A new internal audit activity is creating its first charter. According to IIA guidance, which of the following objectives would be appropriate for inclusion in the charter?
According to The IIA Global Internal Audit Competency Framework, which of the following areas of training would best assist the internal audit activity in improving its use of tools and techniques?
According to IIA guidance, which of the following statements about working papers is false?
According to the International Professional Practices Framework, which of the following are allowable activities for an internal auditor?
1. Advocating the establishment of a risk management function.
2. Identifying and evaluating significant risk exposures during audit engagements.
3. Developing a risk response for the organization if there is no chief risk officer.
4. Benchmarking risk management activities with other organizations.
5. Documenting risk mitigation strategies and techniques.
Which of the following control methods is effective in reducing the risk of purchasing-scheme fraud?
1. Periodically reviewing the vendor list for unusual vendors and addresses.
2. Segregating duties among purchasing, receiving, shipping, and accounting.
3. Validating sequential integrity of purchase orders.
4. Verifying the validity of invoices with post office box addresses.
Which of the following control activities is the most effective to ensure users' levels of access are appropriate for their current roles?
An internal audit activity is using the auditing-by-element approach to audit the organization's controls around corporate social responsibility. Which of the following would be an element for the internal audit activity to consider?
An assurance mapping exercise helps an organization do which of the following?
1. Provide assurance to stakeholders that risks are managed and reported, and regulatory and legal obligations are met.
2. Fulfill best practices in the industry.
3. Identify and address any gaps in the risk management process.
4. Identify fraud.
An organization has implemented a software system that requires a supervisor to approve transactions that would cause treasury dealers to exceed their authorized limit. This is an example of which of the following types of controls?
As a matter of policy, the chief audit executive routinely rotates internal audit staff assignments and periodically interviews the staff to discuss the potential for conflicts of interest. These actions help fulfill which of the following internal audit mandates?
According to IIA guidance, which of the following roles would be appropriate for an internal auditor regarding fraud risk?
1. Identification.
2. Mitigation.
3. Remediation.
4. Reduction.
Which of the following options is the most cost-effective and efficient way for internal auditors to keep current with the latest developments in the internal audit profession?
Which of the following is true regarding the use of a formal risk management framework?
1. It facilitates a methodical approach to risk mitigation.
2. It defines and standardizes the terminology used in risk communication.
3. It establishes the risk tolerance levels to be accommodated in the strategy.
4. It facilitates the alignment of risk mitigation strategies with management priorities.
Forty-five percent of an organization's customer payments are submitted online. Eight percent of online payments are rejected. Executive management decides to outsource its online payment services to a contractor that will assume 75 percent of the total value of rejected payments. The organization estimates $1.25 million customer payments due during the contract period.
Which of the following represents the organization's residual risk for online customer payments due?
According to IIA guidance, which of the following scenarios demonstrates an internal auditor exercising due professional care?
A. When auditing investments, the auditor identified instruments with which he was unfamiliar. He decided not to select that type of investment in his sample, as he did not have the knowledge needed to perform a proper assessment.
B. An auditor was reviewing inventory counts conducted by the warehouse staff. One truck containing an immaterial amount of inventory was off-site and wasn't verified by the auditor.
C. An auditor visited a plant that produces a significant portion of the organization's inventory. The day he arrived, the plant manager was out sick, so the auditor issued the report without interviewing the manager.
D. An auditor in charge needed to have testing completed by the end of the month, but was behind schedule. He identified a junior auditor to conduct the work for him on a complex area of the organization.
Which of the following is considered a violation of The IIA's Code of Ethics?
Which of the following enhances the independence of the internal audit activity?
The internal audit activity is planning a procurement audit and needs to obtain a thorough understanding of the subcontracting process, which can involve multiple individuals in multiple countries.
Which of the following internal audit tools would be most effective to document the process and the key controls?
An IT contractor applied for an internal audit position at a bank. The contractor worked for the bank's IT security manager two years ago. If the audit manager interviewed the contractor and wants to extend a job offer, which of the following actions should the chief audit executive pursue?
