PRIOR EXAM QUESTIONS

1.1 Which ONE of the following alternatives will not lead to the financial director
being held liable in terms of the Companies Act 71 of 2008?
1 Failing to disclose to the board a personal financial interest.
2 Failing to act in good faith and for a proper purpose.
3 Failing to act in the best interest of the company.
4 Failing to inform the board of all environmental law changes.
Section 76(3). The financial director cannot be reasonably expected to know all
environmental laws. A director must not use the position of director to gain an
advantage for him- or herself, or knowingly cause harm to the company; and must
always act in the best interest of the company and communicate to the board any
information that comes to his or her attention that might be relevant.

1.2 Which of the following companies are required by the Companies Act to have
an audit committee?
I State-owned companies.
II Public companies.
III Private companies.
IV Public company that is a subsidiary of a holding company which has an audit
committee, but which will not perform the functions of an audit committee
within the subsidiary.
Section 94. It is not specifically required from private companies (option ii) to have an
audit committee.

Public companies and state-owned companies must have an audit committee as per
the Companies Act No. 71 of 2008. If a holding company is a public company or
state-owned company and has an audit committee, its subsidiaries can also use this
audit committee. As described in option (iv) the subsidiary will have its own audit
committee, as the audit committee functions will not be performed by the audit
committee of the holding company.

1.3 Who is ultimately responsible for ensuring that the company complies with
applicable laws and regulations?
1 The board of directors.
2 The audit committee.
3 The risk committee.
4 All the personnel of the company.
The Board remains the responsible party and should ensure that the company
complies with applicable laws, and considers adherence to non-binding rules, codes
and standards.
1.4 Which one of the following persons will be allowed to be appointed as a
director of Disney Ltd?
1 Mr Peter Pan: He is an emancipated minor and meets all the criteria of the
memorandum of incorporation.
2 Ms Merida: She is a rehabilitated insolvent. She has previously been found
guilty of not paying her parking fines on time and was fined R700.
3 Ms Tinkerbell: She has previously been removed from office as a director due
to misconduct involving untruthfulness. She has never been found guilty of
anything involving theft or fraud.
4 None of the above persons are allowed to be appointed as a director.
Section 67-71. Alternatives 1, 3 and 4 do not comply with section 69.

1.5 When conducting an evaluation of the auditable sustainability risk universe,

internal auditors should first learn where the organisation stands on issues
such as sustainability strategy, governance and operations. Which one of the
following questions is least likely to provide useful information in this regard?
1 Has the organisation established a process for responding to environmental
regulatory and reporting requirements?
2 Has an unqualified audit report been issued by the organisation’s external
auditors?
3 Has the organisation communicated externally the benefits of its sustainability
initiatives and obtained internal assurance on the reported data?
4 Does the organisation take any steps to reduce the cost of waste
management?
The alternatives listed are all governance activities the internal audit activity will be
involved in.

1.6 Inherent risk is measured …

1 at the end of each audit.
2 as if all internal controls in place were fully effective.
3 after the effectiveness of internal controls has been determined.
4 as if no internal controls were in effect.

1.7 The internal audit activity should contribute to the organisation’s governance
process by evaluating the processes through which:
I Ethics and values are promoted.
II Effective organizational performance management and accountability are
ensured.
III Risk and control information is communicated.
IV Activities of the external and internal auditors and management are
coordinated.
The auditors express an opinion on the fairness of the financial statements of the
organisation and thus will not provide information on sustainability strategy,
governance or operations. The other three alternatives all represent questions that
will provide evidence regarding issues mentioned.
1.8 Understanding the business process involves...
1 designing and implementing control structures.
2 defining performance objectives.
3 selecting control strategies.
4 identifying and examining the key activities.
Alternatives 1, 2 and 3 describe some of the roles of management in the business
process.

1.9 Good corporate governance normally includes all but which one of the
following alternatives?
1 Sound practices to keep the business entity accountable to all stakeholders
and the broader society.
2 Ongoing monitoring systems to ensure a proper balance of power within the
organisation.
3 Proper risk management systems and processes to ensure the sustainability
of the organisation.
4 Comprehensive legislature, guiding the practices of the organisation to mirror
good corporate governance principles.
It is not necessary for an organisation to be governed by comprehensive legislature
to have good corporate governance.

