1.

Which of the following risk management techniques best describes the strategy of obtaining

insurance to protect against losses due to bad weather conditions?

A. Risk avoidance

B. Risk reduction

C. Risk acceptance

D. Risk sharing

2. An internal auditor believes that the internal audit activity's independence is impaired. Which

of the following actions should the internal auditor take first?

A. Report the impairment to senior management

B. Discuss the impairment with the audit manager

C. Ascertain the best approach to disclose the impairment.

D. Decide on the extent of impact of the impairment

* If independence or object ivi ty is impai red in fact or appearance, the details of the impai rment
must be disclosed to appropr iate par t ies. The nature of the disclosure will depend upon the
i mp a i r men t .

3. According to IIA guidance, the internal audit activity must be free from interference in which
of the following areas in order to maintain organizational independence?

A. Monitoring resources.

B. Compensating the chief audit executive.

C. Determining scope.

D. Allocating internal costs.

* The internal audi t act ivi ty must be free from interference in determining the scope of internal
audi t ing, performing work, and communicat ing resul ts. The chief audi t execut ive must disclose
such interference to the board and discuss the implicat ions
4. Which of the following practices is generally most effective to protect internal audit
objectivity?

A. Ensuring regular documentation of auditor skills and experience in the workpapers.

B. Basing performance evaluations heavily on customer satisfaction surveys.

C. Prohibiting auditors from accepting gifts from audit clients or potential clients.

D. Ensuring that auditors have a balance of both operational and internal audit responsibilities.

To help manage threats to objectivity, as required by Standard 1100 – Independence and

Objectivity,

* CAE may create relevant policies and procedures, such as a policy about internal audi tors
receiving gifts, favors, and rewards.

* Fur thermore, the CAE may requi re internal audi tors to complete a form disclosing potent ial
conflicts of interest and impai rments to object ivi ty, and should consider these disclosures when
assigning internal audi tors to engagements.

* In addi t ion, when developing policies and procedures, the CAE should carefully consider how
performance measures and the system of compensat ion may influence internal audi tors’
object ivi ty in repor t ing observat ions and conclusions.

* Trainings about how internal audi tors should address impai rments to object ivi ty may be helpful.

Ensur ing that audi tors are not assigned to audi t engagements where they have a personal or
f i na nc i a l i n t e r e s t .

5 What is the primary purpose of The IIA's Code of Ethics?

A. Communicate specific activities appropriate to the performance of internal auditing

B. Promote ethical culture within corporations and other business organizations

C. Establish mandatory standards of competence for the practice of internal auditing

D. Establish principles and expectations governing behavior of individuals and organizations

in the conduct of internal auditing.

* The Code of Ethics states the pr inciples and expectat ions governing the behavior of individuals
and organizat ions in the conduct of internal audi t ing. It descr ibes the minimum requi rements for
conduct and behavioral expectat ions rather than specific act ivi t ies.

* The purpose is to promote an ethical cul ture in the profession of internal audi t ing.
6 What is the primary reason a chief audit executive should dedicate time and resources to
support continuing professional development of internal audit staff?

A. To ensure that internal audit staff maintains high overall job satisfaction.

B. To ensure that internal audit staff acquired continuing professional education credits timely.

C. To ensure that top risks are mitigated to an acceptance level.

D. To ensure that internal audit staff have the competency to address high-priority risks.

7 Which of the following requests, if accepted by the internal audit activity, would impair its
independence?

A. A request to develop workshops on corporate governance for management.

B. A request to act as liaison with external auditors.

C. A request to determine appropriate risk management responses for management.

D. A request to provide counseling services on ethical matters.

8 Which of the following situations is most likely to threaten the independence of the internal
audit activity?

A. The chief audit executive reports functionally to the board and administratively to the CEO.

B. The annual budget for the internal audit activity is approved by the chief financial officer.

C. The internal audit activity is completely outsourced to an external service provider.

D. The internal audit manager provides consulting services to the procurement department, where
she worked during the prior year.

9 Which of the following controls would be most useful to prevent an employee from using the
organization's funds for inappropriate expenditures and falsifying financial records to conceal the
fraud?

A. Segregating duties in the payroll processes.

B. Confirming receipt of goods or services.

C. Performing background checks on newly hired employees.

D. Requiring management approval for expenses.

10 Due to unfavorable economic conditions management decided to postpone new investments
for the next year. Which of the following best describes the risk management strategy used to
address this situation?

A. Risk mitigation

B. Risk avoidance

C. Risk reduction

D. Risk transfer

11 An internal auditor is reviewing the results of an employee survey at a mining company. Which
of the following would alert the auditor to a potential ethics issue?

A. Women account for 20% of the total number of employees in the company.

B. Thirty percent of employees feel confident in raising concerns without a fear of retaliation.

C. Most employees believe that transparent and fair decision-making forms the basis of business
ethics.

D. Employees with longer work experience believe that they deserve more privileges than
new hires.

12 Which of the following techniques should an internal auditor use in order to conduct an
effective interview?

A. Use technical language to establish credibility with the employee being interviewed

B. Avoid straightforward questions to make the person being interviewed think before answering

C. Prepare the next question while the interviewee is responding to demonstrate preparedness

D. Appear confident but not arrogant during the interview to show professionalism

13 Which of the following describes a primary responsibility for the internal audit activity in
helping management maintain effective controls?

A. Promoting continuous evaluation

B. Promoting continuous monitoring

C. Promoting continuous improvement

D. Promoting continuous reporting

Assessing the controls, Recommending improvements, Monitoring the implementation

14 Which of the following is an example of risk monitoring to ensure a system is performing as

intended?

A. Checking the progress of risk treatment plans

B. Considering the consequence and likelihood of risks

C. Documenting the risks and their areas of impact

D. Communicating to management about risks

15 Which of the following is an indicator that the organization’s risk management process is
effective?

A. The organization s risk appetite mission, and objectives are dearly outlined.

B. The organization s risk management practices are assessed as mature.

C. The organization has adopted risk management frameworks and global models.

D. The organization s significant risks are identified and adequately assessed

* Determining whether r isk management processes are effect ive is a judgment resul t ing from the
internal audi tor’s assessment that:

Organizat ional object ives suppor t and align wi th the organizat ion’s mission.

Significant r isks are ident ified and assessed.

Appropr iate r isk responses are selected that align r isks wi th the organizat ion’s r isk appet i te.

Relevant r isk informat ion is captured and communicated in a t imely manner across the
organizat ion, enabling staff, management, and the board to carry out thei r responsibili t ies.

