
Let’s Connect with Each Other

Web: www.zainacademy.us
Web: www.mzain.org

Email: help@zainacademy.us
Email: help@mzain.org
WhatsApp (Messaging & Call): +92 311 222 4261
International Call: +92 311 222 4261
US & Canada Call: +1 646 979 0865

Facebook: https://www.facebook.com/zainacademy
YouTube: https://www.youtube.com/c/zainacademy
LinkedIn: https://www.linkedin.com/in/mzainhabib/
Twitter: https://twitter.com/mzaincpacmacia
Instagram: https://www.instagram.com/mzain.cpa.cma.cia/
Pinterest: https://www.pinterest.com/mzainhabib/
Amazon: https://www.amazon.com/MUHAMMAD-ZAIN/e/B07K2G2R8M
Telegram: https://t.me/ZainAcademy
Tumblr: https://zainacademy.tumblr.com/
Medium: https://medium.com/@muhammad_zain_cpa_cma_cia
INDEX
Preface
Certified Internal Auditor (CIA) – US Basic Information
Letter from Muhammad Zain
Section A – Essentials of Internal Auditing
Sub - Section I – Foundations of Internal Auditing
Sub - Section II – Independence and Objectivity
Sub - Section III – Proficiency and Due Professional Care
Sub - Section IV – Quality Assurance and Improvement Program
Sub - Section V – Governance, Risk Management and Controls
Sub - Section VI – Fraud Risks
Section B – Practice of Internal Auditing
Sub - Section I – Managing the Internal Audit Activity
Sub - Section II – Planning the Engagement
Sub - Section III – Performing the Engagement
Sub - Section IV – Communicating Engagement Results and Monitoring Progress
Section C – Business Knowledge for Internal Auditing
Sub - Section I – Business Acumen
Sub - Section II – Information Security
Sub - Section III – Information Technology
Books Written By Muhammad Zain
Quotes That Will Change Your Life
PREFACE
All the knowledge possessed by me is a gift from Almighty Allah. The Creator of the Heavens and the earth blessed
me with the success of passing Certified Public Accountant (CPA), Certified Management Accountant (CMA),
Certified Internal Auditor (CIA), and Masters of Business Administration (MBA) exams in 1st attempt. I am profoundly
grateful to my family for providing all the resources and time at their disposal for my enrichment morally, physically,
and spiritually. I am also thankful to my teachers, who delivered their knowledge, wisdom, and experience.
The knowledge, resources, views, facts, and information presented in this book are a voice from my heart bestowed
by Allah and my experience gained during my entire lifetime. I capitalized hours searching the Internet, Blogs, Social
media, and Wikipedia to update my knowledge and notebook as part of my continuous learning objective. I am
highly indebted to contributors to Google, Blogs, Social Media, and Wikipedia for presenting me with the ocean of
knowledge and insights. The more I dived deep into the ocean, the more I concluded that we human beings are only
given limited knowledge, which is unexplored and undiscovered entirely to this date. This curiosity of mankind is
bringing innovations, discoveries, and ideas. Any resemblance to any copyrighted material available on the planet is
purely coincidental and unintentional. I allow the readers of this book to use it for any related educational purpose
and reproduce the contents as long as the original text in this book is unaltered. I give reasonable assurance that the
information provided in this book is correct according to my knowledge and belief. There may be circumstances
where potential readers challenge the information presented. I welcome these challenges to correct me for future
updates.
May the Lord, Master of the day of Judgement and to whom the sovereignty belongs, bless me more and my
readers in this world and in particular in life hereafter (Ameen).
CERTIFIED INTERNAL AUDITOR (CIA) - US BASIC INFORMATION
Certified Internal Auditor (CIA) certification is offered by the Institute of Internal Auditors (IIA), US. It is a premium internal auditing
qualification having a global presence. CIA is a symbol of excellence in compliance reporting, risk management, and consultancy.
The IIA releases the primary guidance for the profession, such as the International Professional Practices Framework (IPPF), the Code of
Ethics, and the International Standards for the Professional Practice of Internal Auditing. Membership with the IIA is not required to earn a CIA
designation. Candidates can save their earned money by not choosing the membership.
Chapters and affiliated institutes hold regular meetings, seminars, and conferences to develop networking, contacts, and social
bonding. It is advisable to attend these types of events to learn about the current practices in internal auditing.

Why Choose CIA


The Certified Internal Auditor (CIA) credential offers many benefits. CIA certification can help you move forward in a focused
direction. CIA certification gives a message that you are a proficient internal auditor who can bring valuable insights and
experience. CIA holders can be entrusted with significant responsibility. CIA also helps in increasing accounting knowledge and skill.
CIA holders’ earning potential is excellent compared with that of non-certified peers. Companies retain talented individuals by giving them
market-based remuneration, bonuses, perks, fringe benefits, and vacations. A qualified individual’s earnings are multiplied if he or she opens a
consultancy, compliance, or internal auditing firm.

Way To Achieve CIA Credential
Candidates must meet the four Es requirement, i.e., Education, Ethics, Examination, and Experience, to achieve the CIA
designation. The Institute provides three years to get certified. However, candidates can apply for one of the three types
of 1-year eligibility extension, i.e., hardship, non-hardship, and exam eligibility. Each type of extension has its own procedures and fees.
Please refer to the CIA Candidate Handbook, available from the IIA website.

CIA Examination
Candidates have to pass just one exam to become certified. 150 questions will be asked in a 3-hour time period. Each MCQ has to
be solved in 1.2 minutes.

IIA Retired Questions


Test bank questions available from all the publishers are questions retired by the IIA. 75% of the questions are the same with every
publisher. The remaining 25% is their own creativity.
REMEMBER that actual CIA exam questions are non-disclosed and are not available to anyone.

CIA Exam Scoring
The CIA exam is computer-graded. The candidate will receive the result within five minutes of finishing the exam. Scores are
determined by the difficulty level of questions asked and converting the value of questions answered correctly to a scale that
ranges between 250 to 750. A score of at least 600 is required to pass the exam, i.e. 80%. If the questions are of higher IQ level, the
passing score can go below 600, but if the items tested are easy, then passing criteria can go up from 600.
Whether the questions being asked are easy or difficult, I suggest you target an overall 85% in the exam by
answering 85 questions correctly out of 100 questions.
Trend analysis over several years shows that the CIA exam passing ratio is between 40% and 44%.
Documents Required By IIA
The following documents are required by the Institute when a candidate makes a profile at the Certification Candidate
Management System (CCMS):
A soft copy of an unexpired official passport or national candidate ID card;
A soft copy of degree and transcripts;
A soft copy of the character reference form duly attested.
Pearson VUE www.pearsonvue.com/iia conducts CIA examinations globally. Select the testing center location that is easily
reachable for you.

Investment in CIA
Investment in the CIA is one-time if the candidate passes the Challenge Exam on the first attempt. Investment in the CIA is highly rewarding
throughout life.

I highly recommend that candidates pay their dues by DEBIT CARD only. This way, you will be free from all claims of the
bank and will be much relieved. The target must be to clear the exam on the 1st attempt so that the examination fee is paid only once,
and the benefits of opportunity costs can be derived.
Investment in study materials, test bank questions, and lecture videos is separate and varies according to the candidate’s
preferences and study methods.
REMEMBER to subscribe to the study materials and test bank questions that are economical, comprehensive, updated, and
excellent.

Difficulty Level of CIA Challenge Exam
The CIA Challenge Exam is hard, as it covers all the topics from CIA Part 1 - Essentials of Internal Auditing, CIA Part 2 – Practice of
Internal Auditing and CIA Part 3 – Business Knowledge for Internal Auditing (except for the Financial Management section). The CIA
Challenge Exam can be passed easily if candidates exhibit the traits of Excellence, Creativity, Passion, and Patience in
their preparation and, in particular, on exam day.
The Candidates must have a clear vision of their future. They must be able to define their purpose of life. The will to win, the desire
to succeed, the urge to reach full potential – these are the keys that will unlock the door of CIA certification.
The reason that many candidates find it difficult to achieve the CIA is that they are not able to define their goals or ever seriously
consider them as believable or achievable. Champions can tell you where they are going, what they plan to do along the way, and
with whom they will be sharing their adventure.
CIA Challenge Exam – Syllabus
There are three sections in CIA Challenge Exam.
a. Section A – Foundation of Internal Auditing – 35% weightage
b. Section B – Practice of Internal Auditing – 43% Weightage
c. Section C – Business Knowledge for Internal Auditing – 22% Weightage

CIA Challenge Exam Preparation Time
It is generally observed that many of the CIA candidates are working executives. They have to allocate time for work, family,
studies, and personal leisure. The candidates are ready for Challenge exam if they can allocate at least 3 hours on weekdays and at
least 6 hours on weekends for four to five months continuously.
Candidates must follow these steps to understand the concepts that are part of the syllabus of the CIA Challenge Exam.
Read a whole particular section from the study book first with the questioning mind approach. Mark or highlight only the
important paras or sentences in the book.
Attempt the True / False Questions of that particular section presented in the book to bring clarity on the already read topics.
Attempt the Multiple Choice Questions of that particular section from the Test Bank without any time constraints. Focus must be
on selecting the right answers in the first place.
If you attempt any question correctly, proceed to the next question. These questions do not need to be reviewed ever again
because a question once attempted successfully will always be correct in the future.
If any question attempted is wrong in the 1st place, then mark or highlight or flag those questions. Furthermore, there might be
instances in which you have selected the right answer, but you are in doubt about the outcome of the result if attempted later.
These questions also need to be marked or highlighted. These marked questions will form the basis of review, revision, and
rehearsal at a later stage.

Read the explanation of the incorrect answers selected and try to understand the logic of the question and correct answer
explanation.
As you complete 80% of the total questions of a particular section, move to the next section, and repeat the steps from (a) to (d).
Revision of the already learned topics every week is warranted. Dedicate a particular day in a week in which you will only revise the
already learned topics. Read only those paras from the book which have been highlighted. Attempt only those questions from Test
Bank Questions, which have been marked or highlighted. Time Management must come into effect while re-attempting the
questions. Each MCQ has to be attempted in 1.2 minutes. This way you will revise the entire section smartly and anxiety level will
decrease.
Once you complete reading and studying all the sections of the CIA Challenge Exam, focus on completing 100% of the MCQs
from the Test Bank Questions.
REMEMBER that each topic has an equal chance of selection in the exam. So you have to be prepared for every concept.
ALSO REMEMBER that CIA Challenge Exams are of continuous 3-hour duration. Train your mind to be active for at least 4 hours
during MCQs preparation.

The candidates must have updated study materials and test bank questions. The study materials must be simple, concise, and easy to
understand. The majority of finance graduates and working executives prefer self-studies. Select test bank questions of any comprehensive
publisher. Subscribing for more than one publisher’s test bank questions will not help as most of the questions will be repetitive.
Video Lectures are of great aid. They increase the retention power of the candidates by at least 25%. Furthermore, the candidates can view
them later at their ease and convenience. Many of the candidates prefer live classes or online interactive sessions. This can also increase the
odds in your favor exponentially.
Recommended Study Approach
The CIA Challenge Exam is computer-based. It is recommended that all your preparation, highlighting, and practice be done on a computer
or laptop. Candidates must avoid the traditional method of studying and making notes via pen and paper. Pen and paper shall be used
only for calculation-related purposes while attempting the test bank questions.
Candidates can study at any time of day or night, but my preferred time is early morning, daily at 4:30 am. This is the time when the
human brain is at a high energy level. This is also the time of great silence.
You will be provided with earplugs in the center and must use them to avoid distractions from the noise of other candidates. Silence also
has its own voice, which you will agree with me on your exam day. Your mind needs to be accustomed to it. Therefore, use good-quality
foam-based earplugs from day 1 of your preparation. You can find these earplugs at your local pharmacy.
You will be provided with black pens and two sheets at the center. Start using a black pen from day 1. Your mind must be able to recognize
and work with a black pen.
Please become familiar with the MCQ screens and navigation of the Pearson VUE Testing Environment before the exams. The tour can be
arranged from your computer. This will make you comfortable on your exam day.

How to Answer the MCQs in preparation and exams?
My preferred way of approaching any MCQ is provided below. Ask yourself three bold phrases in every MCQ.
What are the requirements of the question? The requirements of the question are generally presented in the second last or last
line of the question. Read it thoroughly and then reread the whole question to filter out the extra information.
What is the answer? Read twice the answer choices carefully and then select the best answer. Numerical questions require
double-checking of formulas and calculations.
If you do not know the answer, make an educated guess. The educated guess is a technique in which you filter out two
options out of four based on your insights. Now only the two remaining options need your attention. Read the requirements of the question
again and then the remaining two answer choices. Select the best one. This way you will increase your odds in favor by 50%.
Attempt all the questions in the exam even if the testlet is harder; time management is crucial. You will not be penalized for any
incorrect choices being made. Your score is determined out of correct questions only. Mark or flag all those questions which you
want to review at the end if time allows.

Pearson VUE Testing Site Visit
After you schedule your appointment with Pearson VUE, visit the center at least three days before the exam to become familiar
with the location. If the center is in a building, make yourself familiar with the security perimeters of the building as well. Make
contingency plans to reach the exam center in case of any unexpected circumstances. Double-check the weather conditions in
advance of the exam day.
Day Before Exam Day
This day is also vital in the candidate’s life. Leave all the review, revisions, or attempting the test bank questions at least 24 hours
before the exam day. CIA is a professional paper and the candidate has to be ready at any time. You have done enough preparation.
Trust in Allah and have confidence in your abilities. You have done enough training. It is now time to showcase your talent.
You will be intimidated to see the materials or revise the test bank questions or watch the lecture videos. Keep aside all these
urges. Divert your mind to the most enjoyable activity. That enjoyable activity can be praying, meditating, walking in the garden, or
even watching a good movie. Arrange all the required documents, clothes, shoes, calculators, funds, and other items in advance.
Charge your cell phone if you plan to travel and navigate by Apps. Mobile Data Connection package must be active. Sleep for at
least 10 hours at night before the exam day.

Activities on Exam Day
Take a good shower and wear comfortable clothing according to the weather conditions.
Have a comprehensive meal that is easily digestible and consume any necessary medicines.
Bring printouts of Authorization Letter / Confirmation Letter / Notice to Schedule received through email from Pearson VUE and Institute, mentioning
candidate’s name, section part, exam date, time, and venue.
Two original forms of non-expired identification with photograph and signature are required. Therefore, bring an unexpired and signed passport and national
identity card / driver’s license along with you.
Reach the exam center at least 60 minutes prior to your appointment time.
Drink coffee or tea before the exam so that you are charged enough.
Visit the washroom before the start of the exam.
The mobile phone has to be switched off and placed in a locker along with wallets.
You will not be given any complimentary breaks during the 3-hour exam. However, you can take a short break to recharge yourself, visit the
washroom, and have water; the clock will continue to run.
Do not make noise or stand up from the seat without permission. Raise your hand first. The invigilator will visit you, and then you can ask for pens, extra sheets
for working, or a break, or report any malfunction encountered in the exam.
Once you finish your exam, review the marked or flagged questions and try to attempt them in the remaining time. Your score is based on the number of
questions you answer correctly. You are not penalized for selecting the wrong answer.
Make sure to submit your exam and watch for the incoming message from the system for acknowledging your submitted questions.

LETTER FROM MUHAMMAD ZAIN
06 September 2021
Dear CIA,
May Peace, Blessings, and Mercy of Allah be upon you, to all the Messengers of Allah and, in particular, on the Noble and
Final Messenger Prophet Muhammad (Peace Be Upon Him), his Family, and his Companions.
Be a symbol of excellence in your life. Always dream big and think beyond the dimensions of the Universe. Man is made to
conquer the seven Heavens. Explore the purpose of your existence and discover the enormous potential that is within
oneself. Having faith and trust in the Creator will give you light in the darkness and uncharted territories. There is always
a silver lining beneath the dark skies. A creative mindset makes life simple. Work on your passion by synchronizing your
soul, heart, and mind. We all will die one day, but only a few dare to live the life they wish for.
The Creator has created the entire Universe in six days. There is a great potential to discover the magnificent beauty that
remains unexplored to date. This is only possible by seeking knowledge and applying them in our daily lives.
We are living in end times and witnessing a moment that humanity has not ever experienced before. This is the digital
transformation age. Artificial Intelligence, Blockchain Technology, Cryptocurrency, Business Intelligence, and Big Data are
business norms.
All the information is available in the blink of an eye. Whatever we think in mind comes in front of our screens. These
advancements will change the dynamics of the whole world we live in today. All the traditional and so-called “modern”
methods of doing work will be replaced by cloud computing. The work of accountants, doctors, engineers, pilots will no
longer exist. The irredeemable paper money will be replaced by electronic money. Central Governments will only exist in
name only. Universal Government and a unified taxation system will emerge. Virtual reality will be ordinary. Blind will be
able to see, deaf will be able to hear, without limbs persons will be able to run, and mentally disabled people will utilize the
maximum brain capacity through mental chip implants. Teleportation of humans will be done in a blink of an eye.
My advice to all readers around the world is to focus on entrepreneurship after the certification. This is the only way of
survival. Only those businesses are operational who have inelastic demand for their products or services and who are on
cloud computing / virtual workplaces. Furthermore, invest surplus funds in real assets such as Gold, Silver, and property.
They are the effective hedges against inflation and devaluation. They generate positive returns even in times of economic
distress.
I highly recommend that my potential readers pay their interest-bearing debt at the earliest to avoid the debt trap and
never go for this easy money for the foreseeable future, even in the form of credit cards. Housing loans are the blood-
sucking predator. These are all the means to enslave the human race to limit their thinking and imagination capability.
Always spend out of your realized income. Save some funds for your family as a contingency measure.
Allow me the opportunity to present to you the 2022 edition of CIA Challenge Exam Test Bank Questions. This Test Bank
contains 2,145 MCQs with explanations of the correct and incorrect choices to help you prepare for the CIA exams
conducted by the IIA.
This CIA Exam Prep is ideal for all persons working in internal auditing, risk management, and compliance reporting
positions. It is also equally suitable for those candidates who wish to learn the concepts and principles of Internal Audit.
Aspiring entrepreneurs can also benefit from this CIA review course.
Study with complete dedication and commitment. Make the goal of learning something new and different each day.
Replace your fear with curiosity.

Let’s work together towards the common goal of earning a Certified Internal Auditor (CIA) credential. My support and
guidance will be with you TILL YOU PASS THE EXAMS. Furthermore, you can ask as many questions as you wish, either
through WhatsApp (+92 311 222 4261) or email (help@zainacademy.us and help@mzain.org), and I will answer to the best
of my ability.
Your work is going to fill a large part of your life and the only way to be truly satisfied is to do what you believe is great
work. The only way to do great work is to love what you do. If you haven’t found it yet, keep looking. Don’t settle. As with
all matters of the heart, you will know when you find it.
Have the courage to follow your heart and intuition. They somehow already know what you truly want to become.
Everything else is secondary.
Your imagination is everything. It is the preview of life’s coming attractions. Only those who believe anything is possible can
achieve things most would consider impossible.
Don’t let the noise of others’ opinions drown out your own inner voice.
Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose. You
are already naked. There is no reason not to follow your heart.

Your time is limited, so don’t waste it living someone else’s life.
I dedicate this work to the Prophet Muhammad (Peace Be Upon Him), Mercy to all the Creation, who has been the source
of inspiration and guidance to humanity.
May the Knowledge delivered by me be a continuing blessing for me in the Life Hereafter (Ameen).

With Love and Care,

Muhammad Zain

Sub - Section I Foundations of Internal Auditing
MULTIPLE CHOICE QUESTION NO. 51
Which of the following is an element of authority that should be included in the
internal audit activity's charter?

A. Access to the external auditors' engagement records.
B. Access to records, personnel, and physical properties relevant to the
performance of engagements.
C. Identification of the organizational units in which engagements are to be
performed.
D. Samples of the types of disclosures that should be made to the audit
committee.
ANSWER TO QUESTION NO. 51
CORRECT ANSWER IS B. Its explanation is:

This would be included in the internal audit activity's charter.

INCORRECT CHOICES EXPLANATION

Explanation for Choice A:
This would not be included in the internal audit activity's charter.
Explanation for Choice C:
This would not be included in the internal audit activity's charter.
Explanation for Choice D:
This would not be included in the internal audit activity's charter.

MULTIPLE CHOICE QUESTION NO. 52
Which of the following would be permissible under The IIA’s Code of Ethics?
A. An auditor did not report significant observations about illegal activity to the
board because management indicated that it would resolve the issue.
B. After praising an employee in a recent audit engagement communication, an
auditor accepted a gift from the employee.
C. An auditor used audit-related information in a decision to buy stock issued by
the employer corporation.
D. In response to a subpoena, an auditor appeared in a court of law and disclosed
confidential, audit-related information that could potentially damage the auditor’s
organization.

ANSWER TO QUESTION NO. 52
CORRECT ANSWER IS D. Its explanation is:

Auditors must exhibit loyalty to the organization but must not be a party to any
illegal activity. Thus, auditors must comply with legal subpoenas.

INCORRECT CHOICES EXPLANATION

Explanation for Choice A:
Rule of Conduct 1.3 prohibits auditors from knowingly being a party to any illegal or improper activity.
Significant observations of illegal activity should be reported to the board.
Explanation for Choice B:
Rule of Conduct 2.2 prohibits auditors from accepting anything that might be presumed to impair the
auditor’s professional judgment.
Explanation for Choice C:
Rule of Conduct 3.2 prohibits auditors from using audit information for personal gain.

MULTIPLE CHOICE QUESTION NO. 53
According to the IIA Code of Ethics, which of the following are four principles
relevant to the professional care that internal auditors should apply in their
practice of internal auditing?

A. Judgment, interest, authority, and experience.
B. Trust, communication, value, and performance.
C. Integrity, objectivity, confidentiality, and competency.
D. Reliance, evaluation, information, and service.

ANSWER TO QUESTION NO. 53
CORRECT ANSWER IS C. Its explanation is:

These are the four principles that are included in the IIA's Code of Ethics.

