Since the Board of Regents of The Institute of Internal Auditors (IIA) initiated the
Certified Internal Auditor® (CIA®) program in December 1972, the CIA
examination has occasionally been revised to reflect changes in the profession
and changes in testing methodology.
Model Exam Questions 2004 reflects content changes due to the modifications to
the CIA syllabus effective with the May 2004 testing cycle. Model Exam
Questions 2004 includes only 100 questions per part, while beginning in
May 2004, the CIA exam will contain 125 questions per part. The 125
questions on the actual exam parts will include up to 25 unscored questions,
which will be used for research purposes. These unscored questions will be
interspersed with the scored questions and will not be identified as unscored
questions. Candidates should therefore answer all 125 questions to the best of
Model Exam Questions 2004 is intended as a means of familiarizing interested
parties with the content and format of the CIA exam. It is not meant to replace the
material supplied by any of the third-party providers of CIA exam review
materials. The questions in this publication, whether new or adapted from earlier
CIA exams, are simply representative of the format, length, and content of
questions that a CIA candidate can expect to see on future exams. A current or
future CIA exam candidate's success or failure in answering these questions
should not be taken as any form of guarantee of that candidate's results on an
actual CIA exam.
If there are any significant changes in the format or content of the CIA exam in
the future, the Certification Department will make those changes known through
our Web site (www.theiia.org) and/or through mailings to current CIA
For further information on the CIA program, please visit the “Certification”
heading on the Web site listed above, or contact The IIA’s Customer Service
Center for a brochure:
The Institute of Internal Auditors
Customer Service Center
247 Maitland Avenue
Altamonte Springs, Florida 32701-4201, USA
Part I: The Internal Audit Activity’s Role in Governance, Risk, and Control
Model Exam Questions ................................................................................... I - 1
Solutions (with cross-reference to topics tested) .......................................... I - 17
Part II: Conducting the Internal Audit Engagement
Model Exam Questions .................................................................................. II - 1
Solutions (with cross-reference to topics tested) ......................................... II - 17
Part III: Business Analysis and Information Technology
Model Exam Questions ................................................................................. III - 1
Solutions (with cross-reference to topics tested) ........................................ III - 13
Part IV: Business Management Skills
Model Exam Questions .................................................................................IV - 1
Solutions (with cross-reference to topics tested) ........................................IV - 13
Certified Internal Auditor (CIA)
The following pages provide detailed topic outlines for each part of the Certified Internal Auditor
(CIA) examination. Candidates are advised to plan their study based on the detailed topic
outlines, rather than limiting their study to those topics that appear on the enclosed Model Exam
The CIA examination tests knowledge of the specified topics at two levels of competency, as
Awareness – Candidate exhibits awareness of basic facts/terminology and an appreciation of
the broad nature and fundamentals of the topic being tested. Candidates are not expected to
have detailed knowledge of topics listed.
Proficiency – Candidate is able to exhibit the ability to apply specific knowlede to areas likely to
be encountered and to deal with these areas without extensive recourse to technical research
or assistance. Candidates are expected to demonstrate a thorough understanding of the
principles, practices, and procedures of the topic being tested.
The detailed topic outlines which follow note the required level of competency for each topic
Please note that the CIA exam tests The IIA’s Professional Practices Framework (PPF). The
PPF consists of three categories of guidance. The first category (Mandatory Guidance) consists
of core materials: the IIA Code of Ethics and the International Standards for the Professional
Practice of Internal Auditing (with the Glossary). These will be tested as mandatory. (Example:
Which of the following is required according to the Standards?) Guidance in the second
category (Practice Advisories) is strongly recommended and endorsed by The IIA but is not
mandatory. While the Practice Advisories are not mandatory, candidates are expected to know
them at the proficiency level. In responding to exam questions, candidates should note that
Practice Advisories will be treated as correct practices and will be accepted as the appropriate
method of performance. The third category of guidance (Development & Practice Aids) will not
be specifically tested as part of the PPF. However, some of these materials may be used as
references for exam questions on the topic areas that they cover.
PART I: THE INTERNAL AUDIT ACTIVITY'S ROLE IN
GOVERNANCE, RISK, AND CONTROL
A. Comply with The IIA’s Attribute Standards (15-25%) [Proficiency level]
1. Define purpose, authority, and responsibility of the internal audit activity
a. Determine if the purpose, authority, and responsibility of the internal audit activity are
clearly documented and approved.
b. Determine if the purpose, authority, and responsibility of the internal audit activity are
communicated to the engagement clients
c. Demonstrate an understanding of the purpose, authority, and responsibility of the internal
2. Maintain independence and objectivity
a. Foster independence
1) Understand organizational independence
2) Recognize the importance of organizational independence
3) Determine if the internal audit activity is properly aligned to achieve organizational
b. Foster objectivity
1) Establish policies to promote objectivity
2) Assess individual objectivity
3) Maintain individual objectivity
4) Recognize and mitigate impairments to independence and objectivity
3. Determine if the required knowledge, skills, and competencies are available
a. Understand the knowledge, skills, and competencies that an internal auditor needs to
b. Identify the knowledge, skills, and competencies required to fulfill the responsibilities of the
internal audit activity
4. Develop and/or procure the necessary knowledge, skills, and competencies collectively required
by the internal audit activity
5. Exercise due professional care
6. Promote continuing professional development
a. Develop and implement a plan for continuing professional development for internal audit
b. Enhance individual competency through continuing professional development
7. Promote quality assurance and improvement of the internal audit activity
a. Establish and maintain a quality assurance and improvement program
b. Monitor the effectiveness of the quality assurance and improvement program
c. Report the results of the quality assurance and improvement program to the board or other
d. Conduct quality assurance procedures and recommend improvements to the performance
of the internal audit activity
8. Abide by and promote compliance with The IIA Code of Ethics.
B. Establish a Risk-based Plan to Determine the Priorities of the Internal Audit Activity (15-25%)
1. Establish a framework for assessing risk
2. Use the framework to:
a. Identify sources of potential engagements (e.g., audit universe, management request,
b. Assess organization-wide risk
c. Solicit potential engagement topics from various sources
d. Collect and analyze data on proposed engagements
e. Rank and validate risk priorities
3. Identify internal audit resource requirements
4. Coordinate the internal audit activity’s efforts with:
a. External auditor
b. Regulatory oversight bodies
c. Other internal assurance functions (e.g., health and safety department)
5. Select engagements
a. Participate in the engagement selection process
b. Select engagements
c. Communicate and obtain approval of the engagement plan from board
C. Understand the Internal Audit Activity’s Role in Organizational Governance (10-20%)
1. Obtain board’s approval of audit charter
2. Communicate plan of engagements
3. Report significant audit issues
4. Communicate key performance indicators to board on a regular basis
5. Discuss areas of significant risk
6. Support board in enterprise-wide risk assessment
7. Review the positioning of the internal audit function within the risk management framework
within the organization.