16 Which of the following should be considered in developing a risk and control model for use
in an engagement?

A. The risk and control model should be globally accepted by the profession.

B. The risk and control model should be strictly adhered to in performing the engagement.

C. The risk and control model should be tailored to the organization that will be the subject
of the engagement.

D. The risk and control model should be developed individually by the auditor for use on
individual audit projects within the planned engagement.
17 Which of the following would be the most suitable internal control framework for an
organization to adopt?

A. A framework that specifies common best practices for an organization to evaluate and
benchmark.

B. A framework that specifies correct and incorrect business methodologies.

C. A framework with precise specifications for how controls and processes should be employed.

D. A framework that offers step-by-step guidance for remedial action for all organization types.

18 A new chief audit executive realized that the internal audit charter has not been updated in
five years and only includes the Core Principles for the Professional Practice of Internal Auditing,
the Code of Ethics, and the Standards. What mandatory component is missing?

A. Statement of Independence.

B. Operating Procedures of Internal Auditing.

C. Definition of Internal Auditing.

D. Attestation of Quality Assurance.

* The mandatory nature of the Core Pr inciples for the Professional Pract ice of Internal Audi t ing,
the Code of Ethics, the Standards, and the Defini t ion of Internal Audi t ing must be recognized in
t h e i n t e r na l a u d i t c h a r t e r .

19 Which following best describes a consulting engagement rather an assurance engagement?

A. Bank internal auditors review an activity checklist to determine that the loan officer followed
proper procedures.

B. The chief financial officer asks for the internal auditor's opinion regarding whether the new
accounting pronouncements were properly and comprehensively adopted

C. An internal auditor is assigned to assess whether a proposed new initiative to convert a

customer service system would be cost effective.

D. Senior management asks the internal audit activity to review compliance with customer data
security regulations

An assurance engagement is one in which an internal auditor provides an opinion on whether the
organization has complied with certain standards or regulations
20 According to IIA guidance, which policy, established by the chief audit executive, would most
likely ensure internal audits are conducted with due professional care?

A. The initial review of workpapers should be conducted after the final engagement report is
issued.

B. Independent internal assessments of the internal audit activity should be performed by entry-
level staff as part of on-the-job training.

C. Internal audit staff should be informed regularly of changes to policies and procedures.

D. Training documents should be destroyed at the end of the year to create space for the next
year's training documents.

* To ensure due professional care is applied, the CAE must establish policies and procedures
(Standard 2040), which generally incorporate the Mandatory Guidance of the IPPF and provide a
systemat ic and disciplined approach to the engagement process. The CAE may requi re individual
audi tors to sign forms acknowledging that they understand policies and procedures

21 The chief audit executive (CAE) annually develops a budget and resource plan and submits it
to the board for approval. This action best fulfills which of the following responsibilities of the
CAE?

A. The responsibility to maintain organizational independence.

B. The responsibility to perform engagements with due professional care.

C. The responsibility to communicate corrective action plans to the board.

D. The responsibility to define the purpose of the internal audit activity.

* Organizat ional independence is effect ively achieved when the chief audi t execut ive repor ts
funct ionally to the board. Examples of funct ional repor t ing to the board involve the board:

- Approving the internal audi t char ter;

- Approving the r isk based internal audi t plan;

- Approving the internal audi t budget and resource plan;

- Receiving communicat ions from the chief audi t execut ive on the internal audi t act ivi ty’s
p e r f o r m a nc e

- Approving decisions regarding the appointment and removal of the chief audi t execut ive;
 - Approving the remunerat ion of the chief audi t execut ive

22 A new internal audit activity is considering the adoption of a risk and control framework.
Which of the following is the most appropriate consideration during this process?

A. The framework should not be developed by the internal audit activity

B. The framework should apply to individual projects rather than the organization as a whole

C. The framework should always be tailored to the organization

D. The framework should require fewer resources to implement

23 Which of the following actions would be most effective to help an internal auditor determine
how successful the organization has been in communicating the existence of its ethics hotline?

A. Reviewing the number of anonymous hotline allegations against employee complaints.

B. Surveying employees to determine whether they are aware of the hotline.

C. Benchmarking the average time to investigate hotline complaints.

D. Tracking the number of hotline allegations per total number of employees.

24 Which of the following would best describe a control implemented to detect cash register
disbursement fraud in a large retail store?

A. Separate the duties of processing and authorizing refunds on merchandise

B. Post signs in the register area prompting customers to ask for and examine their sales receipts

C. Periodically count the cash in the register and compare it to the expected amount

D. Use cash registers with internal tapes that are tamper proof and that require a manager to
process voids or refunds

25 An organization is conducting a fraud risk assessment as part its risk management program.
Which of the following steps is the organization most likely to perform first?

A. Identify relevant fraud risk factors.

B. Identify potential fraud schemes.

C. Identify existing controls for preventing and detecting fraud.

D. Identify red flags by conducting data analysis.

Risk factor->Risk scheme->Exist ing Cont rol->Assess Cont rol->Red flag by data analysis

26 According to IIA guidance, which of the following corporate social responsibility (CSR)
evaluation activities may be performed by the internal audit activity?

1. Consult on CSR program design and implementation. / 2. Serve as an advisor on CSR

governance and risk management. / 3. Review third parties for contractual compliance with CSR
terms. / 4. Identify and mitigate risks to help meet the CSR program objectives.

A. 1,2, and 3,

27 In which of the following ways can a whistleblower hotline serve as a preventive control?

A. Third parties who operate the hotline ensure anonymity for whistle blowers.

B. Whistleblower tips help discover wrongdoings and violations of the code of conduct.

C. Potential perpetrators of fraud know that their actions can be reported easily.

D. Better investigation protocols are triggered by the whistleblower hotline.

28 Which of the following statements is true regarding the role of the internal audit activity in
the organization's risk management process?

A. The internal audit activity should not be responsible for developing the organization's risk
management framework, even with appropriate safeguards. -> legitimate w/ safeguards

B. The internal audit activity is typically responsible for alerting operational management to
emerging risks and changes in regulatory scenarios

C. The internal audit activity may coach management on risk response scenarios if safeguards
have been implemented. -> w/ safeguards

D. The internal audit activity should avoid giving assurance regarding the accuracy of risk
evaluations if safeguards have not been implemented. -> core role

* Co r e r o l e

- Giving assurance on the RM processes / - Giving assurance that r isks are correct ly evaluated

- Evaluat ing the RM processes / - Reviewing the management of key r isks

* W / S a f eg ua r d s

- Coaching management on r isk response / - Maintaining&Developing the ERM framework

- Developing RM st rategy for board approval

29 Which of the following relates to the concept of due professional care?

A. An auditor attempts to obtain information needed to complete an assurance engagement but

is denied access.