INCORRECT CHOICES EXPLANATION

Explanation for Choice A:
These are not the four principles that are included in the IIA's Code of Ethics.
Explanation for Choice B:
These are not the four principles that are included in the IIA's Code of Ethics.
Explanation for Choice D:
These are not the four principles that are included in the IIA's Code of Ethics.

MULTIPLE CHOICE QUESTION NO. 54
An internal auditing team has made observations and recommendations that
should significantly improve a division’s operating efficiency. Out of appreciation of
this work, and because it is the holiday season, the division manager presents the
in-charge internal auditor with a gift of moderate value. Which of the following
best describes the action prescribed by The IIA Code of Ethics?

A. Not accept it if the gift is presumed to impair the internal auditor's judgment.
B. Not accept it prior to submission of the final engagement communication.
C. Not accept it, regardless of other circumstances, because its value is significant.
D. Accept it, regardless of other circumstances, because its value is insignificant.

ANSWER TO QUESTION NO. 54
CORRECT ANSWER IS A. Its explanation is:

Rule of Conduct 2.2 states that internal auditors shall not accept anything that may
impair, or be presumed to impair, their professional judgment. Thus, the gift should not
be accepted if it is presumed to impair the internal auditor’s judgment.

INCORRECT CHOICES EXPLANATION

Explanation for Choice B:
The timing of accepting the gift is irrelevant.
Explanation for Choice C:
The Rule of Conduct states that the internal auditor shall not accept "anything" that may impair, or be
presumed to impair judgment.
Explanation for Choice D:
The Rule of Conduct states that the internal auditor shall not accept "anything" that may impair, or be
presumed to impair judgment.

MULTIPLE CHOICE QUESTION NO. 55
According to the IIA Code of Ethics, the principle of integrity requires internal
auditors to do which of the following?

A. Be prudent in the use and protection of the information acquired in the course
of their duties.
B. Respect and contribute to the legitimate and ethical objectives of the
organization.
C. Continually improve their proficiency, effectiveness, and quality of services.
D. Not accept anything that may impair or be presumed to impair their
professional judgment.

ANSWER TO QUESTION NO. 55
CORRECT ANSWER IS B. Its explanation is:

This is a requirement of the principle of Integrity.

INCORRECT CHOICES EXPLANATION

Explanation for Choice A:
This is a requirement of the principle of Confidentiality.
Explanation for Choice C:
This is a requirement of the principle of Competency.
Explanation for Choice D:
This is a requirement of the principle of Objectivity.

MULTIPLE CHOICE QUESTION NO. 56
Which of the following actions taken by a chief audit executive (CAE) could be
considered professionally ethical under the IIA Code of Ethics?

A. To save organizational resources, the CAE limits procedures at foreign branches to
confirmations from branch managers that no major personnel changes have occurred.
B. The CAE refuses to provide information about organizational operations to his
father, who is a part owner.
C. The CAE decides to delay an engagement at a branch so that his nephew, the branch
manager, will have time to "clean things up."
D. To save organizational resources, the CAE cancels all staff training for the next 2
years on the basis that all staff are too new to benefit from training.
ANSWER TO QUESTION NO. 56
CORRECT ANSWER IS B . Its Explanation is
Rule of Conduct 3.1 states that internal auditors shall be prudent in the use and protection of
information acquired in the course of their duties. Thus, refusing to provide information about
operations to the CAE's father would be appropriate since the information could be used for insider
trading.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Rule of Conduct 4.2 states that internal auditors shall perform internal auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing. Based on the Standards, information should be sufficient, reliable, relevant, and useful to achieve the
engagement objectives.
Explanation for Choice C:
Rule of Conduct 1.1 states that internal auditors shall perform their work with honesty, diligence, and responsibility. Deciding to delay an
engagement so the branch manager (his nephew) will have time to "clean things up" would not be considered professionally ethical.
Explanation for Choice D:
Rule of Conduct 4.3 states that internal auditors shall continually improve their proficiency and the effectiveness and quality of their services.
Canceling staff training for the next two years would not contribute to improving the staff’s proficiency, effectiveness, or quality of their services.

MULTIPLE CHOICE QUESTION NO. 57
An internal auditor who encounters an ethical dilemma not explicitly addressed by
The IIA’s Code of Ethics should always:

A. Seek the counsel of the audit committee before deciding on an action.
B. Act consistently with the employing organization’s code of ethics, even if such
action would not be consistent with The IIA’s Code of Ethics.
C. Take action consistent with the principles embodied in The IIA’s Code of Ethics.
D. Seek counsel from an independent attorney to determine the personal
consequences of potential actions.

ANSWER TO QUESTION NO. 57
CORRECT ANSWER IS C . Its Explanation is

This is consistent with the concepts embodied in The IIA’s Code of Ethics.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
It would not be practical to seek the audit committee’s advice for all potential dilemmas. Further, the advice might not be
consistent with the profession’s standards.
Explanation for Choice B:
If the organization’s standards are not consistent with, or as high as, the profession’s standards, the professional internal
auditor should abide by the standards of the profession.
Explanation for Choice D:
The auditor must act consistently with the spirit embodied in The IIA’s Code of Ethics. It would not be practical to seek the
advice of legal counsel for all ethical decisions. Ethics is a moral and professional concept, not just a legal concept.

MULTIPLE CHOICE QUESTION NO. 58
Which of the following is a Core Principle for the Professional Practice of Internal
Auditing?

A. Maintain confidentiality.
B. Develop consistency in internal audit practices.
C. Is appropriately positioned and adequately resourced.
D. Promote an ethical culture in the internal audit profession.

ANSWER TO QUESTION NO. 58
CORRECT ANSWER IS C . Its Explanation is

This is one of the 10 Core Principles.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
This is a principle of The IIA’s Code of Ethics but not one of the Core Principles.
Explanation for Choice B:
This is not a Core Principle, nor is it something even desirable across the internal audit profession, as practice
will vary depending on organizational environment, culture, and level of maturity of the audit function.
Explanation for Choice D:
This is the purpose of The IIA’s Code of Ethics.
MULTIPLE CHOICE QUESTION NO. 59
The function of internal auditing, as related to internal financial reports,
would be to:

A. Identify inadequate controls that increase the likelihood of unauthorized
expenditures.
B. Determine if there are any employees expending funds without authorization.
C. Review the expenditure items and match each item with the expenses incurred.
D. Ensure compliance with reporting procedures.

ANSWER TO QUESTION NO. 59
CORRECT ANSWER IS A . Its Explanation is

Internal auditors are responsible for identifying inadequate controls.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
This would be a function of the personnel and/or finance departments.
Explanation for Choice C:
There is no expected match of funds flows with expense items in a single time period.
Explanation for Choice D:
The Standards do not require internal auditors to ensure compliance with reporting procedures.
MULTIPLE CHOICE QUESTION NO. 60
An auditor, nearly finished with an engagement, discovers that the director of marketing
has a gambling habit. The gambling issue is not directly related to the existing engagement
and there is pressure to complete the current engagement. The auditor notes the problem
and forwards the information to the CAE but performs no further follow-up. The auditor’s
actions would:

A. Be in violation of the Standards because the auditor did not properly follow up on a red
flag that might indicate the existence of fraud.
B. Be in violation of The IIA’s Code of Ethics for withholding meaningful information.
C. Not be in violation of either The IIA’s Code of Ethics or Standards.
D. Be in violation of both The IIA’s Code of Ethics for withholding meaningful information
and the Standards because the auditor did not properly follow up on a
red flag that might indicate the existence of fraud.

ANSWER TO QUESTION NO. 60
CORRECT ANSWER IS C . Its Explanation is

There is no violation of either the Code of Ethics or the Standards.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The auditor has documented a red flag that may be important in a subsequent engagement. This does not violate the
Standards.
Explanation for Choice B:
The auditor is not withholding information because the information has been forwarded to the CAE. The information may
be useful in a subsequent engagement in the marketing area.
Explanation for Choice D:
The auditor is not withholding information because the information has been forwarded to the CAE. The information may
be useful in a subsequent engagement in the marketing area.
The auditor has documented a red flag that may be important in a subsequent engagement. This does not violate the
Standards.

Sub - Section II Independence and Objectivity
MULTIPLE CHOICE QUESTION NO. 34
Which of the following activities undertaken by the internal auditor might
be in conflict with the standard of independence?

A. External audit liaison.
B. Product development team leader.
C. Risk management consultant.
D. Ethics advocate.

ANSWER TO QUESTION NO. 34
CORRECT ANSWER IS B . Its Explanation is
In some circumstances, such as a product development team, the role of team leader or
member may conflict with the independence attribute of the internal audit activity. The
auditor can participate as a consultant to the team but should not participate as a team leader.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
This does not conflict with the independence of the internal audit activity as the internal and external audit
functions both share information and work collaboratively outside the influence of management.
Explanation for Choice C:
This does not conflict with the independence of the internal audit activity.
Explanation for Choice D:
To improve the ethical climate, the internal auditor should assume the role of ethics advocate, which therefore
does not conflict with the independence of the internal audit activity.

MULTIPLE CHOICE QUESTION NO. 35
Organizational independence exists if the CAE reports [Blank A] to the CEO or similar level
of the organization as long as the internal audit activity [Blank B] without interference.

A. Blank A: functionally; Blank B: controls the scope and performance of work and
reporting of results.
B. Blank A: functionally; Blank B: approves the internal audit budget and risk-based
internal audit plan.
C. Blank A: administratively; Blank B: controls the scope and performance of work and
reporting of results.
D. Blank A: administratively; Blank B: approves the internal audit budget and risk-based
internal audit plan.

ANSWER TO QUESTION NO. 35
CORRECT ANSWER IS C . Its Explanation is
IIA Standard 1110 states that the CAE “must confirm to the board, at least annually, the organizational independence of
the internal audit activity.” Organizational independence exists if the CAE: Reports functionally to the board, has direct and
unrestricted access to the board, reports administratively to the CEO or a similar head of the organization, or reports
administratively to some other organizational level so long as the internal audit activity controls the scope of work,
performance of the work, and the reporting of results without interference.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
See the correct answer for an explanation.
Explanation for Choice B:
See the correct answer for an explanation.
Explanation for Choice D:
See the correct answer for an explanation.

MULTIPLE CHOICE QUESTION NO. 36
Which of the following describes the chief audit executive's optimal
reporting line to enhance the independence of the internal audit activity?

A. Administrative reporting to the chief financial officer.
B. Functional reporting to the audit committee.
C. Administrative reporting to the board.
D. Functional and administrative reporting to the president of the
organization.

ANSWER TO QUESTION NO. 36
CORRECT ANSWER IS B . Its Explanation is

In the proper reporting structure, the CAE should report functionally to
the audit committee and administratively to the CEO.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Administrative reporting should be to the CEO.
Explanation for Choice C:
Administrative reporting should be to the CEO.
Explanation for Choice D:
Administrative reporting should be to the CEO and functional reporting should be to the audit
committee.

MULTIPLE CHOICE QUESTION NO. 37
The independence of the internal audit department may be impaired in which
of the following situations?

A. The CAE reports functionally to the board of directors.
B. The CAE has an established reporting relationship with the audit committee.
C. The internal audit department has responsibility for the organization’s risk
and compliance areas.
D. The internal audit department has unrestricted access to information,
people, and records throughout the organization.

ANSWER TO QUESTION NO. 37
CORRECT ANSWER IS C . Its Explanation is
The interpretation of Standard 1112 notes that organizational independence may be impaired or appear to
be impaired if the CAE assumes roles/responsibilities outside of internal auditing. Standard 1112 states that if
this occurs, safeguards must be in place to limit impairments to independence or objectivity.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Standard 1110 interpretation states: “Organizational independence is effectively achieved when the CAE reports functionally to the board.”
Explanation for Choice B:
According to IIA Practice Guide, Independence and Objectivity, direct and unrestricted access to the governing body allows the internal
audit activity to be insulated from possible threats to independence.
Explanation for Choice D:
This would not impair the independence of the internal audit department.

MULTIPLE CHOICE QUESTION NO. 38
The call center of an organization has requested that the internal audit department
review procedures and controls during the implementation of a new process. The
CAE should:

A. Accept the engagement but indicate to management that, because
recommending controls impairs independence, future engagements in the area will
be impaired.
B. Not accept the engagement because recommending controls would impair
future objectivity regarding this operation.
C. Not accept the engagement because internal audit activities are presumed to
have expertise regarding accounting controls, not process controls.
D. Accept the engagement because individual objectivity will not be impaired.

ANSWER TO QUESTION NO. 38
CORRECT ANSWER IS D . Its Explanation is
Recommending standards of control for systems or reviewing procedures prior to implementation does
not impair objectivity (PA 1120-1). Additionally, if the engagement is deemed to involve consulting
services, objectivity is not required provided that any impairment thereof is disclosed to the client prior
to acceptance of the engagement (Standard 1130.C2). See also IIA Practice Guide, Independence and
Objectivity.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
According to PA 1120-1, recommending controls will not adversely affect the internal auditor’s objectivity.
Explanation for Choice B:
According to PA 1120-1, recommending controls will not adversely affect the internal auditor’s objectivity. The auditor’s objectivity is
considered impaired if the auditor designs, installs, drafts procedures for, or operates such systems.
Explanation for Choice C:
The internal audit activity should be able to evaluate the adequacy and effectiveness of controls encompassing the organization’s
governance, operations, and information systems (Standard 2120.A1).

MULTIPLE CHOICE QUESTION NO. 39
An internal auditor assigned to audit a vendor’s compliance with product quality
standards is the brother of the vendor’s controller. The auditor should:

A. Notify the CAE of the potential conflict of interest.
B. Accept the assignment, but disclose the relationship in the engagement final
communication.
C. Notify the vendor of the potential conflict of interest.
D. Accept the assignment, but avoid contact with the controller during fieldwork.

ANSWER TO QUESTION NO. 39
CORRECT ANSWER IS A . Its Explanation is

Practice Advisory 1130-1 states that internal auditors should report to the CAE any
situations in which a conflict of interest or bias is present or may reasonably be inferred.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Situations of potential conflict of interest or bias should be avoided, not merely disclosed.
Explanation for Choice C:
Conflicts of interest should be reported to the CAE, not the vendor or engagement client.
Explanation for Choice D:
Even if the auditor avoided contact with the controller, there would still be the appearance of conflict of interest.

MULTIPLE CHOICE QUESTION NO. 40
In which of the following situations would an auditor potentially lack objectivity?

A. An auditor reviews the procedures for a new electronic data interchange
connection to a major customer before it is implemented.
B. An auditor recommends standards of control and performance measures for a
contract with a service organization for the processing of payroll and employee
benefits.
C. A former purchasing assistant performs a review of internal controls over
purchasing four months after being transferred to the internal audit activity.
D. A payroll accounting employee assists an auditor in verifying the physical
inventory of small motors.
ANSWER TO QUESTION NO. 40
CORRECT ANSWER IS C . Its Explanation is

Practice Advisory 1130.A1-1 states that persons transferred to the internal audit activity
should not be assigned to audit those activities that they previously performed until at
least one year has elapsed.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
An internal auditor’s objectivity is not adversely affected when the auditor reviews procedures before they are
implemented.
Explanation for Choice B:
An internal auditor’s objectivity is not adversely affected when the auditor recommends standards of control for systems
before they are implemented.
Explanation for Choice D:
Use of staff from other areas to assist the internal auditor does not impair objectivity, especially when the staff is from
outside the area being audited.

MULTIPLE CHOICE QUESTION NO. 41
In which of the following situations does the internal auditor potentially lack
objectivity?

A. An internal auditor recommends standards of control and performance
measures for contracting with a service organization.
B. Four months after being transferred to the internal audit activity, a former
purchasing assistant performs a review of internal controls over purchasing.
C. A payroll accounting employee assists an internal auditor in verifying the
physical inventory of small motors.
D. An internal auditor reviews the procedures for a new electronic data
interchange connection for a customer before it is implemented.
ANSWER TO QUESTION NO. 41
CORRECT ANSWER IS B . Its Explanation is
In order to maintain objectivity, an internal auditor should not be involved in an engagement in
an area where they have worked in the past 12 months. In this situation, the internal auditor's
objectivity would be impaired in respect to the purchasing department.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
This is not a potential impairment to the objectivity of the internal auditor.
Explanation for Choice C:
This is not a potential impairment to the objectivity of the internal auditor.
Explanation for Choice D:
This is not a potential impairment to the objectivity of the internal auditor.

MULTIPLE CHOICE QUESTION NO. 42
When reviewing a report prepared by an internal auditor who has a personal
friend employed in the area being audited, a chief audit executive's primary
focus would be to ensure which of the following?

A. The report is clearly worded and avoids unnecessary detail, redundancy, and
wordiness.
B. The report is fair, impartial, and unbiased.
C. The report is easily understood and findings are presented in a logical
manner.
D. The report is free from errors and misstatements.
ANSWER TO QUESTION NO. 42
CORRECT ANSWER IS B . Its Explanation is
When there are concerns about the objectivity of the internal auditor, the primary focus during the review of the
report will be making certain that the report is fair, impartial, and unbiased. The other choices will also be
addressed, but in this situation, fairness, impartiality, and freedom from bias are the most important
considerations.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
While this will be reviewed, this is not the primary focus of the review in this situation.
Explanation for Choice C:
While this will be reviewed, this is not the primary focus of the review in this situation.
Explanation for Choice D:
While this will be reviewed, this is not the primary focus of the review in this situation.

MULTIPLE CHOICE QUESTION NO. 43
According to the International Professional Practices Framework, the
independence of the internal audit activity is achieved through:

A. Human relations and communications.
B. Organizational status and objectivity.
C. Staffing and supervision.
D. Continuing professional development and due professional care.

ANSWER TO QUESTION NO. 43
CORRECT ANSWER IS B . Its Explanation is
According to Practice Advisory 1110-1, organizational status and objectivity permit members
of the internal audit activity to render the impartial and unbiased judgments essential to the
proper conduct of engagements.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Human relations and communications relate to the professional proficiency of the internal auditor.
Explanation for Choice C:
Staffing and supervision relate to the professional proficiency of the internal audit activity.
Explanation for Choice D:
Continuing professional development and due professional care relate to the professional proficiency of the internal auditor.

Sub - Section III Proficiency and Due Professional Care
MULTIPLE CHOICE QUESTION NO. 131
Which one of the following is not included in the internal audit charter?

A. Risk assessment of the internal audit activity.
B. Authority of the internal audit activity.
C. Responsibility of the internal audit activity.
D. Purpose of the internal audit activity.

ANSWER TO QUESTION NO. 131
CORRECT ANSWER IS A . Its Explanation is

A risk assessment is not appropriate for inclusion in the internal audit
charter.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
The appropriate contents of the internal audit charter are the purpose, authority, and responsibility of the internal audit
activity.
Explanation for Choice C:
The appropriate contents of the internal audit charter are the purpose, authority, and responsibility of the internal audit
activity.
Explanation for Choice D:
The appropriate contents of the internal audit charter are the purpose, authority, and responsibility of the internal audit
activity.

MULTIPLE CHOICE QUESTION NO. 132
After the chief audit executive receives approval from the board to offer
consulting services, what should be done?

A. The internal audit charter should be amended.
B. The CAE should get approval from the internal auditors.
C. The CAE should begin performing consulting services.
D. The board should develop appropriate policies and procedures for
conducting such engagements.

ANSWER TO QUESTION NO. 132
CORRECT ANSWER IS A . Its Explanation is
The purpose, authority, and responsibility of the internal audit activity must be formally defined in
an internal audit charter (Attr. Std. 1000). The nature of consulting services must be defined in the
internal audit charter.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
The CAE does not need to get additional approval from the internal auditors. Only board approval is required.
Explanation for Choice C:
After the CAE receives board approval, the internal audit charter must be amended and the CAE must establish
policies and procedures.
Explanation for Choice D:
The CAE must establish policies and procedures to guide the internal audit activity.
MULTIPLE CHOICE QUESTION NO. 133
The internal audit charter includes all of the following except

A. The nature of the chief audit executive’s relationship with the board.
B. The internal auditor’s responsibility to provide assurance and consulting
services.
C. The organization’s core values, mission, and vision statements.
D. A formal definition of the purpose, authority, and responsibility of the
internal audit activity.

ANSWER TO QUESTION NO. 133
CORRECT ANSWER IS C . Its Explanation is
The core values, mission, and vision statements of the organization are not included in the internal audit charter. The
interpretation of Standard 1000 defines the internal audit charter as “a formal document that defines the internal audit activity’s
purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the
organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access
to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal
audit activities. Final approval of the internal audit charter resides with the board.”
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
The nature of the chief audit executive’s functional reporting relationship with the board is defined in the internal audit charter. This
includes the CAE’s functional and administrative reporting lines and the level of authority required for the internal audit activity to perform
engagements and fulfill its agreed-upon objectives and responsibilities.
Explanation for Choice B:
The internal audit charter for the internal audit activity defines the internal audit activity’s purpose, authority, and responsibility. The
internal audit activity’s responsibility to provide the organization with assurance and consulting services is defined in the internal audit
charter.
Explanation for Choice D:
The internal audit charter includes a formal definition of the purpose, authority, and responsibility of the internal audit activity. The
internal audit charter should be discussed among the CAE, senior management, and the board to mutually agree upon (1) the internal

MULTIPLE CHOICE QUESTION NO. 134
The chief audit executive (CAE) is best defined as the

A. Inspector general.
B. Person responsible for overseeing the contract with the outside provider of
internal audit services.
C. Outside provider of internal audit services.

ANSWER TO QUESTION NO. 134
CORRECT ANSWER IS D . Its Explanation is
The CAE is a person in a senior position responsible for effectively managing the internal audit
activity in accordance with the internal audit charter and the mandatory elements of the IPPF (The
IIA Glossary).

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The specific job title of the chief audit executive may vary across organizations (The IIA Glossary).
Explanation for Choice B:
The term “chief audit executive” is defined broadly because (1) the internal audit activity may be
insourced or outsourced and (2) many different titles are used in practice.
Explanation for Choice C:
The internal audit activity may be insourced.

MULTIPLE CHOICE QUESTION NO. 135
Which of the following is not appropriate for inclusion in the internal audit
charter?

