1) Which of the following is not a category of objectives of internal control per the COSO Internal Control Framework?
A) Reliability of financial reporting
B) Achievement of strategic objectives
C) Effectiveness and efficiency of operations
D) Compliance with laws and regulations
E) All of the above are categories of objectives of internal control
2) The internal audit activity's role in the risk management process of an organization may not encompass:
A) No role
B) Auditing the risk management process as part of the internal audit plan.
C) Facilitating identification of risks
D) Accountability for risk management
E) Participation on oversight committees, monitoring activities, and status reporting.
3) The IIA Code of Ethics specifically prohibits a CAE from receiving stock options.
A) True
B) False
4) Which of the following is true about internal vs. external auditing?
A) Internal auditing reports to the external auditors
B) Internal auditing is more focused on financial reporting than external auditing
C) Many of the tool and techniques in auditing are common to both internal and external auditing
D) External auditors cannot rely on any of the work done by internal auditing
E) Both have the same definition of the term "independence."
5) Which of the following is not part of the definition of internal auditing?
A) Risk management
B) Governance
C) Consulting
D) Add value
E) Implement internal controls
6)Which of the following is true about ERM?
A) The COSO ERM Framework is the only approved ERM framework in the U.S.
B) 90% of all corporations have implemented the entire COSO ERM Framework
C) The COSO ERM Framework is part of the COSO Internal Controls Framework
D) An effective ERM process will guarantee the enterprise will achieve its business objectives
E) None of the above is true
7) In which situation does the internal auditor lack objectivity?
A) The internal auditor recommends standards of performance for an outsourcing contract
B) The internal auditor discusses the status of a system implementation over lunch at a vendor conference
C) The internal auditor performs a review of internal controls over the treasury function eight months after being transferred from that department to internal auditing
D) The internal auditor reviews audit findings with the CAE prior to issuing the final audit report
E) All of the above
8) In the three lines of defense model, the primary responsibility for maintaining effective internal controls belongs to:
A) The audit committee
B) The CEO
C) Internal auditing
D) The risk management function
E) Operational management
9) Which of the following is a change to the updated COSO Internal Control Framework from the 1992 version?
A) The definition of internal controls
B) The 17 principles
C) The three categories of control objectives
D) The five integrated components
E) The importance of management judgment
10) According to the IPPF, an internal auditor assigned to an audit engagement:
A) Must be an expert in the area being audited
B) Must be proficient and exercise due professional care
C) Cannot have a relative working anywhere in the company
D) Must be a Certified Internal Auditor
E) Is responsible for detecting fraud
11) Which of the following about how internal auditing adds value is not true?
A) Different levels in the organization have different opinions as to how internal auditing can best add value
B) What is considered value add in one organization may not be considered value add in another organization
C) For any organization consulting is considered to be higher value add than assurance services
D) How internal auditing can best add value changes over time
E) Internal auditing is limited by resources, staff size and expertise in where and how they can add value
12) The manager of data processing requested your assistance on a new computerized accounts payable system being developed. He has two requests:
a) Internal auditing makes suggestions during the development of the system.
b) Internal auditing assists in the installation of the system and approves the system after making a final review.
Which of the following statements is correct?
A) The auditors can provide assistance in both areas without violating the Code of Ethics.
B) The auditors can assist in a) but not b) without violating the Code of Ethics
C) The auditors can assist in b) but not a) without violating the Code of Ethics
D) The auditors would violate the Code of Ethics by providing any of the requested assistance
E) The Code of Ethics is not applicable to the requests from the manager of data processing
13) Which of the following is not a legitimate role for internal auditing in cloud computing?
A) Reviewing personnel transition and end-user training plans
B) Providing assurance on IT general controls
C) Reviewing service level agreements
D) Ongoing monitoring of vendor performance
E) Implementing the cloud computing strategy
14) Which of the following is not cited in week 3 as a limitation of a system of internal controls?
A) Cost/benefits trade-offs in establishing controls
B) Average age of senior management
C) Management overrides
D) Collusion
E) Lack of training in control procedures
15) In reviewing the governance process which of the following is not applicable to the role of top management?
A) Organizational structure
B) Board oversight
C) Corporate culture
D) Management control systems
E) All of the above
16) Which of the following is true about the IPPF?
A) By law in the U.S. internal auditing departments must comply withall the IIA Standards.
B) Interpretations are not considered to be mandatory guidance
C) The Code of Ethics is part of the Standards
D) Independence as defined in the IPPF is a concept dealing with an unbiased mental attitude
E) All of the above are not true
17) Which area can risk management and internal auditing not collaborate?
A) Sharing available resources
B) Being jointly accountable for risk management
C) Assessing and monitoring risks
D) Sharing work products
E) Cross-leveraging expertise
18) Which are the following is not considered to be a difference between ERM and traditional approaches to risk management?
A) ERM encompasses all areas of organizational exposure to risk
B) ERM manages risks holistically as an interrelated portfolio across the organization
C) ERM is still evolving but traditional risk management is fully defined and established
D) ERM views risk management as a source of competitive advantage
E) All of the above are differences
19) Without effective general computing controls, relianceon IT systems may not be possible?
A) True
B) False
20) Which of the following about outsourcing is not true?
A) According to COSO ERM the risk can be assumed by the service provider
B) The level of risk increases when key business operations are outsourced
C) The organization should consider the risk of performing the function internally and compare it to the risk of outsourcing
D) Managing the relationship is more difficult because the service provider may limit the client's ability to observe and assess controls
E) All of the above are true
21) Which of following is true about Governance, Risk Management and Compliance?
A) It should be implemented as a technology solution
B) Internal auditing has primary responsibility for ensuring the organization has implemented GRC
C) Each component of GRC has to be at the same level of maturity
D) Integrating GRC is a gradual process
E) All of the above are true
22) Based on the IPPF Standards which of the following does internal auditing not have responsibility for in the area of governance?
A) Assessing how well the organization promotes ethical values
B) Assessing information technology governance
C) Being a key sponsor of GRC
D) Making recommendations to ensure effective organizational performance management
E) All of the above are responsibilities of internal auditing
23) Which of the following is not an element of IT governance?
A) Risk management
B) Application controls
C) Resource Management
D) Performance management
E) None of the above
24) Which of the following would be considered a bad risk management practice?
A) Driven from the top down
B) Tailored to the organization
C) Primarily focused on hard controls
D) Integrated in the system of management
E) All of the above
25) It is always preferable to use quantitative techniques to assess risk.
A) True
B) False.