1.10 In the position paper issued by the Institute of Internal Auditors (IIA) on the
role of internal audit in enterprise-wide risk management (ERM), guidelines are
given on the roles that the internal auditor should play, provided certain
precautions be taken, and roles that the internal auditor should not accept. One
of the roles that internal auditors should not accept is to…
1 co-ordinate ERM activities.
2 set the risk appetite.
3 provide assurance that risks are correctly evaluated.
4 take a leading role in establishing ERM.
Generally, when deciding on the role internal audit should play, the internal audit
activity should consider whether the activity raises any threats to their independence
and objectivity and whether it is likely to improve the organisation’s risk
management, control and governance processes.

Figure 1, in the Position Paper presents a range of ERM activities and indicates
which roles an effective professional internal audit activity should and should not
undertake.

According to this schedule, alternatives 1 and 4 represent legitimate internal audit

roles with safeguards and alternative 3 represents a core role of internal audit
concerning ERM.

Setting the risk appetite is considered a role the internal audit should not undertake.
1.11 Which one of the following alternatives correctly describes enterprise-wide
risk management?
1 The totality of structures, methodology, procedures and definitions that an
organisation has chosen to use to implement its risk management processes.
2 Processes to identify, assess, manage, and control potential events or
situations, to provide reasonable assurance regarding the achievement of the
organisation’s objectives.
3 The process of bringing together individual processes in groupings to achieve
the organisational objectives.
4 A structured, consistent and continuous process across the organisation for
identifying, assessing, deciding on responses to and reporting on
opportunities and threats that affect the achievement of its objectives.
ERM is defined in the words of alternative 4. What should be emphasised in the
definition of ERM is that it is a process implemented across the organisation to
manage risk. Alternative 1 defines the risk management framework, alternative 2
defines the risk management processes and alternative 3 represents a part of the
management process.

1.12 A university’s executive board invites representatives of the student

community, administrative staff and academic staff to participate in a discussion
on proposed increases in student fees. Which one of the four ethical values
underpinning good corporate governance, as described in King VI, is best
supported by this initiative?
1 Fairness
2 Competence
3 Responsibility
4 Accountability
King IV describes fairness as the governing body should direct the organisation in
such a way that it does not adversely affect the natural environment, society or future
generations.

1.13 According to King IV the responsibilities of the board in respect of risk

governance should involve all but which one of the following activities?
1 The board should treat risk as integral to the way it makes decisions and
executes its duties.
2 The board should delegate to management the responsibility to implement
and execute effective risk management.
3 The board should not disclose the nature and extent of the risks and
opportunities the organisation is willing to take.
4 The board should approve policy that articulate and give effect to its set
direction on risk.
King IV, principle 12 - The nature and extent of the risks and opportunities the
organisation is willing to take should be disclosed without compromising sensitive
information.
1.14 Select the best alternative to complete the following sentence: In a
governance context, stakeholders are considered to be …
1 the shareholders of the company.
2 any group that can affect or be affected by the company’s operations.
3 any group that could affect the company’s financial performance or be
affected by the company’s financial performance.
4 the community in which the company operates.
Alternative 2 best completes the sentence as stakeholders are described as any
group that can affect the company’s operations or be affected by the entity’s
operations.

1.15 Good corporate governance depends on …

1 The board and management’s understanding of the King IV and COSO
reports.
2 the board and management’s understanding of the organisation’s pursuance
of objectives that are in the interest of the company and its stakeholders.
3 management’s commitment to comply with Acts and regulations such as the
Companies Act, the Public Finance Management Act and treasury regulations.
4 the audit committee’s understanding of its responsibility with regard to the
organisation’s performance.
The core function of an organisation’s management is to manage and direct the
organisation in such a way that its objectives, which should be in the interest of the
organisation and its stakeholders are achieved.

The International Standards for the Practice of Internal Auditing describe governance
as “the combination of processes and structures implemented by the board to inform,
direct, manage and monitor the activities of the organisation toward the achievement
of its objectives”. Good governance does not depend on the board and
management’s understanding of King IV and COSO (alternative 1), their commitment
to comply with legislation and regulations (alternative 3) or the audit committee’s
oversight (alternative 4), even though each of these alternatives contribute to good
corporate governance.

Good corporate governance depends on management’s pursuance to act in the best

interest of the organisation. Alternative 2 is therefore the correct answer.