B. The appointment of the chief audit executive is ratified by the board.

C. An auditor demonstrates a good understanding of the steps involved in carrying out a

consulting engagement.

D. The internal audit resource plan is only approved by the chief financial officer.

* Internal audi tors must exercise due professional care by consider ing the:

- Extent of work needed to achieve the engagement's object ives;

- Relat ive complexi ty, mater iali ty, or significance of matters

- Adequacy and effect iveness of governance, r isk management, and cont rol processes;

- Probabili ty of significant errors, fraud, or noncompliance; and

- Cost of assurance in relat ion to potent ial benefi ts.

* Internal audi tors must exercise due professional care dur ing a consul t ing engagement by
c o ns i d e r i ng t h e :

- Needs and expectat ions of clients, including the nature/t iming/ communicat ion of resul ts

- Relat ive complexi ty and extent of work needed to achieve the engagement's object ives

- Cost of the consul t ing engagement in relat ion to potent ial benefi ts.

30 Internal controls belong to which risk response category?

A. Reduction.

B. Avoidance.

C. Sharing.

D. Acceptance.
31 During a monthly internal audit staff meeting, the chief audit executive (CAE) decided to
reinforce the importance of internal audit staff being objective in their work. Which of the
following examples would be most appropriate for the CAE to include as part of the meeting
presentation?

A. Statistical sampling techniques should always be used to pull unbiased sampling for testing.

B. Fieldwork completed by internal auditors should be appropriately reviewed.

C. Internal auditors should avoid using the lunch room simultaneously with audit clients.

D. During the audit review period, there should be no nonaudit dialogues with the audit
client.

32 Which of the following would a chief audit executive most likely use to identify a need for
improvement in a staff internal auditor's business acumen?

A. A quality assessment review.

B. An internal audit client survey.

C. A control self-assessment.

D. A peer review of the internal audit activity.

33 The internal audit activity was denied access to expenditure and budget reports because
they were considered to be confidential. This situation would result in which of the following
limitations of the internal audit activity?

A. Independence / B. Integrity / C. objectivity / D. Authority

34 An experienced internal auditor is planning an assurance engagement of the organization's

sales activities. During process walkthroughs and interviews, many sales representatives expressed
concerns about management's escalating demands to meet the organization's sales goals. which
of the following is the best application of due professional care in planning the engagement?

A. Disregard the complaints because the information isn't reliable and isn't sufficient to support
engagement conclusions and results.

B. Consider the significance of the risks related to the complaints and develop appropriate
assurance procedures in work programs.

C. Disregard the complaints because using them would violate the confidentiality principle.

D. Discuss management's needs and expectations related to including the complaints in the audit
scope.

35 An internal auditor assessed that the risk of steel theft at a plant is high. In response, the
plant's management introduced a number of controls, including fences around the facility, a metal
detector at the entrance, and monthly steel inventory counts. If the controls operate as intended,
which of the following outcomes would the internal auditor hope to see?

A. The inherent risk will be mitigated to a level lower than the residual risk.

B. The inherent risk will be reduced to an acceptable level.

C. The residual risk will be reduced to an acceptable level.

D. The residual risk will be eliminated

36 An engagement supervisor notes that an internal auditor usually documents and submits draft
audit reports for review without giving the process owners the opportunity to state their position
on the issues raised. How should the engagement supervisor respond?

A. Encourage the auditor to continue this practice, as it demonstrates objectivity.

B. Encourage the auditor to improve communication skills.

C. Encourage the auditor to conduct post-engagement surveys to obtain the audit client's
position on the issues raised.

D. Encourage the auditor to sign the draft reports before submitting them.

37 Which of the following best describes a proactive role for the internal audit activity with regard
to the organization's ethics program?

A. Becoming a voting member of the organization's internal ethics council.

B. Performing an annual organization-wide employee survey.

C. Reviewing all departmental ethics-related policies.

D. Conducting annual ethics training for all employees.

* The CAE should ensure that all audi t work is performed in full compliance wi th and meets the
intent of, the Code. The CAE may assume proact ive roles such as becoming a nonvot ing member
of an ethics council or conduct ing ethics t raining sessions.

* The internal audi t act ivi ty may also play roles such as host ing the organizat ion’s whist leblowing
h o t l i n e o r c o n d u c t i n g f r a u d i n ve s t i g a t i o n s .
IIA Standard 2110.A1 requi res that the internal audi t act ivi ty evaluate the design, implementat ion,
and effect iveness of the organizat ion’s ethics-related object ives, programs, and act ivi t ies

At a minimum, the internal audi t act ivi ty should per iodically assess the state of the organizat ion’s
ethical climate and the effect iveness of i ts st rategies, tact ics, communicat ions, and other processes
i n a c h i e v i ng t h e d e s i r e d s t a t e .

Assessment methods include:

• An ent i ty-wide review of ethics-related policies and processes.

• An ent i ty-wide employee survey.

• An audi t project employee survey.

• Informally including ethical climate in ent i ty-wide and audi t project r isk assessments and in the
e xe c u t i o n o f a u d i t p r o j e c t s .

When audi tors evaluate the “design, implementat ion, and effect iveness of the organizat ion’s ethics
-related object ives, programs and act ivi t ies,” an impor tant and challenging att r ibute is
effect iveness.

For example, Internal audi tors can test the design of a t raining program by compar ing i t to “best
pract ice” models. Internal audi tors can test the implementat ion of a t raining program by checking
the qualificat ions of the inst ructors, not ing the percentage of employees who have taken the
t raining, examining attendee evaluat ions, quizzing employees later.

38 An external assessment was performed as part of the organization's quality assurance and
improvement program. Which of the following conclusions confirms that the internal audit activity
is in conformance with the Standards'?

A. The chief audit executive is well qualified and has responsibilities over operational areas that
the internal audit activity assesses.

B. Periodic self-assessments are assigned to entry-level internal audit staff to support their
continuing professional development.

C. All audit workpapers are reviewed and signed by the engagement supervisor before the
audit report is issued.

D. Employees who rotate into the internal audit activity from other areas of the organization are
assigned to audit areas where they previously worked, to take advantage of their operational
expertise and experience.
39 Which of the following is ultimately responsible for the continuing professional development of
internal audit activity staff?

A. Individual internal auditors. / B. Chief audit executive. / C. Board of directors. / D. CEO.

Standard 1230 – Cont inuing Professional Development

To cont inue thei r professional development, internal audi tors may want to reflect on thei r job
requi rements, including the t raining policies and the professional educat ion requi rements. And
Reflect ing on career goals may help internal audi tors wi th long-term planning of thei r professional
development.

