty is completed with the publication of the final report. B. Write the procedures manual because the purchasing department clearly needs the help, and the internal audit activity can provide it. C.
Make recommendations regarding the procedures manual, then perform a follow-up engagement to ensure that corrective action is taken or that senior management or the board takes the responsibility for not taking action. D. Require that the purchasing department develop or otherwise obtain a suitable procedures manual, then check to make sure that they do so. The purchasing department’s responsibility is to ensure that such a manual is in use. Answer (A) is incorrect. Follow-up action is required. Answer (B) is incorrect. Internal auditors should not assume operating responsibilities. Answer (C) is correct. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). Answer (D) is incorrect. The internal audit activity has no line authority over operating departments. [605] Gleim #: 6.7.125 When actions have not been taken by management on reported engagement observations, conclusions, and recommendations, the internal auditor should A. Determine whether management or the board has assumed the risk for not taking corrective action. B. Develop and implement a plan of corrective action. C. Withhold communications about other related engagement observations, conclusions, and recommendations until corrective action is taken. D. Conclude that the engagement observations, conclusions, and recommendations are insignificant and no corrective action is necessary. Answer (A) is correct. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1, para. 1). Answer (B) is incorrect. Internal auditors do not have operating authority. Answer (C) is incorrect.
The Code of Ethics requires disclosure of all material facts known to the internal auditors that, if not disclosed, may distort the reporting of activities under review (Rule of Conduct 2.3).
Answer (D) is incorrect. Lack of corrective action does not signify that the engagement results are insignificant.

[606] Gleim #: 6.7.126
When conducting audit follow-up of a finding related to cash management routines, which of the following does not need to be considered?
A. Inherent risk has been eliminated as a result of resolution of the condition.
B. The steps being taken are resolving the condition disclosed by the finding.
C. Controls have been implemented to deter or detect a recurrence of the finding.
D. Benefits have accrued to the entity as a result of resolving the condition.
Answer (A) is correct. Inherent risk is the susceptibility of a particular activity or operation to influences that impede the achievement of the activity’s or operation’s objectives. For example, cash, because it is easier to steal, carries higher inherent risk than large inventory items. By its nature, inherent risk cannot be eliminated.
Answer (B) is incorrect. Evaluating the steps being taken to resolve the condition is an appropriate action for the internal auditors.
Answer (C) is incorrect. Evaluating controls implemented to deter or detect a recurrence is an appropriate action for the internal auditors.
Answer (D) is incorrect. Evaluating benefits that have accrued to the organization as a result of the resolution is an appropriate action for the internal auditors.

[607] Gleim #: 6.7.127
A follow-up review found that a significant internal control weakness had not been corrected. The chief audit executive (CAE) discussed this matter with senior management and was informed of management’s willingness to accept the risk.
The CAE should
A. Do nothing further because management is responsible for deciding the appropriate action to be taken in response to reported engagement observations and recommendations.
B. Initiate a fraud investigation to determine if employees had taken advantage of the internal control weakness.
C. Inform senior management that the weakness must be corrected and schedule another follow-up review.
D. Assess the reasons that senior management decided to accept the risk and inform the board of senior management’s decision.
Answer (A) is incorrect. The CAE and senior management should report the matter to the board if the CAE believes that the residual risk may be unacceptable.
Answer (B) is incorrect. The facts do not indicate that employee fraud is an issue.
Answer (C) is incorrect. The CAE has no authority to require corrective action.
Answer (D) is correct. When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution (Perf. Std. 2600).

[608] Gleim #: 6.7.128
Upon reviewing the final communication of engagement results, senior management decided to assume the risk of not implementing corrective action on certain engagement observations. Evaluate the following and select the best alternative for the chief audit executive:
A. Notify regulatory authorities of management’s decision.
B. Perform additional engagement procedures to further identify the policy violations.
C. Conduct a follow-up engagement to determine whether corrective action was taken.
D.
Discuss the matter with senior management and possibly the board if the residual risk accepted is excessive.
Answer (A) is incorrect. Regulatory authorities do not need to be notified. Management has decided to assume responsibility, and no regulatory violations were mentioned.
Answer (B) is incorrect. Additional procedures are not required unless the CAE believes that the residual risk assumed is too great.
Answer (C) is incorrect. A follow-up engagement is not required unless the CAE believes that the residual risk assumed is too great.
Answer (D) is correct. When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution (Perf. Std. 2600).

[609] Gleim #: 6.7.129
What action must the chief audit executive take when (s)he believes that senior management has accepted a level of residual risk that is unacceptable to the organization?
A. Report the matter to the board for resolution.
B. Report the matter to an external authority.
C. Discuss the matter with external auditors.
D. Discuss the matter with senior management.
Answer (A) is incorrect. The CAE must report the matter to the board for resolution when a decision is not resolved after a discussion with senior management.
Answer (B) is incorrect. The matter must be discussed with senior management.
Answer (C) is incorrect. The CAE must discuss the matter with senior management.
Answer (D) is correct. When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management.
If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution (Perf. Std. 2600).

[610] Gleim #: 6.7.130
Management and the board of directors are responsible for following up on observations and recommendations made by the external auditors. What role, if any, should the internal audit activity have in this process?
A. The internal audit activity should have no role in this process in order to ensure independence.
B. The internal audit activity should only become involved if the chief audit executive has sufficient evidence that the follow-up is not occurring.
C. The internal audit activity should establish a monitoring process to review the adequacy and effectiveness of management’s follow-up actions.
D. The internal audit activity should become involved only if specifically requested by management or the board of directors.
Answer (A) is incorrect. Internal audit activity independence is not impaired by participating in the follow-up process.
Answer (B) is incorrect. The internal audit activity should be involved throughout the follow-up process.
Answer (C) is correct. The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action (Impl. Std. 2500.A1).
Answer (D) is incorrect. The internal audit activity should be involved throughout the follow-up process.

[611] Gleim #: 6.7.131
An audit of accounts payable found that the individuals responsible for maintaining the vendor master file could also enter vendor invoices into the accounts payable system. During the exit conference, management agreed to correct this problem.
When performing a follow-up engagement of accounts payable, the auditor should expect to find that management had
A. Transferred the individuals who maintained the vendor master file to another department to ensure responsibilities were appropriately segregated.
B. Compared the vendor and employee master files to determine if any unauthorized vendors had been added to the vendor master file.
C. Modified the access control system to prevent employees from both entering invoices and approving payments.
D. Modified the accounts payable system to prevent individuals who maintained the vendor master file from entering invoices.
Answer (A) is incorrect. Transferring the employees is not necessary and does not resolve the control problem.
Answer (B) is incorrect. This comparison may detect the presence of an employee on the vendor list, but it does not prevent the addition of another unauthorized vendor to the list by someone who also performs the recording function for invoices.
Answer (C) is incorrect. This change does not address the problem. Individuals with access to the vendor master file who can also enter invoices will still be able to perpetrate and conceal fraud.
Answer (D) is correct. Control is enhanced by segregation of duties. Different persons or organizational subunits should authorize transactions, record (account for) transactions, and have custody of assets. Individuals who maintain the list of authorized vendors (the vendor master file) are in a position to perpetrate and conceal fraud if they also perform the accounting function for accounts payable. Hence, these functions should be segregated.

[612] Gleim #: 7.1.1
In the course of their work, internal auditors must be alert for fraud and other forms of white-collar crime.
The important characteristic that distinguishes fraud from other varieties of white-collar crime is that
A. Fraud is characterized by deceit, concealment, or violation of trust.
B. Unlike other white-collar crimes, fraud is always perpetrated against an outside party.
C. White-collar crime is usually perpetrated for the benefit of an organization, but fraud benefits an individual.
D. White-collar crime is usually perpetrated by outsiders to the detriment of an organization, but fraud is perpetrated by insiders to benefit the organization.
Answer (A) is correct. Fraud is defined in The IIA Glossary as “any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
Answer (B) is incorrect. Fraud may be perpetrated internally.
Answer (C) is incorrect. Fraud may be perpetrated for the organization’s benefit or for otherwise unselfish reasons.
Answer (D) is incorrect. Fraud may be perpetrated by insiders and outsiders, and it may be either beneficial or detrimental to an organization.

[613] Gleim #: 7.1.2
Which of the following wrongful acts committed by an employee constitutes fraud?
A. Libel.
B. Embezzlement.
C. Assault.
D. Harassment.
Answer (A) is incorrect. Libel is defamation published in a relatively permanent form (newspaper, letter, film, etc.).
Answer (B) is correct. Fraud is defined in The IIA Glossary as “any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force.
Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.” Embezzlement is the intentional appropriation of property entrusted to one’s care. The embezzler converts property to his/her own use and conceals the theft.
Answer (C) is incorrect. The tort of assault entails placing another in reasonable fear of a harmful or offensive bodily contact.
Answer (D) is incorrect. Harassment is the act of persistently annoying another.

[614] Gleim #: 7.1.3
One factor that distinguishes fraud from other employee crimes is that fraud involves
A. Intentional deception.
B. Personal gain for the perpetrator.
C. Collusion with a party outside the organization.
D. Malicious motives.
Answer (A) is correct. Fraud is defined in The IIA Glossary as “any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
Answer (B) is incorrect. Fraud may be perpetrated for the organization’s benefit or for otherwise unselfish reasons.
Answer (C) is incorrect. An employee may act alone.
Answer (D) is incorrect. Fraud may be perpetrated for the organization’s benefit or for otherwise unselfish reasons.

[615] Gleim #: 7.1.4
A key feature that distinguishes fraud from other types of crime or impropriety is that fraud always involves the
A. Violent or forceful taking of property.
B. Deceitful wrongdoing of management-level personnel.
C. Unlawful conversion of property that is lawfully in the custody of the perpetrator.
D. False representation or concealment of a material fact.
Answer (A) is incorrect. Fraud usually does not involve force or violence.
Answer (B) is incorrect. Employees at any level in an organization can commit fraud.
Answer (C) is incorrect. Embezzlement is the unlawful conversion of property that is lawfully in the custody of the perpetrator.
Answer (D) is correct. Fraud is defined in The IIA Glossary as “any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

[616] Gleim #: 7.1.5
Which of the following statements is (are) true regarding the prevention of fraud?
I. The primary means of preventing fraud is through internal control established and maintained by management.
II. Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating the adequacy of the internal control system.
III. Internal auditors should assess the operating effectiveness of fraud-related communication systems.
A. I only.
B. I and II only.
C. II only.
D. I, II, and III.
Answer (A) is incorrect. Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating the adequacy of the internal control system, and internal auditors should assess the operating effectiveness of fraud-related communication systems.
Answer (B) is incorrect. Internal auditors should assess the operating effectiveness of fraud-related communication systems.
Answer (C) is incorrect. The primary means of preventing fraud is through internal control established and maintained by management, and internal auditors should assess the operating effectiveness of fraud-related communication systems.
Answer (D) is correct.
Control is the principal means of preventing fraud. Management is primarily responsible for the establishment and maintenance of control. Internal auditors, in turn, are primarily responsible for preventing fraud by examining and evaluating the adequacy and effectiveness of control. Internal auditors also should assess the operating effectiveness of fraud-related communication systems and practices and support fraud-related training.

[617] Gleim #: 7.1.6
A significant employee fraud took place shortly after an internal auditing engagement. The internal auditor may not have properly fulfilled the responsibility for the prevention of fraud by failing to note and report that
A. Policies, practices, and procedures to monitor activities and safeguard assets were less extensive in low-risk areas than in high-risk areas.
B. A system of control that depended upon separation of duties could be circumvented by collusion among three employees.
C. There were no written policies describing prohibited activities and the action required whenever violations are discovered.
D. Divisional employees had not been properly trained to distinguish between bona fide signatures and cleverly forged ones on authorization forms.
Answer (A) is incorrect. For cost-benefit reasons, controls should be more extensive in high-risk areas.
Answer (B) is incorrect. Even the best system of control can often be circumvented by collusion.
Answer (C) is correct. Management is responsible for establishing and maintaining internal control. Thus, management also is responsible for the fraud prevention program. The control environment element of this program includes a code of conduct, ethics policy, or fraud policy to set the appropriate tone at the top. Moreover, organizations should establish effective fraud-related information and communication practices, for example, documentation and dissemination of policies, guidelines, and results.
Answer (D) is incorrect. Forgery, like collusion, can circumvent even an effective control.

[618] Gleim #: 7.1.7
In an organization with a separate division that is primarily responsible for the prevention of fraud, the internal audit activity is responsible for
A. Examining and evaluating the adequacy and effectiveness of that division’s actions taken to prevent fraud.
B. Establishing and maintaining that division’s system of internal control.
C. Planning that division’s fraud prevention activities.
D. Controlling that division’s fraud prevention activities.
Answer (A) is correct. Control is the principal means of preventing fraud. Management is primarily responsible for the establishment and maintenance of control. Internal auditors are primarily responsible for preventing fraud by examining and evaluating the adequacy and effectiveness of control.
Answer (B) is incorrect. Establishing and maintaining control is a responsibility of management.
Answer (C) is incorrect. Planning fraud prevention activities is a responsibility of management.
Answer (D) is incorrect. Controlling fraud prevention activities is a responsibility of management.