8. Monitor compliance with the corporate code of conduct/business practices
9. Report on the effectiveness of the control framework
10. Assist board in assessing the independence of the external auditor
11. Assess ethical climate of the board
12. Assess ethical climate of the organization
13. Assess compliance with policies in specific areas (e.g., derivatives)
14. Assess organization’s reporting mechanism to the board
15. Conduct follow-up and report on management response to regulatory body reviews
16. Conduct follow-up and report on management response to external audit
17. Assess the adequacy of the performance measurement system, achievement of corporate
18. Support a culture of fraud awareness and encourage the reporting of improprieties
D. Perform Other Internal Audit Roles and Responsibilities (0-10%) [Proficiency level]
a. Investigate and recommend resolution for ethics/compliance complaints
b. Determine disposition of ethics violations
c. Foster healthy ethical climate
d. Maintain and administer business conduct policy (e.g., conflict of interest)
e. Report on compliance
2. Risk Management
a. Develop and implement an organization-wide risk and control framework
b. Coordinate enterprise-wide risk assessment
c. Report corporate risk assessment to board
d. Review business continuity planning process
a. Determine privacy vulnerabilities
b. Report on compliance
4. Information or physical security
a. Determine security vulnerabilities
b. Determine disposition of security violations
c. Report on compliance
E. Governance, Risk, and Control Knowledge Elements ( 15-25%)
1. Corporate governance principles [Awareness level]
2. Alternative control frameworks [Awareness level]
3. Risk vocabulary and concepts [Proficiency level]
4. Risk management techniques [Proficiency level]
5. Risk/control implications of different organizational structures [Proficiency level]
6. Risk/control implications of different leadership styles [Awareness level]
7. Change management [Awareness level]
8. Conflict management [Awareness level]
9. Management control techniques [Proficiency level]
10. Types of control (e.g., preventive, detective, input, output) [Proficiency level]
F. Plan Engagements (15-25%) [Proficiency level]
1. Initiate preliminary communication with engagement client
2. Conduct a preliminary survey of the area of engagement
a. Obtain input from engagement client
b. Perform analytical reviews
c. Perform benchmarking
d. Conduct interviews
e. Review prior audit reports and other relevant documentation
f. Map processes
g. Develop checklists
3. Complete a detailed risk assessment of area (prioritize or evaluate risk/control factors)
4. Coordinate audit engagement efforts with
a. External auditor
b. Regulatory oversight bodies
5. Establish/refine engagement objectives and identify/finalize the scope of engagement
6. Identify or develop criteria for assurance engagements (criteria against which to audit)
7. Consider the potential for fraud when planning an engagement
a. Be knowledgeable of the risk factors and red flags of fraud
b. Identify common types of fraud associated with the engagement area.
c. Determine if risk of fraud requires special consideration when conducting an engagement
8. Determine engagement procedures
9. Determine the level of staff and resources needed for the engagement.
10. Establish adequate planning and supervision of the engagement.
11. Prepare engagement work program
Format: 125 multiple-choice questions
PART II: CONDUCTING THE INTERNAL AUDIT ENGAGEMENT
A. Conduct Engagements (25-35%) [Proficiency level]
1. Research and apply appropriate standards:
a. IIA Professional Practices Framework (Code of Ethics, Standards, Practice Advisories)
b. Other professional, legal, and regulatory standards
2. Maintain an awareness of the potential for fraud when conducting an engagement
a. Notice indicators or symptoms of fraud
b. Design appropriate engagement steps to address significant risk of fraud
c. Employ audit tests to detect fraud
d. Determine if any suspected fraud merits investigation
3. Collect data
4. Evaluate the relevance, sufficiency and competence of evidence
5. Analyze and interpret data
6. Develop workpapers
7. Review workpapers
8. Communicate interim progress
9. Draw conclusions
10. Develop recommendations when appropriate
11. Report engagement results
a. Conduct exit conference
b. Prepare report or other communication
c. Approve engagement report
d. Determine distribution of report
e. Obtain management response to report
12. Conduct client satisfaction survey
13. Complete performance appraisals of engagement staff
B. Conduct Specific Engagements (25-35%) [Proficiency level]
1. Conduct assurance engagements
a. Fraud investigation
1) Determine appropriate parties to be involved with investigation
2) Establish facts and extent of fraud (e.g., interviews, interrogations, and data analysis)
3) Report outcomes to appropriate parties
4) Complete a process review to improve controls to prevent fraud and recommend
b. Risk and control self-assessment
1) Facilitated approach
2) Questionnaire approach
3) Self-certification approach
c. Audits of third parties and contract auditing
d. Quality audit engagements
e. Due diligence audit engagements
f. Security audit engagements
g. Privacy audit engagements
h. Performance (key performance indicators) audit engagements
i. Operational (efficiency and effectiveness) audit engagements
j. Financial audit engagements
k. Information technology (IT) audit engagements
1) Operating systems
2) Application development
a) Application authentication
b) Systems development methodology
c) Change control
d) End user computing
3) Data and network communications/connections (e.g., LAN, VAN, and WAN)
4) Voice communications
5) System security (e.g., firewalls, access control)
6) Contingency planning
8) Functional areas of IT operations (e.g., data center operations)
9) Web infrastructure
10) Software licensing
11) Electronic funds transfer (EFT)/Electronic data interchange (EDI)
13) Information protection/viruses
15) Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)
l. Compliance audit engagements
2. Conduct consulting engagements
a. Internal control training
b. Business process review
d. Information technology (IT) and systems development.