According to IIA guidance, which of the following is least compliant with the requirements regarding an internal auditor's need for objectivity?
An organization is facing a financial downturn and needs to impose major budget reductions to all departments. According to IIA guidance, which of the following actions is most appropriate for the board to take to evaluate the potential impact on the internal audit activity?
Sometimes, internal audit staff may partner with operating managers to rank risks. Which of the following outcomes may be the most beneficial aspects of this strategy?
1. Reappraising risk levels.
2. Providing accurate information to management.
3. Marketing the internal audit activity.
4. Planning safeguards for assets in high-risk areas.
Which of the following is true regarding the COSO enterprise risk management framework?
Which of the following characteristics is most important specifically for a global manager to possess in order to be successful?
Which of the following principles is shared by both hierarchical and open organizational structures?
1. A superior can delegate the authority to make decisions but cannot delegate the ultimate responsibility for the results of those decisions.
2. A supervisor's span of control should not exceed seven subordinates.
3. Responsibility should be accompanied by adequate authority.
4. Employees at all levels should be empowered to make decisions.
An organization is considering the outsourcing of its business processes related to payroll and information technology functions. Which of the following is the most significant area of concern for management regarding this proposed agreement?
Which of the following examples demonstrates that the internal audit activity uses descriptive analytics in its engagements?
Which of the following statements are true regarding the use of heat maps as risk assessment tools?
1. They focus primarily on known risks, limiting the ability to identify new risks.
2. They rely heavily on objective assessments and related risk tolerances.
3. They are too complex to provide an easily understandable view of key risks.
4. They are helpful but limited in value in a rapidly changing environment.
Which of the following stages of contracting focuses on aligning the markets with objectives of the organization?
Which of the following statements is true regarding the resolution of interpersonal conflict?
When auditing an application change control process, which of the following procedures should be included in the scope of the audit?
1. Ensure system change requests are formally initiated, documented, and approved.
2. Ensure processes are in place to prevent emergency changes from taking place.
3. Ensure changes are adequately tested before being placed into the production environment.
4. Evaluate whether the procedures for program change management are adequate.
During which phase of disaster recovery planning should an organization identify the business units, assets, and systems that are critical to continuing an acceptable level of operations?
Refer to the exhibit.
A company's financial balance sheet is presented below:
The company has net working capital of:
For an engineering department with a total quality management program, important elements of quality management include all of the following except:
According to IIA guidance, which of the following steps are most important for an internal auditor to perform when evaluating an organization's social and environmental impact on the local community?
Which of the following is a primary objective of the theory of constraints?
Which of the following is false with regard to Internet connection firewalls?
An internal auditor performed a review of IT outsourcing and found that the service provider was failing to meet the terms of the service level agreement. Which of the following approaches is most appropriate to address this concern?
According to IIA guidance, which of the following corporate social responsibility (CSR) evaluation activities may be performed by the internal audit activity?
1. Consult on CSR program design and implementation.
2. Serve as an advisor on CSR governance and risk management.
3. Review third parties for contractual compliance with CSR terms.
4. Identify and mitigate risks to help meet the CSR program objectives.
An employee frequently uses a personal smart device to send and receive work-related emails. Which of the following controls would be most effective to mitigate security risks related to these transmissions?
Which of the following factors is considered a disadvantage of vertical integration?
When management uses the absorption costing approach, fixed manufacturing overhead costs are classified as which of the following types of costs?
Which of the following most accurately describes the purpose of application authentication controls?
Which of the following steps should an internal auditor take during an audit of an organization's business continuity plans?
1. Evaluate the business continuity plans for adequacy and currency.
2. Prepare a business impact analysis regarding the loss of critical business.
3. Identify key personnel who will be required to implement the plans.
4. Identify and prioritize the resources required to support critical business processes.
The percentage of sales method, rather than the percentage of receivables method, would be used to estimate uncollectible accounts if an organization seeks to:
A chief audit executive (CAE) was asked to participate in the selection of an external auditor. Which of the following would not be a typical responsibility for the CAE?
