
Hock_Internal Control

8/16/2019 Hock_Internal Control

http://slidepdf.com/reader/full/hockinternal-control 1/129

Question 1 - CIA 593 I.39 - Internal Auditing

The internal audit activity (IAA) has recently completed an engagement to evaluate the organization's accounts payable function. The chief audit executive (CAE) decided to issue a summary in conjunction with the final engagement communication. Who is most likely to receive the summary only?

A. Audit committee of the board.
B. Accounts payable manager.
C. Controller.
D. External auditor.

A. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The audit committee of the board can appropriately receive a summary report.

B. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The accounts payable manager is the person responsible for the accounts payable operation and the person who will need to take corrective action as a result of the audit.

C. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The controller is responsible for the accounting function and is therefore a person to whom the accounts payable manager will respond about the report.

D. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The accounts payable manager is the person responsible for the accounts payable operation and the person who will need to take corrective action as a result of the audit. The external auditor is a person who has a direct interest in the internal audit.

Question 2 - CIA 598 3.70 - Systems Controls and Security Measures

Computer program libraries can best be kept secure by

A. Installing a logging system for program access.
B. Denying access from remote terminals.
C. Restricting physical and logical access.
D. Monitoring physical access to program library media.

A. Installing a logging system for program access would permit detection of unauthorized access but would not prevent it.

B. Denying all remote access via terminals would likely be inefficient and would not secure program libraries against physical access.

C. Restricting physical and logical access secures program libraries from unauthorized use, in person and remotely via terminals.

D. Monitoring physical access to program library media would control only unauthorized physical access.

Part 1 : 10/05/14 22:26:24

(c) HOCK international, page 1

Question 3 - CIA 1194 I.10 - Internal Auditing

An internal auditor who suspects fraud should

A. Determine that a loss has been incurred.
B. Interview those who have been involved in the control of assets.
C. Recommend whatever investigation is considered necessary under the circumstances.
D. Identify the employees who could be implicated in the case.

A. When an internal auditor suspects fraud, it is recommended that he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

B. When an internal auditor suspects fraud, it is recommended that he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

C. When an internal auditor suspects fraud, it is recommended that he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

D. When an internal auditor suspects fraud, it is recommended that he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

Question 4 - CIA 591 I.17 - Internal Auditing

The personnel department receives an edit listing of payroll changes processed at every payroll cycle. If it does not verify the changes processed, the result could be

A. Inaccurate Social Security deductions.
B. Employees not being asked if they want to contribute to the company pension plan.
C. Undetected errors in payroll rates for new employees.
D. Labor hours charged to the wrong account in the cost reporting system.

A. Social Security deductions would be correct for any given pay rate because the Social Security deduction is a percentage of an employee's pay. However, if a pay rate were incorrect, the Social Security deduction would be incorrect as well.

B. Checking an edit listing of payroll changes would not give any indication about whether employees have or have not been asked if they want to contribute to the company pension plan.

C. If a new employee's payroll rate is not verified after processing, there could be an undetected error in that employee's payroll rate. The personnel department is responsible for entering new employees into the system and entering their pay rates. Therefore, the personnel department should verify that data on every new employee has been entered correctly.

D. Labor hours would probably not be charged to the wrong account in the cost reporting system as a result of an error in processing changes, because the labor hours would normally come from the time reporting system.

Question 5 - CMA 1284 5.28 - Internal Auditing

The use of a generalized audit software package

A. Relieves an auditor of the typical tasks of investigating exceptions, verifying sources of information, and evaluating reports.
B. Is a major aid in retrieving information from computerized files.
C. Is a form of auditing around the computer.
D. Overcomes the need for an auditor to learn much about computers.

A. The auditor is not relieved of the tasks of investigating exceptions, verifying sources of information, and evaluating reports because of the use of a generalized audit software package.

B. Generalized Audit Software (GAS) enables auditors to access client data. GAS is designed to permit auditors to process data needed in audits. GAS packages can select sample data from data files, check computations, and search the data files for unusual items.

C. Use of a generalized audit software package provides a means to use the computer in audits, not to audit around the computer.

D. In order to use generalized audit software, an auditor must have some knowledge of computers.

Question 6 - HOCK CMA P1D3 11 - Systems Controls and Security Measures

Which of the following statements is true regarding source code and object code?

A. While source code and object code should correspond, the computer does not require them to correspond.
B. Programs are written in object code, which is the language that a programmer uses for coding the program.
C. Source code is the machine language that a computer understands.
D. A compiler converts object code into source code.

A. This is a true statement. It is possible for a knowledgeable person to make a copy of the source code, rewrite some of the instructions, compile the modified source code into object code, replace the object code on the computer, and then destroy the modified source code. This results in a program running on the computer that does not correspond to the authorized source code. This weakness can be used to commit computer fraud if the controls over compiling and cataloging are not adequate.

B. Programs are written in source code.

C. Object code is the language that the computer can understand.

D. A compiler converts the source code that a programmer writes into object code that the computer can understand.

Question 7 - ICMA 10.P1.256 - Systems Controls and Security Measures

In situations where it is crucial that data be entered correctly into an accounting information system, the best method of data control would be to use

A. compatibility tests.
B. key verification.
C. limit checks.
D. reasonableness tests.

A. A compatibility test is a test to determine whether a system or an application or a website is compatible with other objects such as web browsers, operating systems, or hardware platforms. An example of a compatibility test is when you attempt to log in to an online webinar or other online application. A compatibility test is run to see if your system and your browser are compatible with the application. If they are not, you receive a message that you will not be able to connect until you do something about the incompatibility.

A compatibility test would not be an appropriate way to check whether data has been entered correctly into an accounting information system.

B. Key verification, or keystroke verification, is the process of inputting the same information twice and comparing the two inputs. Key verification is nearly always used when changing a password, to confirm that the password has been typed correctly.

When it is crucial that data be entered correctly, it makes sense that entering it twice would be the best check on the accuracy of the input. The example given of changing a password is an example of a situation where it is crucial that the data be entered correctly. If the password is not entered correctly, the person who entered it will not be able to get into the file using what they think is their password, but which is not the password they entered.

C. Limit checks ensure that only data within predefined limits will be accepted by the system when input. For example, the number of days worked in a week cannot exceed 7. When it is crucial that data be entered correctly, a limit check would provide very limited assurance and would not be the best method of data control to use.

D. Reasonableness checks compare input with other information in existing records and historical information to detect data that is not reasonable. When it is crucial that data be entered correctly, a reasonableness test would provide very limited assurance and would not be the best method of data control to use.

Question 8 - CIA 579 II.5 - Systems Controls and Security Measures

Which of the following should the auditor recommend as the most economical point at which to correct input errors in an online system?

A. Entry of data into each field of a record is completed.
B. Entry of data into each record is completed.
C. Output data are balanced with computer-produced control totals and delivered to the user.
D. Input data are balanced with computer-produced control totals.

A. The most economical point at which to correct input errors in an online system is when the data is first entered into the system. Thus, the entry of data into each field of a record is the most economical point.

B. The most economical point at which to correct input errors in an online system is when the data is first entered into the system.

C. The most economical point at which to correct input errors in an online system is when the data is first entered into the system.

D. The most economical point at which to correct input errors in an online system is when the data is first entered into the system.

Question 9 - CMA 690 5.9 - Internal Controls

Marport Company is a manufacturing company that uses forms and documents in its accounting information systems for record keeping and internal control.

The departments in Marport's organization structure and their primary responsibilities are:

Accounts Payable -- authorize payments and prepare vouchers.
Accounts Receivable -- maintain customer accounts.
Billing -- prepare invoices to customers for goods sold.
Cashier -- maintain a record of cash receipts and disbursements.
Credit Department -- verify the credit rating of customers.
Cost Accounting -- accumulate manufacturing costs for all goods produced.
Finished Goods Storeroom -- maintain the physical inventory and related stock records of finished goods.
General Accounting -- maintain all records for the company's general ledger.
Internal Audit -- appraise and monitor internal controls, as well as conduct operational and management audits.
Inventory Control -- maintain perpetual inventory records for all manufacturing materials and supplies.
Mailroom -- process incoming, outgoing, and interdepartmental mail.
Payroll -- compute and prepare the company payroll.
Personnel -- hire employees, as well as maintain records on job positions and employees.
Purchasing -- place orders for materials and supplies.
Production -- manufacture finished goods.
Production Planning -- decide the types and quantities of products to be produced.
Receiving -- receive all materials and supplies.
Sales -- accept orders from customers.
Shipping -- ship goods to customers.
Stores Control -- safeguard all materials and supplies until needed for production.
Timekeeping -- prepare and control time worked by hourly employees.

If employee paychecks are distributed by hand to employees, which one of the following departments should be responsible for the safekeeping of unclaimed paychecks?

A. Production Department in which the employee works or worked.
B. Personnel Department.
C. Cashier Department.
D. Payroll Department.

A. An employee or supervisor in the department in which the employee works or worked could misappropriate an unclaimed check.

B. The Personnel Department fulfills what is in part an authorization function as it is responsible for pay rates. Thus, it should not perform what is primarily a custodial function as well.

C. The Cashier Department is a part of the treasury function, which should properly be responsible for a custodial function such as safekeeping of unclaimed checks.

D. The Payroll Department fulfills the recordkeeping function. Thus, it should not perform what is primarily a custodial function as well.

Question 10 - HOCK CMA P1D3 03 - Systems Controls and Security Measures

If Sarah Corp. wants to send an order over the Internet to Lee Inc. for raw materials, which of the following would be the correct methodology for encrypting the order so that only Lee Inc. will be able to decrypt and read the contents of the order?

A. Sarah Corp. would encrypt the message using Lee Inc's private key, and Lee Inc. would decrypt the message using their own public key.
B. Sarah Corp. would encrypt the message using Sarah Corp's private key, and Lee Inc. would decrypt the message using Sarah Corp's public key.
C. Sarah Corp. would encrypt the message using Lee Inc's public key, and Lee Inc. would decrypt the message using their own private key.
D. Sarah Corp. would request that Lee Inc. email their secret key so that Sarah Corp. could use it to encrypt the order for transmission.

A. No one but Lee Inc. should have possession of their private key, so neither Sarah Corp. nor any other company would ever use Lee Inc's private key.

B. Because Sarah Corp's public key is available publicly, any message encrypted with Sarah Corp's private key could be decrypted by anyone. Sarah Corp. may as well send the order without encryption.

C. This is correct. Lee Inc's public key would be publicly available, and only Lee Inc., using their private key, would be able to decrypt any message encrypted with their public key.

D. Email cannot be trusted to be secure when sending via the Internet, and therefore the secret key could be intercepted and used by a third party to decrypt Sarah Corp's order details.

Question 11 - CIA 1190 II.8 - Internal Controls

An internal auditor found that employee time cards in one department are not properly approved by the supervisor. Which of the following could result?

A. Duplicate paychecks might be issued.
B. Employees might be paid for hours they did not work.
C. Payroll checks might not be distributed to the appropriate payees.
D. The wrong hourly rate could be used to calculate gross pay.

A. Duplicate paychecks would not be issued as a result of the supervisor failing to approve employee time cards.

B. The approval of the supervisor on time cards of employees supervised should prevent employees being paid for hours they did not work.

C. Payroll checks would not be distributed to the wrong employees as a result of the supervisor failing to approve employee time cards.

D. The wrong hourly rate would not be used to calculate gross pay as a result of the supervisor failing to approve employee time cards.

Question 12 - ICMA 10.P1.264 - Systems Controls and Security Measures

When attempting to restore computing facilities at an alternate site following a disaster, which one of the following should be restored first?

A. Decision support system.
B. Online system.
C. Operating system.
D. Batch system.

A. A decision support system is not the system to restore first. A decision support system would not be usable if it were restored first.

B. An online system is not the system to restore first. An online system would not be usable if it were restored first.

C. The operating system should be restored first, because without the operating system, none of the other applications can be run. The operating system serves the following functions:

It provides the user interface that allows the user to communicate with the computer in order to load programs, access files, and accomplish other tasks.

It provides resource management to manage the hardware and networking resources of the system.

It contains file management programs that control the creation, deletion and access of files and also keep track of the physical locations of files on secondary storage devices.

It includes task management programs to manage the accomplishment of the computing tasks. This enables multitasking capability, so that several computing tasks, for example keyboarding and printing, can take place at the same time.

It provides utilities and support service to perform housekeeping tasks and file conversion functions such as data backup, data recovery, virus protection, data compression and file defragmentation.

D. A batch system is not a system to be restored at all. The term "batch system" describes a type of transaction processing system. In a batch system, transactions of a similar type (i.e., accounts receivable receipts) are accumulated over a period of time such as a day, and then the whole batch is processed to update the master files.

Question 13 - CIA 596 3.53 - Systems Controls and Security Measures

A department store company with stores in 11 cities is planning to install a network so that stores can transmit daily sales by item to headquarters and store salespeople can fill customer orders from merchandise held at the nearest store. Management believes that having daily sales statistics will permit better inventory management than is the case now with weekly deliveries of sales reports on paper. Salespeople have been asking about online inventory availability as a way to retain the customers that now go to another company's stores when merchandise is not available. The planning committee anticipates many more applications so that in a short time the network would be used at or near its capacity.

The planning committee identified several applications that would make the company's stores more competitive. One was an on-line gift registry system for customers such as those about to be married. The system would then allow other customers in any of the company's stores to view the information listed in the registry. Once purchased, an item would be deleted from the list. In order to maintain adequate security, the system should have the following restrictions on access:

A. Customers and salespeople have update privileges.
B. Customers have read privileges; salespeople have update privileges.
C. Customers and salespeople have read privileges only.
D. Customers have update privileges; salespeople have read privileges.

A. Customers should not have update privileges to prevent them from corrupting data files, intentionally or accidentally.

B. Customers with read privileges can examine the gift registry lists to make their selections, and salespeople can update the gift registry with actual purchases.

C. Reserving all system functions for salespeople would restrict access more than is required for adequate security and would hinder use of the system for maximum benefit.

D. Customers should not have update privileges to prevent them from corrupting data files, intentionally or accidentally.

Question 14 - CIA 594 3.36 - Systems Controls and Security Measures

The Computer Center of a company processes its prior week's sales invoices, as well as its returns and allowances, at the end of the week. Cash receipts, however, are processed and deposited daily. Each morning the mail receipts clerk prepares the cash receipts prelist in duplicate. The original prelist goes to the head cashier together with the checks and an adding machine tape. The duplicate copy goes to the accounts receivable supervisor. The separate remittance advices are sent to the data input clerk. At midday, the head cashier prepares the bank deposit slip which is taken to the bank. After returning from the bank, the head cashier compares the original prelist to the validated bank deposit slip, initials the documents, and files them in chronological order.

The following morning the accounts receivable supervisor receives a summary processing list from the Computer Center with various control totals from the nightly accounts receivable update. The total on the prior day's duplicate cash receipts prelist is then compared with the total showing the difference between the prior day's beginning and ending accounts receivable subsidiary ledger totals. The amount shown on yesterday's duplicate cash receipts prelist was $35,532.32. This morning the difference between the beginning and ending subsidiary ledger totals was $35,541.32.

What is the first thing that the accounts receivable supervisor should do to try to resolve the discrepancy in the two amounts?

A. Compare the accounts receivable subsidiary ledger total with the total in the accounts receivable general ledger account.
B. Manually recalculate the total on the cash receipts prelist.
C. Send a copy of the prelist and the Summary Processing List to the Internal Audit Department.
D. Call the head cashier to determine the amount deposited.

A. The narrative implies that the AR General Ledger Account is updated when the AR subsidiary ledgers are updated. Thus, there would be no difference between these amounts.

B. The external validation in A is better, as well as more efficient.

C. Minor errors should be investigated and corrected by operating personnel.

D. This takes a short period of time and includes external verification of the amount on the cash receipts prelist. This would prove that an error was made during data input suggesting that further investigative effort should be concentrated there.

Question 15 - CMA 685 5.28 - Systems Controls and Security Measures

Routines that use the computer to check the validity and accuracy of transaction data during input are called

A. Compiler programs.
B. Integrated test facilities.
C. Operating systems.
D. Edit programs.

A. A compiler translates programs written in a higher level language into machine language. Computer programs are error tested by using a compiler, which checks for programming language errors. However, a compiler does not check the validity or accuracy of transaction data during input.

B. An Integrated Test Facility (ITF) involves the use of test data and the creation of fictitious entities, such as fictitious employees, fictitious vendors, fictitious products, and fictitious accounts, within the master files of the computer system. Or alternatively, a separate, fictitious company may be used. The test data in an ITF are processed along with real data. No one knows that the data being processed includes these fictitious entries to fictitious records. An Integrated Test Facility is used by an auditor to check the operation of programs. By checking them this way, the auditor can be sure that the programs being checked are the same programs as those that are being used to process the real data. However, an Integrated Test Facility does not check the validity or accuracy of transaction data during input.

C. The operating system controls the operation of the system but it does not check the validity or accuracy of transaction data during input.

D. Edit programs or input validation routines are programs that check the validity and accuracy of input data. They perform edit tests by examining specific fields of data and rejecting transactions if their data fields do not meet data quality standards. Edit tests include completeness checks, which ensure that data is input into all required fields; limit checks, which ensure that only data within predefined limits will be accepted by the system; validity checks, which match the input data to an acceptable set of values or match the characteristics of input data to an acceptable set of characteristics; overflow checks, which make sure that the number of digits entered in a field is not greater than the capacity of the field; key verification, or the process of inputting the information again and comparing the two results; and check digits, which can be used for determining whether a number has been transcribed properly. A check digit is a digit that is a function of the other digits within a set of numbers. If a typographical error is made in input, the check digit will recognize that something has been input incorrectly.

Question 16 - CIA 1195 I.16 - Internal Controls

 A restaurant food chain has over 680 restaurants. All food orders for each restaurant are required to be input into anelectronic device which records all food orders by food servers and transmits the order to the kitchen for preparation. All food servers are responsible for collecting cash for all their orders and must turn in cash at the end of their shiftequal to the sales value of food ordered for their I.D. number. The manager then reconciles the cash received for theday with the computerized record of food orders generated. All differences are investigated immediately by therestaurant. Corporate headquarters has established monitoring controls to determine when an individual restaurantmight not be recording all its revenue and transmitting the applicable cash to the corporate headquarters. Which one ofthe following would be the best example of a monitoring control?

A. Cash is transmitted to corporate headquarters on a daily basis.

B. The restaurant manager reconciles the cash received with the food orders recorded on the computer.

C. Management prepares a detailed analysis of gross margin per store and investigates any store that shows a significantly lower gross margin.

D. All food orders must be entered on the computer, and segregation of duties is maintained between the food servers and the cooks.

A. There are five interrelated components that comprise internal control. They are: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. Monitoring is an activity of management. Monitoring assesses the quality of the internal control system's performance over time. Monitoring can be done in two ways: (1) through ongoing monitoring during normal operations, and (2) separate evaluations by management with the assistance of the internal audit function. If monitoring is done regularly during normal operations, it lessens the need for separate evaluations. Daily transmission of cash to corporate headquarters is a control activity which serves as an operational control.

B. There are five interrelated components that comprise internal control. They are: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. Monitoring is an activity of management. Monitoring assesses the quality of the internal control system's performance over time. Monitoring can be done in two ways: (1) through ongoing monitoring during normal operations, and (2) separate evaluations by management with the assistance of the internal audit function. If monitoring is done regularly during normal operations, it lessens the need for separate evaluations. The manager's reconciliation of cash received with food orders entered is a control activity. A reconciliation is a detective control activity, because it is intended to detect the occurrence of an unwanted event. However, it does not represent a monitoring activity of management.

C. There are five interrelated components that comprise internal control. They are: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. Monitoring is an activity of management. Monitoring assesses the quality of the internal control system's performance over time. Monitoring can be done in two ways: (1) through ongoing monitoring during normal operations, and (2) separate evaluations by management with the assistance of the internal audit function. If monitoring is done regularly during normal operations, it lessens the need for separate evaluations. When management prepares a detailed analysis of gross margin per store and investigates any store that shows a significantly lower gross margin, it is performing a monitoring activity.

D. There are five interrelated components that comprise internal control. They are: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. Monitoring is an activity of management. Monitoring assesses the quality of the internal control system's performance over time. Monitoring can be done in two ways: (1) through ongoing monitoring during normal operations, and (2) separate evaluations by management with the assistance of the internal audit function. If monitoring is done regularly during normal operations, it lessens the need for separate evaluations. Segregation of duties is a control activity which serves as a preventive control, because it is intended to prevent the occurrence of an unwanted event. Therefore, it does not represent a monitoring activity of management.

Question 17 - CMA 1289 5.11 - Systems Controls and Security Measures

Most of today's computer systems have hardware controls that are built in by the computer manufacturer. Common hardware controls are

A. Duplicate circuitry, echo check, tape file protection and internal header labels.

B. Duplicate circuitry, echo check, and dual reading.

C. Duplicate circuitry, echo check, and internal header labels.

D. Tape file protection, cryptographic protection, and limit checks.

A. Tape file protection is not a hardware control; it is a data storage control that provides security for computer data stored on tapes by protecting the data from being overwritten. An internal header label is not a hardware control; it is a routing verification procedure that protects against transactions being routed to the wrong computer network system address. Any transaction transmitted over the network must have a header label identifying its destination. Before sending the transaction, the system verifies that the destination is valid and is authorized to receive data. After the transaction has been received, the system verifies that the message did go to the destination code in the header.

B. Duplicate circuitry, echo check, and dual reading are part of the error correction systems built into hardware to provide the system with fault tolerance. Duplicate circuitry is the double wiring of key hardware elements to ensure that if one malfunctions, the other will take over. An echo check is the process of sending the received data back to the sending computer to compare with what was actually sent to make sure that it is the same. In a dual read check, data are read twice during input and compared.

C. Hardware controls are controls installed in computers that can identify incorrect data handling or improper operation of the equipment. An internal header label is not a hardware control. A header label is a routing verification procedure that protects against transactions being routed to the wrong computer network system address. Any transaction transmitted over the network must have a header label identifying its destination. Before sending the transaction, the system verifies that the destination is valid and is authorized to receive data. After the transaction has been received, the system verifies that the message did go to the destination code in the header.

D. Hardware controls are controls installed in computers that can identify incorrect data handling or improper operation of the equipment. None of these are hardware controls. Tape file protection is a data storage control that provides security for computer data stored on tapes by protecting the data from being overwritten. Cryptographic protection relates to the encryption of data sent over a network or the Internet to protect private or confidential data from being intercepted by unauthorized individuals. A limit check is an edit test that ensures that only data within predefined limits will be accepted by the system.

Question 18 - CMA 693 4.6 - Systems Controls and Security Measures

Data processed by a computer system are usually transferred to some form of output medium for storage. However, the presence of computerized output does not, in and of itself, assure the output's accuracy, completeness, or authenticity. For this assurance, various controls are needed. The major types of controls for this area include

A. Input controls, tape and disk output controls, and printed output controls.

B. Activity listings, echo checks, and pre-numbered forms.

C. Transaction controls, general controls, and printout controls.

D. Tape and disk output controls and printed output controls.

A. Input controls, such as data observation and recording controls, data transcription controls, and edit tests, are designed to ensure that the data are entered into the program correctly. They are important because if data are not input correctly, the output will not be correct. Output controls are used to check that input and processing has resulted in valid output. Their objective is to assure the output's validity, accuracy, and completeness. There are two types of output application controls: (1) Validating processing results, such as activity (proof) listings and reconciliations; and (2) Printed output controls, such as forms control and output distribution controls.

B. Activity listings, echo checks, and pre-numbered forms do not assure the output's accuracy, completeness, or authenticity.

C. Transaction controls, general controls, and printout controls do not assure the accuracy, completeness, or authenticity of computer output.

D. Although tape and disk output controls and printed output controls are major types of controls for output, these alone do not assure the accuracy, completeness, or authenticity of computer output.

Question 19 - CMA 1294 2.30 - Internal Auditing

There are three components of audit risk: inherent risk, control risk, and detection risk. Inherent risk is

A. The risk that the auditor will not detect a material misstatement that exists in an assertion.

B. The risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated.

C. The susceptibility of an assertion to a material misstatement, assuming that there are no related internal control structure policies or procedures.

D. The risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control structure policies or procedures.

A. The risk that the auditor will not detect a material misstatement that exists in an assertion is the definition of detection risk.

B. The risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated is the definition of audit risk.

C. Inherent risk is the susceptibility of an assertion to a material misstatement, assuming that there are no related internal control structure policies or procedures. Inherent risk is independent of the audit. The lower the inherent risk is judged by the auditor to be, the higher can be the detection risk. And the higher the inherent risk is judged by the auditor to be, the lower must be the detection risk.

D. The risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control structure policies or procedures is the definition of control risk.

Question 20 - CIA 1190 III.19 - Systems Controls and Security Measures

Six months after a disgruntled systems programmer was fired and passwords disabled, the company's mainframe was brought to a halt when it suddenly erased all of its own files and software. The most likely way the programmer accomplished this was by

A. Having an accomplice in the computer center.

B. Planting a computer virus through the use of telephone access.

C. Returning to the computer center after 6 months.

D. Implanting a virus in the operating system and executing it via a backdoor.

 A. In these circumstances, it is not likely that there was collusion.

B. The passwords were disabled, so the programmer would not know the new passwords.

C. The programmer was more than likely denied access to the computer center.

D. This is probably the best explanation of how the files and software were suddenly erased. A virus is a program that alters the way another computer operates. Viruses can damage programs, delete files or reformat the hard disk. A backdoor in a computer system is a method of bypassing normal authentication or securing remote access to a computer, while attempting to remain hidden from casual inspection.

Question 21 - CIA 1194 3.22 - Systems Controls and Security Measures

Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted. A bank, for example, may incur significant penalties as a result of missed payments.

Which of the following management activities is essential to ensure continuity of operations in the event a disaster or catastrophe impairs information systems processing?

A. Review of insurance coverage.

B. Change control procedures.

C. Contingency planning.

D. Electronic vaulting.

A. Review of insurance coverage is an aspect of risk analysis, and a much narrower concept than contingency planning.

B. Change control procedures do not ensure continuity of operations.

C. Contingency planning is a management activity which is essential to ensure continuity of operations in the event a disaster impairs information systems processing.

D. Electronic vaulting is a technology that may be used to address contingency planning issues.

Question 22 - CIA 593 I.18 - Internal Auditing

During the preliminary survey phase of an audit of the organization's production cycle, management stated that the sale of scrap was well controlled. Evidence to verify that assertion can best be gained by

A. Comparing the quantities of scrap expected from the production process with the quantities sold.

B. Comparing current revenue from scrap sales with industry norms.

C. Interviewing persons responsible for collecting and storing the scrap.

D. Comparing current revenue from scrap sales with that of prior periods.

A. Comparing the quantities of scrap expected from the production process with quantities sold should verify whether sale of scrap is well controlled. If the quantities of scrap sold are approximately the same as quantities produced, the sale of the scrap is well controlled.

B. Comparing current revenue from scrap sales with industry norms will not verify that sale of scrap is well controlled.

C. Interviewing persons responsible for collecting and storing scrap will not verify that sale of scrap is well controlled, only that handling of scrap prior to its sale is well controlled.

D. Comparing current revenue from scrap sales with that of prior periods will not verify that sale of scrap is well controlled.

Question 23 - CIA 1193 I.1 - Internal Auditing

Internal auditing is a dynamic profession. Which of the following best describes the scope of internal auditing as it has developed to date?

A. Internal auditing has evolved to evaluating all risk management, control, and governance systems.

B. Internal auditing has evolved to verifying the existence of assets and reviewing the means of safeguarding assets.

C. Internal auditing involves evaluating compliance with laws, regulations, and contracts.

D. Internal auditing involves evaluating the effectiveness and efficiency with which resources are employed.

A. The Institute of Internal Auditors (IIA), the U.S. professional organization of internal auditors, has defined internal auditing as: "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

B. Internal auditing involves much more than just verifying the existence of assets and reviewing the means of safeguarding assets.

C. Internal auditing involves much more than just evaluating compliance with laws, regulations, and contracts.

D. Internal auditing involves much more than just evaluating the effectiveness and efficiency with which resources are employed.

Question 24 - CIA 1196 I.8 - Internal Auditing

A certified internal auditor (CIA) is the chief audit executive (CAE) for a large city and is planning the engagement work schedule for the next year. The city has a number of different funds, some that are restricted in use by government grants and some that require compliance reports to the government. One of the programs for which the city has received a grant is job retraining and placement. The grant specifies certain conditions a participant in the program must meet to be eligible for the funding.

The CAE plans an engagement to verify that the job retraining program complies with applicable grant provisions. One

B. Data input manipulation (e.g. intentionally mis-entering information).

C. Sabotaging the servers that run the data processing (e.g. unplugging the servers or removing their hard drives).

D. Data being stolen on removable storage devices (e.g. hard drive, USB memory).

A. Once a skimming routine is inserted in the accounting system, it will run without any further intervention by the programmer.

B. This cannot occur repeatedly without direct action by the person mis-entering the data.

C. Physically sabotaging a system requires direct action and cannot be carried out repeatedly without repeated sabotage efforts.

D. Stealing data on removable storage requires direct action each time data is stolen and removed from the company premises.

Question 27 - CIA 1193 II.13 - Internal Auditing

Senior management has requested a compliance audit of the organization's employee benefits package. Which of the following is considered the primary engagement objective by both the chief audit executive and senior management?

A. The level of organizational contributions is adequate to meet the program's demands.

B. Individual programs are operating in accordance with contractual requirements and government regulations.

C. Participation levels support continuation of individual programs.

D. Benefit payments, when appropriate, are accurate and timely.

A. The level of organizational contributions is not the primary objective of a compliance audit of an organization's employee benefits, although it would be included in such an audit.

B. The purpose of a compliance audit is to determine to what degree an organization is operating in an orderly way, effectively and visibly conforming to certain specific requirements of its policies, procedures, standards, or laws and governmental regulations. Thus, determination of whether individual programs are operating in accordance with contractual requirements and government regulations is an appropriate objective for a compliance audit of employee benefits.

C. A determination of whether participation levels support continuation of individual employee benefit programs is not the primary objective of a compliance audit of employee benefits, although it would be included in such an audit.

D. Determination of whether benefit payments are accurate and timely is not the primary objective of a compliance audit of employee benefits, although it would be included in such an audit.