e. Design of performance measurement systems
C. Monitor Engagement Outcomes (5-15%) [Proficiency level]
1. Determine appropriate follow-up activity by the internal audit activity
2. Identify appropriate method to monitor engagement outcomes
3. Conduct follow-up activity
4. Communicate monitoring plan and results
D. Fraud Knowledge Elements (5-15%)
1. Discovery sampling [Awareness level]
2. Interrogation techniques [Awareness level]
3. Forensic auditing [Awareness level]
4. Use of computers in analyzing data [Proficiency level]
5. Red flags [Proficiency level]
6. Types of fraud [Proficiency level]
E. Engagement Tools (15-25%)
1. Sampling [Awareness level]
a. Nonstatistical (judgmental)
2. Statistical analyses (process control techniques) [Awareness level]
3. Data gathering tools [Proficiency level]
4. Analytical review techniques [Proficiency level]
a. Ratio estimation
b. Variance analysis (e.g., budget vs. actual)
c. Other reasonableness tests
5. Observation [Proficiency level]
6. Problem solving [Proficiency level]
7. Risk and control self-assessment (CSA) [Awareness level]
8. Computerized audit tools and techniques [Proficiency level]
a. Embedded audit modules
b. Data extraction techniques
c. Generalized audit software (e.g., ACL, IDEA)
d. Spreadsheet analysis
e. Automated workpapers (e.g., Lotus Notes, Auditor Assistant)
9. Process mapping including flowcharting [Proficiency level]
Format: 125 multiple-choice questions
PART III: BUSINESS ANALYSIS AND INFORMATION TECHNOLOGY
A. Business Processes (15-25%)
1. Quality management (e.g., TQM) [Awareness level]
2. The International Organization for Standardization (ISO) framework [Awareness level]
3. Forecasting [Awareness level]
4. Project management techniques [Proficiency level]
5. Business process analysis (e.g., workflow analysis and bottleneck management, theory of
constraints) [Proficiency level]
6. Inventory management techniques and concepts [Proficiency level]
7. Marketing- pricing objectives and policies [Awareness level]
8. Marketing- supply chain management [Awareness level]
9 Human Resources (Individual performance management and measurement; supervision;
environmental factors that affect performance; facilitation techniques; personnel
sourcing/staffing; training and development; safety) [Proficiency level]
10. Balanced scorecard [Awareness level]
B. Financial Accounting and Finance (15-25%)
1. Basic concepts and underlying principles of financial accounting (e.g., statements, terminology,
relationships) [Proficiency level]
2. Intermediate concepts of financial accounting (e.g., bonds, leases, pensions, intangible assets,
R&D) [Awareness level]
3. Advanced concepts of financial accounting (e.g., consolidation, partnerships, foreign currency
transactions) [Awareness level]
4. Financial statement analysis [Proficiency level]
5. Cost of capital evaluation [Awareness level]
6. Types of debt and equity [Awareness level]
7. Financial instruments (e.g., derivatives) [Awareness level]
8. Cash management (treasury functions) [Awareness level]
9. Valuation models [Awareness level]
a. Inventory valuation
b. Business valuation
10. Business development life cycles [Awareness level]
C. Managerial Accounting (10-20%)
1. Cost concepts (e.g., absorption, variable, fixed) [Proficiency level]
2. Capital budgeting [Awareness level]
3. Operating budget [Proficiency level]
4. Transfer pricing [Awareness level]
5. Cost-volume-profit analysis [Awareness level]
6. Relevant cost [Awareness level]
7. Costing systems (e.g., activity-based, standard) [Awareness level]
8. Responsibility accounting [Awareness level]
D. Regulatory, Legal, and Economics ( 5-15%) [Awareness level]
1. Impact of government legislation and regulation on business
2. Trade legislation and regulations
3. Taxation schemes
5. Nature and rules of legal evidence
6. Key economic indicators
E. Information Technology (IT) (30-40%) [Awareness level]
1. Control frameworks (e.g., SAC, COBIT)
2. Data and network communications/connections (e.g., LAN , VAN, and WAN)
3. Electronic funds transfer (EFT)
5. Electronic data interchange (EDI)
6. Functional areas of IT operations (e.g., data center operations)
8. Information protection (e.g., viruses, privacy)
9. Evaluate investment in IT (cost of ownership)
10. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)
11. Operating systems
12. Application development
13. Voice communications
14. Contingency planning
15. Systems security (e.g., firewalls, access control)
17. Software licensing
18. Web infrastructure
Format: 125 multiple-choice questions
PART IV: BUSINESS MANAGEMENT SKILLS
A. Strategic Management (20-30%) [Awareness level]
1. Global analytical techniques
a. Structural analysis of industries
b. Competitive strategies (e.g., Porter's model)
c. Competitive analysis
d. Market signals
e. Industry evolution
2. Industry environments
a. Competitive strategies related to:
1) Fragmented industries
2) Emerging industries
3) Declining industries
b. Competition in global industries
2) Evolution of global markets
3) Strategic alternatives
4) Trends affecting competition
3. Strategic decisions
a. Analysis of integration strategies
b. Capacity expansion
c. Entry into new businesses
4. Portfolio techniques of competitive analysis
5. Product life cycles
B. Global Business Environments (15-25%) [Awareness level]
1. Cultural/legal/political environments
a. Balancing global requirements and local imperatives
b. Global mindsets (personal characteristics/competencies)
c. Sources and methods for managing complexities and contradictions
d. Managing multicultural teams
2. Economic/financial environments
a. Global, multinational, international, and multilocal compared and contrasted
b. Requirements for entering the global market place
c. Creating organizational adaptability
d. Managing training and development.
C. Organizational Behavior (15-25%) [Awareness level]
a. Relevance and implication of various theories
b. Impact of job design, rewards, work schedules, etc.
a. The process
b. Organizational dynamics
c. Impact of computerization
c. New configurations (e.g., hourglass, cluster, network)
D. Management Skills (20-30%) [Awareness level]
1. Group dynamics
a. Traits (e.g., cohesiveness, roles, norms, groupthink)
b. Stages of group development
c. Organizational politics
d. Criteria and determinants of effectiveness
2. Team building
a. Methods used in team building
b. Assessing team performance
3. Leadership skills
a. Theories compared and contrasted
b. Leadership grid (topology of leadership styles)
4. Personal time management
E. Negotiating (5-15%) [Awareness level]
1. Conflict resolution
b. Compromise, forcing, smoothing, etc.
2. Added-value negotiating
b. Specific steps
Format: 125 multiple-choice questions
Certified Internal Auditor (CIA)
Model Exam Questions
Part I - The Internal Audit Activity's Role
in Governance, Risk, and Control
Part I Model Exam Questions: 100
Questions on actual CIA Exam Part I: 125
(see explanation in “Foreword” on page iii)
Time allowed for completion of CIA Exam Part I: 210 minutes
Instructions such as those that follow will be listed on the cover
of each CIA examination. Please read them carefully.
1. Place your candidate number on the 4. All references to the Professional Practices
answer sheet in the space provided. Framework refer to The IIA’s Professional
2. Do not place extraneous marks on the Practices Framework, which includes the
answer sheet. Standards and the Practice Advisories. All
3. Be certain that changes to answers are references to Standards refer to the
completely erased. International Standards for the Professional
Practice of Internal Auditing outlined in The
IIA’s Professional Practices Framework.