[619] Gleim #: 7.1.8
Internal auditors have a responsibility for helping to deter fraud. Which of the following best describes how this responsibility is usually met?
A. By coordinating with security personnel and law enforcement agencies in the investigation of possible frauds.
B. By testing for fraud in every engagement and following up as appropriate.
C. By assisting in the design of control systems to prevent fraud.
D. By evaluating the adequacy and effectiveness of controls in light of the potential exposure or risk.
Answer (A) is incorrect. Investigating possible frauds involves detection, not deterrence.
Answer (B) is incorrect. Testing for fraud in every engagement is not required.
Answer (C) is incorrect. Designing systems impairs an internal auditor’s objectivity.
Answer (D) is correct. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of controls.

[620] Gleim #: 7.1.9
Which of the following describes one of the responsibilities of the internal auditor for the deterrence of fraud in an organization?
A. Implementation of systems to discourage fraud.
B. Prosecuting perpetrators of fraud.
C. Reporting suspected fraud to law enforcement personnel.
D. Evaluating the adequacy of controls to prevent fraud.
Answer (A) is incorrect. Implementing systems is an operating function for which management is responsible.
Answer (B) is incorrect. Prosecuting perpetrators of fraud is a responsibility of management.
Answer (C) is incorrect. Reporting suspected fraud to law enforcement personnel is a responsibility of management.
Answer (D) is correct. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of controls.

[621] Gleim #: 7.1.10
Internal auditing is responsible for assisting in the prevention of fraud by
A. Informing the appropriate authorities within the organization and recommending whatever investigation is considered necessary in the circumstances when wrongdoing is suspected.
B. Establishing the organization’s governance, operations, and information systems concerning compliance with laws, regulations, and contracts.
C. Examining and evaluating the adequacy and the effectiveness of control, commensurate with the extent of the potential exposure or risk in the various segments of the organization’s operations.
D. Determining whether operating standards are acceptable and are being met.
Answer (A) is incorrect. Informing appropriate authorities in the organization when the internal auditor suspects wrongdoing concerns the internal auditor’s obligation for detecting, not preventing, fraud.
Answer (B) is incorrect. Management is responsible for establishing these systems.
Answer (C) is correct. Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating the adequacy and the effectiveness of controls.
Answer (D) is incorrect. These standards are criteria to determine whether operational objectives and goals have been accomplished. They do not concern prevention of fraud.

[622] Gleim #: 7.1.11
The internal auditors’ responsibility regarding fraud includes all of the following except
A. Determining whether the control environment sets the appropriate tone at the top.
B. Ensuring that fraud will not occur.
C. Being aware of activities in which fraud is likely to occur.
D. Evaluating the effectiveness of control activities.
Answer (A) is incorrect. Internal auditing is responsible for evaluating the organization’s control environment.
Answer (B) is correct. Control is the principal means of preventing fraud, and management is responsible for establishing and maintaining internal control. Thus, internal auditors cannot give absolute assurance that noncompliance or fraud does not exist.
Answer (C) is incorrect. The internal auditor should have sufficient knowledge of fraud indicators and be alert to opportunities that could allow fraud.
Answer (D) is incorrect. Assessing the design and operating effectiveness of fraud-related controls is the responsibility of internal auditing.

[623] Gleim #: 7.1.12
The internal audit activity’s responsibility for preventing fraud is to
A. Establish internal control.
B. Maintain internal control.
C. Evaluate the system of internal control.
D. Exercise operating authority over fraud prevention activities.
Answer (A) is incorrect. Establishing internal control is management’s responsibility.
Answer (B) is incorrect. Maintaining internal control is management’s responsibility.
Answer (C) is correct. Control is the principal means of preventing fraud. Management is primarily responsible for the establishment and maintenance of control. Internal auditors, in turn, are primarily responsible for preventing fraud by examining and evaluating the adequacy and effectiveness of control.
Answer (D) is incorrect. Operating authority is a management function.

[624] Gleim #: 7.1.13
After noting some red flags, an internal auditor has an increased awareness that fraud may be present. Which of the following best describes the internal auditor’s responsibility?
A. Expand activities to determine whether an investigation is warranted.
B. Report the possibility of fraud to senior management and the board and ask them how they would like to proceed.
C. Consult with external legal counsel to determine the course of action to be taken, including the approval of the proposed engagement work program to make sure it is acceptable on legal grounds.
D. Report the matter to the audit committee and request funding for outside service providers to help investigate the possible fraud.
Answer (A) is correct. An internal auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
Answer (B) is incorrect. The internal auditor should notify the appropriate authorities within the organization if (s)he has determined that the indicators of fraud are sufficient to recommend an investigation.
Answer (C) is incorrect.
The internal auditor does not have the authority to consult with external legal counsel.
Answer (D) is incorrect. The internal auditor should report the matter and request funding for outside service providers only if (s)he has determined that the indicators of fraud are sufficient to recommend an investigation.

[625] Gleim #: 7.1.14
An internal auditor who suspects fraud should
A. Determine that a loss has been incurred.
B. Interview those who have been involved in the control of assets.
C. Identify the employees who could be implicated in the case.
D. Recommend an investigation if appropriate.
Answer (A) is incorrect. Determining the loss could alert the perpetrator of the fraud. The perpetrator could then destroy or compromise evidence.
Answer (B) is incorrect. Interviewing those who have been involved in the control of assets is part of the fraud investigation.
Answer (C) is incorrect. Identifying the employees who could be implicated in the case is part of the fraud investigation.
Answer (D) is correct. An internal auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

[626] Gleim #: 7.1.15
An international nonprofit organization finances medical research. The majority of its revenue and support comes from fundraising activities, investments, and specific grants from an initial sponsoring corporation. The organization has been in operation over 15 years and has a small internal audit department. The organization has just finished a major fundraising drive that raised US $500 million for the current fiscal period.
The following are selected data from recent financial statements (US dollar figures in millions):

                                   Current Year   Past Year
Revenue                            US $500        US $425
Investments (average balances)     210            185
Medical research grants made       418            325
Investment income                  16             20
Administrative expense             10             6

Auditors must always be alert for the possibility of fraud. Assume the controls over each risk listed below are marginal. Which of the following possible frauds or misuses of organization assets should be considered the area of greatest risk?
A. The president is using company travel and entertainment funds for activities that might be considered questionable.
B. Purchases of supplies are made from fictitious vendors.
C. Grants are made to organizations that might be associated with the president or are not for purposes dictated in the organization’s charter.
D. The payroll clerk has added ghost employees.
Answer (A) is incorrect. Administrative expense is 2% (10 ÷ 500) of current revenue.
Answer (B) is incorrect. Purchases of supplies from fictitious vendors involve risk exposures that are far less than those arising from inappropriate grants.
Answer (C) is correct. Grants represent 83.6% (418 ÷ 500) of current revenue. Consequently, fraudulent grants constitute a much greater risk exposure than any of the other items listed.
Answer (D) is incorrect. The payroll clerk’s addition of ghost employees involves risk exposures that are far less than those arising from inappropriate grants.

[627] Gleim #: 7.1.16
Internal auditors are more likely to detect fraud by developing/strengthening their ability to
A. Recognize and question changes that occur in organizations.
B. Interrogate fraud perpetrators to discover why the fraud was committed.
C. Develop internal controls to prevent the occurrence of fraud.
D. Document computerized operating system programs.
Answer (A) is correct. An internal auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
Answer (B) is incorrect. Interrogation of fraud perpetrators occurs after detection. The danger signals of fraud often involve negative organizational changes.
Answer (C) is incorrect. The controls mentioned are preventive, not detective.
Answer (D) is incorrect. Documentation of operating systems is not within the scope of internal auditing and would do little to enhance fraud detection skills.

[628] Gleim #: 7.1.17
When an internal auditor identifies multiple factors that have been linked with possible fraudulent conditions and suspects that fraud has taken place, the auditor should
A. Immediately report to senior management and the board.
B. Immediately report to the board.
C. Recommend an investigation.
D. Extend tests to determine the extent of the fraud.
Answer (A) is incorrect. Immediate reporting by the CAE to senior management and the board is required only after a sufficient investigation has been made to establish reasonable certainty that a significant fraud has occurred. Thus, reasonable certainty is necessary before any fraud reporting is made.
Answer (B) is incorrect. Immediate reporting by the CAE to senior management and the board is required only after a sufficient investigation has been made to establish reasonable certainty that a significant fraud has occurred. Thus, reasonable certainty is necessary before any fraud reporting is made.
Answer (C) is correct. An internal auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
Answer (D) is incorrect.
Extended tests to determine the extent of fraud are performed after the fraud has in fact been determined, not suspected.

[629] Gleim #: 7.1.18
An internal auditor suspects that a mailroom clerk is embezzling funds. In exercising due professional care, the internal auditor should
A. Reassign the clerk to another department.
B. Institute stricter controls over mailroom operations.
C. Evaluate fraud indicators and decide whether further action is necessary.
D. Confront the clerk with the auditor’s suspicions.
Answer (A) is incorrect. Personnel assignments are the responsibility of management.
Answer (B) is incorrect. The system of internal controls is management’s responsibility.
Answer (C) is correct. An internal auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
Answer (D) is incorrect. An internal auditor should not confront a suspect until the proper authorities have been notified and have determined the appropriate action.

[630] Gleim #: 7.1.19
An internal auditor’s field work uncovers a series of transactions that indicate a possible embezzlement. Which of the following actions should the chief audit executive take?
A. Confront the suspected embezzler to determine that the facts are correct.
B. Review the finding with the suspect’s fellow workers to see whether the workers can furnish additional evidence.
C. Decide whether to recommend an investigation.
D. Discuss the case with the board.
Answer (A) is incorrect. The internal auditor should avoid confronting suspected employees. Employees suspected of theft or fraud have certain common law and statutory rights that, if infringed upon, can be costly to the organization.
Answer (B) is incorrect.
Fellow workers may also be involved in the embezzlement.
Answer (C) is correct. An internal auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
Answer (D) is incorrect. The CAE should determine the extent, if any, of the fraud before presenting it to the board.

[631] Gleim #: 7.1.20
Which of the following best describes an auditor’s responsibility after noting some indicators of fraud?
A. Expand activities to determine whether an investigation is warranted.
B. Report the possibility of fraud to senior management and ask how to proceed.
C. Consult with external legal counsel to determine the course of action to be taken.
D. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.
Answer (A) is correct. An internal auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
Answer (B) is incorrect. The internal auditor should notify senior management and the board only if (s)he has determined that the indicators of fraud are sufficient to recommend an investigation.
Answer (C) is incorrect. The internal auditor does not have the authority to consult with external legal counsel.
Answer (D) is incorrect. The internal auditor should notify the audit committee only if (s)he has determined that the indicators of fraud are sufficient to recommend an investigation.

[632] Gleim #: 7.1.21
Which of the following policies is most likely to result in an environment conducive to the occurrence of fraud?
A. Budget preparation input by the employees who are responsible for meeting the budget.
B.
Unreasonable sales and production goals.
C. The division’s hiring process frequently results in the rejection of adequately trained applicants.
D. The application of some accounting controls on a sample basis.
Answer (A) is incorrect. Participatory budgeting can reduce antagonism to budgets and reduce the likelihood of inappropriate means of meeting the budget.
Answer (B) is correct. Unrealistically high sales or production quotas can be an incentive to falsify the records or otherwise take inappropriate action to improve performance measures so that the quotas appear to have been met.
Answer (C) is incorrect. Hiring policies should be based on factors other than adequate training, such as the applicants’ personal integrity. Furthermore, hiring of all adequately trained applicants is unlikely to be necessary.
Answer (D) is incorrect. Under the reasonable assurance concept, the cost of controls should not exceed their benefits. The cost of applying controls to all relevant transactions rather than a sample may be greater than the resultant savings.