1.16 The first step in understanding the reality of corporate governance in any
company is to...
1 read and understand the latest King, Cadbury, COSO and COCO reports.
2 read the statement on internal control in the annual financial statements.
3 consult with the external auditors on compliance with the Sarbanes-Oxley Act.
4 understand the ownership structure of the organisation.
Although COSO clearly indicates that internal control, to some degree, is the
responsibility of everyone in the organisation, the CEO assumes primary
responsibility for the system of internal controls. The “tone at the top” is set by the
CEO and filters down from there to senior management, line management and
ultimately to all of the individuals in an organisation. Each party involved in the
governance of organisations should understand its specific role and responsibility.
1.17 The services of internal auditors and external auditors have some things in
common, but there are also many key differences. Which one of the following
alternatives is true when comparing internal and external auditing services
with each other?
1 The appointment of an external auditing firm is a legal requirement of the
Municipal Finance Management Act (MFMA), as is the requirement for an
internal audit activity.
2 Being responsible for the monitoring of the combined assurance efforts within
organisations, internal auditors are likely to be the only ones seeking active
cooperation between the internal and external auditors.
3 Both internal and external auditors would be concerned with the effect of
errors and misstatements on the financial statements of an organisation.
4 Since the external auditors technically work for the shareholders of a
company, the scope of their work tends to be broader than the scope of the
internal auditors.
Both the internal and external auditors are concerned with the occurrence and effect
of errors and misstatements that affect the final accounts. The external auditor is
concerned with the impact these may have on the audit report, whereas the internal
auditor would focus on the weaknesses in the internal control system that may have
led to the resultant errors. Alternative 1 is incorrect. Since the Auditor General is
responsible for the statutory audit of municipalities, the appointment of an external
auditing firm is not required by the Municipal Finance Management Act.

Alternative 2 is incorrect. Both parties will seek cooperation. The external auditors,
for instance, would want to place reliance on the internal auditors ‟ assessment of
internal control and their knowledge of the organisation and will seek their
cooperation.

Alternative 4 is incorrect. The scope of the internal auditors is wider than that of the
external auditors. The external auditors focus on the financial systems and reporting,
whereas the internal auditors focus on the whole organisation, including its financial
systems and operational systems.

1.18 The external audit report pointed out that a company’s back-up procedures
are inadequate and that the company faces the risk of being out of business for a
substantial time should one of its servers be damaged. On instruction of the
board of directors, the head of information technology obtained off-site back
up facilities at a reasonable price and workshops were held where staff were
trained to maintain proper backup of their work. In their follow-up report, the
internal auditors should comment that appropriate steps have been taken to ...
1 terminate the risk.
2 treat the risk.
3 tolerate the risk.
4 transfer the risk.
The organisation has acted to treat the risk. Alternatives 1, 3 and 4 are incorrect for
the following reasons: The controls are not flawless, and the risk therefore cannot be
considered as having been “terminated”. The risk has been dealt with. Management
has therefore decided not to tolerate the risk but to act. The company did not take
out insurance but implemented control measures to limit the risk. They therefore did
not “transfer” the risk.
1.19 A review of an organisation’s code of conduct revealed that it contained
comprehensive guidelines designed to inspire high levels of ethical behaviour.
The review also revealed that employees were knowledgeable of its provisions.
However, some employees still did not comply with the code. What element
should a code of conduct contain to enhance its effectiveness?
1 periodic review and acknowledgement by all employees
2 employee involvement in its development
3 public knowledge of its contents and purpose
4 provisions for disciplinary action in the event of violations
Alternative 1 is incorrect. That would ensure employee knowledge of the code; that is
not the issue here. Alternative 2 is incorrect. That would ensure employee
acceptance of the code; that is not the issue here.

Alternative 3 is incorrect. Public knowledge might influence the behaviour of

professionals but is not likely to help in the case of general employees.

Alternative 4 is correct. Compliance is more likely if employees know they will be

taken to task for violations.

1.20 An internal audit director initiated an audit of the corporate code of ethics
and the environment for ethical decision-making. Which of the following
would most likely be considered inappropriate regarding the scope and/or
recommendations of the audit?
1 a review of the corporate code of ethics and a comparison to other corporate
codes
2 a survey of corporate employees, asking general questions regarding the
ethical quality of corporate decision-making
3 administration of an anonymous “ethics test” to determine if employees know
of unethical behaviour or have acted unethically themselves
4 a survey of the board of directors to determine members’ level of support for a
corporate code of ethics
Alternative 1 is incorrect. This would be included in the normal scope of this type of
audit.

