12/27/2015 Wiley CMA Test Bank Part 1

Question 1:
(1E2-AT47)

Managing and mitigating organization-wide risks finally rests with which of the
following management concepts?
Chain of authority.
Chain of accountability.
Chain of responsibility.
Chain of delegation.

The chain of accountability refers to the level of ownership over an organization. It

states that the ultimate accountability in an organization rests at the top level of the
management hierarchy. This means that top-level management is in a better
position to manage and mitigate organization-wide risks. The chain of accountability
is much stronger than the chains of authority, responsibility, and delegation because
individuals are made strictly accountable for their actions and inactions.

Question 2:
(1E2-AT13)

Regarding fraud, internal auditors cannot guarantee which of the following?

That they can prevent fraud.
That they can detect fraud.
That they can correct fraud.
All of the above.

It is true that internal auditors cannot guarantee that they can prevent, detect, or
correct fraud in their organization, because management is fully responsible for
doing such things. The main reason is that internal auditors test internal controls
through sampling tests, compliance tests, and substantive tests, not examining
every transaction in full detail, which would be cost prohibitive, ineffective,
inefficient, and unnecessary.
Usually fraud occurs when internal controls fail or failed to detect. It is difficult to
detect, especially when management disguises it.

Question 3:
(1E2-AT48)

Which of the following will not help in identifying the overall risks to the internal audit
function?
Barrier analysis.
Root-cause analysis.
Assurance maps.
http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 1/15
12/27/2015 Wiley CMA Test Bank Part 1

Risk maps.

Barrier analysis, as it relates to the business activity of organizational change,

identifies key determinants of (barriers to) human behavioral change in employees
to help focus on their behaviors that have not changed, despite repeated
management's efforts to change. The four key determinants of human behavior are
self-efficacy, social norms, positive consequences, and negative consequences.
Hence, barrier analysis will not help in identifying the overall risks to the internal
audit function.

Question 4:
(1E2-AT59)

All of the following are examples of hard controls except:

Management philosophy.
Budgets.
Dual controls.
Written approvals.

Management philosophy is an example of a soft control.

Question 5:
(1E2-AT12)

Internal audit's scope gap can be minimized or reduced in which of the following
phases of an audit process?
Audit program.
Audit fieldwork.
Audit preliminary survey.
Audit reporting.

A scope gap is the difference between the expected scope and the actual scope. The
audit scope and audit objectives are developed during the preliminary survey phase,
which is the first phase of the audit process. Potential risks and exposures, goals, and
standards for the audited area are also identified and gathered during the
preliminary survey phase. The audit scope should indicate what is included in and
what is excluded from the audit work, thus minimizing and reducing the scope gap.

Question 6:
(1E2-AT32)

Internal auditors should not assume which of the following roles?

Control facilitators.
Control developers.
Control advisors.
Control reviewers.

Internal auditors should not become control developers because it is management's

responsibility to design, develop, and maintain controls in the organization. By
developing controls, internal auditors can lose their independence and objectivity.
http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 2/15
12/27/2015 Wiley CMA Test Bank Part 1

Question 7:
(1E2-AT19)

Selecting high-impact and high-visibility auditable activities to audit requires which of

the following approaches?
Risk based.
Process based.
Knowledge based.
Experience based.

Audits and controls reduce risks and protect assets. By definition, high-impact and
high-visibility activities are high risk due to their nature. Hence, they require a risk-
based review approach to ensure that all potential and possible risks are managed
properly.

Question 8:
(1E2-AT61)

Which of the following is common between feed-forward controls and feedback

controls?
Budgets.
Employee training programs.
Final quality inspection.
Inventory forecasting.

Budgets are a common item between feed-forward controls and feedback controls
because budgets work as proactive controls and reactive controls.

Question 9:
(1E2-AT40)

All of the following are examples of soft controls except:

Tone at the top.
Vision.
Verification.
Communication.

Verification of some activity or document is an example of a hard control.

Question 10:
(1E2-AT49)

The real success of an internal audit engagement depends on which of the following?
Audit evidence.
Audit scope.
Audit working papers.
Audit testing.

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 3/15
12/27/2015 Wiley CMA Test Bank Part 1

Establishing an audit scope is a make-or-break point because the entire audit work is
based on the audit scope. Scope is a guiding light to a specific audit work. An audit
will be successful when the audit scope is complete; otherwise, it will fail.

