PI. SI.

Topic C: Assurance and Consulting Services

Q 1. The nature and scope of an assurance audit are determined by the

A. senior manager—the person authorizing the assessment.

B. process owner—the person directly involved with the process, system, or other subject matter.
C. end user—the person using the assessment.
D. internal auditor—the person making the assessment.

Q 2. The senior management of an organization has requested that the internal audit activity provide ongoing
internal control training for all managerial personnel. This is best addressed by

A. an emergency consulting engagement agreement.

B. an informal consulting engagement agreement.
C. a special consulting engagement agreement.
D. a formal consulting engagement agreement.

Q 3. The primary intent of internal audit assurance activities is to

A. reduce risks to acceptable levels.

B. provide advice, generally at the request of the engagement client.
C. evaluate the achievement of operational targets.
D. assess evidence relevant to the subject matter of interest and provide conclusions.

Q 4. Which consulting activity would be appropriately performed by the internal audit function?

A. Installing systems of control

B. Designing systems of control
C. Drafting procedures for systems of control
D. Reviewing systems of control before implementation

Q 5. Guidance for assurance and consulting services is provided in what component of the International
Professional Practices Framework?

A. Attribute Standards
B. Performance Standards
C. Implementation Standards
D. Operational Standards

Q 6. Participation in a standing committee would refer to what category of consulting services?

A. Formal
B. Informal
C. Emergency
D. Special

Page 1 of 7
Q 7. The IIA publishes three types of Standards to guide adherence to its International Professional Practices
Framework. Which type expands guidance and provides requirements applicable to assurance and consulting
engagements?

A. Attribute Standards
B. Implementation Standards
C. Performance Standards
D. Assurance Standards

Q 8. What type of auditing engagement is considered advisory in nature and is generally performed at the
specific request of an engagement client?

A. Attribute
B. Assurance
C. Consulting
D. Implementation

Q 9. In some organizations, managers insist that an internal auditing function is not needed to provide a critical
assessment of the organization's operations. A management attitude such as this will most probably have an
adverse effect on the internal auditing function's

A. performance appraisals.
B. effectiveness.
C. operating budget variance.
D. policies and procedures.

Q 10. Which of the following is true of consulting engagements?

I. Assurance engagements and consulting engagements do not exclude one another, nor do they exclude
other kinds of appropriate services that draw upon the discipline of internal audit.

II. Consulting engagements often derive from assurance engagements and vice versa.

III. The auditor engaged in consulting may gain increased knowledge of the organization's processes while
not impairing the attribute of objectivity.

IV. Internal auditors may enter into formal engagements with the organization.

A. I only
B. I and II only
C. I, II, and III only
D. I, II, III, and IV

Other Practice Questions

Q 1. All of the following are characteristics of a consulting engagement except
A. results require mandatory reporting to a third party.
B. there are typically only two parties involved.
C. the internal auditor may assist in the design of corrective actions.
D. the scope of the audit may be to improve process efficiency or effectiveness.

Page 2 of 7
Q 2. Successful consultative communication in an internal audit is partially based on feedback from the
individual being audited regarding the actions of auditors during the audit. The feedback
A. will keep audit customers on the defensive regarding the auditors?
B. should go only to senior management as a means of reviewing the auditors.
C. should go to both management and the auditors to ensure business value is being added.
D. should go only to the auditors to help them improve their audit performance.

Q 3. A hospital is evaluating the purchase of software to integrate a new cost accounting system with its
existing financial accounting system. Which of the following describes the most effective way for the internal
audit activity to be involved in the procurement process?
A. The internal audit activity evaluates whether performance specifications are consistent with the
hospital's needs.
B. The internal audit activity evaluates whether the application design meets internal development and
documentation standards.
C. The internal audit activity determines whether the prototyped model is validated and reviewed with
users before production use begins.
D. The internal audit activity has no involvement since the system has already been developed externally.

Q 4. Which of the following is a consulting, rather than an assurance, role for internal auditors?
A. Teaching management about risk and control tools and techniques
B. Evaluating the effectiveness of controls and managing key risks
C. Designing and evaluating risk management processes
D. Assessing and reporting on risks in a reliable manner

Q 5. During the course of a business process review, an internal auditor may

A. provide advice on appropriate controls during system design.
B. lead a system design team.
C. decide which controls to select.
D. oversee the implementation of recommended controls.