[633] Gleim #: 7.1.22
The following are facts about a subsidiary:
1. The subsidiary has been in business for several years and enjoyed good profit margins although the general economy was in a recession, which affected competitors.
2. The working capital ratio has declined from a healthy 3:1 to 0.9:1.
3. Turnover for the last several years has included three controllers, two supervisors of accounts receivable, four payables supervisors, and numerous staff in other financial positions.
4. Purchasing policy requires three bids. However, the supervisor of purchasing at the subsidiary has instituted a policy of sole-source procurement to reduce the number of suppliers.
When conducting a financial audit of the subsidiary, the internal auditor should
A.
Most likely not detect 1., 2., or 3.
B. Ignore 2. since the economy had a downturn during this period.
C. Consider 3. to be normal turnover, but be concerned about 2. and 4. as warning signals of fraud.
D. Consider 1., 2., 3., and 4. as warning signals of fraud.
Answer (A) is incorrect. The items described can be detected through usual procedures in a financial audit.
Answer (B) is incorrect. Although the economy suffered a downturn, the change in working capital is unusual in light of the continuing strong profit margins and should be investigated.
Answer (C) is incorrect. The working capital ratio, the high employee turnover rate, and the sole-source procurement policy are all warning signals of fraud.
Answer (D) is correct. That the organization has reported high profits when competitors have not may indicate a misstatement of the financial statements. Insufficient working capital may indicate such problems as overexpansion, decreases in revenues, transfers of funds to other organizations, insufficient credit, and excessive expenditures. The internal auditor should be alert for the diversion of funds for personal use through such methods as unrecorded sales and falsified expenditures. Rapid turnover in financial positions may signify existing problems with which the individuals feel uncomfortable but that they do not want to disclose. Accountability for funds and other resources should be determined upon termination of employment. Use of sole-source procurement does not encourage competition to ensure that the organization is obtaining the required materials or equipment at the best price. Sole-source procurement, if not adequately justified, indicates potential favoritism or kickbacks.

[634] Gleim #: 7.1.23
When comparing perpetrators who have embezzled an organization’s funds with perpetrators of financial statement fraud (falsified financial statements), those who have falsified financial statements are less likely to
A. Have experienced an autocratic management style.
B. Be living beyond their obvious means of support.
C. Rationalize the fraudulent behavior.
D. Use organizational expectations as justification for the act.
Answer (A) is incorrect. Autocratic management styles have been linked to management (financial statement) fraud.
Answer (B) is correct. Living beyond one’s means has been linked to employee fraud (embezzlement), not to financial statement fraud. Fraud perpetrated for the benefit of the organization ordinarily benefits the wrongdoer indirectly, whereas fraud that is detrimental to the organization provides immediate, direct benefits to the employee.
Answer (C) is incorrect. Rationalization is common to all fraud.
Answer (D) is incorrect. High expectations are often given as a motivating factor by those who have committed financial statement fraud.

[635] Gleim #: 7.1.24
Internal auditors have been advised to consider red flags to determine whether management is involved in a fraud. Which of the following does not represent a difficulty in using the red flags as fraud indicators?
A. Many common red flags are also associated with situations in which no fraud exists.
B. Some red flags are difficult to quantify or to evaluate.
C. Red flag information is not gathered as a normal part of an engagement.
D. The red flags literature is not well enough established to have a positive impact on internal auditing.
Answer (A) is incorrect. Red flags are developed by correlation analysis, not necessarily by causation analysis.
Answer (B) is incorrect. Many red flags, such as management’s attitude, are difficult to quantify.
Answer (C) is incorrect. Internal auditors should be able to identify fraud indicators and should be alert to opportunities that could allow fraud. However, internal auditors do not normally perform procedures specifically to gather red flag information.
Answer (D) is correct. The state of red flags literature is not a difficulty. It is well established and will be refined in the future as research is done. Thus, it does not preclude consideration of red flags.

[636] Gleim #: 7.1.25
An internal auditor should be concerned about the possibility of fraud if
A. Cash receipts, net of the amounts used to pay petty cash-type expenditures, are deposited in the bank daily.
B. The monthly bank statement reconciliation is performed by the same employee who maintains the perpetual inventory records.
C. The accounts receivable subsidiary ledger and accounts payable subsidiary ledger are maintained by the same person.
D. One person, acting alone, has sole access to the petty cash fund (except for a provision for occasional surprise counts by a supervisor or auditor).
Answer (A) is correct. Paying petty cash expenditures from cash receipts facilitates the unauthorized removal of cash before deposit. All cash receipts should be deposited intact daily. Petty cash expenditures should be handled through an imprest fund.
Answer (B) is incorrect. The monthly bank reconciliation should not be performed by a person who makes deposits or writes checks, but the inventory clerk has no such responsibilities.
Answer (C) is incorrect. There is no direct relationship between the transactions posted to the accounts receivable and accounts payable subsidiary ledgers; having the same person maintain both does not create a control weakness.
Answer (D) is incorrect.
To establish accountability for petty cash, only one person should have access to the fund.

[637] Gleim #: 7.1.26
Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . “crisis management” is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn’t even worry about making the accounts balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. “It would take two or three people to replace me,” he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year.
(6) He also joined an expensive country club. Things were changing at home, however. (7) John’s family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy’s bank required an audit. John confessed when he thought the auditors had discovered his embezzlements.
When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.
Number 1, “John was trusted completely . . .,” is an example of a(n)
A. Document symptom.
B. Situational pressure.
C. Opportunity to commit.
D. Physical symptom.
Answer (A) is incorrect. Complete trust is an opportunity to commit a fraud.
Answer (B) is incorrect. Complete trust is an opportunity to commit a fraud.
Answer (C) is correct. Complete trust in an individual represents an opportunity to commit fraud. John’s actions went unscrutinized because of the absence of an appropriate segregation of functions and his ability to override whatever control procedures were in place.
Answer (D) is incorrect. Complete trust is an opportunity to commit a fraud.

[638] Gleim #: 7.1.27
Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . “crisis management” is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn’t even worry about making the accounts balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. “It would take two or three people to replace me,” he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John’s family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy’s bank required an audit. John confessed when he thought the auditors had discovered his embezzlements.
When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.
Number 2, “Randy was always handling the most urgent . . .,” is an example of a(n)
A. Opportunity to commit.
B. Analytical symptom.
C. Situational pressure.
D. Rationalization.
Answer (A) is correct. When a manager continually handles the most pressing issues of a company, an opportunity for the manager to commit fraud is created. The lack of long-range planning creates a potential for fraud because organizational objectives may have been replaced with individual initiatives.
Answer (B) is incorrect. Crisis management provides an opportunity to commit fraud.
Answer (C) is incorrect. Crisis management provides an opportunity to commit fraud.
Answer (D) is incorrect. Crisis management provides an opportunity to commit

[639] Gleim #: 7.1.28
Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . “crisis management” is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small.
John didn’t even worry about making the accounts balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. “It would take two or three people to replace me,” he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John’s family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy’s bank required an audit. John confessed when he thought the auditors had discovered his embezzlements.
When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.
Number 3, “Difficulties with personal financial problems,” is an example of a(n)
A. Behavioral symptom.
B. Situational pressure.
C. Rationalization.
D. Opportunity to commit.
Answer (A) is incorrect. Personal financial problems are a situational pressure to commit a fraud.
Answer (B) is correct. Financial difficulties create situational pressures or temptations that may contribute to fraud. These situational pressures result from high personal indebtedness, extravagant lifestyles, gambling problems, etc.
Answer (C) is incorrect. Personal financial problems are a situational pressure to commit a fraud.
Answer (D) is incorrect.
Personal financial problems are a situational pressure to commit a fraud.

[640] Gleim #: 7.1.29
Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . “crisis management” is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn’t even worry about making the accounts balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. “It would take two or three people to replace me,” he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year.
(6) He also joined an expensive country club. Things were changing at home, however. (7) John’s family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy’s bank required an audit. John confessed when he thought the auditors had discovered his embezzlements.
When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.
Number 4, “and that he contributed much more . . .,” is an example of a
A. Rationalization.
B. Behavioral symptom.
C. Situational pressure.
D. Physical symptom.
Answer (A) is correct. Rationalization occurs when one attributes actions to rational and creditable motives without analysis of one’s true and especially unconscious motives. Thus, a feeling that one is contributing more than one is paid would be a rationalization for committing fraud.
Answer (B) is incorrect. The belief that compensation is inadequate is a possible rationalization for improprieties.
Answer (C) is incorrect. The belief that compensation is inadequate is a possible rationalization for improprieties.
Answer (D) is incorrect. The belief that compensation is inadequate is a possible rationalization for improprieties.

[641] Gleim #: 7.1.30
Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father.
His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . “crisis management” is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn’t even worry about making the accounts balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. “It would take two or three people to replace me,” he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John’s family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy’s bank required an audit. John confessed when he thought the auditors had discovered his embezzlements.
When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.
Number 5, “he made the books balance,” is an example of a(n)
A. Physical symptom.
B. Analytical symptom.
C. Lifestyle symptom.
D. Document symptom.
Answer (A) is incorrect. Making the “books balance” is an example of a document symptom.
Answer (B) is incorrect. Making the “books balance” is an example of a document symptom.
Answer (C) is incorrect. Making the “books balance” is an example of a document symptom.
Answer (D) is correct. Tampering with the company’s books is a document symptom. In other words, the indicator of fraud consists of the changes in actual company records.

[642] Gleim #: 7.1.31
Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . .
. “crisis management” is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn’t even worry about making the accounts balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. “It would take two or three people to replace me,” he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John’s family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy’s bank required an audit. John confessed when he thought the auditors had discovered his embezzlements.
When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.
Number 6, “He also joined an expensive country club,” is an example of a
A. Rationalization.
B. Lifestyle symptom.
C. Behavioral symptom.
D. Physical symptom.
Answer (A) is incorrect. Joining an expensive country club is an example of a lifestyle symptom.
Answer (B) is correct. John was living beyond his means. The change in lifestyle was a symptom that indicated the presence of fraud.
Answer (C) is incorrect. Joining an expensive country club is an example of a lifestyle symptom.
Answer (D) is incorrect.
Joining an expensive country club is an example of a lifestyle symptom.

[643] Gleim #: 7.1.32
Randy and John had known each other for many years. They had become best friends in college, where they both majored in accounting. After graduation, Randy took over the family business from his father. His family had been in the grocery business for several generations. When John had difficulty finding a job, Randy offered him a job in the family store. John proved to be a very capable employee. As John demonstrated his abilities, Randy began delegating more and more responsibility to him. After a period of time, John was doing all of the general accounting and authorization functions for checks, cash, inventories, documents, records, and bank reconciliations. (1) John was trusted completely and handled all financial functions. No one checked his work. Randy decided to expand the business and opened several new stores. (2) Randy was always handling the most urgent problem . . . “crisis management” is what his college professors had termed it. John assisted with the problems when his other duties allowed him time. Although successful at work, John had (3) difficulties with personal financial problems. At first, the amounts stolen by John were small. John didn’t even worry about making the accounts balance. But John became greedy. “How easy it is to take the money,” he said. He felt that he was a critical member of the business team (4) and that he contributed much more to the success of the company than was represented by his salary. “It would take two or three people to replace me,” he often thought to himself. As the amounts became larger and larger, (5) he made the books balance. Because of these activities, John was able to purchase an expensive car and take his family on several trips each year. (6) He also joined an expensive country club. Things were changing at home, however. (7) John’s family observed that he was often argumentative and at other times very depressed. The fraud continued for 6 years. Each year, the business performed more and more poorly. In the last year, the stores had a substantial net loss. Randy’s bank required an audit. John confessed when he thought the auditors had discovered his embezzlements.
When discussing frauds, the pressures, opportunities, and rationalizations that cause/allow a perpetrator to commit the fraud are often identified. Symptoms of fraud are also studied.
Number 7, “John’s family observed that he was often argumentative . . .,” is an example of a
A. Rationalization.
B. Lifestyle symptom.
C. Behavioral symptom.
D. Physical symptom.
Answer (A) is incorrect. Being argumentative is an example of a behavioral symptom.
Answer (B) is incorrect. Being argumentative is an example of a behavioral symptom.
Answer (C) is correct. A drastic change in an employee’s behavior may indicate the presence of fraud. The guilt and the other forms of stress associated with perpetrating and concealing the fraud may induce noticeable changes in behavior.
Answer (D) is incorrect. Being argumentative is an example of a behavioral

[644] Gleim #: 7.1.33
Which of the following is an indicator of possible financial reporting fraud being perpetrated by management of a manufacturer?
A. A trend analysis discloses (1) sales increases of 50% and (2) cost of goods sold increases of 25%.
B. A ratio analysis discloses cost of goods sold is 50% of sales.
C.
A cross-sectional analysis of common size statements discloses (1) the firm’s percentage of cost of goods sold to sales is 40% and (2) the industry average percentage of cost of goods sold to sales is 50%. D. A cross-sectional analysis of common size statements discloses (1) the firm’s percentage of cost of goods sold to sales is 50% and (2) the industry average percentage of cost of goods sold to sales is 40%. Answer (A) is correct. Increases in sales are usually accompanied by close to proportional increases in cost of goods sold. Examples of situations in which increases in sales can be disproportionately larger than increases in cost of goods sold include (1) operations within the realm of economies of scale (increasing returns to scale) and (2) the introduction of a highly accepted fashion item. Cases in which disproportionately large sales increases indicate fraudulent conduct include (1) collusion by the host firm’s sales personnel and the buying firm’s purchasing personnel and (2) collusion by members of two departments within the host firm, such as sales and transportation. Because the internal auditor would not know whether the disproportionately large increase in sales is legitimate, the auditor should view this condition as an indicator of possible fraud. Answer (B) is incorrect. A gross profit margin of 50% is not an indicator of fraud. Manufacturers can expect a range of 40-60% for this ratio. Answer (C) is incorrect. These data indicate an industry gross profit margin of 50% and host firm gross profit margin (GPM) of 40%. The greater GPM realized by the host firm may result from any number of reasonable causes. These include (1) greater efficiencies exercised by the host firm, (2) greater sales effort (or a more highly accepted product), and (3) measurement errors. Answer (D) is incorrect. These data indicate an industry gross profit margin (GPM) of 40% and a host firm GPM of 50%. 
The lower GPM realized by the host firm may result from such causes as (1) host firm inefficiencies; (2) less acceptance of host firm product, or less sales effort; and (3) measurement errors.