Question 11:
(1E2-AT58)

All of the following are examples of soft controls except:

Ethical climate.
Integrity.
Segregation of duties.
Culture.

Segregation of duties is an example of a hard control.

Question 12:
(1E2-AT50)

Which of the following is not a leading practice to protect the reputation risk of an
internal audit function?
Performing a risk assessment exercise.
Implementing a quality assurance program.
Protecting the internal audit brand.
Establishing management review of audit findings.

Establishing an effective management review of audit findings is a leading practice in

mitigating risks of audit failures and does not itself protect the reputation risk. This
leading practice should make a company management to review, accept, and own
the audit findings.

Question 13:
(1E2-AT56)

Which of the following is required when the collected internal audit evidence does not
meet the standards of evidence?
Sufficiency evidence.
Competence evidence.
Corroborative evidence.
Relevance evidence.

When the collected audit evidence does not meet the standards of evidence,
additional (corroborative) evidence is required before expressing an audit opinion.

Question 14:
(1E2-AT33)

Management overrides can be loosely interpreted as which of the following?

Management interventions.
Management representations.

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 4/15
12/27/2015 Wiley CMA Test Bank Part 1

Management assertions.
Management assurances.

Management interventions can be loosely interpreted as management overrides, but

they are different. Management interventions represent management's action to
depart from prescribed policies or procedures for legitimate purposes. Both
management overrides and management interventions bypass controls; the former
is done for illegitimate purposes, and the latter is done for legitimate purposes.

Question 15:
(1E2-AT14)

The best way to develop the scope of a specific internal audit engagement is through
a:
Standard design.
Custom design.
General design.
Detail design.

The scope of internal auditing is flexible in that it can be custom designed to fit the
specific needs of a company's management.

Question 16:
(1E2-AT29)

The internal audit charter does not include which of the following?
Audit's role and position.
Chief audit executive's reporting relationship.
Coordination with external auditors.
Access to organization's records.

Coordinating the external auditors and other auditors (e.g., regulatory auditors) with
the internal auditors is a routine responsibility of the chief audit executive. As such, it
would not be included in the internal audit charter.

Question 17:
(1E2-AT53)

Which of the following risk protection concepts of internal audit deal with layered
protections going horizontally?
Defense in depth.
Defense in breadth.
Defense in technology.
Defense in time.

Defense in breadth means providing layered protections going horizontally. In

regard to internal audit's work, it refers to collecting audit evidence from related and
affected departments of an organization (i.e., departments in the same level of
horizontal hierarchy) in the same rigor as the department being audited. This

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 5/15
12/27/2015 Wiley CMA Test Bank Part 1

approach provides a stronger defense for the audit function in the eyes of auditees
and others.

Question 18:
(1E2-AT57)

Which of the following statements is incorrect?

Feed-forward control = Proactive control.
Post-control = Reactive control.
Current control = Legacy control.
Pre-control = Proactive control.

One cannot say or assume that all current controls are legacy controls, although
some current controls could be legacy controls. If never revisited for improvement,
legacy controls could be ineffective, inefficient, or simply outdated. Hence, legacy
controls need to be improved for better controls.

Question 19:
(1E2-AT27)

Which of the following is an example of an administrative reporting item between the

chief audit executive (CAE) and his or her superior?
Audit's budgetary limitations.
Audit's annual budget plans.
Audit activity's independence.
Audit's failure reasons.

Annual budget plans of internal audit are administrative reporting items between
the CAE and his or her superior (chief executive officer) to obtain the latter's
approval.

Question 20:
(1E2-AT41)

Which of the following is not a contributing factor leading to internal audit failures?
Management gap.
Data gap.
Competency gap.
Communication gap.

A gap is the difference between expected outcomes and actual outcomes. Data gaps
identify problems in data-quality attributes, such as accuracy, completeness,
availability, timeliness, and usefulness of data. As such, data gaps cannot contribute
to internal audit failures.

Question 21:
(1E2-AT5)

Which of the following is the most important risk factor to consider when internal
auditors are performing a detailed risk assessment of auditable activities in an
organization?
http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 6/15
12/27/2015 Wiley CMA Test Bank Part 1

Quality of the internal control system.

Competence of management.
Integrity of management.
Competence of customers.