An individual internal audi tor may use a self-assessment tool, such as the Competency Framework,
as a basis for creat ing a professional development plan. Typically, the internal audi tor discusses
the plan wi th the chief audi t execut ive (CAE), and the two may agree to use the professional
development plan as the basis for developing measures of the internal audi tor’s performance (i.e.,
key performance indicators), which could be incorporated into supervisory reviews, client surveys,
and annual performance reviews.

Ul t imately, the individual internal audi tor is responsible for conforming wi th Standard 1230.

40 According to HA guidance, which of the following is true regarding independence and

objectivity for small internal audit activities?

A. The chief audit executive (CAE) may consider including a disclaimer on independence in
audit reports.

B. The CAE may consider greater involvement of those with suitable knowledge of audit practice.

C. Conformance with this Standard is not dependent upon the size of the internal audit activity.

D. Due to the small size of the internal audit activity, having an external assessment once every
seven years is acceptable.

* When issuing a repor t where independence or object ivi ty could not be achieved sat isfactor ily,
the CAE has the obligat ion to disclose this fact in the audi t repor t -> Independence or Object ivi ty

* When scheduling internal assessments, small internal audi t act ivi t ies may need to consider
greater involvement of those wi th sui table knowledge of internal audi t pract ice. -> QAIP
* Conformance wi th this Standard is not dependent upon the size of the audi t act ivi ty and should
present no unique challenges for the small audi t act ivi ty.-> Purpose, Author i ty, and Responsibili ty
41 Which of the following statements is true regarding how the scope of a consulting
engagement should be established?

A. The engagement client should be able to determine the scope to be applied to the
engagement

B. The internal auditor should establish a scope that does not impair her objectivity

C. Any attempts by the engagement client to limit the scope should be considered a scope
limitation

D. The scope should include reviewing the effectiveness of the internal control environment

42 An internal auditor in a busy internal audit activity reviews her continuing professional
development records toward the end of the year and is concerned to find she has undertaken
limited training and formal professional development. Which of the following actions is the most
appropriate for her to take?

A. Remind the chief audit executive (CAE) that he is responsible for her continuing professional
development and needs to address the issue

B. Contact her professional organization and explain that she does not need formal professional
development, as she is being developed sufficiently through undertaking audit engagements.

C. Accept that she is unlikely to meet continuing professional development requirements but look
to attend training courses at the next available time.

D. Accept that she is responsible for her own continuing professional development, develop
a professional plan, and discuss it with the CAE.

43 An internal auditor believes that a weakness exists in the control environment relating to the
delegation of authority and responsibility within the management structure. Which of the
following actions should the internal auditor first consider in this matter?

A. Recommend a control change and obtain management support.

B. Evaluate the potential Impact on related controls.

C. Address the risk with senior management and the board.

D. Develop and communicate the scope and evaluation criteria to be used by management.

* 1. Gather more informat ion-reviewing policies, interviewing management -> 2. assess the r isk
a nd c o ns i d e r t he potent ial impact-> 3. b a sed on t he assessment, should develop
recommendat ions -> 4. Consider discussing thei r finding and recommendat ions wi th management
44 Which of the following qualifies as an acceptable consulting service provided by the internal
audit activity?

A. Develop training and system rollout plans in response to the results of the change readiness
assessment of a new sales distribution model

B. Lead a risk self-assessment session for laboratory managers to help identify inherent risks and
provide recommendations on how to evaluate the risks

C. Audit a third party cloud service provider to review the effectiveness of governance and
management controls in providing secure services to its customers

D. Conduct a post-implementation assessment of the enterprise resource planning system to

determine whether project objectives were met and to identify opportunities to maximize
potential benefits

45 A chief audit executive (CAE) was asked by senior management to establish and manage a risk
management function. A new chief risk officer was hired a year later to assume these
responsibilities. As this function was included in the current annual audit plan, the CAE engaged
an external resource for a risk management engagement. Which of the following potential threats
to objectivity was the CAE likely addressing?

A. Self-review threat.

when an audi tor reviews his or her own work performed dur ing a previous audi t or
c o ns u l t i ng e ng a g e m e n t

B. Advocacy threat.

a r i s e f r o m a u d i t o r s a c t i n g b i a s e d i n p r o m o t i n g o r a d vo c a t i n g f o r o r a g a i n s t t h e a u d i t
client to the point that subsequent object ivi ty may be compromised.

C. Familiarity threat.

ar ise because of an audi tor’s long-term relat ionship wi th the audi t client

D. Personal relationship threat.

ar ise when an audi tor is a close fr iend of the manager or an employee of the audi t client
46 Which statement is accurate regarding reporting on the quality assurance and improvement
program (OAIP) to conform with the International Standards for the Professional Practice of
Internal Auditing?

A. The chief audit executive (CAE) should report all stages of the OAlP's development and
key milestones.

B. The CAE should report only corrective action plans that meet external assessor or stakeholder
requirements.

C. The CAE should establish the form and content of program communication so that it is in
alignment with the internal audit activity charter.

D. The CAE should disclose program details only after both internal and external assessments
have been completed.

47 While preparing the audit plan for an automobile manufacturing company, the chief audit
executive (CAE) noted that the company's engineering department received a high risk ranking.
However, the internal audit activity is understaffed, and current staff do not possess the necessary
skills to adequately assess the effectiveness of the engineering department. What is the most
appropriate course of action for the CAE to take?

A. Include the engineering department on the audit plan, use the available internal audit
resources to conduct the review, and exclude procedures that cannot be adequately assessed.

B. Advise management to accept the assessed risk until the internal auditors are able to review
the area adequately.

C. Recruit internal auditors with the required competencies and wait until they are employed
before including this audit on the internal audit plan.

D. Proceed with a review of the engineering department but supplement the internal audit
team with nonauditors from an external engineering company who have the required skills
to assist
48 Which of the following is a detective control?

A. An organization requires certain employees who occupy sensitive positions to sign attestation
to the code of conduct on an annual basis. -> Preventive Control

B. A compliance specialist carries out quarterly reviews of an organization's compliance with

regulatory requirements.

C. A front desk officer in an organization requires that visitors are identified by the host before
access is granted. -> Access Control

D. An internal audit activity deploys audit management policies and procedures for team
members. -> Directive Control

* A prevent ive cont rol is designed to prevent errors or omissions from occurr ing in the fi rst place.

* An access cont rol is designed to rest r ict access to cer tain areas or informat ion to author ized
i nd i v i d u a l s o n l y

* A di rect ive cont rol is a type of cont rol that tells individuals what they should or should not do.
By deploying audi t management policies and procedures, the internal audi t act ivi ty is providing
g u i d a nc e t o t e a m m e m b e r s o n h o w a u d i t s s h o u l d b e c o nd u c t e d .