[645] Gleim #: 7.1.34

Which of the following would indicate that fraud may be taking place in a marketing department?

A. There is no documentation for some fairly large expenditures made to a new vendor.
B. A manager appears to be living a lifestyle that is in excess of what could be provided by a marketing manager’s salary.
C. The control environment can best be described as “very loose.” However, this attitude is justified by management on the grounds that it is needed for creativity.
D. All of the answers are correct.

Answer (A) is incorrect. Lack of documentation for expenditures is a potential fraud symptom.
Answer (B) is incorrect. A manager’s inappropriate lifestyle is a potential fraud symptom.
Answer (C) is incorrect. Management’s careless approach to control is a potential fraud symptom.
Answer (D) is correct. An internal auditor’s responsibilities for the detection of fraud include having sufficient knowledge to identify indicators that fraud may have been committed; being alert to opportunities, such as control weaknesses, that could allow fraud to occur; and evaluating the indicators of fraud sufficiently to determine whether any further action is needed or whether a fraud investigation should be recommended. Among the many such indicators are lack of timely and appropriate documentation (including information about authorization) for material transactions, suspicious lifestyle characteristics of employees in a position to commit fraud, and management’s failure to display and communicate an appropriate attitude toward internal control.

[646] Gleim #: 7.1.35

When an internal auditor followed up on a significant increase in maintenance supplies during the past year, a purchasing agent explained to the internal auditor that the primary reason for the increase was painting services and supplies. The internal auditor found a blanket purchase order without the normal bid or quote documentation. The blanket purchase order had been signed by the general manager and named the general manager’s father as the sole contractor for painting services on the organization’s projects. The auditor also found a number of large invoices, authorized for payment by the general manager, that showed the general manager’s father as the person who signed for the receipt of the material at the supplier. Which is not a symptom of fraud as described in this situation?

A. Purchased material is not received by authorized organizational personnel.
B. Routine controls are suspended for certain transactions.
C. Purchased material is not delivered to a central location on the organization’s premises.
D. The use of blanket purchase orders.

Answer (A) is incorrect. The receipt of goods or services by non-organizational personnel is a symptom of fraud.
Answer (B) is incorrect. Suspension of normal and appropriate procedures is a fraud indicator.
Answer (C) is incorrect. The receipt of goods or services off-site is a symptom of fraud.
Answer (D) is correct. Fraud is characterized by intentional deception and can be perpetrated for the benefit or to the detriment of the organization. However, the use of blanket purchase orders is a normal business practice.

[647] Gleim #: 7.1.36

When an internal auditor followed up on a significant increase in maintenance supplies during the past year, a purchasing agent explained to the internal auditor that the primary reason for the increase was painting services and supplies. The internal auditor found a blanket purchase order without the normal bid or quote documentation. The blanket purchase order had been signed by the general manager and named the general manager’s father as the sole contractor for painting services on the organization’s projects. The auditor also found a number of large invoices, authorized for payment by the general manager, that showed the general manager’s father as the person who signed for the receipt of the material at the supplier. What is the common indicator of fraud recognized by the internal auditor in this scenario?

A. Analytical procedures revealed an extraordinary increase in account balances.
B. Paint and supplies are being purchased for a contractor.
C. The purchasing agent is selecting the contractor on the basis of a blanket purchase order.
D. Invoices are being authorized for payment by the general manager.

Answer (A) is correct. Analytical procedures are commonly performed by internal auditors to assess and evaluate information collected in an engagement. The assessment results from comparing information with expectations identified or developed by the internal auditor. Thus, an extraordinary increase in an account balance should be detected and investigated as the result of applying analytical methods.
Answer (B) is incorrect. The provision of paint is not an issue.
Answer (C) is incorrect. The purchasing agent is fulfilling this responsibility in accordance with the authority of a purchasing agent’s position.
Answer (D) is incorrect. The general manager may appropriately authorize payment.

[648] Gleim #: 7.1.37

Bank management suspects that a bank loan officer frequently made loans to fictitious entities, disbursed loan proceeds to personally established accounts, and then let the loans go into default. Some pertinent facts about the loan officer include
A high standard of living, explained as the result of sound investments and not taking vacations;
An expensive personal car obtained through business contacts;
Gasoline and repair bills submitted for a car assigned by the bank that are higher than the organization’s average (mileage logs were submitted on a quarterly basis); and
Marked annoyance with questions from internal auditors.
In this situation, typical indicators of the suspected fraud include all of the following except

A. Not taking an annual vacation.
B. Becoming easily annoyed with auditor inquiries about questionable loans.
C. Explaining a high standard of living as the result of investments.
D. Submitting gasoline and repair bills that are higher than company average.

Answer (A) is incorrect. Not taking an annual vacation suggests that the loan officer fears discovery of wrongdoing in his/her absence.
Answer (B) is incorrect. Becoming defensive may indicate a guilty conscience.
Answer (C) is incorrect. A high standard of living may be inconsistent with the loan officer’s income.
Answer (D) is correct. Submitting gasoline and repair bills that are higher than average is not correlated with making fraudulent loans. These factors are not controllable by the loan officer, so they cannot be indicators of unusual activity by him/her.

[649] Gleim #: 7.1.38

Which of the following is an indicator of increased risk of fraud? The treasurer

A. Takes all vacations and has just accepted a promotion to vice president of finance.
B. Takes no vacations and has just accepted a promotion to vice president of finance.
C. Takes all vacations and has refused promotion to vice president of finance.
D. Takes no vacations and has refused promotion to vice president of finance.

Answer (A) is incorrect. This combination of behaviors is not unusual.
Answer (B) is incorrect. This combination of behaviors is not unusual.
Answer (C) is incorrect. This combination of behaviors is not unusual.
Answer (D) is correct. Sawyer, in Sawyer’s Internal Auditing (p. 1018), states that “refusing to take vacations and shunning promotions” may indicate a fear of detection. The apparent lack of ambition is inconsistent with the treasurer’s diligence.

[650] Gleim #: 7.1.39

An engagement had been scheduled by the chief audit executive to address unusual inventory shortages revealed in the annual physical inventory process at a large consumer goods warehouse operation. A cycle count program had been installed in the storeroom at the beginning of the year in place of the disruptive process of counting one entire product line at the end of each month. The cycle count program appeared effective because only nine minor adjustments had been made for the entire year on the several thousand different products located in the storeroom. The storeroom supervisor explained that each of the 15 stockroom personnel selected one item each day for cycle count based on how efficiently the item could be counted. The opportunity for control-related problems including fraud has been increased in the stockroom because

A. Items for cycle count are selected by stockroom personnel.
B. A cycle count program has been installed in place of a less efficient program.
C. Only nine minor adjustments have been recorded as a result of the cycle count process.
D. Stockroom personnel record cycle count information.

Answer (A) is correct. The opportunity for fraud has been increased because stockroom personnel select the items for cycle count. Selection of items should be based on relative values or the relationship of an item to the total volume of transactions. Moreover, personnel who do not have custodial or record-keeping responsibilities should control the counts.
Answer (B) is incorrect. An appropriate and effective cycle count process should improve control.
Answer (C) is incorrect. The number of adjustments is not indicative of the level of control in this situation.
Answer (D) is incorrect. A properly controlled cycle count process could involve stockroom personnel in performing counts.

[651] Gleim #: 7.1.40

The internal audit activity has been assigned to perform an engagement involving a division. Based on background review, the internal auditor knows the following about management policies: Organizational policy is to rapidly promote divisional managers who show significant success. Thus, successful managers rarely stay at a division for more than 3 years. A significant portion of division management’s compensation comes in the form of bonuses based on the division’s profitability. The division was identified by senior management as a turnaround opportunity. The division is growing but is not scheduled for a full audit by the external auditors this year. The division has been growing about 7% per year for the past 3 years and uses a standard cost system.

During the preliminary review, the internal auditor notes the following changes in financial data compared with the prior year: Sales have increased by 10%. Cost of goods sold has increased by 2%. Inventory has increased by 15%. Divisional net profit has increased by 8%.

Which of the following items might alert the internal auditor to the possibility of fraud in the division?

A. The division is not scheduled for an external audit this year.
B. Sales have increased by 10%.
C. A significant portion of management’s compensation is directly tied to reported net profit of the division.
D. All of the answers are correct.

Answer (A) is incorrect. Lack of an external audit this year has not been identified as a significant red flag. In addition, the division is reviewed by the internal audit activity.
Answer (B) is incorrect. Sales have normally been increasing by about 7% at this division. Thus, an increase of 10%, by itself, is not unexpected and does not raise a red flag.
Answer (C) is correct. The internal auditor’s responsibilities for detecting fraud include having sufficient knowledge of fraud to be able to identify indicators that fraud may have been committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the types of frauds associated with the activities reviewed. For example, performance may be distorted because promotion and compensation (e.g., bonuses) are tied to profitability.
Answer (D) is incorrect. Not all responses are red flags.

[652] Gleim #: 7.1.41

An internal auditor is investigating the performance of a division with an unusually large increase in sales, gross margin, and profit. Which of the following indicators is least likely to indicate the possibility of sales-related fraud in the division?

A. A significant portion of divisional management’s compensation is based on reported divisional profits.
B. There is an unusually large amount of sales returns recorded after year-end.
C. The internal auditor has taken a random sample of sales invoices but cannot locate a shipping document for a number of the sales transactions selected for November and December.
D. One of the division’s major competitors went out of business during the year.

Answer (A) is incorrect. Basing management compensation on reported profits creates an incentive for fraud.
Answer (B) is incorrect. An unusually large amount of sales returns after year-end may indicate that invalid sales were recorded near the end of the year.
Answer (C) is incorrect. The lack of shipping documents may indicate that invalid sales were recorded during November and December.
Answer (D) is correct. A decrease in the number of competitors during the year is a reasonable explanation for the increase in sales and profits.

[653] Gleim #: 7.1.42

Which of the following is most likely to be considered an indication of possible fraud?

A. The replacement of the management team after a hostile takeover.
B. Rapid turnover of the organization’s financial executives.
C. Rapid expansion into new markets.
D. A government audit of the organization’s tax returns.

Answer (A) is incorrect. The replacement of the management team after a hostile takeover is not unusual.
Answer (B) is correct. Even the most effective internal control can sometimes be circumvented – perhaps by collusion of two or more employees. Thus, an auditor must be sensitive to certain conditions that might indicate the existence of fraud, including high personnel turnover. In the case of financial executives, high turnover may suggest a pattern of inflation of profits to obtain bonuses or other benefits, to secure advantages in the marketplace, or to conceal incompetence or rash actions.
Answer (C) is incorrect. Rapid expansion into new markets is not unusual.
Answer (D) is incorrect. A government audit of the organization’s tax returns is not unusual.

[654] Gleim #: 7.1.43

Red flags are conditions that indicate a higher likelihood of fraud.
Which of the following is not considered a red flag?

A. Management has delegated the authority to make purchases under a certain value to subordinates.
B. An individual has held the same cash-handling job for an extended period without any rotation of duties.
C. An individual handling marketable securities is responsible for making the purchases, recording the purchases, and reporting any discrepancies and gains/losses to senior management.
D. The assignment of responsibility and accountability in the accounts receivable department is not clear.

Answer (A) is correct. Delegating the authority to make purchases under a certain value to subordinates is an acceptable and common practice intended to limit risk while promoting efficiency. It is not, by itself, considered a red flag.
Answer (B) is incorrect. Lack of rotation of duties or cross-training for sensitive jobs is a red flag. Such a person may have a greater opportunity to commit and conceal fraud.
Answer (C) is incorrect. An inappropriate combination of duties is a red flag.
Answer (D) is incorrect. Establishing clear lines of authority and accountability not only helps to assign culpability but also has preventive effects.