The quality of the internal control system is the most important risk factor to
consider when internal auditors are performing a detailed risk assessment of
auditable activities in an organization. This is because the internal control system
forms a nucleus and guides all the activities of an organization where the former
affects the latter.

Question 22:
(1E2-AT15)

Management controls are also known as which of the following?

Accounting controls.
Financial controls.
Administrative controls.
Internal controls.

Management controls are also known as internal controls due to their broader
perspective and to their effect on the entire organization.

Question 23:
(1E2-AT60)

Which of the following is not an example of feedback controls?

Employee exit interviews.
Employee performance appraisal reporting.
Direct supervision.
Customer surveys.

Direct supervision is an example of a current control, not a feedback control,

because supervision is provided directly and readily as things are happening.

Question 24:
(1E2-AT18)

Budget controls are not usually reviewed during which of the following audits?
Compliance audit.
Operational audit.
Financial audit.
Consulting audit.

Consulting audits are advisory in nature and specific to meet the needs of customers
and clients. Hence, budget controls, which are financial in nature, are not reviewed
in consulting audits.

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 7/15
12/27/2015 Wiley CMA Test Bank Part 1

Question 25:
(1E2-AT38)

Which of the following is not a tool to evaluate soft controls?

Counting.
Questionnaires.
Interviews.
Workshops.

Counting, whether manual counting or system counting, is an example of a tool to

evaluate hard controls, which are formal, tangible, and objective in nature.

Question 26:
(1E2-AT34)

A fully approved internal audit plan for the current year is already in place for a large
internal auditing department. Which of the following offers a final approval of the
specific scope of an internal audit engagement?
Audit director.
Senior auditor.
Audit supervisor.
Audit manager.

The audit manager can approve the scope of a specific audit engagement because
he or she might be managing the audit supervisor, senior auditor, and audit staff
assigned to the specific audit. The audit manager is responsible and accountable for
the successful completion of the specific audit engagement work.

Question 27:
(1E2-AT46)

Internal auditors can add a greater value to their organizations by doing more:
Compliance audits.
Operational audits.
Financial audits.
Consulting audits.

More of consulting audits add greater value to their organizations because those
audit results will improve an organization's governance, risk management, and
control processes.

Question 28:
(1E2-AT30)

Which of the following gives the final approval of the internal audit charter document?
Board of directors.
Chief executive officer.
Executive committee.
External auditors.

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 8/15
12/27/2015 Wiley CMA Test Bank Part 1

The board of directors gives the final approval of the internal audit charter document
to establish its official status in the organization.

Question 29:
(1E2-AT16)

What is the effect of combining a compliance audit, an operational audit, and a

financial audit into one big assurance audit?
Additive effect.
Dilution effect.
Multiplicative effect.
Synergistic effect.

Assurance audits result when compliance audits, operational audits, and financial
audits are combined into one big audit, yielding reduced audit results due to
summarized audit scope; this is called the dilution effect (2+2 = 3). Combined audits
may not achieve the same audit results as separate audits, because separate audits
have detailed scope.

Question 30:
(1E2-AT52)

Which of following is not a standard statistical method?

Random sampling.
Judgment sampling.
Attribute sampling.
Variable sampling.

Although internal auditors use the judgment sampling method during their audit
work when other methods are not applicable, judgment sampling does not lend
itself to quantitative analysis by standard statistical methods. Judgment sampling is
a qualitative sampling method, not a quantitative sampling method.

Question 31:
(1E2-AT45)

When an internal auditor with education and experience in law works with the human
resource department of a company about employee lawsuits, the auditor is
conducting a(n):
Compliance audit.
Operational audit.
Financial audit.
Consulting audit.

A consulting audit is advisory in nature and is generally performed at the specific

request of an engagement client. When an internal auditor with education and
experience in law works with the human resource department of a company about
employee lawsuits, the auditor is conducting a consulting audit in the form of
counseling services to the human resource department.

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 9/15
12/27/2015 Wiley CMA Test Bank Part 1

Question 32:
(1E2-AT22)

Which of the following is not fully accountable for managing and mitigating risks
throughout the organization?
Board of directors.
Internal audit management.
Executive management.
Functional management.

Internal audit management is fully responsible for reviewing and reporting risks to
an organization's management but is not accountable in the same way as the other
types of management.