Failure to follow these instructions and the
"Instructions to Candidates" guidelines could adversely
affect both your right to receive the results of this examination
and your future participation in the Certified Internal Auditor program.
All papers submitted in completion of any part of this
examination become the sole property of The Institute of Internal Auditors, Inc.
Candidates may not disclose the contents of this exam unless expressly authorized
by the Certification Department.
1. Which of the following is not true with regard 6. Which of the following actions would be a
to the internal audit charter? violation of auditor independence?
a. It defines the authorities and a. Continuing on an audit assignment at a
responsibilities for the internal audit division for which the auditor will soon be
activity. responsible as the result of a promotion.
b. It specifies the minimum resources b. Reducing the scope of an engagement
needed for the internal audit activity. due to budget restrictions.
c. It provides a basis for evaluating the c. Participating on a task force which
internal audit activity. recommends standards of control for a
d. It should be approved by senior new distribution system.
management and the board. d. Reviewing a purchasing agent's contract
drafts prior to their execution.
2. Which engagement-planning tool is general in
nature and is used to ensure adequate audit 7. As part of a company-sponsored award
coverage over time? program, an internal auditor was offered an
a. The long-range schedule. award of significant monetary value by a
b. The engagement program. division in recognition of the cost savings that
c. The audit activity’s budget. resulted from the auditor's recommendations.
d. The audit activity’s charter. According to the Professional Practices
Framework, what is the most appropriate
3. The function of internal auditing, as related to action for the auditor to take?
internal financial reports, would be to: a. Accept the gift since the engagement is
a. Ensure compliance with reporting already concluded and the report issued.
procedures. b. Accept the award under the condition that
b. Review the expenditure items and match any proceeds go to charity.
each item with the expenses incurred. c. Inform audit management and ask for
c. Determine if there are any employees direction on whether to accept the gift.
expending funds without authorization. d. Decline the gift and advise the division
d. Identify inadequate controls that increase manager's superior.
the likelihood of unauthorized
expenditures. 8. In which of the following situations would an
auditor potentially lack objectivity?
4. Audit committees are most likely to participate a. An auditor reviews the procedures for a
in the approval of: new electronic data interchange
a. Audit staff promotions and salary connection to a major customer before it
increases. is implemented.
b. The internal audit report observations and b. A former purchasing assistant performs a
recommendations. review of internal controls over
c. Audit work schedules. purchasing four months after being
d. The appointment of the chief audit transferred to the internal audit activity.
executive. c. An auditor recommends standards of
control and performance measures for a
5. According to the Professional Practices contract with a service organization for
Framework, the independence of the internal the processing of payroll and employee
audit activity is achieved through: benefits.
a. Staffing and supervision. d. A payroll accounting employee assists an
b. Continuing professional development and auditor in verifying the physical inventory
due professional care. of small motors.
c. Human relations and communications.
d. Organizational status and objectivity.
9. A CIA, working as the director of purchasing, 12. A chief audit executive (CAE) has been
signs a contract to procure a large order from requested by the audit committee to conduct
the supplier with the best price, quality, and an engagement at a chemical factory as soon
performance. Shortly after signing the as possible. The engagement will include
contract, the supplier presents the CIA with a reviews of health, safety, and environmental
gift of significant monetary value. Which of the (HSE) management and processes. The CAE
following statements regarding the acceptance knows that the internal audit activity does not
of the gift is correct? possess the HSE knowledge necessary to
a. Acceptance of the gift would be prohibited conduct such an engagement. The CAE
only if it were non-customary. should:
b. Acceptance of the gift would violate the a. Begin the engagement and incorporate
IIA Code of Ethics and would be HSE training into next year’s planning to
prohibited for a CIA. prepare for a follow-up engagement.
c. Since the CIA is not acting as an internal b. Suggest to the audit committee that the
auditor, acceptance of the gift would be factory’s own HSE staff conduct the
governed only by the organization’s code engagement.
of conduct. c. Seek permission from the audit committee
d. Since the contract was signed before the to obtain appropriate support from an
gift was offered, acceptance of the gift HSE professional.
would not violate either the IIA Code of d. Defer the engagement and tell the audit
Ethics or the organization’s code of committee that it will take several months
conduct. to train internal audit staff for such an
10. An internal auditor assigned to audit a
vendor’s compliance with product quality 13. To ensure that due professional care has been
standards is the brother of the vendor’s taken at all times during an engagement, the
controller. The auditor should: internal auditor should always:
a. Accept the assignment, but avoid contact a. Ensure that all financial information
with the controller during fieldwork. related to the audit is included in the audit
b. Accept the assignment, but disclose the plan and examined for nonconformance
relationship in the engagement final or irregularities.
communication. b. Ensure that all audit tests are fully
c. Notify the vendor of the potential conflict documented.
of interest. c. Consider the possibility of
d. Notify the chief audit executive of the nonconformance or irregularities at all
potential conflict of interest. times during an engagement.
d. Communicate any noncompliance or
11. The Standards require that internal auditors irregularity discovered during an
possess which of the following skills? engagement promptly to the audit
I. Internal auditors should understand
human relations and be skilled in dealing 14. In an assurance engagement of treasury
with people. operations, an internal auditor is required to
II. Internal auditors should be able to consider all of the following issues except:
recognize and evaluate the materiality a. The audit committee has requested
and significance of deviations from good assurance on the treasury department’s
business practices. compliance with a new policy on use of
III. Internal auditors should be experts on financial instruments.
subjects such as economics, commercial b. Treasury management has not instituted
law, taxation, finance, and information any risk management policies.
technology. c. Due to the recent sale of a division, the
IV. Internal auditors should be skilled in oral amount of cash and marketable securities
and written communication. managed by the treasury department has
increased by 350 percent.
a. II only. d. The external auditors have indicated
b. I and III only. some difficulties in obtaining account
c. III and IV only. confirmations.
d. I, II, and IV only.