Alternative 2 is incorrect. Surveys of employees are not prohibited by the Standard

2100.

Alternative 3 is incorrect. An ethics test is not prohibited by the Standard 2100.

Alternative 4 is correct. Not much benefit is gained by surveying the board of

directors since members’ views will be biased for this audit.
1.21 The Committee of Sponsoring Organisations (COSO) defines the
objectives that all businesses strive for as ...
1 economy and efficiency of operations, reliable financial and operational data
and compliance with laws and regulations.
2 economy and efficiency of operations, safeguarding of assets and compliance
with laws and regulations.
3 safeguarding of assets, reliable financial and operational data and compliance
with laws and regulations.
4 economy and efficiency of operations, reliable financial and operational data
and safeguarding of assets.

COSO defines internal control as follows:

“Internal control is a process, effected by an entity’s board of directors, management
and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations”

Alternative 1 is correct as it corresponds with the COSO definition. The COSO

definition does not include safeguarding of assets as a category within which
objectives should be achieved. All the other alternatives include safeguarding of
assets and are therefore incorrect.

1.22 Within the Criteria on Control (CoCo), commitment is defined as criteria

which…
1 promotes an understanding of an organisation’s direction.
2 addresses an organisation’s competence.
3 promotes a belief in the organisation’s identity and values.
4 facilitates the organisation’s evolution.
CoCo (criteria of control) was developed by the Canadian Institute of Chartered
Accountants (CICA) and is now an international standard. The CoCo principles,
when organised according to the four groupings of the CICA criteria of control,
indicate that commitment has to do with a belief in the organisation’s identity and
values. Alternative 3 is therefore the correct answer. Alternative 1 relates to purpose,
alternative 2 relates to capability and alternative 4 relates to monitoring and learning.

1.23 Auditors regularly evaluate controls and control procedures. Which one of the
following best describes the concept of control, as recognised by internal
auditors?
1 Control represents specific procedures that accountants and auditors design
to ensure the correctness of processing.
2 Management takes action to enhance the likelihood that established goals
and objectives will be achieved.
3 Control procedures should be designed from the bottom up to ensure
attention to detail.
4 Management regularly discharges personnel who do not perform according to
expectations.
Alternative 2 is correct as this is the definition of control contained in the International
Standards for the Professional Practice of Internal Auditing. Alternative 1 is incorrect.
Control as a concept is broader than processing controls and is designed by
management, not by auditors. Alternative 3 is also incorrect because some control
procedures may be designed from the bottom up, but the concept of control flows
from management down through the organisation. Alternative 4 is incorrect because
it indicates the management style practised, but it is not a comprehensive definition
or example of the concept of control.

1.24 Corporate directors, management, external auditors and internal auditors all
play important roles in creating a proper control environment. Top management
is primarily responsible for ...
1 implementing and monitoring controls designed by the board of directors.
2 ensuring that external and internal auditors adequately monitor the controls.
3 establishing a proper environment and specifying an overall internal control
structure.
4 reviewing the reliability and integrity of financial information and the means
used to collect and report such information.
Alternative 3 is correct because it provides the best definition of top management’s
responsibility. Alternatives 1, 2 and 4 are incorrect. The board may establish criteria
for controls, but usually does not design controls as such (alternative 1).
Management cannot pass its responsibilities for control to the internal auditors
(alternative 2). Alternative 4 represents a function that is assigned to internal
auditing.

1.25 According to the International Standards for the Professional Practice of

Internal Auditing, the purpose of an internal auditor’s review of the
effectiveness of the system of internal control is to ascertain that ...
1 financial and operating data are reliable.
2 the cost of control is not exceeding the benefit of having it.
3 the organisation’s goals and objectives have been achieved.
4 the system is functioning as intended.
According to the International Standards for the Professional Practice of Internal
Auditing, Standard 2130, the effectiveness of the system of internal control is to
ascertain whether the system is functioning as intended. Alternatives 1, 2 and 3 are
incorrect because they address the adequacy, cost-efficiency and quality of
performance of the system of internal control, respectively, and not its effectiveness.