A. The nature of the chief audit executive’s functional reporting relationship
with the board.
B. Authorization of internal audit access to records, personnel, and physical
properties.
C. Authorization of the board to approve the charter.
D. Definition of the scope of internal audit activities.

ANSWER TO QUESTION NO. 135
CORRECT ANSWER IS C . Its Explanation is

Final approval of the internal audit charter resides with the board. The board has
this power inherently.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The nature of the chief audit executive’s functional reporting relationship with the board is one of the
elements to be included in the internal audit charter.
Explanation for Choice B:
Authorization of internal audit access to records, personnel, and physical properties is one of the elements to
be included in the internal audit charter.
Explanation for Choice D:
Definition of the scope of internal audit activities is one of the elements to be included in the internal audit
charter.

MULTIPLE CHOICE QUESTION NO. 136
The organizational position of the internal audit activity should be free from the
effects of irresponsible policy changes by management. The most effective way to
ensure that freedom is to
A. Develop written policies and procedures to serve as standards of performance for
the internal audit activity.
B. Establish an audit committee within the board.
C. Adopt policies for the functioning of the internal audit activity.
D. Have the internal audit charter approved by the board.

ANSWER TO QUESTION NO. 136
CORRECT ANSWER IS D . Its Explanation is
The internal audit charter is a formal document that defines the internal audit activity’s purpose,
authority, and responsibility. Final approval of the internal audit charter resides with the board
(Inter. Std. 1000).

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Written policies and procedures serve to guide the internal auditor but have little effect on management.
Explanation for Choice B:
The establishment of an audit committee alone does not ensure the status of the internal audit activity.
Explanation for Choice C:
Adoption of policies for the functioning of the internal audit activity does not protect its organizational position.

MULTIPLE CHOICE QUESTION NO. 137
Which one of the following must be included in the internal audit charter?

A. Number of full-time internal audit employees deemed to be the necessary
minimum.
B. Internal audit responsibility.
C. Internal audit objectivity.
D. Chief audit executive’s compensation plan.

ANSWER TO QUESTION NO. 137
CORRECT ANSWER IS B . Its Explanation is

The purpose, authority, and responsibility of the internal audit activity must be formally
defined in an internal audit charter.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The staffing of the internal audit activity is determined by the CAE and the board; it is not an
appropriate matter to include in the internal audit charter.
Explanation for Choice C:
Objectivity is an attribute of individual auditors and is not included in the internal audit charter.
Explanation for Choice D:
The CAE’s compensation plan is not an appropriate matter to include in the internal audit charter.

MULTIPLE CHOICE QUESTION NO. 138
The chief audit executive has assigned an internal auditor to perform a year-end
engagement to evaluate payroll records. The internal auditor has contacted the
director of compensation and has been refused access to necessary documents. To
avoid this problem,

A. Internal auditing should be required to report to the CEO of the organization.
B. Access to records relevant to performance of engagements should be specified
in the internal audit activity’s charter.
C. Board approval should be required for all scope limitations.
D. By following the long-range planning process, access to all relevant records
should be guaranteed.
ANSWER TO QUESTION NO. 138
CORRECT ANSWER IS B. Its Explanation is
Specific guidelines are written in the internal audit activity’s charter authorizing access to records, personnel,
and physical properties relevant to the performance of engagements (Inter. Std. 1000). Such provisions
reduce the likelihood of scope limitations.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The internal audit activity need not report to a specific individual in the organization, although reporting
administratively to the CEO is desirable.
Explanation for Choice C:
The internal audit activity must inform the board of any scope limitations, but the board’s approval is not
required.
Explanation for Choice D:
Following the long-range planning process provides no guarantee of access.
MULTIPLE CHOICE QUESTION NO. 139
Internal auditing has planned an engagement to evaluate the effectiveness of the quality assurance
function as it affects the receipt of goods, the transfer of the goods into production, and the scrap
costs related to defective items. The engagement client argues that such an engagement is not
within the scope of the internal audit activity and should come under the purview of the quality
assurance department only. What is the most appropriate response?

A. Because quality assurance is a new function, seek the approval of management as a mediator to
set the scope of the engagement.
B. Terminate the engagement because it will not be productive without the client’s cooperation.
C. Indicate that the engagement will evaluate the function only in accordance with the standards
set by, and approved by, the quality assurance function before beginning the engagement.
D. Refer to the internal audit activity’s charter and the approved engagement plan that includes the
area designated for evaluation in the current time period.
ANSWER TO QUESTION NO. 139
CORRECT ANSWER IS D. Its Explanation is

The written charter, approved by the board, defines the scope of internal audit
activities.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The engagement client does not determine the scope of this type of assurance engagement. A scope limitation
imposed by the client might prevent the internal audit activity from achieving its objectives.
Explanation for Choice B:
The internal auditors must conduct the engagement and communicate any scope limitations to management and
the board.
Explanation for Choice C:
Other objectives may be established by management and the internal auditors. The engagement is not limited to
the specific standards set by the quality assurance department. It considers such standards in the development of
the engagement program.
MULTIPLE CHOICE QUESTION NO. 140
To prevent misunderstandings, engagement clients must

A. Define the level of authority required by internal auditors for each engagement.
B. Authorize access to records, personnel, and physical properties relevant to the
engagement.
C. Be informed of the internal audit activity’s purpose, authority, and responsibility.
D. Establish the internal audit activity’s position within the organization.

ANSWER TO QUESTION NO. 140
CORRECT ANSWER IS C. Its Explanation is
Engagement clients must be informed of the internal audit activity’s purpose, authority, and responsibility to
prevent misunderstandings about access to records and personnel. The CAE, senior management, and the
board mutually agree upon the internal audit charter. The charter defines (1) the internal audit objectives and
responsibilities and (2) the expectations for the internal audit activity.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The level of authority required for each engagement within the internal audit activity is mutually agreed upon by the CAE, senior
management, and the board, and is defined in the internal audit charter.
Explanation for Choice B:
Engagement clients do not authorize the internal auditor’s activity but must be informed of the internal auditor’s authority. The
internal audit charter authorizes access to records, personnel, and physical properties relevant to the performance of
engagements. Final approval of the internal audit charter resides with the board.
Explanation for Choice D:
The internal audit charter, not the engagement client, establishes the internal audit activity’s position within the organization.
MULTIPLE CHOICE QUESTION NO. 141
The transportation department of a publicly held company has asked the internal audit
activity to review the design specifications for a proposed new warehouse and repair
facility. The best reason for the internal audit activity to decline the request is

A. The CEO and the head of the transportation department are neighbors and belong
to the same social clubs.
B. The transportation department’s budget is immaterial to the organization’s total
budget.
C. Such a review does not fall within the authority granted in the internal audit charter.
D. The internal audit activity performed a thorough review of the transportation
department the previous year.
ANSWER TO QUESTION NO. 141
CORRECT ANSWER IS C. Its Explanation is
The internal audit activity’s purpose, authority, and responsibility are specifically granted in the form of a
written charter approved by the board.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
An attitude of independence is required for internal auditors, not for auditees and management.
Explanation for Choice B:
Internal audit engagements are scheduled based on a risk assessment, only one of the elements of
which is monetary materiality.
Explanation for Choice D:
Internal audit engagements are scheduled based on a risk assessment, not simply time elapsed since
the last engagement.
MULTIPLE CHOICE QUESTION NO. 142
An element of authority that must be included in the charter of the internal audit
activity is

A. Identification of the organizational units where engagements are to be
performed.
B. Access to records, personnel, and physical properties relevant to the
performance of engagements.
C. Identification of the types of disclosures that should be made to the board.
D. Access to the external auditor’s engagement records.

ANSWER TO QUESTION NO. 142
CORRECT ANSWER IS B. Its Explanation is
The charter establishes the internal audit activity’s position within the organization, including the
nature of the chief audit executive’s functional reporting relationship with the board; authorizes
access to records, personnel, and physical properties relevant to the performance of engagements;
and defines the scope of internal audit activities.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The audit schedule is based on a risk assessment; it is thus inappropriate to designate specific
engagement areas in the internal audit charter.
Explanation for Choice C:
Disclosure to the board is an obligation, not an element of authority.
Explanation for Choice D:
Access to the external auditor’s engagement records cannot be guaranteed.
Sub - Section IV Quality Assurance and Improvement Program

MULTIPLE CHOICE QUESTION NO. 113


Quality program assessments may be performed internally or externally. A
distinguishing feature of an external assessment is its objective to

A. Determine whether internal audit services meet professional standards.


B. Set forth the recommendations for improvement.
C. Provide independent assurance.
D. Identify tasks that can be performed better.

ANSWER TO QUESTION NO. 113
CORRECT ANSWER IS C. Its Explanation is
External assessments must be conducted at least once every 5 years by a qualified, independent
reviewer or review team from outside the organization. Individuals who perform the external
assessment are free of any obligation to, or interest in, the organization whose internal audit activity is
assessed.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
An internal assessment will determine whether internal audit services meet professional standards.
Explanation for Choice B:
An internal assessment will set forth recommendations for improvement.
Explanation for Choice D:
An internal assessment will identify tasks that can be performed better.

MULTIPLE CHOICE QUESTION NO. 114


Periodic internal assessments of the internal audit activity primarily serve the
needs of

A. The board of directors.


B. The chief audit executive (CAE).
C. The internal audit activity’s staff.
D. Senior management.

ANSWER TO QUESTION NO. 114
CORRECT ANSWER IS B. Its Explanation is
Those conducting internal assessments generally should report to the CAE while performing the
reviews and communicate directly to the CAE.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The directors are secondary users of a periodic internal assessment.
Explanation for Choice C:
The internal audit activity staff are secondary users of a periodic internal assessment.
Explanation for Choice D:
Senior management is a secondary user of a periodic internal assessment.

MULTIPLE CHOICE QUESTION NO. 115


An external assessment of an internal audit activity contains an expressed opinion.
The opinion may apply to

A. Only to the effectiveness of the internal auditing coverage.


B. Only to the internal audit activity’s conformance with the Standards.
C. Only to the adequacy of internal control.
D. Conformance with the Standards and an assessment for each standard.

ANSWER TO QUESTION NO. 115
CORRECT ANSWER IS D. Its Explanation is
External assessments of an internal audit activity contain an expressed opinion or conclusion on overall
conformance with the Standards and possibly an assessment for each standard or series of standards.
An external assessment also includes, as appropriate, recommendations (corrective action plans) for
improvement.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The scope of an external assessment extends to more than the effectiveness of the internal auditing coverage.
Explanation for Choice B:
An opinion may be expressed on the Standards and an assessment may be made for each standard or series of
standards.
Explanation for Choice C:
An external assessment addresses the internal audit activity, not the adequacy of the organization’s controls.

MULTIPLE CHOICE QUESTION NO. 116


Which of the following is only part of an internal audit activity’s quality assurance
program rather than being included as part of other responsibilities of the chief audit
executive (CAE)?

A. Each individual internal auditor’s performance is appraised at least annually.


B. Management approves a formal charter establishing the purpose, authority, and
responsibility of the internal audit activity.
C. Supervision of an internal auditor’s work is performed throughout each audit
engagement.
D. The CAE provides information about and access to internal audit working papers to
the external auditors to enable them to understand and determine the degree to
which they may rely on the internal auditors’ work.
ANSWER TO QUESTION NO. 116
CORRECT ANSWER IS C. Its Explanation is
The CAE develops and maintains a quality assurance and improvement program (Attr. Std. 1300) that includes
(1) external assessments and (2) ongoing and periodic internal assessments. Ongoing monitoring is
incorporated into the routine policies and practices used to manage the internal audit activity. Among the
processes used in ongoing internal assessments is engagement planning and supervision (IG 1311).

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Individual performance appraisals are part of a CAE’s responsibility for personnel management and development.
Explanation for Choice B:
A CAE’s responsibility to seek approval of a charter to establish the authority, purpose, and responsibility of the
internal audit activity is not part of a quality assurance program.
Explanation for Choice D:
Providing working papers to the external auditors relates to the responsibility of the CAE to coordinate with
external auditors.

MULTIPLE CHOICE QUESTION NO. 117


The interpretation related to quality assurance given by the Standards is that

A. External assessments can provide senior management and the board with
independent assurance about the quality of the internal audit activity.
B. Appropriate follow-up to an external assessment is the responsibility of the chief
audit executive’s immediate supervisor.
C. Supervision is limited to the planning, examination, evaluation, communication,
and follow-up process.
D. The internal audit activity is primarily measured against The IIA’s Code of Ethics.

ANSWER TO QUESTION NO. 117
CORRECT ANSWER IS A. Its Explanation is

External assessments provide an independent and objective evaluation of the
internal audit activity’s compliance with the Standards and Code of Ethics.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
The communication of final results of an external assessment should include the CAE’s responses. These include
corrective action plans.
Explanation for Choice C:
Supervision begins with planning and continues throughout the engagement.
Explanation for Choice D:
The external assessment considers the internal audit activity’s conformance with the Standards and the Code of
Ethics.

MULTIPLE CHOICE QUESTION NO. 118


Potential conflicts of interest with the quality assurance assessment team
should be disclosed to

A. Internal audit activity.


B. Chief audit executive.
C. Internal audit staff.
D. Senior management and the board.

ANSWER TO QUESTION NO. 118
CORRECT ANSWER IS D. Its Explanation is
The chief audit executive must communicate the results of the quality assurance and improvement
program to senior management and the board. Disclosures should include the qualifications and
independence of the assessor(s) or assessment team, including potential conflicts of interest.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Potential conflicts of interest with the quality assurance assessment team should not be disclosed to the internal
audit activity.
Explanation for Choice B:
The chief audit executive should disclose the potential conflicts of interest with the quality assurance assessment
team to the appropriate parties.
Explanation for Choice C:
Potential conflicts of interest with the quality assurance assessment team should not be disclosed to the internal
audit staff.

MULTIPLE CHOICE QUESTION NO. 119


Following an external assessment of the internal audit activity, who is (are)
responsible for communicating the results to the board?

A. Chief audit executive.


B. Audit committee.
C. External auditors.
D. Internal auditors.

ANSWER TO QUESTION NO. 119
CORRECT ANSWER IS A. Its Explanation is

The chief audit executive must communicate the results of the QAIP to senior
management and the board.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
The chief audit executive (not the audit committee) is responsible for communicating the results of external
assessments to the board.
Explanation for Choice C:
The chief audit executive (not external auditors) is responsible for communicating the results of external
assessments to the board.
Explanation for Choice D:
The chief audit executive (not internal auditors) is responsible for communicating the results of external
assessments to the board.

MULTIPLE CHOICE QUESTION NO. 120


The chief audit executive’s disclosure to senior management and the board
regarding the QAIP should include all of the following except

A. Corrective action plans.


B. Scope and frequency of external assessments.
C. Conclusions of assessors.
D. Checklists or automation tools used.

ANSWER TO QUESTION NO. 120
CORRECT ANSWER IS D. Its Explanation is
Attribute Standard 1320, Reporting on the Quality Assurance and Improvement Program, states, “The chief audit
executive must communicate the results of the quality assurance and improvement program to senior
management and the board. Disclosure should include (1) the scope and frequency of both the internal and
external assessments; (2) the qualifications and independence of the assessor(s) or assessment team, including
potential conflicts of interest; (3) conclusions of assessors; and (4) corrective action plans.” Checklists or
automation tools used do not require disclosure.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Corrective action plans should be disclosed to senior management and the board.
Explanation for Choice B:
The scope and frequency of external assessments should be disclosed to senior management and the board.
Explanation for Choice C:
Conclusions of assessors should be disclosed to senior management and the board.


MULTIPLE CHOICE QUESTION NO. 121


Internal auditors may include in their audit report that their activities conform with
The IIA Standards.
They may use this statement only if

A. An independent external assessment of the internal audit activity is conducted
annually.
B. Senior management or the board is accountable for implementing a quality
program.
C. External assessments of the internal audit activity are made by external auditors.
D. It is supported by the results of the quality program.

ANSWER TO QUESTION NO. 121
CORRECT ANSWER IS D. Its Explanation is
The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance
and improvement program support this statement.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
An independent external assessment of the internal audit activity must be conducted at least once
every 5 years.
Explanation for Choice B:
The CAE must develop and maintain a QAIP that covers all aspects of the internal audit activity.
Explanation for Choice C:
Assessments also may be made by others who are (1) independent, (2) qualified, and (3) from outside
the organization.

MULTIPLE CHOICE QUESTION NO. 122


Which of the following is the appropriate response when nonconformance with the
Code of Ethics or the Standards impacts the overall scope or operation of the
internal audit activity?

A. External assessments of the organization’s quality assurance and improvement
program must be performed annually.
B. The chief audit executive must disclose the nonconformance and the impact to
senior management and the board.
C. Senior management must reevaluate the qualifications and independence of the
assessor(s).
D. The internal audit activity must reinforce expectations outlined in the audit plan.
ANSWER TO QUESTION NO. 122
CORRECT ANSWER IS B. Its Explanation is
Attribute Standard 1322, Disclosure on Nonconformance, states, “When nonconformance with the Code of Ethics
or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must
disclose the nonconformance and the impact to senior management and the board.” Nonconformance of this type
refers to the overall internal audit activity and not to specific engagements.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
External assessments must be conducted at least once every five years, not annually, by a qualified, independent assessor or
assessment team from outside the organization.
Explanation for Choice C:
According to Attribute Standard 1310, Reporting on the Quality Assurance and Improvement Program, the qualifications and
independence of the assessor(s) or assessment team, including potential conflicts of interest, should be disclosed to senior
management and the board by the chief audit executive. But this is not the appropriate response when nonconformance with the
Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity.
Explanation for Choice D:
Reinforcing expectations outlined in the audit plan is not the appropriate response when nonconformance with the Code of Ethics
or the Standards impacts the overall scope or operation of the internal audit activity.

MULTIPLE CHOICE QUESTION NO. 123


Which of the following would demonstrate that the internal audit activity is in
compliance with IIA practices?

A. The results of periodic internal assessments are communicated at least twice a year.
B. The results of external assessments are communicated upon their completion.
C. The chief audit executive determines the form and content of the results
communicated.
D. The results of ongoing monitoring are communicated upon their completion.

ANSWER TO QUESTION NO. 123
CORRECT ANSWER IS B. Its Explanation is
“To demonstrate conformance with the Definition of Internal Auditing and the Standards, and
application of the Code of Ethics, the results of external and periodic internal assessments are
communicated upon completion of such assessments and the results of ongoing monitoring are
communicated at least annually. The results include the assessor’s or assessment team’s evaluation
with respect to the degree of conformance”.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
The results of periodic internal assessments are communicated upon their completion.
Explanation for Choice C:
The form, content, and frequency of communicating the results of the quality assurance and improvement program are
established through discussions with senior management and the board and consider the responsibilities of the internal
audit activity and chief audit executive as contained in the internal audit charter.
Explanation for Choice D:
The results of ongoing monitoring are communicated at least annually.
Sub - Section V Governance, Risk Management and Controls

MULTIPLE CHOICE QUESTION NO. 228


According to the Standards, what is the role of internal audit as it relates to risk
management?

A. Identify and assess significant risks within the organization.


B. Determine the risk appetite of the organization.
C. Communicate relevant risk information to the appropriate people within the
organization.
D. Evaluate the effectiveness of the risk management process.

ANSWER TO QUESTION NO. 228
CORRECT ANSWER IS D. Its Explanation is

According to Standard 2120, “The internal audit activity must evaluate the effectiveness
and contribute to the improvement of risk management processes.”

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
According to Standard 2120 - Risk Management, this is one of the areas that internal audit would assess in determining the effectiveness of
risk management processes.
Explanation for Choice B:
According to Standard 2120 - Risk Management, this is one of the areas that internal audit would assess in determining the effectiveness of
risk management processes.
Explanation for Choice C:
According to Standard 2120 - Risk Management, this is one of the areas that internal audit would assess in determining the effectiveness of
risk management processes.


MULTIPLE CHOICE QUESTION NO. 229


It is not uncommon for organizations to develop a formal risk appetite statement.
Which of the following would not be included in the statement?

A. Management compensation packages are regularly reviewed by the board’s
remuneration committee before being approved by the board.
B. The company will use derivative instruments only for hedging purposes.
C. The company will not give additional trade credit to creditors whose accounts
are more than 40 days past due.
D. The company may not keep more than 20% of its cash in a single bank.

ANSWER TO QUESTION NO. 229
CORRECT ANSWER IS A. Its Explanation is

Formalizing risk appetite means putting it in writing so that there is little confusion
about the board and management’s attitude toward risk. Determining the level of
management remuneration is a function of the company’s remuneration
committee.
INCORRECT CHOICES EXPLANATION
Explanation for Choice B:
See the correct answer for an explanation.
Explanation for Choice C:
See the correct answer for an explanation.
Explanation for Choice D:
See the correct answer for an explanation.

MULTIPLE CHOICE QUESTION NO. 230


Companies respond to risk differently depending upon impact and likelihood.
What would be a company’s risk response if the company decided to self-insure
its employees’ health care?

A. Strategize the risk.


B. Retain the risk.
C. Avoid the risk.
D. Transfer the risk.

ANSWER TO QUESTION NO. 230
CORRECT ANSWER IS B. Its Explanation is

If a company decides to self-insure its employees for health care, it is retaining the risk.
If there are health issues with its employees, then the company would pay for those
issues out of its own money.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
See the correct answer for an explanation.
Explanation for Choice C:
See the correct answer for an explanation.
Explanation for Choice D:
See the correct answer for an explanation.

MULTIPLE CHOICE QUESTION NO. 231


Many organizations use electronic funds transfer to pay their suppliers instead
of issuing checks. Regarding the risks associated with issuing checks, which of
the following risk management techniques does this represent?

A. Transferring.
B. Controlling.
C. Accepting.
D. Avoiding.

ANSWER TO QUESTION NO. 231
CORRECT ANSWER IS D. Its Explanation is

By eliminating checks, the organization avoids all risk associated with them.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Risk is not transferred to anyone else; it is eliminated.
Explanation for Choice B:
Eliminating checks does not represent an ongoing control.
Explanation for Choice C:
Eliminating checks avoids instead of accepts the associated risk.

MULTIPLE CHOICE QUESTION NO. 232


According to the 2017 COSO publication, Enterprise Risk Management: Integrating
with Strategy and Performance, when should enterprise risk management take
place?