15. To promote a positive image within an 17. An auditor, nearly finished with an
organization, a chief audit executive (CAE) engagement, discovers that the director of
planned to conduct assurance engagements marketing has a gambling habit. The gambling
that highlighted potential costs to be saved. issue is not directly related to the existing
Negative observations were to be omitted from engagement and there is pressure to complete
engagement final communications. Which the current engagement. The auditor notes the
action taken by the CAE would be considered problem and forwards the information to the
a violation of the Standards? chief audit executive but performs no further
follow-up. The auditor’s actions would:
I. The focus of the audit engagements was a. Be in violation of the IIA Code of Ethics
changed without modifying the charter or for withholding meaningful information.
consulting the audit committee. b. Be in violation of the Standards because
II. Negative observations were omitted from the auditor did not properly follow up on a
the engagement final communications. red flag that might indicate the existence
III. Cost savings recommendations were of fraud.
highlighted in the engagement final c. Not be in violation of either the IIA Code
communications. of Ethics or Standards.
d. Both a and b.
a. I only.
b. I and II only. 18. In selecting an instructional strategy for
c. I and III only. developing internal audit staff, a chief audit
d. II and III only. executive should begin by reviewing:
a. Organizational objectives.
16. A chief audit executive (CAE) for a very small b. Learning content.
internal audit department has just received a c. Learners’ readiness.
request from management to perform an audit d. Budget constraints.
of an extremely complex area in which the
CAE and the department have no expertise. 19. Which of the following activities are designed
The nature of the audit engagement is within to provide feedback on the effectiveness of an
the scope of internal audit activities. internal audit function?
Management has expressed a desire to have
the engagement conducted in the very near I. Proper supervision.
future because of the high level of risk II. Proper training.
involved. Which of the following responses by III. Internal assessments.
the CAE would be in violation of the IV. External assessments.
a. Discuss with management the possibility a. I, II, and III only.
of outsourcing the audit of this complex b. I, II, and IV only.
area. c. I, III, and IV only.
b. Add an outside consultant to the audit d. II, III, and IV only.
staff to assist in the performance of the
audit engagement. 20. The most important reason for the chief audit
c. Accept the audit engagement and begin executive to ensure that the internal audit
immediately, since it is a high-risk area. department has adequate and sufficient
d. Discuss the timeline of the audit resources is to:
engagement with management to a. Ensure that the function is adequately
determine if sufficient time exists in which protected from outsourcing.
to develop appropriate expertise. b. Demonstrate sufficient capability to meet
the audit plan requirements.
c. Establish credibility with the audit
committee and management.
d. Fulfill the need for effective succession
21. Which of the following is part of an internal 24. A chief audit executive is reviewing the
audit activity’s quality assurance program, following enterprise-wide risk map:
rather than being included as part of other
responsibilities of the chief audit executive LIKELIHOOD
(CAE)? Remote Possible Likely
a. The CAE provides information about and Critical Risk A Risk B
access to internal audit workpapers to the Major Risk D
external auditors to enable them to Minor Risk C
understand and determine the degree to
which they may rely on the internal Which of the following is the correct
auditors' work. prioritization of risks, considering limited
b. Management approves a formal charter resources in the internal audit activity?
establishing the purpose, authority, and a. Risk B, Risk C, Risk A, Risk D.
responsibility of the internal audit activity. b. Risk A, Risk B, Risk C, Risk D.
c. Each individual internal auditor's c. Risk D, Risk B, Risk C, Risk A.
performance is appraised at least d. Risk B, Risk C, Risk D, Risk A.
d. Supervision of an internal auditor's work 25. Which of the following represents the best risk
is performed throughout each audit assessment technique?
engagement. a. Assessment of the risk levels for future
events based on the extent of uncertainty
22. A chief audit executive (CAE) uses a risk of those events and their impact on
assessment model to establish the annual achievement of long-term organizational
audit plan. Which of the following would be an goals.
appropriate action by the CAE? b. Assessment of inherent and control risks
and their impact on the extent of financial
I. Maintain ongoing dialogue with misstatements.
management and the audit committee. c. Assessment of the risk levels of current
II. Ensure that the schedule of audit priorities and future events, their effect on
remains unchanged. achievement of the organization’s
III. Employ only quantitative methods to objectives, and their underlying causes.
determine risk weightings. d. Assessment of the risk levels of current
IV. Revise the risk assessment and audit and future events, their impact on the
priorities as warranted. organization’s mission, and the potential
for elimination of existing or possible risk
a. III only. factors.
b. I and II only.
c. I and IV only. 26. Which of the following is the best reason for
d. III and IV only. the chief audit executive to consider the
strategic plan in developing the annual audit
23. When a risk assessment process has been plan?
used to construct an audit engagement a. To ensure that the internal audit plan
schedule, which of the following should receive supports the overall business objectives.
attention first? b. To ensure that the internal audit plan will
a. The external auditors have requested be approved by senior management.
assistance for their upcoming annual c. To make recommendations to improve
audit. the strategic plan.
b. A new accounts payable system is d. To emphasize the importance of the
currently undergoing testing by the internal audit function.
information technology department.
c. Management has requested an 27. In assessing organizational risk in a
investigation of possible lapping in manufacturing environment, which of the
receivables. following would have the most long-range
d. The existing accounts payable system impact on the organization?
has not been audited over the past year. a. Production scheduling.
b. Inventory policy.
c. Product quality.
d. Advertising budget.
28. When assessing the risk associated with an 31. If a department outside of the internal audit
activity, an internal auditor should: activity is responsible for reviewing a function
a. Determine how the risk should best be or process, the internal auditors should:
managed. a. Consider the work of the other
b. Provide assurance on the management of department when assessing the function
the risk. or process.
c. Update the risk management process b. Ignore the work of the other department
based on risk exposures. and proceed with an independent audit.
d. Design controls to mitigate the identified c. Reduce the scope of the audit since the
risks. work has already been performed by the
Use the following information to answer d. Yield the responsibility for assessing the
questions 29 through 30. function or process to the other
During the planning phase, a chief audit department.
executive (CAE) is evaluating four audit
engagements based on the following factors: the 32. Who has primary responsibility for providing
engagement’s ability to reduce risk to the information to the audit committee on the
organization, the engagement’s ability to save the professional and organizational benefits of
organization money, and the extent of change in coordinating internal audit assurance and
the area since the last engagement. The CAE has consulting activities with other assurance and
scored the engagements for each factor from low to consulting activities?
high, assigned points, and calculated an overall a. The external auditor.
ranking. The results are shown below with the b. The chief audit executive.
points in parenthesis: c. The chief executive officer.
d. Each assurance and consulting function.