1.26 Which one of the following controls is least likely to limit the theft or
diversion of materials and/or equipment from a building site?
1 The owner assigns a project manager onsite to monitor the job.
2 Internal auditors perform periodic reviews to determine contract compliance
and to search for irregularities.
3 The company displays its fraud hotline number on all building sites.
4 The finance section requests signed delivery notes prior to processing
payments to building material suppliers.
Requesting signed delivery notes before payment will only ensure that the building
materials have been delivered at the building site. It will not serve any purpose in
limiting the theft that takes place after the delivery. Alternative 4 is therefore the
correct answer. The other alternatives may all in some way limit theft on the building
site.
1.27 Unlike normal internal audit procedures, a fraud investigation is geared to
detection. Which one of the following tasks will not be performed by an internal
auditor during a fraud investigation?
1 Looking for evidence supporting an identified irregularity.
2 Reassuring management.
3 Determining the particulars of the irregularity.
4 Acting as a gatherer of information.
The aim of a fraud investigation is not to provide assurance to management, but to
search for and/or investigate identified irregularities. During such an investigation,
internal auditors will look for evidence supporting identified irregularities, determine
the of an irregularity and gather information.

1.28 Which one of the following warning signals will indicate that external fraud
may have occurred?
1 Goods or services are invoiced to the organisation at higher prices than those
quoted.
2 Missing records or vouchers, which could indicate attempts to hide irregular
transactions.
3 Shortfalls in cash flow that may be the result of the transfer of funds.
4 Client enquiries regarding errors on accounts and statements of account.
Internal fraud is committed by people working for (employed by) an organisation,
whereas external fraud is committed against the organisation by outside parties.
Alternative 1 represents fraud committed by the organisation’s suppliers, i.e. external
to the organisation. The other alternatives all represent fraud that is committed within
the organisation.

1.29 Jack Black, the head of procurement, bought his wife a BMW for Christmas
and he bought himself a Jaguar after returning from their cruise in the
Mediterranean. His lifestyle has changed significantly over the last few months.
An extravagant lifestyle and conspicuous consumption may be…
1 of no concern to the auditor.
2 proof that fraud is occurring.
3 evidence of a worker who works hard and who is enjoying the benefits of this
hard work.
4 a red flag that fraud could be occurring.
Extravagant lifestyles should be a red flag to the auditor, indicating the possibility of
fraud. They do not prove that fraud has taken place (alternative 2) but should be of
concern to the auditor (alternative 1) and the auditor should not negate the possibility
of rationalising that the employee has earned it (alternative 3).

The following scenario pertains to questions 1.30 and 1.31:

You are reviewing a working paper, prepared by one of your colleagues, listing key
aspects of your organisation’s control environment. The following are some of the
aspects listed:
 (i) The executive management team has continuity and good working relations
and credibility among employees.
(ii) Management supervision in the format of a walk around is encouraged
through-out the organisation.
(iii) Efforts are made to ensure buy-in and counter any inertia for the risk
management process across the organisation.
(iv) Both the internal and external auditors have good communication with all
levels of management and a clear platform to discuss issues of concern.
(v) Complaints from customers and other parties are carefully considered.
(vi) Staff attitude surveys are used to promote good morale among staff and
action is taken to improve known problems.

1.30 If the key aspects listed above were to be categorised according to the
components of the control framework as described in the COSO model;
indicate the two aspects that fall under the component of “Monitoring”.
The COSO model identifies the following components of the control framework:
control environment, risk assessment, control activities, monitoring and information
and communication. Spencer Pickett, section 4.2 explains each of these components
and gives examples of actions taken in each. Aspects ii and v form part of
monitoring. Aspect ii relates to the control environment, aspect iii to risk
management, aspect iv to information and communication and aspect vi to the
control environment.

1.31 Which one of the components of the control framework as described in the
COSO model is not addressed by any of the key aspects extracted from the
working paper, as per the scenario above?
1 1 Information and communication.
2 Control activities.
3 Risk assessment.
4 Control environment.
Considering the discussion in question 1.30, the aspect not addressed in the
scenario is control activities

1.32 Detailed findings should contain…

1 1 all of the information uncovered in the audit.
2 graphics, charts and financial tabulations of the audit results.
3 only the findings which management accepted.
4 enough information for the reader of the audit report to understand the
findings.
Standard 2420 clearly sets out the quality and criteria of communications. This will
also influence the nature of detailed findings compiled by the internal auditor.
1.33 An internal auditor is examining inventory control in a merchandising division
with annual sales of R3 000 000 and a 40% gross profit rate. Tests show that 2%
of the monetary amount of purchases do not reach inventory because of
breakage and employee theft. Adding certain controls costing R35 000 annually
could reduce these losses to 0.5% of purchases. Should the controls be
recommended?
1 Yes, because the projected saving exceeds the cost of the added control.
2 No, because the cost of the added controls exceeds the projected savings.
3 Yes, because the ideal system of internal control is the most extensive one.
4 Yes, regardless of the cost-benefit considerations, because the situation
involves employee theft.

