Questions and Answers of Internal Auditing Assurance

Who is responsible for implementing ERM?a. The chief financial officer.b. The chief audit executive.c. The chief compliance officer.d. Management throughout the organization.
Risk assessment most commonly focuses on two criteria—impact and likelihood. As an organization’s risk assessment process evolves, what other criteria might be valuable to consider and why?
Which of the following is not a potential value driver for implementing ERM?a. Financial results will improve in the short run.b. There will be fewer surprises from year to year.c. There will be
One of your classmates, I. M. Motivated, consistently carries a very heavy class load. In addition to his already heavy class load, he is contemplating applying for an internal audit internship at a
How does COSO define risk appetite?
Which of the following is the best reason for the CAE to consider the organization’s strategic plan in developing the annual internal audit plan?a. To emphasize the importance of the internal
It may be easier for some to understand ERM by thinking about five “everyday questions” that can be used to apply risk management thinking:a. What are we trying to accomplish (what are our
What is inherent risk? What is residual risk?
When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:a. Report the unacceptable risk level immediately to the chair of the
What are COSO’s five categories of risk response?
The CAE is asked to lead the enterprise risk assessment as part of an organization’s implementation of ERM. Which of the following would not be relevant with respect to protecting the internal
In what forms might risk information be communicated?
An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function’s risk model. It is currently on
What are typical ERM responsibilities of:a. The board of directors?b. Management?c. The chief risk officer?d. Financial executives?e. The internal audit function?f. The independent outside auditors?
When assessing the risk associated with an activity, an internal auditor should:a. Determine how the risk should best be managed.b. Provide assurance on the management of the risk.c. Update the risk
What are the 11 risk management principles identified in ISO 31000?
One of the challenges of ERM in an organization that has a centralized structure is that:a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas.b.
What are the five components of the ISO 31000 risk management framework?
The function of the chief risk officer is most effective when he or she:a. Manages risk as a member of senior management.b. Shares the management of risk with line management.c. Shares the management
What five activities are included in the ISO 31000 risk management process?
In exhibit 4-3, why are some of the balls representing risks clustered together while some are not? Governance Controls & Management-Oversight Controls Process-Level
Enterprise risk management:a. Guarantees achievement of business objectives.b. Requires establishment of risk and control activities by internal auditors.c. Involves the identification of events with
What are some ERM assurance activities the internal audit function may perform? What are some ERM consulting activities the internal audit function may perform if appropriate safeguards are
What is a business process? What are operating processes?
In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization?a. Advertising budget.b. Production
How would an oil exploration and production company differ from a global retail company like Wal-Mart in terms of how it organizes business processes?
What is a project and how is it different from a business process?
Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to:a. Determine the ability of the
What is a business process?a. How management plans to achieve the organization’s objectives.b. The set of connected activities linked with each other for the purpose of achieving an objective or
What are five of the most important business processes and business risks for a large automobile manufacturer like Toyota?
Select a company that has undergone an initial public offering within the last five years and obtain the prospectus (these are usually available on the company’s website, EDGAR for companies listed
What are the management and support processes that are common to most organizations?
If internal audit resources are limited to conducting only one audit at a divisional location, should a high-risk process that was audited last year at this location be audited in lieu of a
CPI’s internal audit function uses the Assessment area in TeamMate+ to develop its annual risk-based internal audit plan. The planning process begins with the internal audit function’s
What is included in an organization’s business model?
If a risk appears in the bottom right of quadrant II in the above risk control map, it means that:a. There is an appropriate balance between risk and control.b. The controls may be excessive relative
The objectives of Sargon Products’ purchasing process are to obtain the right goods, at the right price, at the right time. What are the significant risks to achievement of these objectives?
Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, is an auditing standard for service organizations. SSAE 16 was issued in April 2010, and
What is the difference between a top-down and bottom-up approach to understanding business processes?
If a risk appears in the middle of quadrant IV in the above risk control map, it means that:a. There is an appropriate balance between risk and control.b. The controls may be excessive relative to
Think about the sales and cash receipts process of a men’s or women’s clothing store where you shop.a. What are the key objectives of this process?b. What are the key risks that threaten the
How does an organization determine the key objectives of a business process?
Which of the following circumstances would concern the internal auditor the most?a. A risk in the lower left corner of quadrant I.b. A risk in the lower right corner of quadrant II.c. A risk in the
Payswell Company, a small manufacturer, has been in business for 10 years. Senior management is thinking about outsourcing the company’s payroll process.a. What are three important objectives of a
What are two commonly used methods for documenting processes? Describe each.
Which of the following are business processes?I. Strategic planning.II. Review and write-off of delinquent loans.III. Safeguarding of assets.IV. Remittance of payroll taxes to the respective tax
What are the two common factors used when assessing risks?
Which of the following symbols in a process map will most likely contain a question?a. Rectangle.b. Diamond.c. Arrow.d. Oval.
After a risk assessment is completed, the next steps involve linking the risks to what two things?
What must the CEO and CFO of a publicly traded company do to comply with the U. S. Sarbanes-Oxley Act of 2002?