Question 33:
(1E2-AT17)

Which of the following represents the extreme level of risk resulting from internal
control breakdowns in an organization?
Lack of employee disciplinary procedures.
Lack of social community involvement.
Lack of competitive advantage.
Lack of management's interest.

Lack or loss of competitive advantage represents the extreme level of risk resulting
from internal control breakdowns in an organization because it could result in
decreased sales, decreased market share, and increased quality problems in
products and services.

Question 34:
(1E2-AT54)

Which of the following is not an example of feed-forward controls?

Performance plans.
Performance metrics.
Performance scorecards.
Performance dashboards.

Performance dashboards are examples of feedback controls. Dashboards are visual

diagrams showing performance results through reports on an after-the-fact basis.

Question 35:
(1E2-AT31)

The chief audit executive (CAE) is required to confirm annually the organizational
independence of the internal audit activity. Which of the following receives that
confirmation?
Governance committee.
Chief executive officer.
Finance committee.
http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 10/15
12/27/2015 Wiley CMA Test Bank Part 1

Board of directors.

The CAE is required to confirm annually to the full board of directors about the
organizational independence of the internal audit activity from other parts of the
organization for objectivity and independence reasons.

Question 36:
(1E2-AT39)

Which of the following is not a hard skill?

Technical skill.
Functional skill.
Problem-solving skill.
Leadership skill.

Leadership skill is an example of a soft skill.

Question 37:
(1E2-AT55)

Regarding roles and responsibilities, which of the following is different between the
management accounting function and the internal auditing function?
Internal controls.
Staff roles.
Accounting controls.
Independence and objectivity.

Independence and objectivity factors are what differentiate the management

accounting function from the internal auditing function. The internal audit activity
must be independent and the internal auditors must be objective in performing their
work. Independence allows internal auditors to carry out their work freely and
objectively. Independence is achieved through organizational status and objectivity.

Question 38:
(1E2-AT43)

Internal control primarily is a:

Policy issue.
Procedure issue.
People issue.
Technical issue.

Internal control primarily is a people issue because it is people who install and
deinstall the internal controls.

Question 39:
(1E2-AT26)

Which of the following is an example of an administrative reporting item between the

chief audit executive (CAE) and his or her superior?

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 11/15
12/27/2015 Wiley CMA Test Bank Part 1

CAE compensation.
CAE removal.
Audit staff's compensation.
Audit's scope limitations.

Compensation of the Internal audit staff is an example of an administrative reporting

item between the CAE and his or her superior (chief executive officer).

Question 40:
(1E2-AT25)

Which of the following is not a functional reporting item between the chief audit
executive (CAE) and his or her superior?
Approving the audit charter.
Approving the audit manual.
Approving the audit risk assessment program.
Approving the audit plan.

The audit manual is a routine, low-level document. As such, it should be approved by

the CAE's administrative superior, not by the board of directors. The audit manual is
updated periodically for the audit staff's use. This is an administrative reporting
item.

Question 41:
(1E2-AT23)

Which of the following represents an unacceptable reporting relationship of the chief

audit executive (CAE) in a publicly held corporation?
The chief accounting officer.
The chief operating officer.
The chief administrative officer.
All of the above.

The CAE should report to a management position at the highest level of the
management hierarchy to obtain an independence status from the rest of the
organization (i.e., CEO). The chief accounting officer, the chief operating officer, and
the chief administrative officer positions are not at the highest level in the
management hierarchy.

Question 42:
(1E2-AT24)

Which of the following is the acceptable reporting relationship of the chief audit
executive (CAE) in a publicly held corporation?
Single reporting.
Dual reporting.
Pseudo-reporting.
Shadow reporting

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 12/15
12/27/2015 Wiley CMA Test Bank Part 1

A dual-reporting relationship occurs when the CAE reports functionally to the board
of directors and administratively to the organization's chief executive officer. This
type of relationship facilitates organizational independence of the internal audit
function.
Time Spent:Due2:52
to its unique missionScore
and vision,
22% the internal
Restartaudit function
End is very
different from that of50 Answered
the other functions in a company. Note that dual reporting
0
violates the unity of command
Unanswered principle, meaning that one subordinate should
report to only one superior. Dual reporting is also called matrix reporting, as found in
a project management environment, where a team member administratively reports
to the project manager and functionally reports to the functional department
manager.