Controls must be subject to cost-benefit criterion. The annual cost of these inventory
controls is R35 000, but the cost savings is only R27 000 [(2,0% -0,5%) x {R3 000
000 sales x (1.0 – 0.4 gross profit rate)}]. Hence, the cost exceeds the benefit and
the controls should not be recommended.

Alternative 1 is incorrect. Cost exceeds the benefit. Alternative 3 is incorrect. The

ideal system is subject to the cost-benefit criterion. The most extensive system of
internal controls may not be cost effective. Alternative 4 is incorrect. Cost-benefit
considerations apply even to employee theft.

1.34 The Chief Audit Executive (CAE) of an organisation has just completed a risk
assessment process, identified the areas with the highest risks, and assigned an
audit priority to each. Which of the following conclusions logically follow(s)
from such a risk assessment and is/are consistent with the IIA Standards?

I Items should be quantified as to risk in the rank order of quantifiable rand

exposure to the organisation.
II The risk priorities should be in order of major control deficiencies.
III The risk process, though quantified, is the result of professional judgment
about both
IV exposures and probability of occurrences.
The risk process is a result of professional judgment. Any of the other alternatives
containing either conclusions I or II are incorrect. Conclusion I is incorrect because
risk represents the probability that an event or action may adversely affect the
organisation. Although it may be convenient to quantify those risks into rand values
for ranking purposes, they are not required to be quantified. Conclusion II is incorrect
because the risk priorities do not necessarily mean that there are major control
deficiencies in the area. The auditor may use the exposures as a basis to evaluate
the controls, but the controls may be in place.

1.35 Which one of the following risk responses reflects a change from
acceptance to sharing?
1 An insurance policy on a manufacturing plant was not renewed.
2 Management purchased insurance on previously uninsured property.
3 Management sold a manufacturing plant.
4 After employees stole numerous inventory items, management implemented
mandatory background checks on all employees.
The categories of risk responses under the COSO ERM Model are avoidance,
retention (Acceptance), reduction, sharing and exploitation. If management does not
insure a building, the response is acceptance. Ordinary acceptance is based on a
judgement that the cost of another response is excessive. However, once
management purchases insurance, the risk is shared with an outside party.

Alternative 1 is incorrect. Not renewing insurance represents a change from risk

sharing to risk acceptance.

Alternative 3 is incorrect. Selling property avoids all the risks of ownership

Alternative 4 is incorrect. Management originally accepted the risk of employee theft

by not implementing pre-hire investigation. Conducting background checks on all
employees reduces the risk of theft.

1.36 Experience has shown that certain conditions in an organisation are

symptoms of possible management fraud. Which one of the following conditions
would not be considered an indicator of possible fraud?
1 1 Managers regularly assuming subordinates’ duties.
2 Managers dealing in matters outside their profit centre’s scope.
3 Managers not complying with corporate directives and procedures.
4 Managers subject to formal performance reviews on a regular basis.

1.37 Which one of the following describes the most effective preventive control to
ensure proper handling of cash receipts?
1 1 Have bank reconciliations prepared by an employee not involved with cash
collections and then have it reviewed by a supervisor.
2 One employee issues a pre-numbered receipt for all cash collections; another
employee reconciles the daily total of pre-numbered receipts to the bank
deposits.
3 Use predetermined totals (hash totals) of cash receipts to control posting
routines.
4 The employees who receives customer mail receipts prepares the daily bank
deposit, which is then deposited by another employee.
Alternative 4 is correct. This would be an internal control strength. Alternatives 1, 2,
and 3 are incorrect as each of the alternatives is a symptom of possible fraud.