Question 28 - CIA 594 3.35 - Systems Controls and Security Measures

The Computer Center of a company processes its prior week's sales invoices, as well as its returns and allowances, at the end of the week. Cash receipts, however, are processed and deposited daily. Each morning the mail receipts clerk prepares the cash receipts prelist in duplicate. The original prelist goes to the head cashier together with the checks and an adding machine tape. The duplicate copy goes to the accounts receivable supervisor. The separate remittance advices are sent to the data input clerk. At midday, the head cashier prepares the bank deposit slip which is taken to the bank. After returning from the bank, the head cashier compares the original prelist to the validated bank deposit slip, initials the documents, and files them in chronological order.

The following morning the accounts receivable supervisor receives a summary processing list from the Computer Center with various control totals from the nightly accounts receivable update. The total on the prior day's duplicate cash receipts prelist is then compared with the total showing the difference between the prior day's beginning and ending accounts receivable subsidiary ledger totals. The amount shown on yesterday's duplicate cash receipts prelist was $35,532.32. This morning the difference between the beginning and ending subsidiary ledger totals was $35,541.32.

What is the most likely reason for the difference between the two amounts?

A. An irregularity occurred during data output.

B. A transposition error occurred.

C. The total on the cash receipts prelist was miscalculated.

D. A remittance advice was recorded twice.

 A. If an error or irregularity had occurred, it would have been likely during data input, not output.

B. The amount of a discrepancy between two batch totals often provides a clue about the error. When a difference can be divided evenly by 9, a transposition error may have occurred during data input where the column amounts in two adjacent columns are exchanged. Other possibilities to consider include: looking for transactions exactly equal to the amount of the discrepancy or transactions equal to half of the discrepancy. In the latter case, a transaction may have been incorrectly debited or credited.

C. If the prior day's cash receipts prelist were wrong, the Head Cashier is likely to have discovered and reported this either when preparing the bank deposit or after agreeing the prelist to the validated bank deposit.

D. The nature of the discrepancy, a small number in an even dollar amount evenly divisible by 9, suggests that double recording is less likely than a transposition error.

Question 29 - CIA 587 I.43 - Internal Auditing

When management agrees with a finding and has agreed to take corrective action, the appropriate treatment is to

A. Include the finding and recommendation, irrespective of management's agreement.

B. Omit the finding and recommendation.

C. Report that management has agreed to take corrective action.

D. Report that management has already taken corrective action.

A. The finding and recommendation should be included, but so should the fact that management has agreed to take corrective action.

B. When management agrees with a finding and has agreed to take corrective action, the audit report should include this agreement as one of the results of the audit.

C. When management agrees with a finding and has agreed to take corrective action, the audit report should include this agreement as one of the results of the audit.

D. The corrective action has not yet been taken, so it is incorrect to state that it has been taken.

Question 30 - CMA 685 3.17 - Internal Controls

One of the financial statement auditor's major concerns is to ascertain whether internal control is designed to provide reasonable assurance that

A. Profit margins are maximized, and operational efficiency is optimized.

B. Corporate morale problems are addressed immediately and effectively.

C. The chief accounting officer reviews all accounting transactions.

D. Financial reporting is reliable.

A. While it is important to maximize profits and optimize operational efficiency, this is not one of a financial statement auditor's major concerns.

B. Corporate morale problems are not relevant to a financial statement audit.

C. It is not necessary that the chief accounting officer review all accounting transactions. Therefore, this is not one of a financial statement auditor's major concerns.

D. Internal control is a method, or process, that is carried out by an entity's board of directors, management, and other personnel, and designed to provide reasonable assurance that objectives in the following four categories will be achieved: (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; (3) compliance with applicable laws and regulations; and (4) safeguarding of assets. The concerns of the financial statement auditor will relate to no. 2, reliability of financial reporting.

Question 31 - CMA 690 5.1 - Internal Controls

Marport Company is a manufacturing company that uses forms and documents in its accounting information systems for record keeping and internal control.

The departments in Marport's organization structure and their primary responsibilities are:

Accounts Payable -- authorize payments and prepare vouchers.
Accounts Receivable -- maintain customer accounts.
Billing -- prepare invoices to customers for goods sold.
Cashier -- maintain a record of cash receipts and disbursements.
Credit Department -- verify the credit rating of customers.
Cost Accounting -- accumulate manufacturing costs for all goods produced.
Finished Goods Storeroom -- maintain the physical inventory and related stock records of finished goods.
General Accounting -- maintain all records for the company's general ledger.
Internal Audit -- appraise and monitor internal controls, as well as conduct operational and management audits.
Inventory Control -- maintain perpetual inventory records for all manufacturing materials and supplies.
Mailroom -- process incoming, outgoing, and interdepartmental mail.
Payroll -- compute and prepare the company payroll.
Personnel -- hire employees, as well as maintain records on job positions and employees.
Purchasing -- place orders for materials and supplies.
Production -- manufacture finished goods.
Production Planning -- decide the types and quantities of products to be produced.
Receiving -- receive all materials and supplies.
Sales -- accept orders from customers.
Shipping -- ship goods to customers.
Stores Control -- safeguard all materials and supplies until needed for production.
Timekeeping -- prepare and control time worked by hourly employees.

The initiation of the purchase of materials and supplies would be the responsibility of the

A. Stores Control Department.

B. Purchasing Department.

C. Inventory Control Department.

D. Production Department.

A. Stores Control safeguards the materials and supplies until they are needed for production. They do not maintain inventory records or initiate purchase requisitions.

B. The Purchasing Department places orders, but they do not initiate them. Orders are initiated and authorized by others.

C. The Inventory Control Department maintains perpetual inventory records for all manufacturing materials and supplies. Therefore, it would be in a position to know when supplies are getting low and would be responsible for initiating a purchase requisition.

D. The Production Department manufactures the goods, obtaining its materials from the Stores Control Department. It does not initiate requests for purchases.

Question 32 - ICMA 10.P1.243 - Internal Controls

The basic concepts implicit in internal accounting controls include the following.

The cost of the system should not exceed benefits expected to be attained.

The overall impact of the control procedure should not hinder operating efficiency.

Which one of the following internal accounting controls recognizes these two factors?

A. Management responsibility.

B. Limitations.

C. Methods of data processing.

D. Reasonable assurance.

 A. This answer is not correct. See the correct answer for a complete explanation.

B. This answer is not correct. See the correct answer for a complete explanation.

C. This answer is not correct. See the correct answer for a complete explanation.

D. The goal of internal control is to provide reasonable assurance that the company's objectives will be achieved in the areas of (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. It is not the goal of internal control to provide a guarantee that the company's objectives will be achieved in these areas.

The idea of reasonable assurance recognizes that it is not possible for an internal control system to guarantee that it will detect every error or prevent every error. This limitation exists because of cost/benefit issues and because controls should not be so cumbersome that they prevent the business from operating. As a result, not every possible control will be implemented. Some may not be implemented because management has decided that the cost to do them would be greater than any potential loss that could result from not doing them. Some may not be implemented because management has decided that to do them would hinder operating efficiency too much.

Because internal control is not expected to provide a guarantee but only to provide reasonable assurance, it is reasonable to omit some control procedures for those reasons.

Question 33 - CIA 1196 1.36 - Systems Controls and Security Measures

The automated system contains a table of pay rates which is matched to the employee job classifications. The best

Assume your company is considering purchasing a small toxic waste disposal company. As an internal auditor, you are part of the team doing a due diligence review for the acquisition. The scope of the assignment would most likely not include

A. Assessment of the efficiency of the waste company's operations and profitability.

B. A review of the purchased company's procedures for acceptance of waste material and comparison with legal requirements.

C. Analysis of the company's compliance with, and disclosure of, loan covenants.

D. An evaluation of the merit of lawsuits currently filed against the waste company.

A. A due diligence engagement is an engagement to confirm company records, both financial and those of ownership of property, utilized especially when a unit is being acquired, merged or sold. Assessment of the efficiency of the waste company's operations and profitability is appropriate in a due diligence review by auditors.

B. A due diligence engagement is an engagement to confirm company records, both financial and those of ownership of property, utilized especially when a unit is being acquired, merged or sold. A review of the target company's compliance with legal requirements for acceptance of waste material is appropriate in a due diligence review by auditors.

C. A due diligence engagement is an engagement to confirm company records, both financial and those of ownership of property, utilized especially when a unit is being acquired, merged or sold. Analysis of the target company's compliance with, and disclosure of, loan covenants is appropriate in a due diligence review by auditors.

D. A due diligence engagement is an engagement to confirm company records, both financial and those of ownership of property, utilized especially when a unit is being acquired, merged or sold. An auditor would not have the legal expertise to evaluate the merit of lawsuits currently filed against the target company.

Question 38 - CIA 1184 I.14 - Internal Auditing

The primary difference between operational engagements and financial engagements is that in the former the internal auditors

A. Are not concerned with whether the client entity is generating information in compliance with financial accounting standards.

B. Start with the financial statements of the client entity and work backward to the basic processes involved in producing them.

C. Are seeking to help management use resources in the most effective manner possible.

D. Can use analytical skills and tools that are not necessary in financial engagements.

A. Internal auditors are concerned with the integrity and reliability of presented financial reports. Making sure the presented financial statements are in accordance with accounting standards is important in operational engagements.

B. Internal auditors start with the financial statements and work back when conducting a financial engagement.

C. The primary difference between financial and operational engagements is that in the former the internal auditor is seeking to form an opinion on the fairness of the financial statements, whereas operational engagements involve evaluating the efficiency and economical use of the organization's resources.

D. Analytical skills and tools are necessary in financial engagements.

Question 39 - CIA 592 II.21 - Internal Auditing

Which of the following is an essential factor in evaluating the sufficiency of evidence? The evidence must

A. Be convincing enough for a prudent person to reach the same decision.

B. Be based on references that are considered reliable.

C. Bear a direct relationship to the finding and include all of the elements of a finding.

D. Be well documented and cross-referenced in the working papers.

A. If evidence is sufficient, it means that enough information has been gathered to enable another person to come to the same conclusions as the auditor.

B. If evidence is sufficient, it means that enough information has been gathered to enable another person to come to the same conclusions as the auditor. Information that is based on references that are considered reliable is competent evidence, but that does not constitute sufficiency.

C. If evidence is sufficient, it means that enough information has been gathered to enable another person to come to the same conclusions as the auditor. Information that bears a direct relationship to the finding and includes all of the elements of a finding is relevant evidence, but that does not constitute sufficiency.

D. If evidence is sufficient, it means that enough information has been gathered to enable another person to come to the same conclusions as the auditor. Documentation and cross-referencing, while important, do not constitute sufficiency.

Question 40 - CIA 590 I.50 - Internal Auditing

When conducting fraud investigations, internal auditors should

A. Clearly indicate the extent of the internal auditors' knowledge of the fraud when questioning suspects.

B. Assign personnel to the investigation in accordance with the engagement schedule established at the beginning of the fiscal year.

C. Assess the probable level of, and the extent of complicity in, the fraud within the organization.

D. Perform its investigation independent of lawyers, security personnel, and specialists from outside the organization who are involved in the investigation.

A. When interviewing someone who may be involved in fraud, an auditor should not reveal what he or she already knows. One way of determining whether the interviewee is truthful and wants to cooperate is to ask questions to which the auditor already knows the answer.

B. Fraud investigations are unexpected and therefore cannot be scheduled. When a fraud investigation is necessary, the personnel assigned should be those most qualified to investigate the particular situation.

C. When conducting fraud investigations, internal auditors should assess the probable level of, and the extent of complicity in, the fraud within the organization. It is important to know how many people may be involved and who they are.

D. It is important that all parties involved in a fraud investigation coordinate their efforts.

Question 41 - CIA 592 II.1 - Internal Auditing

 A determination of cost savings is most likely to be an objective of a(n):

DUPLICATE QUESTION

A. Compliance engagement.

B. Operational engagement.

C. Financial engagement.

D. Program-results engagement.

A. A compliance engagement is concerned with determining to what degree an organization is operating in an orderly way, effectively and visibly conforming to certain specific requirements of its policies, procedures, standards, or laws and governmental regulations. Thus a determination of cost savings would not be an objective of a compliance engagement.

B. An operational engagement focuses on examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. Thus a determination of cost savings will most likely be an objective of an operational engagement.

C. A financial engagement focuses on the safeguarding of assets and the reliability and integrity of the financial statements. Thus a determination of cost savings would not be an objective of a financial engagement.

D. A program-results engagement is concerned with evaluating the accomplishment of objectives for a specific program. Thus a determination of cost savings would not be an objective of a program-results engagement.

Question 42 - CMA 1283 3.11 - Internal Controls

When an organization has strong internal control, management can expect various benefits. The benefit least likely to occur is

A. Elimination of employee fraud.

B. Availability of reliable data for decision-making purposes.

C. Some assurance of compliance with the Sarbanes-Oxley Act of 2002.

D. Reduced cost of an external audit.

A. While strong internal control can limit employee fraud, complete elimination of employee fraud is not possible, and so this cannot be considered a benefit of a strong internal control system.

B. Strong internal control will result in the benefit of better, more accurate data for decision making.

C. Strong internal control will result in some assurance of compliance with the Sarbanes-Oxley Act of 2002, and thus that is a benefit.

D. Reduced cost of external audits is a benefit that is likely to occur as a result of strong internal control.

Question 43 - CIA 588 II.45 - Internal Auditing

To enhance communications with top management, some internal auditing activities include a summary report with each written audit report. What information should be included in such a summary report?

A. Internal auditing's assessment of the adequacy of internal controls.

B. The same information as the written report but in diagram form.

C. Only that information needed to resolve the disagreements between the auditees and internal auditing.

D. Highlights of the audit results.

 A. An assessment of the adequacy of internal controls is not a summary.

B. The same information as is contained in the written report in diagram form is not a summary.

C. Information to resolve disagreements between the auditees and internal auditing is not a summary.

D. Highlights of the audit results constitute a summary of the audit report.

Question 44 - CIA 582 I.4 - Internal Controls

Effective internal control

A. Is unaffected by changing circumstances and conditions encountered by the organization.

B. Reduces the need for management to review exception reports on a day-to-day basis.

C. Eliminates risk and potential loss to the organization.

D. Cannot be circumvented by management.

A. As circumstances and conditions change, changes in internal controls are required.

B. An effective internal control structure should prevent exceptions as well as detect exceptions after the fact. Thus, with an effective internal control structure, management's need to review exception reports daily should be reduced.

C. No internal control structure, no matter how effective, can guarantee the complete elimination of risk and potential loss to the organization.

D. Internal controls can be overridden by managers.

Question 45 - CIA 597 I.19 - Systems Controls and Security Measures

Which of the following computerized control procedures would be most effective in ensuring that data uploaded from personal computers to a mainframe are complete and that no additional data is added?

A. Batch control totals, including control totals and hash totals.

B. Field-level edit controls that test each field for alphanumerical integrity.

C. Passwords that effectively limit access to only those authorized to upload the data to the mainframe computer.

D. Self-checking digits to ensure that only authorized part numbers are added to the database.

A. Batch control totals, including control totals with hash controls would be most effective in ensuring that data uploaded from personal computers to the mainframe are complete and that no additional data are added. These controls would provide the best information on the completion of the data transfer.

B. Field-level edit controls that test each field for alphanumerical integrity are input controls, but they would not ensure that the data transfer is complete.

C. Passwords are effective in limiting unauthorized personnel, but would not ensure that the data transfer is complete.

D. Self-checking digits would detect erroneous part numbers, but would not ensure that the data transfer is complete.

Question 46 - CMA 696 4.14 - Systems Controls and Security Measures

A critical aspect of a disaster recovery plan is to be able to regain operational capability as soon as possible. In order to accomplish this, an organization can have an arrangement with its computer hardware vendor to have a fully operational facility available that is configured to the user's specific needs. This is best known as a(n)

A. Cold site.

B. Uninterruptible power system.

C. Hot site.

D. Parallel system.

A. A cold site is a facility that can be used to install computer equipment if needed, but it is not fully operational.

B. An uninterruptible power system (UPS) is a backup power source that kicks in automatically in the event of a power outage to prevent loss of data.

C. A hot site is a backup facility that has a computer system that is similar to the one used regularly and is fully operational and thus immediately available.

D. A parallel system is a system that is identical to the main system.

Question 47 - CIA 1192 II.20 - Internal Controls

An internal audit of the payroll function revealed several instances in which a payroll clerk had added fictitious employees to the payroll and deposited the checks in accounts of close relatives. What control should have prevented such actions?

A. Establishing a policy to deal with close relatives working in the same department.

B. Having the treasurer's office sign payroll checks.

C. Allowing changes to the payroll to be authorized only by the personnel department.

D. Using time cards and attendance records in the computation of employee gross earnings.

A. Establishing a policy for the hiring of close relatives would not prevent a payroll clerk from adding fictitious employees to the payroll and keeping and depositing their paychecks.

B. Having the treasurer's office sign payroll checks would not prevent a payroll clerk from adding fictitious employees to the payroll and keeping and depositing their paychecks.

C. Only the personnel department should be authorized to make changes to the payroll, while only the payroll department should process payroll checks. Furthermore, to prevent an unauthorized person from adding a name of a fictitious employee to the payroll, payroll records should be reconciled with the active employee list from the personnel department each payday.

D. Using time cards and attendance records would not prevent a payroll clerk from adding fictitious employees to the payroll and keeping and depositing their paychecks.

Question 48 - CMA 1290 4.21 - Systems Controls and Security Measures

Which one of the following represents a lack of internal control in a computer-based system?

A. Provisions exist to protect data files from unauthorized access, modification, or destruction.

B. Programmers have access to change programs and data files when an error is detected.

C. Any and all changes in applications programs have the authorization and approval of management.

D. Provisions exist to ensure the accuracy and integrity of computer processing of all files and reports.

A. Provisions to protect data files from unauthorized access, modification, or destruction, e.g., passwords and restricted rights, represent good internal control, not a lack of internal control.

B. Programmers are the individuals who write, test and document the systems. However, once a program has been written, tested and documented, the programmer should have no further access to the program or to the data files. If any change is necessary, management should authorize and approve the change.

C. It is essential that any and all changes in applications programs have the authorization and approval of management.

D. Provisions exist to ensure the accuracy and integrity of computer processing of all files and reports.

Question 49 - CMA 1280 3.26 - Internal Controls

A major impact of the Foreign Corrupt Practices Act of 1977 is that registrants subject to the Securities Exchange Act of 1934 are now required to

A. Keep records that reflect the transactions and dispositions of assets and to maintain a system of internal accounting controls.

B. Provide access to records by authorized agencies of the federal government.

C. Prepare financial statements in accord with international accounting standards.

D. Produce full, fair, and accurate periodic reports on foreign commerce and/or foreign political party affiliations.

A. The Foreign Corrupt Practices Act of 1977 (substantially revised in 1988) was enacted in response to disclosures of questionable payments that had been made by large companies. The payments were either illegal political contributions or payments to foreign officials that bordered on bribery. The FCPA makes it illegal to offer or authorize corrupt political payments (bribes) to any foreign official, foreign party chief or official or a candidate for political office in a foreign country, or to make corrupt payments through an intermediary while knowing that all or part of the payment will go to a foreign official. The company must ensure that all transactions are in accordance with management's general, or specific, authorization and are recorded properly. Corporate management is required to maintain books, records and accounts that accurately and fairly reflect transactions and to develop and maintain a system of internal accounting control. The internal control requirements were included in the Act because of the fundamental premise that effective internal control should provide a deterrent to illegal payments.

B. The Foreign Corrupt Practices Act contains no such provision.

C. The Foreign Corrupt Practices Act contains no such provision.

D. The Foreign Corrupt Practices Act contains no such provision.

Question 50 - CIA 1190 II.11 - Internal Auditing

The chief executive officer wants to know whether the purchasing function is properly meeting its charge to "purchase the right materials at the right time in the right quantities." Which of the following types of engagements addresses this request?

A. An operational engagement relating to the purchasing function.

B. A full-scope engagement relating to the manufacturing operation.

C. A compliance engagement relating to the purchasing function.

D. A financial engagement relating to the purchasing department.

A. An operational audit involves examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities.

B. While a full-scope engagement relating to the manufacturing operation would include determining whether the purchasing function is properly meeting its charge to "purchase the right materials at the right time in the right quantities," it would encompass much more than that.

C. A compliance engagement determines to what degree an organization is operating in an orderly way, effectively and visibly conforming to certain specific requirements of its policies, procedures, standards, or laws and governmental regulations. A compliance engagement relating to the purchasing function would not be able to determine whether the purchasing function is properly meeting its charge to "purchase the right materials at the right time in the right quantities."

D. The purpose of a financial statement audit is to evaluate the assertions made by management on the organization's financial statements and to issue an opinion on the fairness of the statements. A financial engagement would not be able to determine whether the purchasing function is properly meeting its charge to "purchase the right materials at the right time in the right quantities."

Question 51 - ICMA 10.P1.253 - Internal Auditing

Which one of the following types of audits would be most likely to focus on objectives related to the efficient use of resources?

A. Compliance audit.

B. Independent audit.

C. Operational audit.

D. Information systems audit.

A. A compliance audit is performed in order to determine whether an organization is conforming to certain specific requirements of its policies, procedures, standards, or laws and governmental regulations.

Thus, a compliance audit would not focus on objectives related to the efficient use of resources.

B. The purpose of the independent audit is to evaluate the assertions made by management on the organization's financial statements and to issue an opinion on the fairness of the statements. An independent audit is performed by outside, independent auditors, not by internal auditors.

An independent audit would not focus on objectives related to the efficient use of resources.

C. The purpose of an operational audit is examining and evaluating systems of internal control, overall company operations and the quality of performance in carrying out assigned responsibilities. The internal auditors compare the results of the operations with standards for performance or output. The focus of an operational audit is on the three "E"s: efficiency, effectiveness and economy.

Thus, an operational audit would be most likely to focus on objectives related to the efficient use of resources.

D. An information systems audit involves auditing the controls in place for information systems. Thus, an information systems audit would not focus on objectives related to the efficient use of resources.

Question 52 - CIA 594 1.65 - Systems Controls and Security Measures

Backup and recovery controls are crucial to ensuring the reliability of a teleprocessing network. When reviewing the controls over backup and recovery, which of the following would not be included?

A. Use and adequacy of encryption processes.

B. Adequacy of user data file backups on the LAN.

C. Adequacy of documents/manuals informing all personnel of their backup and recovery responsibilities.

D. Controls over hardware and software failures.

A. Encryption is a communication control for security, and not related to backup and recovery.

B. Data file backups are critical and the auditor would review the adequacy of the backup files.

C. Documented responsibilities for backup and recovery personnel and knowledge of their responsibilities are very important in the backup and recovery process. Auditors would review the documentation and knowledge of responsibilities.

D. The controls over hardware and software failures are included in the review of backup and recovery.

Question 53 - CIA 1186 I.9 - Internal Controls

Management wishes to include in its internal controls over factory payroll a procedure to ensure that employees are paid only for work actually performed. To meet this objective, which of the following internal control actions would be most appropriate?

A. Compare piecework records with inventory additions from production.

B. Keep unclaimed paychecks in a vault.

C. Use time cards.

D. Have supervisors distribute paychecks to employees in their sections.

A. Comparing piecework records with inventory additions is a cross-check on factory production performed. If employees are being paid on a piece-work basis, this could be used to ensure that payments are made only for work performed.

B. Keeping unclaimed paychecks in a vault will not ensure that employees are paid only for work actually performed. Furthermore, if the paychecks are legitimate and are truly unclaimed, most states have escheat laws that require unclaimed property to be turned over to the state after a period of time.

C. A time card may be falsified by having another employee punch it.

D. Having supervisors distribute paychecks to their employees will not ensure that employees are paid only for work actually performed.

Question 54 - CMA 1286 3.29 - Internal Controls

One characteristic of an effective internal control structure is the proper segregation of duties. The combination of responsibilities that would not be considered a violation of segregation of functional responsibilities is

A. Preparation of paychecks and check distribution.

B. Signing of paychecks and custody of blank payroll checks.

C. Approval of time cards and preparation of paychecks.

D. Timekeeping and preparation of payroll journal entries.

A. The rule in segregation of duties is that one person should not be in a position to commit fraud and also to cover it up.

If one person were to prepare the paychecks and also distribute them, no second person would have a chance to see them before they were distributed. The opportunity would exist to commit fraud without anyone noticing.

Furthermore, the following four functions must always be done by different people: (1) Authorizing a transaction; (2) Recording the transaction, preparing source documents, maintaining journals; (3) Keeping physical custody of the related asset - for instance, receiving checks in the mail; and (4) The periodic reconciliation of the physical assets to the recorded amounts for those assets. In the example of the combination of preparation of paychecks and check distribution, payroll preparation is a recordkeeping function, whereas the distribution of payroll checks is a custody function. Thus, these two jobs should be performed by different people.

B. The rule in segregation of duties is that one person should not be in a position to commit fraud and also to cover it up. If the person who has custody of blank payroll checks has the authority to sign paychecks, that person could write a check to anyone at all and sign it, and no one else would see it.

Furthermore, the following four functions must always be done by different people: (1) Authorizing a transaction; (2) Recording the transaction, preparing source documents, maintaining journals; (3) Keeping physical custody of the related asset - for instance, receiving checks in the mail; and (4) The periodic reconciliation of the physical assets to the recorded amounts for those assets. In the example of the combination of signing paychecks and custody of blank payroll checks, the custody of the payroll checks (which by themselves are not assets) is a recordkeeping function, whereas the signing of the payroll checks is a custodianship function. Thus, these two jobs should be performed by different people.

C. The rule in segregation of duties is that one person should not be in a position to commit fraud and also to cover it up.

A person who approves time cards and also prepares the paychecks could approve hours that an employee had not worked and then pay that employee. No one else would be looking at the paychecks or the backup to the paychecks. Therefore, the opportunity to commit fraud would exist.

Furthermore, the following four functions must always be done by different people: (1) Authorizing a transaction; (2) Recording the transaction, preparing source documents, maintaining journals; (3) Keeping physical custody of the related asset - for instance, receiving checks in the mail; and (4) The periodic reconciliation of the physical assets to the recorded amounts for those assets.

In the example of the combination of approval of time cards and preparation of paychecks, approval of time cards comes under the classification of authorizing a transaction, whereas preparation of paychecks is classified as recordkeeping. Thus, these two jobs should be performed by different people.

D. The rule in segregation of duties is that one person should not be in a position to commit fraud and also to cover it up.

Timekeeping and preparation of payroll journal entries are two duties that can be done by the same person. Preparation of payroll journal entries is creating the entries to the accounting system that are used to record the payroll. It does not involve writing the payroll checks. So a person who records time for others can also create the entries to record the payroll in the accounting system, because there is nothing in those two duties that would give that person any additional opportunity to commit fraud and also cover it up.

A. Only copy number 1 is legal.

B. Only copy number 2 is legal.

C. Neither copy is legal.

D. Both copies are legal.

A. A backup copy is legal under the copyright law.

B. Any copy other than a backup copy is illegal and is a license violation.

C. One of the copies is indeed legal.

D. Only copy number 1 is legal.

Question 58 - CIA 1187 I.44 - Internal Auditing

Which of the following individuals would normally not receive an internal auditing report related to a review of the purchasing cycle?

A. The director of purchasing.

B. The independent external auditor.

C. The general auditor.

D. The chairman of the board of directors.

A. The director of purchasing should properly receive an internal audit report related to a review of the purchasing cycle because the report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit.

B. The internal audit report should be distributed to everyone who has a direct interest in the audit. The independent external auditor would have a direct interest in the audit and thus should receive a copy of the report.

C. The audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit.

D. The audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The board of directors usually should receive a summary report.

Question 59 - CIA 590 I.33 - Internal Auditing

In which section of the final report should the internal auditor describe the audit objectives?

A. Condition.

B. Purpose.

C. Criteria.

D. Scope.

A. The conditions found by the auditor are what actually exists (as compared and contrasted with what conditions should exist). The audit objectives are not part of the "Conditions" section of the audit report.

B. The audit objectives should be described in the "Purpose" section of the audit report.

C. The objectives of the audit are not part of the "Criteria" section of the audit report. The criteria section of the audit report contains information on what conditions should exist, i.e., the standards, measures, or expectations used in evaluating audit findings, or "what should be" the conditions that the actual conditions are to be compared and contrasted with.

D. The objectives of the audit are not part of the "Scope" section of the audit report. The scope section of the audit report contains information to identify what activities were audited, time period audited, and the extent and nature of the auditing that was performed.

Question 60 - CIA 1195 I.28 - Systems Controls and Security Measures

As organizations become more computer integrated, management is becoming increasingly concerned with the quality of access controls to the computer system. Which of the following provides the most accountability?

| | Option I | Option II | Option III | Option IV |
|---|---|---|---|---|
| Restrict access by: | Individuals | Groups | Individuals | Departments |
| Identify computer data at: | Field level | Workstation | Workstation | Individual record level |
| Restrict access: | Need to know | Right to know | Normal processing by employee type | Items identified as processed by department |
| Identify users by: | Password | Password | Key access to workstation, or password on workstation | Departmental password |
| Limit ability to: | Delete, add, or modify data | Add or delete files | Add, delete, or modify data stored at workstation | Add, delete, or modify data normally processed by department |

A. Option IV.

B. Option III.

C. Option II.

D. Option I.

A. Access to a computer system should be restricted to individuals who have a need to know, and the access should be consistent with their responsibility. The system should also be restricted at the field level, instead of at the workstation level. The problem with workstations is that they are connected to a larger network, and security may not be adequate. In addition, passwords should be required to identify the user; and users should be limited to deleting, adding and modifying data.

B. Access to a computer system should be restricted to individuals who have a need to know, and the access should be consistent with their responsibility. The system should also be restricted at the field level, instead of at the workstation level. The problem with workstations is that they are connected to a larger network, and security may not be adequate. In addition, passwords should be required to identify the user; and users should be limited to deleting, adding and modifying data.

C. Access to a computer system should be restricted to individuals who have a need to know, and the access should be consistent with their responsibility. The system should also be restricted at the field level, instead of at the

B. A review of interim financial statements as directed by an underwriting firm.
C. An operational audit of a division of an organization to determine if divisional management is complying with laws and regulations.
D. A review of financial statements and related disclosures in conjunction with a potential acquisition.

A. A review of operations as requested by the audit committee to determine whether the operations comply with audit committee and organizational policies is not a due diligence review.

B. A review of interim financial statements as directed by an underwriting firm is not a due diligence review.

C. An operational audit of a division of an organization to determine if divisional management is complying with laws and regulations is not a due diligence review.

D. A due diligence engagement is an investigative analysis of the financial and operating activities of an entity in connection with a proposed major transaction, such as a business combination. A due diligence engagement includes review of the company's strategic overview, business overview, accounting and information systems, sales, risk management, tax issues, and any other matters of importance in determining whether there is justification for the transaction.

Question 63 - CMA 685 5.25 - Systems Controls and Security Measures

Which one of the following is the best reason for developing a computer security plan?