49 Senior management is eager to assess the organization's risks with regard to electricity sales
processes, but the senior management team does not know where to start. How can the internal
audit activity assist?

A. Outsource the identification of best practices for risk management to an external third party.

B. Perform an audit engagement to identify risk management practices deployed in electricity

sales processes.

C. Recommend reporting the lack of risk management to government authorities and request
guidance.

D. Facilitate a self-assessment workshop with the employees responsible for process

execution.

Facilitating a self-assessment workshop involves engaging with the employees responsible for the
electricity sales processes to identify the risks inherent in their day-to-day activities. This process
allows the internal audit activity to gain an understanding of the risks facing the organization, as well
as the controls in place to mitigate those risks. It also helps to raise awareness of risk management
practices among employees.
50 According to IIA guidance, which of the following statements is true regarding consulting
engagements performed by the internal audit activity?

A. Consulting engagements typically involve four or five parties: the internal audit activity,
engagement client, senior management, board, and sometimes the external auditor.

B. The scope of a consulting engagement is determined by either the engagement supervisor or

chief audit executive, and it is finalized prior to beginning fieldwork.

C. According to the Standards, internal auditors are permitted to carry out certain management
functions during a consulting engagement.

D. A preliminary risk assessment may not be needed for consulting engagements, because
the expectations and objectives of the engagement are determined by the engagement client.

* Consul t ing services are advisory in nature and are generally performed at the specific request of
an engagement client. The nature and scope of the consul t ing engagement are subject to
agreement wi th the engagement client. Consul t ing services generally involve two par t ies: (1) the
person or group offer ing the advice — the internal audi tor, and (2) the person or group seeking
a nd r e c e i v i ng t h e a d v i c e — t h e e ng a g e m e n t c l i e n t . W h e n p e r f o r m i ng c o ns u l t i ng s e r v i c e s t h e
internal audi tor should maintain object ivi ty and not assume management responsibili ty.

* 2210.A1 - Internal audi tors should conduct a preliminary assessment of the r isks relevant to the
act ivi ty under review. Engagement object ives should reflect the resul ts of this assessment.

* 2210.A2 - The internal audi tor should consider the probabili ty of significant errors, i rregular i t ies,
noncompliance, and other exposures when developing the engagement object ives.

* 2210.C1 - Consul t ing engagement object ives should address r isks, cont rols, and governance
processes to the extent agreed upon wi th the client

51 During an assurance engagement, an internal auditor identified that a developer of the

organization's enterprise resource planning (ERP) system had intentionally modified the
production code to commit a fraudulent transaction. Which control activity should be
implemented to prevent such issues in the future?

A. Segregate duties between code development and migrating changes into production.

B. Conduct fraud training for the IT team responsible for the ERP system.

C. Penalize the developer who committed the fraud by terminating employment.

D. Restrict developers' access to the ERP system's test environment.

52 During fieldwork, an internal auditor located a significant internal control issue. Without
identifying the origins of the issue, the auditor concluded the engagement and included the issue
in the final audit report. To enhance audit quality, which of the following skills should the internal
auditor improve?

A. Business acumen.

B. Critical thinking.

C. Communication.

D. Audit report writing.

53 The internal audit activity is undergoing a self-assessment as part of its quality assurance and
improvement program. Which of the following observations must be addressed in order for the
internal audit activity to achieve conformance with the Standards?

A. The internal audit charter does not identify which audit services are outsourced

B. The internal audit charter has not been reviewed by the legal department

C. The internal audit charter has not been approved by the board within the past year

D. The internal audit charter does not describe the authority of the internal audit activity

54 Which of the following would best serve to deter unethical behavior and encourage internal
auditors to be objective in their work?

A. A requirement that internal auditors undergo objectivity training periodically

B. Periodic communications reminding internal auditors of Standards requirements

C. A review of the final audit report by the audit committee

D. Ongoing monitoring and periodic internal quality assessments

55 Which of the following statements best represents the duo professional care that is required of
internal auditor's?

A. Internal auditors should perform assurance procedures to ensure that all significant risks are
identified.

B. Internal auditor should not perform consulting engagements for operations for which they had
previous responsibilities.
C. Internal auditors should consider the cost of assurance in relation to the potential benefits.

1220.A1- Internal audi tors must exercise due professional care by consider ing the:

Extent of work needed to achieve the engagement's object ives;

Relat ive complexi ty, mater iali ty, or significance of matters to which assurance procedures are
applied;

Adequacy and effect iveness of governance, r isk management, and cont rol processes;

Probabili ty of significant errors, fraud, or noncompliance; and

Cost of assurance in relat ion to potent ial benefi ts.

1220.A2 - In exercising due professional care internal audi tors must consider the use of
technology-based audi t and other data analysis techniques.

1220.A3- Internal audi tors must be aler t to the significant r isks that might affect object ives,
operat ions, or resources. However, assurance procedures alone, even when performed wi th due
professional care, do not guarantee that all significant r isks will be ident ified.

1220.C1- Internal audi tors must exercise due professional care dur ing a consul t ing engagement by
c o ns i d e r i ng t h e :

Needs and expectat ions of clients, including the nature, t iming, and communicat ion of
e ng a g e m e n t r e s u l t s ;

Relat ive complexi ty and extent of work needed to achieve the engagement's object ives; and

C o s t o f t h e c o n s u l t i n g e n g a g e m e n t i n r e l a t i o n t o p o t e n t i a l b e n e f i t s.

56 Which of the following are some of the requirements of the quality assurance and
improvement program (QAIP)?

A. The OAIP should be conducted at least once every three years, and must be performed by an
external assessor.

B. The OAIP should be conducted on an ongoing basis, and can be completed as a self-
assessment

C. The QAIP should include both internal assessments performed by staff and external
assessments performed by independent, objective individuals

D. The OAIP should be performed with scoping limitations established by the board.
(-> THE QAIP should cover all aspects of the IAA)
57 Which of the following is an indicator that the internal audit activity does not fully conform
with the Standards?

A. The quality assurance and improvement program identified several opportunities for the
internal audit activity to make improvements.

B. In lieu of an external assessment, the internal audit activity performed a self-assessment with
independent external validation.

C. During an internal quality assessment, it was identified that rotational auditors often perform
consulting engagements for areas of the organization where they had previous responsibilities.

D. External assessments are performed every five years by a competent internal audit team
from the organization's parent company.