A. At the same time as the organization's strategies and objectives are being set for
the coming period.
B. At the same time as the organization's strategies and objectives are being set for
the coming period and on an ongoing basis.
C. Before the organization's strategies and objectives are set for the coming period.
D. Immediately after the organization’s strategies and objectives have been set for
the coming period.
ANSWER TO QUESTION NO. 232
CORRECT ANSWER IS B. Its Explanation is
Enterprise risk management enhances strategy selection when it is integrated with strategy selection. Integrating ERM with strategy
selection enables the organization to consider the risks inherent in the strategy under consideration, whether the strategy will align with
the organization’s mission, vision, and values, and whether it might have unintended consequences.
Furthermore, enterprise risk management is an ongoing activity. Review and revision is an important component of ERM. As part of its
regular review of the organization’s performance, management should consider how well the components of its enterprise risk
management are functioning over time. If substantial changes occur, management should consider what revisions are needed.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Enterprise risk management enhances strategy selection when it is integrated with strategy selection. However,
enterprise risk management is also an ongoing activity. It is not something that can be done once.
Explanation for Choice C:
Enterprise risk management should not take place before the organization's strategies and objectives are set.
Explanation for Choice D:
Enterprise risk management should not be treated as an add-on activity after a strategy has been chosen.


MULTIPLE CHOICE QUESTION NO. 233


Which of the following enterprise risk management (ERM) components
influences the risk consciousness of an organization's people and is the basis for
all other ERM components?

A. Governance and culture.


B. Information and communication.
C. Performance.
D. Objective setting.

ANSWER TO QUESTION NO. 233
CORRECT ANSWER IS A. Its Explanation is

The governance and culture of the organization is what sets the organization's
tone in respect to risk management.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Information and communication is not the component of ERM that influences the risk consciousness of the
organization.
Explanation for Choice C:
Performance is not the component of ERM that influences the risk consciousness of the organization.
Explanation for Choice D:
Objective setting is not the component of ERM that influences the risk consciousness of the organization.

MULTIPLE CHOICE QUESTION NO. 234


When assessing the risk associated with an activity, an internal auditor should:

A. Update the risk management process based on risk exposures.


B. Provide assurance on the management of the risk.
C. Determine how the risk should best be managed.
D. Design controls to mitigate the identified risks.

ANSWER TO QUESTION NO. 234
CORRECT ANSWER IS B. Its Explanation is

Assurance services involve the internal auditor’s objective assessment of
management’s risk management activities and the degree to which they are
effective.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Designing and updating the risk management process is the role of management.
Explanation for Choice C:
Determining how unacceptable risk should be managed is the role of management.
Explanation for Choice D:
Designing controls would impair the internal auditor’s independence.

MULTIPLE CHOICE QUESTION NO. 235


Which of the following would be a preventive control?

A. Comparing a bank deposit slip with the total cash received as noted on a
prelisting sheet prepared in the mail room.
B. Approving customer credit prior to shipping merchandise.
C. Reviewing the sequence of pre-numbered documents.
D. Scanning the general ledger for accounts with unusually high or low
balances.

ANSWER TO QUESTION NO. 235
CORRECT ANSWER IS B . Its Explanation is

Approving a customer before shipping merchandise is a preventive control as it
should prevent shipping merchandise to customers who will not be able to pay.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Comparing a bank deposit slip with the total cash received as noted on a prelisting sheet prepared in the mail room
is not a preventive control.
Explanation for Choice C:
Reviewing the sequence of pre-numbered documents is not a preventive control.
Explanation for Choice D:
Scanning the general ledger for accounts with unusually high or low balances is a detective control, not a preventive
control.


MULTIPLE CHOICE QUESTION NO. 236


Which of the following statements is correct regarding corporate compensation systems and
related bonuses?
I. A bonus system should be considered part of the control environment of an organization and
should be considered in formulating a report on internal control.
II. Compensation systems are not part of an organization’s control system and should not be
reported as such.
III. An audit of an organization’s compensation system should be performed independently of
an audit of the control system over other functions that impact corporate bonuses.

A. II only.
B. III only.
C. II and III only.
D. I only.

ANSWER TO QUESTION NO. 236
CORRECT ANSWER IS D . Its Explanation is
I. Correct. Compensation systems influence behavior and should be considered an integral part of an organization’s control
structure. Thus, it should be considered as an important part of the control structure.
II. Incorrect. Compensation systems are part of the organization’s control systems.
III. Incorrect. Audits of the compensation systems can be combined with an audit over other functions that impact
corporate bonuses.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
See the correct answer for an explanation.
Explanation for Choice B:
See the correct answer for an explanation.
Explanation for Choice C:
See the correct answer for an explanation.

MULTIPLE CHOICE QUESTION NO. 237


Several years ago a senior member in the accounting area developed a software
application that automates a simple, yet time-saving task. Over time, the application
has been adopted by other users in accounting, and these other users have
encouraged the original author to maintain the application, adapting it as needed
when new systems are introduced. Which of the following controls for this situation
would be most effective and efficient?

A. Recommend policy changes that freeze further adoption and work on the software.
B. Recommend that the application be replaced by a commercially developed product.
C. Analyze the application to ensure that it is, in fact, the most efficient solution to the
work problem.
D. Ensure complete, accurate, and updated documentation of the application.
ANSWER TO QUESTION NO. 237
CORRECT ANSWER IS D . Its Explanation is
The application appears to do the task well, so limiting its use, verifying its effectiveness, and replacing it are
probably not the most effective and efficient controls. Ensuring that the application’s design and subsequent
modifications are documented would be most effective. This helps protect the function against the eventual loss of
its author’s expertise if the employee retires or leaves the organization, as well as control the impact of
modifications to the program. If the application does not include application authentication controls, this would
also be a good recommendation.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
See the correct answer for an explanation.
Explanation for Choice B:
See the correct answer for an explanation.
Explanation for Choice C:
See the correct answer for an explanation.

MULTIPLE CHOICE QUESTION NO. 238


A specific objective of an audit of an organization’s expenditure cycle is to determine if
all goods paid for have been received and charged to the correct account. This
objective would address which of the following primary objectives identified in the
Standards?
I. Reliability and integrity of financial and operational information.
II. Compliance with laws, regulations, and contracts.
III. Effectiveness and efficiency of operations.
IV. Safeguarding of assets.

A. I and II only.
B. I and IV only.
C. II, III, and IV only.
D. I, II, and IV only.

ANSWER TO QUESTION NO. 238
CORRECT ANSWER IS B . Its Explanation is
I. Correct. According to Standard 2130.A1: “The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to
risks within the organization’s governance, operations, and information systems regarding the:
Achievement of the organization’s strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.”
The specific engagement objective of determining if goods are charged to the appropriate account would address the objective regarding the
reliability and integrity of information.
IV. Correct. The specific engagement objective of determining if all goods paid for have been received would address the objective regarding
safeguarding of assets.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
See the correct answer for an explanation.
Explanation for Choice C:
See the correct answer for an explanation.
Explanation for Choice D:
Sub - Section VI Fraud Risks
MULTIPLE CHOICE QUESTION NO. 159
How does fraud awareness training support fraud prevention?

A. Reduces opportunities to commit fraud.


B. Facilitates the testing of controls.
C. Helps develop credible responses to potential risks.
D. Limits rationalization.

ANSWER TO QUESTION NO. 159
CORRECT ANSWER IS D . Its Explanation is
An individual justifies fraudulent actions by rationalization. Fraud awareness training minimizes
rationalization by (1) supporting the ethical tone at the top, (2) promoting an anti-fraud
environment, and (3) emphasizing that the organization does not tolerate misconduct of any
kind.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Fraud awareness training does not reduce opportunities to commit fraud.
Explanation for Choice B:
Fraud awareness training does not facilitate the testing of controls.
Explanation for Choice C:
Controls help develop credible responses to potential risks, not fraud awareness training.
MULTIPLE CHOICE QUESTION NO. 160
The internal auditors’ responsibility regarding fraud includes all of the following
except

A. Determining whether the control environment sets the appropriate tone at the top.
B. Ensuring that fraud will not occur.
C. Being aware of activities in which fraud is likely to occur.
D. Evaluating the effectiveness of control activities.

ANSWER TO QUESTION NO. 160
CORRECT ANSWER IS B . Its Explanation is

Control is the principal means of preventing fraud, and management is responsible for
establishing and maintaining internal control. Thus, internal auditors cannot give
absolute assurance that noncompliance or fraud does not exist.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Internal auditing is responsible for evaluating the organization’s control environment.
Explanation for Choice C:
The internal auditor should have sufficient knowledge of fraud indicators and be alert to opportunities that could
allow fraud.
Explanation for Choice D:
Assessing the design and operating effectiveness of fraud-related controls is the responsibility of internal auditing.
MULTIPLE CHOICE QUESTION NO. 161
The primary purpose of operating a fraud hotline within an organization is
to

A. Measure how well organizational units are achieving the organization’s
goals.
B. Reduce total costs of operations.
C. Concentrate on areas that deserve attention.
D. Establish channels of communication for people to report suspected
improprieties.

ANSWER TO QUESTION NO. 161
CORRECT ANSWER IS D . Its Explanation is

Fraud-related information and communication practices promote fraud risk
management. For example, hotlines are a convenient way for employees to report
suspected improprieties.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
The primary purpose of operating a fraud hotline is not to measure how well organizational units are
achieving the organization’s goals.
Explanation for Choice B:
Reducing total costs of operating the organization is not the primary purpose of a fraud hotline.
Explanation for Choice C:
Concentrating on areas that deserve attention and less attention on areas operating as expected is not
the primary purpose of a fraud hotline.
MULTIPLE CHOICE QUESTION NO. 162
Which of the following is not a responsibility of internal auditors regarding fraud
prevention, deterrence, and detection?

A. Support audit committee oversight in ensuring management has implemented
an effective system of internal controls.
B. Monitor the annual disclosure of whether the organization has a code of ethics
that covers its chief executive officer (CEO) and senior financial officers.
C. Raise fraud awareness within the organization, including encouraging the audit
committee and senior management to set the proper “tone at the top.”
D. Develop an approach the organization can use to sustain anti-bribery principles
in every country in which the organization operates.
ANSWER TO QUESTION NO. 162
CORRECT ANSWER IS D . Its Explanation is

Management, not the internal auditors, is responsible for establishing and maintaining
effective controls to deter and prevent fraud. Translating the organization’s corruption
prevention principles across operations is a management responsibility.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Internal auditors are responsible for supporting audit committee oversight in ensuring management has implemented effective internal
controls regarding fraud prevention.
Explanation for Choice B:
Internal auditors are responsible for monitoring the annual disclosure of whether the organization has a code of ethics that covers its CEO
and senior financial officers.
Explanation for Choice C:
Internal auditors are responsible for raising fraud awareness within the organization, including encouraging the audit committee and
senior management to set the proper “tone at the top.”
MULTIPLE CHOICE QUESTION NO. 163
A chief audit executive (CAE) suspects that several employees have used desktop
computers for personal gain. In conducting an investigation, the primary reason that
the CAE chose to engage a forensic information systems auditor rather than using the
organization’s information systems auditor is that a forensic information systems
auditor would possess

A. Superior analytical skills that would facilitate the identification of computer abuse.
B. Knowledge of what constitutes evidence acceptable in a court of law.
C. Knowledge of the computing system that would enable a more comprehensive
assessment of the computer use and abuse.
D. Superior documentation and organization skills that would facilitate the
presentation of findings to senior management and the board.
ANSWER TO QUESTION NO. 163
CORRECT ANSWER IS B . Its Explanation is
The distinguishing characteristic of forensic auditing is the knowledge needed to testify as an
expert witness in a court of law. Although a forensic auditor may possess the other attributes
listed, the organization’s information systems auditor may also possess these skills or knowledge
elements.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
A forensic auditor would not necessarily have analytical skills that are superior to those of the organization’s
auditor.
Explanation for Choice C:
The organization’s information systems auditor would probably have more knowledge of the organization’s
computing systems than a forensic auditor.
Explanation for Choice D:
A forensic auditor would not necessarily have organizational skills that are superior to those of the organization’s
auditor.
MULTIPLE CHOICE QUESTION NO. 164
Assume that subsequent investigation shows that previously issued financial
statements were materially misstated due to the improper recognition of sales. The
internal auditor’s next step should be to

A. Inform the external auditor, senior management, and the board.


B. Inform divisional management of the preliminary observation, but wait until a
formal engagement communication is issued to inform the board.
C. Inform senior management and the board.
D. Immediately inform the external auditor and the divisional manager.

ANSWER TO QUESTION NO. 164
CORRECT ANSWER IS C . Its Explanation is
The results of a fraud investigation may indicate that fraud has had a previously undiscovered materially
adverse effect on the financial position and results of operations of an organization for 1 or more years
on which financial statements have already been issued. Internal auditors should inform appropriate
management and the audit committee of the board of directors of such a discovery.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The auditor should inform senior management, the board, and the audit committee.
Explanation for Choice B:
The auditor should inform senior management, the board, and the audit committee.
Explanation for Choice D:
The auditor should inform senior management, the board, and the audit committee.
MULTIPLE CHOICE QUESTION NO. 165
Why does The IIA’s Code of Ethics in Rule of Conduct 4.2 require that due
professional care be used in obtaining information to support an engagement
opinion?

A. To require honesty in performing work.


B. If internal auditors were permitted to communicate engagement results without
obtaining sufficient information, they would be in a position to accept fees or gifts
from engagement clients.
C. To preclude any conflict of interest.
D. Sufficient, reliable, relevant, and useful information lends credibility to the
opinion.
ANSWER TO QUESTION NO. 165
CORRECT ANSWER IS D . Its Explanation is
Engagements must be performed with proficiency and due professional care (Attr. Std. 1200), and the engagement results must be
communicated (Perf. Std. 2400). Engagement results include observations, conclusions, opinions, recommendations, and action
plans. If internal auditors expressed opinions or otherwise communicated engagement results without substantive investigation
and compliance with the Standards, such communications would be meaningless. The Standards are therefore incorporated by
reference into The IIA’s Code of Ethics by Rule of Conduct 4.2. Thus, internal auditors must identify sufficient, reliable, relevant,
and useful information to achieve the engagement’s objectives.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Rule of Conduct 1.1 requires honesty, diligence, and responsibility in the performance of work.
Explanation for Choice B:
Rule of Conduct 2.2 prohibits accepting anything that may impair or be presumed to impair the professional judgment of an
internal auditor.
Explanation for Choice C:
A separate ethics rule prohibits conflicts of interest. Rule of Conduct 2.1 states, “Internal auditors shall not participate in any
activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those
activities or relationships that may be in conflict with the interests of the organization.”
MULTIPLE CHOICE QUESTION NO. 166
During a review of contracts, a chief audit executive (CAE) suspects that a supplier
was given an unfair advantage in bidding on a contract. After learning that the chief
executive officer (CEO) of the company is a member of the supplier’s board of
directors, how should the CAE proceed?

A. Obtain supporting documentation and present the finding to the chair of the
audit committee.
B. Immediately notify the board of directors.
C. Submit a draft report to senior management, excluding the CEO.
D. Contact the organization’s external auditors for assistance.

ANSWER TO QUESTION NO. 166
CORRECT ANSWER IS A . Its Explanation is
A conflict of interest is an undisclosed, personal economic interest in a transaction that
adversely affects the organization. After determining the existence of such a conflict on the
part of a senior manager, the CAE should obtain supporting documentation and present the
finding to the chair of the audit committee.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
The CAE should obtain supporting documentation before informing the audit committee or the board.
Explanation for Choice C:
The CEO is a member of senior management. Other members of senior management may receive a final report that
has been reviewed and approved by legal counsel.
Explanation for Choice D:
External auditors should not be contacted. External auditors may be given a final report that has been reviewed
and approved by legal counsel.
MULTIPLE CHOICE QUESTION NO. 167
When interviewing an individual suspected of fraud, the interviewer should

A. Lock the door to ensure no one will interrupt the interview.


B. Ensure the suspect’s supervisor is present during the interview.
C. Pay attention to the wording choices of the suspect.
D. Ask if the suspect committed the fraud.

ANSWER TO QUESTION NO. 167
CORRECT ANSWER IS C . Its Explanation is
Through his or her choice of words, a suspect can reveal much without meaning to. Excessive
and/or inappropriate use of the passive voice or of impersonal pronouns may indicate a desire
to be detached from the topic.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Although the area in which the fraud interview takes place should be private, the suspect should not feel that (s)he
is in a room in which no one can come to his or her aid.
Explanation for Choice B:
The presence of the suspect’s supervisor may inhibit honest communication on the suspect’s part.
Explanation for Choice D:
Directly asking the suspect if (s)he committed the fraud is not appropriate. The questioner should appear confident
that (s)he already has all the relevant facts and not provide the suspect with an opportunity to deny the fraud.
MULTIPLE CHOICE QUESTION NO. 168
Which of the following statements is correct regarding audit engagement work paper
documentation for a fraud investigation?
1. All incriminating evidence should be included in the work papers.
2. All important testimonial evidence should be reviewed to ensure that it provides
sufficient basis for the conclusions reached.
3. If interviews are held with a suspected perpetrator, written transcripts or statements
should be included in the work papers.

A. 2 only.
B. 1 only.
C. 1, 2, and 3.
D. 2 and 3 only.
ANSWER TO QUESTION NO. 168
CORRECT ANSWER IS C . Its Explanation is
Internal auditors must document relevant information to support the conclusions and engagement
results (Perf. Std. 2330). Incriminating evidence, important testimonial evidence, and interviews
with suspected perpetrators are clearly relevant and should be documented.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
All incriminating evidence should be included in the work papers, and if interviews are held with a suspected
perpetrator, written transcripts or statements should be included in the work papers.
Explanation for Choice B:
All important testimonial evidence should be reviewed to ensure that it provides sufficient basis for the conclusions
reached, and if interviews are held with a suspected perpetrator, written transcripts or statements should be
included in the work papers.
Explanation for Choice D:
All incriminating evidence should be included in the work papers.
MULTIPLE CHOICE QUESTION NO. 169
Forensic auditing differs from internal auditing because forensic auditing

A. Relies more heavily on investigative skills.


B. Concentrates less on legal issues.
C. Places less emphasis on communication skills.
D. Focuses on error identification and prevention.

ANSWER TO QUESTION NO. 169
CORRECT ANSWER IS A . Its Explanation is
Forensic auditing is the use of accounting and auditing knowledge and skills in matters having civil
or criminal legal implications. Engagements involving fraud, litigation support, and expert witness
testimony are examples. Forensic auditing requires investigative and accounting skills. The
investigative skills are required to collect, analyze, and evaluate financial evidence. These skills
differentiate forensic auditing from internal auditing.
INCORRECT CHOICES EXPLANATION
Explanation for Choice B:
Forensic auditing applies accounting facts gathered through auditing procedures to legal problems. Thus,
forensic auditing focuses heavily on legal issues.
Explanation for Choice C:
Although both forensic and internal auditing require written and oral communication skills, these skills are
more critical in forensic auditing.
Explanation for Choice D:
Internal auditing, not forensic auditing, focuses on error identification and prevention.
Sub - Section I Managing
the Internal Audit Activity

This Section has a weightage of 20% in exams and contains 173
Multiple Choice Questions (MCQs).

MULTIPLE CHOICE QUESTION NO. 195
Which of the following is true of benchmarking?

A. It is typically accomplished by comparing an organization’s performance with
the performance of its closest competitors.
B. It is accomplished by comparing an organization’s performance to that of the
best-performing organizations.
C. It can be performed using either qualitative or quantitative comparisons.
D. It is normally limited to manufacturing operations and production processes.

ANSWER TO QUESTION NO. 195
CORRECT ANSWER IS B . Its Explanation is
Benchmarking involves a comparison against industry leaders or “world-class” operations.
Benchmarking either uses industry-wide figures (to protect the confidentiality of information
provided by participating organizations) or figures from cooperating organizations.
INCORRECT CHOICES EXPLANATION
Explanation for A:
Benchmarking involves a comparison against industry leaders or “world-class” operations. Benchmarking either
uses industry-wide figures (to protect the confidentiality of information provided by participating organizations) or
figures from cooperating organizations.
Explanation for C:
Benchmarking requires measurements, which involve quantitative comparisons.
Explanation for D:
Benchmarking can be applied to all of the functional areas in a company. In fact, because manufacturing often
tends to be industry-specific, whereas things like processing an order or paying an invoice are not, there is greater
opportunity to improve by learning from global leaders.
MULTIPLE CHOICE QUESTION NO. 196
Senior representatives for a manufacturing company are reimbursed for 100 percent
of their cellular telephone bills. Cellular telephone costs vary significantly from
representative to representative and from month to month, complicating the
budgeting and forecasting processes. Management has requested that the internal
auditors develop a method for controlling these costs. Which of the following would
most appropriately be included in the scope of the consulting project?

A. Control self-assessment involving sales representatives.


B. Business process review of procurement and payables routines.
C. Performance measurement and design of the budgeting and forecasting processes.
D. Benchmarking with other cellular telephone users.
ANSWER TO QUESTION NO. 196
CORRECT ANSWER IS B . Its Explanation is
A business process review (BPR) assesses the performance of administrative and financial
processes, such as within procurement and payables. BPR considers process effectiveness and
efficiency, including the presence of appropriate controls, to mitigate business risk. Because
the objective is to control cellular phone costs, BPR is the appropriate tool to use in this area.

INCORRECT CHOICES EXPLANATION


Explanation for A:
Neither control self-assessment nor performance measurement will address management’s objective of controlling
costs.
Explanation for C:
Neither control self-assessment nor performance measurement will address management’s objective of controlling
costs.
Explanation for D:
Although benchmarking may have some applicability, it is not the most appropriate tool.
MULTIPLE CHOICE QUESTION NO. 197
An auditor is reviewing an organization’s plan for developing a
performance scorecard. Which of the following potential performance
measures should the auditor recommend excluding from the performance
scorecard?

A. Product innovation.
B. Employee development.
C. Market share.
D. Customer satisfaction.
ANSWER TO QUESTION NO. 197
CORRECT ANSWER IS A . Its Explanation is

Innovations in the production of goods or services do not typically lend
themselves to ongoing performance measurement.