A. All possible threats associated with the data processing equipment are identified.
B. The user departments can be assured that control policies are in place and their data files are secure.
C. A company can select the set of control policies and procedures that optimize computer security relative to cost.
D. Recovery from the damage associated with any identified threats can be assured.

A. It is not possible to identify all possible threats associated with data processing equipment.

B. Just because a computer security plan has been developed, that does not mean it has been implemented or that user departments can be assured of anything.

C. Developing a computer security plan gives management the opportunity to select the set of control policies and procedures that will safeguard physical facilities and provide for the safety, privacy, and integrity of the data while balancing the costs against the benefits.

D. It is not possible to have complete assurance of recovery from damage associated with any identified threats.

Question 64 - CIA 1196 3.39 - Systems Controls and Security Measures

In one company, the application systems must be in service 24 hours a day. The company’s senior management and information systems management have worked hard to ensure that the information systems recovery plan supports the business disaster recovery plan. A crucial aspect of recovery planning for the company is ensuring that:

A. Changes to systems are tested thoroughly before being placed into production.
B. Organizational and operational changes are reflected in the recovery plans.
C. Management personnel can fill in for operations staff should the need arise.
D. Capacity planning procedures accurately predict workload changes.

A. It is vital that changes to systems be tested thoroughly before being placed into production, but that is not a part of recovery planning.

D. An interim report should be issued during the audit process whenever there is something that needs to be addressed immediately, if there is a need to change the scope of the audit, or simply to keep people informed when the audit process is a long one. An interim report does not eliminate the need for a final report.

Question 67 - CIA 593 I.40 - Internal Auditing

The internal audit activity (IAA) for a chain of retail stores recently concluded an engagement to evaluate sales adjustments in all stores in the Southeast region. The engagement revealed that several stores are costing the organization substantial sums in duplicate credits to customers' charge accounts. The final engagement communication, published 8 weeks after the engagement was concluded, incorporated the internal auditors' recommendations to store management that should prevent duplicate credits to customers' accounts. Which of the following standards has been disregarded in the above case?

A. The internal auditors should have implemented appropriate corrective action as soon as the duplicate credits were discovered.
B. The follow-up actions were not adequate.
C. The final engagement communication was not timely.
D. Internal auditor recommendations should not be included in the final engagement communication.

 A. Internal auditors make recommendations; they do not implement corrective action.

B. No information is given on follow-up actions, so the adequacy of follow-up actions cannot be evaluated.

C. An oral report or interim written report should have been issued immediately to management, alerting them to the duplicate credit problem. Waiting until 8 weeks after the engagement to communicate recommendations regarding the problem was unacceptable.

D. Internal auditor recommendations should be included in the final engagement communication.

Question 68 - CMA 690 3.25 - Internal Controls

Auditors document their understanding of internal control with questionnaires, flowcharts, and narrative descriptions. A questionnaire consists of a series of questions concerning controls that auditors consider necessary to prevent or detect errors and irregularities. The most appropriate question designed to contribute to the auditors' understanding of the completeness of the expenditure cycle would concern the

A. Qualifications of accounting personnel.
B. Use and accountability of prenumbered checks.
C. Disposition of cash receipts.
D. Internal verification of quantities, prices, and mathematical accuracy of sales invoices.

 A. Qualifications of accounting personnel are unrelated to the controls over the expenditure cycle.

B. In understanding the completeness of the expenditure cycle, the auditor is interested in whether all the transactions have been recorded. If prenumbered checks are used sequentially, a gap in check numbers would be something for the auditor to investigate, because it may mean that there are unrecorded transactions.

C. Cash receipts are unrelated to the expenditure cycle and can contribute nothing to the auditors' understanding of the completeness of the expenditure cycle.

D. Verification of sales invoices will not contribute to an understanding of the completeness of the expenditure cycle, because sales invoices are part of the revenue cycle.

Question 69 - CIA 597 1.51 - Systems Controls and Security Measures

Which of the following statements is most accurate regarding the data security of an on-line computer system protected by an internal user-to-data access control program?

A. The use of this type of access control software will eliminate any significant control weaknesses.
B. Access to data is controlled by restricting specific terminals to specific applications.
C. Access to data is controlled by restricting specific applications to specific files.
D. Security will be dependent upon the controls over the issuance of user ID’s and user authentication.

 A. The use of access software alone does not address all access security risks.

B. This is a terminal-to-data authorization technique.

C. This is a job-to-data authorization technique.

D. The effective administration of user ID’s and authentication procedures is the key to enforcing personal accountability, the basis for the user-to-data authorization technique.

Question 70 - CIA 1193 II.8 - Internal Controls

Corporate directors, management, external auditors, and internal auditors all play important roles in creating a proper control environment. Top management is primarily responsible for

A. Establishing a proper environment and specifying an overall internal control structure.
B. Reviewing the reliability and integrity of financial information and the means used to collect and report such information.
C. Implementing and monitoring controls designed by the board of directors.
D. Ensuring that external and internal auditors adequately monitor the control environment.

A. It is management's responsibility to establish the proper control environment and to design an overall internal control structure.

B. Whereas management is responsible for establishing the proper control environment and designing an overall internal control structure, it is the responsibility of internal auditing to review the reliability and integrity of financial information and the means used to collect and report such information.

C. Although the board of directors has oversight responsibility, it is not the responsibility of the board of directors to design the controls.

D. Management's responsibility is not to ensure that external and internal auditors adequately monitor the control environment, because monitoring the control environment is not a responsibility of auditors. Management's responsibility is to monitor the control environment itself.

Question 71 - CIA 1189 I.9 - Internal Controls

An internal auditor noted that several shipments were not billed. To prevent recurrence of such nonbilling, the organization should

A. Undertake a validity check with customers as to orders placed.
B. Numerically sequence and independently account for all controlling documents (such as packing slips and shipping orders) when sales journal entries are recorded.
C. Undertake periodic tests of gross margin rates by product line and obtain explanations of significant departures from planned rates.
D. Release product for shipment only on the basis of credit approval by the credit manager or other authorized person.

 A. This would not prevent shipments from going out without being invoiced.

B. Packing slips should be produced for every shipment, and an invoice should be produced for every packing slip. If packing slips and invoices are numerically sequenced and accounted for when sales journal entries are recorded, unrecorded shipments or unauthorized shipments should be prevented or detected.

C. Although tests of gross margin rates can be used as an analytical procedure after the fact, it is not an effective way to prevent shipments from going out without being invoiced.

D. This would not prevent shipments from going out without being invoiced.

Question 72 - CMA 686 3.14 - Internal Controls

Which one of the following would not be considered an internal control structure policy or procedure relevant to a financial statement audit?

A. Comparison of physical inventory counts to perpetual inventory records.
B. Maintenance of control over unused checks.
C. Timely reporting and review of quality control results.
D. Periodic reconciliation of perpetual inventory records to the general ledger control account.

A. The periodic comparison of physical inventory counts to perpetual inventory records is important to ensure the accuracy of the financial statements.

B. Maintenance of control over unused checks is a very important internal control, because it is a method of safeguarding assets.

C. While timely reporting and review of quality control results is important to the manufacturing process, this is not an internal control structure policy or procedure that is relevant to a financial statement audit.

D. The periodic reconciliation of perpetual inventory records to the general ledger control account is important to ensure the accuracy of the financial statements.

Question 73 - CIA 592 I.45 - Internal Auditing

As an internal auditor for a multinational chemical producer, you have been assigned to an engagement at a local plant. This plant is similar in age, siting, and construction to two other plants owned by the same organization that have been recently cited for discharge of hazardous wastes. In addition, you are aware that chemicals manufactured at the plant release toxic by-products. Assume that you have evidence that the plant is discharging hazardous wastes. As a certified internal auditor (CIA), what is the appropriate communication requirement in this situation?

A. Send a copy of your engagement communication to the appropriate regulatory agency.
B. Issue an interim engagement communication to the appropriate levels of management.
C. Note the issue in your working papers but do not report it.
D. Ignore the issue because the regulatory inspectors are better qualified to assess the danger.

A. An internal auditor is not responsible for submitting a copy of the internal engagement communication to regulatory authorities.

B. Whenever a problem that requires immediate attention is discovered in an internal audit, an oral report or interim written report should be issued immediately to management, alerting them to the problem. In this case, the problem is a violation of a law.

C. This is a violation of a law, and it needs to be reported immediately to management in either an oral report or an interim report.

D. An internal auditor should evaluate controls relating to compliance with laws, regulations, and contracts.

Question 74 - CIA 594 II.50 - Internal Auditing

An internal auditor is conducting interviews of three employees who had access to a valuable asset that has disappeared. In conducting the interviews the internal auditor should

A. Not indicate that management will forgo prosecution if restitution is made.
B. Conduct the interviews in a group.
C. Respond to non-cooperation by threatening adverse consequences of such behavior.
D. Allow a suspect to return to work after the interview so as not to arouse suspicions.

A. An internal auditor should not indicate that management will forgo prosecution if restitution is made.

B. People should be interviewed individually in order to obtain their independent statements.

C. Threats are not productive. An attitude of seeking the truth is appropriate.

D. An internal auditor should not allow a suspect to return to work, because doing so could give the suspect an opportunity to destroy evidence. A suspect should be suspended pending further investigation.

Question 75 - CIA 589 I.40 - Internal Auditing

 A purpose of the internal auditors' exit interview with appropriate levels of management is to

A. Generate commitment for appropriate managerial action.
B. Present the final engagement communication to the chief executive officer.
C. Inform members of the board of engagement results.
D. Obtain information to evaluate internal control.

A. It is a courtesy to review the report with the person or department being audited, so the auditee knows what is being sent to his or her supervisors and will not be surprised by the report. This review may also allow the auditee to identify any inaccuracies in the report. The internal auditor and the auditee are present at this meeting, and one effect of the meeting should be to generate commitment from the auditee for appropriate corrective action.

B. It is a courtesy to review the report with the person or department being audited, so the auditee knows what is being sent to his or her supervisors and will not be surprised by the report. This review may also allow the auditee to identify any inaccuracies in the report. The internal auditor and the auditee are present at this meeting. The chief executive officer is not present.

C. It is a courtesy to review the report with the person or department being audited, so the auditee knows what is being sent to his or her supervisors and will not be surprised by the report. This review may also allow the auditee to identify any inaccuracies in the report. The internal auditor and the auditee are present at this meeting. The members of the board of directors are not present.

D. Obtaining information to evaluate internal control is done at the beginning of an audit, not at the end.

Question 76 - CIA 1191 II.25 - Internal Auditing

Which of the following audit procedures provides the best evidence about the collectibility of notes receivable?

A. Examination of notes for appropriate debtors' signatures.
B. Examination of cash receipts records to determine promptness of interest and principal payments.
C. Reconciliation of the detail of notes receivable and the provision for uncollectible amounts to the general ledger control.
D. Positive confirmation of note receivable balances with the debtors.

A. Examination of notes for appropriate debtors' signatures establishes that the notes were documented correctly and that the documentation is valid. However, it does not provide evidence of their collectibility.

B. Examination of cash receipts records to determine promptness of interest and principal payments provides the best evidence for the collectibility of the notes receivable. A history of late payments creates question as to whether any individual note is collectible.

C. Reconciliation of the detail of notes receivable and the provision for uncollectible amounts to the general ledger control establishes that the general ledger balance is equal to the total of the detail supporting it. It does not provide evidence of the collectibility of the notes receivable.

D. Balance confirmation provides evidence that the notes receivable exist, but it does not provide evidence of their collectibility.

Question 77 - CIA 586 II.17 - Internal Controls

 Appropriate control over obsolete materials requires that they be

A. Carried at cost in the accounting records until the actual disposition takes place.
B. Determined by an approved authority to be lacking in regular usability.
C. Sorted, treated, and packaged before disposition takes place, in order to obtain the best selling price.
D. Retained within the regular storage area.

A. When inventory has been determined to be obsolete, it should be valued at the lower of cost or market. If market value is lower than historical cost, the amount used for the market value is normally net realizable value, which is the expected selling price less costs to sell.

B. An accountant or auditor is not the appropriate person to determine when inventory is obsolete. That determination should be made by someone with the necessary knowledge to make the determination. Furthermore, the person who makes the determination of inventory's usability should be a different person from the person who has custody over the inventory and also should be a different person from the one who authorizes its disposal. Otherwise, a person with the authority to declare inventory unusable and therefore valueless might subsequently "dispose" of it by selling it and pocketing the proceeds.

C. There is no such rule. While sorting, treating and packaging may be appropriate in some cases, in other cases this would not be appropriate because the costs of these actions may be more than the inventory could be sold for.

D. Obsolete materials should be stored in an area that is separate from usable inventory.

Question 78 - CIA 594 I.57 - Internal Auditing

A director of internal auditing has to determine how an organization can be divided into auditable activities. Which of the following is an auditable activity?

A. A system.
B. An account.
C. A procedure.
D. All of the answers given.

 A. While a system is an auditable activity, it is not the only auditable activity in the list.

B. While an account is an auditable activity, it is not the only auditable activity in the list.

C. While a procedure is an auditable activity, it is not the only auditable activity in the list.

D. Procedures, systems, and accounts are all auditable activities.

Question 79 - CIA 589 II.2 - Internal Auditing

The authority of the internal audit activity is limited to that granted by

A. Management and the board.
B. The audit committee and the chief financial officer.
C. Senior management and the Standards.
D. The board and the controller.

A. Management and the board of directors grant authority to the internal audit activity.

B. No single officer and no single committee grant authority to the internal audit activity.

C. The Standards do not grant authority to the internal audit activity.

D. No single manager grants authority to the internal audit activity.

Question 80 - CIA 588 II.15 - Internal Auditing

The effectiveness of an audit assignment is related to the findings and the action taken on those findings. Which of the following activities contributes to assignment effectiveness?

A. Adhering to a time budget.
B. Conducting an exit interview with auditees.
C. Having budget revisions approved by the project supervisor.
D. Preparing weekly time reports.

A. Adhering to a time budget is important for audit efficiency and economy, but it does not contribute to assignment effectiveness.

B. It is a courtesy to review the report with the person or department being audited, so the auditee knows what is being sent to his or her supervisors and will not be surprised by the report. This review may also allow the auditee to identify any inaccuracies in the report. The internal auditor and the auditee are present at this meeting, and one effect of the meeting should be to generate commitment from the auditee for appropriate corrective action.

C. Having budget revisions approved by the project supervisor is important for audit efficiency, but it does not contribute to assignment effectiveness.

D. Preparing weekly time reports is important for audit efficiency, but it does not contribute to assignment effectiveness.

Question 81 - CIA 1190 II.7 - Internal Controls

Which of the following features of a large manufacturer's organizational structure is a control weakness?

A. The chief financial officer is a vice president who reports to the chief executive officer.
B. The controller and treasurer report to the chief financial officer.
C. The information systems department is headed by a vice president who reports directly to the president.
D. The audit committee of the board consists of the chief executive officer, the chief financial officer, and a major shareholder.

 A. It is appropriate for the chief financial officer to report to the chief executive officer.

B. It is appropriate for the controller and the treasurer to report to the chief financial officer.

C. It is appropriate for the vice president in charge of information systems to report directly to the president.

D. According to Sarbanes-Oxley, the audit committee must consist of directors who are independent of management. Thus, the chief executive officer and the chief financial officer may not be included.

Question 82 - CMA 690 3.26 - Internal Controls

Control risk is the risk that a material misstatement in an account will not be prevented or detected on a timely basis by the client's internal control structure policies or procedures. The best control procedure to prevent or detect fictitious payroll transactions is

A. To use and account for prenumbered payroll checks.
B. Internal verification of authorized pay rates, computations, and agreement with the payroll register.
C. Personnel department authorization for hiring, pay rate, job status, and termination.
D. Periodic independent bank reconciliations of the payroll bank account.

A. The use of pre-numbered payroll checks is a control procedure that ensures that all checks are accounted for in the accounting records. However, it would not prevent or detect fictitious payroll transactions.

B. Although these are important controls, they would not prevent or detect fictitious payroll transactions.

C. The personnel department should authorize all hiring, pay rates, job status changes, and terminations. This is the authorization function, and it should be separate from the recording function, which is performed by the payroll department.

D. Reconciliations of the payroll bank account would not prevent or detect fictitious payroll transactions.

Question 83 - CIA 593 I.36 - Internal Auditing

An engagement performed at an organization's payroll department has revealed various control weaknesses. These weaknesses along with recommendations for corrective actions were addressed in the final engagement communication. This communication should be most useful to the organization's

A. Treasurer.
B. President.
C. Audit committee of the board of directors.
D. Payroll manager.

A. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The treasurer is not responsible for the payroll function.

B. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The president is not responsible for the payroll function.

C. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The audit committee of the board of directors is not responsible for the payroll function.

D. The full audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit. The payroll manager has responsibility for the payroll function and thus this communication should be most useful to that person.

Question 84 - CIA 1192 I.3 - Internal Auditing

In the performance of an internal audit, audit risk is best defined as the risk that an auditor 

A. Might not select documents that are in error as part of the examination.
B. May fail to detect a significant error or weakness during an examination.
C. May not be able to properly evaluate an activity because of its poor internal accounting controls.
D. May not have the expertise to adequately audit a specific activity.

A. If an auditor did not select documents that were in error and therefore concluded that the population was accurate, when in fact there were numerous errors in it, that would be a "Type II error," or "beta risk," because the population has been accepted incorrectly. This is not audit risk.

B. Audit risk is the risk that an auditor will give an unqualified (everything is fine) opinion, when in reality there is one or more than one material misstatement.

C. If an auditor were not able to properly evaluate an activity because of its poor internal accounting controls, control risk would be assessed as very high. This would increase audit risk, since audit risk is the product of inherent risk,

management their findings, along with suggestions and recommendations for improvement. This is done by means of a written, formal internal audit report.

B. While the external auditors may review internal audit reports in order to determine their potential reliance on the internal auditors for their independent audit, this is not the primary reason for having written, formal internal audit reports.

C. The responsibility of internal auditors is to compare "what is" with "what should be" and report to management their findings, along with suggestions and recommendations for improvement. The internal auditor has no authority to direct senior management to take corrective action.

D. An audit report does not need to be a written, formal report in order for the auditee to provide a response.

Question 87 - CIA 592 II.15 - Internal Controls

A utility company with a large investment in repair vehicles would most likely implement which internal control to reduce the risk of vehicle theft or loss?

A. Physically inventory vehicles and reconcile the results with the accounting records.
B. Review insurance coverage for adequacy.
C. Systematically account for all repair work orders.
D. Maintain vehicles in a secured location with release and return subject to approval by a custodian.

A. Periodically taking a physical inventory and reconciling the results with the accounting records is an important detective control. However, it will not prevent loss or theft.

B. Insurance provides for reimbursement of losses, but it does not prevent loss or theft.

C. Systematically accounting for repair work orders will not affect the risk of loss or theft of vehicles.

D. Maintaining the vehicles in a secured location with release and return approved by a custodian is a preventive control, because it requires the approval of the custodian for any release or return of vehicles.

Question 88 - CIA 596 I.57 - Systems Controls and Security Measures

Which one of the following input controls or edit checks would catch certain types of errors within the payment amount field of a transaction?

A. Check digit.
B. Echo check.
C. Limit check.
D. Record count.

A. A check digit is used for determining whether a number has been input properly. A check digit is a digit (for example, the last digit in a series of numbers) that is a function of the other digits within the set of numbers. If a typographical error is made in input, the check digit should recognize that something has been input incorrectly because the check digit won't "check." This would only work with numbers that can be known in advance, however, such as part numbers or account numbers, so that the check digit checking process could be properly programmed and the numbers could be assigned correctly. Payment amounts can be any amount at all, and there would be no way to use a check digit with that because there would be nothing to check against.

B. Echo check is the process of sending the received data back to the sending computer to compare with what was actually sent to make sure that it is the same. For example, a CPU will send a signal to the printer, and the printer, prior to printing, will send a signal back to the CPU stating that the proper print position has been activated.

C. A limit and range check is simply a maximum or minimum number for a record. For example, the number of days worked in a week cannot exceed 7.

D. A record count counts the number of records processed.

Question 89 - CIA 1191 I.10 - Internal Auditing

During an operational engagement, the internal auditors compare the current staffing of a department with established industry standards to

A. Evaluate the adequacy of the established internal controls for the department.
B. Identify bogus employees on the department's payroll.
C. Assess the current performance of the department and make appropriate recommendations for improvement.
D. Determine whether the department has complied with all laws and regulations governing its personnel.

A. An operational audit does involve examining and evaluating systems of internal control. However, the internal auditors would not compare the current staffing of a department with established industry standards for the purpose of evaluating the adequacy of the established internal controls for the department. There is no connection between the two things.

B. An operational audit involves examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. Thus the focus would not be on identifying bogus employees on the department's payroll.

C. An operational audit involves examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. The focus of an operational audit is on efficiency, effectiveness and economy. Thus, the internal auditors would compare the current staffing of a department with established industry standards in order to assess the current performance of the department and make appropriate recommendations for improvement.

D. An operational audit involves examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. The focus of an operational audit is on efficiency, effectiveness and economy. Thus in an operational audit, the internal auditors would not compare the current staffing of a department with established industry standards for the purpose of determining whether the department has complied with all laws and regulations governing its personnel. Not only would the first not achieve the second, but determining whether the department has complied with laws and regulations in its personnel function would be the focus of a compliance audit, not an operational audit.

Question 90 - CIA 591 I.26 - Internal Auditing

An internal auditor discovered an error in a receivable due from a major stockholder. The receivable's balance accounts for less than 1% of the company's total receivables. Would the auditor be likely to consider the error to be material?

A. Yes, because a related party is involved.
B. Yes, if audit risk is low.
C. No, because a small dollar amount is in error.
D. No, if there will be further transactions with this stockholder.

A. Audit risk and materiality are used to determine the nature, timing, and extent of audit procedures to be completed, as well as their evaluation. Audit risk is the risk that an auditor will give an unqualified (everything is fine) opinion, when in reality there is one or more than one material misstatement. The risk of a material misstatement is the calculated result of the multiplication of three risk factors. These three risks are (1) inherent risk, the risk that is natural in an element of the financial statements or the function being audited, assuming that there are no controls; (2) control risk, the risk that an internal control will not prevent or detect a material misstatement in a timely manner; and (3) detection risk, the risk that an auditor will not detect a material misstatement in the financial statements through their audit testing. Since related party transactions have a higher inherent risk than other transactions, the audit risk will be higher than with other transactions. Therefore, the auditor is more likely to consider the error to be material.

B. Audit risk and materiality are used to determine the nature, timing, and extent of audit procedures to be completed, as well as their evaluation. Audit risk is the risk that an auditor will give an unqualified (everything is fine) opinion, when in reality there is one or more than one material misstatement. The risk of a material misstatement is the calculated result of the multiplication of three risk factors. These three risks are (1) inherent risk (the risk that is natural in an element of the financial statements or the function being audited, assuming that there are no controls); (2) control risk (the risk that an internal control will not prevent or detect a material misstatement in a timely manner); and (3) detection risk (the risk that an auditor will not detect a material misstatement in the financial statements through their audit testing). Since related party transactions have a higher inherent risk than other transactions, the audit risk will actually be higher in this situation. When audit risk is higher, an auditor is more likely to consider the error to be material.

C. Audit risk and materiality are used to determine the nature, timing, and extent of audit procedures to be completed, as well as their evaluation. Audit risk is the risk that an auditor will give an unqualified (everything is fine) opinion, when in reality there is one or more than one material misstatement. The risk of a material misstatement is the calculated result of the multiplication of three risk factors. These three risks are (1) inherent risk, the risk that is natural in an element of the financial statements or the function being audited, assuming that there are no controls; (2) control risk, the risk that an internal control will not prevent or detect a material misstatement in a timely manner; and (3) detection risk, the risk that an auditor will not detect a material misstatement in the financial statements through their audit testing. Since related party transactions have a higher inherent risk than other transactions, the audit risk will be higher than with other transactions. Therefore, the auditor is more likely to consider the error to be material even though the amount of the error is small.

D. Audit risk and materiality are used to determine the nature, timing, and extent of audit procedures to be completed, as well as their evaluation. Audit risk is the risk that an auditor will give an unqualified (everything is fine) opinion, when in reality there is one or more than one material misstatement. The risk of a material misstatement is the calculated result of the multiplication of three risk factors. These three risks are (1) inherent risk, the risk that is natural in an element of the financial statements or the function being audited, assuming that there are no controls; (2) control risk, the risk that an internal control will not prevent or detect a material misstatement in a timely manner; and (3) detection risk, the risk that an auditor will not detect a material misstatement in the financial statements through their audit testing. Since related party transactions have a higher inherent risk than other transactions, the audit risk will actually be higher than with other transactions and will increase with further transactions with the same stockholder. When audit risk is higher, an auditor is more likely to consider the error to be material.

Question 91 - CIA 1190 I.18 - Internal Controls

A multinational corporation has an office in a foreign branch with a monetary transfer facility. Effective internal control requires that

A. The branch manager not deliver payroll checks to employees.
B. The person making wire transfers not reconcile the bank statement.
C. Foreign currency translation rates be computed separately by two branch employees in the same department.
D. The hiring of individual branch employees be approved by the headquarters office.

A. Distributing payroll checks to employees is a custody function. Assuming the branch manager does not have any other duties that are incompatible with performing a custody function, there is nothing wrong with the branch manager distributing payroll checks to employees.

B. People who make disbursements should not also reconcile the bank statement. Making disbursements is a custody function, whereas reconciling the bank statement is a reconciliation function. If the same person were to perform both of these functions, that person could have an opportunity to misappropriate funds and conceal the misappropriation.

C. Foreign currency translation rates are set by the market and can be checked and verified, but they are not computed.

D. Having the headquarters office approve the hiring of individual branch employees does not relate to internal control but rather to where authority in the organization is assigned.

Question 92 - CIA 592 I.23 - Internal Auditing

An internal auditor would trace copies of sales invoices to shipping documents in order to determine that

A. Customer shipments were billed.
B. The subsidiary accounts receivable ledger was updated.
C. Shipments to customers were also recorded as receivables.
D. Sales that are billed were also shipped.

A. Since the tracing is starting with copies of sales invoices and then comparing them to shipping documents, this procedure would not determine that all shipments to customers have been billed.

B. Tracing copies of sales invoices to shipping documents will not determine that the subsidiary accounts receivable ledger was updated.

C. Tracing copies of sales invoices to shipping documents will not determine that all shipments to customers have also been recorded as receivables.

D. If all the invoices in the sample can be correctly matched with shipping documents then there is some assurance that all or most items billed are also shipped.

Question 93 - CIA 597 I.58 - Internal Auditing

Which of the following statements is (are) correct regarding the deterrence of fraud?

I. The primary means of deterring fraud is through an effective control system initiated by senior management.

II. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy of the internal control system.

III. Internal auditors should determine whether communication channels provide management with adequate and reliable information regarding the effectiveness of the control system and the occurrence of unusual transactions.

A. II only.
B. I and II only.
C. I, II, and III.
D. I only.

A. An internal audit program that evaluates the adequacy of the internal control system is important, but it is not the only listed activity that is correct regarding the deterrence of fraud.

B. An effective control system and an internal audit program that evaluates the adequacy of the internal control system are important. However, they are not the only listed activities that are correct regarding the deterrence of fraud.

C. An effective control system, an internal audit program that evaluates the adequacy of the internal control system, and an adequate communication channel to provide management with reliable information regarding internal control issues are all important deterrents to fraud.

D. An effective control system initiated by senior management is important, but it is not the only listed activity that is correct regarding the deterrence of fraud.

Question 94 - CIA 1190 II.43 - Internal Auditing

Which of the following is a proper element in an audit findings section of a report?

A. Significance of deficiencies.
B. Engagement plan.
C. Personnel used.
D. Status of findings from prior reports.

A. The significance of deficiencies found is an audit finding and does belong in the audit findings section of the audit report.

B. The engagement plan does not belong in the audit findings section of the audit report.

C. Personnel used does not belong in the audit findings section of the audit report.

D. The status of findings from prior reports (i.e., corrective actions taken) does not belong in the audit findings section of the audit report.

Question 95 - CMA 690 5.8 - Internal Controls

Organizational independence in the processing of payroll is achieved by functional separations that are built into the system. Which one of the following functional separations is not required for internal control purposes?

A. Separation of timekeeping from payroll preparation.
B. Separation of payroll preparation and maintenance of year-to-date records.
C. Separation of personnel function from payroll preparation.
D. Separation of payroll preparation and paycheck distribution.

A. Separation of timekeeping from payroll preparation is required for internal control purposes because a person doing both jobs could enter fraudulent hours for an employee and then also do the input and prepare the paycheck to pay that employee for the fraudulent hours. The rule in segregation of duties is that one person should not be in a position to commit fraud and also to cover it up, which can happen if there is no second person involved in the process, looking at the timekeeping data.

B. The rule in segregation of duties is that one person should not be in a position to commit fraud and also to cover it up. It would be appropriate for the person who prepares the payroll to also maintain year-to-date records. There is nothing in these two duties that would give one person doing both of them an opportunity to commit fraud and also to cover it up.

Furthermore, payroll preparation and maintenance of year-to-date records are both recordkeeping functions and for that reason, they are not incompatible. It is acceptable for both functions to be performed by the same person.

C. The personnel function is an authorization function, whereas payroll preparation is a recordkeeping function. These two functions are incompatible and should be separated.

D. The rule in segregation of duties is that one person should not be in a position to commit fraud and also to cover it up. If one person were to prepare the payroll and also distribute the paychecks, no second person would have a chance to see them before they were distributed. The opportunity would exist to commit fraud without anyone noticing.

Question 96 - ICMA 10.P1.250 - Internal Auditing

Which one of the following statements regarding internal auditing responsibility and authority is incorrect?

A. Internal auditors are expected to comply with standards of professional conduct.
B. Internal auditors are responsible to service the organization.
C. The understandability of audit reports is the responsibility of internal auditors.
D. Follow-up on actions noted in audit findings is not required of internal auditors.

A. The practice of internal auditing is governed by the International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors. Internal auditors are expected to comply with these standards.

B. The responsibility of the internal auditor is to review and appraise policies, procedures, plans and records for the purpose of informing and advising management. Unlike external auditors, whose responsibility is to issue an opinion on the accuracy and fairness of management’s assertions regarding the financial statements, the responsibility of the internal auditor is to compare "what is" in the company with "what should be" in the company and report to management their findings. In addition to their findings, the internal auditor develops and communicates suggestions and recommendations for improvement.

C. The chief audit executive must communicate results of the engagement to the appropriate parties (Internal Auditing Standard No. 2440). Communications must be accurate, objective, clear, concise, constructive, complete, and timely (Internal Auditing Standard No. 2420). Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.