Question 43:
(1E2-AT37)

Which of the following is not a tool to evaluate hard controls?

Flowcharts.
Self-assessments.
System narratives.
Testing.

Self-assessments are examples of tools to evaluate soft controls, which are informal,
intangible, and subjective in nature.

Question 44:
(1E2-AT21)

Regarding lines of defenses available in managing and mitigating risks to internal

audit function, which of the following represents the last line of defense?
Less costly, more effective, appropriate timing, and best results.
Less costly, medium effective, appropriate timing, and medium results.
More costly, less effective, inappropriate timing, and worst results.
Average cost, average effective, appropriate timing, and average results.

This represents the last line of defense available either to an internal audit function
or to any other function. A first line of defense is always preferred over the second or
the last defense. The last line of defense can be more costly, less effective, timed
inappropriately, and offer worst results.

Question 45:
(1E2-AT36)

Due diligence reviews can be performed during which of the following audits?
Compliance and consulting audits.
Financial and compliance audits.
Operational and financial audits.
Consulting and operational audits.

Due diligence reviews provide a safety valve to management that is planning to

acquire, merge, or consolidate with other businesses (i.e., consulting audit).These
reviews can also be applied, for example, when starting a new joint venture, when
http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 13/15
12/27/2015 Wiley CMA Test Bank Part 1

complying with laws and regulations, when purchasing land, or when selling a
business in full or in part (i.e., compliance audit). The goal is to assure the company's
senior management and the board of directors that all applicable laws and
regulations are met (e.g., employment and environmental laws and regulations) and
that all potential risks and exposures are addressed and minimized. Hence, due
diligence reviews are performed during compliance and consulting audits.

Question 46:
(1E2-AT42)

All of the following are contributing factors to a false assurance coming from an
internal audit to others except:
Measurement gap.
Communication gap.
Expectation gap.
Competency gap.

False assurance is a level of confidence or assurance based on perceptions or

assumptions rather than on facts. False assurance has nothing to do with the
measurement gap, where it identifies problems in measuring something of
importance (e.g., production counts, inventory counts, and claims counts).

Question 47:
(1E2-AT28)

The internal audit charter does not include which of the following?
Audit purpose.
Audit engagement.
Audit authority.
Audit responsibility.

Managing an individual audit engagement is one of the routine responsibilities of the

chief audit executive (CAE) and would not be included in the audit charter because
the charter is a formal and permanent document for the audit function. The audit
charter is a high-level document whereas the audit engagement is a low-level
document.

Question 48:
(1E2-AT20)

All of the following are examples of nonsampling work except:

Probabilities.
Observations.
Inquiries.
Inspections.

Standard statistical methods use sampling techniques that are based on

probabilities for selecting samples. Statistical sampling methods use probability
concepts and mathematical equations. Nonsampling work does not use such
concepts and equations.
http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 14/15
12/27/2015 Wiley CMA Test Bank Part 1

Question 49:
(1E2-AT35)

Internal auditors can design, develop, implement, and maintain which of the
following?
Control systems.
Computer systems.
Audit systems.
Audit trail systems.

Audit systems (e.g., generalized audit software and test data generator software) are
planned, designed, developed, implemented, maintained, and owned by the internal
audit department for its own use by the audit staff to perform their audit work.
However, internal auditors should not be involve in the planning, designing,
developing, implementing, and maintaining of control systems, computer systems,
and audit trail systems because internal auditors do not own those systems.

Question 50:
(1E2-AT44)

Which of the following is the common item causing overall risks to the internal audit
function?
Management gap.
Competency gap.
Compliance gap.
Expectation gap.

A gap is the difference between what is expected and what is real. A competency gap
is the common item causing audit failures, audit's false assurances, and audit's loss
of reputation, the three broad categories of overall risks to the internal audit
function. A competency gap is the difference between expected competencies in
terms of knowledge, skills, and abilities (KSAs) and the actual KSAs. The audit
director needs to reduce the competency gap in the audit staff, audit supervisors,
and audit managers, including him- or herself, by acquiring the needed KSAs.

Back to Top   Restart Study Session   End Study Session

http://app.efficientlearning.com/pv5/v8/cmatb2015p1.html?u=bbde91ad­06e8­409c­b57a­2650e3c520ef#_assess_studyquestions 15/15