[655] Gleim #: 7.1.44

The most common motivation for management fraud is the existence of

A. Vices, such as a gambling habit.
B. Job dissatisfaction.
C. Financial pressures on the organization.
D. The challenge of committing the perfect crime.

Answer (A) is incorrect. Vices are an example of motivators of fraud perpetrated for the benefit of individuals and to the organization’s detriment.
Answer (B) is incorrect. Job dissatisfaction is an example of motivators of fraud perpetrated for the benefit of individuals and to the organization’s detriment.
Answer (C) is correct.
Management fraud is intended to benefit organizations rather than individuals, so the existence of financial pressures is the most common motivation. Management perpetrators attempt to make their financial statements appear more attractive because of the financial pressures of stock market expectations, restrictive loan covenants, a poor cash position, etc.
Answer (D) is incorrect. The challenge of committing the perfect crime is an example of motivators of fraud perpetrated for the benefit of individuals and to the organization’s detriment.

[656] Gleim #: 7.1.45

Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset?

A. Debit expenses and credit the asset.
B. Debit the asset and credit another asset account.
C. Debit revenue and credit the asset.
D. Debit another asset account and credit the asset.

Answer (A) is correct. Most fraud perpetrators attempt to conceal their theft by charging it against an expense account. The result is that the recorded asset balance equals the actual amount on hand, and applying procedures to it will not detect the theft.
Answer (B) is incorrect. Debiting the stolen asset account simply increases the discrepancy between the recorded amount and the amount on hand.
Answer (C) is incorrect. An entry decreasing revenue is unusual and would attract attention.
Answer (D) is incorrect. This entry would not permanently conceal the fraud. It would simply shift the irreconcilable balance to another asset account.

[657] Gleim #: 7.2.46

When conducting fraud investigations, internal auditors should

A. Clearly indicate the extent of the internal auditors’ knowledge of the fraud when questioning suspects.
B. Assign personnel to the investigation in accordance with the engagement schedule established at the beginning of the fiscal year.
C. Perform its investigation independently of lawyers, security personnel, and specialists from outside the organization who are involved in the investigation.
D. Assess the probable level of, and the extent of complicity in, the fraud within the organization.

Answer (A) is incorrect. By always giving the impression that additional evidence is in reserve, the internal auditors are more apt to obtain complete and truthful answers.
Answer (B) is incorrect. Fraud investigations usually occur unexpectedly and cannot be scheduled in advance. Also, the fraud investigation must be conducted by individuals having the appropriate expertise, even if another engagement must be delayed.
Answer (C) is incorrect. The internal auditors should coordinate their activities with management, legal counsel, and other specialists.
Answer (D) is correct. When conducting fraud investigations, internal auditors or others should assess the level of, and the extent of complicity in, the fraud within the organization. This assessment can be critical to ensuring that (1) crucial evidence is not tainted or destroyed and (2) misleading information is not obtained from persons who may be involved.

[658] Gleim #: 7.2.47

Which of the following gives the internal auditor the authority to investigate fraud?

A. The Standards.
B. Common law.
C. Management.
D. The IIA’s Code of Ethics.

Answer (A) is incorrect. The internal auditor has authority only to recommend an investigation.
Answer (B) is incorrect. An internal auditor has no authority under common law.
Answer (C) is correct. Any fraud investigation undertaken by internal auditors must be authorized by management.
Answer (D) is incorrect. The IIA’s Code of Ethics does not mention fraud investigation.

[659] Gleim #: 7.2.48

Questions used to interrogate individuals suspected of fraud should

A. Adhere to a predetermined order.
B. Cover more than one subject or topic.
C. Move from the general to the specific.
D. Direct the individual to a desired answer.

Answer (A) is incorrect. The interviewee’s answer may suggest a follow-up question that should be asked before asking the next planned question.
Answer (B) is incorrect. This interviewing technique may be confusing for the respondent.
Answer (C) is correct. Internal auditors should be skilled in dealing with people and in communicating effectively. One important communications skill is the ability to conduct an effective interview. For example, initial questions in a fraud interview should be broad. In contrast with a directive approach emphasizing narrowly focused questions, this nondirective approach is more likely to elicit clarifications and unexpected observations from employees who are under suspicion.
Answer (D) is incorrect. The interrogator should avoid leading questions, that is, questions that suggest an answer.

[660] Gleim #: 7.2.49

If an internal auditor is interviewing three individuals, one of whom is suspected of committing a fraud, which of the following is the least effective approach?

A. Ask each individual to prepare a written statement explaining the individual’s actions.
B. Take the role of one seeking the truth.
C. Listen carefully to what each interviewee has to say.
D. Attempt to get the suspected individual to confess.

Answer (A) is incorrect. A written statement by the interviewee provides admissions of fact that may be compared with other evidence for possible inconsistencies or that may provide starting points for further investigation.
Answer (B) is incorrect. The interviewer should be objective, unemotional, and nonthreatening.
Answer (C) is incorrect.
Effective listening is a vital communication skill in many situations.
Answer (D) is correct. Because of the legal hazards and their lack of expertise in criminal interrogation, internal auditors should often defer to security specialists. An attempt to obtain a confession is threatening, contrary to the presumption of innocence, and not likely to gain the confidence of the interviewee.

[661] Gleim #: 7.2.50

Which of the following statements is correct regarding audit engagement workpaper documentation for a fraud investigation?

I. All incriminating evidence should be included in the workpapers.
II. All important testimonial evidence should be reviewed to ensure that it provides sufficient basis for the conclusions reached.
III. If interviews are held with a suspected perpetrator, written transcripts or statements should be included in the workpapers.

A. I only.
B. II only.
C. II and III only.
D. I, II, and III.

Answer (A) is incorrect. All important testimonial evidence should be reviewed to ensure that it provides sufficient basis for the conclusions reached, and if interviews are held with a suspected perpetrator, written transcripts or statements should be included in the workpapers.
Answer (B) is incorrect. All incriminating evidence should be included in the workpapers, and if interviews are held with a suspected perpetrator, written transcripts or statements should be included in the workpapers.
Answer (C) is incorrect. All incriminating evidence should be included in the workpapers.
Answer (D) is correct. Internal auditors must document relevant information to support the conclusions and engagement results (Perf. Std. 2330). Incriminating evidence, important testimonial evidence, and interviews with supply are clearly relevant and should be documented.

[662] Gleim #: 7.3.51

A purchasing agent acquired items for personal use with the organization’s funds. The organization allowed designated employees to purchase a specified amount per day in merchandise under open-ended contracts. Supervisory approval of the purchases was required, but that information was not communicated to the vendor. Instead of reviewing and authorizing each purchase order, supervisors routinely signed the authorization sheet at the end of the month without reviewing any of the supporting documentation. Because purchases of this nature were not subject to normal receiving policies, the dishonest employee picked up the supplies at the vendor’s warehouse. All purchases were for items routinely ordered by the organization. During the past year, the employee amassed enough merchandise to start a printing and photography business. Which of the following controls would have been most effective in preventing this fraud?

A. Allowing purchases only from a list of pre-approved vendors.
B. Requiring the use of prenumbered purchase orders for all purchases of merchandise.
C. Canceling supporting documents, such as purchase orders and receiving reports, at the time invoices are paid.
D. Establishing separation of duties between the ordering and receiving of merchandise.

Answer (A) is incorrect. The facts do not suggest that the vendor’s actions were inappropriate.
Answer (B) is incorrect. Prenumbering would not have prevented the fraud. The weakness is in the authorization and receiving procedures.
Answer (C) is incorrect. Canceling supporting documents when invoices are paid prevents the same document from being used to support two identical payments, but that is not the abuse here.
Answer (D) is correct. Separating the purchasing and receiving functions would have improved internal control.
If the supplies in question had been sent to the organization, and a receiving report had been prepared by an employee other than the one ordering the goods, the fraud could not have occurred. Moreover, the receiving department should not accept goods unless it has a blind copy of a properly approved purchase order for the items.

[663] Gleim #: 7.3.52

A purchasing agent acquired items for personal use with the organization’s funds. The organization allowed designated employees to purchase a specified amount per day in merchandise under open-ended contracts. Supervisory approval of the purchases was required, but that information was not communicated to the vendor. Instead of reviewing and authorizing each purchase order, supervisors routinely signed the authorization sheet at the end of the month without reviewing any of the supporting documentation. Because purchases of this nature were not subject to normal receiving policies, the dishonest employee picked up the supplies at the vendor’s warehouse. All purchases were for items routinely ordered by the organization. During the past year, the employee amassed enough merchandise to start a printing and photography business. Which of the following engagement procedures, performed by the internal auditor, is most likely to detect this fraud?

A. Tracing selected canceled checks to the cash payments journal and to the related vendors’ invoices.
B. Performing a trend analysis of printing supplies expenses for a 2-year period.
C. Tracing prices and quantities on selected vendors’ invoices to the related purchase orders.
D. Recomputing the clerical accuracy of selected vendors’ invoices, including discounts and sales taxes.

Answer (A) is incorrect. A legitimate vendor’s invoice existed for each cash payment related to this fraud.
Answer (B) is correct.
A basic premise underlying the application of analytical procedures is that plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary. Thus, performing a trend analysis of printing supplies expenses for a 2-year period should identify an excess use of supplies.
Answer (C) is incorrect. The issue is not whether the quantities ordered by the customer were billed but whether the transactions are authorized.
Answer (D) is incorrect. The issue is not whether the invoices are accurate but whether the transactions are authorized.

[664] Gleim #: 7.3.53

Which of the following controls is the least effective in preventing a fraud conducted by sending purchase orders to bogus vendors?

A. Require that all purchases be made from an authorized vendor list maintained independently of the individual placing the purchase order.
B. Require that only approved vendors be paid for purchases, based on actual production.
C. Require contracts with all major vendors from whom production components are purchased.
D. Require that total purchases for a month not exceed the total budgeted purchases for that month.