D. Internal Auditing Standards require that internal auditors follow up on the actions taken by auditees in regards to any deficiencies found. The auditor should determine that either corrective action has been taken, or that management has assumed the risk of not taking corrective action.

Question 97 - CIA 592 I.44 - Internal Auditing

While performing an operational audit of the firm's production cycle, an internal auditor discovers that, in the absence of specific guidelines, some engineers and buyers routinely accept vacation trips paid by certain of the firm's vendors. Other engineers and buyers will not accept even a working lunch paid for by a vendor. Which of the following actions should the internal auditor take?

A. Informally counsel the engineers and buyers who accept the vacation trips. This helps prevent the possibility of kickbacks, while preserving good auditor-auditee relations.
B. None. The engineers and buyers are professionals. It is inappropriate for an internal auditor to interfere in what is essentially a personal decision.
C. Formally recommend that the organization establish a corporate code of ethics. Guidelines of acceptable conduct, within which individual decisions may be made, should be provided.
D. Issue a formal deficiency report naming the personnel who accept vacations but make no recommendations. Corrective action is the responsibility of management.

A. It is the responsibility of the internal auditor to make a formal report of all deficiencies found in the audit.

B. It is the responsibility of the internal auditor to make a formal report of all deficiencies found in the audit.

C. Since the organization has no specific guidelines, the auditor's report should include a recommendation that a code of ethics be adopted in order to provide employees with guidelines for acceptable conduct.

D. Since the organization has no specific guidelines, the deficiency is not that some engineers and buyers routinely accept vacation trips paid by certain of the firm's vendors. The deficiency is that the organization has no corporate code of ethics to provide personnel with guidelines for acceptable conduct.

Question 98 - CIA 596 3.42 - Systems Controls and Security Measures

A mortgage broker prepared sample mortgage payment schedules on a personal computer to illustrate different payment plans to prospective loan customers. The schedules were especially helpful for loans with variable rates because the schedules illustrated how loan balances would fluctuate over multi-year horizons with different interest rate trends. The mortgage company's literature was not nearly as helpful, and the broker was convinced the schedules helped customers understand and appreciate the sophisticated loan types, which led to more loans.

The potential risk of erroneous logic in the schedules could best be minimized by:

A. Adequate independent testing of the application.
B. Designing control procedures for sharing the schedules.
C. Ensuring adequate backup procedures for the application.
D. Requiring adequate documentation for the schedules.

A. Any potential risk of erroneous logic in the schedules could be minimized by adequate independent testing of the application to detect any errors that the broker could not recognize.

B. To the extent the schedules are shared with other brokers, there should be adequate control procedures, but that would not detect or correct logic errors in the schedules.

C. The application should have adequate backup procedures, but that would not detect or correct logic errors in the schedules.

D. There should be adequate documentation for the schedules, but that would not detect or correct logic errors in the schedules.

Question 99 - CIA 593 I.19 - Internal Auditing

To control daily operating costs, an organization decreased the number of times a messenger service was used each day. Despite those measures, the monthly bill continued to increase. What procedure should the internal auditor use to detect whether improper services were being billed?

A. Scan ledger accounts and messenger invoices.
B. Reconcile a sample of messenger invoices to pickup receipts.
C. Observe daily use of the messenger service.
D. Test the mathematical accuracy of a sample of messenger invoices.

A. Scanning ledger accounts and messenger invoices will not detect whether the company is being billed by the messenger service for services not received.

B. Reconciling a sample of messenger invoices to pickup receipts should detect whether the company is being billed by the messenger service for services not received.

C. While observing daily use of the messenger service might detect whether the company is being billed by the messenger service for services not received, it is not a cost-effective means of testing because it would require too much time in observation.

D. Testing the mathematical accuracy of a sample of messenger invoices will not detect whether the company is being billed by the messenger service for services not received.

Question 100 - CIA 1187 I.42 - Internal Auditing

Which of the following situations is most likely to be the subject of a written interim report to management of a department being audited?

A. Open burning at a subsidiary plant is a possible violation of pollution regulations.
B. The auditors have decided to substitute survey procedures for some of the planned detailed review of certain records.
C. 70% of the planned audit work has been completed with no significant adverse findings.
D. The audit program has been expanded because of indications of possible fraud.

A. An interim report should be issued during the audit process whenever there is something that needs to be addressed immediately, or if there is a need to change the scope of the audit, or simply to keep people informed when the audit process is a long one. Open burning at a subsidiary plant which is a possible violation of pollution regulations is a situation in which an interim report is indicated because it is something that needs to be addressed immediately.

B. An interim report should be issued during the audit process whenever there is something that needs to be addressed immediately, if there is a need to change the scope of the audit, or simply to keep people informed when the audit process is a long one. The auditors' decision to substitute survey procedures for some of the planned detailed review of certain records is not a situation in which an interim report should be issued.

C. An interim report should be issued during the audit process whenever there is something that needs to be addressed immediately, if there is a need to change the scope of the audit, or simply to keep people informed when the audit process is a long one. No significant adverse findings after 70% of the planned audit work has been completed is not a situation in which an interim report should be issued.

D. An interim report should be issued during the audit process whenever there is something that needs to be addressed immediately, if there is a need to change the scope of the audit, or simply to keep people informed when the audit process is a long one. While an indication of possible fraud implies that additional investigation is required, it is not a situation in which an interim report should be issued.

Question 101 - CIA 593 II.37 - Internal Auditing

An internal auditor has just completed an engagement and is in the process of preparing the final engagement communication. The observations in the final engagement communication should include

A. Statements of opinion about the cause of an observation.
B. Statements concerning potential future events that may be helpful to the engagement client.
C. Statements of both fact and opinion developed during the course of the engagement.
D. Pertinent factual statements concerning the control weaknesses uncovered during the course of the engagement.

A. The final engagement communication should contain observations that are objective and factual. A statement of opinion about the cause of an observation is inappropriate.

B. The final engagement communication should contain observations that are objective and factual. A statement concerning potential future events is inappropriate.

C. The final engagement communication should contain observations that are objective and factual.

D. The final engagement communication should contain observations that are objective and factual. Pertinent factual statements concerning the control weaknesses uncovered during the course of the engagement would be appropriately included.

Question 102 - CIA 595 I.60 - Internal Auditing

It has been established that an internal auditing charter is one of the more important factors positively affecting the internal auditing department's independence. Which of the following would not be an important element to include in the Charter?

A. The scope of internal auditing activities.
B. The department's access to personnel within the organization.
C. The department's access to records within the organization.
D. The length of tenure for the chief audit executive.

A. The charter defines the scope of internal audit activities.

B. The charter authorizes access to personnel within the organization.

C. The charter authorizes the internal audit activity's access to records within the organization.

D. The charter does not specify the length of tenure of the chief audit executive.

Question 103 - CIA 596 1.8 - Systems Controls and Security Measures

An electric utility company records capital and maintenance expenditures through the use of a computerized project tracking system. Labor, material, and overhead are charged to the applicable project number. Monthly reports are produced which detail individual charges to each project, and expenditure totals are provided for the current month, fiscal year, and project life to date.

In order to prevent maintenance materials from being charged incorrectly to capital projects, the accounting information system should:

A. Use tables of project numbers and material requirements.
B. Verify that the project number being entered contains the required number of characters.
C. Require internal file labels for inventory transactions.
D. Authenticate the user identification and verify the input location.

A. Tables of predefined project numbers and material requirements would allow only acceptable jobs to be recorded.

B. Verifying the number of characters does not prevent incorrect charges, only incomplete ones.

C. Internal file labels address processing of data, not the prevention of data errors.

D. System security does not address data accuracy.

Question 104 - CMA 1288 3.23 - Internal Controls

In a well designed internal control system, two tasks that should be performed by different persons are

A. Posting of amounts from both the cash receipts journal and cash payments journal to the general ledger.
B. Distribution of payroll checks and approval of sales returns for credit.
C. Recording of cash receipts and preparation of bank reconciliations.
D. Approval of bad debt write-offs, and reconciliation of the accounts payable subsidiary ledger and controlling account.

A. Posting to the general ledger is a recordkeeping function, and the fact that posting is done for both cash receipts and cash payments does not create an incompatibility, since they are different functions.

B. Even though distribution of payroll checks is a custodial function and approval of sales returns is an authorization function, since the two functions are unrelated, there is no incompatibility between them.

C. Recording of cash receipts is a recordkeeping function and preparation of bank reconciliations is a reconciliation function. If the same person were to perform both functions, that person could misappropriate cash payments and conceal the misappropriation by falsifying the reconciliation.

D. Since approval of bad debt write-offs is an accounts receivable authorization function and reconciliation of accounts payable is an accounts payable reconciliation function, there is no incompatibility between the two functions.

Question 105 - CIA 598 3.49 - Systems Controls and Security Measures

Minimizing the likelihood of unauthorized editing of production programs, job control language, and operating system software can best be accomplished by

A. Effective network security software.
B. Database access reviews.
C. Compliance reviews.
D. Good change-control procedures.

A. The purpose of network security software is to provide logical controls over the network.

B. Frequently, the purpose of database reviews is to determine if: (1) users have gained access to database areas for which they have no authorization, and (2) authorized users can access the database using programs that provide them with unauthorized privileges to view and/or change information.

C. The purpose of compliance reviews is to determine whether an organization has complied with applicable internal and external procedures and regulations.

D. Change control is the process of strictly controlling changes to a system or program. All changes should require authorization by the appropriate personnel, and when a system or program is changed, the changes should not be made to the copy of the program that is being used, but rather to a copy. And any changes must also be properly reflected in all of the related documentation to ensure that changes have a minimal impact on processing and result in minimal risk to the system.

Program change control comprises: (1) maintaining records of change authorizations, code changes, and test results; (2) adhering to a systems development methodology (including documentation); (3) authorizing changeovers of subsidiary and headquarters' interfaces; and (4) restricting access to authorized source and executable codes.

Question 106 - CIA 1186 I.7 - Internal Controls

An auditor noted that the accounts receivable department is separate from other accounting activities. Credit is approved by a separate credit department. Control accounts and subsidiary ledgers are balanced monthly. Similarly, accounts are aged monthly. The accounts receivable manager writes off delinquent accounts after 1 year, or sooner if a bankruptcy or other unusual circumstances are involved. Credit memoranda are prenumbered and must correlate with receiving reports. Which of the following areas could be viewed as an internal control weakness of the above organization?

A. Monthly aging of receivables.
B. Credit approvals.
C. Handling of credit memos.
D. Write-offs of delinquent accounts.

A. Monthly aging of receivables is not a control weakness but is an appropriate control procedure.

B. Credit is approved by a separate credit department, which is appropriate segregation of duties.

C. The controls on credit memoranda are appropriate. The credit memoranda are prenumbered and also there is a procedure in place to verify that the goods being credited to the customer were in fact received back from the customer.

D. If the accounts receivable manager is both approving the write-offs of delinquent accounts and performing the write-off, this is a weakness in internal control. The person who authorizes a transaction should be different from the person who records the transaction.

Question 107 - ICMA 10.P1.263 - Systems Controls and Security Measures

The data entry staff of National Manufacturing Inc. has responsibility for converting all of the plant's shipping information to computerized records. The information flow begins when the shipping department sends a copy of a shipping order to the data entry staff. A data entry operator scans the shipping order information onto a hand-held data storage device. Verification clerks then check the computerized record with the original shipping orders. When a given batch of files has been reviewed and corrected, as necessary, the information is uploaded to the company's mainframe system at the home office.

The most effective way to visualize and understand this set of activities would be through the use of a

A. document flowchart.
B. Gantt chart.
C. program flowchart.
D. decision table.

A. A document flowchart would be the best way to visualize and understand this set of activities. A flowchart is used to show visually the stages of a process. Flowcharts are usually used in computer systems or other business applications. They provide step-by-step information to help the people using them understand the steps of a project or a system. A document flowchart traces the movement of a document, such as an internal memo, payroll information or interoffice mail, through a system. It shows how a document passes from one part of the company to another.

B. A Gantt chart is a type of bar chart used to illustrate a schedule for a project with several tasks, each of which has a start and finish date, and some of which may depend on the previous completion of another task.

In a Gantt chart, a project is divided into parts and activities or tasks that are plotted on a chart with the tasks listed on the left side and time across the top or bottom. The tasks are then placed into the time frame during which they need to be completed, showing their start and finish dates. Gantt charts can be used to show current project status using percentage-complete shadings in the bars.

A Gantt chart would not be an appropriate way to visualize and understand this set of activities, because the various activities as described here are ongoing. They don't have specific start and finish dates.

C. A program flowchart would not be an appropriate way to visualize and understand this set of activities. A program flowchart demonstrates how a program works within a system. Using boxes of different shapes and arrows, it shows all user-interaction pathways. Program charts can be very large and complex. However, they are useful for mapping an entire program.

D. A decision table would not be an appropriate way to visualize and understand this set of activities. A decision table is used as an aid in making decisions. A decision table shows possible sets of conditions and the actions resulting from them when the logic can be easily presented in table format. They can also be used to verify the completeness and consistency of a process involving different actions under different conditions. Decision tables work better than decision trees for very complex or extensive sets of conditions.

Question 108 - CIA 598 3.54 - Systems Controls and Security Measures

Which of the following statements regarding security of electronic mail is correct?

A. All messages on the Internet are encrypted thereby providing enhanced security.
B. Passwords are effective in preventing casual access to another's electronic mail.
C. Passwords are not needed with discretionary access control.
D. Supervisory-level access to the file server containing electronic messages would not give access to the file containing electronic mail messages without first decrypting the security control log.

A. Messages on the Internet are not encrypted. It is the sender and receiver's responsibility to encrypt confidential information.

B. Passwords are effective against the casual intruder.

C. Discretionary access does not completely eliminate the need for passwords.

D. If someone gains access to the server, they can download the file of messages and gain access to the messages without working with any security log.

Question 109 - CIA 1192 I.44 - Internal Auditing

Internal audit reports should contain the purpose, scope, and results. The audit results should contain the criteria, condition, effect, and cause of the finding. The cause can best be described as

A. Reason for the difference between the expected and actual conditions.
B. Resultant evaluations of the effects of the findings.
C. The risk or exposure because of the condition found.
D. Factual evidence that the internal auditor found.

A. The reason for difference between expected conditions and actual conditions is the cause of the finding.

B. Resultant evaluations of the effects of the findings are not the cause of the finding.

C. The risk or exposure because of a condition found is not the cause of the finding.

D. Factual evidence is not the cause of the finding.

Question 110 - CIA 1193 I.24 - Systems Controls and Security Measures

Your firm has recently converted its purchasing cycle from a manual process to an online computer system. Which of the following is a probable result associated with conversion to the new automatic system?

A. The firm's risk exposures are reduced.
B. Traditional duties are less segregated.
C. Processing errors are increased.
D. Processing time is increased.

A. Converting to an online system does not reduce the firm's risk exposures.

B. Manual systems usually have distinct segregation of duties, i.e., authorization, recording, physical custody of assets, and periodic reconciliation. However, in a computer system this distinction is not always as clear since the computer might print the checks, record the transaction and reconcile the account balances.

C. If the computer system is error free then processing errors will be decreased.

D. An advantage of converting to an online system is the reduction of processing time.

Question 111 - ICMA 10.P1.247 - Internal Controls

Which one of the following would be most effective in deterring the commission of fraud?

A. Hiring ethical employees, employee training, and segregation of duties.
B. Employee training, segregation of duties, and punishment for unethical behavior.
C. Policies of strong internal control and punishments for unethical behavior.
D. Policies of strong internal control, segregation of duties, and requiring employees to take vacations.

A. Employers really cannot tell whether a potential employee is ethical or unethical, so hiring only ethical employees is an impossibility. Employee training is important for having a competent workforce, but it does not deter fraud.

B. Employee training is important for having a competent workforce, but it does not deter fraud. Punishment for unethical behavior is also not an effective deterrent to fraud. The punishment takes place after the unethical behavior takes place, so it has not prevented the unethical behavior. Furthermore, unethical behavior does not necessarily indicate fraud is taking place; and an employee who is committing fraud may appear to be the most ethical person on the staff.

C. Punishment for unethical behavior is not an effective deterrent to fraud. The punishment takes place after the unethical behavior takes place, so it has not prevented the unethical behavior. Furthermore, unethical behavior does not necessarily indicate fraud is taking place; and an employee who is committing fraud may appear to be the most ethical person on the staff.

D. Policies of strong internal control are essential, because if a company has weak internal controls, it is putting itself at risk for employee theft. Segregation of duties is one of the most important internal controls. It ensures that no individual is given so much responsibility that he or she is in a position to both perpetrate and conceal a fraud. Requiring vacations is also effective and important, because it gives other employees and managers access to what the vacationing employee has been doing. A person who is committing fraud doesn't want to be away from their job responsibilities, because they usually need to do something every day to keep the fraud covered up. If employees know they are required to be totally away from their workplace continuously for a certain amount of time every year, they will be less likely to embark upon a course of action that they know will require them to be there every day.

Question 112 - CIA 598 3.72 - Systems Controls and Security Measures

Which of the following application controls would offer reasonable assurance that inventory data were completely and accurately entered?

A. Check digits.
B. Limit checking.
C. Batch totals.
D. Sequence checking.

A. A check digit allows the computer to automatically reject incorrect entries. The cumbersome computation required to establish the check digit, however, tends to limit its use to a few key entries. Check digits are never used to test accuracy of input for an entire grouping of input.

B. Limit checks are useful to determine whether an entry is within acceptable limits only. Such limitation makes the limit check unusable to test the accuracy of input.

C. Batch total checks provide a reasonably good test for completeness and accuracy of input.

D. Sequence checking provides a reasonably good test for completeness of input but does not test accuracy.

Question 113 - CIA 1196 III.30 - Internal Auditing

The proper organizational role of internal auditing is to

A. Perform studies to assist in the attainment of more efficient operations.
B. Assist the external auditor in order to reduce external audit fees.
C. Serve as an appraisal function to examine and evaluate activities as a service to the organization.
D. Serve as the investigative arm of the board of directors.

A. One of the roles of internal auditing is the performance of studies to assist in the attainment of more efficient operations. However, the primary role of internal auditing is much more than this.

B. Although external audit fees may be reduced as a result of the internal auditing activities, this is not the primary role of internal auditing.

C. The primary role of the internal audit activity is to assist the management of a company in its responsibility of maintaining effective controls by evaluating the effectiveness of those controls. In this role, it serves as an appraisal function that adds value to operations.

D. The role of internal auditing is not limited to serving as the investigative arm of the board. The internal audit activity assists the management of a company in its responsibility of maintaining effective controls by evaluating the effectiveness of those controls.

Question 114 - CIA 1187 I.43 - Internal Controls

Which of the following credit approval procedures would be the basis for developing a deficiency finding for a wholesaler?

A. Customers not meeting trade-credit standards are shipped merchandise on a cash-on-delivery (C.O.D.) basis only.
B. An authorized signature from the credit department, denoting approval of the customer's credit, is to appear on all credit-sales orders.
C. Trade-credit standards are reviewed and approved by the finance committee of the board of directors.
D. Salespeople are responsible for evaluating and monitoring the financial condition of prospective and continuing customers.

A. Requiring customers who do not meet trade-credit standards to purchase on a C.O.D. basis is a common procedure, not a basis for developing a deficiency finding.

B. Requiring an authorized signature from the credit department denoting approval of the customer's credit is a control strength, not the basis for a deficiency finding.

C. Having the finance committee of the board of directors review and approve trade-credit standards is a control strength and would not lead to a deficiency finding.

D. Salespeople should not be responsible for monitoring customers' financial condition. Salespeople make contact with customers and potential customers, make sales and provide customer service where appropriate. If salespeople are responsible for credit approval, their conflict of interest (desire to make the sale) could lead to inappropriate approvals. There should be a separate credit approval function.

Question 115 - CIA 1192 II.17 - Internal Controls

The cash receipts function should be separated from the related record keeping in an organization to

A. Minimize undetected misappropriations of cash receipts.
B. Establish accountability when the cash is first received.
C. Prevent paying cash disbursements from cash receipts.
D. Physically safeguard the cash receipts.

A. If the same person is both receiving cash and posting cash receipts to customers' accounts, that person could pocket a payment and then conceal it by falsifying the account records.

B. Accountability for cash receipts can be established by having the person who receives the cash prepare a receipt for each item.

C. Segregating the cash receipt function from the record keeping function would not prevent the payment of cash disbursements from cash receipts.

D. Segregation of duties relating to the cash receipts function does not physically safeguard the cash receipts. Keeping cash receipts in a locked box would be one way to physically safeguard them.

Question 116 - CIA 1194 I.64 - Internal Auditing

During an engagement to review payments under a construction contract with a local firm, the internal auditor found a recurring monthly reimbursement for rent at a local apartment complex. Each reimbursement was authorized by the same project engineer. The internal auditor found no provision for payment of temporary living expenses in the construction contract. Discussion with the project engineer could not resolve the matter. The internal auditor should

A. Wait until the engineer is surrounded by plenty of witnesses and then inquire about the payments.
B. Complete the engagement as scheduled, noting the recurring reimbursement in the working papers.
C. Call the engineer into a private meeting to confront the situation.
D. Inform the chief audit executive.

A. Publicly raising the issue could subject the internal auditor or organization to a defamation suit.

B. The internal auditor found no provision for payment, so this could be an indication of fraud. Thus, the appropriate authorities within the organization should be informed.

C. Discussion with the project engineer did not resolve the matter.

D. When an internal auditor suspects wrongdoing, the appropriate authorities within the organization should be informed. The CAE has the responsibility to report immediately any incident of significant fraud to senior management and the board.

Question 117 - CIA 1196 III.40 - Systems Controls and Security Measures

Which of the following is an indication that a computer virus is present?

A. Inadequate backup, recovery, and contingency plans.
B. Frequent power surges that harm computer equipment.
C. Numerous copyright violations due to unauthorized use of purchased software.
D. Unexplainable losses of or changes to data.

A. Inadequate backup, recovery, and contingency plans are weaknesses of operational planning.

B. Power surges are primarily caused by power supply problems.

C. Numerous copyright violations are compliance problems.

D. Unexplainable losses of, or changes to data are an indication of computer viruses.

Question 118 - ICMA 10.P1.246 - Internal Controls

Which one of the following methods for the distribution of employees' paychecks would provide the best internal control for the organization?

A. Distribution of paychecks directly to each employee by a representative of the Human Resource department.
B. Delivery of the paychecks to each department supervisor, who in turn would distribute paychecks directly to the employees in his/her department.
C. Direct deposit in each employee's personal bank account.
D. Distribution of paychecks directly to each employee by the payroll manager.

A. Representatives of the Human Resources department authorize transactions that add employees to the payroll, change pay and effect other key transactions. Therefore, human resource employees must not have access to paycheck distribution, nor to timekeeping or payroll functions. The Human Resource department must be organizationally separate from the payroll office and payroll functions. So having a representative of Human Resources distribute paychecks would be a violation of the principle of segregation of duties.

B. This would be an acceptable method of distributing paychecks, as long as controls are in place to minimize the potential for theft or fraudulent distribution of paychecks, such as payments made to fictitious or terminated employees. The person who distributes the checks should not also have authority to authorize payroll checks. However, this is not the method from among those given that provides for the best internal control for the organization.

C. Direct deposit to each employee's personal bank account provides the best internal control over distribution of paychecks. It lessens the risk of damaged, lost or stolen payroll checks because no checks are distributed. The only thing distributed is a statement of earnings. If earnings are deposited electronically into employees' accounts, it is important that deposit records be reconciled to a list of active employees at every pay date so that persons whose employment has been terminated do not continue receiving payroll deposits.

Cancellation of direct deposit processing should be part of employment termination procedures, and a terminated employee should receive his or her final paycheck in the form of a physical check instead of a direct deposit, as evidence of the direct deposit cancellation.

D. The payroll manager has oversight over the processing and production of the payroll. The function of payroll processing must be segregated from the function of paycheck distribution. Therefore, having the payroll manager distribute paychecks would be a violation of the principle of segregation of duties.

Question 119 - CIA 1195 I.32 - Systems Controls and Security Measures

Most large-scale computer systems maintain at least three program libraries: production library (for running programs); source code library (maintains original source coding); and test library (for programs which are being changed). Which of the following statements is correct regarding the implementation of sound controls over computer program libraries?

A. Only the program librarian should be allowed to make changes to the production library.
B. The computer operator should have access to both the production library and the source code library to assist in diagnosing computer crashes.
C. Users should have access to the test library to determine whether all changes are properly made.
D. Only programmers should have access to the production library.

A. Program librarians are accountable for the programs in the production library. Thus, only the program librarian should be allowed to make changes.

B. The computer operator should not have access to both the production library and the source code library. If computer operators did have access to both program libraries, they could make unauthorized changes to the computer programs.

C. Users should not have access to the test library. Users may not have the proper skills to make necessary changes.

D. Proper control states that programmers should not have access to the production library.

Question 120 - CMA 690 5.3 - Internal Controls

Marport Company is a manufacturing company that uses forms and documents in its accounting information systems for record keeping and internal control.

The departments in Marport's organization structure and their primary responsibilities are:

Accounts Payable -- authorize payments and prepare vouchers.
Accounts Receivable -- maintain customer accounts.
Billing -- prepare invoices to customers for goods sold.
Cashier -- maintain a record of cash receipts and disbursements.
Credit Department -- verify the credit rating of customers.
Cost Accounting -- accumulate manufacturing costs for all goods produced.
Finished Goods Storeroom -- maintain the physical inventory and related stock records of finished goods.
General Accounting -- maintain all records for the company's general ledger.
Internal Audit -- appraise and monitor internal controls, as well as conduct operational and management audits.
Inventory Control -- maintain perpetual inventory records for all manufacturing materials and supplies.
Mailroom -- process incoming, outgoing, and interdepartmental mail.
Payroll -- compute and prepare the company payroll.
Personnel -- hire employees, as well as maintain records on job positions and employees.
Purchasing -- place orders for materials and supplies.
Production -- manufacture finished goods.
Production Planning -- decide the types and quantities of products to be produced.
Receiving -- receive all materials and supplies.
Sales -- accept orders from customers.
Shipping -- ship goods to customers.
Stores Control -- safeguard all materials and supplies until needed for production.
Timekeeping -- prepare and control time worked by hourly employees.

Multiple copies of the purchase order are prepared for record keeping and distribution with a copy of the purchase order sent to the vendor and one retained by the Purchasing Department. In addition, for proper informational flow and internal control purposes, a version of the purchase order would be distributed to the

A. Accounts Payable, Receiving, and Stores Control Departments.
B. Accounts Payable, Receiving, and Production Planning Departments.
C. Accounts Payable, Receiving, and Inventory Control Departments.
D. Accounts Payable, Accounts Receivable, and Receiving Departments.

A. The Stores Control Department does not need copies of purchase orders.

B. The Production Planning Department does not have a need to receive copies of purchase orders.

C. The Accounts Payable Department needs copies of purchase orders to check the vendor's invoice; the Receiving Department needs copies of purchase orders with quantities omitted, so the count of items received should be honest; and the Inventory Control Department needs copies of purchase orders in order to know what orders have been placed.

D. The Accounts Receivable Department does not have a need to receive copies of purchase orders.

Question 121 - CIA 592 I.16 - Internal Auditing

Determining that audit objectives have been met is part of the overall supervision of an audit assignment and is the ultimate responsibility of the

A. Chief Audit Executive.
B. Staff internal auditor.
C. Internal auditing supervisor.
D. Audit committee.

A. The overall supervision of an audit assignment is the ultimate responsibility of the chief audit executive (CAE).

B. The overall supervision of an audit assignment is not the ultimate responsibility of the staff internal auditor.

C. The overall supervision of an audit assignment is not the ultimate responsibility of an internal auditing supervisor.

D. The overall supervision of an audit assignment is not the ultimate responsibility of the audit committee.

Question 122 - CIA 587 I.44 - Internal Auditing

Which of the following is a possible disadvantage when the draft engagement communication is provided to local management for review and comment?

A. The engagement client will have an opportunity to rebut observations and recommendations.
B. The engagement client may take corrective action before the final communication is issued.
C. Discussion of the report might center unduly on words rather than on the substantive issues.
D. Genuine consideration for the engagement client will be demonstrated.

A. The possibility of the engagement client rebutting observations and recommendations would be considered an advantage.

B. The engagement client taking corrective action before the final communication would be considered an advantage.

C. One of the disadvantages of providing the draft of the engagement communication to the client is that they will attempt to change the report or will start arguing the points raised in the report.

D. Exhibiting genuine consideration for the engagement client would be considered an advantage.

Question 123 - CMA 1283 3.15 - Internal Auditing

For an internal audit department to be considered as a relevant internal control by the external auditor, the internal auditor must

A. Be independent of the accounting function.
B. Be cost effective.
C. Perform operational audits.
D. Use statistical sampling procedures.

A. For an external auditor to consider an internal audit department to be a relevant internal control, it must be independent of the accounting function. The chief internal auditor function should report to the board of directors or to a member of senior management outside of the accounting function.

B. Cost effectiveness has nothing to do with relevancy as an internal control.

C. Whether or not an internal audit department performs operational audits has nothing to do with its relevancy as an internal control.

D. Statistical sampling procedures are one type of procedure performed by an auditor. They have nothing to do with whether an external auditor would consider the internal audit department as a relevant internal control.

Question 124 - CIA 588 II.12 - Internal Auditing

While planning an audit, an internal auditor establishes audit objectives to describe what is to be accomplished. Which of the following is a key issue to consider in developing audit objectives?

A. The qualifications of the audit staff selected for the engagement.
B. The auditee's objectives and control structure.
C. Recommendations of the auditee's employees.
D. The recipients of the audit report.

A. The selection of audit staff members can only be done after the audit objectives have been developed.

B. The auditee's objectives and control structure are key issues to consider in developing audit objectives.

C. Recommendations of the auditee's employees are not key issues to consider in developing audit objectives.

D. The recipients of the audit report are not key issues to consider in developing audit objectives.

Question 125 - CMA 1283 3.14 - Internal Controls

A proper segregation of duties requires

A. That an individual authorizing a transaction maintain custody of the asset that resulted from the transaction.
B. That an individual authorizing a transaction records it.
C. That an individual maintaining custody of an asset be entitled to access the accounting records for the asset.
D. That an individual recording a transaction not compare the accounting record of the asset with the asset itself.

A. Segregation of duties requires just the opposite: an individual authorizing a transaction should not be the same person who maintains custody of assets.

B. Segregation of duties requires just the opposite: an individual authorizing a transaction should not be the same person who records it.