In the United States, Sarbanes-Oxley legislation put responsibility for the design, maintenance, and effective operation of internal control squarely on the shoulders of senior management,
After business risks have been identified, they should be assessed in terms of their inherent:a. Impact and likelihood.b. Likelihood and probability.c. Significance and severity.d. Significance and
What are the four responses an organization can take toward a risk?
In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have:a. A key link.b. A secondary link.c. An indirect link.d. No link at all.
What is the difference between a key link and a secondary link?
A major upgrade to an important information system would most likely represent a high:a. External risk factor.b. Internal risk factor.c. Other risk factor.d. Likelihood of future systems problems.
How can the risk factor approach be used to identify areas of high risk in an organization?
Which of the following is true regarding business process outsourcing?a. Outsourcing a core, high-risk business process reduces the overall operational risk.b. Outsourced processes should not be
What are the two basic types of factors typically used when following the risk factor approach? What other factors are commonly considered?
A company has recently outsourced its payroll process to a third party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the
What two axes are typically used in a risk control map? Explain what the two parallel dashed lines in exhibit 5-16 signify.Exhibit 5-16 Critical RISK SIGNIFICANCE Low Low 1 Critical CONTROL
When conducting an assurance engagement, once the objectives are known, what are the three primary steps involved in determining the tests to perform to assess whether the risks threatening the
Which flowcharting symbol indicates the start or end of a process?a. Arrow.b. Diamondc. Oval.d. Rectangle.
How does a control manage a specific risk?a. It reduces the likelihood of the event giving rise to the risk.b. It reduces the impact of the event giving rise to the risk.c. It reduces either
What practices should organizations follow to ensure effective risk management and control of outsourced business processes?
Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing governance, risk management, and control processes?a. To help determine the nature,
An audit report contains the following observations:a. A service department’s location is not well suited to allow adequate service to other units.b. Employees hired for sensitive positions are not
Controls mitigate risks that threaten objectives and thus provide reasonable assurance that objectives will be achieved. Risks encompass both threats of bad things happening and threats of good
What is a framework? What are the internal control frameworks recognized globally by management, independent outside accountants/auditors, and internal audit professionals?
What is residual risk?a. Impact of risk.b. Risk that is under control.c. Risk that is not managed.d. Underlying risk in the environment.
To meet waste discharge standards, a factory implements a control system designed to prevent the release of wastewater that does not meet those standards. One of the controls requires chemical
The requirement that purchases be made from suppliers on an approved vendor list is an example of a:a. Preventive control.b. Detective control.c. Compensating control.d. Monitoring control.
An organization has a goal to prevent the ordering of inventory quantities in excess of its needs. One individual in the organization wants to design a control that requires a review of all purchase
How does COSO define internal control?
An effective system of internal controls is most likely to detect a fraud perpetrated by a:a. Group of employees in collusion.b. Single employee.c. Group of managers in collusion.d. Single manager.
COSO is quoted in this chapter as follows: “…internal auditors provide assurance and advisory support to management on internal control…the internal audit function includes evaluating the
What are objectives? What three categories of objectives are set forth in the COSO framework?
The control that would most likely ensure that payroll checks are written only for authorized amounts is to:a. Conduct periodic floor verification of employees on the payroll.b. Require the return of
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement?a.
What does the control environment comprise?
Appropriate internal control for a multinational corporation’s branch office that has a department responsible for the transfer of money requires that:a. The individual who initiates wire transfers
What does risk assessment involve?
What are control activities? What types of control activities are present in a well-designed system of internal controls?
Who has primary responsibility for the monitoring component of internal control?a. The organization’s independent outside auditor.b. The organization’s internal audit function.c. The
What is high-quality information? Why must high-quality information be communicated?
Reasonable assurance, as it pertains to internal control, means that:a. The objectives of internal control vary depending on the method of data processing used.b. A well-designed system of internal
When are monitoring activities most effective? Who performs monitoring activities? What distinguishes separate evaluations from ongoing monitoring activities?
Which of the following best exemplifies a control activity referred to as independent verification?a. Reconciliation of bank accounts by someone who does not handle cash or record cash
What are the 17 principles of internal control defined by COSO?
COSO’s Internal Control Framework consists of five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)?I. The
The risk assessment component of internal control involves the:a. Independent outside auditor’s assessment of residual risk.b. Internal audit function’s assessment of control deficiencies.c.
What responsibilities do the following groups of people have regarding internal control?■ Management.■ The board of directors.■ Internal auditors.■ Others in the organization.■ The
What does “limitations of internal control” mean? Provide examples of limitations that are inherent to internal control.
When assessing the risk associated with an activity, an internal auditor should:a. Determine how the risk should best be managed.b. Provide assurance on the management of the risk.c. Update the risk
What is inherent risk? What is controllable risk? What is residual risk?
Determining that engagement objectives have been met is ultimately the responsibility of the:a. Internal auditor.b. Audit committee.c. Internal audit supervisor.d. CAE.
How does internal auditors’ perspective of internal control differ from management’s perspective?
An adequate system of internal controls is most likely to detect an irregularity perpetrated by a:a. Group of employees in collusion.b. Single employee.c. Group of managers in collusion.d. Single
How do entity-level controls differ from process-level and transaction-level controls?
What is a key control? What is a secondary control? What is a compensating control?

Showing 500 - 600 of 602