Q 6. Systems development audits include reviews at various points to ensure that development is properly
controlled and managed. The reviews should include all of the following except
A. determining if system, user, and operations documentation conforms to formal standards.
B. conducting a technical feasibility study on the available hardware, software, and technical resources.
C. verifying the use of controls and quality assurance techniques for program development, conversion,
and testing.
D. examining the level of user involvement at each stage of implementation.

Q 7. When the labor cost accounting component of the application was first implemented, it did not meet
certain business requirements in the department and had to be substantially rewritten. Which one of the
following risks associated with End User Computing (EUC) application development could have led directly to
this result?
A. End-user applications may not receive the independent testing associated with traditional
development.
B. End-user applications may not be adequately documented to facilitate review.
C. There may be insufficient review and analysis of user needs when user and analyst functions are no
longer separate.
D. Segregation of duties would be inadequate if programmer and operator functions were performed by
the same person.

Page 3 of 7
Q 8. An internal auditor notes that production is often stopped or hampered because raw materials inventory is
not present when needed. Which of the following statements are true based on this information alone?

I. The internal auditor should investigate the quality of communication between production planners and
purchasing agents.
II. The internal auditor should recommend that management implement an economic order quantity (EOQ)
model to better manage inventory and meet production needs.
III. The internal auditor should attempt to quantify the costs to the organization related to this problem.

A. I only.
B. I and II.
C. I and III.
D. II and III.

Q 9. In forming a team to investigate an organization's potential adoption of an activity based costing system,
the best reason to include an internal auditor on the team would be the auditor's knowledge of
A. Activities and cost drivers.
B. Information processing procedures.
C. Current product cost structures.
D. Internal control alternatives.

Q 10. The scope of a consulting engagement performed by internal auditors should

A. Be sufficient to address the objectives agreed upon with the client.
B. Exclude areas that might be the subject of subsequent assurance engagements.
C. Be limited to activities within the current operating period.
D. Be preapproved in conjunction with the annual plan of consulting engagements.

Q 11. A company's cellular phone costs vary significantly by sales representative and by month. Which of the
following would be the most appropriate approach for a consulting project concerning this issue?
A. Control self-assessment involving sales representatives.
B. Benchmarking with other cellular phone users.
C. Business process review of cellular phone needs.
D. Performance measurement and design of the budgeting process.

Q 12. The internal audit activity can be involved with systems development continuously, immediately prior to
implementation, after implementation, or not at all. An advantage of continuous internal audit involvement
compared to the other types of involvement is that
A. The cost of audit involvement can be minimized.
B. There are clearly defined points at which to issue audit comments.
C. Redesign costs can be minimized.
D. The threat of lack of audit independence can be minimized.

Q 13. A bank is developing an integrated customer information system. The type of audit involvement that would
most likely help avoid implementation of a system that does not cover all types of accounts would be
A. A design review.
B. An application control review.
C. A source code review.
D. An access control review.

Page 4 of 7
Q 14. During which of the following systems development stages would it be most useful for an internal auditor
to be involved?
A. Coding and testing.
B. User acceptance and post implementation.
C. Design and implementation.
D. Testing and user acceptance.

Q 15. Which of the following types of internal audit consulting engagements is an example of a facilitation
service?
I. Conducting control self-assessment workshops.
II. Participating on standing committees.
III. Reviewing regulatory compliance.
IV. Benchmarking.
V. Estimating savings from outsourcing processes.
A. I and IV only.
B. I, III, and IV only.
C. II, III, and V only.
D. I, II, III, IV, and V.

Q 16. Which of the following is true regarding the internal audit activity's management of a third-party consulting
engagement?
A. The consultant should be empowered to lead the engagement as deemed necessary to meet the audit
objectives.
B. The internal auditor should understand the work of the consultant and ensure that audit objectives are
being met.
C. The consultant should issue the final audit report if the auditor does not have the technical expertise to
discuss the issues.
D. The auditor may provide advice but has no responsibility for the final audit report issued by the
consultant.

Q 17. When internal auditors provide consulting services, scope of the engagement is primarily determined by
A. Internal auditing standards
B. The audit engagement team.
C. The engagement client
D. The internal audit activity's charter.

Page 5 of 7
Answers- - PI. SI. Topic C: Assurance and Consulting Services
1D. Although all of these people are involved in the assurance audit, only the internal auditor has the
responsibility for determining the nature and the scope of the audit.

2D. Managerial training should be planned and continuous. It should be subject to a consulting agreement that
is formal and written to ensure that the needs and expectations of those who will be trained are recognized
and satisfied.