C. The person who maintains custody of an asset should not be entitled to access the accounting records for the asset. Accessing the accounting records for the asset would be a reconciliation function or a recordkeeping function, and both of these should be separate from the custody function.

D. An individual performing the recordkeeping function should not be able to compare the accounting record of the asset with the asset itself, because this is a reconciliation function and the reconciliation function should be separate from the recordkeeping function.

Question 126 - CIA 1192 II.16 - Internal Controls

To minimize the risk that agents in the purchasing department will use their positions for personal gain, the organization should

 A. Specify that all items purchased must pass value-per-unit-of-cost reviews.

B. Direct the purchasing department to maintain records on purchase prices paid, with review of such being required each 6 months.
C. Rotate purchasing agent assignments periodically.
D. Request internal auditors to confirm selected purchases and accounts payable.

 A. Value-per-unit-of-cost reviews would not prevent purchasing agents from using their positions for personal gain.

B. Reviewing records on purchase prices paid would not prevent purchasing agents from using their positions for personal gain.

C. Rotating purchasing agent assignments periodically will limit the risk of agents using their positions for personal gain, because it will discourage long-term agent relationships with particular vendors.

D. Requesting confirmation by auditors of selected purchases and accounts payable would not prevent purchasing agents from using their positions for personal gain.

Question 127 - CMA 693 4.10 - Systems Controls and Security Measures

Online access controls are critical for the successful operation of today's computer systems. To assist in maintaining control over such access, many systems use tests that are maintained through an internal access control matrix consisting of

A. Authorized user code numbers and passwords.
B. Authorized user code numbers, passwords, lists of all files and programs, and a record of the type of access each user is entitled to have to each file and program.
C. A list of controls in the online system and a list of those individuals authorized to change and adjust these controls along with a complete list of files in the system.
D. A completeness test, closed loop verification, and a compatibility test.

 A. Although these two items are access controls, this is not the most complete list of items that are access controls.

B. These are all access controls.

C. A list of individuals authorized to change and adjust the controls is not an access control.

D. Completeness tests and closed loop verification are not access controls. A completeness test will not let processing proceed if a data item is not complete. Closed loop verification is an online data entry check which utilizes display and checking of data entry items.

Question 128 - CIA 1189 II.7 - Internal Controls

The procedure requiring preparation of a prelisting of incoming cash receipts, with copies of the prelist going to the cashier and to accounting, is an example of which type of control?

A. Directive.
B. Detective.
C. Corrective.
D. Preventive.

A. Prelisting incoming cash receipts is a preventive control which is designed to prevent undesirable events from occurring, not a directive control, which is designed to ensure the occurrence of a desirable event.

B. Prelisting incoming cash receipts is a preventive control which is designed to prevent undesirable events from occurring, not a detective control, which is designed to expose an error or a fraud after it occurs.

C. Prelisting incoming cash receipts is a preventive control which is designed to prevent undesirable events from occurring, not a corrective control designed to correct undesirable events after they occur.

D. Prelisting incoming cash receipts is a preventive control designed to prevent undesirable events from occurring. In this case, an undesirable event is the disappearance of cash payments. The prelist should be made at the earliest possible time, in order to establish accountability for the cash.

Question 129 - CIA 598 1.9 - Internal Auditing

Which of the following best describes an auditor’s responsibility after noting some indicators of fraud?

A. Expand activities to determine whether an investigation is warranted.
B. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.
C. Consult with external legal counsel to determine the course of action to be taken, including the approval of the proposed audit program to make sure it is acceptable on legal grounds.
D. Report the possibility of fraud to top management and ask them how they would like to proceed.

A. In conducting audit assignments, the internal auditor should have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. If fraud is indicated then the internal auditor should expand activities to determine whether an investigation is warranted.

B. The auditor should first expand work to determine the existence of fraud before reporting the matter to top management. At this point, the auditor only has suspicions of fraud, given the red flags. More work should be performed before consulting with management, external legal counsel, or the audit committee.

C. The auditor should first expand work to determine the existence of fraud before reporting the matter to top management. At this point, the auditor only has suspicions of fraud, given the red flags. More work should be performed before consulting with management, external legal counsel, or the audit committee.

D. The auditor should first expand work to determine the existence of fraud before reporting the matter to top management. At this point, the auditor only has suspicions of fraud, given the red flags. More work should be performed before consulting with management, external legal counsel, or the audit committee.

Question 130 - CIA 591 II.2 - Internal Auditing

Which of the following activities is outside the scope of internal auditing?

A. Assessing an operating department's effectiveness in achieving stated organizational goals.
B. Evaluating controls over compliance with laws and regulations.
C. Ascertaining the extent to which objectives and goals have been established.
D. Safeguarding of assets.

A. Assessing an operating department's effectiveness in achieving stated organizational goals is an internal auditing activity.

B. Evaluating controls over compliance with laws and regulations is an internal auditing activity.

C. Ascertaining the extent to which objectives and goals have been established is an internal audit activity.

D. The specific safeguarding of assets is the responsibility of management. However, from an internal auditing standpoint, internal auditors should evaluate and assess whether assets are safeguarded.

Question 131 - CIA 594 3.14 - Systems Controls and Security Measures

Which of the following controls would assist in detecting an error when the data input clerk records a sales invoice as $12.99 when the actual amount is $122.99?

A. Batch control totals.
B. Sign check.
C. Limit check.
D. Echo check.

A. The other controls would not find this error.

B. This control checks for positive or negative field restrictions.

C. This would only work if the two amounts were reversed, and there was a dollar limit on invoices.

D. This is a hardware control that checks for accuracy in data transmission; it is not an input control.

Question 132 - CIA 1195 I.67 - Internal Controls

Internal auditors regularly evaluate controls and control procedures. Which of the following best describes the concept of control as recognized by internal auditors?

A. Control represents specific procedures that accountants and auditors design to ensure the correctness of processing.
B. Control procedures should be designed from the "bottom up" to ensure attention to detail.
C. Management takes action to enhance the likelihood that established goals and objectives will be achieved.
D. Management regularly discharges personnel who do not perform up to expectations.

A. Control encompasses much more than controls designed to ensure the correctness of processing. Furthermore, control is designed and instituted by management, not by accountants or auditors.

B. While control procedures may be designed from the bottom up, the concept of control flows from the top down.

C. A control is any action taken by management to enhance the likelihood that established goals and objectives will be achieved.

D. This is not the definition of a control.

Question 133 - CMA 1289 5.1 - Internal Controls

In order to control purchasing and accounts payable, an information system must include certain source documents. For a manufacturing organization, these documents should include

A. Receiving reports and vendor invoices.
B. Purchase requisitions, purchase orders, inventory reports of goods needed, and vendor invoices.

D.

The audit report should be distributed to everyone who has a direct interest in the audit. This includes the executive or executives to whom internal audit reports, the person to whom people will reply about the report, persons responsible for the activities or operations audited, and people who will need to take corrective action as a result of the audit.

 A sales representative is not in this group and thus should not receive a copy of the audit report.

Question 135 - CIA 592 I.40 - Internal Auditing

One objective of an audit of the purchasing function is to determine the cost of late payment of invoices containing sales discounts. The appropriate population from which a sample would be drawn is the file of

A. Purchase orders.
B. Paid vendor invoices.
C. Receiving reports.
D. Canceled checks.

A. Purchase orders would give the date an item was ordered, the quantity ordered, and the anticipated price. They would not show whether the vendor offered a discount or whether payment was made within the discount period.

B. Paid vendor invoices would show the invoice date, the amount invoiced, any discount offered for prompt payment, amount paid and date paid.

C. Receiving reports would give the date an item was received and the quantity that was received. They would not show whether the vendor offered a discount or whether payment was made within the discount period.

D. Canceled checks would give the date and the amount of payment. They would not indicate whether the vendor offered a discount or whether payment was made within the discount period.

Question 136 - CIA 593 I.11 - Internal Auditing

Shipments are made from the warehouse based on customer purchase orders. The matched shipping documents and purchase orders are then forwarded to the billing department for sales invoice preparation. The shipping documents are neither accounted for nor prenumbered. Which of the following substantive tests should be extended as a result of this control weakness?

A. Trace a sample of purchase orders to the related sales invoices.
B. Trace quantities and prices on the sales invoice to the customer purchase order and test extensions and footings.
C. Select bills of lading from the warehouse and trace the shipments to the related sales invoices.
D. Foot the sales register and trace the total to the general ledger.

A. Tracing a sample of purchase orders to the related sales invoices would not test to see whether all shipments are being billed.

B. Tracing quantities and prices on the sales invoice to the customer purchase order and testing extensions and footings would not test to see whether all shipments are being billed.

C. Since shipping documents are neither accounted for nor prenumbered, it is likely that some shipments will leave the warehouse without being billed. Selecting bills of lading from the warehouse and tracing the shipments to the related customer invoices is a test to see whether all shipments are being billed.

D. Footing the sales register and tracing the total to the general ledger would not test to see whether all shipments are being billed.

Question 137 - CIA 1186 I.6 - Internal Controls

A company has computerized sales and cash receipts journals. The computer programs for these journals have been properly debugged. The auditor discovered that the total of the accounts receivable subsidiary accounts differs materially from the accounts receivable control account. This could indicate

A. Credit memoranda being improperly recorded.
B. Receivables not being properly aged.
C. Lapping of receivables.
D. Statements being intercepted prior to mailing.

A. If subsidiary accounts are being credited for returns but the general ledger account is not being credited, this would cause material differences between the total of the accounts receivable subsidiary accounts and the accounts receivable control account. This can occur easily if an incorrect procedure is being used to record returns. The auditor should query the people who process the credits to customers' accounts to find out what procedure is being used and should investigate what accounting entries result from that procedure.

B. If receivables are being aged improperly, this would not affect customer balances or the general ledger control account balance.

C. Lapping of receivables would not result in a difference between the subsidiary accounts and the general ledger control account. Lapping of receivables occurs when an employee pockets a payment received on one customer's account and then applies a payment made by another customer to the first customer's account, and on and on. If that is occurring, the total of the subsidiary accounts will reconcile with the general ledger control account, but they will both be incorrect because of the theft.

D. Interception of customer statements might be a sign that fraud is taking place, but it would not cause the subsidiary accounts to not reconcile with the control account.

Question 138 - CIA 1190 I.34 - Systems Controls and Security Measures

All administrative and professional staff in a corporate legal department prepare documents on terminals connected to a file server on the LAN. The best control over unauthorized access to sensitive documents in the system is

A. Required entry of passwords for access to the system.
B. Periodic server backup and storage in a secure area.
C. Physical security for all disks containing document files.
D. Required entry of passwords for access to individual documents.

A. Requiring passwords for access to the system permits all departmental personnel to have access to all documents in the system.

B. Periodic server backup and storage in a secure area would not prevent unauthorized access to sensitive documents in the system.

C. The information is contained in the hard drive, not on disks.

D. The best control over unauthorized access to sensitive documents is to require entry of passwords for access to individual documents.

Question 139 - CIA 1191 I.12 - Internal Controls

The treasurer makes disbursements by check and reconciles the monthly bank statements to accounting records. Which of the following best describes the control impact of this arrangement?

A. Controls will be enhanced because the treasurer will have two opportunities to discover inappropriate disbursements.
B. Internal control will be enhanced because these are duties that the treasurer should perform.
C. The treasurer will be in a position to make and conceal unauthorized payments.
D. The treasurer will be able to make unauthorized adjustments to the cash account.

A. The following four functions must always be done by different people: (1) Authorizing a transaction; (2) Recording the transaction, preparing source documents, maintaining journals; (3) Keeping physical custody of the related asset - for instance, receiving checks in the mail; and (4) The periodic reconciliation of the physical assets to the recorded amounts for those assets. Having the treasurer both make disbursements and reconcile the checking account is a control weakness, not a control enhancement, because the treasurer is in a position to both make and conceal unauthorized payments.

B. The following four functions must always be done by different people: (1) Authorizing a transaction; (2) Recording the transaction, preparing source documents, maintaining journals; (3) Keeping physical custody of the related asset - for instance, receiving checks in the mail; and (4) The periodic reconciliation of the physical assets to the recorded amounts for those assets. In the example of the combination of making disbursements by check (a custody function) and reconciling the checking account (a reconciliation function), we have the treasurer performing two duties that are not compatible.

C. The following four functions must always be done by different people: (1) Authorizing a transaction; (2) Recording the transaction, preparing source documents, maintaining journals; (3) Keeping physical custody of the related asset - for instance, receiving checks in the mail; and (4) The periodic reconciliation of the physical assets to the recorded amounts for those assets. Because the treasurer is performing two duties that are not compatible, making disbursements by check (a custody function) and reconciling the checking account (a reconciliation function), the treasurer is in a position to make and conceal unauthorized payments.

D. The question does not state that the treasurer has access to the accounting records. Thus there is no basis for saying that the treasurer would be able to make unauthorized adjustments to the cash account.

Question 140 - CIA 596 3.49 - Systems Controls and Security Measures

A company with several hundred stores has a network for the stores to transmit sales data to headquarters. The network is also used for:

vendors to submit reorders

stores to transmit special orders to headquarters

regional distribution centers to communicate delivery and out-of-stock information to the stores

the national office to distribute training materials

store, regional, and national personnel to share any information they think helpful.

In order to accommodate the large volume of transmissions, large stores have their own satellite receiving/transmitting stations. Small stores use leased lines.

The information systems and audit directors also agreed that maintaining the integrity of the system that kept inventory data was crucial for distributing correct product quantities to stores. The best way to ensure the integrity of this application software is through:

A. Change controls for inventory software.
B. Monitoring software for the network.
C. Audit trails for items sold and received.
D. Access controls for terminals in the receiving department.

A. Change controls are the set of procedures that ensure that only authorized, tested programs are run in production. If change controls are being followed, an unauthorized person would not be able to make a change in a program that would alter the way it performed its processing.

B. Monitoring software is designed to monitor performance (human or machine) for specified functions such as number of tasks performed or capacity utilized.

C. Audit trails permit audits of transaction updates to data files, not programs.

D. Access control ensures that only authorized persons have access to specific or categories of information resources, but is not enough by itself to ensure integrity of application software.

Question 141 - HOCK CMA P1D3 05 - Systems Controls and Security Measures

Which of the following statements about Trojan horses is false?

A. A Trojan horse can be received from an email or the Internet.
B. A Trojan horse can appear as a desirable software program or utility.
C. A Trojan horse does not replicate itself.
D. A Trojan horse will immediately cause a computer to exhibit symptoms after it is infected.

A. This is a true statement. A Trojan horse can also be received via a USB drive, CD or DVD, Local Area Network, or virtually any other source connected to a computer or plugged into a computer.

B. This is a true statement. A Trojan horse gets its name because it appears to be useful, when in fact there is a danger hidden inside.

C. This is a true statement. A Trojan horse must be actively transmitted and installed.

D. A computer infected with a Trojan horse may not exhibit any symptoms until the Trojan horse is activated by a particular event or command. Even after the Trojan horse is activated, the resulting behavior may not cause any abnormal symptoms, such as the Trojan collecting data and secretly sending it via the Internet to another computer.

Question 142 - ICMA 10.P1.260 - Systems Controls and Security Measures

Which one of the following represents a weakness in the internal control system of an electronic data processing system?

A. The systems analyst designs new systems and supervises testing of the system.
B. The data control group reviews and tests procedures and handles the reprocessing of errors detected by the computer.
C. The accounts receivable clerk prepares and enters data into the computer system and reviews the output for errors.
D. The computer operator executes programs according to operating instructions and maintains custody of programs and data files.

A. Systems analysts are responsible for reviewing the current system to make sure that it is meeting the needs of the organization, and when it is not, they will provide the design specifications to the programmers of the new system. Programmers write, test and document the systems. As long as the systems analyst is not actually doing the testing of the system but only supervising it, this is not an internal control weakness.

B. This is not a weakness in the internal control system of an electronic data processing system. The data control group is responsible for detecting and correcting errors. Reviewing and testing procedures is a part of detecting errors, and reprocessing of errors is part of correcting errors.

C.

This is not a weakness in the internal control system of an electronic data processing system. The accounts receivable clerk is recording transactions. Checking one's work is part of doing a job, and the accounts receivable clerk is responsible for entering data correctly. So reviewing the output for errors is an appropriate part of entering data into the computer system.

As long as the accounts receivable clerk is not also authorizing the transactions, receiving payments on accounts in the mail, or doing reconciliations, i.e., reconciling the individual account balances to the accounts receivable general ledger account, there is no conflict.

D. A person who has unlimited access to a computer, its programs, and its data could execute a fraud and at the same time conceal it. The computer operator should not have custody of programs and data files. The computer operator should perform the actual operation of the computers for processing the data only. The librarian should maintain the documentation, programs and data files.

Question 143 - CIA 1194 I.26 - Internal Controls

Management can best strengthen internal control over the custody of inventory stored in an off-site warehouse by implementing

A. Regular reconciliation of physical inventories to accounting records.
B. Reconciliations of transfer slips to/from the warehouse with inventory records.
C. Regular confirmation of the amount on hand with the custodian of the warehouse.
D. Increases in insurance coverage.

A. Regular physical inventory should be taken and the results compared with accounting inventory records.

B. Reconciliation of transfer slips with inventory records is not the same as reconciliation of physical inventory with inventory records in the accounting system.

C. Confirmation of the amount on hand from the custodian of the warehouse does not substitute for taking a physical inventory, because confirmation from the custodian does not prove that the inventory is physically present.

D. Insurance can reimburse a business after a loss but it does not strengthen internal control over custody of inventory. Furthermore, if a business makes too many claims against its insurance, its insurance premiums may become prohibitively high or insurance may be unobtainable at any cost.

Question 144 - CIA 595 I.14 - Internal Controls

 ABC is a major retailer with over 52 department stores. The marketing department is responsible for:

Conducting marketing surveys

Recommending locations for new store openings

Ordering products and determining retail prices for the products

Developing promotion and advertising for each line of products

Determining the pricing of special sale items

The marketing department has separate product managers for each product line. Each product manager is given a purchasing budget by the marketing manager. Product managers are not rotated among product lines because of the need to acquire product knowledge and to build relationships with vendors. A subsection of the department does marketing surveys.

In addition to ordering and pricing, the product managers also determine the timing and method of product delivery. Products are delivered to a central distribution center where goods are received, retail prices are marked on the product, and the goods are segregated for distribution to stores.

Receiving documents are created by scanning in receipts; the number of items scanned in is reconciled with the price tags generated and attached to products. The average product spends between 12 and 72 hours in the distribution center before being loaded on trucks for delivery to each store. Receipts are recorded at the distribution center, thus the company has not found the need to maintain a receiving function at each store.

Each product manager is evaluated on a combination of sales and gross profit generated from their product line. Many products are seasonal and individual store managers can require that seasonal products be "cleared out" to make space for the next season's products.

Requests for purchases beyond those initially budgeted by the marketing manager must be approved by the marketing manager. Which of the following statements regarding this control procedure is correct?

The procedure

I. should provide for the most efficient allocation of scarce organizational resources.

II. is a detective control procedure.

III. is not necessary because each product manager is evaluated on profit generated, and thus this control is redundant.

A. III only.
B. I only.
C. II and III.
D. I, II, and III.

A. The company must keep purchases within the limits of available financing, and it must allocate its limited warehouse and display space among its various merchandise lines. This control is not redundant because the evaluation of managers on profit generated does nothing to control the allocation of these two resources.

B. The company must keep purchases within the limits of available financing, and it must allocate its limited warehouse and display space among its various merchandise lines. Having the product manager approve additional purchases beyond those initially budgeted provides a means to allocate the company's resources in order to maximize the organization's total return.

C. Approval of requests for purchases beyond those initially budgeted by the marketing manager is not a detective control; it is a preventive control. The company must keep purchases within the limits of available financing, and it must allocate its limited warehouse and display space among its various merchandise lines. This control is not redundant because the evaluation of managers on profit generated does nothing to control the allocation of these two resources.

D. Approval of requests for purchases beyond those initially budgeted by the marketing manager is not a detective control; it is a preventive control. The company must keep purchases within the limits of available financing, and it must allocate its limited warehouse and display space among its various merchandise lines. This control is not redundant because the evaluation of managers on profit generated does nothing to control the allocation of these two resources.

Question 145 - CMA 1288 3.22 - Internal Controls

regulations.

D. Reviewing prior-year working papers would be an effective method to learn about the applicable laws and regulations.

Question 147 - CIA 1195 III.63 - Systems Controls and Security Measures

 A validation check used to determine if a quantity ordered field contains only numbers is an example of a(n)

A. Data security control.
B. Input control.
C. Audit trail control.
D. Processing control.

A. Data security control ensures that only identified and authorized personnel are permitted to access and use the computer system.

B. Validation checks are input controls. Input controls provide some reasonable assurance that the data inputted has the proper authorization, has been converted to machine-sensible form, and has been identified.

C. Audit trail control is used to ensure that all relevant audit information has been recorded.

D. Processing control provides some reasonable assurance that processing has been properly completed, as intended.

Question 148 - CIA 594 3.38 - Systems Controls and Security Measures

The Computer Center of a company processes its prior week's sales invoices, as well as its returns and allowances, at the end of the week. Cash receipts, however, are processed and deposited daily. Each morning the mail receipts clerk prepares the cash receipts prelist in duplicate. The original prelist goes to the head cashier together with the checks and an adding machine tape. The duplicate copy goes to the accounts receivable supervisor. The separate remittance advices are sent to the data input clerk. At midday, the head cashier prepares the bank deposit slip which is taken to the bank. After returning from the bank, the head cashier compares the original prelist to the validated bank deposit slip, initials the documents, and files them in chronological order.

The following morning the accounts receivable supervisor receives a summary processing list from the Computer Center with various control totals from the nightly accounts receivable update. The total on the prior day's duplicate cash receipts prelist is then compared with the total showing the difference between the prior day's beginning and ending accounts receivable subsidiary ledger totals. The amount shown on yesterday's duplicate cash receipts prelist was $35,532.32. This morning the difference between the beginning and ending subsidiary ledger totals was $35,541.32.

Assume the difference occurred because the input clerk keyed in the wrong amount during data input. Which of the following would most likely detect such an error?

A. Check digit verification.
B. A sequence check.
C. Batch total controls.
D. A field check.

A. Check digit verification is used when a self-checking digit is included in an identification number. It can detect errors in fields, such as account or inventory numbers.

B. A sequence check looks for numerical or alphabetical sequence discrepancies.


C. Computerized batch processing environments need batch total controls to detect errors that cannot be discovered through other input edit checks. The other listed controls would not detect an input error in a dollar amount; they are designed to detect other errors.

D. A field check detects if the input characters are of the expected type (i.e., alpha, numeric, or A/N).

Question 149 - CMA 695 4.30 - Internal Auditing

In auditing computer-based systems, the integrated test facility (ITF)

A. Is a set of specialized software routines that are designed to perform specialized audit tests and store audit evidence.
B. Allows the auditor to assemble test transactions and run them through the computer system to test the integrity of controls on a sample data base.
C. Is a concurrent audit technique that establishes a special set of dummy master files and enters transactions to test the programs using the dummy files during regular processing runs.
D. Uses an audit log to record transactions and data having special audit significance during regular processing runs.

 A. An integrated test facility is not a set of specialized software routines.

B. An integrated test facility involves more than just test data.

C. An integrated test facility (ITF) involves the use of test data but also the creation of fictitious entities, such as fictitious employees, fictitious vendors, fictitious products, and fictitious accounts, within the master files of the computer system. Or alternatively, a separate, fictitious company may be used. The major difference between test data and an ITF is that the test data in an ITF are processed along with real data, which makes it a concurrent audit technique. No one knows that the data being processed includes these fictitious entries to fictitious records. In this way, the auditor can be sure that the programs being checked are the same programs as those that are being used to process the real data. The difficulty with using the ITF approach is that the fictitious transactions have to be excluded from the normal outputs of the system in some way.

Careful planning is required to make sure that the ITF data do not become mixed in with the real data, corrupting the real data.

D. An integrated test facility does not use an audit log to record transactions and data having special audit significance during regular processing runs.

Question 150 - ICMA 10.P1.261 - Systems Controls and Security Measures

Confidential data can be securely transmitted over the internet by using

A. single-use passwords.
B. encryption.
C. digital signatures.
D. firewalls.

A. A single-use password is a password that is valid for only one login session or transaction. If an intruder manages to intercept a single-use password that has already been used to log into a service or to conduct a transaction, he or she will not be able to use it again, because it will no longer be usable. Single-use passwords do not enable confidential data to be securely transmitted over the internet, however, because they do not prevent the data from being intercepted while being transmitted.


B. Encryption is the best protection against internet traffic being intercepted, resulting in data leaks. Encryption converts data into a code, and then a key is required to convert the code back to data. Unauthorized people can receive the coded information, but without the proper key, they cannot read it. Thus, an attacker may be able to see where the traffic came from and where it went but not the content.

C. A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document. It can also be used to ensure that the original content of the message or document that was sent has not been changed. The ability to ensure that the original signed message arrived means that the sender cannot easily say later that he never sent it or that he sent something different. A digital signature can be used with any kind of message, whether it is encrypted or not, so that the receiver can be sure of the sender's identity and that the message arrived without being changed.

However, a digital signature does not provide security for confidential data that is being sent over the internet, because it does not prevent the data from being intercepted while being transmitted.

D. A firewall serves as a barrier between the internal and the external networks and prevents unauthorized access to the internal network. It does not enable confidential data to be securely transmitted over the internet, because it does not prevent the data from being intercepted while being transmitted.

Question 151 - CIA 595 III.67 - Systems Controls and Security Measures

Managers at a consumer products company purchased personal computer software from only recognized vendors, and prohibited employees from installing nonauthorized software on their personal computers. To minimize the likelihood of computer viruses infecting any of its systems, the company should also

A. Institute program change control procedures.
B. Recompile infected programs from source code backups.
C. Test all new software on a stand-alone personal computer.
D. Restore infected systems with authorized versions.

A. Instituting program change control procedures is a good control practice, but it does not minimize the likelihood of computer viruses infecting the system.

B. The procedure of recompiling infected programs from source code backups does not minimize the likelihood of computer viruses infecting the system.

C. This would be the best method to minimize the likelihood of computer viruses infecting any of its systems. The program should be quarantined since it's possible that even the vendor's software can be infected.

D. Restoring infected systems with authorized versions will be done when the system is already infected. Thus, it does not minimize the likelihood of computer viruses infecting the system.

Question 152 - CIA 1193 I.29 - Systems Controls and Security Measures

A mail-order retailer of low-cost novelty items is receiving an increasing number of complaints from customers about the wrong merchandise being shipped. The order code for items has the format wwxxyyzz. The major category is ww, xx is the minor category, yy identifies the item, and zz identifies the catalog. In many cases, the wrong merchandise was sent because adjacent characters in the order code had been transposed. The best control for decreasing the number of orders with the wrong merchandise is to


A. Require customers to specify the name for each item they order.
B. Use a master file reference for all order codes to verify the existence of items.
C. Separate the parts of the order code with hyphens to make the characters easier to read.
D. Add check-digits to the order codes and verify them for each order.

A. Requiring customers to specify the name for each item they order would not allow the company to detect erroneous codes.

B. Using a master file reference for all order codes to verify the existence of items would not solve the problem of transposed characters.

C. Separating the parts of the order code with hyphens would make the characters easier to read, but would not solve the problem of transposed characters.

D. The best control for decreasing the number of orders with the wrong merchandise is to add check-digits to the order codes and verify them for each order. The digit is generated by applying an algorithm to the code. During the input process, the check digit is recomputed by applying the same algorithm to the code actually entered.

Question 153 - CMA 684 3.29 - Internal Auditing

Which one of the following is most likely to be considered a reportable condition?

A. An inventory control clerk at a manufacturing plant has the ability to steal one completed television set from inventory a year. The theft probably will never be detected.
B. The petty cash custodian has the ability to steal petty cash. Documentation for all disbursements from the fund must be submitted with the request for replenishment of the fund.
C. An accounts receivable clerk, who approves sales returns and allowances, receives customer remittances and deposits them in the bank. Limited supervision is maintained over the employee.
D. A clerk in the invoice processing department fails to match a vendor's invoice with its related receiving report. Checks are not signed unless all appropriate documents are attached to a voucher.

A. This would probably not be a reportable condition, because the amount of potential theft is probably not material.

B. If the requirement for documentation of disbursements from the fund includes the requirement that the documentation be approved, and if the approving signature is matched against specimen signatures on file, and if the petty cash fund is reconciled regularly, any theft from the fund will be detected.

C. An accounts receivable clerk who receives customer remittances, deposits funds in the bank, and who has the authority to approve sales returns and allowances is a reportable condition. The clerk could steal a customer remittance and cover up the theft by approving a credit memo to the customer's account.

D. If the receiving report is not included with the backup to the check, the check will not be signed. This is a detective control as well as a preventive control. It would detect the oversight and prevent a check from being sent out that might possibly not be legitimate. Thus, this would not be a reportable condition.

Question 154 - CIA QZP2B.2 - Internal Auditing

The risk that an auditor's procedures will lead to the conclusion that a material misstatement does not exist in an account balance when, in fact, such misstatement does exist is:

 A. Detection risk.


B. Inherent risk.
C. Audit risk.
D. Control risk.

A. Detection risk is the risk that the auditor will not detect a material misstatement. Detection risk is affected by the auditor's procedures and can be changed at his or her discretion.

B. Inherent risk is the risk that there is an error in the first place.

C. Audit risk is the risk that the auditor will give an unqualified opinion when, in fact, there is a material misstatement in the area being audited.

D. Control risk is the risk that the internal controls will not detect or prevent the error.

Question 155 - CMA 690 5.6 - Internal Controls

Marport Company is a manufacturing company that uses forms and documents in its accounting information systems for record keeping and internal control.

The departments in Marport's organization structure and their primary responsibilities are:

Accounts Payable -- authorize payments and prepare vouchers.
Accounts Receivable -- maintain customer accounts.
Billing -- prepare invoices to customers for goods sold.
Cashier -- maintain a record of cash receipts and disbursements.
Credit Department -- verify the credit rating of customers.
Cost Accounting -- accumulate manufacturing costs for all goods produced.
Finished Goods Storeroom -- maintain the physical inventory and related stock records of finished goods.
General Accounting -- maintain all records for the company's general ledger.
Internal Audit -- appraise and monitor internal controls, as well as conduct operational and management audits.
Inventory Control -- maintain perpetual inventory records for all manufacturing materials and supplies.
Mailroom -- process incoming, outgoing, and interdepartmental mail.
Payroll -- compute and prepare the company payroll.
Personnel -- hire employees, as well as maintain records on job positions and employees.
Purchasing -- place orders for materials and supplies.
Production -- manufacture finished goods.
Production Planning -- decide the types and quantities of products to be produced.
Receiving -- receive all materials and supplies.
Sales -- accept orders from customers.
Shipping -- ship goods to customers.
Stores Control -- safeguard all materials and supplies until needed for production.
Timekeeping -- prepare and control time worked by hourly employees.

