34.

Developing a risk-based audit plan requires a risk assessment. Under the model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal ControlIntegrated Framework, which one of the following explains how risk assessment is addressed?

Select one:

A. It expands the risk assessment concept by comparing it to competitor audits.

B. It is essentially the same as the traditional model, but is codified in steps that are reported.

C. It expands the risk assessment concept by identifying five interrelated components of internal control.

D. It is narrower and it provides concrete steps which are recommended and differ by industry.

36.

A risk-based auditing approach is deemed to be a top-down approach because

Select one:

A. It involves an external review of known potential threats to the organization and then developing an organizational response to those threats.

B. It involves review of each departments dependence on financial controls, compliance with federal statutes and audit history.

C. It involves review of the current financial controls and compliance to regulations as determined by external auditors.

D. It involves identifying and analyzing material risks to the achievement of the organizations objectives and then determining how the risks should be managed.

38.

An independent auditor has been given the task of evaluating internal controls at Side West Company (Side West). The auditor has determined that Side West's board of directors has endorsed a framework requiring management to have documented internal reporting controls to ensure efficient operations, accuracy of financial statements, and compliance with regulations. The framework is applied at the entity and divisional levels, but not the operating unit or functional levels. The program is new so it has not yet been monitored. The auditor is likely to report that

Select one:

A. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal ControlIntegrated Framework because it is applied at the entity level. Monitoring is not a requirement.

B. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal ControlIntegrated Framework because it must also be applied at the operating unit and functional levels and it must be monitored.

C. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal ControlIntegrated Framework because it is applied at the entity level. Monitoring will be required after the framework has been in place for one year.

D. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal ControlIntegrated Framework. It must also be applied at the operating unit level, but not the functional level. Regular monitoring must be implemented.

39.

Which one of the following statements is correct regarding a business continuity plan (BCP)?

Select one:

A. A BCP generally concentrates on one key function or process of an organization.

B. The BCP concept is used only with for-profit businesses.

C. The BCP concept involves eliminating the internal, external, and project exposures that could negatively impact operations.

D. A BCP is about sustaining operations so an organization isn't irrevocably harmed by an uncontrollable risk.