An external auditor’s primary consideration when assessing a company’s internal control structure policies and procedures is whether they
Answer (D) is correct. Management makes certain assertions about the financial statements (existence, rights and obligations, etc.). The goal of an audit is to assess the fair presentation of the financial statements. The auditor’s consideration of the client’s system of internal control is a means to that end.
Which one of the following statements most accurately explains the difference between the internal audit department’s responsibilities in reviewing compliance and their responsibilities in operational auditing?
Answer (A) is correct. This statement is true. Compliance reviews are a means of ensuring that the organization complies with laws, rules and regulations, while operational audits are conducted primarily to identify operational problems and enhance efficiency and effectiveness of operations.
Accounting control should provide reasonable assurance about the achievement of management’s objectives. The concept of internal controls providing “reasonable assurance” recognizes that
Answer (C) is correct. Since accounting control should provide reasonable assurance about the achievement of management’s objectives, the concept of internal controls provides that reasonable assurance should not adversely affect efficiency or profitability. In many cases, management’s objectives deal with either efficiency or profitability, so providing reasonable assurance should not impede the achievement of those objectives.
In a compliance audit, the internal auditor is most likely to
Answer (D) is correct. Compliance does involve internal auditors determining whether the company’s hiring practices are in conformity with laws regarding fair hiring and proper dismissal of employees. It follows that the internal auditors will conduct follow-up and report on management’s hiring practices in response to the laws regarding fair hiring and proper dismissal of employees.
Which one of the following statements best describes the objective of an operational audit?
Answer (D) is correct. Operational auditing is a review of a function within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.
Which one of the following best represents an example of information that internal auditors should report to the board of directors?
Answer (B) is correct. The internal audit activity must report to upper management and the board of directors certain types of incidents that come to its attention. These include fraud, illegal acts, material weaknesses and significant deficiencies in internal control, and significant penetrations of information security systems. All of these categories are examples of items that could adversely affect the organization.
When determining which controls to audit, an internal auditor should focus primarily on the relevance of those controls to the
Answer (B) is correct. Since auditors should determine which controls present the greatest risk that a company’s internal control will fail to prevent or detect a material misstatement in the financial statements, and audit objectives should be established to verify that these controls are working property, the auditor should focus primarily on the relevance of those controls to the audit objectives that have been identified.
In order to achieve independence, the internal audit function should
Answer (C) is correct. The audit committee plays an important role in maintaining the control environment by approving the charter and overseeing the work of the internal audit activity. Generally, the internal audit function is headed by the chief audit executive (CAE), who reports directly to the CEO and the board of directors. In order to improve independence, the internal audit function can report directly to the audit committee. The CAE should have direct, unhindered access to the board of directors. All of this helps achieve independence in the internal audit function.
Which of the following is not a threat to information systems?
Answer (D) is correct. Trojan horses and worms are threats to computerized systems. Data theft is a threat to any system. Serendipity is essentially a nonsense answer in that the word means the fortunate discovery of something good
Data processed by a computer system are usually transferred to some form of output medium for storage. However, the presence of computerized output does not, in and of itself, ensure the output’s accuracy, completeness, or authenticity. For this assurance, various controls are needed. The major types of controls for this area include
Answer (D) is correct. Input controls provide reasonable assurance that data received for processing have been properly authorized, converted into machine-sensible form, and identified, and that data have not been lost, suppressed, added, duplicated, or otherwise improperly changed. Input controls also relate to rejections, correction, and resubmission of data that were initially incorrect. Output controls provide assurance that the processing result is accurate and that only authorized personnel receive the output.