The document that is the authorization to initiate the manufacture of goods is referred to as a

A. Production order.
B. Bill of materials.
C. Raw materials requisition.
D. Daily production schedule.

A. The Production Planning Department would use a Production Order to authorize the Production Department to manufacture certain items.

B. A bill of materials is the list of component parts that go into the manufacture of each item of finished goods. It is not an authorization to initiate manufacturing.


C. The Production Department would request raw materials by means of a raw materials requisition, but the raw materials requisition would not authorize the initiation of manufacturing.

D. The daily production schedule is used for production planning. It is not an authorization to initiate manufacturing.

Question 156 - CIA 594 3.31 - Systems Controls and Security Measures

 A computer program will not generate month-end balances if transactions are missing. This is an example of a:

A. Preventive control.
B. Corrective control.
C. Detective control.
D. Discretionary control.

A. A preventive control is designed to prevent errors from occurring.

B. See the correct answer for the explanation.

C. See the correct answer for the explanation.

D. See the correct answer for the explanation.

Question 157 - CMA 1290 4.22 - Internal Controls

The most critical aspect of separation of duties within information systems (IS) is between

A. Project leaders and programmers.
B. Management and users.
C. Programmers and computer operators.
D. Programmers and systems analysts.

A. This is not the most critical aspect of separation of duties with information systems.

B. This is not the most critical aspect of separation of duties with information systems.

C. Programmers are the individuals who write, test and document the systems. Computer operators perform the actual operation of the computers for processing the data. Computer operators should not have programming functions and should not be able to program. Programmers should not have access to the computers and programs that are in actual use for processing. The most critical separation of duties is between programmers and computer operators.

D. This is not the most critical aspect of separation of duties with information systems.

Question 158 - CIA 1191 I.4 - Internal Controls

An audit committee of the board of directors of an organization is being established. Which of the following is normally a responsibility of the committee with regard to the internal audit activity?

 A. Approval of engagement work programs.


B. Determination of engagement observations appropriate for specific engagement communications.
C. Development of the annual engagement work schedule.
D. Approval of the selection and dismissal of the chief audit executive.

A. Approval of the engagement work programs will be the responsibility of the IAA staff.

B. The determination of engagement observations for specific engagement communications will be the responsibility of the IAA staff.

C. Developing the annual engagement work schedule is the responsibility of the CAE and IAA staff.

D. Independence is enhanced if the audit committee either approves or dismisses the chief audit executive. The audit committee is a subcommittee of the board and is made up of outside directors.

Question 159 - CMA 1287 5.15 - Systems Controls and Security Measures

In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a

A. Hash total.
B. Record count.
C. Batch total.
D. Subsequent check.

A. A hash total is a meaningless sum of numbers in a batch, such as the sum of all the employee I.D. numbers. A hash total would detect a substituted employee time card, because the employee I.D. number of the substituted employee would be different from the employee I.D. number of the original employee.

B. A record count is a total of the number of records processed. Whereas a record count could detect that one additional employee had been paid, the question asks for the best control technique to detect the action using employee identification numbers. A record count would not include employee identification numbers.

C. The question asks for the best control technique to detect this action using employee identification numbers. A batch total of the total payroll amount or the total hours worked would not utilize employee identification numbers.

D. While a subsequent check of the output from the payroll might detect the substitution, a hash total is a better control technique because it would detect the substitution more quickly and reliably.

Question 160 - CIA 1188 I.43 - Internal Auditing

 An objective report is one that is described as

A. Through content and tone, designed to help the auditee as well as the organization.
B. Logical and easily understood.
C. To the point and free of unnecessary detail.
D. Factual, unbiased, and free from distortion.

 A. This is the definition of a constructive report, not an objective report.

B. This is the definition of a clear report, not an objective report.


C. This is the definition of a concise report, not an objective report.

D. "Objective" as used here means "without bias or prejudice." An objective report is factual, unbiased, and free from distortion.

Question 161 - CIA 1191 II.4 - Internal Controls

Which of the following is not an appropriate member of an audit committee?

A. The vice president of the local bank used by the organization.
B. An academic specializing in business administration.
C. A retired executive of a firm that had been associated with the organization.
D. The organization's vice president of operations.

A. Requirements for audit committee members are:

1. They must be independent. That is, they must not be employed by the company in any capacity other than as a member of the audit committee, the board of directors, or any other board committee.

2. One member of the audit committee must have accounting or financial management expertise.

3. All members of the audit committee must be financially literate.

The vice president of the local bank would be an independent director and, as the vice president of a bank, would be financially literate. Thus, this person would be an appropriate member of the audit committee.

B. Requirements for audit committee members are:

1. They must be independent. That is, they must not be employed by the company in any capacity other than as a member of the audit committee, the board of directors, or any other board committee.

2. One member of the audit committee must have accounting or financial management expertise.

3. All members of the audit committee must be financially literate.

An academic specializing in business administration would be an independent director and with knowledge of business administration would be financially literate. Thus, this person would be an appropriate member of the audit committee.

C. Requirements for audit committee members are:

1. They must be independent. That is, they must not be employed by the company in any capacity other than as a member of the audit committee, the board of directors, or any other board committee.

2. One member of the audit committee must have accounting or financial management expertise.

3. All members of the audit committee must be financially literate.

A retired executive of a firm that had been associated with the organization would be an independent director and as an executive, would be financially literate. Thus, this person would be an appropriate member of the audit committee.

D. Requirements for audit committee members are:

1. They must be independent. That is, they must not be employed by the company in any capacity other than as a member of the audit committee, the board of directors, or any other board committee.

2. One member of the audit committee must have accounting or financial management expertise.


Question 164 - CIA 1190 III.23 - Systems Controls and Security Measures

In an order-entry system, in which manually prepared source documents are entered online for immediate processing, which of the following is an example of an appropriate input-output control?

A. Password authorization procedure.
B. Backup and recovery procedures.
C. Hash total verification.
D. Check-digit validation procedure.

 A. Password authorization is a general control that controls access to the system.

B. Backup and recovery procedures are general controls.

C. Hash total is appropriate for batch processing, but not for online processing.

D. A self-checking digit is used for error detection, e.g., incorrect identification numbers. It applies an algorithm to an input field and then applies the same algorithm to the code already entered to compare them. Thus, a check digit is an appropriate input-output control.

Question 165 - CIA 595 I.12 - Internal Controls

 ABC is a major retailer with over 52 department stores. The marketing department is responsible for 

Conducting marketing surveys.

Recommending locations for new store openings.

Ordering products and determining retail prices for the products.

Developing promotion and advertising for each line of products.

Determining the pricing of special sale items.

The marketing department has separate product managers for each product line. Each product manager is given a purchasing budget by the marketing manager. Product managers are not rotated among product lines because of the need to acquire product knowledge and to build relationships with vendors. A subsection of the department does marketing surveys.

In addition to ordering and pricing, the product managers also determine the timing and method of product delivery. Products are delivered to a central distribution center where goods are received, retail prices are marked on the product, and the goods are segregated for distribution to stores.

Receiving documents are created by scanning in receipts; the number of items scanned in is reconciled with the price tags generated and attached to products. The average product spends between 12 and 72 hours in the distribution center before being loaded on trucks for delivery to each store. Receipts are recorded at the distribution center, thus the company has not found the need to maintain a receiving function at each store.

 A control deficiency associated with the given scenario is

A. There is no receiving function located at individual stores.
B. Evaluating product managers by total gross profit generated by product line will lead to dysfunctional behavior.
C. The product manager negotiates the purchase price and sets the selling price.
D. The store manager can require items to be closed out, thus affecting the potential performance evaluation of individual product managers.

A. There should be a receiving function at each individual store to make sure that products shipped to the stores are received. Items could get lost in transit or deliberately diverted by an employee with knowledge that there was no check on the receipt of items. The receiving reports from the individual stores should be compared with shipping reports of items shipped to the stores to detect any discrepancy.

B. Since product managers are responsible for negotiating purchase prices and setting selling prices, it is appropriate that they be evaluated according to gross profit generated by their product lines. This establishes accountability.

C. Since product managers are evaluated on gross profit generated by the product(s) they manage, it is appropriate that the product managers negotiate the purchase prices and set the selling prices.

D. Since many products are seasonal, it is appropriate that the seasonal products be cleared out in a timely manner to make space for the next season's products. For the company as a whole, this practice will maximize profits.

Question 166 - ICMA 10.P1.251 - Internal Auditing

Which one of the following accounting and management techniques is least likely to assist internal auditors in appraising the efficiency with which resources are being used by respective profit centers?

A. Flexible Budgets.
B. Activity-based management.
C. Joint cost allocations.
D. Cost Variance Analysis.

A. Flexible budgets would assist internal auditors in appraising the efficiency with which resources are being used by respective profit centers, if they are compared with actual results.

B. Activity-based management uses activity analysis and activity-based costing data to improve the value of the company’s products and services and to increase the company’s competitiveness. Activity-based management would assist internal auditors in appraising the efficiency with which resources are being used by respective profit centers.

C. Joint cost allocations allocate joint manufacturing costs to individual products that are produced through a single process that is used to begin the production of what becomes two or more separate products. They are helpful in determining the costs for each product in order to determine pricing and profitability of individual products. Joint cost allocations would not do anything to assist internal auditors in appraising the efficiency with which resources are being used by respective profit centers.

D. Variances are a comparison between the budgeted results of the company and the actual results of the company. The more detailed levels of variance analysis determine, to a greater extent, the cause for the difference. Cost variance analysis would assist internal auditors in appraising the efficiency with which resources are being used by respective profit centers.

Question 167 - CIA 1191 I.17 - Internal Auditing

An operational engagement relating to the production function includes a procedure to compare actual costs with standard costs. The purpose of this engagement procedure is to

A. Assess the reasonableness of standard costs.
B. Determine the accuracy of the system used to record actual costs.
C. Assist management in its evaluation of effectiveness and efficiency.
D. Measure the effectiveness of the standard cost system.

A. An operational engagement is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. The purpose of an operational engagement is to assist management in its evaluation of effectiveness and efficiency. A comparison between actual costs and standard costs will not necessarily fulfill that purpose.

B. An operational engagement is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. The purpose of an operational engagement is to assist management in its evaluation of effectiveness and efficiency. A comparison between actual costs and standard costs will not necessarily fulfill that purpose.

C. An operational engagement is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. The purpose of an operational engagement is to assist management in its evaluation of effectiveness and efficiency. A comparison between actual costs and standard costs can be used to fulfill that purpose.

D. An operational engagement is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. The purpose of an operational engagement is to assist management in its evaluation of effectiveness and efficiency. A comparison between actual costs and standard costs will not necessarily fulfill that purpose.

Question 168 - CMA 1288 3.26 - Internal Controls

In a well-designed internal control structure where the cashier receives remittances from the mail room, the cashier should not

A. Deposit remittances daily at a local bank.
B. Endorse the checks.
C. Post the receipts to the accounts receivable subsidiary ledger cards.
D. Prepare the bank deposit slip.

A. The cashier keeps physical custody of the assets received, and depositing remittances daily at a local bank is part of the custody function.

B. It is appropriate for the person who receives checks as remittances by mail to endorse the checks with a restrictive endorsement. This should be done as soon as the checks are received, to prevent them being negotiated by an unauthorized party if they are stolen. A restrictive endorsement is an endorsement stamp that says "For Deposit Only" and gives the name of the account to which the check must be deposited.

C. The cashier keeps physical custody of the assets received, and posting the receipts to the accounts receivable ledger cards is a recordkeeping function, not a custody function. The person performing the custody function should have no access to the customer records. If that person did have access to customer records, that person could perform a fraudulent activity called "lapping." In lapping, an employee receives a cash payment on a customer's account. Instead of applying the cash payment to that customer's account, though, the employee pockets the cash. The employee would then apply the next check that comes in on another customer's account to the first customer's account instead of to the correct customer's account; and apply a third customer's payment to the second customer's account, and so forth. The customers would see the amount they paid credited on their accounts, but it would not be their payment that was being credited to them. The employee could continue pocketing cash receipts like that for some time.

D.

The cashier keeps physical custody of the assets received, and preparing the bank deposit slip is part of the custodyfunction.

However, this would be true only for checks received, not for cash. Remittances received from the mailroom should beonly checks, because cash would not be received through the mail. It would be acceptable for the person receivingchecks to immediately endorse them with a restrictive endorsement and then to prepare the bank deposit slip. It wouldnot be appropriate for a person receiving cash to also prepare the deposit slip, however, because it would be very easy

Part 1 : 10/05/14 22:26:24

(c) HOCK international, page 87

Page 88: Hock_Internal Control

8/16/2019 Hock_Internal Control

http://slidepdf.com/reader/full/hockinternal-control 88/129

for that person to pocket some of the cash. There is much more potential for fraud with cash than there is with checks.

Question 169 - HOCK CMA P1D3 09 - Systems Controls and Security Measures

General controls are designed to ensure that a company's control environment is stable and well managed. Which of the following is not an example of general controls?

A. Using reasonableness checks to detect if data is inconsistent with past transactions.
B. Equipment controls
C. Access controls
D. Segregation of duties within the data processing function.

A. Reasonableness checks are an example of input controls, which are application controls, not general controls.

B. Equipment controls are general controls that can identify incorrect data handling or improper operation of the equipment.

C. Access controls pertain to controlling access to both physical equipment and logical data, and are an important general control.

D. General organization controls include segregation of duties.

Question 170 - CIA 587 II.24 - Internal Controls

One control objective of the financing or treasury cycle is the proper authorization of company transactions dealing with debt and equity instruments. Which of the following controls would best meet this objective?

A. Use of an underwriter in all cases of new issue of debt or equity instruments.
B. The company serves as its own registrar and transfer agent.
C. Separation of responsibility for custody of funds from recording of the transaction.
D. Written company policies requiring review of major funding/repayment proposals by the board of directors.

A. Use of an underwriter for issuance of debt or equity instruments is not a control that would meet the objective of proper authorization of debt and equity transactions.

B. The company serving as its own registrar and transfer agent is not a control that would meet the objective of proper authorization of debt and equity transactions.

C. Custody of funds relates to safeguarding of assets, not to proper authorization of debt or equity transactions.

D. Proper authorization of company transactions relating to debt and equity instruments would be met by a requirement that major funding and repayment proposals be reviewed by the board of directors. A policy of requiring this review is the first step, although the policy also needs to be carried out.

Question 171 - ICMA 10.P1.254 - Internal Auditing

When an internal auditor expresses an opinion as to the efficiency and effectiveness of an entity’s activities and makes recommendations for improvements, the auditor is conducting a(n)

A. financial statement audit of a public company.
B. financial statement audit of a municipality.
C. operational audit.
D. compliance audit.

A. The purpose of a financial statement audit is to evaluate the assertions made by management on the organization’s financial statements and to issue an opinion on the fairness of the statements. A financial statement audit is performed by outside, independent auditors, not by internal auditors.

In an independent financial statement audit, the auditor would not express an opinion as to the efficiency and effectiveness of an entity’s activities and make recommendations for improvements.

B. The purpose of a financial statement audit is to evaluate the assertions made by management on the organization’s financial statements and to issue an opinion on the fairness of the statements. A financial statement audit is performed by outside, independent auditors, not by internal auditors.

In an independent financial statement audit, the auditor would not express an opinion as to the efficiency and effectiveness of an entity’s activities and make recommendations for improvements.

C. The purpose of an operational audit is examining and evaluating systems of internal control, overall company operations and the quality of performance in carrying out assigned responsibilities. The internal auditors compare the results of the operations with standards for performance or output. The focus of an operational audit is on the three "E"s: efficiency, effectiveness and economy.

In an operational audit, the internal auditor would express an opinion as to the efficiency and effectiveness of an entity’s activities and make recommendations for improvements.

D. A compliance audit is performed in order to determine whether an organization is conforming to certain specific requirements of its policies, procedures, standards, or laws and governmental regulations.

Thus, in a compliance audit, the auditor would not express an opinion as to the efficiency and effectiveness of an entity’s activities and make recommendations for improvements.

Question 172 - CMA 689 3.15 - Internal Controls

Which one of the following situations represents an internal control weakness in accounts receivable?

A. Customers' statements are mailed monthly by the accounts receivable department.
B. Delinquent accounts are reviewed only by the sales manager.
C. Internal auditors confirm customer accounts periodically.
D. The cashier is denied access to customers' records and monthly statements.

A. This is not an internal control weakness. Customer statements should be mailed monthly by the accounts receivable department.

B. If delinquent accounts are reviewed only by the sales manager, this is an internal control weakness. The sales manager may have a conflict of interest, not wanting to report an account as delinquent if it means additional sales cannot be made to that customer. Delinquent accounts should be reviewed regularly by the credit manager and the accounts receivable manager.

C. Confirming customer account balances periodically is an important internal control procedure.

D. This is not an internal control weakness but is an important segregation of duties.

Question 173 - CIA 596 3.48 - Systems Controls and Security Measures

A company with several hundred stores has a network for the stores to transmit sales data to headquarters. The network is also used for:

vendors to submit reorders,
stores to transmit special orders to headquarters,
regional distribution centers to communicate delivery and out-of-stock information to the stores,
the national office to distribute training materials,
store, regional, and national personnel to share any information they think helpful.

In order to accommodate the large volume of transmissions, large stores have their own satellite receiving/transmitting stations. Small stores use leased lines.

The information systems director is concerned that someone might be able to enter fictitious orders from store terminals. Of the following, the best control for minimizing the likelihood of such an occurrence is to:

A. Require change control procedures for programs.
B. Encrypt outward bound transmissions from the stores.
C. Enforce password control procedures for users.
D. Encourage employees to report suspicious activity.

A. Requiring change control for programs ensures that program changes are authorized, tested, and documented.

B. Encrypting transmissions from the stores would increase the difficulty of eavesdropping on the transmissions but would not deter someone from entering bogus transactions.

C. Enforcing password control procedures would make it more difficult for an unauthorized person, such as a competitor intending to disrupt the distribution patterns, to gain prolonged entry.

D. Encouraging store employees to report suspicious activity is a good practice, but such activity might go undetected.

Question 174 - CMA 686 5.12 - Systems Controls and Security Measures

A control designed to catch errors at the point of data entry is

A. A check digit.
B. A batch total.
C. Checkpoints.
D. A record count.

A. A check digit is used for determining whether a number has been input properly. A check digit is a digit that is a function of the other digits within a set of numbers. If a typographical error is made in input, the check digit should recognize that something has been input incorrectly.

B. A batch total is a total of one field for all items in a batch. It is a control total, but it will not catch errors at the point of data entry.

C. A checkpoint is a control procedure that is performed several times per hour, and during that time, the network system will not accept posting. It stops and backs up all the data and other information needed to restart the system. This checkpoint is recorded on separate media. Then, if a hardware failure occurs, the company simply reverts to the last saved copy, and reprocesses only the transactions that were posted after that checkpoint. A checkpoint will not catch errors at the point of data entry.

D. A record count is a total of all the records processed. It is a control total, but it will not catch errors at the point of data entry.

Question 175 - CIA 1192 I.16 - Internal Auditing

To test whether debits to accounts receivable represent valid transactions, the auditor should compare items in the

A. Accounts receivable ledger with sales documentation.
B. Sales journal with the accounts receivable ledger.
C. Accounts receivable ledger with the cash receipts journal.
D. Cash receipts documentation with the accounts receivable ledger.

A. Sales documentation (i.e., customer purchase order, shipping documents) compared with debits to the accounts receivable ledger would test whether debits to accounts receivable represent valid sales transactions.

B. Although comparing items in the sales journal with the accounts receivable ledger would test whether credit sales had been properly recorded in the accounts receivable ledger, it would not test whether debits to accounts receivable represent valid sales transactions.

C. Comparing the accounts receivable ledger with the cash receipts journal would verify that cash receipts had been recorded as credits to accounts receivable. However, it would not test whether debits to accounts receivable represent valid sales transactions.

D. Comparing cash receipts documentation with the accounts receivable ledger would verify that cash payments from customers had been properly recorded as credits to accounts receivable. However, it would not test whether debits to accounts receivable represent valid sales transactions.

Question 176 - ICMA 10.P1.259 - Systems Controls and Security Measures

In securing the client/server environment of an information system, a principal disadvantage of using a single level sign-on password is the danger of creating a(n)

A. administrative bottleneck.
B. lock-out of valid users.
C. single point of failure.
D. trap door entry point.

A. A single level sign-on password allows users to log in to all of the different systems in the organization (accounting, email, shipping, and so forth) with the same username and password. Creating an administrative bottleneck is not a danger of using a single level sign-on password.

B. A single level sign-on password allows users to log in to all of the different systems in the organization (accounting, email, shipping, and so forth) with the same username and password. Creating a lock-out of valid users is not a danger of using a single level sign-on password.

C. The definition of "single point of failure" is a single part of a system, which, if it fails, will result in the unavailability of the entire system. Usually, the term is used to refer to hardware and software. However, it can be applied to password authentication, as well.

A single level sign-on password allows users to log in to all of the different systems in the organization (accounting, email, shipping, and so forth) with the same username and password. However, all of the logins would go through one single unified authentication server. If the unified password authentication server were to go down, users would lose access to all services because nobody could authenticate to anything. On the other hand, if each password system were truly separate, then if one password authentication server were to go down, users would lose access only to whatever specific password authentication system went down but not to everything.

A single level sign-on password improves security, because users don't have several different passwords to remember. Having several different passwords to remember leads people to write them down to keep them all straight. Writing passwords down can permit the passwords to be stolen. Furthermore, with just one password authentication system, you don't have to worry about login hacks on all of the different systems, just the main one. But the tradeoff is a "single point of failure."

D. A single level sign-on password allows users to log in to all of the different systems in the organization (accounting, email, shipping, and so forth) with the same username and password. Creating a trapdoor entry point is not a danger of using a single level sign-on password.

A trapdoor entry point is a secret, undocumented entry point into a program used to grant access without normal methods of access authentication. While that may sound like something negative, it may be necessary. For example, in an accounting application there may be a need to make a correction in a data file that has become corrupted in some way. If restoring from a backup will not work for whatever reason, the only way to fix it is to gain direct entry to the data file and make the necessary corrections manually.

Question 177 - HOCK CMA P1D3 04 - Systems Controls and Security Measures

Which of the following is a technical computer crime that requires sophisticated knowledge of computers and/or networks?

A. Denial of service.
B. Dumpster diving.
C. Phishing.
D. Social engineering.

A. A denial of service (DOS) attack involves overwhelming a server or cluster of servers to the point that they are unable to respond to legitimate requests, thereby making them unavailable for normal usage. A DOS attack certainly requires a reasonable amount of technical and network skills to successfully execute.

B. Dumpster diving requires no computer knowledge whatsoever, only the willingness to get a little bit dirty.

C. Phishing refers to deceiving others into revealing personal and/or sensitive information such as credit card numbers, social security numbers, passwords, etc., usually through an email message. This requires no sophisticated technical knowledge beyond being able to send an email.

D. Social engineering refers to using social tactics to gain information. For example, an employee from one company


It is important to maintain proper segregation of duties in a computer environment. Which of the following access setups is appropriate for updating production data and modifying production programs?

A. Users can update production data and both users and application programmers can modify production programs.
B. Users can modify production programs and application programmers can update production data.
C. Users can update production data.
D. Users can update production data and application programmers can modify production programs.

A. None of these access rights would be appropriate. Application programmers should not have access to production data and only the change control unit should be able to modify production programs.

B. Application programmers should never have update access to production data. Users have no need to change production programs.

C. Users need to update data through applications programs.

D. Application programmers should not be able to directly change production programs. They should submit changes to the change control unit for placing into production.

Question 181 - CMA 686 5.14 - Systems Controls and Security Measures

Program documentation is a control designed primarily to ensure that

A. Data have been entered and processed.
B. Programmers have access to the tape library or information on disk files.
C. Programs do not make mathematical errors.
D. Programs are kept up to date and perform as intended.

A. Program documentation does not ensure that data has been entered and processed.

B. After a program has been written, approved and documented, programmers should not have any further access to it.

C. Program documentation will not ensure that programs do not have "bugs" in them.

D. Program documentation includes descriptions of the programs, program flowcharts, program listings of source code, input and output forms, change requests, operator instructions and controls. Documentation provides a basis for effective operation, use, audit, and future system enhancements. Program documentation is needed for diagnosing and correcting programming errors; and it provides a basis for reconstruction of the system in case of damage or destruction. Examining software documentation, such as system flowcharts, program flowcharts, data flow diagrams, and decision tables can also be a control, because it makes sure that the programs are complete in their data manipulation.

Question 182 - CIA 594 I.32 - Systems Controls and Security Measures

Passwords for personal computer software programs are designed to prevent

A. Incomplete updating of data files.
B. Unauthorized use of the software.
C. Unauthorized access to the computer.
D. Inaccurate processing of data.

A. Passwords are concerned with preventing the unauthorized use of software, not with preventing incomplete updating of data files.

B. Passwords are designed to prevent the unauthorized use of software.

C. Passwords do not prevent the unauthorized access to the computer.

D. Passwords are concerned with preventing the unauthorized use of software, not with the inaccurate processing of data.

Question 183 - CIA 590 I.20 - Systems Controls and Security Measures

The practice of maintaining a test program library separate from the production program library is an example of

A. An organizational control.
B. A concurrency control.
C. An input control.
D. Physical security.

A. Organizational control includes the proper segregation of duties. Thus, the practice of maintaining a test program library separate from the production program library is an example of an organizational control.

B. Concurrency control is the process of managing the situation when two or more programs are trying to access the same information at the same time.

C. Input controls provide assurance that the data inputted has the proper authority, and has not been lost, added or changed.

D. Physical security is also an organizational control, but it refers to the restriction on physical access, not the separation of test program library from the production program library.

Question 184 - CIA 589 II.10 - Internal Controls

Which of the following observations, made during the preliminary survey of a local department store's disbursement cycle, reflects a control strength?

A. Individual department managers use prenumbered forms to order merchandise from vendors.
B. The receiving department is given a copy of the purchase order complete with a description of goods, quantity ordered, and extended price for all merchandise ordered.
C. Individual department managers are responsible for the movement of merchandise from the receiving dock to storage or sales areas as appropriate.
D. The treasurer's office prepares checks for suppliers based on vouchers prepared by the accounts payable department.

A. Purchasing should not be done by individual department managers. The individual department managers should instead prepare purchase requisitions and send them to the purchasing department, which should be responsible for issuing a purchase order.

B. The copy of the purchase order that the receiving department has should not include the quantity ordered or the unit or extended prices. This enhances the probability that the receiving department will submit the correct count.

C. Individual managers should not be responsible for the movement of merchandise because the receiving department should move the merchandise to a storage area.

D. The treasurer's office should prepare vendor checks (the custody function), while accounting for payables is a recording function.

Question 185 - CMA 1289 5.2 - Systems Controls and Security Measures

Payroll systems should have elaborate controls to prevent, detect, and correct errors and unauthorized tampering. The best set of controls for a payroll system includes

A. Batch and hash totals, record counts of each run, proper separation of duties, special control over unclaimed checks, and backup copies of activity and master files.
B. Employee supervision, batch totals, record counts of each run, and payments by check.
C. Sign tests, limit tests, passwords and user codes, online edit checks, and payments by check.
D. Passwords and user codes, batch totals, employee supervision, and record counts of each run.

A. Batch totals for hours worked and dollar totals, hash totals of employee identification numbers, and record counts of each run should be utilized to check for accuracy and completeness. A system of control over unclaimed checks should be in place. Segregation of duties is essential, with the four functions of authorizing transactions, recording transactions, keeping custody of the assets, and reconciliation of the physical assets to the recorded amounts being performed by different people. Backup copies of all activity and master files are essential so that data will not be lost.

B. This is not the best answer because it is missing one or more important controls.

C. This is not the best answer because it is missing one or more important controls.

D. This is not the best answer because it is missing one or more important controls.

Question 186 - CIA 1193 I.12 - Internal Controls

An audit of the receiving function at the company's distribution center revealed inadequate control over receipts. Which of the following controls would be appropriate for the receiving function?

A. To ensure adequate separation of duties, the warehouse receiving clerk should work independently from the warehouse manager.
B. Ensure that the warehouse receiving department has a true copy of the original purchase order.
C. Require that all receipts receive the approval of the warehouse manager.
D. Ensure that the warehouse receiving department has a purchase order copy with the units described, but both prices and quantities omitted.

A. Having the receiving clerk work independently of the warehouse manager is not a control but is in fact a risk, because the clerk would be working without supervision.

B. The warehouse receiving department should have a copy of the purchase order, but its copy should not include prices and quantities.

C. Shipment receipts should be backed up by authorized purchase orders, not the warehouse manager's approval.

D. The receiving clerk should have access to authorized purchase orders in order to make sure that only authorized shipments are accepted. Prices and quantities should not appear on this copy in order to increase the likelihood that the count of received items will be accurate.


Question 187 - CMA 690 3.27 - Systems Controls and Security Measures

One of the steps in assessing control risk in a computerized information control system is identifying necessary controls to prevent data from being lost, added, duplicated, or altered during processing. An example of this type of control is the

A. Review of data output by data control groups.
B. Use of external and internal file labels.
C. Use of control totals, limit and reasonableness checks, and sequence tests.
D. Authorization and approval of data in user departments and screening of data by data control groups.

A. While review of data output by data control groups is a control, it is not a control that is used during the processing of the data.

B. Labels, both external and internal, are used to identify a file. External labels are the gummed labels attached to the outside of a disk or other media that identify its contents. Internal labels identify the contents by means of an identification within the data file that can be read by the computer.

C. Processing controls are controls designed to ensure that processing has occurred properly and that no transactions have been lost or incorrectly added. Control totals are of various kinds, but they all involve comparison of counts at various points with the correct count. A limit check, or a reasonableness check, tests a value to determine whether it falls within a prescribed range. A sequence test verifies that records are in the correct sequence.

D. While authorization of data, approval of data, and screening of data are controls, they are not controls that are used during the processing of the data.

Question 188 - CIA 590 II.33 - Internal Auditing

The scope statement of an internal audit report should

A. Communicate the internal auditor's evaluation of the effect of the findings on the activities reviewed.
B. Identify the audited activities and describe the nature and extent of auditing performed.
C. State the factual evidence that the auditor found in the course of the examination.
D. Define the standards, measures, or expectations used in evaluating audit findings.