1.38 Which one of the following activities performed by a payroll clerk is a control
weakness rather than a control strength?
1 The payroll clerk has custody of the cheque signature stamp machine.
2 The payroll clerk prepares the payroll register.
3 The payroll clerk forwards the payroll register to the chief accountant for
approval.
4 The payroll clerk draws the payroll cheque on a separate payroll cheque
account.
Payroll cheques should be signed by someone who is not involved in timekeeping,
recordkeeping or payroll preparation.
1.39 Which one of the following describes a control weakness?
1 Purchasing procedures are well designed and are followed unless otherwise
directed by the purchasing supervisor.
2 Pre-numbered blank purchase orders are secured within the purchasing
department.
3 Normal operational purchases fall in the range from R1000 to R2000 requiring
one signature with two signatures required for purchases over R2000.
4 The purchasing agents invests in a publicly traded unit trust that includes the
shares of one of the company’s suppliers in its portfolio.
A well-designed control system that is set aside at management’s discretion, can be
equivalent to no controls in terms of risk.

1.40 Which one of the following would assist in ensuring that unnecessary
purchases of inventory are not made?
1 Competitive bidding
2 Approved price lists
3 Predetermined inventory levels and re-order quantities
4 Negotiated vendor contracts
Inventory is ordered only when supplies reach the predetermined inventory level.
This helps prevent ordering unnecessary inventory.
1.41 What do you call the process used by representatives of the stakeholders in
an organisation to provide oversight of all business processes administered by
the organisation’s management?
1. Governance

1.42 The IAA should contribute to the organisation’s governance process by

evaluating the processes through which:
I Ethics and values are promoted
II Effective organisational performance management and accountability are
ensured.
III Risk and control information is communicated
IV Activities of the external and internal auditors and management are
coordinated

1.43 In South Africa good corporate depends on..

1. The board and management’s understanding of the organisation’s pursuance
of objectives that are in the interests of the company and its stakeholders.

1.44 In relation to the inclusive approach to corporate governance, which of the

following would be regarded as stakeholders of a company?
I Suppliers of goods to the company
II The commissioner of the SARS
III The hourly paid employees

1.45 Which of the following is not a role of the IAA in best practices governance
activities?
1 Ensure the timely implementation of audit recommendations

1.46 Which of the following is not an appropriate member of the audit committee?
1 The organisation’s vice president of operations
1.47 Which one of the following statements regarding corporate governance is
incorrect?
1 The dilution of shareholders’ wealth resulting from employee share options or
employee performance bonuses is an accounting issue rather than a
corporate governance issue.

1.48 A university’s executive board invites representatives of the student

community, administrative staff and academic staff to participate in a discussion
on proposed increases in student fees. Which one of the following four ethical
values underpinning good corporate governance, as described in King IV, is best
supported by this initiative?
1 Fairness

1.49 The first step in understanding the reality of corporate governance in any
company is to
1 Understanding the ownership structure of the organisation

1.50 The major issue embedded in fraud structure of modern corporations that has
contributed to the corporate governance problem has been
1 The separation of ownership from control

1.51 Which one of the following statements is incorrect?

1 SOX states that all business records, including electronic records and
messages must be saved for not less than ten (10) years

1.52 During an engagement to evaluate the organisation’s accounts payable

function, an internal auditor plans to confirm balances with suppliers. Which one
of the following alternatives is the source of authority for such contacts with
organisations outside the organisation?
1 The internal audit activity’s charter

1.53 Indicate the alternative that best describes how objectivity for internal auditors
is achieved.
1 Through an independent mental attitude while performing the audit.

1.54 An internal auditor has some suspicion, but no evidence, of potential

misstatement of financial statements. The internal auditor has failed to exercise
due professional care if (s)he…
1 did not test for possible misstatement because the engagement work
programme had already been approved by the audit manager.

1.55 A chief audit executive (CAE) has reviewed credentials, checked references,
and interviewed a candidate for a position in the internal audit activity. The CAE
concludes that the candidate has a thorough understanding of internal audit
techniques, accounting and finance. However, the candidate has limited
knowledge of economics and information technology. Which action is most
appropriate?
1 Offer the candidate a position if other staff members possess sufficient
knowledge in economics and information technology.
1.56 A certified internal auditor (CIA) is working in a non-internal audit position as
the director of the Purchasing Department. As part of his duties, the CIA signs a
contract to procure a large order from the supplier with the best price, quality and
performance. Shortly after signing the contract, the supplier presents the CIA with
a gift of significant monetary value. Which one of the following statements
regarding the acceptance of the gift is correct?
1 Acceptance of the gift would violate the Code of Ethics and would be
prohibited for a CIA