3D. Assurance services involve the internal auditor’s objective assessment of evidence to provide an
independent opinion or conclusions regarding a process, system, or other subject matter.

4D. Reviewing systems, even before implementation, is an activity appropriately performed by the internal
audit function, and it does not impair objectivity. The other three options are presumed to impair either
objectivity or independence.

5C. Guidance for assurance and consulting services are provided in the Implementation Standards. These
expand upon the Attribute and Performance Standards by providing the requirements applicable to
assurance or consulting services, as noted by the use of A or C in the standard's number.

6B. Internal auditors may conduct consulting services as part of their normal or routine activities or in response
to management requests. Informal consulting services include routine activities—such as participation in
standing committees, limited-life projects, or ad hoc meetings—and routine information exchange.

7B. Implementation Standards expand upon the Attribute and Performance Standards by providing the
requirements applicable to assurance or consulting services.

8C. Consulting services are advisory in nature and are generally performed at the specific request of an
engagement client. The nature and scope of the consulting engagement are subject to agreement with the
engagement client. Assurance services involve the internal auditor's objective assessment of evidence to
provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject
matter. The other two answer choices are Standard types, not types of audit engagements.

9B. In this type of situation, management is highly averse to analysis or possible criticism of its actions, and this
will inhibit the internal audit department's effectiveness.

10D. All of these statements are true. The IIA defines consulting as "advisory and related client services
activities, the nature and scope of which are agreed with the client, are intended to add value and improve an
organization's governance, risk management, and control processes without the internal auditor assuming
management responsibility. Examples include counsel, advice, facilitation, and training." Oftentimes, consulting
engagements are performed at the request of management to help ensure that the objectives have been
established, risks have been identified, and controls have been put in place to make the operation successful.

Answers - - Other Practice Questions

1 (A). Mandatory reporting to a third party is required in assurance engagements. Consulting services are
advisory in nature and are generally performed at the specific request of an engagement client. The nature and
scope of the consulting engagement are subject to agreement with the engagement client. Consulting services
generally involve two parties: (1) the person or group offering the advice—the internal auditor; and (2) the
person or group seeking and receiving the advice—the engagement client. 2-1-C7-53-1013

Page 6 of 7
2 (C). Both management and auditors should be involved in improving the image of internal audit in the
organization. Involving the individuals being audited should reduce conflict and defensiveness and make the
audit more participative. 2-1-C7-54-2013

3 (A). The internal audit activity should be involved to ensure the existence of performance specifications
consistent with the hospital's needs because incomplete or erroneous specifications may result in the
acquisition of unusable software or unenforceable contract terms with the software vendor.
2-1-C9-121-2013
4 (A). Educating management about the risk and control tools and techniques used by the internal audit activity
and sharing those tools is a consulting role for internal auditors. The other items are all assurance roles.
2-1-C9-122-2013

5 (A). A business process review falls in the consulting category of engagements. During a consulting
engagement (as it is in an assurance engagement), an internal auditor cannot assume management
responsibilities, make decisions, or execute transactions as if he or she was part of management. Providing
advice is acceptable as long as there is a clear understanding that management has responsibility for accepting
or rejecting the advice. The other responsibilities would significantly impair the auditor’s future ability to
objectivity evaluate the system. Item: 2-1-C9-128

6 (B). A feasibility study should be conducted in the systems analysis stage. Item: 2-1-C9-136

7 (C). Without formal systems analysts, user-developed applications have no independent review. In addition,
it may be difficult for users to specify complete requirements. Item: 2-1-C9-138

8. Answer (C) is correct. The condition attribute of the engagement observation is that stockouts are occurring.
To determine the cause attribute of the observation, the internal auditor should consider the coordination
between those responsible for scheduling production and those responsible for obtaining needed resources. The
internal auditor should also attempt to quantify the costs of the problem to establish the effect attribute of the
observation. This information is helpful in estimating the maximum benefit to be obtained by expending
resources to correct the condition. However, the internal auditor should not recommend implementation of an
EOQ. First, there is not enough information to justify it. Second, EOQs do not determine a level of safety stock.
Finally, more sophisticated materials requirements planning systems are available. Source: CIA 1196 I-10

9. Answer: D

10. Answer: A

11. Answer: C

12. Answer: C

13. Answer: A

14. Answer: C

15. Answer: A

16. Answer: B

17. Answer: C

Page 7 of 7