INCORRECT CHOICES EXPLANATION


Explanation for B:
Key results in employee development help predict the ability to attract and retain good employees.
Explanation for C:
Key results in market share track changes to the organization’s competitive position.
Explanation for D:
Key results in customer satisfaction help predict future sales.
MULTIPLE CHOICE QUESTION NO. 198
If a department outside the internal audit activity is responsible for reviewing a
function or process, the internal auditors should:

A. Yield the responsibility for assessing the function or process to the other
department.
B. Ignore the work of the other department and proceed with an independent
audit.
C. Reduce the scope of the audit because the work has already been performed by
the other department.
D. Consider the work of the other department when assessing the function or
process.
ANSWER TO QUESTION NO. 198
CORRECT ANSWER IS D . Its Explanation is

Review and testing of the other department’s procedures may reduce necessary audit
coverage of the function or process.

INCORRECT CHOICES EXPLANATION


Explanation for A:
The internal audit activity’s overall responsibility for assessing the function or process is not affected by
the other department’s coverage.
Explanation for B:
Concentrating on the function or process might lead to a duplication of efforts.
Explanation for C:
The internal auditor cannot rely on the work of others without verifying the results.
MULTIPLE CHOICE QUESTION NO. 199
Using the internal audit department to coordinate regulatory examiners’ efforts
is beneficial to the organization because internal auditors can:

A. Supply evidence of adequate compliance testing through internal audit work
papers and reports.
B. Influence the regulatory examiners’ interpretation of law to match corporate
practice.
C. Perform fieldwork for the regulatory examiners and thus reduce the amount
of time regulatory examiners are onsite.
D. Recommend changes in scope to limit bias by the regulatory examiners.
ANSWER TO QUESTION NO. 199
CORRECT ANSWER IS A . Its Explanation is

Internal auditors have immediate access to work papers and reports, which can supply
evidence of compliance testing to the regulatory examiners.

INCORRECT CHOICES EXPLANATION


Explanation for B:
Internal auditors should not attempt to influence regulators’ interpretations of law.
Explanation for C:
Internal auditors should not perform fieldwork for regulatory examiners.
Explanation for D:
Internal auditors should not attempt to influence the scope of work of the regulatory examiners. This
would be unethical and a violation of The IIA’s Code of Ethics.
MULTIPLE CHOICE QUESTION NO. 200
What is the first step in establishing an effective internal audit
performance measurement process?

A. Define internal audit effectiveness.


B. Interview key internal and external stakeholders.
C. Propose specific measures of effectiveness and efficiency.
D. Align the internal audit process with performance measurement
processes used throughout the organization.

ANSWER TO QUESTION NO. 200
CORRECT ANSWER IS A . Its Explanation is

The first step is to define internal audit effectiveness, based on the Definition of Internal
Auditing, the Code of Ethics, the Standards, existing charters, internal audit deliverables
that the activity has agreed to produce, and internal consensus.

INCORRECT CHOICES EXPLANATION


Explanation for B:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.

MULTIPLE CHOICE QUESTION NO. 201
Which of the following audit objectives would be appropriate in an audit
of the efficient use of an organization's facilities?

A. To determine whether rates to lease office space for the organization
are reasonable when compared to market lease rates.
B. To determine whether employees are satisfied with the allocation of
office space among departments.
C. To determine whether the actual capacity is reasonable compared to
the needed capacity.
D. To determine whether facilities are procured competitively.
ANSWER TO QUESTION NO. 201
CORRECT ANSWER IS C . Its Explanation is

Comparing actual capacity to needed capacity is a measure of the efficiency of the use
of an organization's facilities.

INCORRECT CHOICES EXPLANATION


Explanation for A:
This is not a measure of the efficiency of the use of an organization's facilities.
Explanation for B:
This is not a measure of the efficiency of the use of an organization's facilities.
Explanation for D:
This is not a measure of the efficiency of the use of an organization's facilities.
MULTIPLE CHOICE QUESTION NO. 202
An internal audit team is performing a due diligence audit to assess plans for a
potential merger/acquisition. Which of the following would be the least valid
reason for a company to merge with or acquire another company?

A. To reduce labor costs.


B. To respond to government policy.
C. To increase stock prices.
D. To diversify risk.

ANSWER TO QUESTION NO. 202
CORRECT ANSWER IS C . Its Explanation is

Increased stock price is a result of a merger or acquisition that is seen to benefit the
company, but it is not a primary reason for doing the acquisition or merger.

INCORRECT CHOICES EXPLANATION


Explanation for A:
Gaining economies of scale by reducing labor costs is a primary reason for acquiring or merging with
another company.
Explanation for B:
Responding to government policy is a primary reason for mergers and acquisitions.
Explanation for D:
The diversification of risk is a primary reason a company acquires or merges with another company.
MULTIPLE CHOICE QUESTION NO. 203
Inherent risk and control risk differ from detection risk in that they

A. Arise from the misapplication of auditing procedures.


B. Exist independently of the financial statement audit.
C. Can be changed at the auditor's discretion.
D. May be assessed in either quantitative or non-quantitative terms.

ANSWER TO QUESTION NO. 203
CORRECT ANSWER IS B . Its Explanation is
Inherent risk is the risk that there is an error in the first place. Control risk is the risk that the internal
controls will fail to detect the error. Detection risk is the risk that the auditor will not detect the error.
The auditor assesses inherent and control risk, but the auditor is not able to do anything to influence
(change) these risks. Detection risk is the only risk that can be changed at the auditor’s discretion by
altering the nature, timing, or extent of the audit procedures.
INCORRECT CHOICES EXPLANATION
Explanation for A:
Misapplication of auditing procedures affects detection risk, but not inherent or control risk.
Explanation for C:
Inherent and control risk cannot be changed at the auditor's discretion.
Explanation for D:
All three types of risk can be assessed either quantitatively or non-quantitatively.
MULTIPLE CHOICE QUESTION NO. 204
During an audit, information is uncovered that could have a significant impact
on the organization's competitiveness. According to IIA guidance, when is it
appropriate for the internal auditor to communicate this information to
management?

A. After the auditor has decided that the information is substantial and credible.
B. After the auditor has formulated recommendations.
C. As soon as the auditor has determined that communicating the information is
not a violation of the organization's code of conduct.
D. Immediately, because of the sensitivity of the information.
ANSWER TO QUESTION NO. 204
CORRECT ANSWER IS A . Its Explanation is

Even when information would have a significant impact on the organization's
competitiveness, the IAA should determine that the information is substantial and
credible before communicating it to management.
INCORRECT CHOICES EXPLANATION

Explanation for B:
The auditor does not need to wait until they have formed recommendations to communicate
information that could have a significant impact on the organization's competitiveness to
management.
Explanation for C:
Before communicating the information to management, the IAA should determine that the information
is credible and material.
Explanation for D:
MULTIPLE CHOICE QUESTION NO. 205
Who has primary responsibility for providing information to the audit
committee on the professional and organizational benefits of coordinating
internal audit assurance and consulting activities with other assurance and
consulting activities?

A. The CEO.
B. The external auditor.
C. The CAE.
D. Each assurance and consulting function.

ANSWER TO QUESTION NO. 205
CORRECT ANSWER IS C . Its Explanation is
The CAE should provide the audit committee with information on the coordination with and
oversight of other control and monitoring functions.

INCORRECT CHOICES EXPLANATION


Explanation for A:
The CEO would not normally be responsible for planning, work, and coordination related to internal audit
assurance and consulting engagements or coordination with other assurance and consulting activities.
Explanation for B:
The responsibility for ensuring that the internal audit activity’s professional and organizational responsibilities
maximize the benefits that can be achieved from coordination with other assurance consulting activities lies with
the CAE, according to Standard 2050. Comments on this should be reported by the CAE to the audit committee.
Explanation for D:
Not all other assurance and consulting activities are organizationally responsible to the audit committee for their
work, and they may not have the opportunity to report information directly to the audit committee.
Sub - Section II Planning the Engagement
This section has a weightage of 20% in exams and contains 140 Multiple
Choice Questions (MCQs).
MULTIPLE CHOICE QUESTION NO. 141
If an auditor’s preliminary evaluation of internal controls results in an
observation that controls may be inadequate, the next step would be to:

A. Note an exception in the engagement final communication if losses have
occurred.
B. Expand audit work before the preparation of an engagement final
communication.
C. Implement the desired controls.
D. Prepare a flowchart depicting the internal control system.

ANSWER TO QUESTION NO. 141
CORRECT ANSWER IS B . Its Explanation is
If the preliminary evaluation indicates control problems, the auditor usually decides to
perform some expanded testing.

INCORRECT CHOICES EXPLANATION


Explanation for A:
The auditor is not ready to make a report until more work has been performed.
Explanation for C:
Auditors do not implement controls; that is a function of management.
Explanation for D:
If a flowchart were necessary, the auditor would have prepared one during the preliminary
evaluation.
MULTIPLE CHOICE QUESTION NO. 142
In which phase(s) of the internal audit engagement can data analytics be used?
I. Planning the individual engagement.
II. Testing the effectiveness and efficiency of controls.
III. Assessing risk to determine which areas of the organization to audit.

A. I only.
B. II only.
C. I and III only.
D. I, II, and III.

ANSWER TO QUESTION NO. 142
CORRECT ANSWER IS D . Its Explanation is
Data analytics can be used in all phases of the audit process, although many times it is used for
testing the effectiveness and efficiency of controls. Internal audit data analytics can also be used as
part of continuous auditing and can be performed throughout the year.

INCORRECT CHOICES EXPLANATION


Explanation for A:
The use of data analytics is not limited to planning individual engagements. Data analytics can be used to test the
effectiveness of controls and assess risk to prioritize which areas to audit.
Explanation for B:
The use of data analytics is not limited to testing the effectiveness and efficiency of controls. Data analytics can be used to
design scope and plan testing for individual engagements as well as assess risk within the audit universe to prioritize which
areas to audit.
Explanation for C:
The use of data analytics is not limited to assessing risk to determine which areas to audit. Data analytics can be used to
design scope and plan testing for individual engagements as well as test the effectiveness of controls within an audit.
MULTIPLE CHOICE QUESTION NO. 143
Which of the following factors should an internal auditor consider when planning
an audit of an activity?

A. The qualifications of management, the significant risks, and the control system.
B. The objectives of the activity, the significant risks, and the control system.
C. The number of employees involved, the control system, and the
recommendations of external auditors.
D. The objectives of the activity, the number of employees involved, and the
control system.

ANSWER TO QUESTION NO. 143
CORRECT ANSWER IS B . Its Explanation is

These are the main factors to take into account when planning an engagement.

INCORRECT CHOICES EXPLANATION


Explanation for A:
The qualifications of management are not a main factor in planning an engagement.
Explanation for C:
The number of employees involved and the recommendations of external auditors are not main factors in planning an
engagement.
Explanation for D:
The number of activities is not a main factor in planning an engagement.
MULTIPLE CHOICE QUESTION NO. 144
A CAE would most likely use risk assessment for audit planning because it provides:

A. A list of auditable activities in the organization.


B. A listing of potentially adverse effects on the organization.
C. The probability that an event or action may adversely affect the organization.
D. A systematic process for assessing and integrating professional judgment about
probable adverse conditions.

ANSWER TO QUESTION NO. 144
CORRECT ANSWER IS D . Its Explanation is

This is an appropriate rationale.

INCORRECT CHOICES EXPLANATION


Explanation for A:
This is used in the risk assessment process but is not the rationale for using risk assessment.
Explanation for B:
Such a listing might convince the CAE of the need for risk assessment but is not provided by the process.
Explanation for C:
This is one definition of risk.

MULTIPLE CHOICE QUESTION NO. 145
The chief audit executive (CAE) for an organization has just completed a risk assessment
process, identified the areas with the highest risks, and assigned an engagement priority to
each. Which of the following conclusions most logically follow(s) from such a risk assessment?
I. Items should be quantified as to risk in the rank order of quantifiable monetary exposure to
the organization.
II. The risk priorities should be in order of major control deficiencies.
III. The risk assessment process, though quantified, is the result of professional judgments
about both exposures and probability of occurrences.

A. I only.
B. I, II, and III.
C. II and III only.
D. III only.

ANSWER TO QUESTION NO. 145
CORRECT ANSWER IS D . Its Explanation is
Audit work schedules are based on, among other factors, an assessment of risk and exposure. Prioritizing is needed
to make decisions for applying resources. A variety of risk models exist to assist the CAE. Most risk models use risk
factors, such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence
to internal controls, degree of change or stability, timing and results of last engagement, complexity, and employee
and government relations (PA 2010-1).
INCORRECT CHOICES EXPLANATION
Explanation for A:
The risk assessment process is based on a number of factors, including professional judgment about exposure and probability of
occurrence. Conclusions I & II state specific criteria that may not be consistent with the internal auditor's professional judgment.
Explanation for B:
The risk assessment process is based on a number of factors, including professional judgment about exposure and probability of
occurrence. Conclusions I & II state specific criteria that may not be consistent with the internal auditor's professional judgment.
Explanation for C:
The risk assessment process is based on a number of factors, including professional judgment about exposure and probability of
occurrence. Conclusions I & II state specific criteria that may not be consistent with the internal auditor's professional judgment.
MULTIPLE CHOICE QUESTION NO. 146
Which of the following represent(s) appropriate internal audit action in response to the risk
assessment process?
I. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be
performed by the internal audit activity.
II. The high-risk areas should be integrated into an engagement work schedule along with the high-
priority requests of senior management and the audit committee.
III. The risk analysis should be used in determining an annual engagement work schedule;
therefore, the risk analysis should be performed only on an annual basis.

A. II only.
B. I only.
C. III only.
D. I and III only.
ANSWER TO QUESTION NO. 146
CORRECT ANSWER IS A . Its Explanation is
Risk assessment is part of the planning process. Higher perceived risk areas are generally given
higher priority than lower perceived risk areas. Requests by senior management, the audit
committee, and the governing are also considered in establishing engagement work schedule
priorities.
INCORRECT CHOICES EXPLANATION
Explanation for B:
Work with the external auditor should be coordinated in order to minimize duplication of work effort.
Explanation for C:
Risk analysis should be performed anytime there is a change in the work environment.
Explanation for D:
Risk analysis should be performed anytime there is a change in the work environment, and work with the external
auditor should be coordinated in order to minimize duplication of the work effort.
MULTIPLE CHOICE QUESTION NO. 147
A bank internal auditor wants to determine whether all loans are supported by sufficient
collateral, properly aged regarding current payments, and accurately categorized as current or
noncurrent. The best audit procedure to accomplish these objectives would be to:

A. Select a discovery sample of all loan applications to determine whether each application
contains a statement of collateral.
B. Use generalized audit software to read the total loan file, age the file by last payment due,
and extract a statistical sample stratified by the current and aged population. Examine each
loan selected for proper collateralization and aging.
C. Select a block sample of all loans in excess of a specified dollar limit and determine if they
are current and properly categorized. For each loan approved, verify aging and categorization.
D. Select a sample of payments made on the loan portfolio and trace them to loans to see if
the payments are properly applied. For each loan identified, examine the loan application to
determine that the loan has proper collateralization.

ANSWER TO QUESTION NO. 147
CORRECT ANSWER IS B . Its Explanation is
This is the best procedure because it takes a sample from the total loan file and tests to
determine that the loan is properly categorized as well as properly collateralized and aged.

INCORRECT CHOICES EXPLANATION


Explanation for A:
This is an inefficient audit procedure because it samples from loan applications, not loans approved.
Explanation for C:
This sample only deals with large dollar items and does not test for proper collateralization.
Explanation for D:
This would be an ineffective procedure because it is based only on loans for which payments are currently being
made. It does not include loans that should have been categorized differently because payments are not being
made.
MULTIPLE CHOICE QUESTION NO. 148
Writing an engagement work program occurs at which stage of the engagement?

A. During the planning stage.
B. Subsequent to evaluating risk management and control systems.
C. At the end of each engagement when the standard work program should be
revised for the next engagement to ensure coverage of noted problem areas.
D. As the engagement is performed.

ANSWER TO QUESTION NO. 148
CORRECT ANSWER IS A . Its Explanation is
Internal auditors write the engagement work program during the planning stage. Internal
auditors must develop a plan for each engagement, including the engagement's objectives,
scope, timing, and resource allocations (Standard 2200).

INCORRECT CHOICES EXPLANATION


Explanation for B:
The work program must be written in the planning stage.
Explanation for C:
It is allowed to revise the work program at the end of the engagement for the next engagement, but the work
program must still be written in the planning stage.
Explanation for D:
The work program must be written in the planning stage.
MULTIPLE CHOICE QUESTION NO. 149
As part of a preliminary survey of the purchasing function, an auditor read the
department’s policies and procedures manual. The auditor concluded that the
manual described the processing steps well and contained an appropriate internal
control design. The next engagement objective was to determine the operating
effectiveness of internal controls. Which procedure would be most appropriate in
meeting this objective?

A. Prepare a flowchart.
B. Perform a substantive test.
C. Prepare a system narrative.
D. Perform a test of controls.
ANSWER TO QUESTION NO. 149
CORRECT ANSWER IS D . Its Explanation is
Tests of controls, also known as compliance tests, help an auditor determine whether controls are being
followed and are effective. For instance, a policy may require that all large transactions be approved by
a manager. As a test of controls, the auditor may sample large transactions and review whether
manager approval was obtained and whether the proposed transaction meets all the criteria that the
manager was supposed to verify.
INCORRECT CHOICES EXPLANATION
Explanation for A:
Flowcharts are most appropriate for studying internal control design. The audit objective is whether the controls are in place and
effective, which indicates the need for a test of controls.
Explanation for B:
Substantive tests are tests to determine whether an objective has been achieved and do not necessarily test internal controls.
Explanation for C:
System narratives are most appropriate for studying internal control design. The audit objective is whether the controls are in
place and effective, which indicates the need for a test of controls.
MULTIPLE CHOICE QUESTION NO. 150
Audit engagement programs testing internal controls should:

A. Be generalized to fit all situations without regard to departmental lines.


B. Reduce costly duplication of effort by ensuring that every aspect of an operation
is examined.
C. Be tailored for the audit of each operation.
D. Be generalized so as to be usable at various international locations of an
organization.

ANSWER TO QUESTION NO. 150
CORRECT ANSWER IS C . Its Explanation is

A tailored program will be more relevant to an operation than will a generalized program.

INCORRECT CHOICES EXPLANATION


Explanation for A:
A generalized program cannot take into account variations resulting from changing circumstances and varied
conditions.
Explanation for B:
Every aspect of an operation need not be examined—only those likely to conceal problems and difficulties.
Explanation for D:
A generalized program cannot take into account variations in circumstances and conditions.
MULTIPLE CHOICE QUESTION NO. 151
If electronic funds transfer (EFT) is used to pay vendor invoices, which of the following
computer-assisted audit procedures would an auditor use to determine if any payments
were made twice?
I. Identification of EFT transactions to the same vendor for the same dollar amount.
II. Extraction of EFT transactions with unauthorized vendor codes.
III. Testing of EFT transactions for reasonableness.
IV. Searching for EFT transactions with duplicate purchase order numbers.

A. I and IV only.
B. III and IV only.
C. I and II only.
D. II and III only.
ANSWER TO QUESTION NO. 151
CORRECT ANSWER IS A . Its Explanation is
I, IV. Correct. These tests can identify duplicate payments.
II, III. Incorrect. Selection of transactions with unauthorized vendor codes and testing of transactions
for reasonableness do not identify duplicate payments.

INCORRECT CHOICES EXPLANATION


Explanation for B:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
Sub - Section III Performing the Engagement
This section has a weightage of 40% in exams and contains 344 Multiple
Choice Questions (MCQs).
MULTIPLE CHOICE QUESTION NO. 375
Which of the following steps works against effective listening?

A. Understanding the speaker’s steps to reach a solution.


B. Recognizing the speaker’s emotion.
C. Helping the speaker to complete the point.
D. Asking appropriate questions.

ANSWER TO QUESTION NO. 375
CORRECT ANSWER IS C . Its Explanation is

By interrupting the speaker, even with good intentions, the listener may inhibit further
communication and may be jumping to unwarranted conclusions.

INCORRECT CHOICES EXPLANATION


Explanation for A:
Listening to how a person is solving the problem allows the provision of comments on process as well as
content.
Explanation for B:
Listening for emotions enables the detection of strong emotions inhibiting rational problem resolution
and the likelihood of consensus.
Explanation for D:
Asking thoughtful questions shows that one is listening deeply and encourages people to arrive at their
own solutions.
MULTIPLE CHOICE QUESTION NO. 376
Data-gathering activities such as interviewing operating personnel, identifying
standards to be used to evaluate performance, and assessing risks inherent in a
department’s operations are typically performed in which phase of an audit
engagement?

A. Engagement program development.


B. Preliminary survey.
C. Fieldwork.
D. Examination and evaluation of evidence.

ANSWER TO QUESTION NO. 376
CORRECT ANSWER IS B . Its Explanation is

These activities are normally accomplished during the preliminary survey phase.

INCORRECT CHOICES EXPLANATION


Explanation for A:
The activities described must be performed before the engagement program can be developed.
Explanation for C:
The activities described must be performed before the fieldwork can be undertaken.
Explanation for D:
The activities described must be performed before the evidence can be examined or evaluated.
MULTIPLE CHOICE QUESTION NO. 377
Which of the following best describes the primary purpose of exit conferences?

A. To elicit audit client concerns.


B. To preview the audit report.
C. To validate audit findings and conclusions.
D. To present audit results.

ANSWER TO QUESTION NO. 377
CORRECT ANSWER IS D . Its Explanation is

This is the primary purpose of the exit interview.

INCORRECT CHOICES EXPLANATION


Explanation for A:
This is not the primary purpose of the exit interview.
Explanation for B:
The exit conference presents, rather than previews, the audit results.
Explanation for C:
This is not the primary purpose of the exit interview.
MULTIPLE CHOICE QUESTION NO. 378
An internal auditor is using an internal control questionnaire as part of a
preliminary survey. Which of the following is the best reason for the auditor to
interview management regarding the questionnaire responses?