A. The internal auditor's evaluation of the effect of the findings on the activities reviewed is not part of the "scope" statement of an internal audit report. That is contained in the "conclusions" section of the audit report.

B. The "scope" section of the audit report contains information to identify what activities were audited, time period audited, and the extent and nature of the auditing that was performed.

C. The factual evidence that the auditor found in the course of the examination is not part of the "scope" statement of an internal audit report. That is contained in the "conditions" section of the audit report.

D. Information on the standards, measures, or expectations used in evaluating audit findings is not part of the "scope" statement of an internal audit report. They are contained in the "criteria" section of the report, which is "what should be" the conditions that the actual conditions are to be compared and contrasted with.

Question 189 - CIA 586 II.8 - Internal Auditing


The chief audit executive (CAE) uncovers a significant fraudulent activity that appears to involve the executive vice president to whom the CAE reports. Which of the following best describes how the CAE should proceed?

A. Report the facts to the chief executive officer and the audit committee.
B. Notify regulatory authorities and police.
C. Interview the executive vice president to obtain essential evidence.
D. Conduct an investigation to ascertain whether the executive vice president is involved in the fraudulent activity.

A. When an internal auditor suspects fraud, he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

B. When an internal auditor suspects fraud, he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

C. When an internal auditor suspects fraud, he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

D. When an internal auditor suspects fraud, he or she should determine the possible effects and discuss the matter with the appropriate level of management, who should then initiate an investigation.

Question 190 - CMA 690 5.10 - Internal Controls

Organizational independence is required in the processing of customers' orders in order to maintain an internal control structure. Which one of the following situations is not a proper separation of duties in the processing of orders from customers?

A. Approval by Credit Department of a sales order prepared by the Sales Department.
B. Shipping of goods by the Shipping Department that have been retrieved from stock by the Finished Goods Storeroom Department.
C. Approval of a sales credit memo because of a product return by the Sales Department with subsequent posting to the customer's account by the Accounts Receivable Department.
D. Invoice preparation by the Billing Department and posting to customers' accounts by the Accounts Receivable Department.

A. Approval by the Credit Department of a sales order prepared by the Sales Department is an appropriate segregation of duties, if the merchandise is being sold on credit.

B. Shipping of goods by the Shipping Department that have been retrieved from stock by the Finished Goods Storeroom Department is an appropriate segregation of duties.

C. The Sales Department should not have authority to approve a sales credit memo because of a product return. Credit memos should be approved only upon receipt of a receiving report evidencing the product's return, and the approval should not come from the Sales Department because of the potential for booking sales in one period and reversing them the next.

D. Invoice preparation by the Billing Department and posting to customers' accounts by the Accounts Receivable Department is an appropriate segregation of duties, if the two tasks are separate functions. (The two activities would be separate if a manual accounting system is being used. However, in most computerized accounting systems today, preparation of invoices and posting to customers' accounts are both parts of the Order Entry function. One set of inputs both produces the invoices and posts them to customers' accounts.)

Question 191 - HOCK CMA P1D3 08 - Systems Controls and Security Measures

Application controls are broken down into three categories. What are those three categories?

A. Access controls, equipment controls, and general operating procedures.

B. Input, processing and output controls.

C. Data recording, data transcription and edit tests.

D. Edit tests, hash totals, and prenumbered forms.

A. These are all types of general controls that relate to the general transaction processing environment.

B. Application controls pertain to specific individual applications and are designed to prevent, detect and correct errors in transactions as they flow through the input, processing, and output stages of work.

C. These are classifications of input controls.

D. These are examples of application controls.

Question 192 - CIA 1194 1.63 - Systems Controls and Security Measures

A controller became aware that a competitor appeared to have access to the company's pricing information. The internal auditor determined that the "leak of information" was occurring during the electronic transmission of data from branch offices to the head office. Which of the following controls would be most effective in preventing the leak of information?

A. Use of passwords.

B. Asynchronous transmission.

C. Encryption.

D. Use of fiber optic transmission lines.

A. Use of passwords will control access at the sending location, and will limit access to the head office computer. Passwords, however, will not prevent someone from "tapping into" the transmission line.

B. Asynchronous transmission does not prevent theft of data; it speeds up the transmission process.

C. Encryption is the conversion of data into a code. You may be able to access the data by "tapping into" the transmission line. However, you need an encryption "key" in order to understand the data being sent.

D. Fiber optic transmission lines will improve the quality of the transmission, but will not prevent theft of data.

Question 193 - CIA 590 I.9 - Internal Controls

Which of the following activities represents both an appropriate personnel department function and a deterrent to payroll fraud?

A. Authorization of additions and deletions from the payroll.

B. Distribution of paychecks.

C. Authorization of overtime.

D. Collection and retention of unclaimed paychecks.

A. Authorization of additions to and deletions from the payroll should come from the personnel department.

B. The personnel department performs the authorization function. Therefore, it should not also perform the custodial function of distributing paychecks.

C. Overtime should be authorized by an employee's supervisor, since he/she is in a position to know whether the employee actually worked the overtime.

D. Collection and retention of unclaimed paychecks is a custodial function, and it should not be performed by the personnel department, which performs the authorization function.

Question 194 - CIA 1192 I.18 - Internal Controls

Controls can be classified according to the function they are intended to perform; for example, to discover the occurrence of an unwanted event (detective), to avoid the occurrence of an unwanted event (preventive), or to ensure the occurrence of a desirable event (directive). Which of the following is a directive control?

A. Requiring all members of the internal auditing department to be CIAs.

B. Recording every transaction on the day it occurs.

C. Monthly bank statement reconciliations.

D. Dual signatures on all disbursements over a specific dollar amount.

A. Requiring all members of the internal auditing department to be CIAs is a directive control. It increases the probability that the internal auditors will have the requisite knowledge, experience and professionalism to perform their jobs.

B. Recording every transaction on the day it occurs is a preventive control.

C. Monthly bank statement reconciliations are detective controls, not directive controls. A bank reconciliation is used to detect errors on either the accountholder's part or on the bank's part after they have occurred.

D. Requiring dual signatures on all disbursements over a specific dollar amount is a preventive control.

Question 195 - CIA 1194 I.61 - Internal Auditing

An internal auditor reports directly to the board of directors. The auditor discovered a material cash shortage. When questioned, the person responsible explained that the cash was used to cover sizable medical expenses for a child and agreed to replace the funds. Because of the corrective action, the internal auditor did not inform management. In this instance, the auditor

A. Has both organizational independence and objectivity.

B. Does not have either organizational independence or objectivity.

C. Does not have organizational independence but has objectivity.

D. Has organizational independence, but not objectivity.

A. Not reporting the misappropriation of funds is an indication that the auditor does not have objectivity.

B. Since the internal auditor reports directly to the board of directors, the auditor does have organizational independence.

C. The auditor reports directly to the board of directors, and thus the auditor does have organizational independence. However, not reporting the misappropriation of funds is an indication of a lack of objectivity.

D. Since the internal auditor reports directly to the board of directors, the auditor does have organizational independence. However, not reporting the misappropriation of funds is an indication of a lack of objectivity.

Question 196 - ICMA 10.P1.242 - Internal Controls

When assessing a company’s internal control structure policies and procedures, the primary consideration is whether they

A. prevent management override.

B. reflect management’s philosophy and operating style.

C. relate to the control environment.

D. affect the financial statement assertions.

A. Section 404 of the Sarbanes-Oxley Act requires each annual report filed with the SEC to contain an assessment by management of the adequacy of the company’s internal control over financial reporting. The internal control report must (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting as of the end of its most recent fiscal year.

The primary consideration of management in this assessment is how well the company’s internal control policies and procedures provide adequate internal control over financial reporting.

B. Section 404 of the Sarbanes-Oxley Act requires each annual report filed with the SEC to contain an assessment by management of the adequacy of the company’s internal control over financial reporting. The internal control report must (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting as of the end of its most recent fiscal year.

Management's philosophy and operating style is one component of the control environment; it is not the primary consideration of management in its assessment of the adequacy of the company's internal control over financial reporting. The primary consideration of management in this assessment is how well the company’s internal control policies and procedures provide adequate internal control over financial reporting.

C. Section 404 of the Sarbanes-Oxley Act requires each annual report filed with the SEC to contain an assessment by management of the adequacy of the company’s internal control over financial reporting. The internal control report must (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting as of the end of its most recent fiscal year.

The primary consideration of management in this assessment is how well the company’s internal control policies and procedures provide adequate internal control over financial reporting.

D. Section 404 of the Sarbanes-Oxley Act requires each annual report filed with the SEC to contain an assessment by management of the adequacy of the company’s internal control over financial reporting. The internal control report must (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting as of the end of its most recent fiscal year.

The primary consideration of management in this assessment is how well the company’s internal control policies and procedures provide adequate internal control over financial reporting.

Question 197 - CMA 1288 3.25 - Internal Controls

The primary responsibility for establishing and maintaining internal control rests with

A. The treasurer.

B. Management.

C. The controller.

D. The internal auditor.

A. The treasurer does not have the primary responsibility for establishing and maintaining internal control.

B. Internal control is a method, or process, that is carried out by an entity's board of directors, management, and other personnel, and designed to provide reasonable assurance that the company's objectives will be achieved.

C. The controller does not have the primary responsibility for establishing and maintaining internal control.

D. Though the internal auditor does a lot of work in respect to the internal control system, the internal auditor is not responsible for establishing and maintaining internal control.

Question 198 - CIA 591 I.23 - Internal Controls

A means of ensuring that payroll checks are drawn for properly authorized amounts is to

A. Conduct periodic floor verification of employees on the payroll.

B. Require supervisory approval of employee time cards.

C. Witness the distribution of payroll checks.

D. Require that undelivered checks be returned to the cashier.

A. While conducting periodic floor verification of employees on the payroll will confirm that the employees exist, it would do nothing to ensure that their payroll checks are drawn for properly authorized amounts.

B. It is appropriate to require supervisory approval of employee time cards, because supervisors are in a position to know whether their employees' time is being reported accurately.

C. Witnessing the distribution of payroll checks does not ensure that the payroll checks are for the correct amounts.

D. While requiring undelivered checks to be returned to the cashier is a good control procedure, it does nothing to ensure that the payroll checks are for the proper amounts.

Question 199 - CIA 598 3.59 - Systems Controls and Security Measures

Preventing someone with sufficient technical skill from circumventing security procedures and making changes to production programs is best accomplished by

A. Reviewing reports of jobs completed.

B. Comparing production programs with independently controlled copies.

C. Providing suitable segregation of duties.

D. Running test data periodically.

A. The reviews of jobs processed will disclose access, but will not prevent it.

B. Comparison of production programs and controlled copies will disclose changes, but will not prevent them.

C. When duties are separated, users cannot obtain a detailed knowledge of programs and computer operators cannot gain unsupervised access to production programs.

D. Periodic running of test data will detect changes, but will not prevent them.

Question 200 - CMA Sample Q4.11 - Internal Auditing

Which one of the following statements concerning concurrent auditing techniques is not correct?

A. They allow faster detection of unauthorized transactions.

B. They are most useful in complex online systems in which audit trails have either become diminished or are very limited.

C. They allow monitoring a system on a continuous basis for fraudulent transactions.

D. They are standard components of generic software packages.

A. Concurrent auditing techniques typically use specialized programs with auditor-defined parameters that are applied to transactions during processing. The program uses analytical techniques and data mining to detect unusual patterns. If the program identifies unusual activities, it alerts the auditor, enabling the auditor to review and investigate the unusual transaction virtually immediately. Thus, concurrent auditing techniques allow faster detection of unauthorized transactions.

B. Under real-time accounting systems, transactions are transmitted, processed, and accessed electronically. Thus, audit trails can easily become diminished or very limited. Concurrent auditing techniques, which use specialized programs with auditor-defined parameters that are applied to transactions during processing, are most useful in this kind of environment.

C. Concurrent auditing techniques typically use specialized programs with auditor-defined parameters that are applied to transactions during processing. The program uses analytical techniques and data mining to detect unusual patterns. If the program identifies unusual activities, it alerts the auditor, enabling the auditor to review and investigate the unusual transaction virtually immediately. Thus, concurrent auditing techniques do permit monitoring a system on a continuous basis for fraudulent transactions.

D. Concurrent auditing techniques are instructions embedded within application or system software, such as a database management system, that auditors use to collect audit evidence about the reliability of an application while the application is actually processing data.

Concurrent auditing techniques are not standard components of generic software packages. Concurrent auditing techniques require the use of specialized programs with auditor-defined parameters that are applied to transactions during processing to detect unusual patterns.

In applications where accuracy is vital, concurrent auditing techniques may be executed continuously; or, they may be executed only periodically. They collect information which can be reported immediately to the auditor, or it can be stored and reported periodically.

Question 201 - HOCK CMA P1D3 01 - Systems Controls and Security Measures

A disaster plan should specify all of the following except:

A. Where in the office the disaster recovery plan is stored.

B. The employees who will participate in disaster recovery.

C. What facilities will be used in the course of recovery.

D. The priority of the services that need to be restored.

A. In the event of a disaster, the office may not be accessible, or may not even exist anymore. All members of the disaster recovery team should each keep a current copy of the plan at home.

B. This is a part of a disaster recovery plan. In addition to specifying who should participate, the plan should also outline each person's responsibilities and should designate a first and second in command.

C. This is part of a disaster recovery plan.

D. This is part of a disaster recovery plan.

Question 202 - CIA 593 I.42 - Systems Controls and Security Measures

Contingency plans for information systems should include appropriate backup agreements. Which of the following arrangements would be considered too vendor-dependent when vital operations require almost immediate availability of computer resources?

A. A "cold and hot site" combination arrangement.

B. A "hot site" arrangement.

C. Using excess capacity at another data center within the organization.

D. A "cold site" arrangement.

A. A "cold and hot site" combination arrangement is where the hot site is first used until the cold site is prepared. Thus, it is not too vendor-dependent.

B. A "hot site" arrangement must be fully operational and immediately available. A "hot site" arrangement cannot be too vendor-dependent.

C. Using excess capacity at another data center within the organization ensures that assets needed for backup are available. Thus, it is not too vendor-dependent.

D. A "cold site" is a facility where power and space are available to install processing equipment, but it is not immediately available. If an organization uses a cold site, its disaster recovery plan must include arrangements to get computer equipment installed there quickly. Thus, a "cold site" arrangement is too vendor-dependent because the company has to rely on the vendor for timely delivery of the equipment.

Question 203 - CIA 596 III.36 - Systems Controls and Security Measures

Change control typically includes procedures for separate libraries for production programs and for test versions of programs. The reason for this practice is to

A. Promote efficiency of system development.

B. Permit unrestricted access to programs.

C. Segregate incompatible duties.

D. Facilitate user input on proposed changes.

A. Separating libraries for production programs and for test versions of programs would require a specific policy or procedure. Thus, separating these functions may in fact decrease efficiency of system development.

B. Separating production and test versions of programs will not permit unrestricted access to programs.

C. Separating production and test versions of programs is the means of restricting access to production programs to individual users. Thus, the effect is a separation of incompatible duties, such as programmers and operators.

D. Separating production and test versions of programs will not facilitate user input on proposed changes.

Question 204 - CIA 1195 3.38 - Systems Controls and Security Measures

A large property insurance company has regional centers that customers call to report claims. Although the regional centers are not located in areas known to be prone to natural disasters, the company needs a disaster recovery plan that would restore call answering capacity in the event of a disaster or other extended loss of service. The best plan for restoring capacity in the event of a disaster would be to reroute call traffic to:

A. Non-affected regional centers.

B. A third-party service center.

C. A hot site that duplicates regional facilities.

D. A cold site that duplicates regional facilities.

A. Rerouting call traffic to non-affected regional centers is the best approach because it minimizes cost, maximizes the company's control over the reconfiguration, and permits calls to be answered by the company's skilled personnel.

B. Rerouting call traffic to a third-party service center would be overly expensive because of personnel cost, and service center personnel would not be trained for the company's calls.

C. Duplicating regional facilities in a hot site would provide space, equipment, and some software but would be overly expensive and would still not provide personnel.

D. Duplicating regional facilities in a cold site would be overly expensive and would still not provide equipment, software, or personnel.

Question 205 - CIA 593 II.39 - Internal Auditing

Which of the following would not be considered an objective of the audit closing or exit conference?

A. To resolve conflicts.

B. To identify concerns for future audits.

C. To identify management's actions and responses to the findings.

D. To discuss the findings.

A. Resolving conflicts is an objective of the audit closing or exit conference.

B. Identifying concerns for future audits is not an objective of the audit closing or exit conference.

C. Identifying management's actions and responses to the findings is an objective of the audit closing or exit conference.

D. Discussing the findings is an objective of the audit closing or exit conference.

Question 206 - CMA 689 3.17 - Internal Controls

Which one of the following situations represents a strength of internal control for purchasing and accounts payable?

A. Invoices are approved for payment by the purchasing department.

B. Vendors' invoices are matched against purchase orders and receiving reports before a liability is recorded.

C. Prenumbered receiving reports are issued randomly.

D. Unmatched receiving reports are reviewed on an annual basis.

A. The purchasing department should not approve invoices for payment. The accounts payable department should approve invoices for payment, based on a review of all the supporting documentation which includes the purchase requisition, the purchase order, and the receiving report/packing slip.

B. Vendor's invoices should be matched against purchase requisitions, purchase orders, and receiving reports before any liability is recorded. When the payment has been approved, the accounts payable department should prepare a voucher, which is an internal document that is the authorization for payment.

C. Receiving reports should be prenumbered and should be issued sequentially, not randomly, so that a missing report or a report out of sequence can be investigated.

D. Unmatched receiving reports should be reviewed more frequently than annually.

Question 207 - CIA 594 3.39 - Systems Controls and Security Measures

The Computer Center of a company processes its prior week's sales invoices, as well as its returns and allowances, at the end of the week. Cash receipts, however, are processed and deposited daily. Each morning the mail receipts clerk prepares the cash receipts prelist in duplicate. The original prelist goes to the head cashier together with the checks and an adding machine tape. The duplicate copy goes to the accounts receivable supervisor. The separate remittance advices are sent to the data input clerk. At midday, the head cashier prepares the bank deposit slip which is taken to the bank. After returning from the bank, the head cashier compares the original prelist to the validated bank deposit slip, initials the documents, and files them in chronological order.

The following morning the accounts receivable supervisor receives a summary processing list from the Computer Center with various control totals from the nightly accounts receivable update. The total on the prior day's duplicate cash receipts prelist is then compared with the total showing the difference between the prior day's beginning and ending accounts receivable subsidiary ledger totals. The amount shown on yesterday's duplicate cash receipts prelist was $35,532.32. This morning the difference between the beginning and ending subsidiary ledger totals was $35,541.32.

Which of the following is most likely not a true statement about the company?

A. The grandfather-father-son technique can be used as a file protection procedure in this system.

B. If the two control totals agree, the amount posted to each subsidiary ledger account is correct.

C. On the last day of the month, sales are understated.

D. If a customer is required to prepay for a custom order, the subsidiary ledger account will have a credit balance.

A. This is typically used for batch processing.

B. The totals could agree, but individual payments could be posted to wrong accounts. This would not be caught by the above procedures.

C. See the correct answer for the explanation.

D. These derive from the logic of the narrative.

Question 208 - CIA 1188 I.20 - Internal Controls

Which of the following activities performed by a payroll clerk is a control weakness rather than a control strength?

A. Draws the paychecks on a separate payroll checking account.

B. Has custody of the check signature stamp machine.

C. Prepares the payroll register.

D. Forwards the payroll register to the chief accountant for approval.

A. Drawing paychecks on a separate payroll checking account is a control strength rather than a weakness.

B. A payroll clerk is involved in payroll preparation. The payroll checks should be signed by someone else who has the authority to do so. Therefore, the payroll clerk having custody of the check signature stamp is a violation of segregation of duties.

C. Preparation of the payroll register is an appropriate duty for a payroll clerk.

D. The payroll clerk giving the payroll register to the chief accountant for approval is an appropriate control. Thus it is a control strength rather than a weakness.

Question 209 - CIA 1190 I.13 - Internal Auditing

An internal auditor would most likely judge a misstatement in an account balance to be material if it involves

A. An unverified routine transaction.

B. A related party.

C. An unusual transaction for the company.

D. A large percentage of net income.

A. Although an unverified routine transaction would indicate increased audit risk, the existence of an unverified routine transaction does not, by itself, mean that the amount is material.

B. Although a transaction with a related party would indicate increased audit risk, the existence of a related party transaction does not, by itself, mean that the amount is material.

C. Although an unusual transaction would indicate increased audit risk, the existence of an unusual transaction does not, by itself, mean that the amount is material.

D. A misstatement that amounts to a large percentage of net income is material, regardless of any other circumstances.

Question 210 - CIA 593 I.38 - Internal Auditing

An internal auditor has uncovered illegal acts committed by a member of senior management. According to the Standards, such information

A. May be disclosed in a separate report and distributed to all senior management.

B. Should be excluded from the internal auditor's report and discussed orally with the senior manager.

C. May be disclosed in a separate report and distributed to the company's audit committee of the board of directors.

D. Must be immediately reported to the appropriate local authorities.

A. Information about illegal acts committed by a member of senior management should be reported to the senior manager's superior and to the board of directors, but not distributed to all senior management.

B. Illegal acts by a member of senior management should be reported immediately to the manager's superior and to the company's audit committee of the board of directors. The auditor should not discuss the matter with the senior manager who has committed the illegal acts.

C. Information about illegal acts committed by a member of senior management should be reported immediately to the senior manager's superior and to the audit committee of the board of directors.

D. Internal auditors are responsible to report illegal acts and other matters to their management and board of directors, but not to local authorities. If the company is publicly held, the matter will need to be reported to appropriate regulatory authorities.

Question 211 - CIA 1188 II.24 - Internal Controls

One payroll audit objective is to determine if there is proper segregation of duties. Which of the following activities are incompatible?

A. Hiring employees and authorizing changes to pay rates.

B. Signing and distributing payroll checks.

C. Preparing attendance data and preparing the payroll.

D. Preparing the payroll and filing payroll tax forms.

A. A manager who has the authority to hire a person usually also has the authority to determine changes to the person's rate of pay, within company guidelines.

B. Signing payroll checks and distributing them may be performed by the same person with no concerns for internal control objectives.

C. The person who prepares attendance data should not be the same person who also prepares the payroll, because of the opportunity to create a fictitious employee and then pay that fictitious employee without it being noticed.

D. The person who prepares the payroll is in the best position to file payroll taxes, and there is no incompatibility between those two functions that would violate proper segregation of duties.

Question 212 - ICMA 10.P1.245 - Internal Controls

In order to properly segregate duties, which function within the computer department should be responsible for reprocessing the errors detected during the processing of data?

A. Data control group.

B. Computer programmer.

C. Systems analyst.

D. Department manager.

A. Segregation of duties within information systems means that information systems must be separated from user departments, and responsibilities within the information systems department should be separated. When an error is detected during the processing of data, the error should be referred to the user department for correction. The data control group follows up to make sure the error is corrected and the data is reprocessed.

B. Segregation of duties within information systems means that information systems must be separated from user departments, and responsibilities within the information systems department should be separated. When an error is detected during the processing of data, the error should be referred to the user department for correction.

Computer programmers are responsible for writing, testing and documenting the systems, and for modifying programs and data file structures. The computer programmers should not have access to live data and should not be reprocessing data after the user department has made the correction.

C. Segregation of duties within information systems means that information systems must be separated from user departments, and responsibilities within the information systems department should be separated. When an error is detected during the processing of data, the error should be referred to the user department for correction.

Systems analysts are responsible for reviewing the system to make sure it is meeting the organization's needs and for providing design specifications to programmers of a new system when the existing system is no longer meeting the organization's needs. The systems analysts should not have access to live data and should not be reprocessing data after the user department has made the correction.

D. Segregation of duties within information systems means that information systems must be separated from user departments, and responsibilities within the information systems department should be separated. When an error is detected during the processing of data, the error should be referred to the user department for correction. The department manager is not responsible for processing data and should not be reprocessing the data after the user department has made the correction.

Question 213 - CIA 591 III.24 - Systems Controls and Security Measures

The best preventive measure against a computer virus is to

A. Prepare and test a plan for recovering from the incidence of a virus.
B. Allow only authorized software from known sources to be used on the system.
C. Compare software in use with authorized versions of the software.
D. Execute virus exterminator programs periodically on the system.

A. Preparing and testing a plan for recovering from the incidence of a virus is a corrective measure, not a preventive measure.

B. The best preventive measure is to allow only authorized software from known sources to be on the system. It is expected that authorized software will be virus free.

C. Comparing software in use with authorized versions of the software is a detective measure, not a preventive measure.

D. Executing virus exterminator programs is a detective measure, not a preventive measure.

Question 214 - CIA 1190 I.42 - Internal Auditing

Summary written audit reports are ordinarily intended for 

A. High-level management and/or the audit committee.
B. Independent external auditors only.
C. Local operating management.


A. Codification of best practices of the treasury function in relevant industries is a good criterion against which to judge current operations.

B. Organizational policies and procedures delegating authority and assigning responsibilities are a good criterion against which to judge current operations.

C. Since the operations of the treasury function as documented during the last engagement may not have been in compliance with organizational policies and procedures, these operations are not a desirable criterion against which to judge current operations.

D. Textbook illustrations of generally accepted good treasury function practices are good criteria against which to judge current operations.

Question 217 - CIA 5/94 P4 Q9 - Internal Controls

On January 1, a company establishes a petty cash account and designates one employee as petty cash custodian. The original amount included in the petty cash fund is $500, and it will be used to make small cash disbursements. The fund will be replenished on the first of each month, after the petty cash custodian presents receipts for disbursements to the general cashier. The following disbursements are made in January. The balance in the petty cash box at the end of January is $163.

Office supplies - $173
Postage - $112
Entertainment - $42

Which of the following is not an appropriate procedure for controlling the petty cash fund?

A. Upon receiving petty cash receipts as evidence of disbursements, the general cashier issues a company check to the petty cash custodian, rather than cash, to replenish the fund.
B. The petty cash custodian obtains signed receipts from each individual to whom petty cash is paid.
C. Surprise counts of the fund are made from time to time by a superior of the petty cash custodian to determine that the fund is being accounted for satisfactorily.
D. The petty cash custodian immediately files the original, unchanged receipts by category of expenditure after their presentation to the general cashier, so that variations in different types of expenditures can be monitored.

A. The company does not want to have excess amounts of cash on hand in the office and therefore the petty cash should be replenished (refilled) by issuance of a company check rather than from another cash source that the general cashier has access to.

B. Obtaining signed receipts from the recipients of the petty cash money is a good control in the petty cash system.

C. Surprise counts of petty cash are an effective control tool, helping to ensure that the petty cash custodian does not borrow money from petty cash for short periods of time.

D. After the petty cash custodian receives receipts, the receipts should be somehow identified as paid so that the same receipt is not paid twice. Filing them by category is good, but this answer says that the receipts are unchanged. The receipts should be marked that they have been paid.

Question 218 - CIA 594 3.12 - Systems Controls and Security Measures

Which of the following procedures would enhance the control structure of a computer operations department?


I. Periodic rotation of operators.
II. Mandatory vacations.
III. Controlled access to the facility.
IV. Segregation of personnel who are responsible for controlling input and output.

A. I, II, III.
B. I, II.
C. III, IV.
D. All of the above choices would enhance the control structure.

A. Periodic rotation of operators, mandatory vacations and controlled access to the facility would enhance the control structure of a computer operations department. However, these are not the only procedures listed that would do so.

B. Periodic rotation of operators and mandatory vacations would enhance the control structure of a computer operations department. However, these are not the only procedures listed that would do so.

C. Controlled access to the facility and segregation of personnel who are responsible for controlling input and output would enhance the control structure of a computer operations department. However, these are not the only procedures listed that would do so.

D. All of the above practices are effective control measures. Periodic rotation and mandatory vacations provide other personnel with the ability to detect operator problems. Controlled access and segregation of duties allow for the separation of incompatible functions.

Question 219 - CIA 1189 II.8 - Internal Controls

The audit committee strengthens the control processes of an organization by

A. Approving internal audit activity policies.
B. Using the chief audit executive as a major resource in selecting the external auditors.
C. Assigning the internal audit activity responsibility for interaction with governmental agencies.
D. Following up on recommendations made by the chief audit executive.

 A. Approving internal audit activity policies does not strengthen the control process.

B. According to Sarbanes-Oxley, the audit committee is to be directly responsible for the appointment, compensation, and oversight of the registered public accounting firm employed to perform the audit.

C. Assigning the internal audit activity responsibility for interaction with governmental agencies does not strengthen the control process.

D. The audit committee should provide support to the internal auditors. One way to do this is to follow up on recommendations made by the chief audit executive.

Question 220 - CIA 1196 3.48 - Systems Controls and Security Measures

A company’s management is aware that it cannot foresee every contingency even with the best planning. Management believes, however, that a more thorough recovery plan increases the ability to resume operations quickly after an interruption and thus to:

A. Fulfill its obligations to customers.
B. Maintain the same level of employment.


C. Receive the maximum benefit from planning.
D. Minimize the cost of facility repair.

A. The better the recovery plans, the more likely the company would be to resume operations quickly and fulfill its obligations to customers.

B. The company may or may not maintain the same level of employment after a disaster. For example, a disaster that destroys productive capacity in one plant may lead to layoffs.

C. The maximum benefit from planning is that it prompts action to avoid the most likely or most devastating events with the potential to interrupt business. Management would be delighted if planning ensured that business was never interrupted and thus that the recovery plan was never invoked.

D. Thorough planning may or may not minimize the cost of facility repair. That is, the best approach may be to undergo more expensive repair sooner in order to resume operations sooner.

Question 221 - ICMA 10.P1.252 - Internal Auditing

If a corporation may be violating federal and state laws governing environmental concerns, which one of the following types of audit will best assist in ascertaining whether such situations may exist?

A. Compliance Audit.
B. Management Audit.
C. Financial audit.
D. Operational audit.

A.

A compliance audit will assist in ascertaining whether a corporation is violating federal and state laws governing environmental concerns. A compliance audit is performed in order to determine whether an organization is conforming to certain specific requirements of its policies, procedures, standards, or laws and governmental regulations.

B.

The management audit is a fairly recent concept in internal auditing. Management audits are compliance audits plus cause-and-effect analysis. They result in change. In a compliance audit, the requirements are accepted by the auditor as given by the auditee. In a management audit, the requirements are challenged. In a compliance audit, the auditor assesses whether the requirements are being implemented. In a management audit, the auditor assesses whether the requirements are effective and suitable. Compliance audits are designed for high-risk and third party applications, such as determining whether laws are being complied with. Management audits are generally limited to internal applications, where management has set requirements and the internal auditor examines those requirements.

