
QUIZ CHAPTER 5

Select the best answer for each of the following questions.

1. In assessing organizational risk in a manufacturing organization, which of the following would
have the greatest long-range impact on the organization?
d. Product quality.
Product quality presents the most significant risk to the long-term success of a manufacturing
organization. Advertising budget, production scheduling, and inventory policy have secondary
and short-term impacts on long-term objectives, but alone would not determine long-range
success.
2. Internal auditors often prepare process maps and reference portions of these maps to narrative
descriptions of certain activities. This is an appropriate procedure to:
b. Obtain the understanding necessary to test the process.
Process mapping is a tool used to gain the necessary understanding that supports the internal
auditor's testing approach. A process map itself cannot determine whether the system can
produce reliable information; that requires additional assessment and evaluation. Also, it does
not document whether or not the systems meet international auditing standards (in fact,
auditing standards have to do with what the auditors do, not characteristics of the control
system itself). Finally, the process map itself does not determine whether the system meets
management's objectives; that requires further assessment and evaluation.
3. What is a business process?
b. The set of connected activities linked with each other for the purpose of achieving an
objective or goal.
Business processes are activities related to each other with the intent of achieving an objective
or goal.

Use the chart to answer questions 4 through 6.

[Figure: risk control map]

4. If a risk appears in the bottom right of quadrant II in the above risk control map, it means that:
b. The controls may be excessive relative to the risk.
Following cost/benefit principles, processes with lower risk significance should generally have
fewer resources devoted to managing those risks. Since the control effectiveness is high in this
question, the controls may be excessive relative to the risk.
5. If a risk appears in the middle of quadrant IV in the above risk control map, it means that:
a. There is an appropriate balance between risk and control.
Since the risk significance is so high, it is very important that the organization have high control
effectiveness.
6. Which of the following circumstances would concern the internal auditor the most?
c. A risk in the upper left corner of quadrant III.
This risk is highly significant but control effectiveness is low, indicating the risk is not likely to be
managed to an acceptable level.
7. Which of the following are business processes?
I. Strategic planning.
II. Review and write-off of delinquent loans.
III. Safeguarding of assets.
IV. Remittance of payroll taxes to the respective tax authorities.
c. I, II, and IV.
All of these choices could be part of an organization's business processes. Safeguarding of assets
is an important control objective, but it is not a business process.
8. Which of the following symbols in a process map will most likely contain a question?
b. Diamond.
A diamond symbol represents a decision that is made; therefore, a question is typically included
in the symbol.
9. After business risks have been identified, they should be assessed in terms of their inherent:
a. Impact and likelihood.
Inherent impact and likelihood are the common risk assessment criteria.
10. In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to
have:
b. A secondary link.
When a process manages a risk in an indirect manner, it is considered a secondary link.
11. A major upgrade to an important information system would most likely represent a high:
b. Internal risk factor.
An important information system upgrade would represent a significant change in operations,
processes, personnel, or technology, which is factor #8 in Exhibit 5-12.
12. Which of the following is true regarding business process outsourcing?
d. Management’s controls to ensure the outsourcing provider meets contractual performance
requirements should be tested by the internal audit function.
Outsourcing a business process does not allow management to abdicate responsibility for
ensuring the process operates effectively. Therefore, performance requirements should be built
into the outsourcing contract. Compliance with performance requirements is a relevant and
important internal audit activity. The internal audit function should consider outsourced
processes as part of the audit universe and take a proactive approach, reviewing risk and control
activities prior to implementation. Outsourcing the process does not remove the operational
risks. The internal auditor still needs to consider the risks to the organization and address those
risks in the risk assessment process. The independent outside auditor is not required to consider
risks that are not related to the financial statements and, thus, may not be interested in all
outsourced processes.
13. A company has recently outsourced its payroll process to a third-party service provider. An audit
team was scheduled to audit payroll controls in the annual audit plan prepared prior to the
outsourcing. What action should the audit team take, considering the outsourcing decision?
c. Review only the company’s controls over data sent to and received from the third-party
service provider.
Management of the company is still accountable for the risks, so controls at the third-party
processor and the user organization are both important. As the controls at the third party and
the user organization interact, both must be reviewed. Although the process is being performed
outside the organization, the third party is an extension of the organization’s payroll process. The
risk here may actually increase because an external party controls part of the control
environment.
14. Which flowcharting symbol indicates the start or end of a process?
c. Oval.
An oval is used to indicate the start or end of a flow.
15. How does a control manage a specific risk?
c. It reduces either likelihood or impact or both.
A control can reduce event likelihood, or reduce the event impact, or both. In each case, the risk
is lessened.
NOTHING IN BOOK

16. What is a business process?
A business process is the set of connected activities linked with each other for the purpose of
achieving an objective or goal.
17. What are operating processes?
Operating processes are the core processes through which the organization achieves its primary
objectives.
18. What is the difference between a top-down and bottom-up approach to understanding business
processes?
A top-down approach begins at the entity level with the organization’s objectives, and then
identifies the key processes critical to the success of each of the organization’s objectives. A
bottom-up approach begins by looking at all processes directly at the activity level, and then
aggregates the identified processes across the organization.
19. How does an organization determine the key objectives of a business process?
The key objectives for a process can be identified by determining the following for the process:
a. Why does the process exist?
b. How does this process contribute to the success of the organization’s strategy?
c. How are people expected to act?
d. What else does the process do that is important to management?