A. Interviewing is the least costly audit technique when a large amount of
information is involved.
B. Interviews provide the opportunity to insert questions to probe promising
areas.
C. Interviews are the most efficient way to upgrade the information to the level
of objective evidence.
D. Interviewing is the only audit procedure that does not require confirmation
of the information obtained.
ANSWER TO QUESTION NO. 378
CORRECT ANSWER IS B . Its Explanation is
If additional information is needed after receiving the questionnaire, an interview is an
effective method to get that additional information.

INCORRECT CHOICES EXPLANATION


Explanation for A:
Interviewing is probably not the most cost-effective method to collect a large amount of information
because of the costs of both the interviewee and interviewer involved.
Explanation for C:
Information collected from an interviewee is only the perspective of that person and it may not be
objective.
Explanation for D:
Information obtained in an interview still needs to be confirmed.
MULTIPLE CHOICE QUESTION NO. 379
What computer-assisted audit technique would an auditor use to identify a
fictitious or terminated employee?

A. Exception testing for payroll deductions.


B. Tagging and tracing of payroll tax-rate changes.
C. Recalculations of net pay.
D. Parallel simulation of payroll calculations.

ANSWER TO QUESTION NO. 379
CORRECT ANSWER IS A . Its Explanation is
This type of computer-assisted audit technique (CAAT) program can identify employees who have no
deductions. This is important because fictitious or terminated employees will generally not have any
deductions.
INCORRECT CHOICES EXPLANATION
Explanation for B:
In this type of CAAT program, certain actual transactions are “tagged,” and as they proceed through the system, a data file
is created that traces the processing through the system and permits an auditor to subsequently review that processing.
This would not, however, identify a fictitious or terminated employee.
Explanation for C:
A CAAT program can recalculate amounts such as gross pay, net pay, taxes and other deductions, and accumulated or used
leave times. These recalculations can help determine if the payroll program is operating correctly or if employee files have
been altered, but they would not identify a fictitious or terminated employee.
Explanation for D:
In a parallel simulation, data that were processed by the engagement client’s system are reprocessed through the auditor’s
program to determine if the output obtained matches the output generated by the client’s system. This technique might
identify problems with the client’s processing but would not identify a fictitious or terminated employee.
MULTIPLE CHOICE QUESTION NO. 380
In which of the following situations would observation not provide the
most compelling audit evidence?

A. Verification of the existence of production equipment.


B. Identification of excess inventory.
C. Analysis of the security of a storeroom or facility.
D. Documentation of a production or accounting process.

ANSWER TO QUESTION NO. 380
CORRECT ANSWER IS B . Its Explanation is
Observation would not provide excellent evidence about excess inventory because the auditor
would usually also need to confirm through other sources that the amount of inventory is
excessive.

INCORRECT CHOICES EXPLANATION


Explanation for A:
Observation would provide the most compelling evidence for the verification of the existence of production
equipment.
Explanation for C:
Observation would provide the most compelling evidence about the security of a storeroom or facility.
Explanation for D:
Observation would provide the most compelling evidence about the documentation of a production or
accounting process.
MULTIPLE CHOICE QUESTION NO. 381
An internal auditor observes that controls over the perpetual inventory system are
weak. An appropriate engagement response is to

A. Increase the testing of the inventory controls.


B. Perform turnover ratio tests.
C. Apply gross profit analyses by product lines and compare the results with prior-
years' information for reasonableness.
D. Recommend that a physical inventory count be scheduled.

ANSWER TO QUESTION NO. 381
CORRECT ANSWER IS D . Its Explanation is

The most appropriate response would be to recommend a physical inventory count.
Observing a physical inventory count would be the most persuasive form of information.

INCORRECT CHOICES EXPLANATION


Explanation for A:
If the internal auditor observes that controls are weak then increasing the testing of controls would
probably be inefficient.
Explanation for B:
Performing turnover ratio tests would not provide sufficient information.
Explanation for C:
Applying gross profit analyses would not be sufficient.
MULTIPLE CHOICE QUESTION NO. 382
A flowchart of process activities and controls may provide:

A. Information on the extent of a past fraud.


B. Information on where fraud could occur.
C. An indication of where fraud has occurred in a process.
D. No information related to fraud prevention.

ANSWER TO QUESTION NO. 382
CORRECT ANSWER IS B . Its Explanation is

By indicating control weaknesses, flowcharts show where fraud may occur.

INCORRECT CHOICES EXPLANATION


Explanation for A:
Flowcharts do not provide any evidence of the extent of fraud.
Explanation for C:
Other procedures would be needed to detect where fraud has occurred.
Explanation for D:
Flowcharts provide evidence of where fraud can occur. Flowcharts therefore help in prevention.
MULTIPLE CHOICE QUESTION NO. 383
Reviewing an edit listing of payroll changes processed during each payroll
cycle would most likely reveal:

A. A failure to offer employees an opportunity to contribute to their
pension plan.
B. Undetected errors in the payroll rates of new employees.
C. Labor hours charged to the wrong account in the cost reporting system.
D. Inaccurate payroll deductions.

ANSWER TO QUESTION NO. 383
CORRECT ANSWER IS B . Its Explanation is

Only a category such as new employee would generate a payroll change. By reviewing the
list of changes to the payroll information during a period, unauthorized changes to payroll
rates would be discovered.

INCORRECT CHOICES EXPLANATION


Explanation for A:
This is not applicable to a listing of payroll changes.
Explanation for C:
This data should come from the time reporting system (timecard or timesheet). It is not a payroll
change.
Explanation for D:
The computer calculates this. It is not a change and would not be on the list.
MULTIPLE CHOICE QUESTION NO. 384
A company uses a linear regression formula (Y = a + b(x)) to estimate its total
manufacturing costs. The formula used by the company is
Y = $66,067.18 + $0.40(x).
Assuming the regression formula holds true, if the company planned to increase
production by 20% from 200,000 to 240,000 units, the company could expect
per unit manufacturing costs to:
A. Increase by some amount greater than 5%.
B. Decrease by some amount greater than 8%.
C. Decrease by some amount greater than 20%.
D. Increase by some amount greater than 15%.
ANSWER TO QUESTION NO. 384
CORRECT ANSWER IS B . Its Explanation is
At a production level of 200,000 units, per unit cost is $0.73. If we increase production by 20%, the cost goes down to
$0.6753. This represents a decrease of just over 8%. Tip: At a production level of 200,000 units, variable cost is greater
than its fixed cost. Because of this, we know that decreases in per unit cost would have to be lower than the increase in
production. Therefore, we can automatically eliminate "Decrease by some amount greater than 20%" as an answer. Also,
because fixed cost ($66,067.18) stays fixed, we know that per unit costs have to decrease, not increase. Therefore, we can
eliminate "Increase by some amount greater than 5%" and "Increase by some amount greater than 15%" as possible
answers. Thus, the only answer left is "Decrease by some amount greater than 8%." Therefore, without having to do a
calculation, you could determine the correct answer.

INCORRECT CHOICES EXPLANATION


Explanation for A:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 385
A company uses a linear regression formula (Y = a + b(x)) to estimate its total
manufacturing costs. The formula used by the company is
Y = $66,067.18 + $0.40(x).
If R for the formula is 0.9470, the proportion of the total variation in (Y) that can
be explained by variations in (x) is:
A. 5.30%
B. 10.32%
C. 89.68%
D. 94.70%

ANSWER TO QUESTION NO. 385
CORRECT ANSWER IS C . Its Explanation is
The coefficient of determination R is the proportion of the total variation in the dependent
variable (Y) that can be explained by variations in the independent variable (x). Therefore, if we
square R, then the correct answer is 0.8968.

INCORRECT CHOICES EXPLANATION


Explanation for A:
See the correct answer for an explanation.
Explanation for B:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 386
When conducting a performance appraisal of an internal auditor who has been a
below-average performer, it is not appropriate to:

A. Document the appraisal.


B. Notify the internal auditor of the upcoming appraisal several days in advance.
C. Use objective, impartial language.
D. Use generalizations.

ANSWER TO QUESTION NO. 386
CORRECT ANSWER IS D . Its Explanation is
It is not appropriate to use generalizations when giving a performance appraisal to a below-average
performer. Rather, the evaluator must cite specific information and be prepared to support assertions
with evidence.

INCORRECT CHOICES EXPLANATION


Explanation for A:
In a performance appraisal of a below-average performer, it is appropriate and advisable to notify the employee of
the upcoming appraisal, use objective language, and document the appraisal.
Explanation for B:
In a performance appraisal of a below-average performer, it is appropriate and advisable to notify the employee of
the upcoming appraisal, use objective language, and document the appraisal.
Explanation for C:
In a performance appraisal of a below-average performer, it is appropriate and advisable to notify the employee of
the upcoming appraisal, use objective language, and document the appraisal.
Sub - Section IV Communicating Engagement Results and
Monitoring Progress
MULTIPLE CHOICE QUESTION NO. 201
An audit committee is concerned that management is not addressing all internal audit
observations and recommendations. What should the audit committee do to address
this situation?

A. Require the chief executive officer to report why action has not been taken.
B. Require all managers to confirm when they have taken action.
C. Require managers to provide detailed action plans with specific dates for addressing
audit observations and recommendations.
D. Require the chief audit executive to establish procedures to monitor progress.

ANSWER TO QUESTION NO. 201
CORRECT ANSWER IS D . Its Explanation is
The CAE is responsible for establishing appropriate procedures for monitoring the
progress by management on all internal audit observations and recommendations. This
responsibility should be written into its charter by the audit committee, and progress
should be reported at each audit committee meeting.
INCORRECT CHOICES EXPLANATION
Explanation for A:
See the correct answer for an explanation.
Explanation for B:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 202
A coefficient of correlation of −0.90 means that:

A. The relationship between the variables is strong and positive.


B. The relationship between the variables is strong and negative.
C. None of the other choices are correct.
D. The relationship between the variables is weak.

ANSWER TO QUESTION NO. 202
CORRECT ANSWER IS B . Its Explanation is
The coefficient of correlation is expressed as a number between -1 and +1.
Therefore, the relationship between the variables is strong and negative.

INCORRECT CHOICES EXPLANATION


Explanation for A:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 203
Information is considered sufficient when:

A. It is well-documented and cross-referenced in the working papers.


B. It is directly related to the engagement observations and includes all of the
elements of an engagement observation.
C. It is based on references considered reliable.
D. It is convincing enough that a prudent person would reach the same conclusion.

ANSWER TO QUESTION NO. 203
CORRECT ANSWER IS D . Its Explanation is
Sufficient information is information that is factual, adequate, and convincing so
that a prudent, informed person would reach the same conclusion as the internal
auditor.

INCORRECT CHOICES EXPLANATION


Explanation for A:
See the correct answer for an explanation.
Explanation for B:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 204
Auditors must be effective listeners, especially when asking complex questions. To
improve their listening, auditors should take care to do all of the following except:

A. Hold questions. Allow the speaker ample time to respond.


B. Put the speaker at ease. A nervous speaker will be difficult to understand.
C. Avoid all questions until the speaker has concluded.
D. Stop talking. It is very difficult to listen and talk at the same time.

ANSWER TO QUESTION NO. 204
CORRECT ANSWER IS C . Its Explanation is
If the person waits until the speaker has concluded, it is possible that important
questions will be forgotten and not asked. Also, asking questions while the speaker
is talking may provide needed clarification.

INCORRECT CHOICES EXPLANATION


Explanation for A:
See the correct answer for an explanation.
Explanation for B:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 205
An internal auditor is interviewing an employee. While listening to the interviewee,
the internal auditor should:

A. Prepare a response to the interviewee.


B. Integrate the incoming information from the interviewee with information that
is already known.
C. Make sure all details, as well as the main ideas of the interviewee, are
remembered.
D. Take mental notes on the speaker’s non-verbal communication because it is
more important than what is being said.

ANSWER TO QUESTION NO. 205
CORRECT ANSWER IS B . Its Explanation is
The mind can process information faster than most people speak. Therefore, the internal
auditor can sort through information that he/she already knows with new information
from the interviewee. This puts the internal auditor in a position to respond to the
interviewee.
INCORRECT CHOICES EXPLANATION
Explanation for A:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 206
An auditor is conducting a survey of perceptions and beliefs of employees concerning
an organization's healthcare plan. The best approach to selecting a sample would be
to:

A. Focus on people who are likely to respond so that a larger sample can be obtained.
B. Use monetary-unit sampling according to employee salaries.
C. Use stratified sampling where the strata are defined by marital and family status,
age, and salaried/hourly status.
D. Focus on managers and supervisors because they can also reflect the opinions of
the people in their departments.

ANSWER TO QUESTION NO. 206
CORRECT ANSWER IS C . Its Explanation is
Because different employees probably have different situations, needs, and
experiences, stratified sampling would best ensure that a representative sample
would result.

INCORRECT CHOICES EXPLANATION


Explanation for A:
See the correct answer for an explanation.
Explanation for B:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 207
A senior internal auditor has been approached by the CAE to interview a potential
candidate. The CAE likes the candidate but would like a second opinion. During the
interview process, the senior internal auditor should not:

A. Ask open-ended questions, because they require more than a “yes” or “no”
answer.
B. Ask the candidate about their political affiliation.
C. Ask the candidate about his or her background experience.
D. Ask the candidate how he or she would react in a given situation.

ANSWER TO QUESTION NO. 207
CORRECT ANSWER IS B . Its Explanation is
A person’s political affiliation is unrelated to the performance of internal auditing.

INCORRECT CHOICES EXPLANATION


Explanation for A:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
Explanation for D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 208
Sales representatives for a manufacturing company are reimbursed for 100 percent of
their mobile phone bills. Mobile phone costs vary significantly from representative to
representative and from month to month, complicating the budgeting and forecasting
processes. Management has requested that the internal auditors develop a method
for controlling these costs. Which of the following would most appropriately be
included in the scope of the consulting project?

A. Benchmarking with other mobile phone users.


B. Control self-assessment involving sales representatives.
C. Performance measurement and design of the budgeting and forecasting processes.
D. Business process review (BPR) of procurement and payables routines.
ANSWER TO QUESTION NO. 208
CORRECT ANSWER IS D . Its Explanation is
A business process review (BPR) assesses the performance of administrative and financial
processes, such as within procurement and payables. BPR considers process effectiveness
and efficiency, including the presence of appropriate controls to mitigate business risk.
Because the objective is to control mobile phone costs, BPR is the appropriate tool to use.
INCORRECT CHOICES EXPLANATION
Explanation for A:
See the correct answer for an explanation.
Explanation for B:
See the correct answer for an explanation.
Explanation for C:
See the correct answer for an explanation.
Sub - Section I Business Acumen
MULTIPLE CHOICE QUESTION NO. 175
An employee’s need for self-actualization would be met by:

A. Regular positive feedback.


B. Attractive pension provisions.
C. Challenging new job assignments.
D. Good working conditions.

ANSWER TO QUESTION NO. 175
CORRECT ANSWER IS C. Its Explanation is

Challenging new job assignments would meet an employee’s self-actualization needs.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Regular positive feedback would meet an employee’s esteem needs.
Explanation for Choice B:
Attractive pension provisions would meet an employee’s physiological needs.
Explanation for Choice D:
Good working conditions would meet an employee’s physiological needs.
MULTIPLE CHOICE QUESTION NO. 176
An internal audit manager has a small team of auditors, but each individual is self-
motivated and could be termed a "high achiever." The manager has been given a
particularly difficult assignment. Even for a high achiever, the probability that this job
can be completed by one individual by the required deadline is low. Select the best
course for the internal audit manager.

A. Assign two employees to moderate the risk of failure.


B. Assign all employees to ensure the risk of failure is low.
C. Ask company management to cancel the job.
D. Assign one individual since high achievers thrive on high risks.

ANSWER TO QUESTION NO. 176
CORRECT ANSWER IS A. Its Explanation is
High achievers want to do things better than ever done before, they avoid very easy or very difficult
tasks, and don't like to succeed by chance. They thrive when the job includes personal responsibility,
feedback, and moderate risks, according to McClelland's Theory of Needs. Therefore, it is not a good
idea to assign the job to only one high achiever when the probability of successful completion by a
required deadline is very low.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
High achievers perform best in circumstances with moderate risks.
Explanation for Choice C:
High achievers perform best in circumstances with moderate risks.
Explanation for Choice D:
High achievers perform best when given moderate risks, not extremely difficult assignments.
MULTIPLE CHOICE QUESTION NO. 177
Which of the following is not an effective leadership technique?

A. Value differences.
B. Follow written procedures at all times.
C. Serve as a model of the behavior expected from others.
D. Value accountability.

ANSWER TO QUESTION NO. 177
CORRECT ANSWER IS B. Its Explanation is

Focusing on internal process is a habit of administration and not of leadership.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Seeking synergies from diversity is an effective leadership habit.
Explanation for Choice C:
Recursive leadership is important to gaining trust.
Explanation for Choice D:
This ensures high-value activities.
MULTIPLE CHOICE QUESTION NO. 178
Which of the following is not an advantage of decentralization?

A. Greater uniformity in decisions is achieved.


B. Motivation of managers increases.
C. Problems can be resolved immediately.
D. Decisions are more easily made.

ANSWER TO QUESTION NO. 178
CORRECT ANSWER IS A. Its Explanation is

Increased uniformity in decisions is an advantage of centralization.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Increase in managers’ motivation is an advantage of decentralization.
Explanation for Choice C:
Immediacy of problem resolution is an advantage of decentralization.
Explanation for Choice D:
Ease of decision-making is an advantage of decentralization.
MULTIPLE CHOICE QUESTION NO. 179
A means of limiting production delays caused by equipment breakdown and
repair is to:

A. Preauthorize equipment maintenance and overtime pay.


B. Establish a preventive maintenance program for all production equipment.
C. Schedule production based on capacity planning.
D. Plan maintenance activity based on an analysis of equipment repair work
orders.

ANSWER TO QUESTION NO. 179
CORRECT ANSWER IS B. Its Explanation is

A preventive maintenance program will reduce equipment breakdowns and repairs.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Standing authorizations of work orders and overtime will not address the problem posed.
Explanation for Choice C:
Scheduling production based on capacity utilization ignores other important factors such as demand.
Explanation for Choice D:
Budgeting maintenance department activities based on previous work orders will not prevent
equipment breakdowns and repairs.
MULTIPLE CHOICE QUESTION NO. 180
Common uses for data analytics within internal audit may include all of the
following except:

A. Identify ghosts on the payroll.


B. Identify invalid expense report items.
C. Identify suspect timesheets.
D. Identify theft of inventory.

ANSWER TO QUESTION NO. 180
CORRECT ANSWER IS D. Its Explanation is
Data analytics can be used to evaluate compliance with expense report policies, identify potentially
fictitious employees, and inaccurate employee time reporting. However, it may not be able to readily
identify inventory theft, because the inventory would need to be identified and the balance would have
to be constantly known without counting inventory. Furthermore, inventory could be misplaced instead
of being stolen.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
Data analytics can be used to identify potentially fictitious employees (e.g., employees who have not accessed a building, never taken sick
leave or vacation, with the same address or bank account number).
Explanation for Choice B:
Data analytics can be used to evaluate compliance with expense report policies (e.g., expense type greater than policy amount; expenses
when logging in locally).
Explanation for Choice C:
Data analytics can be used to identify employee time reporting errors (e.g., regular/overtime when the employee did not enter the
building, more hours than physically possible or allowed by regulation).

MULTIPLE CHOICE QUESTION NO. 181
Which of the following is not a category of Big Data?

A. Structured data.
B. Semi-structured data.
C. Hybrid data.
D. Unstructured data.

ANSWER TO QUESTION NO. 181
CORRECT ANSWER IS C. Its Explanation is
Big Data refers to vast datasets that are too large to be analyzed using standard software tools and
so require new processing technologies, called data analytics. Big Data can be broken down into
three categories:
Structured data is in an organized format that enables it to be input into a relational database
management system and analyzed. Examples include the data in CRM or ERP systems, such as
transaction data, customer data, financial data, employee data, and vendor data.
Unstructured data has no defined format or structure. It is typically free-form and text-heavy,
making in-depth analysis difficult. Examples include word processing documents, email, call center
communications, contracts, audio and video, photos, data from radio-frequency identification
(RFID) tags, and information contained on websites and social media.
Semi-structured data has some format or structure but does not follow a defined model. Examples
include XML files, CSV files, and most server log files.

INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
Big Data can be broken down into three categories, one of which is structured data. Structured data is in an
organized format that enables it to be input into a relational database management system and analyzed. Examples
include the data in CRM or ERP systems, such as transaction data, customer data, financial data, employee data,
and vendor data.
Explanation for Choice B:
Big Data can be broken down into three categories, one of which is semi-structured data. Semi-structured data has
some format or structure but does not follow a defined model. Examples include XML files, CSV files, and most
server log files.
Explanation for Choice D:
Big Data can be broken down into three categories, one of which is unstructured data. Unstructured data has no
defined format or structure. It is typically free-form and text-heavy, making in-depth analysis difficult. Examples
include word processing documents, email, call center communications, contracts, audio and video, photos, data
from radio-frequency identification (RFID) tags, and information contained on websites and social media.
MULTIPLE CHOICE QUESTION NO. 182
The saying “garbage in, garbage out” is a negative assessment of which attribute of
Big Data?