Answer (A) is incorrect. Segregating the selection and approval of reputable vendors from placement of actual orders is an effective means of preventing fraud.
Answer (B) is incorrect. Restricting payment to approved vendors is an effective means of preventing fraud.
Answer (C) is incorrect. Requiring contracts with major vendors is an effective means of preventing fraud.
Answer (D) is correct.
Requiring that total purchases for a month not exceed the total budgeted purchases for that month controls the total amount of expenditures, not whether a purchase has been requested and authorized, with whom the purchase orders are placed, or whether goods purchased are received. [665] Gleim #: 7.3.54 A potential problem for a manufacturer is that purchasing agents may take kickbacks or receive gifts from vendors in exchange for favorable contracts. Which of the following is the least effective in preventing this problem? A. A specific organizational policy prohibiting the acceptance of anything of value from a vendor. B. An organizational code of ethics that prohibits such activity. C. A requirement for the purchasing agent to develop a profile of all vendors before the vendors are added to the authorized vendor list. D. The establishment of long-term contracts with major vendors, with the contract terms approved by senior management. Answer (A) is incorrect. A policy prohibiting kickbacks and gifts from vendors provides guidance and influences behavior. Answer (B) is incorrect. A code of ethics gives direction to the purchasing agents and is helpful in influencing behavior. Answer (C) is correct. A requirement for the purchasing agent to develop a profile of all vendors is the least effective approach because it concerns only the authorization of vendors, a function that should be performed independently of the purchasing agent. It does not address the purchasing agent’s relationships with approved vendors. Answer (D) is incorrect. Approval of long-term vendor contracts by senior management is an effective procedure that is increasingly being used by many organizations. [666] Gleim #: 7.3.55 A purchasing agent received expensive gifts from a vendor in return for directing a significant amount of business to that vendor. Which of the following organizational policies most effectively prevents such an occurrence? A. 
All purchases exceeding specified monetary amounts should be approved by an official who determines compliance with budgetary requirements. B. Important high-volume materials should regularly be purchased from at least two different sources in order to afford supply protection. C. The purchasing function should be decentralized so each department manager or supervisor does his/her own purchasing. D. Competitive bids should be solicited on purchases to the maximum extent that is practicable. Answer (A) is incorrect. The problem is vendor selection, not authorization of purchases. Answer (B) is incorrect. A purchasing agent could still display favoritism to one of the vendors. Answer (C) is incorrect. Decentralization creates more opportunities for buyer fraud. Answer (D) is correct. In the absence of special circumstances, competitive bidding is a legitimate and effective means of obtaining the lowest price consistent with quality. It is a practice that exploits competition in the market place. Competitive bidding also serves as a control over fraud by restricting the ability of a purchasing agent to reward a favored vendor. [667] Gleim #: 7.3.56 A fraud was perpetrated in a moderate-sized organization when the accounting clerk was delegated too much responsibility. During the year, the organization switched suppliers of a service to a new vendor. The accounting clerk continued to submit fraudulent invoices from the “old supplier.” Because contracting for services and approval of supplier invoices had been delegated to the clerk, it was possible for the clerk to continue billings from the old supplier and deposit the subsequent checks, which the clerk was responsible to mail, into a new account the clerk opened in the name of the old supplier.
The clerk was considered an excellent employee and eventually was improperly given the added responsibility of preparing the department budgets. This added responsibility allowed the clerk to budget for the amount of the fraudulent payments. Which of the following controls would have been least likely to prevent or detect the fraud described? A. Requiring authorization of payments by someone other than the clerk negotiating the contract. B. Comparison by the person signing checks of invoices with an independent verification of services received. C. Budget preparation by someone other than the person signing contracts and approving payment. D. Mailing of checks by someone other than the person responsible for check signing or invoice approval. Answer (A) is incorrect. Separating contracting for services and approval of invoices would have prevented the fraud. Answer (B) is incorrect. An independent verification of services received reviewed by the check signer would have prevented payment for services not received. Answer (C) is incorrect. Independent budget preparation would have allowed an actual-with-budget comparison to detect the payments. Answer (D) is correct. Once invoices have been approved, and checks prepared and signed, the mailing of the check by an independent person provides no means of preventing improper payments. The person responsible for the treasury function should sign the checks, transmit them, and cancel the supporting documents. [668] Gleim #: 7.3.57 A fraud was perpetrated in a moderate-sized organization when the accounting clerk was delegated too much responsibility. During the year, the organization switched suppliers of a service to a new vendor.
The accounting clerk continued to submit fraudulent invoices from the “old supplier.” Because contracting for services and approval of supplier invoices had been delegated to the clerk, it was possible for the clerk to continue billings from the old supplier and deposit the subsequent checks, which the clerk was responsible to mail, into a new account the clerk opened in the name of the old supplier. The clerk was considered an excellent employee and eventually was improperly given the added responsibility of preparing the department budgets. This added responsibility allowed the clerk to budget for the amount of the fraudulent payments. Which of the following engagement procedures is most likely to detect the fraud? A. Take a sample of paid invoices and verify receipt of services by departments involved. B. Trace a sample of checks disbursed to approved invoices for services. C. Perform a bank reconciliation and account for all outstanding checks. D. Trace a sample of receiving documents to invoices and to checks disbursed. Answer (A) is correct. Confirming with the using department the receipt of services that have been paid for would uncover the fraud. Answer (B) is incorrect. The fraudulent invoices were approved by the clerk, and each check is therefore supported by an approved invoice. Answer (C) is incorrect. Bank reconciliations do not test the validity of the cash payments. Answer (D) is incorrect. Beginning with valid receiving reports will not detect the fraud. The direction of testing is inappropriate.
[669] Gleim #: 7.3.58 A programmer’s accumulation of roundoff errors into one account, which is later accessed by the programmer, is a type of computer fraud. The best way to prevent this type of fraud is to A. Build in judgment with reasonableness tests. B. Independently test programs during development and limit access to the programs. C. Segregate duties of systems development and programming. D. Use control totals and check the results of the computer. Answer (A) is incorrect. Reasonableness tests will not detect this irregularity. In this particular type of fraud, all of the amounts will balance. Answer (B) is correct. Programmers should not have access to programs used in processing. The accumulation of roundoff errors into one person’s account is a procedure written into the program. Independent testing of a program will lead to discovery of this programmed fraud. Answer (C) is incorrect. Segregation of duties between systems development and programming would not prevent this type of error. The skills required to construct the program are possessed by programmers. Answer (D) is incorrect. This particular fraud will result in balanced entries. Thus, control totals would not detect the fraud. [670] Gleim #: 7.3.59 The risk of the addition of fictitious employees to the payroll by the person performing the payroll processing function is reduced by A. Requiring that payroll additions be approved by the controller. B. Requiring the same employee to perform the monthly payroll bank reconciliation. C. Performing periodic floor checks of employees on the payroll. D. Requiring a reconciliation of hours between time cards and hours paid. Answer (A) is incorrect. Payroll additions should be authorized by the personnel department, not by the controller (chief accounting officer), an official with record keeping responsibility. Answer (B) is incorrect. For a proper segregation of functions, the reconciliation should be performed by someone who has no payroll processing duties. Answer (C) is correct. 
One control used to detect the addition of fictitious persons to the payroll is for the auditor to make a periodic comparison of the names on the payroll with persons observed working for the company.
Observation of payroll distribution is such a control. Answer (D) is incorrect. The amount, not the validity, of the payment is verified. [671] Gleim #: 7.3.60 During an engagement involving the purchasing department, an internal auditor learned that one vendor rewarded buyers in proportion to the size of the orders received. What recommendation should the internal auditor make to reduce the likelihood of future acceptance of such rewards by the buyers? A. Establishing an employee counseling program. B. Periodic review of buyer lifestyles. C. A policy of identifying and reducing buyer situational pressures. D. A strong, written statement of management’s commitment to organizational ethics. Answer (A) is incorrect. Counseling is unlikely to change the behavior of dishonest employees. Answer (B) is incorrect. Such review is a detective control that would not uncover fraud unless a lifestyle change occurred. Answer (C) is incorrect. Situational pressures external to the organization may be beyond its control. Pressures within the organization, e.g., to improve performance, should not cause a buyer to take bribes from vendors. Answer (D) is correct. A strong commitment by management to ethical conduct reflected in its written policies, personnel practices, interest in effective control, etc., will foster creation of the appropriate environment. [672] Gleim #: 7.3.61 Fraudulent use of the organization’s credit cards is minimized by which of the following internal control procedures? A. Establishing an organizational policy on the issuance of credit cards to authorized employees. B. Reviewing the validity of credit card need at executive and operating levels on a periodic basis. C. Reconciling the monthly statement from the credit card issuer with the submitted copies of the cardholder’s charge slips.
D. Subjecting credit card charges to the same expense controls as those used on regular organizational expense forms. Answer (A) is incorrect. Establishing a policy on the issuance of credit cards relates to appropriate issuance, not fraudulent use. Answer (B) is incorrect. Reviewing the validity of credit card need at executive and operating levels relates to appropriate issuance of credit cards, not fraudulent use. Answer (C) is incorrect. The reconciliation tests correct invoicing by the credit card issuers for credit charges. It would not necessarily detect personal or fraudulent use if the payees and amounts were not suspicious. Answer (D) is correct. The problem of charging the organization for unauthorized expenditures is the same for any type of expense account, whether credit card or cash. Thus, normal expense controls should preclude credit card fraud by employees. [673] Gleim #: 7.3.62 An organization hired a highly qualified accounts payable manager who had been terminated from another organization for alleged wrongdoing. Six months later, the manager diverted US $12,000 by sending duplicate payments of invoices to a relative. A control that might have prevented this situation is to A. Adequately check prior employment backgrounds for all new employees. B. Not hire individuals who appear overqualified for a job. C. Verify educational background for all new employees. D. Check to see whether close relatives work for vendors. Answer (A) is correct. Because honest and capable personnel also help create an environment conducive to effective internal control, hiring policies and procedures are crucial. Background checks, for example, may screen out potential hirees of questionable character and serve to prevent potential fraud. Answer (B) is incorrect. Being overqualified is not an indicator of bad character. Answer (C) is incorrect. Checking prior employment is more likely to uncover prior fraudulent behavior. Answer (D) is incorrect.
Checking to see whether close relatives work for vendors is not an adequate control in this scenario. [674] Gleim #: 7.3.63 Internal auditors and management have become increasingly concerned about computer fraud. Which of the following control procedures is least important in preventing computer fraud? A. Program change control requiring a distinction between production programs and test programs. B. Testing of new applications by users during the systems development process. C. Segregation of duties between the applications programmer and the program librarian function. D. Segregation of duties between the programmer and systems analyst. Answer (A) is incorrect. A program should be redesigned using a working copy, not the version in use. Answer (B) is incorrect. Testing of new applications by users is one of the most important controls to help prevent computer fraud. Answer (C) is incorrect. Adequate control over program changes is one of the most important control procedures in a computerized environment. Programmers should not have access to operational programs, and librarians should not be able to program. Answer (D) is correct. Segregation of the programming and systems analysis functions is of least concern given that the analyst is responsible for communicating the nature of the design to the programmer. Programmer/analyst is a common job title. [675] Gleim #: 7.3.64 A means of ensuring that payroll checks are drawn for properly authorized amounts is to A. Conduct periodic floor verification of employees on the payroll. B. Require that undelivered checks be returned to the cashier. C. Require supervisory approval of employee time cards. D. Witness the distribution of payroll checks. Answer (A) is incorrect.
Employees may be properly included on payroll, but the amounts paid may be unauthorized. Answer (B) is incorrect. Returning undelivered checks to the cashier provides no information regarding the validity of the amounts of checks. Answer (C) is correct. Review and approval of time cards by line supervisors is appropriate because they should know whether work has been performed. Also, because they do not distribute paychecks, they are not in a position to divert falsely authorized checks. Answer (D) is incorrect. Witnessing a payroll distribution does not assure that the amounts paid are authorized. [676] Gleim #: 7.3.65 A payroll clerk working through a computerized payroll system increased the hourly pay rate of two employees and shared the resulting overpayments with the employees. Which of the following would have best served to prevent this illegal act? A. Requiring that all changes to pay records be recorded on a standard form. B. Limiting access to master payroll records to supervisory personnel in the payroll department. C. Reconciling pay rates per personnel records with those of the payroll system annually. D. Monitoring of payroll costs by department heads on a monthly basis. Answer (A) is incorrect. Requiring a standard form does not prevent an unauthorized pay rate change if it can be made without the form. The requirement that all changes to pay records be recorded on a standard form does not restrict access to the computer files. Hence, unauthorized changes could still be made. Answer (B) is correct. The best preventive control is to restrict the ability of employees to gain access to sensitive information. The computer security system should therefore incorporate measures (such as password protection and device authorization tables) that will prevent an unauthorized person from changing stored information.
Answer (C) is incorrect. Annual reconciliation of pay rates per personnel records with those of the payroll system is detective rather than preventive. Answer (D) is incorrect. Monitoring of payroll costs by department heads on a monthly basis is detective rather than preventive. [677] Gleim #: 7.4.66 A production manager for a moderate-sized manufacturer began ordering excessive raw materials and had them delivered to a wholesale business that the manager was running on the side. The manager falsified receiving documents and approved the invoices for payment. Which of the following procedures is most likely to detect this fraud? A. Take a sample of cash disbursements; compare purchase orders, receiving reports, invoices, and check copies. B. Take a sample of cash disbursements; confirm the amount purchased, purchase price, and date of shipment with the vendors. C. Observe the receiving dock and count materials received; compare the counts with receiving reports completed by receiving personnel. D. Perform analytical tests, comparing production, materials purchased, and raw materials inventory levels; investigate differences. Answer (A) is incorrect. Given that documents have been falsified, supporting documents exist for each cash disbursement. Answer (B) is incorrect. The vendors will confirm all transactions. Answer (C) is incorrect. Given that the improper orders are shipped to another location, observing receiving dock counts will not detect the fraud. Answer (D) is correct. The application of analytical procedures is based on the premise that, in the absence of known conditions to the contrary, relationships among information may reasonably be expected to exist and continue. Hence, the analytical procedures should identify an unexplained increase in materials used.
[678] Gleim #: 7.4.67 The manager of a production line has the authority to order and receive replacement parts for all machinery that requires periodic maintenance. The internal auditor received an anonymous tip that the manager ordered substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier, and the money was divided between the manager and the family member. Which of the following tests would best assist the auditor in deciding whether to investigate this anonymous tip further? A. Comparison of the current quarter’s maintenance expense with prior-period activity. B. Physical inventory testing of replacement parts for existence and valuation. C. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items replaced. D. Review of a test sample of parts invoices for proper authorization and receipt. Answer (A) is incorrect. The current quarter’s expense may not vary significantly from the prior period’s unless the manager just started this fraud. The auditor has no information on how long this might have been occurring. Answer (B) is incorrect. Physical testing would not locate nonexistent parts that already have been charged to maintenance. Answer (C) is correct. A basic premise underlying the application of analytical procedures is that plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary. Thus, an analysis of repair parts charged to maintenance would quantify the excessive number of items and raise a red flag that abuse may be occurring. Answer (D) is incorrect. Lack of segregation of duties allowed the fraud to occur.
The manager was authorized to process both the purchase and receipt, so the test would only verify the fraudulent paperwork. [679] Gleim #: 7.4.68 The internal auditor reviewed documentation showing that a customer had recently returned three expensive products to the regional service center for warranty replacement. The documentation also showed that the warranty clerk had rejected the claim and sent it to the customer’s local distributor. The claim was rejected because the serial numbers listed in the warranty claim were not found in the computer’s sales history file. Subsequently, the distributor supplied three different serial numbers, all of which were validated by the computer system, and the clerk completed the warranty claim for replacements. What is the best course of action for the internal auditor under the circumstances? A. Determine if the original serial numbers provided by the customer can be traced to other records, such as production and inventory records. B. Notify the appropriate authorities within the organization that there are sufficient indicators that a fraud has been committed. C. Verify with the appropriate supervisor that the warranty clerk had followed relevant procedures in the processing and disposition of this claim. D. Summarize this item along with other valid transactions in the internal auditor’s test of warranty transactions. Answer (A) is correct. The best course of action for the internal auditor is to determine whether the related equipment had actually been reported in a sales transaction. This will allow the auditor to draw preliminary conclusions as to whether this is a case of error or of fraud. Answer (B) is incorrect. The internal auditor should pursue additional information before alerting authorities. Answer (C) is incorrect.
Verifying that the warranty clerk followed procedures does not provide more information about the validity of the warranty claim. Answer (D) is incorrect. The internal auditor should obtain more information about the validity of the transaction. [680] Gleim #: 7.4.69 Jane Jackson had been the regional sales manager for an organization for over 10 years. During this time, she had become very close friends with Frank Hansen, an internal audit manager. In addition to being neighbors, Jane and Frank had many of the same interests and belonged to the same tennis club. They trusted each other. Frank had helped Jane solve some sales problems, and Jane had given Frank some information that led to significant engagement observations during the past three engagements. Below are selected analytical data from the organization that have led staff internal auditors to believe that there has been a financial statement fraud. The perpetrator appears to have falsified sales information for the past 2 years. Frank is concerned because he recently completed an engagement in the area and accepted Jane’s explanation for differences in the analytical data. Frank is now certain that Jane is involved in the fraud.