Audit Reduction Savings Changes 33. Using the internal audit department to
1 High (3) Medium (2) Low (1) coordinate regulatory examiners’ efforts is
2 High (3) Low (1) High (3) beneficial to the organization because internal
3 Low (1) High (3) Medium (2) auditors can:
4 Medium (2) Medium (2) High (3) a. Influence the regulatory examiners’
interpretation of law to match corporate
29. Which audit engagements should the CAE practice.
pursue if all factors are weighed equally? b. Recommend changes in scope to limit
a. 1 and 2 only. bias by the regulatory examiners.
b. 1 and 3 only. c. Perform fieldwork for the regulatory
c. 2 and 4 only. examiners and thus reduce the amount of
d. 3 and 4 only. time regulatory examiners are on-site.
d. Supply evidence of adequate compliance
testing through internal audit workpapers
30. If the organization has asked the CAE to
consider the cost savings factor to be twice as
important as any other factor, which
engagements should the CAE pursue? 34. A chief audit executive would most likely use
a. 1 and 2 only. risk assessment for audit planning because it
b. 1 and 3 only. provides:
c. 2 and 4 only. a. A systematic process for assessing and
d. 3 and 4 only. integrating professional judgment about
probable adverse conditions.
b. A listing of potentially adverse effects on
c. A list of auditable activities in the
d. The probability that an event or action
may adversely affect the organization.
35. In deciding whether to schedule the 38. The internal audit activity has recently
purchasing or the personnel department for an experienced the departure of two internal
audit engagement, which of the following auditors who cannot be immediately replaced
would be the least important factor? due to budget constraints. Which of the
a. There have been major changes in following is the least desirable option for
operations in one of the departments. efficiently completing future engagements,
b. The audit staff has recently added an given this reduction in resources?
individual with expertise in one of the a. Using self-assessment questionnaires to
areas. address audit objectives.
c. There are more opportunities to achieve b. Employing information technology in audit
operating benefits in one of the planning, sampling, and documentation.
departments than in the other. c. Eliminating consulting engagements from
d. The potential for loss is significantly the engagement work schedule.
greater in one department than in the d. Filling vacancies with personnel from
other. operating departments that are not being
36. The internal audit activity of a large
corporation has established its operating plan 39. If the annual audit plan does not allow for
and budget for the coming year. The operating adequate review of compliance with all
plan is restricted to the following categories: a material regulations affecting the company, the
prioritized listing of all engagements, staffing, internal audit activity should:
a detailed expense budget, and the a. Ensure that the board of directors and
commencement date of each engagement. senior management are aware of the
Which of the following best describes the limitation.
major deficiency of this operating plan? b. Include a memo with the audit planning
a. Requests by management for special file listing the reasons for the lack of
projects are not considered. coverage.
b. Opportunities to achieve operating c. Document that regulations not included
benefits are ignored. will be reviewed in the subsequent year.
c. Measurability criteria and targeted dates d. Decrease the scope of operational and
of completion are not provided. financial audits to make additional audit
d. Knowledge, skills, and disciplines time available.
required to perform work are ignored.
40. Which of the following comments is correct
37. To improve audit efficiency, internal auditors regarding the assessment of risk associated
can rely upon the work of external auditors with two projects that are competing for limited
that is: audit resources?
a. Performed after the internal audit
engagement. I. Activities that are requested by the audit
b. Primarily concerned with operational committee should always be considered
objectives and activities. higher risk than those requested by
c. Coordinated with internal audit activity. management.
d. Conducted in accordance with the IIA II. Activities with higher dollar budgets
Code of Ethics. should always be considered higher risk
than those with lower dollar budgets.
III. Risk should always be measured by the
potential dollar or adverse exposure to the
a. I only.
b. II only.
c. III only.
d. I and III only.
41. Which of the following activities undertaken by 45. Which of the following represents the best
the internal auditor might be in conflict with the governance structure?
standard of independence? Operating Executive Internal
a. Risk management consultant. Management Management Auditing
b. Product development team leader. a. Responsibility Oversight Advisory
c. Ethics advocate. for risk role role
d. External audit liaison. b. Oversight Responsibility Advisory
role for risk role
42. The internal audit activity should contribute to c. Responsibility Advisory Oversight
the organization’s governance process by for risk role role
evaluating the processes through which: d. Oversight Advisory Responsibility
role role for risk
I. Ethics and values are promoted.
II. Effective organizational performance 46. Which of the following is not a responsibility of
management and accountability are the chief audit executive?
ensured. a. To communicate the internal audit
III. Risk and control information is activity’s plans and resource
communicated. requirements to senior management and
IV. Activities of the external and internal the board for review and approval.
auditors and management are b. To coordinate with other internal and
coordinated. external providers of audit and consulting
services to ensure proper coverage and
a. I only. minimize duplication.
b. IV only. c. To oversee the establishment,
c. II and III only. administration, and assessment of the
d. I, II, III, and IV. organization’s system of risk management
43. In a well-developed management environment, d. To follow up on whether appropriate
the internal audit activity would: management actions have been taken on
a. Report the results of an audit engagement significant reported risks.
to line management as well as to senior
management. 47. Which statement most accurately describes
b. Conduct initial audits of new computer how criteria are established for use by internal
systems after they have begun operating. auditors in determining whether goals and
c. Interface primarily with senior objectives have been accomplished?
management, minimizing interactions with a. Management is responsible for
line managers who are the subjects of establishing the criteria.
internal audit work. b. Internal auditors should use professional
d. Focus primarily on asset management standards or government regulations to
and report results to the audit committee. establish the criteria.
c. The industry in which a company
44. Which of the following best describes an operates establishes criteria for each
internal auditor's purpose in reviewing the member company through benchmarks
organization’s existing risk management, and best practices for that industry.
control, and governance processes? d. Appropriate accounting or auditing
a. To help determine the nature, timing, and standards, including international
extent of tests necessary to achieve standards, should be used as the criteria.
b. To ensure that weaknesses in the internal 48. Which of the following is not a role of the
control system are corrected. internal audit activity in best practice
c. To provide reasonable assurance that the governance activities?
processes will enable the organization's a. Support the board in enterprise-wide risk
objectives and goals to be met efficiently assessment.
and economically. b. Ensure the timely implementation of audit
d. To determine whether the processes recommendations.
ensure that the accounting records are c. Monitor compliance with the corporate
correct and that financial statements are code of conduct.
fairly stated. d. Discuss areas of significant risks.
49. Assessments of the independence of an 52. Management and the board of directors are
organization’s external auditors should: responsible for following up on observations
a. Be carried out only when the external and recommendations made by the external
auditor is appointed. auditors. What role, if any, should the internal
b. Not include any participation by the audit activity have in this process?
internal audit activity. a. The internal audit activity should have no
c. Include the internal audit activity only role in this process in order to ensure
when the external auditor is appointed. independence.
d. Include the internal audit activity at the b. The internal audit activity should only
time of appointment and regularly become involved if the chief audit
thereafter. executive has sufficient evidence that the
follow-up is not occurring.