A management audit would not be appropriate for ascertaining whether a corporation is violating federal and state laws governing environmental concerns, because the laws are given and are not subject to an auditor's determination as to whether they are appropriate or not.

C.

A financial audit will not assist in ascertaining whether a corporation is violating federal and state laws governing environmental concerns.

The purpose of an internal financial audit is to analyze the economic activity of an entity as measured and reported by accounting methods. It is not the same as the purpose of an independent, external audit of the financial statements. The purpose of the independent audit is to evaluate the assertions made by management on the organization’s financial statements and to issue an opinion on the fairness of the statements. A financial audit performed by an internal auditor is not performed for the purpose of issuing an opinion on the fairness of the financial statements, although the internal auditors may perform many of the same activities.

A financial audit performed by the internal audit activity usually is done on one specific area of the organization. Areas where internal auditing evaluations may be used by the independent auditors are evaluations of cash controls, accounts receivable, accounts payable, and other financial activities.

D.

An operational audit will not assist in ascertaining whether a corporation is violating federal and state laws governing environmental concerns.

The purpose of an operational audit is examining and evaluating systems of internal control, overall company operations and the quality of performance in carrying out assigned responsibilities. The internal auditors compare the results of the operations with standards for performance or output. The focus of an operational audit is on the three "E"s: efficiency, effectiveness and economy.

Question 222 - CMA 689 3.16 - Internal Controls

Which one of the following situations represents an internal control weakness in the payroll department?

A. Payroll records are reconciled with quarterly tax reports.
B. Paychecks are distributed by the employees' immediate supervisor.
C. Payroll department personnel are rotated in their duties.
D. The timekeeping function is independent of the payroll department.

A. Reconciling payroll records with quarterly tax reports is an internal control strength, not a weakness.

B. If supervisors are permitted to distribute paychecks, a supervisor could terminate an employee but not report the termination, then continue to clock the employee in and out and receive the employee's paycheck.

C. Rotation of payroll department personnel is an internal control strength, not a weakness.

D. The timekeeping function should be independent of the payroll department, so this represents a control strength, not a control weakness.

Question 223 - CIA 1191 I.18 - Internal Auditing

Management believes that some specific sales commissions for the year were too large. The accuracy of the recorded commission expense for specific salespersons is best determined by

A. Calculating commission ratios.
B. Tests of overall reasonableness.
C. Use of analytical procedures.
D. Computation of selected sales commissions.

A. Since management is questioning specific sales commissions, calculating commission ratios would not be useful, since the ratios would be based on total sales and total commissions rather than on the sales made by and commissions paid to specific sales persons.

B. Since management is questioning specific sales commissions, tests of overall reasonableness would not be useful, since the tests would be based on totals rather than specific transactions.


C. Since management is questioning specific sales commissions, use of analytical procedures would not be useful, since the analytical procedures would be based on totals rather than specific transactions.

D. Since management is questioning specific sales commissions, the accuracy of the recorded commission for specific salespersons will be best determined by recomputing a sample of commissions for the salespeople whose commissions are in question.

Question 224 - CIA 1196 III.35 - Internal Auditing

Which of the following is not a true statement about the relationship between internal auditors and external auditors?

A. There may be periodic meetings between internal and external auditors to discuss matters of mutual interest.
B. Internal auditors may provide audit programs and working papers to external auditors.
C. Oversight of the work of external auditors is the responsibility of the chief audit executive.
D. There may be an exchange of audit reports and management letters between internal and external auditors.

A. In order to assure timely and efficient completion of the work, sufficient meetings should be scheduled between internal and external auditors.

B. Coordination between internal auditors and external auditors may require internal auditors to provide their engagement work programs and working papers to external auditors.

C. It is not the responsibility of the CAE to oversee the work of the external auditors. The audit committee of the board has this oversight responsibility.

D. Exchange of internal audit communications and external auditors' management letters is necessary as part of the coordination between internal auditors and external auditors.

Question 225 - ICMA 10.P1.255 - Systems Controls and Security Measures

 A computer virus is different from a "Trojan Horse" because the virus can

A. erase executable files.
B. corrupt data.
C. replicate itself.
D. alter programming instructions.

 A.

Both viruses and Trojan horses can erase executable files.

A virus is a program that alters the way another computer operates. Viruses can damage programs, delete files or reformat the hard disk.

A Trojan horse is any program that does something besides what a person believes it will do. A Trojan horse can appear to be something desirable, but in fact it contains malicious code that, when triggered, will cause loss or even theft of data.

B.

Both viruses and Trojan horses can corrupt data.


A virus is a program that alters the way another computer operates. Viruses can damage programs, delete files or reformat the hard disk.

A Trojan horse is any program that does something besides what a person believes it will do. A Trojan horse can appear to be something desirable, but in fact it contains malicious code that, when triggered, will cause loss or even theft of data.

C.

To be considered a virus, a virus must meet two criteria: 1) It must execute itself. A virus often places its own code in the path of the execution of another program. And 2) it must replicate itself. A virus can replace other executable files with a copy of the virus-infected file.

A Trojan Horse does not replicate itself.

D.

Both viruses and Trojan horses can alter programming instructions.

A virus is a program that alters the way another computer operates. Viruses can damage programs, delete files or reformat the hard disk.

A Trojan horse is any program that does something besides what a person believes it will do. A Trojan horse can appear to be something desirable, but in fact it contains malicious code that, when triggered, will cause loss or even theft of data.

Question 226 - ICMA 10.P1.249 - Internal Controls

The principal impetus for the enactment of the Foreign Corrupt Practices Act by the U.S. Congress was to

A. prevent the bribery of foreign officials by U.S. firms seeking to do business overseas.
B. require mandatory documentation of the evaluation of internal controls by the independent auditors.
C. discourage unethical behavior by foreigners employed by U.S. firms.
D. promote the mandates issued by the United Nations with regard to global trade between its member nations.

A. The Foreign Corrupt Practices Act of 1977 (substantially revised in 1988) was enacted in response to disclosures of questionable payments that had been made by large companies. Investigations by the SEC had revealed that over 400 U.S. companies had made questionable or illegal payments in excess of $300 million to foreign government officials, politicians and political parties. The payments were either illegal political contributions or payments to foreign officials that bordered on bribery.

B. This was not the principal impetus for the enactment of the Foreign Corrupt Practices Act by the U.S. Congress.

C. This was not the principal impetus for the enactment of the Foreign Corrupt Practices Act by the U.S. Congress.

D. This was not the principal impetus for the enactment of the Foreign Corrupt Practices Act by the U.S. Congress.

Question 227 - CIA 596 I.12 - Internal Auditing

A manufacturing organization uses hazardous materials in production of its products. An audit of these hazardous materials may include:

I. Recommending an environmental management system as a part of policies and procedures.


II. Verifying the existence of "cradle to grave" (creation to destruction) tracking records for these materials.
III. Using consultants to avoid self-incrimination of the firm in the event illegalities were detected in an environmental audit.
IV. Evaluating the cost provided for in an environmental liability accrual account.

A. I and II only.
B. I, II and IV.
C. II only.
D. III and IV.

A. Recommending an environmental management system as a part of policies and procedures and verifying the existence of "cradle to grave" tracking records for hazardous materials are not the only items listed that could be included in a hazardous materials audit.

B. A hazardous materials audit may include recommending an environmental management system as a part of policies and procedures, verifying the existence of "cradle to grave" tracking records for hazardous materials, and evaluating the cost provided for in an accrual account for environmental liability for hazardous materials.

C. Verifying the existence of "cradle to grave" tracking records for hazardous materials is not the only item listed that could be included in a hazardous materials audit.

D. Using consultants to avoid self-incrimination of the firm in the event illegalities are detected in an environmental audit is neither appropriate nor necessary. There is no requirement for internal auditors to report to external parties any violations of environmental laws they may discover.

Question 228 - CIA 589 I.38 - Internal Auditing

 According to the Standards, audit findings are the result of 

A. Determining the impact on the organization of what should be.
B. Analyzing differences between organizational and departmental objectives.
C. Comparing what should be with what is.
D. The internal auditor's conclusions (opinions).

 A. Audit findings are not the result of determining the impact on the organization of what should be.

B. Audit findings are not the result of analyzing differences between organizational and departmental objectives.

C. Audit findings are the result of internal auditors having compared "what is" with "what should be." The audit findings are to be reported to management along with suggestions and recommendations for improvement.

D. Audit findings are not the result of the internal auditor's conclusions (opinions).

Question 229 - CIA 594 3.37 - Systems Controls and Security Measures

The Computer Center of a company processes its prior week's sales invoices, as well as its returns and allowances, at the end of the week. Cash receipts, however, are processed and deposited daily. Each morning the mail receipts clerk prepares the cash receipts prelist in duplicate. The original prelist goes to the head cashier together with the checks and an adding machine tape. The duplicate copy goes to the accounts receivable supervisor. The separate remittance advices are sent to the data input clerk. At midday, the head cashier prepares the bank deposit slip which is taken to the bank. After returning from the bank, the head cashier compares the original prelist to the validated bank deposit slip, initials the documents, and files them in chronological order.


The following morning the accounts receivable supervisor receives a summary processing list from the Computer Center with various control totals from the nightly accounts receivable update. The total on the prior day's duplicate cash receipts prelist is then compared with the total showing the difference between the prior day's beginning and ending accounts receivable subsidiary ledger totals. The amount shown on yesterday's duplicate cash receipts prelist was $35,532.32. This morning the difference between the beginning and ending subsidiary ledger totals was $35,541.32.

The company probably uses which of the following processing systems:

A. On-line credit check inquiries.
B. Batch processing for cash receipts and sales invoices.
C. Real-time processing for cash receipts, batch processing for sales invoices.
D. Remote batch processing for cash receipts.

 A. This isn't discussed, nor is it likely considering the technological state of the described systems.

B. Batch processing is probably used.

C. Cash receipts are not updated immediately as they occur.

D. It's not a remote location.

Question 230 - CIA 1190 I.10 - Internal Controls

Which of the following controls would be the most appropriate means to ensure that terminated employees had been removed from the payroll?

A. Mailing checks to employees' residences.
B. Reconciling payroll and time-keeping records.
C. Establishing computerized limit checks on payroll rates.
D. Establishing direct-deposit procedures with employees' banks.

A. Mailing checks to employees' homes does nothing to verify whether all the paychecks are valid. Using this procedure, terminated employees who had not been removed from the payroll would continue to receive paychecks.

B. If an employee has been terminated but the employee has not been removed from the payroll, a reconciliation of payroll records with time-keeping records should detect it.

C. This procedure would detect excessive pay to current employees but not inappropriate pay to terminated employees.

D. Establishing direct-deposit procedures with employees' banks does nothing to verify whether all the paychecks are valid. Using this procedure, terminated employees who had not been removed from the payroll would continue to receive paychecks.

Question 231 - CMA 1288 3.21 - Internal Controls

Which one of the following would be considered an accounting control rather than an administrative control?

A. Marketing analysis of sales generated by advertising projects.
B. Maintenance of control over unused checks.
C. Timely reporting and review of quality control results.
D. Maintenance of statistical production analyses.


The mail clerk is performing the custody function (receiving the payment), and Accounts Receivable is performing the recording function (posting to the subsidiary ledger).

D.

This is an appropriate segregation of duties. Proper segregation of duties requires that different people perform the functions of authorizing a transaction, recording the transaction which includes preparing source documents, keeping physical custody of the related asset, and periodic reconciliation of the physical assets to their recorded amounts.

The mail clerk is performing the custody function (receiving the payment), and the Cashier is performing the recording function (preparation of the deposit slip which will be the source document for recording the transaction).

Question 233 - CIA 593 I.5 - Internal Auditing

The status of the internal audit activity should be free from the effects of irresponsible policy changes by management. The most effective way to assure that freedom is to

A. Adopt policies for the functioning of the internal audit activity.
B. Develop written policies and procedures to serve as standards of performance for the internal audit activity.
C. Establish an audit committee within the board.
D. Have the internal audit charter approved by the board.

A. Adopting policies for the functioning of the internal audit activity will not protect it from actions by management that could weaken its status and effectiveness.

B. Developing written policies and procedures to serve as standards of performance for the internal audit activity will not protect it from actions by management that could weaken its status and effectiveness.

C. Establishing an audit committee within the board will not, by itself, give the internal audit activity protection from actions by management that could weaken its status and effectiveness.

D. The charter should establish the internal audit activity's purpose, authority, responsibility, and position within the organization, and it should be approved by the board. This approval gives the internal audit activity protection from actions by management that could weaken its status and effectiveness.

Question 234 - CMA 1287 5.16 - Systems Controls and Security Measures

An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be

A. Batch total.
B. Completeness test.
C. Sequence check.
D. Reasonableness test.

A. Batch control totals are any type of control total or count applied to a specific group of transactions, such as total sales dollars in a batch of billings. Batch control totals are used to ensure that all input is processed correctly by the computer, but they will not detect missing input. If the purchase order number were omitted, a batch control total would not detect the omission.

B. A completeness test is an input validation routine that checks and ensures that data is input into all required fields. If the purchase order number were omitted, a completeness test would detect the omission and give the user a message that the input was missing.

C. A sequence check is a type of verification that is performed to help ensure that data is in the proper order. If a purchase order number were omitted, a sequence check would not detect the omission.

D. A reasonableness test ensures that only data within predefined limits will be accepted by the system. If a purchase order number were omitted, a reasonableness test would not detect the omission.

Question 235 - IIA, adapted CIA H30 - Systems Controls and Security Measures

Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network, and can possibly produce a denial of service attack by excessively utilizing system resources?

A. Virus.
B. Worm.
C. Logic bomb.
D. Trojan horse.

A. A virus is a program that alters the way another computer operates, but it is not an independent program that can reproduce itself throughout the network. A virus spreads by inserting copies of itself into the executable code or documents.

B. A worm is an independent program that replicates itself from system to system without the use of any host file. The difference between a worm and a virus is that the worm does not require the use of an infected host file, while the virus does require the spreading of an infected host file. Worms generally exist inside of other files, often Word or Excel documents. However, worms use the host file differently from viruses. Usually the worm releases a document that has the "worm" macro inside the document. The entire document spreads from computer to computer, so the entire document is, in essence, the worm.

C. A logic bomb is a malicious program that is activated when some particular condition occurs (e.g., could be a date, or system operation).

D. A Trojan horse is an independent program that is disguised as legitimate software. They may look useful or interesting to an unsuspecting user, but are actually harmful when executed.

Question 236 - CIA 596 3.52 - Systems Controls and Security Measures

A department store company with stores in 11 cities is planning to install a network so that stores can transmit daily sales by item to headquarters and store salespeople can fill customer orders from merchandise held at the nearest store. Management believes that having daily sales statistics will permit better inventory management than is the case now with weekly deliveries of sales reports on paper. Salespeople have been asking about online inventory availability as a way to retain the customers that now go to another company's stores when merchandise is not available. The planning committee anticipates many more applications so that in a short time the network would be used at or near its capacity.

As the planning committee identified the many applications that the proposed network could support, the committee realized that a significant risk could be:

A. Lack of enthusiasm for installing and using the new network in the stores.
B. Inability to obtain needed network components from vendors as usage increases.
C. Patent and trademark violations when using new application software.
D. Incomplete, inadequately tested, or unauthorized application software.


A. On the contrary, management has stated its intention to install the network, salespeople have been asking for features that the network could provide, and the planning committee has identified many potential applications.

B. Given the standard nature of the network, it is unlikely that the company would not be able to obtain needed components from vendors as usage increases.

C. These types of violations do not occur with in-house development.

D. The pressure for the department store company to be competitive is so great that there may be a significant risk that application software could be incomplete, inadequately tested, or unauthorized.

Question 237 - CMA 1287 5.17 - Internal Controls

The reporting of accounting information plays a central role in the regulation of business operations. The importance of sound internal control practices is underscored by the Foreign Corrupt Practices Act of 1977 which requires publicly owned U.S. corporations to maintain systems of internal control that meet certain minimum standards. Preventive controls are an integral part of virtually all accounting processing systems, and much of the information generated by the accounting system is used for preventive control purposes. Which one of the following is not an essential element of a sound preventive control system?

A. Sound personnel practices.
B. Documentation of policies and procedures.
C. Separation of responsibilities for the recording, custodial, and authorization functions.
D. Implementation of state-of-the-art software and hardware.

A. Sound personnel practices contribute to sound control systems. Organizations with effective control environments transmit guidance to their employees both verbally and by example, communicating the entity's values, standards and code of conduct; and they follow up on violations. There are mechanisms to encourage employee reporting of suspected violations, and disciplinary actions are taken when employees fail to report them. Formal and clearly communicated policies and procedures that result in shared values and teamwork are followed at all times, without exception. The competence level needed for particular jobs is specified, competent people are hired and retained, and authority and responsibility are appropriately assigned. Internal control is an explicit or implicit part of everyone's job description, and all individuals in the organization realize that they will be held accountable.

B. Documented policies and procedures are an important part of a sound control system. Formal and clearly communicated policies and procedures that result in shared values and teamwork should be followed at all times, without exception.

C. Separation of responsibilities for the recording, custodial, and authorization functions is an essential element of a sound preventive control system, because without such separation of responsibilities, a person could commit a fraud and conceal it.

D. Implementation of state-of-the-art software and hardware is not necessary for an organization to have a sound control system.

Question 238 - HOCK CMA P1D3 02 - Systems Controls and Security Measures

Which of the following statements regarding encryption is true?

A. It is impossible to intercept encrypted data sent over the Internet.
B. Secret key systems use two different keys, one for encryption and one for decryption.
C. A message encrypted with Company Q's public key can only be decrypted with Company Q's private key.


D. Encryption is a 100% guarantee that data being transmitted cannot be read by an unintended third party.

A. Quite to the contrary, it is very easy to intercept encrypted data. Encryption makes it difficult for transmitted data to be read, but it does nothing to prevent interception. There is a better answer among the choices here.

B. A secret key system uses the same key for encryption and decryption. A public/private key system uses two different keys.

C. This is a true statement. Only the matching private key can decrypt a message encrypted with the public key. This is an essential part of the SSL system used on the Internet for secure web sites.

D. There are two problems with this answer. First and foremost, encryption is only as good as the secrecy of the encryption keys used in the encryption. If the encryption keys are lost, stolen or otherwise revealed to third parties, those third parties will be able to read the encrypted messages. Secondly, while encryption is mathematically very difficult to break, it is not impossible given enough time, skill and determination.

Question 239 - CMA 682 3.17 - Internal Auditing

From a modern internal auditing perspective, which one of the following statements represents the most important benefit of an internal auditing activity to management?

A. Assurance that there is reasonable control over day-to-day operations.
B. Assurance that the organization is complying with legal requirements.
C. Assurance that fraudulent activities will be detected.
D. Assurance that published financial statements are correct.

A. Internal audit activities can assist the management of a company in its responsibility of maintaining effective controls by evaluating the effectiveness of those controls with the goal of continuous improvement.

B. Internal audit activities cannot assure compliance with legal requirements.

C. Internal audit activities cannot assure that fraudulent activities will be detected.

D. Internal audit activities cannot assure that published financial statements are correct.

Question 240 - HOCK CMA P1D3 06 - Systems Controls and Security Measures

Which of the following statements about a firewall is false?

A. Firewalls are an effective barrier from phishing attacks.
B. Firewalls act as a barrier between the internal and external network.
C. A firewall can block port scans from finding computers on a company's network.

D. Firewalls can be either hardware-based or software-based.

A. Firewalls are not an effective barrier against phishing attacks. A phishing attack involves tricking someone into divulging information, and a firewall cannot help prevent someone from releasing private information. A firewall's purpose is to prevent unauthorized access to the company internal network.

B. This is the very basic definition of a firewall.

C. This is a true statement. Port scans would be unable to reach the computers on the company's network through the firewall.


D. This is a true statement. Firewalls can be a software program installed on a computer, either as part of the operating system or as a separate utility. Firewalls can also be a physical piece of equipment that is installed between the internal network and the Internet.

Question 241 - CIA 1187 I.10 - Internal Controls

The internal auditor recognizes that certain limitations are inherent in any internal control system. Which one of the following scenarios is the result of an inherent limitation of internal control?

A. A security guard allows one of the warehouse employees to remove company assets from the premises without authorization.
B. The comptroller both makes and records cash deposits.
C. An employee, who is unable to read, is assigned custody of the firm's computer tape library and run manuals that are used during the third shift.
D. The firm sells to customers on account, without credit approval.

A. If two employees (the security guard and the warehouse employee) collude to defraud their employer, a control based on segregation of functions can be rendered ineffective. This is an inherent limitation of internal control.

B. This is not an inherent limitation of internal control, because it could and should be avoided through adequate segregation of duties.

C. Assignment of an employee who is unable to read to a job requiring reading is avoidable through adequate testing of potential employees. Therefore, it is not an inherent limitation of internal control.

D. This is not an inherent limitation of internal control, because it could and should be avoided through adequate credit approval of sales.

Question 242 - CMA 695 4.22 - Systems Controls and Security Measures

In the organization of the information systems function, the most important separation of duties is

A. Having a separate information officer at the top level of the organization outside of the accounting function.
B. Assuring that those responsible for programming the system do not have access to data processing operations.
C. Not allowing the data librarian to assist in data processing operations.
D. Using different programming personnel to maintain utility programs from those who maintain the application programs.

A. Having a separate information officer at the top level of the organization outside of the accounting function is not as critical a separation of duties as that between programmers and data processors.

B. The separation of duties is critical in an IS control environment. Programmers and analysts are responsible for designing, writing, testing and documenting the system, but they should not have access to data processing operations.

C. Librarians maintain the documentation, programs and data files, but they should not have access to equipment. Furthermore, librarians can assist in data processing operations.

D. Having a policy where different programmers would maintain different programs would not be an effective control function. Typically, programmers handle all kinds of different programs.


Question 243 - CIA 597 III.35 - Internal Controls

Control self-assessment is a process that involves employees in assessing the adequacy of controls and identifying opportunities for improvement within an organization. Which of the following are reasons to involve employees in this process?

I. Employees become more motivated to do their jobs right.
II. Employees are objective about their jobs.
III. Employees can provide an independent assessment of internal controls.
IV. Managers want feedback from their employees.

A. II and IV.
B. III and IV.
C. I and II.
D. I and IV.

A. Employees are not generally objective about their jobs.

B. While it is true that managers want feedback from their employees, it is not true that employees can provide an independent assessment of internal controls. The fact that they are employees makes them not independent.

C. Employees are not generally objective about their jobs.

D. Involving employees in assessing internal controls can serve as a motivator to them to seek continuous improvement in their jobs. Furthermore, since employees are often closer to the actual work being done than managers, their feedback can provide management with insights into control weaknesses.

Question 244 - CIA 589 II.7 - Internal Controls

Which of the following controls could be used to detect bank deposits that are recorded but never made?

A. Establishing accountability for receipts at the earliest possible time.
B. Linking receipts to other internal accountabilities (i.e., collections to either accounts receivable or sales).
C. Consolidating cash receiving points.
D. Having bank reconciliations performed by a third party.

A. Establishing accountability for receipts at the earliest possible time should be done before the deposit is prepared or the entry to reflect the receipt is posted. However, it would not detect bank deposits that are recorded but never made.

B. Linking receipts to other internal accountabilities is done before the deposit is prepared or the entry to reflect the receipt is posted. It would not detect bank deposits recorded but never made.

C. Consolidation of cash receiving points is done before the deposit is prepared or the entry to reflect the deposit is posted. It would not detect bank deposits recorded but never made.

D. Since a bank reconciliation compares the bank statement with the company records, a bank reconciliation prepared by a person not involved in preparing the deposit or posting the entry to reflect the receipt would detect whether bank deposits that have been recorded have not been made.

Question 245 - CIA 1196 3.54 - Systems Controls and Security Measures


A company is very conscious of the sensitive nature of company information. Because company data is valuable, the most important thing that the security administrator should monitor is:

A. Access to operational data by privileged users.
B. Multiple access to data by data owners.
C. Management authorization of modified access.
D. Data owner specification of access privileges.

A. The security administrator should report access to data or resources by privileged users so that the access can be monitored for appropriate and authorized usage.

B. Multiple access to data by data owners, the individuals responsible for creating and maintaining specific data, is a normal occurrence.

C. Management authorization of modified access is expected as needs or conditions change and is not an event typically reported.

D. Data owner specification of access privileges is normal and is typically maintained by the system and need not be reported by the security administrator.

Question 246 - CIA 1196 III.75 - Systems Controls and Security Measures

In a database system, locking of data helps preserve data integrity by permitting transactions to have control of all the data needed to complete the transactions. However, implementing a locking procedure could lead to

A. Unrecoverable transactions.
B. Rollback failures.
C. Deadly embraces (retrieval contention).
D. Inconsistent processing.

A. Unrecoverable transactions occur if there is a power failure or another fault during processing, and a transaction or transactions are only partially processed. Rollback processing is used to prevent any transactions from being written to disk until they are complete. At its first opportunity, the program automatically rolls itself back to its pre-fault state by undoing any partial posting that took place prior to the aborted processing.

B. Rollback processing is used to prevent any transactions being written to disk until they are complete. If there is a power failure or another fault during processing, at its first opportunity, the program automatically rolls itself back to its pre-fault state by undoing any partial posting that took place prior to the aborted processing. A rollback failure would be a failure to undo this partial posting.

C. A deadly embrace (also called a deadlock) occurs when two different applications or transactions each have a lock on data that is needed by the other application or transaction. Neither process is able to proceed, because each is waiting for the other to do something. In these cases the system must have a method of determining which transaction goes first, and then it must let the second transaction be completed using the updated information after the first transaction.

D. Implementing a locking procedure does not lead to inconsistent processing. A locking procedure would, in fact, result in consistent processing, because each transaction has access to all the files and data that it needs in order to be processed.

Question 247 - CMA 690 5.4 - Internal Controls


Marport Company is a manufacturing company that uses forms and documents in its accounting information systems for record keeping and internal control.

The departments in Marport's organization structure and their primary responsibilities are:

Accounts Payable -- authorize payments and prepare vouchers.
Accounts Receivable -- maintain customer accounts.
Billing -- prepare invoices to customers for goods sold.
Cashier -- maintain a record of cash receipts and disbursements.
Credit Department -- verify the credit rating of customers.
Cost Accounting -- accumulate manufacturing costs for all goods produced.
Finished Goods Storeroom -- maintain the physical inventory and related stock records of finished goods.
General Accounting -- maintain all records for the company's general ledger.
Internal Audit -- appraise and monitor internal controls, as well as conduct operational and management audits.
Inventory Control -- maintain perpetual inventory records for all manufacturing materials and supplies.
Mailroom -- process incoming, outgoing, and interdepartmental mail.
Payroll -- compute and prepare the company payroll.
Personnel -- hire employees, as well as maintain records on job positions and employees.
Purchasing -- place orders for materials and supplies.
Production -- manufacture finished goods.
Production Planning -- decide the types and quantities of products to be produced.
Receiving -- receive all materials and supplies.
Sales -- accept orders from customers.
Shipping -- ship goods to customers.
Stores Control -- safeguard all materials and supplies until needed for production.
Timekeeping -- prepare and control time worked by hourly employees.

Responsibility for following up on any problems regarding orders of production materials and supplies, such as orders for which no acknowledgment has been received, orders overdue, partial orders, damaged or substandard merchandise received on an order, etc., would be entrusted to the

A. Purchasing Department.
B. Production Planning Department.
C. Receiving Department.
D. Stores Control Department.

A. The Purchasing Department is responsible for following up on any problems regarding orders of production materials and supplies.

B. The Production Planning Department is responsible for the manufacturing. They are not responsible for following up on problems with purchase orders.

C. The receiving department receives the order, but after it has been received and recorded, they do not have responsibility for following up on problems regarding the orders.

D. The Stores Department is responsible for safeguarding all materials and supplies after they are received and until they are needed for production.

Question 248 - HOCK CMA P1D3 07 - Systems Controls and Security Measures

Which of the following is not an example of a physical access control?

A. Having the computer center be protected from natural disasters as much as possible.
B. Having access to the computer center be controlled by a security guard who can open the locked doors only by "buzzing in" authorized personnel.
C. Requiring scanning of magnetic ID cards to enter the computer center, with all access being logged automatically.


D. Shredding confidential documents when they are no longer needed.

A. This is an example of a physical control because it pertains to keeping the computer equipment safe from damage or loss due to natural disasters.

B. This is an example of a physical control because it pertains to controlling physical access to the computer equipment.

C. This is an example of a physical control because it pertains to controlling physical access to the computer equipment.

D. While shredding sensitive documents when they are no longer needed is a very important output control, it does not pertain to the physical security of the computing equipment.

Question 249 - CIA 593 I.37 - Internal Auditing

An operational audit report that deals with the scrap disposal function in a manufacturing company should address

A. Whether the physical inventory count of the scrap material agrees with the recorded amount.
B. Whether the scrap material inventory is reported as a current asset.
C. The efficiency and effectiveness of the scrap disposal function and include any findings requiring corrective action.
D. Whether the scrap material inventory is valued at the lower of cost or market.

A. An operational audit is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. Whether the physical inventory count of the scrap material agrees with the recorded amount is part of a financial statement audit, not an operational audit.

B. An operational audit is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. How the scrap material inventory is reported on the financial statements is part of a financial statement audit, not an operational audit.

C. An operational audit is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. Auditors will compare the results of the operations with a standard level of behavior or output that has been set. The focus of an operational audit is on efficiency, effectiveness and economy. The internal auditor will make recommendations about how to improve the process or operation.

D. An operational audit is concerned with examining and evaluating systems of internal control, overall company operations, and the quality of performance in carrying out assigned responsibilities. Whether the scrap material inventory is valued at the lower of cost or market is part of a financial statement audit, not an operational audit.

Question 250 - CIA 1193 II.11 - Internal Controls

In an internal audit of a purchasing department, which of the following ordinarily would be considered a risk factor?

A. Purchases are made against blanket or open purchase orders for certain types of items.
B. Purchases are made from parties related to buyers or other company officials.
C. Purchase specifications are developed by the department requesting the material.
D. There is a failure to rotate purchases among suppliers included on an approved vendor list.

 A. When appropriate to do so, making purchases against blanket or open purchase orders is not a control risk.


B. Making purchases from related parties is a control risk because the purchasing agent may have a conflict of interest.

C. The department requesting the material would be expected to develop the purchase specifications, and thus this does not represent a control risk.

D. Rotating purchases among approved suppliers is not a usual control procedure, and therefore failure to rotate suppliers is not a control risk. However, the use of an approved list of vendors is appropriate because it helps to ensure quality of materials and reliability of supplies.