Within an enterprise, IT governance relates to the:
1. Alignment between the enterprise's IT long term plan and the organization's objectives.
2. Organizational structures of the company that are designed to ensure that IT supports the organization's strategies and objectives.
3. Operational plans established to support the IT strategies and objectives.
4. Role of the company's leadership in ensuring IT supports the organization's strategies and objectives.
In order to provide useful information for an organization's risk management decisions, which of the following factors is least important to assess?
Which of the following is the best example of a compliance risk that is likely to arise when adopting a bring-your-own-device (BYOD) policy?
The chief audit executive of a medium-sized financial institution is evaluating the staffing model of the internal audit activity (IAA). According to IIA guidance, which of the following are the most appropriate strategies to maximize the value of the current IAA resources?
• The annual audit plan should include audits that are consistent with the skills of the IAA.
• Audits of high-risk areas of the organization should be conducted by internal audit staff.
• External resources may be hired to provide subject-matter expertise but should be supervised.
• Auditors should develop their skills by being assigned to complex audits for learning opportunities.
Which of the following behaviors could represent a significant ethical risk if exhibited by an organization's board?
1. Intervening during an audit involving ethical wrongdoing.
2. Discussing periodic reports of ethical breaches.
3. Authorizing an investigation of an unsafe product.
4. Negotiating a settlement of an employee claim for personal damages.
After finalizing an assurance engagement concerning safety operations in the oil mining process, the audit team concluded that no key controls were compromised. However, some opportunities for improvement were noted. Which of the following would be the most appropriate way for the chief audit executive (CAE) to report these results?
The chief audit executive (CAE) of a small internal audit activity (IAA) plans to test conformance with the Standards through a quality assurance review. According to the Standards, which of the following are acceptable practices for this review?
1. Use an external service provider.
2. Conduct a self-assessment with independent validation.
3. Arrange for a review by qualified employees outside of the IAA.
4. Arrange for reciprocal peer review with another CAE.
An audit identified a number of weaknesses in the configuration of a critical client/server system. Although some of the weaknesses were corrected prior to the issuance of the audit report, correction of the rest will require between 6 and 18 months for completion. Consequently, management has developed a detailed action plan, with anticipated completion dates, for addressing the weaknesses. What is the most appropriate course of action for the chief audit executive to take?
An internal auditor has been assigned to facilitate a risk and control self-assessment for the finance group. Which of the following is the most appropriate role that she should assume when facilitating the workshop?
A chief audit executive is preparing interview questions for the upcoming recruitment of a senior internal auditor. According to IIA guidance, which of the following attributes shows a candidate's ability to probe further when reviewing incidents that have the appearance of misbehavior?
Which of the following is the primary reason the chief audit executive should consider the organization's strategic plans when developing the annual audit plan?
Which of the following is not a primary purpose for conducting a walk-through during the initial stages of an assurance engagement?
Which of the following conditions are necessary for successful change management?
1. Decisions and necessary actions are taken promptly.
2. The traditions of the organization are respected.
3. Changes result in improvement or reform.
4. Internal and external communications are controlled.
Due to a recent system upgrade, an audit is planned to test the payroll process. Which of the following audit objectives would be most important to prevent fraud?
A chief audit executive (CAE) is determining which engagements to include on the annual audit plan. She would like to consider the organization's attitude toward risk and the degree of difficulty in achieving objectives. Which of the following resources should the CAE consult?
After the team member who specialized in fraud investigations left the internal audit team, the chief audit executive decided to outsource fraud investigations to a third-party service provider on an as-needed basis. Which of the following is most likely to be a disadvantage of this outsourcing decision?
For which of the following fraud engagement activities would it be most appropriate to involve a forensic auditor?
An organization's internal audit plan includes a recurring assurance review of the human resources (HR) department. Which of the following statements is true regarding preliminary communication between the auditor in charge (AIC) and the HR department?