50. During a review of contracts, a chief audit c. The internal audit activity should establish
executive (CAE) suspects that a supplier was a monitoring process to review the
given an unfair advantage in bidding on a adequacy and effectiveness of
contract. After learning that the chief executive management’s follow-up actions.
officer (CEO) of the company is a member of d. The internal audit activity should become
the supplier's board of directors, how should involved only if specifically requested by
the CAE proceed? management or the board of directors.
a. Submit a draft report to senior
management, excluding the CEO. 53. The primary reason that a bank would
b. Contact the organization's external maintain a separate compliance function is to:
auditors for assistance. a. Better manage perceived high risks.
c. Obtain supporting documentation and b. Strengthen controls over the bank’s
present the finding to the chairperson of investments.
the audit committee. c. Ensure the independence of line and
d. Immediately notify the board of directors. senior management.
d. Better respond to shareholder
51. Company A has a formal corporate code of expectations.
ethics while company B does not. The code of
ethics covers such things as purchase 54. The function of the chief risk officer (CRO) is
agreements and relationships with vendors as most effective when the CRO:
well as many other issues to guide individual a. Manages risk as a member of senior
behavior within the company. Which of the management.
following statements can be logically inferred? b. Shares the management of risk with line
I. Company A exhibits a higher standard of c. Shares the management of risk with the
ethical behavior than does company B. chief audit executive.
II. Company A has established objective d. Monitors risk as part of the enterprise risk
criteria by which an employee’s actions management team.
can be evaluated.
III. The absence of a formal corporate code 55. To minimize potential financial losses
of ethics in company B would prevent a associated with physical assets, the assets
successful audit of ethical behavior in that should be insured in an amount that is:
company. a. Supported by periodic appraisals.
b. Determined by the board of directors.
a. II only. c. Automatically adjusted by an economic
b. III only. indicator such as the consumer price
c. I and II only. index.
d. II and III only. d. Equal to the book value of the individual
56. Which of the following statements is correct 60. What is residual risk?
regarding corporate compensation systems a. Impact of risk.
and related bonuses? b. Risk that is under control.
c. Risk that is not managed.
I. A bonus system should be considered d. Underlying risk in the environment.
part of the control environment of an
organization and should be considered in Use the following information to answer
formulating a report on internal control. questions 61 through 62.
II. Compensation systems are not part of an The marketing department for a major retailer
organization's control system and should assigns separate product managers for each
not be reported as such. product line. Product managers are responsible for
III. An audit of an organization’s ordering products and determining retail pricing.
compensation system should be Each product manager’s purchasing budget is set
performed independently of an audit of by the marketing manager. Products are delivered
the control system over other functions to a central distribution center where goods are
that impact corporate bonuses. segregated for distribution to the company’s 52
department stores. Because receipts are recorded
a. I only. at the distribution center, the company does not
b. II only. maintain a receiving function at each store. Product
c. III only. managers are evaluated on a combination of sales
d. II and III only. and gross profit generated from their product lines.
Many products are seasonal and individual store
57. Which of the following statements regarding managers can require that seasonal products be
corporate governance is not correct? removed to make space for the next season's
a. Corporate control mechanisms include products.
internal and external mechanisms.
b. The compensation scheme for 61. Which of the following is a control deficiency in
management is part of the corporate this situation?
control mechanisms. a. The store manager can require items to
c. The dilution of shareholders’ wealth be removed, thus affecting the potential
resulting from employee stock options or performance evaluation of individual
employee stock bonuses is an accounting product managers.
issue rather than a corporate governance b. The product manager negotiates the
issue. purchase price and sets the selling price.
d. The internal auditor of a company has c. Evaluating product managers by total
more responsibility than the board for the gross profit generated by product line will
company’s corporate governance. lead to dysfunctional behavior.
d. There is no receiving function located at
58. The activity of trading futures with the objective individual stores.
of reducing or controlling risk is called:
a. Insuring. 62. Requests for purchases beyond those initially
b. Hedging. budgeted must be approved by the marketing
c. Short-selling. manager. This procedure:
I. Should provide for the most efficient
59. Enterprise risk management: allocation of scarce organizational
a. Guarantees achievement of resources.
organizational objectives. II. Is a detective control procedure.
b. Requires establishment of risk and control III. Is unnecessary because each product
activities by internal auditors. manager is evaluated on profit generated.
c. Involves the identification of events with
negative impacts on organizational a. I only.
objectives. b. III only.
d. Includes selection of the best risk c. II and III only.
response for the organization. d. I, II, and III.
I - 10
63. An organization's management perceives the 68. An organization is changing to a quality
need to make significant changes. Which of assurance program that incorporates quality
the following factors is management least throughout the process. This is very different
likely to be able to change? from its years of dependence on quality control
a. The organization's members. at the end of the process. This type of change
b. The organization's structure. is a:
c. The organization's environment. a. Cultural change.
d. The organization's technology. b. Product change.
c. Structural change.
64. Many organizations use electronic funds d. Organizational change.
transfer to pay their suppliers instead of
issuing checks. Regarding the risks associated 69. A chief audit executive plans to make changes
with issuing checks, which of the following risk that may be perceived negatively by the audit
management techniques does this represent? staff. The best way to reduce resistance would
a. Controlling. be to:
b. Accepting. a. Develop the new approach fully before
c. Transferring. presenting it to the audit staff.
d. Avoiding. b. Ask the chief executive officer (CEO) to
approve the changes and have the CEO
65. Which of the following goals sets risk attend the departmental staff meeting
management strategies at the optimum level? when they are presented.
a. Minimize costs. c. Approach the staff with the general idea
b. Maximize market share. and involve them in the development of
c. Minimize losses. the changes.
d. Maximize shareholder value. d. Get the internal audit activity’s clients to
support the changes.
