An internal auditor fails to discover an employee fraud during an assurance engagement. The non discovery is likely to suggest a violation of internal auditing standards if it was the result of a
Answer (D) is correct. The internal audit activity evaluates the adequacy and effectiveness of controls (Standard 2130.A1). Moreover, the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Standard 2130). Thus, an internal auditor must not simply assume that controls are adequate and effective.
Of the following, the primary objective of compliance testing is to determine whether
Answer (C) is correct. Internal auditors should assess compliance in specific areas as part of their role in organizational governance. Compliance testing can be used to determine whether laws and regulations are being adhered to, as well as whether internal controls are functioning as designed.
Which of the following is most likely to be regarded as a strength in internal control in a traditional external audit?
Answer (A) is correct. The external auditor’s traditional role is to perform an audit to determine whether the externally reported financial statements are fairly presented. Thus, a financial audit by the internal audit activity is relevant to the traditional external audit because it is an engagement in which the reliability and integrity of financial information is evaluated. Such an engagement is consistent with internal auditing standards. According to Standard of controls in responding to risks within the organization’s governance, operations, and information systems. This evaluation extends to the (1) reliability and integrity of financial and operational information; (2) effectiveness and efficiency of operations; (3) safeguarding of assets; and (4) compliance with laws, regulations, and contracts.
In evaluating the effectiveness and efficiency with which resources are employed, an internal auditor is responsible for
Answer (A) is correct. The internal audit activity evaluates the controls encompassing governance, operations, and information systems. This evaluation includes the effectiveness and efficiency of operations (Standard 2120.A1). Moreover, the internal auditors must “ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished” (Standard 2210.A3).
Which of the following best describes the internal audit activity’s purpose in evaluating the adequacy of risk management, control, and governance processes?
Answer (C) is correct. “Adequacy of risk management, control, and governance processes is present if management has planned and designed them in a manner that provides reasonable assurance that the organization’s objectives and goals will be achieved efficiently and economically. Efficient performance accomplishes objectives and goals in an accurate, timely, and economical fashion. Economical performance accomplishes objectives and cost) commensurate with the risk exposure. Reasonable assurance is provided if the most cost-effective measures are taken in the design and implementation stages to reduce risks and restrict expected deviations to a tolerable level. Thus, the design process begins with the establishment of objectives and goals. This is followed by connecting or interrelating concepts, parts, activities, and people in such a manner as to operate together to achieve the established objectives and goals” (PA 2100-1).
The status of the internal audit activity should be free from the effects of irresponsible policy changes by management. The most effective way to ensure that freedom is to
Answer (A) is correct. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board (Standard 1000). The charter should establish the internal audit activity’s position within the organization; authorize access to records, personnel, and physical properties relevant to the performance of engagements; and define the scope of internal audit activities (PA 1000-1). Approval of the charter by the board protects the internal audit activity from management actions that could weaken its status.
Independence is most likely impaired by an internal auditor’s
Answer (A) is correct. When the internal audit activity or an individual internal auditor is responsible for, or management is considering assigning, an operation that might be the subject of an engagement, independence and objectivity may be impaired. The internal auditor should consider the following factors in assessing the effect on independence and objectivity: The IIA Code of Ethics, the Standards, the expectations of the stakeholders, the internal audit activity’s charter, required disclosures, and subsequent coverage of the activities or responsibilities accepted (PA 1130.A1-2).
Which of the following activities is not presumed to impair the objectivity of an internal auditor? I. Recommending standards of control for a new information system application. II. Drafting procedures for running a new computer application to ensure that proper controls are installed. III. Performing reviews of procedures for a new computer application before it is installed.
Answer (D) is correct.
The internal auditor’s objectivity is not adversely affected when (s)he
recommends standards of control for systems or reviews procedures
before they are implemented. Designing, installing, drafting procedures
for, or operating systems is presumed to impair objectivity (PA 1130.A1-
A certified internal auditor is the chief audit executive for a large city and is planning the
engagement work schedule for the next year. The city has a number of different funds, some that are
restricted in use by government grants and some that require compliance reports to the government. One of
the programs for which the city has received a grant is job retraining and placement. The grant specifies
certain conditions a participant in the program must meet to be eligible for the funding
The internal auditors randomly select participants in the job retraining program for the past
year to verify that they had met all the eligibility requirements. This type of engagement is
Answer (A) is correct.
The scope of work of internal auditing includes assurance services that
involve evaluating the risk exposures and controls relating to the
organization’s governance, operations, and information systems. This
evaluation extends to risk exposures and controls regarding compliance
with laws, regulations, and contracts. It also includes determining
whether the organization is in compliance, that is, whether the activities
are complying with the appropriate requirements. The internal auditors
are verifying that participants in the job retraining program comply with
the eligibility requirements.
Senior management has requested a compliance audit of the organization’s employee benefits package. Which of the following is considered the primary engagement objective by both the chief audit executive and senior management?
Answer (B) is correct. The internal audit activity evaluates risk exposures related to governance, operations, and information systems regarding, among other things, compliance with laws, regulations, and contracts. Based on the risk assessment, the internal audit activity evaluates the adequacy and effectiveness of controls encompassing governance, operations, and information systems. This evaluation should include, among other things, compliance with laws, regulations, and contracts (Standards 2110.A2 and 2120.A1). Operation in accordance with contracts and regulations takes precedence over all other objectives because it relates to the most basic aspects of the programs.