* Individuals from another depar tment of the organizat ion, al though organizat ionally separate

from the internal audi t act ivi ty, are not considered independent for the purpose of conduct ing

an external assessment. In the public sector, internal audi t act ivi t ies in separate ent i t ies wi thin

the same t ier of government are not considered independent if they repor t to the same CAE.

Likewise, individuals from a related organizat ion (e.g., a parent organizat ion; an affiliate in the

same group of ent i t ies; or an ent i ty wi th regular oversight, supervision, or quali ty assurance

responsibili t ies wi th respect to the subject organizat ion) are not considered independent.

58 Which of the following statements best describes a functional difference between external
auditors and internal auditors?

A. Internal auditors evaluate past achievements to understand whether controls are operating
effectively, and external auditors focus on the accuracy of financial reporting.

B. Internal auditors provide assurance about the sufficiency of controls to manage risks
including risks of failure to achieve future goals, and external auditors evaluate the accuracy
and understandability of financial reporting.

C. internal auditors are always employed by the organization, rather than outsourced, and external
auditors are never employed by the organization but contracted independently.

D. Internal auditors are most directly concerned with the detection of fraud, while external
auditors are most directly concerned with the prevention of fraud.

59 Which of the following would be most helpful to measure whether an internal audit activity
successfully provides risk-based assurance?

A. Percentage of highly significant risks covered by internal audit plan.

B. Percentage of previously unknown risks identified per engagement.

C. Percentage of internal audit staff skilled in alignment with the organization's structure and key
risks.

D. Percentage of observations made in assurance engagements compared to advisory

engagements.

Internal audit provides assurance on the effectiveness of risk management, control, and governance
processes. The internal audit plan should be risk-based and prioritize the most significant risks facing
the organization. Therefore, the percentage of highly significant risks covered by the internal audit
plan is a key performance indicator that can be used to measure the effectiveness of the internal audit
activity in providing risk-based assurance.

60 When performing an audit of the risk management process an auditor makes the observations
listed below. Which poses the greatest risk to the organization?

A. The identified risks have not undergone a detailed review to ensure completeness in the past
two years.

B. The controls in place to mitigate the risks are not tested on an annual basis to confirm
operating effectiveness.

C. The process in place to identify and evaluate new risks to the organization is informal and
poorly documented.

D. The identified risks have not been ranked to establish their importance and risk management
priority.

61 According to MA guidance, which of the following is true with regard to the internal audit
charter?

1. It specifies the minimum resources needed for assurance engagements.

2. It requires final approval from senior management.

3. It defines the internal audit activity's authority and responsibilities.

4. It describes the expectations for communicating the results of a quality assurance and
Improvement program.

The mandatory nature of the Core Principles, the Code of Ethics, the Standards, and the Definition
of Internal Auditing must be recognized in the internal audit charter.

62 Which of the following items related to the quality assurance and improvement program
should the chief audit executive report to the board?

A. Ongoing monitoring results

B. Periodic management assessment results

C. Annual risk assessment results

D. Internal auditors' training evaluation results

Internal Assessment – Ongoing monitoring(at least annually), Periodic Self assessment

External Assessment – Full external assessment, Self-assessment w/ independent external

validation

63 The chief audit executive (CAE) is drafting the annual internal audit plan and seeks input from
senior management and the external auditor prior to submitting it for approval to the board.
According to MA guidance, which of the following statements is true regarding this scenario?

A. The CAE's actions are likely to impair the Independence of the internal audit activity.

B. The CAE acted appropriately, and the independence of the internal audit activity was not
impaired.

C. The CAE should have developed the audit plan without outside influence to maintain objectivity.

D. The CAE acted appropriately, as he has authority to determine who reviews and approves the
audit plan.

* The chief audit executive must establish a risk-based plan to determine the priorities of the
internal audit activity, consistent with the organization's goals.

2010.A1 – The internal audit activity's plan of engagements must be based on a documented risk
assessment, undertaken at least annually. The input of senior management and the board must
be considered in this process.

2010.A2 – The chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other conclusions.
2010.C1 - The chief audit executive should consider accepting proposed consulting engagements
based on the engagement's potential to improve management of risks, add value, and improve
the organization's operations. Accepted engagements must be included in the plan.

64 According to MA guidance, which of the following is an appropriate role for the internal audit
activity?

A. Coaching management in responding to risks.

B. Implementing risk responses on management's behalf.

C. Imposing risk management processes.

D. Setting the risk appetite.

65 Which of the following organizational practices is likely to be a part of a corporate social

responsibility program?

A. A mining company practices backfilling and planting trees after mining within an area.

B. A construction company ensures that its workers are paid at the regulated minimum wage.

C. A foods manufacturer sources cheap raw materials to generate higher profits for distribution to
its employees.

D. A bank listed on the national stock exchange consistently pays dividends to its shareholders.

66 The chief audit executive (CAE) decided to conduct a self-assessment with independent
validation. Which of the following is the most likely reason the CAE selected this course of action?

A. The audit committee requested the self assessment for quality assurance purposes

B. The staff auditors have the necessary knowledge and experience to conduct the review

C. The internal audit activity is relatively small in size and is due for an external assessment

D. The internal audit activity is due for a self-assessment which is specifically required at least
once every five years

* External assessments must be conducted at least once every five years by a qualified,
independent reviewer or review team from outside the organizat ion. Another opt ion for external
assessment is a self-assessment wi th external validat ion by an independent fi rm. This is a means
to lower the cost.

67 An internal auditor at a multinational organization is reviewing the effectiveness of the

organization's risk management framework. In this scenario, which of the following statements
is true?

A. The auditor should consider local cultures and customs in various regions when assessing
control effectiveness.

B. Regardless of their location, employees at all levels share responsibility for designing effective
controls to mitigate risks.

C. To achieve an effective internal control environment, the organization's risk management plan
must be documented and communicated to all levels throughout each region.

D. Setting clear objectives is a precondition to effectively identifying, assessing, and

responding to the organization's risks.

68 According to The IIA's Competency Framework, which competency is considered mandatory

minimum for internal auditors to possess when performing internal audit engagements?

A. To recognize red flags that indicate fraud.

B. To recommend controls to prevent fraud.

C. To apply forensic auditing techniques to detect fraud.

D. To evaluate the potential for fraud.

70 The internal audit activity is responsible for conducting fraud investigations. A potential fraud
instance was identified during an audit engagement. The chief audit executive appoints a lead
investigator. Which of the following would most likely be the next step?