A. Its veracity.
B. Its variety.
C. Its velocity.
D. Its volume.

ANSWER TO QUESTION NO. 182
CORRECT ANSWER IS A. Its Explanation is
“Garbage in, garbage out” means that poor quality data leads to inaccurate analysis and results. Veracity refers to
the accuracy of data, or the extent to which it can be trusted for decision making. Data must be objective and
relevant to the decision at hand in order to have value for use in making decisions. However, various distributed
processes—such as millions of people signing up online for services or free downloads—generate data, and the
information they input is not subject to controls or quality checks. If biased, ambiguous, irrelevant, inconsistent,
incomplete, or even deceptive data is used in analysis, poor decisions will result. Controls and governance over
data to be used in decision-making are essential to ensure the data’s accuracy.
INCORRECT CHOICES EXPLANATION
Explanation for Choice B:
“Garbage in, garbage out” is not a negative assessment of the variety of data. Variety of data refers to the diverse forms of data
that organizations create and collect.
Explanation for Choice C:
“Garbage in, garbage out” is not a negative assessment of the velocity of data. Velocity of data refers to the speed at which data is
generated and changed, also called its flow rate.
Explanation for Choice D:
“Garbage in, garbage out” is not a negative assessment of the volume of data. Volume of data refers to the amount of data that exists.
MULTIPLE CHOICE QUESTION NO. 183
The process of gathering and analyzing data in a way that produces meaningful
information that can be used to aid in decision-making is known as

A. Data analytics.
B. Data cleansing.
C. Data mart.
D. Data mining.

ANSWER TO QUESTION NO. 183
CORRECT ANSWER IS A. Its Explanation is
Data analytics is the process of gathering and analyzing data in a way that produces meaningful
information that can be used to aid in decision-making. Data analytics includes efficiently collecting,
aggregating, analyzing, and utilizing data.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Data cleansing or data cleaning is the process of detecting and correcting (or removing) corrupt or inaccurate records from a record set,
table, or database.
Explanation for Choice C:
A data mart is a subsection of a data warehouse that provides users with analytical capabilities for a restricted set of data.
Explanation for Choice D:
Data mining is the use of statistical techniques to search large data sets to extract and analyze data in order to discover previously
unknown, useful patterns, trends, and relationships within the data that go beyond simple analysis and that can be used to make decisions.

MULTIPLE CHOICE QUESTION NO. 184
Prescriptive analytics is considered to be the most impactful and complex type
of data analytics. Which of the following questions is not one of the questions
management may be able to determine the answer to using prescriptive
analytics?

A. Why will it happen?


B. What needs to happen in order to take advantage of what will happen?
C. What will happen?
D. What will never happen?

ANSWER TO QUESTION NO. 184
CORRECT ANSWER IS D. Its Explanation is
Prescriptive analytics make use of structured and unstructured data and apply rules to predict what will happen and to prescribe what
needs to happen in order to take advantage of the predicted events. For example, prescriptive analytics might generate a sales forecast
and then use that information to determine what additional production lines and employees are needed to meet the sales forecast.
In addition to anticipating what will happen and determining what needs to happen, prescriptive analytics can help determine why it will
happen.
Prescriptive analytics does not answer the question “What will never happen?”.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
Prescriptive analytics make use of structured and unstructured data and apply rules to predict what will happen and to prescribe what needs to happen in
order to take advantage of the predicted events. In addition to anticipating what will happen and determining what needs to happen, prescriptive analytics can
help determine why it will happen.
Explanation for Choice B:
Prescriptive analytics make use of structured and unstructured data and apply rules to predict what will happen and to prescribe what needs to happen in
order to take advantage of the predicted events. In addition to anticipating what will happen and determining what needs to happen, prescriptive analytics can
help determine why it will happen.
Explanation for Choice C:
Prescriptive analytics make use of structured and unstructured data and apply rules to predict what will happen and to prescribe what needs to happen in
order to take advantage of the predicted events. In addition to anticipating what will happen and determining what needs to happen, prescriptive analytics can
help determine why it will happen.
MULTIPLE CHOICE QUESTION NO. 185
Which of the following is true of individual decision-making, compared to group
decision-making?

A. Individual decision-making is more conservative.


B. Individual decision-making generates more alternatives.
C. Individual decision-making evaluates more complete information.
D. Individual decision-making increases the perceived legitimacy of the decision.

ANSWER TO QUESTION NO. 185
CORRECT ANSWER IS A. Its Explanation is

Individual decision-making does tend to be more conservative than group decision-making.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Group decision-making generates more alternatives.
Explanation for Choice C:
Group decision-making evaluates more complete information.
Explanation for Choice D:
Group decision-making increases the perceived legitimacy of the decision.
MULTIPLE CHOICE QUESTION NO. 186
Following a decision to change the composition of several work teams,
management encounters significant resistance to the change from members of the
teams. The most likely reason for the resistance is:

A. The breakup of existing teams.


B. Understaffing for the tasks involved.
C. The selection of a more costly approach to performing the assigned tasks.
D. Possible inefficiencies of the new arrangement.

ANSWER TO QUESTION NO. 186
CORRECT ANSWER IS A. Its Explanation is

Members of cohesive work groups often exert pressure to resist changes that threaten
to break up the group.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Issues of under- or over-staffing for a task represent symptoms of resistance to change but not the actual or root
cause of the problem.
Explanation for Choice C:
Citing cost factors also represents an “acceptable” rationale to block the implementation of a new approach.
Explanation for Choice D:
Complaints about “why it will not work” virtually always represent an “acceptable” roadblock to a plan that has
unacceptable behavioral consequences.

MULTIPLE CHOICE QUESTION NO. 187
Departmentalization may be performed by:
I. Function.
II. Product.
III. Geography.

A. I only.
B. I and II only.
C. I, II, and III.
D. II only.

ANSWER TO QUESTION NO. 187
CORRECT ANSWER IS C. Its Explanation is

I, II, III. Correct. Departmentalization may be performed by function, product, or geography.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
See the correct answer for an explanation.
Explanation for Choice B:
See the correct answer for an explanation.
Explanation for Choice D:
See the correct answer for an explanation.
MULTIPLE CHOICE QUESTION NO. 188
Activity-based costing (ABC) is increasingly more feasible because of technological
advances that allow managers to obtain better and more timely information at
relatively low cost. For this reason, a manufacturer is considering using bar-code
identification for recording information on parts used by the manufacturer. A
reason to use bar codes rather than other means of identification is to ensure that

A. Vendors use the same part numbers.


B. Vendors use the same identification methods.
C. The movement of parts is easily and quickly recorded.
D. The movement of all parts is recorded.

ANSWER TO QUESTION NO. 188
CORRECT ANSWER IS C. Its Explanation is

Through the use of bar codes the movement and location of a product may be
tracked quickly and easily without human involvement.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Just because a bar code system is used does not mean that vendors will use the same part numbers.
Explanation for Choice B:
Just because a bar code system is used does not mean that vendors will use the same identification methods.
Explanation for Choice D:
Just because the unit has a bar code on it does not mean that the bar code will be read and the movement of
the unit tracked each time it is moved.
Sub - Section II Information Security
MULTIPLE CHOICE QUESTION NO. 85
Which of the following cybersecurity risks can secretly gather personal data by
recording keystrokes in order to harvest banking details, credit card information
and passwords?

A. Phishing.
B. Spyware.
C. Pay-per-click abuse.
D. Ransomware.

ANSWER TO QUESTION NO. 85
CORRECT ANSWER IS B. Its Explanation is
Spyware is a type of malware that can secretly gather personal data, such as recording keystrokes in order to
harvest banking details, credit card information, and passwords.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
Phishing is not a cybersecurity risk that can secretly gather personal data. Phishing uses spam email to deceive people into
disclosing sensitive personal information such as credit card numbers, bank account information, Social Security numbers,
or passwords.
Explanation for Choice C:
Pay-per-click abuse is not a cybersecurity risk that can secretly gather personal data. Pay-per-click abuse refers to
fraudulent clicks on paid online search ads (for example, on Google or Bing) that drive up the target company’s advertising
costs. It can also cause the company’s ads to be pushed off the search engine site if a maximum-clicks threshold is
reached, resulting in lost business as well as inflated advertising costs.
Explanation for Choice D:
Ransomware is not a cybersecurity risk that can secretly gather personal data. Ransomware is a particularly dangerous
type of malware that encrypts data on a system and then demands a ransom (a payment) for decryption. If the ransom is
not paid, the data is lost forever.
MULTIPLE CHOICE QUESTION NO. 86
Which of the following is not part of the internal auditors' role as the third line of
defense?

A. Auditing IT controls.
B. Reporting deficiencies in controls to senior management and the board.
C. Conducting cybersecurity risk assessments of third parties.
D. Creating an inventory of information assets.

ANSWER TO QUESTION NO. 86
CORRECT ANSWER IS D. Its Explanation is
This is a responsibility of operational management in the first line of defense.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Auditing IT controls would be one of the primary objectives as the third line of defense.
Explanation for Choice B:
This is a usual responsibility of the internal auditor, independent of the third line of defense model.
Explanation for Choice C:
This would fall under the responsibilities of the internal auditor as part of the third line of defense.

MULTIPLE CHOICE QUESTION NO. 87
Which of the following is not part of the role of the internal auditor when
evaluating the effectiveness of physical controls and security?

A. Implementing controls to correct control gaps.
B. Evaluating "worst case" scenarios.
C. Reviewing industry-wide incident statistics.
D. Analyzing past incidents.

ANSWER TO QUESTION NO. 87
CORRECT ANSWER IS A. Its Explanation is
While the auditor should report exposures due to control gaps and may even make
recommendations for how to close the gaps, the internal auditor should not implement
the controls.
INCORRECT CHOICES EXPLANATION
Explanation for Choice B:
Physical security includes not only everyday situations but also worst case and disaster scenarios. Planning for worst case
scenarios requires identifying what the worst cases are.
Explanation for Choice C:
Risk cannot be completely eliminated, so it is helpful to know if controls and risk exposure are consistent with similar
companies.
Explanation for Choice D:
Analyzing past incidents is an effective way for the internal auditor to gain an understanding of the risks, controls, and gaps
in the controls.
MULTIPLE CHOICE QUESTION NO. 88
Which of the following security controls would best prevent unauthorized access to
sensitive data through an unattended data terminal directly connected to a
mainframe?

A. Use of a screensaver with a password.


B. Use of workstation scripts.
C. Automatic logoff of inactive users.
D. Encryption of data files.

ANSWER TO QUESTION NO. 88
CORRECT ANSWER IS C. Its Explanation is
Automatic logoff of inactive users may prevent the viewing of sensitive data on an
unattended data terminal.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Data terminals do not normally use screensaver protection.
Explanation for Choice B:
Scripting is the use of a program to automate a process such as startup.
Explanation for Choice D:
Encryption of data files will not prevent the viewing of data on an unattended data terminal.

MULTIPLE CHOICE QUESTION NO. 89
Which of the following is incorrect with respect to access controls?

A. A combination of strategies will provide the strongest form of access controls.


B. Keys as physical controls are the weakest and also the most expensive form of
access controls.
C. Some access controls can be used to maintain employee time and attendance
records.
D. Some access controls overlap between logical and physical access controls.

ANSWER TO QUESTION NO. 89
CORRECT ANSWER IS B. Its Explanation is
Keys are the least expensive way to manage physical access (not the most expensive way) but
are also the weakest way because keys can be copied.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
A combination of access controls would automatically increase the strength of the control. More security controls
would need to be breached to gain access.
Explanation for Choice C:
Biometric access systems can record when employees have entered and left the premises. Thus, they can be used
to maintain employee time and attendance records.
Explanation for Choice D:
It is true that some access controls can serve as both physical access controls and logical access controls. A
biometric access system requires hardware such as a reader (a physical access control) along with a physical
characteristic such as blood vessel patterns on the retina, handprints, or voice authentication (logical access
controls) to authorize access.
MULTIPLE CHOICE QUESTION NO. 90
Utility programs can be used to read files that contain all authorized access user
codes for a server. A control to prevent this is:

A. A password hierarchy.
B. A peer-to-peer network.
C. Internally encrypted passwords.
D. Logon passwords.

ANSWER TO QUESTION NO. 90
CORRECT ANSWER IS C. Its Explanation is
Internally encrypted passwords are controls designed to preclude users browsing the
password file with a utility software application.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
A password hierarchy represents a set of interrelated authorization codes to distinguish between action
privileges such as reading, adding, or deleting records.
Explanation for Choice B:
A peer-to-peer network is a system that relies on a series of equal microcomputers for processing.
Explanation for Choice D:
Logon passwords represent the initial user authorization access codes to the typical system.

MULTIPLE CHOICE QUESTION NO. 91
Which of the following statements about a firewall is false?

A. A firewall can block port scans from finding computers on a company's network.
B. Firewalls act as a barrier between the internal and external network.
C. Firewalls can be either hardware-based or software-based.
D. Firewalls are an effective barrier from phishing attacks.

ANSWER TO QUESTION NO. 91
CORRECT ANSWER IS D. Its Explanation is
Firewalls are not an effective barrier against phishing attacks. A phishing attack involves tricking
someone into divulging information, and a firewall cannot help prevent someone from releasing private
information. A firewall's purpose is to prevent unauthorized access to the company's internal network.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
This is a true statement. Port scans would be unable to reach the computers on the company's network
through the firewall.
Explanation for Choice B:
This is the definition of a firewall.
Explanation for Choice C:
This is a true statement. Firewalls can be a software program installed on a computer, either as part of
the operating system or as a separate utility. Firewalls can also be a physical piece of equipment that is
installed between the internal network and the Internet.
MULTIPLE CHOICE QUESTION NO. 92
To reduce security exposure when transmitting proprietary data over
communication lines, a company should use:

A. Cryptographic devices.
B. Authentication techniques.
C. Callback procedures.
D. Asynchronous modems.

ANSWER TO QUESTION NO. 92
CORRECT ANSWER IS A. Its Explanation is
Cryptographic devices protect data in transmission over communication lines.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Authentication techniques confirm that valid users have access to the system.
Explanation for Choice C:
Callback procedures are used to ensure incoming calls are from authorized locations.
Explanation for Choice D:
Asynchronous modems handle data streams from peripheral devices to a central processor.

MULTIPLE CHOICE QUESTION NO. 93
Which of the following is not considered a smart device?

A. Amazon Fire Tablet


B. HP Laptop
C. Apple iPhone
D. Samsung Tablet

ANSWER TO QUESTION NO. 93
CORRECT ANSWER IS B. Its Explanation is
Computers are not considered smart devices.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
The Amazon Fire tablet is an Android-based tablet with the usual tablet capabilities.
Explanation for Choice C:
The iPhone and Android phones are the two most popular types of smart devices in use.
Explanation for Choice D:
Samsung tablets run Android OS, a very popular smart device operating system.

MULTIPLE CHOICE QUESTION NO. 94
Which of the following is a non-technical type of cybersecurity attack?

A. Password attack.
B. Buffer overflow attack.
C. Denial of service.
D. Dumpster diving.

ANSWER TO QUESTION NO. 94
CORRECT ANSWER IS D. Its Explanation is
Two types of cybersecurity attacks can be of a non-technical nature:
Social engineering: An individual may pose as a trustworthy co-worker, perhaps someone from the company's IT support
department, and politely ask for passwords or other confidential information.
Dumpster diving: Sifting through a company's trash may be done in order to find information that can be used either to
break into its computers directly or to assist in social engineering.
Dumpster diving is a personal, in-person, or non-technical type of cybersecurity risk.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
A password attack is an attempt to break into a system by guessing passwords. It is not a non-technical type of cybersecurity attack.
Explanation for Choice B:
A buffer overflow attack is designed to send more data than expected to a computer system, causing the system to crash, permitting the
attacker to run malicious code, or even allowing for a complete takeover of the system. It is not a non-technical type of cybersecurity
attack.
Explanation for Choice C:
A Denial of Service (DOS) attack occurs when a website or server is accessed so frequently that legitimate users cannot connect to it. It is
not a non-technical type of cybersecurity attack.

MULTIPLE CHOICE QUESTION NO. 95
The best defense against a phishing attack is

A. employee education.
B. anti-sniffers.
C. virus scans.
D. a firewall.

ANSWER TO QUESTION NO. 95
CORRECT ANSWER IS A. Its Explanation is
Phishing is a high-tech scam that uses spam email to deceive people into disclosing
sensitive personal information such as credit card numbers, bank account information,
Social Security numbers, or passwords. Sophisticated phishing scams can create emails
that look like the information request is coming from a trusted source, such as state or
local government, a bank, or even a coworker. The best defense against phishing in a
business is employee education, awareness, and common sense. Potential recipients need
to know not to respond to any email that requests personal or financial information or a
password and not to click on any link given in such an email that could take them to a
spoofed website where they would be asked to enter that information.

INCORRECT CHOICES EXPLANATION
Explanation for Choice B:
Anti-sniffers are not a defense against a phishing attack. Phishing is a high-tech scam that uses spam email to deceive
people into disclosing sensitive personal information such as credit card numbers, bank account information, Social
Security numbers, or passwords. Sophisticated phishing scams can create emails that look like the information request is
coming from a trusted source, such as state or local government, a bank, or even a coworker.
Explanation for Choice C:
Virus scans are not a defense against a phishing attack. Phishing is a high-tech scam that uses spam email to deceive
people into disclosing sensitive personal information such as credit card numbers, bank account information, Social
Security numbers, or passwords. Sophisticated phishing scams can create emails that look like the information request is
coming from a trusted source, such as state or local government, a bank, or even a coworker.
Explanation for Choice D:
A firewall is not a defense against a phishing attack. Phishing is a high-tech scam that uses spam email to deceive people
into disclosing sensitive personal information such as credit card numbers, bank account information, Social Security
numbers, or passwords. Sophisticated phishing scams can create emails that look like the information request is coming
from a trusted source, such as state or local government, a bank, or even a coworker.
Sub - Section III Information Technology
MULTIPLE CHOICE QUESTION NO. 125
An appropriate technique for planning and controlling manufacturing
inventories, such as raw materials, components, and subassemblies, whose
demand depends on the level of production is:

A. Linear programming.
B. Material requirements planning.
C. Regression analysis.
D. Capital budgeting.

ANSWER TO QUESTION NO. 125
CORRECT ANSWER IS B. Its Explanation is

Material requirements planning (MRP) is a planning and controlling technique for
managing dependent-demand manufacturing inventories.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
Linear programming is a mathematical technique for maximizing or minimizing a given objective subject
to certain constraints.
Explanation for Choice C:
Regression analysis is a statistical procedure for estimating the relation between variables.
Explanation for Choice D:
Capital budgeting is used for analyzing and evaluating long-term capital investments.
MULTIPLE CHOICE QUESTION NO. 126
Which of the following are disadvantages of Enterprise Resource Planning (ERP) systems?

I. Re-engineering business processes for the new ERP system is usually required, which is time-consuming.
II. Converting data from existing systems to the new ERP system is costly.
III. Information technology staff costs increase.
IV. An ERP transition can lead to system failures and cause disruptions in various departments of the
organization.
V. An ERP system has ongoing costs for hardware, system maintenance, and upgrades.
VI. Data duplication is reduced.

A. I, II, III, IV, and V only.
B. I, II, III, IV, V, and VI.
C. I, II, and III only.
D. I, II, IV, and V only.

ANSWER TO QUESTION NO. 126
CORRECT ANSWER IS D. Its Explanation is

Disadvantages of an ERP system include:


Business re-engineering (developing business-wide integrated processes for the new ERP system) is
usually required to implement an ERP system and it is time-consuming and requires careful planning (I).
Converting data from existing systems into the new ERP system can be time-consuming and costly and,
if done incorrectly, can result in an ERP system that contains inaccurate information (II).
An unsuccessful ERP transition can result in system-wide failures that disrupt production, inventory
management, and sales, leading to huge financial losses. Customers who are inconvenienced by the
implementation may leave. Because the entire business relies on the new ERP system, it is critical that it
be completely functional and completely understood by all employees before it “goes live.” No
opportunities are available to “work out the bugs” or “learn the ropes” when the entire business relies
on the one system. (IV) Ongoing costs after implementation include hardware costs, system
maintenance costs, and upgrade costs (V).

INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
Information technology staff costs usually decrease due to centralizing computer resources instead of each department
maintaining its own systems and IT staff. So III, "information technology staff costs increase," is not correct.
Explanation for Choice B:
Information technology staff costs usually decrease due to centralizing computer resources instead of each department
maintaining its own systems and IT staff. So III, "information technology staff costs increase," is not correct.
Data duplication is reduced with an ERP system (VI), but that is an advantage, not a disadvantage, so it should not be
included.
Explanation for Choice C:
Information technology staff costs usually decrease due to centralizing computer resources instead of each department
maintaining its own systems and IT staff. So III, "information technology staff costs increase," is not correct.
The new ERP system may lead to system failures and business disruption (IV), a disadvantage that is omitted in this answer
choice.
An ERP system has ongoing costs, including hardware costs, system maintenance costs, and upgrade costs (V), a
disadvantage that is omitted in this answer choice.
MULTIPLE CHOICE QUESTION NO. 127
Which of the following is false with respect to the COBIT maturity model?

A. It is used for comprehensive assessment, gap analyses, and improvement
planning.
B. It helps professionals explain where IT process management shortcomings
exist.
C. It permits analysis of IT processes from a nonexistent stage to an optimized
process stage.
D. It focuses on both capability and performance.

ANSWER TO QUESTION NO. 127
CORRECT ANSWER IS D. Its Explanation is

The COBIT maturity model focuses only on capability. It does not focus on
performance.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
This is a true statement about the COBIT maturity model.
Explanation for Choice B:
This is a true statement about the COBIT maturity model.
Explanation for Choice C:
This is a true statement about the COBIT maturity model.
MULTIPLE CHOICE QUESTION NO. 128
IT governance and control frameworks have been developed to provide models, or
sets of standardized guidelines, for the management of IT resources and processes.
Frameworks provide numerous benefits to an organization.
Which of the following is not a benefit of using an IT governance framework?

A. The framework provides a higher likelihood of implementing effective governance
and controls.
B. The framework breaks down groups into objectives and activities.
C. The framework provides a benchmark for assessing risks and controls.
D. The framework identifies specific roles and responsibilities that need to be met.

ANSWER TO QUESTION NO. 128
CORRECT ANSWER IS B. Its Explanation is
A framework does not break down groups into objectives and activities. It is the other way around: a
framework breaks down objectives and actions into groups.
For example, COBIT 2019, an information and technology framework for the governance and management of
enterprise information and technology, breaks down objectives and actions into the following components of
an IT governance system and provides specific guidance for each component.
Processes: the practices and activities needed to achieve IT goals.
Organizational structures: the decision-making entities in the enterprise.
Principles, policies, and frameworks: to provide guidance for day-to-day management.
Information needed for effective guidance.
Culture, ethics, and behavior of the enterprise and the individuals in it.
People, skills, and competencies, which are important for making good decisions, for corrective action, and
for successful completion of activities.
Services, infrastructure, and applications: the infrastructure, technology, and applications used to provide the
governance system for information and technology processing.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
One of the benefits of using an IT governance and control framework is that it increases the
likelihood of implementing effective governance and controls.
Explanation for Choice C:
One of the benefits of using an IT governance and control framework is that it provides a
benchmark for assessing risks and controls.
Explanation for Choice D:
One of the benefits of using an IT governance and control framework is that it identifies specific
roles and responsibilities that need to be met.