1. The AIC should notify HR management when the draft audit plan is being developed, as a courtesy.
2. The AIC should notify HR management before the planning stage begins.
3. The AIC should schedule formal status meetings with HR management at the start of the engagement.
4. The AIC should finalize the scope of the engagement before communicating with HR management.
When forming an opinion on the adequacy of management's systems of internal control, which of the following findings would provide the most reliable assurance to the chief audit executive?
• During an audit of the hiring process in a law firm, it was discovered that potential employees' credentials were not always confirmed sufficiently. This process remained unchanged at the following audit.
• During an audit of the accounts payable department, auditors calculated that two percent of accounts were paid past due. This condition persisted at a follow-up audit.
• During an audit of the vehicle fleet of a rental agency, it was determined that at any given time, eight percent of the vehicles were not operational. During the next audit, this figure had increased.
• During an audit of the cash handling process in a casino, internal audit discovered control deficiencies in the transfer process between the slot machines and the cash counting area. It was corrected immediately.
Which of the following situations would justify the removal of a finding from the final audit report?
It is close to the fiscal year end for a government agency, and the chief audit executive (CAE) has the following items to submit to either the board or the chief executive officer (CEO) for approval. According to IIA guidance, which of the following items should be submitted only to the CEO?
Which of the following actions are appropriate for the chief audit executive to perform when identifying audit resource requirements?
1. Consider employees from other operational areas as audit resources, to provide additional audit coverage in the organization.
2. Approach an external service provider to conduct internal audits on certain areas of the organization, due to a lack of skills in the organization.
3. Suggest to the audit committee that an audit of technology be deferred until staff can be trained, due to limited IT audit skills among the audit staff.
4. Communicate to senior management a summary report on the status and adequacy of audit resources.
A large investment organization hired a chief risk officer (CRO) to be responsible for the organization's risk management processes. Which of the following people should prioritize risks to be used for the audit plan?
If observed during fieldwork by an internal auditor, which of the following activities is least important to communicate formally to the chief audit executive?
According to IIA guidance, which of the following is true about the supervising internal auditor's review notes?
• They are discussed with management prior to finalizing the audit.
• They may be discarded after working papers are amended as appropriate.
• They are created by the auditor to support her fieldwork in case of questions.
• They are not required to support observations issued in the audit report.
An internal auditor is assessing the organization's risk management framework. Which of the following formulas should he use to calculate the residual risk?
A)
B)
C)
D)
Which of the following components should be included in an audit finding?
1. The scope of the audit.
2. The standard(s) used by the auditor to make the evaluation.
3. The engagement's objectives.
4. The factual evidence that the internal auditor found in the course of the examination.
Which of the following is a justifiable reason for omitting advance client notice when planning an audit engagement?
While conducting an audit of a third party's Web-based payment processor, an internal auditor discovers that a programming error allows customers to create multiple accounts for a single mailing address. Management agrees to correct the program and notify customers with multiple accounts that the accounts will be consolidated. Which of the following actions should the auditor take?
1. Schedule a follow-up review to verify that the program was corrected and the accounts were consolidated.
2. Evaluate the adequacy and effectiveness of the corrective action proposed by management.
3. Amend the scope of the subsequent audit to verify that the program was corrected and that accounts were consolidated.
4. Submit management's plan of action to the external auditors for additional review.
An internal auditor notes that employees continue to violate segregation-of-duty controls in several areas of the finance department, despite previous audit recommendations. Which of the following recommendations is the most appropriate to address this concern?
According to IIA guidance, which of the following procedures would be least effective in managing the risk of payroll fraud?
Which of the following best illustrates the primary focus of a risk-based approach to control self-assessment?
An internal auditor and engagement client are deadlocked over the auditor's differing opinion with management on the adequacy of access controls for a major system. Which of the following strategies would be the most helpful in resolving this dispute?
According to IIA guidance, which of the following is ultimately responsible for seeing that the internal control system of an organization's social responsibility program is effective?
According to IIA guidance, which of the following statements is true regarding periodic internal assessments of the internal audit activity?
Which of the following professional development approaches would offer internal auditors the most opportunities to broaden their engagement experiences?