A. Ask internal auditors to gather all relevant information and evidence.

B. Identify and interview witnesses first and potential suspects later.

C. Conduct a fraud risk assessment to identify the most vulnerable areas.

D. Determine the competencies needed and assess whether team members have a conflict of
Interest.

71 Which of the following accurately describes the concept of inherent risk?

A. Risk factors that exist when controls are in place and operating effectively

B. Internal risk factors assuming no controls are in place

C. Risk factors that cannot be mitigated because they are innate to a process

D. Combination of internal and external risk factors in their pure state assuming no controls
are in place

Internal audi tors should est imate both inherent r isk — the r isk that exists if no cont rols were in
place — and residual r isk. The dist inct ion is impor tant because managementtends to think
pr imar ily in terms of residual r isk, but internal audi tors need to be able to consider whether r isk
mi t igat ion techniques are effect ively designed and operat ing. Internal audi t ’s r isk assessments star t
by consider ing inherent r isk, the combinat ion of internal and external r isks in thei r pure,
uncont rolled state

Which of the following frauds is most likely to occur in the accounts payable function?

A. Fictitious vendors are entered into the system, possibly resulting in improper
disbursements.

-> Segregation of duties in vendor management needed

B. Bad debt expense is intentionally omitted from the financial statements.

C. Certain costs are capitalized, rather than expensed.

D. A related party receives benefits not appropriate in an arm's-length transaction.

-> Likelihood: M / Due diligent for related-party transactions needed

73 Which of the following would most likely be classified as a consulting engagement?

A. Examining the internal control effectiveness of the marketing department

B. Assessing the adequacy of the IT system's business process design

C. Facilitating a self-assessment of the organizations business risk and control identification

D. Reviewing the application controls in the human resources system

74 According to IIA guidance, which of the following actions by the chief audit executive (CAE)
best demonstrates the organizational independence of the internal audit activity?

A. The CAE seeks senior management approval of the internal audit charter

B. The CAE obtains senior management's approval to hire staff

C. The CAE reports significant issues to the organization's CEO

D. The CAE provides the board with an annual budget for approval

According to the IIA's International Professional Practices Framework, the chief audit executive (CAE)
must demonstrate organizational independence by reporting significant issues to the organization's
highest level of management, such as the CEO or the board. This ensures that the internal audit
activity is not impeded in its ability to carry out its responsibilities and provides a safeguard against
retaliation or pressure from lower levels of management.

75 Which of the following most accurately describes corporate social responsibility at an

organization?

A. An organizational locus on improving the overall environment, even it is to the detriment of

the local community.

B. A philosophy driven by employees that flows up to senior management and the board of
directors.

C. An overall commitment of the organization to improve the quality of life for not only the
employees but the community at large.

D. A policy of ensuring that the organization is socially responsible, even if it leads to

unprofitability due to increased costs.

76 Which of the following survey questions would be most effective to identify ethics violations
within the organization?
A. Are the performance targets in your department realistic and attainable?

B. Do your coworkers have the knowledge, skills, and training needed to perform their job duties?

C. Does your supervisor comply with laws and regulations affecting the organization?

D. Do you have sufficient resources, tools, and time to accomplish your work objectives?

77 If the skills and competencies are not present within the internal audit activity to complete an
ad-hoc assurance engagement, which of the following is an acceptable resolution?

A. Politely decline the engagement due to a lack of qualified staff available at the time.

B. Complete the engagement as requested, with the best of the current staffs abilities.

C. Consider using employees from other departments in the organization on the audit team.

D. Change the scope of the testing to ensure that only available staff proficiencies are used

78 Which combination of strategies would provide the best evaluation of the effectiveness of the
organization's risk assessment activity?

1. Interview staff at various levels to discuss the organization's objectives, significant risks,
and risk appetite.

2. Review board meeting minutes to determine whether the significant risks identified are
communicated timely to the board.

3. Evaluate the adequacy and timeliness of management remediation actions by reviewing

the control design, testing the controls, and reviewing monitoring procedures.

4. Review the professional development plans of internal audit staff to ensure all are competent to
assess the organization's risk assessment activity.

79 An internal auditor is reviewing employee travel expenses from the previous six months for
fraud. Which of the following tests would best detect instances where personal travel has been
claimed?

A. Verifying whether claims have been properly authorized for payment

B. Verifying whether claims are properly supported by invoices or other documents.

C. Confirming that all claims are within the limits of the organization's travel policy.

D. Reconciling claims against business requests that were approved by supervisors

80 Which of the following internal control components has COSO identified as the most
important?

A. Info and communication / B. Risk assessment / C. Control activities D. Control

environment

COSO (Committee of Sponsoring Organizations of the Treadway Commission) identifies five

components of internal control: 1.Control environment, 2.risk assessment, 3.control activities,
4.information and communication, and 5.monitoring activities. Control environment is
considered the foundation of internal control and is considered the most important component.
It sets the tone for the organization, influences the control consciousness of its people, and is
the foundation for all other components of internal control.

81 According to IIA guidance, which of the following is accurate regarding the chief audit
executive's (CAE's) requirement to report the results of quality assessments?

1. The CAE must report the results of external assessments at least annually.

2. The CAE must report the results of ongoing monitoring at least annually.

3. The CAE must report the results of quality assessments to senior management.

4. The CAE must report the results of quality assessments to the board.

82 A risk assessment showed that the cost of addressing a particular risk in the organization's
human resources department is greater than the perceived benefit. Which risk response approach
should the organization take in this scenario?

A. Reduce the risk.

B. Transfer the risk.

C. Accept the risk.

D. Share the risk.

There are four common r isk response types: avoid, share or t ransfer, mi t igate, and accept.

A good example of avoidance would be to completely disengage from a market due to

geopoli t ical instabili ty in a region of the wor ld.

Share/Transfer Somet imes organizat ions choose to share or t ransfer r isk wi th/to another par ty.
This may be done by purchasing insurance policies or by forming business arrangements, such as
joint ventures or other par tnerships. A share or t ransfer r isk response can be a good opt ion when
t h e o t h e r p a r t y h a s s p e c i f i c r i s k m a na g e m e n t c o m p e t e nc i e s , s u c h a s f a m i l i a r i t y i n a p a r t i c u l a r
geographical market (e.g., a U.S. based company that wishes to expand in a Lat in Amer ican
market).

Mi t igat ion involves creat ing cont rols — or improving exist ing cont rols — to close a cont rol
design or execut ion gap. Mi t igat ion tends to be the r isk response internal audi tors most
frequent ly recommend as a course of act ion related to an audi t observat ion. At t imes mi t igat ion
may be overused when other r isk response types are better.

Accept Risk acceptance is used when other r isk response opt ions are unavailable or not opt imal.
Risk owners acknowledge the r isk exists but "accept" the r isk wi th minimal response. If the cost of
other r isk responses exceeds the value that would be gained, a r isk acceptance st rategy may be
appropr iate.