MULTIPLE CHOICE QUESTION NO. 129
According to COBIT 2019, which statement represents a key distinction between management
and governance?

A. Management involves consideration of stakeholder needs and evaluation of conditions and
options in order to determine enterprise objectives, whereas governance involves planning,
building, running, and monitoring activities in order to achieve the enterprise objectives as set
by management.
B. Governance is the responsibility of the board of directors under the leadership of its Audit
Committee, whereas management is the responsibility of executive management under the
leadership of the chair of the board of directors.
C. The responsibility of governance is prioritization and decision-making to set direction,
whereas the responsibility of management is performance and compliance.
D. Governance is the responsibility of the board of directors under the leadership of the chair
of the board of directors, whereas management is the responsibility of executive management
under the leadership of the chief executive officer.
ANSWER TO QUESTION NO. 129
CORRECT ANSWER IS D. Its Explanation is

Governance is the responsibility of the board of directors under the leadership of the chair
of the board of directors. It involves ensuring that stakeholder needs are considered;
conditions and options are evaluated in order to determine balanced, agreed-upon
enterprise objectives; prioritization and decision-making are used to set direction; and
performance and compliance are monitored in terms of the agreed-upon direction and
enterprise objectives.
Management is the responsibility of the executive management under the leadership of
the chief executive officer. It involves planning, building, running, and monitoring activities
in accordance with the direction set by the body responsible for governance such as the
board of directors, in order to achieve the enterprise objectives.

INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
Governance is the responsibility of the board of directors, and it involves ensuring that stakeholder
needs are considered and that conditions and options are evaluated in order to determine enterprise
objectives. Management involves planning, building, running, and monitoring activities in order to
achieve the enterprise objectives as set by the board of directors.
Explanation for Choice B:
Governance is the responsibility of the board of directors under the leadership of the chair of the board
of directors. Management is the responsibility of executive management under the leadership of the
chief executive officer.
Explanation for Choice C:
One of the responsibilities of governance is to ensure that prioritization and decision-making are used
to set direction. Another responsibility of governance is to ensure that performance and compliance are
monitored in terms of the agreed-upon direction and enterprise objectives.
MULTIPLE CHOICE QUESTION NO. 130
The best evidence that contingency planning is effective is to have:

A. Comprehensive documentation of the plan.


B. Successful testing of the plan.
C. Signoff on the plan by the internal audit activity.
D. No processing interruptions during the past year.

ANSWER TO QUESTION NO. 130
CORRECT ANSWER IS B. Its Explanation is

The only way to know whether contingency planning has been effective is to test the plan by
simulating an interruption or by conducting a paper test with a walkthrough of recovery
procedures.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
A contingency plan may have comprehensive documentation, but until the plan is tested, an organization has no
indication of its effectiveness.
Explanation for Choice C:
Audit signoff is one indicator of plan quality, but until the plan is tested, an organization has no indication of its
effectiveness.
Explanation for Choice D:
The absence of processing interruptions indicates nothing about the interruptions that might occur in the future,
especially those that are not under the organization’s control.
MULTIPLE CHOICE QUESTION NO. 131
Which of the following best describes the primary reason that organizations
develop contingency plans for their IT operations?

A. To ensure the safety of important records and data files.


B. To reduce the cost of insurance.
C. To ensure that critical transactions can be processed in the event of any type
of disaster.
D. To plan for sources of capital for recovery from any type of disaster.

ANSWER TO QUESTION NO. 131
CORRECT ANSWER IS C. Its Explanation is

The primary reason for a contingency plan is to restore critical transaction processing to
ensure continuity of operations within a reasonable amount of time.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
This would be the primary reason for data and record backups.
Explanation for Choice B:
This could be considered a secondary reason for a contingency plan. There is a better choice
for the primary reason that organizations develop contingency plans for their IT operations.
Explanation for Choice D:
Sources of capital are rarely included in a contingency plan.
MULTIPLE CHOICE QUESTION NO. 132
Systems development audit engagements include reviews at various points to ensure
that development is properly controlled and managed. The reviews should include all
of the following except:

A. Verifying the use of controls and quality assurance techniques for program
development, conversion, and testing.
B. Conducting a technical feasibility study on the available hardware, software, and
technical resources.
C. Determining if system, user, and operations documentation conforms to formal
standards.
D. Examining the level of user involvement at each stage of the development process.
ANSWER TO QUESTION NO. 132
CORRECT ANSWER IS B. Its Explanation is

A feasibility study should be conducted in the systems analysis stage.

INCORRECT CHOICES EXPLANATION


Explanation for Choice A:
This ensures the quality in the development process at various points.
Explanation for Choice C:
Without good documentation, an information system may be difficult, if not impossible, to
operate, maintain, or use.
Explanation for Choice D:
The involvement of users in the development process at various points is important.
MULTIPLE CHOICE QUESTION NO. 133
Database administrators use the Entity-Relationship Model to plan and analyze
relational database files and records. Which of the following is not one of the most
important relationship types (or cardinalities) used by database administrators in
planning and analyzing relational database files and records?

A. One-to-many.
B. Many-to-many.
C. One-to-one.
D. None of the above.

ANSWER TO QUESTION NO. 133
CORRECT ANSWER IS D. Its Explanation is
All of the answer choices are important types of relationships used by database administrators in
planning and analyzing relational database files and records. An entity relationship diagram utilizes
symbols to represent the relationships between and among the different entities in the database. The
three most important relationship types are one-to-one, one-to-many, and many-to-many. These
relationship types are known as database cardinalities and show the nature of the relationship between
the entities in the different files or tables within the database.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
One-to-many is an important type of relationship used by database administrators in planning and analyzing relational database files and
records.
Explanation for Choice B:
Many-to-many is an important type of relationship used by database administrators in planning and analyzing relational database files and
records.
Explanation for Choice C:
One-to-one is an important type of relationship used by database administrators in planning and analyzing relational database files and
records.

MULTIPLE CHOICE QUESTION NO. 134
Data in a database is structured in various levels from the lowest level to the
highest level. Arrange the following data elements according to their hierarchical
levels, from the lowest level to the highest level:
File, Field, Record, Database

A. Field, file, record, database.


B. Field, record, file, database.
C. Database, field, record, file.
D. Field, record, database, file.

ANSWER TO QUESTION NO. 134
CORRECT ANSWER IS B. Its Explanation is
A data field is the first level in the data hierarchy. A field is information that describes one attribute of an item, or
entity, in the database such as a person or an object.
A record is the second level in the data hierarchy. A database record contains all the information about one item, or
entity, in the database.
A file, also called a table, is the third level of the data hierarchy. A table is a set of common records.
A complete database is the highest level. Several related files or tables make up a database.
INCORRECT CHOICES EXPLANATION
Explanation for Choice A:
A file is a higher level than a record in the data hierarchy.
Explanation for Choice C:
The database is the highest level in the data hierarchy, not the lowest.
Explanation for Choice D:
The database is the highest level in the data hierarchy.
MULTIPLE CHOICE QUESTION NO. 135
Which of the following statements is false with respect to data definition
language (DDL)?

A. Data definition language is used to update the stored data in the database.
B. Data definition language is used to specify and define data fields.
C. Data definition language is used to create the database schema.
D. Data definition language is used to create a description of the database
organization.

ANSWER TO QUESTION NO. 135
CORRECT ANSWER IS A. Its Explanation is

Updating the stored data in the database is accomplished by a data manipulation language (DML), not a data
definition language.
A data definition language (DDL) is used in database development to create the database schema, create a
description of the database organization, and to specify and define data fields, records, and files or tables.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
This is incorrect because it is a true statement. A data definition language (DDL) is used in database development to specify and define data
fields, records, and files or tables.
Explanation for Choice C:
This is incorrect because it is a true statement. A data definition language (DDL) is used in database development to create the database
schema.
Explanation for Choice D:
This is incorrect because it is a true statement. A data definition language (DDL) is used in database development to create a description of
the database organization.

MULTIPLE CHOICE QUESTION NO. 136
An ERP (Enterprise Resource Planning) system enables the same information to be
available across all departments such as purchasing, production, delivery, and
sales. This can help in

A. All of the above.


B. Reducing wasted time.
C. Lowering production costs.
D. Minimizing duplication of effort.

ANSWER TO QUESTION NO. 136
CORRECT ANSWER IS A. Its Explanation is
All of the above may be improved with an ERP system. An Enterprise Resource Planning (ERP) system is usually a suite of integrated
applications that is used to collect, store, manage, and interpret data across the organization. Often the information is available in real
time. The applications share data, facilitating information flow among business functions. Communication and coordination are improved
across departments, leading to greater efficiencies in production, planning, and decision-making that can lead to lower production costs,
lower marketing expenses, and other efficiencies such as reducing redundancies and wasted time. Data duplication is reduced and labor
required to create inputs and distribute and use system outputs is reduced. Potential errors caused by inputting the same data multiple
times are reduced.

INCORRECT CHOICES EXPLANATION


Explanation for Choice B:
Wasted time can be reduced with an ERP system because communication and coordination are improved across departments, leading to
efficiencies.
Explanation for Choice C:
Production costs can be lowered with an ERP system because the improvement in communication and coordination across departments
can lead to greater efficiencies in production. However, production costs are not the only thing that can be improved by an ERP system.
Explanation for Choice D:
Duplication of effort is minimized with an ERP system. However, that is not the only thing that can be improved by an ERP system.

MULTIPLE CHOICE QUESTION NO. 137
Which of the following is not a component of a governance system over
information and technology according to the COBIT 2019 framework?

A. Processes.
B. Information.
C. Risk assessment.
D. Organizational structures.

ANSWER TO QUESTION NO. 137
CORRECT ANSWER IS C. Its Explanation is
Risk assessment is not a component of a governance system over information and technology according to the COBIT 2019 framework.
The COBIT 2019 framework defines seven components of an information and technology governance system as follows:
• Processes - a set of practices and activities needed to support achievement of IT-related goals.
• Organizational structures - the primary decision-making entities in the enterprise.
• Principles, policies, and frameworks - practical guidance for day-to-day management of the enterprise.
• Information - the information produced and used by the enterprise.
• Culture, ethics, and behavior - the culture of the enterprise and the ethics and behavior of both the enterprise and the individuals in it.
• People, skills, and competencies - necessary for making good decisions, for corrective action, and successful completion of activities.
• Services, infrastructure, and applications - the infrastructure, technology, and applications used to provide the governance system for information and technology processing.
INCORRECT CHOICES EXPLANATION

Explanation for Choice A:


Processes, the set of practices and activities needed to support achievement of IT-related goals, is
a component of a governance system over information and technology according to the COBIT
2019 framework.
Explanation for Choice B:
Information produced and used by the enterprise that is needed for effective governance of the
enterprise is a component of a governance system over information and technology according to
the COBIT 2019 framework.
Explanation for Choice D:
Organizational structures, the primary decision-making entities within an enterprise, is a
component of a governance system over information and technology according to the COBIT 2019
framework.
BOOKS WRITTEN BY
MUHAMMAD ZAIN

LIST OF BOOKS PUBLISHED SINCE FEBRUARY 2017
CIA Challenge Exam Test Bank Questions (06 September 2021)
Web: https://zainacademy.us/product/cia-challenge-exam-test-bank-questions-2022/
Web: https://mzain.org/product/cia-challenge-exam-test-bank-questions-2022/

CIA Part 2 Test Bank Questions (26 August 2021)


Web: https://zainacademy.us/product/cia-part-2-test-bank-questions-2022/
Web: https://mzain.org/product/cia-part-2-test-bank-questions-2022/

CIA Part 1 Test Bank Questions 2022 (16 August 2021)


Web: https://zainacademy.us/product/cia-part-1-test-bank-questions-2022/
Web: https://mzain.org/product/cia-part-1-test-bank-questions-2022/

CPA Auditing and Attestation 2021 (26 July 2021)


Web: https://zainacademy.us/product/cpa-auditing-and-attestation-2021/
Web: https://mzain.org/product/cpa-auditing-and-attestation-2021/

CIA Review Complete 2021 (15 June 2021)
Web: https://zainacademy.us/product/cia-review-complete-2021/
Web: https://mzain.org/product/cia-review-complete-2021/

CIA Part 2 Practice of Internal Auditing 2021 (05 May 2021)


Web: https://zainacademy.us/product/cia-part-2-practice-of-internal-auditing-2021/
Web: https://mzain.org/product/cia-part-2-practice-of-internal-auditing-2021/

CIA Challenge Exam Study Book 2021 (03 May 2021)


Web: https://zainacademy.us/product/cia-challenge-exam-study-book-2021/
Web: https://mzain.org/product/cia-challenge-exam-study-book-2021/

CIA Part 1 Essentials of Internal Auditing 2021 (23 April 2021)


Web: https://zainacademy.us/product/cia-part-1-essentials-of-internal-auditing-2021/
Web: https://mzain.org/product/cia-part-1-essentials-of-internal-auditing-2021/
CIA Part 3 Business Knowledge for Internal Auditing 2021 (14 April 2021)
Web: https://zainacademy.us/product/cia-part-3-2021/
Web: https://mzain.org/product/cia-part-3-2021/

CMA Preparation Pack 2021 (24 March 2021)


Web: https://zainacademy.us/product/cma-preparation-pack-2021/
Web: https://mzain.org/product/cma-preparation-pack-2021/
CMA Part 1 Preparation Pack 2021 (22 March 2021)
Web: https://zainacademy.us/product/cma-part-1-preparation-pack-2021/
Web: https://mzain.org/product/cma-part-1-preparation-pack-2021/
CMA Part 2 Preparation Pack 2021 (12 February 2021)
Web: https://zainacademy.us/product/cma-part-2-preparation-pack-2021/
Web: https://mzain.org/product/cma-part-2-preparation-pack-2021/

CIA Challenge Exam Test Bank Questions 2021 (26 November 2020)
Web: https://zainacademy.us/product/cia-challenge-exam-2021/
Web: https://mzain.org/product/cia-challenge-exam-2021/
CIA Part 3 Test Bank Questions 2021 (22 November 2020)
Web: https://zainacademy.us/product/cia-part-3-test-bank-questions-2021/
Web: https://mzain.org/product/cia-part-3-test-bank-questions-2021/

CIA Part 1 Test Bank Questions 2021 (28 September 2020)


Web: https://zainacademy.us/product/cia-part-1-test-bank-questions-2021/
Web: https://mzain.org/product/cia-part-1-test-bank-questions-2021/

CIA Part 2 Test Bank Questions 2021 (10 September 2020)


Web: https://zainacademy.us/product/cia-part-2-test-bank-2021/
Web: https://mzain.org/product/cia-part-2-test-bank-questions-2021/

CMA Part 2 Strategic Financial Management 2020 (21 April 2020)


Web: https://zainacademy.us/product/cma-part-2-2020/
Web: https://mzain.org/product/cma-part-2-strategic-financial-management-2020/

CMA Part 1 Financial Planning, Performance and Analytics 2020 (01 February 2020)
Web: https://zainacademy.us/product/cma-part-1-study-book-2020/
Web: https://mzain.org/product/cma-part-1-financial-planning-performance-and-analytics-2020/

CIA Part 2 Test Bank Questions 2020 (24 December 2019)


Web: https://zainacademy.us/product/cia-part-2-test-bank-2020/
Web: https://mzain.org/product/cia-part-2-test-bank-questions-2020/

CIA Part 3 Test Bank Questions 2020 (14 December 2019)


Web: https://zainacademy.us/product/cia-part-3-test-bank-2020/
Web: https://mzain.org/product/cia-part-3-test-bank-questions-2020/

CIA Part 1 Test Bank Questions 2020 (08 December 2019)


Web: https://zainacademy.us/product/cia-part-1-test-bank-2020/
Web: https://mzain.org/product/cia-part-1-test-bank-questions-2020/

CIA Part 2 Practice of Internal Auditing 2020 (25 September 2019)
Web: https://zainacademy.us/product/cia-part-2-2020/
Web: https://mzain.org/product/cia-part-2-practice-of-internal-auditing-2020/

CIA Part 1 Essentials of Internal Auditing 2020 (12 September 2019)


Web: https://zainacademy.us/product/cia-part-1-2020/
Web: https://mzain.org/product/cia-part-1-essentials-of-internal-auditing-2020/

CPA Business Environment and Concepts (BEC) 2019 (22 July 2019)
Web: https://zainacademy.us/product/cpa-business-environment-and-concepts-bec-2019/
Web: https://mzain.org/product/cpa-business-environment-and-concepts-bec-2019/

CIA Part 2 Practice of Internal Auditing 2019 (11 April 2019)


Web: https://zainacademy.us/product/cia-part-2-practice-of-internal-auditing-2019/
Web: https://mzain.org/product/cia-part-2-practice-of-internal-auditing-2019/

CIA Part 1 Essentials of Internal Auditing 2019 (17 February 2019)
Web: https://zainacademy.us/product/cia-part-1-essentials-of-internal-auditing-2019/
Web: https://mzain.org/product/cia-part-1-essentials-of-internal-auditing-2019/

CIA Part 3 Business Knowledge for Internal Auditing 2019 (05 January 2019)
Web: https://zainacademy.us/product/cia-part-3-business-knowledge-for-internal-auditing-2019/
Web: https://mzain.org/product/cia-part-3-business-knowledge-for-internal-auditing-2019/
Certified Management Accountant (CMA) Part 1 2019 (07 October 2018)
Web: https://zainacademy.us/product/cma-part-1-financial-reporting-planning-performance-and-control-2019/
Web: https://mzain.org/product/cma-part-1-financial-reporting-planning-performance-and-control-2019/

Certified Management Accountant (CMA) Part 2 2019 (13 September 2018)


Web: https://zainacademy.us/product/cma-part-2-financial-decision-making-2019/
Web: https://mzain.org/product/cma-part-2-financial-decision-making-2019/
QUOTES THAT WILL CHANGE YOUR LIFE
These are the quotes that have made me what I am today. You can also be the one in your
Universe:
• We are born in one day. We die in one day. We can change in one day. And we can fall in love in
one day. Anything can happen in just one day.
• The finest of the brains are in an extreme level of slavery. For them, career and job are
more important than financial freedom and peace of soul. You will be replaced in a day or two when
you leave this world for eternal life. Not understanding this point will lead to a dead-end tunnel.
Seek certification to change your world, well-being, and, most important, yourself.
• Excellence, Creativity, Passion, and Patience are key ingredients to become a Star.
• Get up and Hustle. Chase your dreams. Turn your dreams into reality by showing up every day.

• Have Confidence. You can do it. You have the capacity and potential to reach the top. Just
believe in your abilities and chase your dream.
• Dream is what is seen by an open eye, not with the closed one.
• Dreams don’t work unless you do.
• What we learn becomes a part of who we are.
• The right way to start your day is to focus on end goal.
• Sometimes the bad things that happen in our lives put us directly on the path to the best things
that will ever happen to us.
• A creative man is motivated by the desire to achieve, not by the desire to beat others.
• Twenty years from now you will be more disappointed by the things that you didn’t do than by
the ones you did do. So throw off the bowlines. Sail away from the safe harbor. Catch the trade
winds in your sails. Explore. Dream. Discover.

• It does not matter how slow you go. So long as you don’t stop.
• It is never too late to begin.
• If it scares you, it might be a good thing to try.
• There is only you and your camera. The limitations in your photography are in yourself, for what
we see is what we are.
• Creativity is Intelligence having fun.
• All progress takes place out of comfort zone, so when are you starting?
• Everything you have ever wanted is on the other side of fear.
• When everything seems to be going against you, remember that the airplane takes off against
the wind, not with it.

• Unexpected kindness is the most powerful, least costly, and most underrated agent of human
change.
• Sometimes courage is the quiet voice at the end of the day saying I will try again tomorrow.
• Sometimes you win, sometimes you learn.
• Do something today that your future self will thank you for.
• The past has no power over the present moment. So forget about your failures and start a new
day.
• Most of the important things in the world have been accomplished by people who have kept on
trying when there seemed to be no help at all.
• Your imagination is everything. It is the preview of life’s coming attractions. Only those who
believe anything is possible can achieve things most would consider impossible.
• Don’t let the noise of others’ opinions drown out your own inner voice.
• Have the courage to follow your heart and intuition. They somehow already know what you
truly want to become. Everything else is secondary.
• Your time is limited, so don’t waste it living someone else’s life.
• Remembering that you are going to die is the best way I know to avoid the trap of thinking you
have something to lose. You are already naked. There is no reason not to follow your heart.
• Your work is going to fill a large part of your life and the only way to be truly satisfied is to do
what you believe is great work. The only way to do great work is to love what you do. If you
haven’t found it yet, keep looking. Don’t settle. As with all matters of the heart, you will know
when you find it.
• Success doesn’t come from what you do occasionally. It comes from what you do consistently.
• If opportunity doesn’t knock, build a door.
• The things you regret most in life are the risks you didn’t take.
• Every successful person was once an unknown person that refused to give up on their dream.
• Life is too short to be working for someone else’s dream.

• It always seems impossible until it’s done.
• Innovation distinguishes between a leader and a follower.
• Success is not final; failure is not fatal. It is the courage to continue that counts.
• Every problem is a gift. Without problems, we would not grow.
• There is no shortage of remarkable ideas, what’s missing is the will to execute them.
• Forget past mistakes. Forget failures. Forget everything except what you are going to do now
and do it.
• Many of life’s failures are people who did not realize how close they were to success when they
gave up.
• If something is important enough, or you believe something is important enough, even if you
are scared, you will keep going.

• The best way to predict the future is to create it.
• The only strategy that is guaranteed to fail is not taking risks.
• Only those who will risk going too far can possibly find out how far one can go.
• Don’t waste words on people who deserve your silence. Sometimes the most powerful thing
you can say is nothing at all.