66. Of the following reasons for employees to
resist a major change in organizational 70. During a meeting of an internal audit project
processes, which is least likely? team, two members of the team disagree, and
a. Threat of loss of jobs. one accuses the other of trying to advance
b. Required attendance at training classes. personal interests over the interests of the
c. Breakup of existing work groups. audit. The audit manager should:
d. Imposition of new processes by senior a. Discipline both auditors after the meeting
management without prior discussion. for their lack of professional conduct.
b. Continue the meeting but speak to the
67. All of the following would be part of a factory’s accusing auditor later regarding the
control system to prevent release of waste inappropriate conduct.
water that does not meet discharge standards c. Meet with both auditors after the meeting
except: to resolve the conflict and the
a. Performing chemical analysis of the inappropriate behavior.
water, prior to discharge, for components d. Stop the meeting and refer the matter to
specified in the permit. the entire team for discussion.
b. Specifying (by policy, training, and
advisory signs) which substances may be 71. The control that would most likely ensure that
disposed of via sinks and floor drains payroll checks are written only for authorized
within the factory. amounts is to:
c. Periodically flushing sinks and floor drains a. Conduct periodic floor verification of
with a large volume of clean water to employees on the payroll.
ensure pollutants are sufficiently diluted. b. Require the return of undelivered checks
d. Establishing a preventive maintenance to the cashier.
program for the factory’s pretreatment c. Require supervisory approval of
system. employee time cards.
d. Periodically witness the distribution of
I - 11
72. Which of the following controls would prevent at the end of the manufacturing process.
the ordering of quantities in excess of an 76. The requirement that purchases be made from
organization’s needs? suppliers on an approved vendor list is an
a. Review of all purchase requisitions by a example of a:
supervisor in the user department prior to a. Preventive control.
submitting them to the purchasing b. Detective control.
department. c. Corrective control.
b. Automatic reorder by the purchasing d. Monitoring control.
department when low inventory level is
indicated by the system. 77. Appropriate internal control for a multinational
c. A policy requiring review of the purchase corporation’s branch office that has a
order before receiving a new shipment. monetary transfer unit requires that:
d. A policy requiring agreement of the a. The individual who initiates wire transfers
receiving report and packing slip before not reconcile the bank statement.
storage of new receipts. b. The branch manager receive all wire
73. Which of the following observations by an c. Foreign currency rates be computed
auditor is most likely to indicate the existence separately by two different employees.
of control weaknesses over safeguarding of d. Corporate management approve the
assets? hiring of monetary transfer unit
I. A service department's location is not well
suited to allow adequate service to other 78. Which of the following best describes a
units. preliminary survey?
II. Employees hired for sensitive positions a. A standardized questionnaire used to
are not subjected to background checks. obtain an understanding of management
III. Managers do not have access to reports objectives.
that profile overall performance in relation b. A statistical sample to review key
to other benchmarked organizations. employee attitudes, skills, and knowledge.
IV. Management has not taken corrective c. A walk-through of the financial control
action to resolve past engagement system to identify risks and the controls
observations related to inventory controls. that can address those risks.
d. A process used to become familiar with
a. I and II only. activities and risks in order to identify
b. I and IV only. areas for engagement emphasis.
c. II and III only.
d. II and IV only. 79. During a preliminary survey, an auditor found
that several accounts payable vouchers for
74. A control likely to prevent purchasing agents major suppliers required adjustments for
from favoring specific suppliers is: duplicate payment of prior invoices. This would
a. Requiring management’s review of a indicate:
monthly report of the totals spent by each a. A need for additional testing to determine
buyer. related controls and the current exposure
b. Requiring buyers to adhere to detailed to duplicate payments made to suppliers.
material specifications. b. The possibility of unrecorded liabilities for
c. Rotating buyer assignments periodically. the amount of the overpayments.
d. Monitoring the number of orders placed c. Insufficient controls in the receiving area
by each buyer. to ensure timely notice to the accounts
payable area that goods have been
75. Which of the following would minimize defects received and inspected.
in finished goods caused by poor quality raw d. The existence of a sophisticated accounts
materials? payable system that correlates
a. Documented procedures for the proper overpayments to open invoices and
handling of work-in-process inventory. therefore requires no further audit
b. Required material specifications for all concern.
c. Timely follow-up on all unfavorable usage
d. Determination of the amount of spoilage
I - 12
80. Which of the following procedures should be 84. An internal auditor plans to conduct an audit of
performed as part of a preliminary review in an the adequacy of controls over investments in
audit of a bank’s investing and lending new financial instruments. Which of the
activities? following would not be required as part of
a. Review reports of audits performed by such an engagement?
regulatory and outside auditors since the a. Determine if policies exist which describe
last internal audit engagement. the risks the treasurer may take and the
b. Interview management to identify types of instruments in which the
changes made in policies regarding treasurer may make investments.
investments or loans. b. Determine the extent of management
c. Review minutes of the board of directors’ oversight over investments in
meetings to identify changes in policies sophisticated instruments.
affecting investments and loans. c. Determine whether the treasurer is getting
d. All of the above. higher or lower rates of return on
investments than are treasurers in
81. During an assessment of the risk associated comparable organizations.
with sales contracts and related commissions, d. Determine the nature of controls
which of the following factors would most likely established by the treasurer to monitor
result in an expansion of the engagement the risks in the investments.
a. An increase in product sales, along with 85. If a department’s operating standards are
an increase in commissions. vague and thus subject to interpretation, an
b. An increase in sales returns, along with auditor should:
an increase in commissions. a. Seek agreement with the departmental
c. A decrease in sales commissions, along manager as to the criteria needed to
with a decrease in product sales. measure operating performance.
d. A decrease in sales returns, along with an b. Determine best practices in the area and
increase in product sales. use them as the standard.
c. Interpret the standards in their strictest
82. An auditor, experienced in air-quality issues, sense because standards are otherwise
discovered a significant lack of knowledge only minimum measures of acceptance.
about legal requirements for controlling air d. Omit any comments on standards and the
emissions while interviewing the manager of department’s performance in relationship
the environmental, health, and safety (EHS) to those standards, because such an
department. The auditor should: analysis would be inappropriate.
a. Alter the scope of the engagement to
focus on activities associated with air 86. If an auditor's preliminary evaluation of internal
emissions. controls results in an observation that controls
b. Share extensive personal knowledge with may be inadequate, the next step would be to:
the EHS manager. a. Expand audit work prior to the preparation
c. Take note of the weakness and direct of an engagement final communication.
additional questions to determine the b. Prepare a flowchart depicting the internal
potential effect of the lack of knowledge. control system.
d. Report potential violations in this area to c. Note an exception in the engagement
the appropriate regulatory agency. final communication if losses have
83. Which of the following is an appropriate d. Implement the desired controls.
statement of an audit engagement objective?
a. To observe the physical inventory count.
b. To determine whether inventory stocks
are sufficient to meet projected sales.
c. To search for the existence of obsolete
inventory by computing inventory turnover
by product line.
d. To include information about stockouts in
the engagement final communication.
I - 13