                                   Current Year   Last Year   –2 Year   –3 Year   –4 Year
Percent increase in sales               10             8          6         4         5
Inventory turnover                       5             4          5        3.5        4
Gross margin percentage                 54            49         42        39        40
Percent change in sales returns          8             6          3        2.5        3

Which combination of the following analytical data provides the strongest indication of the possibility of the fraud? A. Percentage increase in sales and inventory turnover. B. Gross margin percentage and change in sales returns. C. Inventory turnover and change in sales returns. D. Percentage increase in sales and gross margin percentage. Answer (A) is incorrect.
The increase in percentage change in sales is not unreasonable, and given the constant increase, one might expect increases in inventory that could keep turnover constant. Answer (B) is correct. Rapid increases in gross margin percentage are expected if sales are fictitious, that is, if sales are recorded without shipments and a consequent increase in cost of sales. The large increase in returns is also symptomatic of falsified sales. Answer (C) is incorrect. The turnover and return figures, when taken together, are not indications of sales overstatements. Answer (D) is incorrect. If the increase in sales was due to a market sales price increase, one might expect these results. [681] Gleim #: 7.4.70 Jane Jackson had been the regional sales manager for an organization for over 10 years. During this time, she had become very close friends with Frank Hansen, an internal audit manager. In addition to being neighbors, Jane and Frank had many of the same interests and belonged to the same tennis club. They trusted each other. Frank had helped Jane solve some sales problems, and Jane had given Frank some information that led to significant engagement observations during the past three engagements. Below are selected analytical data from the organization that have led staff internal auditors to believe that there has been a financial statement fraud. The perpetrator appears to have falsified sales information for the past 2 years. Frank is concerned because he recently completed an engagement in the area and accepted Jane’s explanation for differences in the analytical data. Frank is now certain that Jane is involved in the fraud.

                                   Current Year   Last Year   –2 Year   –3 Year   –4 Year
Percent increase in sales               10             8          6         4         5
Inventory turnover                       5             4          5        3.5        4
Gross margin percentage                 54            49         42        39        40
Percent change in sales returns          8             6          3        2.5        3

The current dilemma in which Frank finds himself was least likely caused by A. Not rotating engagements every year. B. Accepting an engagement in an area where he was a close personal friend of management. C. Failing to select the appropriate analytical procedures. D. Accepting the response of management without additional testing. Answer (A) is incorrect. Failure to rotate engagements seems to have contributed to Frank’s decision to accept management’s explanation for the analytical findings. Answer (B) is incorrect. Frank’s friendship with Jane impaired his objectivity. Answer (C) is correct. The information given suggests that Frank applied the proper analytical procedures but accepted management’s explanation of the findings. Answer (D) is incorrect. Frank’s acceptance of management’s explanations apparently resulted in his failure to obtain sufficient information. [682] Gleim #: 7.4.71 The chief of an organization’s security received an anonymous call accusing a marketing manager of taking kickbacks from a media outlet. Thus, the marketing department is on the list of possible engagement clients for the coming year. The internal audit activity is assigned responsibility for investigating fraud by its charter. If obtaining access to outside media outlet records and personnel is not possible, the best action an internal auditor could take to investigate the allegation of marketing kickbacks is to A. Search for unrecorded liabilities from media outlets. B. Obtain a list of approved media outlets. C. Develop a financial and behavioral profile of the suspect. D. Vouch any material past charge-offs of receivables. Answer (A) is incorrect. If the employee is taking kickbacks, unrecorded liabilities are not being created. Answer (B) is incorrect. A list of approved media outlets would not provide any information about kickbacks. Answer (C) is correct. 
A common indicator of fraud by an employee is an unexplained change in his/her financial status. A standard of living not commensurate with the employee’s income may signify wrongdoing. The employee’s behavior may also be suspicious (for example, constant association with, and entertainment by, a member of the media outlet’s staff). The profile may help to corroborate illegal income and thereby provide a basis for tracing illegal payments to the employee. Answer (D) is incorrect. The receipt of kickbacks would have no effect on accounts receivable. [683] Gleim #: 7.4.72 While reviewing a division’s accounts, an internal auditor becomes concerned that the division’s management may have shipped poor quality merchandise to boost sales and profitability and thereby increase the manager’s bonus. For this reason, the internal auditor suspects that returned goods are being shipped to other customers as new products without full correction of their defects. Which of the following engagement procedures is the least effective in determining whether such shipments took place? A. Examine credit memos issued after year end for goods shipped before year end. B. Physically observe the shipping and receiving area for information of returned goods. C. Interview customer service representatives regarding unusual amounts of customer complaints. D. Require the division to take a complete physical inventory at year end, and observe the taking of the inventory. Answer (A) is incorrect. Credit memos provide the customer with proof that returned goods have been received by the organization and posted to the customer’s account.
Examining credit memos issued after year end for goods shipped before year end would show that customers are returning inferior goods. Answer (B) is incorrect. Physically observing the shipping and receiving area might reveal goods returned that are not yet accounted for. Answer (C) is incorrect. Unusual amounts of customer complaints may suggest a condition not explained by normal spoilage rates. Answer (D) is correct. Taking a complete year-end inventory is an ineffective procedure because goods returned and reshipped without the correction of defects would not be on hand to be counted. [684] Gleim #: 7.4.73 Contributions to a nonprofit organization have been constant for the past 3 years. The audit committee has become concerned that the president may have embarked on a scheme in which some of the contributions from many sustaining members have been redirected to other organizations. The audit committee suspects that the scheme may involve taking major contributions and depositing them in alternative accounts or soliciting contributions to be made in the name of another organization. Which of the following procedures should be most effective in detecting the existence of such a fraud? A. Use generalized audit software to take a sample of pledged receipts not yet collected and confirm the amounts due with the donors. B. Take a sample that includes all large donors for the past 3 years and a statistical sample of others and request a confirmation of total contributions made to the organization or to affiliated organizations. C. Take a discovery sample of cash receipts and confirm the amounts of the receipts with the donors. Investigate any differences. D. Use analytical review procedures to compare contributions generated with those of other comparable institutions over the same period of time. If the amount is significantly less, take a detailed sample of cash receipts and trace to the bank statements. Answer (A) is incorrect. 
Sampling amounts listed as unpaid does not provide evidence about contributions previously paid or shifted to another organization.
Answer (B) is correct. The engagement objective is to determine whether contributions have been wrongly directed to alternate accounts or solicited for other organizations. Consequently, an appropriate procedure is to send confirmation requests to donors. However, testing transactions recorded by the accounting system will not result in sufficient information about solicitation of contributions for other organizations. The internal auditor must therefore make inquiries of the sustaining members about such solicitations.
Answer (C) is incorrect. Sampling cash receipts that have been recorded by the organization provides no evidence about unrecorded receipts or contributions diverted elsewhere.
Answer (D) is incorrect. Analytical procedures are of limited use. Also, the follow-up procedure only provides evidence that recorded receipts were also deposited.

[685] Gleim #: 7.4.74
During an engagement performed at a smaller division, the internal auditor notes the following regarding the purchasing function: There are three purchasing agents. Agent 1 is responsible for ordering all large component parts, agent 2 for electric motors, and agent 3 for smaller parts such as fasteners. There are separate accounts payable and receiving departments. In order to hold vendors more responsible, all invoices are sent to the purchasing agent placing the order. The purchasing agent matches the vendor invoice, receiving slip, and purchase order. If all match, the purchasing agent sends the documents forward to the accounts payable department. Differences are investigated by the purchasing agent. Only the accounts payable department has the ability to authorize an item for payment.
All recorded receipts are immediately recorded into a perpetual inventory record by the department to which the goods are transferred after receipt. The internal auditor interviewed both management and the purchasing agents. Both groups were very satisfied with the current system because it helps maintain vendor accountability and provides sufficient segregation of duties given that only the accounts payable department can authorize an item for payment.

Which of the following engagement procedures is most effective in determining whether material fraud was taking place?

A. Take a random sample of cash disbursements and trace to approved purchase orders and receiving slips.
B. Reconcile the perpetual inventory to the general ledger and investigate any differences.
C. Take a random sample of purchase orders. Trace each purchase order to a receiving slip, vendor invoice, and approval by the accounts payable department.
D. Perform an analytical review of inventory by product line to determine whether a particular product line has increased. Inquire of the purchasing agent as to the reason for the inventory increase.

Answer (A) is incorrect. Cash disbursements are authorized by accounts payable and are not made in the absence of approved documents. Purchasing agents have control of these documents. Hence, if they are falsified by the purchasing agents, merely verifying that documents exist to support payments is ineffective.
Answer (B) is correct. A fraud could result in an overstatement of inventory in the ledger. However, the perpetual inventory reflects the actual goods received.
Answer (C) is incorrect. Tracing purchase orders to receiving slips, invoices, and accounts payable approvals verifies only that purchase orders were processed. It would not detect fictitious purchase orders.
Answer (D) is incorrect.
Analytical review of inventory by product line provides limited evidence on the possibility of fraud but would not be as effective as reconciling inventory.

[686] Gleim #: 7.4.75
During an engagement performed at a smaller division, the internal auditor notes the following regarding the purchasing function: There are three purchasing agents. Agent 1 is responsible for ordering all large component parts, agent 2 for electric motors, and agent 3 for smaller parts such as fasteners. There are separate accounts payable and receiving departments. In order to hold vendors more responsible, all invoices are sent to the purchasing agent placing the order. The purchasing agent matches the vendor invoice, receiving slip, and purchase order. If all match, the purchasing agent sends the documents forward to the accounts payable department. Differences are investigated by the purchasing agent. Only the accounts payable department has the ability to authorize an item for payment. All recorded receipts are immediately recorded into a perpetual inventory record by the department to which the goods are transferred after receipt. The internal auditor interviewed both management and the purchasing agents. Both groups were very satisfied with the current system because it helps maintain vendor accountability and provides sufficient segregation of duties given that only the accounts payable department can authorize an item for payment.

The internal auditor is responsible for evaluating internal control to determine whether it allows undetected fraud. Based on the information presented, the most likely undetected fraud, if any, is that the

A. Purchasing agent is purchasing the majority of products from a favorite vendor because rotation among purchasing agents is not mandatory.
B. Purchasing agent is sending fake purchase orders to a dummy vendor, inserting a receiving slip, and having payments made to the dummy vendor.
C. Receiving department is diverting receipts to different locations and failing to create receiving reports.
D. Production department is deflating the price of products purchased and thereby increasing the reported gross margin of sales.

Answer (A) is incorrect. Purchasing most goods from a particular vendor may be justified.
Answer (B) is correct. Internal control is unlikely to detect the purchasing agent’s fraud because this individual is in a position to perpetrate and conceal irregularities. Receiving documents and vendors’ invoices should be sent to accounts payable, not to the purchasing agent.
Answer (C) is incorrect. This possible fraud should be detected by the absence of receiving reports to support vendors’ invoices.
Answer (D) is incorrect. This response is unrelated to the purchasing environment.