83 Which of the following is the internal audit activity expected to do with respect to the
organization's governance processes?

A. Formally audit all governance activities.

B. Provide strategic guidance on the organizational processes to senior management.

C. Achieve agreement with the board regarding the range of activities, depth of review, and
time period to include in the assessment.

D. Audit against the governance structures and practices widely used in the industry.

85 Which of the following practices is generally most effective to protect internal audit objectivity?

A. Ensuring regular documentation of auditor skills and experience in the workpapers.

B. Basing performance evaluations heavily on customer satisfaction surveys.

C. Prohibiting auditors from accepting gifts from audit clients or potential clients.

D. Ensuring that auditors have a balance of both operational and internal audit responsibilities.

86 According to The IIA's Code of Ethics, an internal auditor who has a romantic relationship with
an audit client violates which of the following rules of conduct?

A. Confidentiality.

B. Independence.
C. Integrity.

D. Objectivity.

87 Which of the following is a primary benefit of implementing a governance risk management

and compliance framework within an organization?

A. Fewer internal audits

B. More effective interviews

C. Automated risk management strategy tools

D. Reduced assurance costs

88 Who has the ultimate responsibility of implementing the organization's governance system?

A. Stakeholders

B. The board

C. The chief executive officer

D. Internal auditors

89 Which of the following offers the feast evidence that the internal audit activity has achieved
organizational independence?

A. An independent third party has assessed the organization's system of internal controls to be
adequate and effective.

B. The chief audit executive reports both functionally and administratively to the CEO.

C. The internal audit charter is drafted properly and approved by the appropriate parties.

D. The mission statement and strategy of the internal audit activity demonstrates alignment to
organizational objectives.

90 Which of the following statements demonstrates that internal auditors are in conformance with
the standard of due professional care?

A. Internal auditors have shown they have the freedom to carry out their responsibilities.
B. Internal auditors have demonstrated the skills needed to carry out the audit engagement.

C. Internal auditors have strictly followed a formal audit process in conducting their work.

D. Internal auditors have demonstrated an unbiased mental attitude.

Proficiency is a collective term that refers to the knowledge, skills, and other competencies
required of internal auditors to effectively carry out their professional responsibilities. It
encompasses consideration of current activities, trends, and emerging issues, to enable relevant
advice and recommendations.

Internal auditors must apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility

91 According to IIA guidance, which of the following best demonstrates due professional care?

A. Staffing audit engagements with internal auditors who possess professional designations.

B. Relying on prior audit work to save planning time and costs.

C. Performing assurance procedures to guarantee all significant risks are identified.

D. Assessing the cost of assurance in relation to the potential benefits.

* Internal audi tors must exercise due professional care dur ing a consul t ing engagement by
c o ns i d e r i ng t h e :

- Needs and expectat ions of clients, including the nature/t iming/ communicat ion of resul ts

- Relat ive complexi ty and extent of work needed to achieve the engagement's object ives

- Cost of the consul t ing engagement in relat ion to potent ial benefi ts.

NO.92 Which of the following circumstances would most likely be considered a potential red flag
for fraud by the internal audit activity?

A. The monthly payroll reports are not vetted to ensure terminated employees have been
removed from the payroll system

B. The volume of nonroutine journal entries has steadily increased over time.

C. The database of approved suppliers has not been reviewed the last year
D. The recent employee survey indicates that some employees remain unaware of the
organization's whistle blower hotline.

93 In addition to her internal audit activity responsibilities, the chief audit executive has been
asked to oversee the organization's insurance function. Which of the following responses is most
appropriate?

A. Welcome the additional responsibility, as it represents an opportunity to gain more information

for future audits.

B. Revise the internal audit charter to include oversight of the insurance function, ensuring that all
of her responsibilities are properly documented.

C. Report the request to the board and recommend alternate processes to obtain assurance
related to insurance activities.

D. Promptly remove the organization's insurance function from the audit universe.

94 Which of the following statements is the most appropriate for a chief audit executive to
include in the internal audit policy manual in order to promote objectivity?

A. Internal auditors may conduct a financial effectiveness engagement in a business unit at any
point after being transferred from that area.

B. Internal auditors may conclude that a business unit's current control environment is adequate
and effective if the review of the prior year's workpapers and audit report supports that
conclusion.

C. Internal auditors may conduct an engagement in a business unit at any point after providing a
training workshop in that area.

D. Internal auditors should limit the scope of an engagement if they become aware of a
potential impairment of their objectivity in order to reduce the potential impact of the
impairment on the engagement results.

95 A financial services organization's board is assessing increased regulations and its effect on
current industry lending practices. Which of the following committees would help the board
identify and assess the effects of the increased regulations?

A. Quality committee.

B. Audit committee.

C. Risk committee.
D. Governance committee.

96 An internal audit activity is taking steps to promote professional development among the

staff, and is in the process of implementing a mentorship program. According to HA guidance,

which

of the following is important for a successful mentorship program?

A. It is best if the mentor is the chief audit executive.

B. Mentor meeting documentation should be retained in personnel files.

C. It should target both new hires and highly experienced staff.

D. Meetings with mentors should be formal and scheduled.

Answer: D

NO.97 An internal auditor is finalizing an audit report on the effectiveness of the organization's

overall system of internal control. Several audit tests were performed, and the only issue identified

was that the CEO frequently asks employees to make exceptions or bypass the organization's

standard written policies and procedures. Which of the following conclusions is most appropriate
for

the auditor to report?

A. The auditor should indicate that the system of internal control is not effective.

B. The auditor should indicate that the system of internal control is generally effective, except for
the

minor issue identified.

C. The auditor should indicate that the system of internal control is effective.

D. The auditor cannot express a conclusive opinion in the audit report.

Answer: A

NO.98 Which of the following should play a leading role in overseeing ihe ethical atmosphere of
an

organization?

A. Internal audit activity.

B. Operating management.

C. Senior management.

D. Board of directors.

Answer: D

NO.99 The collaborating style for conflict resolution, where the parties promote assertiveness and

work together to develop a mutually beneficial solution, is best used in which of the following

situations?

A. Parties are confident of the solution and are ready to defend it.

B. There is a high level of trust among the parties.

C. Resolution is time sensitive and a quick decision is necessary.

D. The issue is more important to one patty than the others.

Answer: B

NO.100 Which of the following is an appropriate roe fa the internal audit activity?

A. Ensuring the organization's key risks are managed through appropriate controls.

B. Assisting the organization in maintaining effective controls.

C. implementing new controls to promote continuous improvement

IT Certification Guaranteed, The Easy Way!

23

D. Validating control assessments performed by the external auditor.

Answer: A