[687] Gleim #: 7.4.76
During an engagement performed at a smaller division, the internal auditor notes the following regarding the purchasing function: There are three purchasing agents. Agent 1 is responsible for ordering all large component parts, agent 2 for electric motors, and agent 3 for smaller parts such as fasteners. There are separate accounts payable and receiving departments. In order to hold vendors more responsible, all invoices are sent to the purchasing agent placing the order. The purchasing agent matches the vendor invoice, receiving slip, and purchase order. If all match, the purchasing agent sends the documents forward to the accounts payable department. Differences are investigated by the purchasing agent. Only the accounts payable department has the ability to authorize an item for payment.
All recorded receipts are immediately recorded into a perpetual inventory record by the department to which the goods are transferred after receipt. The internal auditor interviewed both management and the purchasing agents. Both groups were very satisfied with the current system because it helps maintain vendor accountability and provides sufficient segregation of duties given that only the accounts payable department can authorize an item for payment.

Which of the following controls, if properly implemented, is most likely to decrease the likelihood of fraud?

A. Require periodic rotation of purchases among different vendors.
B. Require rotation of duties among the three purchasing agents.
C. Require that receiving reports be sent directly to accounts payable.
D. Require that the updates to the perpetual inventory record be made by the receiving department.

Answer (A) is incorrect. Rotation of vendors might partially alleviate the problem, but the purchasing agent could develop new dummy vendors.
Answer (B) is incorrect. Rotation of duties will not affect the type of fraud that could occur in this environment. The purchasing agent could develop another dummy vendor for the new product line.
Answer (C) is correct. This change in procedures prevents the purchasing agent from falsifying receiving reports. An even better procedure is to have both the receiving reports and the vendors’ invoices sent to accounts payable.
Answer (D) is incorrect. This procedure will create an additional opportunity for fraud by the receiving department.

[688] Gleim #: 7.4.77
During an engagement relating to purchasing, the internal auditor finds that the largest blanket purchase order is for tires, which are expensed as vehicle maintenance items.
The fleet manager requisitions tires against the blanket order for the company’s 400-vehicle service fleet based on a visual inspection of the cars and trucks in the parking lot each week. Sometimes the fleet manager picks up the tires but always signs the receiving report for payment. Vehicle service data are entered into a maintenance database by the mechanic after the tires are installed. What is the best course of action for the internal auditor in these circumstances?

A. Determine whether the number of tires purchased can be reconciled to maintenance records.
B. Count the number of tires on hand and trace them to the related receiving reports.
C. Select a judgmental sample of requisitions and verify that each one is signed by the fleet manager.
D. Compare the number of tires purchased under the blanket purchase order with the number of tires purchased in the prior year for reasonableness.

Answer (A) is correct. That the fleet manager both requisitions and receives the tires provides an opportunity for fraud. The internal auditor should determine whether tires purchased have been used on company vehicles rather than diverted to another purpose.
Answer (B) is incorrect. Tracing the tires on hand to the receiving reports would not reveal a fraud. The manager signs the receiving report.
Answer (C) is incorrect. Testing for signed requisitions would not necessarily reveal whether fraud is present.
Answer (D) is incorrect. A fraud could have occurred during the prior year also.

[689] Gleim #: 7.4.78
During a post-completion engagement related to a warehouse expansion, the internal auditor noted several invoices for redecorating services from a local merchant that were account-coded and signed for payment only by the cost engineer. The internal auditor should

A. Compare the cost and description of the services with the account code used in the construction project and with related estimates in the construction-project budget.
B. Consult with the cost engineer for assurance that these purchases were authorized for this construction project.
C. Obtain a facsimile of the cost engineer’s signature from the accounts payable group and compare it with the signature on the invoices.
D. Recommend reclassifying the expenditure to the appropriate account code for redecorating services.

Answer (A) is correct. The internal auditor needs to determine the validity of the transaction because the engineer is performing incompatible tasks. Comparing the cost and description of the services with the account code and the budget will verify the transaction. However, normal controls over disbursements need to be established.
Answer (B) is incorrect. The cost engineer’s assurance would not confirm the authorization of these expenditures.
Answer (C) is incorrect. The primary focus is the validity of the transaction within this construction project.
Answer (D) is incorrect. There is no basis for reclassifying the transaction within this context.

[690] Gleim #: 7.4.79
The internal auditor suspects a disbursements fraud in which an unknown employee(s) is submitting and approving invoices for payment. Before discussing the potential fraud with management, the internal auditor decides to gather additional information. Which of the following procedures is most helpful in providing the additional information?

A. Use software to develop a list of vendors with post office box numbers or other unusual features. Select a sample of those items and trace to supporting documents such as receiving reports.
B. Select a sample of payments made during the year and investigate each one for approval.
C. Select a sample of receiving reports representative of the period under investigation and trace to approved payment. Note any items not properly processed.
D. Take a sample of invoices received during the past month, examine to determine whether properly authorized for payment, and trace to underlying documents.

Answer (A) is correct. A disbursements fraud may be accomplished through the use of fictitious vendors. Investigating vendors with suspicious characteristics appropriately focuses on payees as sources of additional information.
Answer (B) is incorrect. The individual perpetrating the fraud may have been in a position to obtain approvals.
Answer (C) is incorrect. The problem is more likely to be with payments for which no valid support exists.
Answer (D) is incorrect. Sampling invoices for the past month is not as effective as investigating suspicious vendors. It focuses only on a short period of time, and it does not emphasize the items most likely to be fraudulent.

[691] Gleim #: 7.4.80
During an engagement, the internal auditor found a scheme in which the warehouse director and the purchasing agent for a retail organization diverted a significant amount of goods to their own warehouse, then sold the goods to third parties. The fraud was not noted earlier because the warehouse director forwarded receiving reports (after updating the perpetual inventory records) to the accounts payable department for processing. Which of the following procedures most likely led to the discovery of the missing materials and the fraud?

A. Take a random sample of receiving reports and trace to the recording in the perpetual inventory record. Note differences and investigate by type of product.
B. Take a random sample of purchase orders and trace them to receiving documents and to the records in the accounts payable department.
C. Take an annual physical inventory, reconciling amounts with the perpetual inventory, noting the pattern of differences and investigating.
D. Take a random sample of sales invoices and trace to the perpetual records to see if inventory was on hand. Investigate any differences.

Answer (A) is incorrect. Sampling receiving reports would not have detected the fraud. The warehouse director updates the perpetual inventory records before forwarding the false receiving reports to accounts payable.
Answer (B) is incorrect. Taking a sample of purchase orders would not have detected the irregularities. All the goods were ordered, and the perpetrators colluded to falsify receiving reports even when the goods were diverted to another location.
Answer (C) is correct. Taking an annual physical inventory should lead to the identification of systematic shrinkages in the inventory. The pattern of the shrinkages should implicate the warehouse director. At that time, a fraud investigation should be undertaken.
Answer (D) is incorrect. The warehouse director falsified the inventory records.

[692] Gleim #: 7.4.81
The internal auditor finds a situation in which one person has the ability to collect receivables, make deposits, issue credit memos, and record receipt of payments. The internal auditor suspects the individual may be stealing from cash receipts. Which of the following engagement procedures is most effective in discovering fraud in this scenario?

A. Send positive confirmations to a random selection of customers.
B. Send negative confirmations to all outstanding accounts receivable customers.
C. Perform a detailed review of debits to customer discounts, sales returns, or other debit accounts, excluding cash posted to the cash receipts journal.
D. Take a sample of bank deposits and trace the detail in each bank deposit back to the entry in the cash receipts journal.

Answer (A) is incorrect.
An employee who performs asset custody, authorization, and recording functions can conceal the theft by debiting customer discounts or sales returns.
Answer (B) is incorrect. Seeking information from customers and tracing bank balances will not detect the fraud because neither customer statements nor bank records will contain evidence of fraud.
Answer (C) is correct. Debits to customer discounts, sales returns, etc., are the most likely accounts to be affected if this person were attempting to conceal a theft of cash payments without alerting customers. Seeking confirmation from customers and tracing bank balances will not detect the fraud because neither customer statements nor bank records will contain evidence of fraud.
Answer (D) is incorrect. Bank deposits will agree with journal entries. The stolen amounts are never recorded.

[693] Gleim #: 7.4.82
Management has requested that the internal auditor investigate the possibility that a purchasing agent is receiving kickbacks. Which of the following procedures is least effective in addressing management’s concern?

A. Confirm all contract terms with vendors.
B. Analyze, by purchasing agent, all increases in cost of procured goods from specific vendors.
C. Take a statistical sample of goods purchased and compare purchase prices for goods with those of other sources of similar goods, such as other organizations or catalogs.
D. Observe any changes in the lifestyles or individual consumption habits of the purchasing agents involved.

Answer (A) is correct. Confirming contract terms is the least useful procedure because the contract terms are already known. The confirmation would have to be expanded to inquire as to whether the purchasing agent has pressured vendors to make kickbacks. That approach is useful only if the kickbacks were initiated by the purchasing agent rather than the vendor.
Answer (B) is incorrect.
Analyzing increases in the cost of procured goods from specific vendors provides insight as to what products and which purchasing agent may be involved.
Answer (C) is incorrect. Sampling goods purchased and comparing prices against other sources of similar goods provides information on excess purchase prices.
Answer (D) is incorrect. Unexplained changes in personal habits of purchasing agents may reveal the purchasing agent involved in receiving the kickbacks.

[694] Gleim #: 7.4.83
An investment portfolio manager has the authority to use financial derivatives to hedge transactions but is not supposed to take speculative positions. However, the manager launches a scheme that includes (1) taking a position larger than required by the hedge, (2) putting the speculative gains in a suspense account, and (3) transferring the funds to a nonexistent broker and from there to a personal account. Which of the following engagement procedures is least effective in detecting this fraud?

A. Examine individual trades to determine whether the trades violate the authorization limit for the manager.
B. Sample individual trades and determine the exact matching of a hedge. Schedule and investigate all differences.
C. Sample all debits to the suspense account and examine their disposition.
D. Sample fund transfers to brokers and determine if the brokers are on the organization’s authorized list for transactions.

Answer (A) is correct. The monetary amount involved would not reveal whether the transaction was speculative.
Answer (B) is incorrect. Sampling individual trades may detect an unauthorized speculation.
Answer (C) is incorrect. All debits to the suspense account should be sampled given the potential for using such an account for irregularities.
Answer (D) is incorrect.
Sampling fund transfers to brokers and determining whether the brokers are on the authorized list for transactions may detect a fictitious party.

[695] Gleim #: 7.4.84
When testing the year-end balance for trade accounts payable, the use of a software package to identify unauthorized vendors in a vendor database is most valuable in developing tests to determine

A. Existence of valid recorded liabilities.
B. Accuracy of the receiving cutoff used.
C. Ownership of the recorded payables.
D. Valuation of recorded transactions.

Answer (A) is correct. The software package can determine whether unauthorized vendors were paid. If none are found, the auditor has gathered evidence that recorded liabilities are valid.
Answer (B) is incorrect. Irregularities in vendor information have little bearing on the cut-off used.
Answer (C) is incorrect. Recorded payables are liabilities, not assets.
Answer (D) is incorrect. Valuation is not directly determined by review of vendor information irregularities.

[696] Gleim #: 7.4.85
While performing analytical procedures related to an engagement involving a social services agency of a government entity, the internal auditor noted an unusually large increase in payments to individual recipients who are under the direction of a particular social worker in the agency. Which of the following engagement procedures is the best procedure to investigate this observation?

A. Use generalized audit software to sort payments to recipients by social worker. Then sort the payments by common addresses and names.
B. Implement an integrated test facility and monitor transactions throughout the year to identify unusual items.
C. Implement the snapshot approach and tag transactions that are related to the social worker identified with the unusually large increases.
D. Use generalized audit software to take a random sample of recipients and investigate by sending confirmations to them to determine whether they had received proper payments.

Answer (A) is correct. Generalized audit software (GAS) is appropriate for such routine computer tasks as extracting, sorting, comparing, and summarizing data. Sorting payments by social worker and by addresses and names is the best procedure because it efficiently determines whether an obvious fraudulent pattern exists in the payments under the control of the social worker.
Answer (B) is incorrect. An integrated test facility (ITF) is designed to test the correctness of processing, not whether only valid recipients are receiving payments.
Answer (C) is incorrect. The snapshot technique would not provide much information about fraudulent items currently contained in the file. Like the ITF, the snapshot technique concentrates on the processing of data, not the validity of new recipients.
Answer (D) is incorrect. Sending confirmations to the recipients listed on the file should not be the first approach used. If the recipients are indeed fraudulent, the social worker will receive the confirmation (all sent to a common address) and will be able to respond positively.

[697] Gleim #: 7.4.86
Two merging retail enterprises agree to share data on store operations. The data reveal that three stores in Organization A are characterized by: Significantly lower gross margins, Higher-than-average sales volume, and Higher levels of empl