1.57 The best reason for establishing a code of conduct within an organisation is
that such codes….
1 Express standards of individual behaviour for members of the organisation

1.58 Which of the following values is not one of the values needed by a company
to be a “responsible corporate citizen” according to the King IV report
1 Openness

1.59 In terms of the Sarbanes-Oxley Act (SOX), management’s report on internal

control over financial reporting is required to include
1 a statement of the responsibility of management for establishing and
maintaining an adequate internal control structure and procedures for financial
reporting

1.60 Which one of the following would you not regard to be a direct role played by
professional societies in the development of internal auditing
1 Development of an efficient system of internal control

1.61 The best reason for establishing a code of conduct within an organisation is
that such codes
1 express standards of individual behaviour for members of the organisation

1.62 Which statement represents the most important benefit internal audit has to
the organisation’s management
1 Assurance that there is reasonable control over the day-to-day operations of
the organisation

1.63 A new internal audit staff member was requested to perform an internal audit
in an area with which she was not familiar. In addition, owing to time constraints
there was no supervision of this audit. She was given the assignment because it
represented a good learning experience, but the audit area was clearly beyond
her competence. Nevertheless, she prepared comprehensive working papers and
reported the results to management. Which of the following statements is
correct?
1 The internal audit function violated the IIA Standards by not providing
adequate supervision.
1.64 A medium-sized publicly owned organisation operating in country Z has grown
to a size which the directors of the organisation believe warrants the
establishment of an internal auditing function. Country Z has legislated internal
auditing requirements for government-owned organisations. The organisation has
therefore changed its articles of association to reflect the establishment of the
internal audit function. The directors have decided that the chief audit executive
(CAE) must be a certified internal auditor (CIA) and will report directly to the
newly established audit committee of the board of directors
1 The CAE will report to the audit committee of the board of directors

1.65 An internal audit director initiated an audit of the corporate code of ethics and
the environment for ethical decision making. Which of the following would most
likely be considered inappropriate regarding the scope and/or recommendations
of the audit?
1 A survey of the board of directors to determine members’ level of support for a
corporate code of ethics.

1.66 The internal audit activity should contribute to the organisation’s governance
process by evaluating the processes through which:
I Ethics and values are promoted
II Effective organisational performance management and accountability are
ensured.
III Risk and control information is communicated

1.67 Ensuring effective corporate governance practices is the responsibility of ...

1 The board of directors, shareholders, managers and employees

1.68 According to King IV, which one of the following activities would not normally
be a responsibility of the audit committee
1 The induction of, and ongoing training and development of directors.

1.69 Which one of the following persons may be appointed as a director

1 A body corporate (juristic person)
2 A rehabilitated insolvent
3 A person who has been convicted of fraud in England and imprisoned for two
years without the option of a fine, but who completed his sentence a year ago

1.70 According to the International Professional Practices Framework (IPPF),

which of the following is part of the minimum requirements for an internal audit
engagement’s final communication?
1 Purpose of the engagement
2 Results of the engagement
3 Summaries
1.71 A Certified Internal Auditor (CIA) is working in a non-internal auditing position
as the director of purchasing. The CIA signed a contract to procure a large order
from the supplier with the best price, quality, and performance. Shortly after
signing the contract, the supplier presented the CIA with a very expensive set of
golf clubs. Which one of the following statements with regard to the acceptance
of the golf clubs is correct
1 Acceptance of the golf clubs would violate the Institute of Internal Auditor’s
Code of Ethics.

1.72 An internal audit activity has scheduled an engagement relating to a

construction contract. One portion of this engagement will include comparing
materials purchased with those specified in the engineering drawings. The
internal audit activity does not have anyone on staff with sufficient expertise to
complete this procedure. The chief audit executive should
1 engage an engineering consultant to perform the comparison

1.73 Complete the following sentence by selecting the alternative which would
result in an internal auditor’s objectivity being impaired. The internal auditor…
1 Designed and implemented procedures for disposal of reclaimed paper waste

1.74 An internal audit director initiated an audit of the corporate code of ethics and
the environment for ethical decision making. Which of the following would most
likely be considered inappropriate regarding the scope and/or recommendations
of the audit
1 A survey of the board of directors to determine members’ level of support for a
corporate code of ethics.

1.75 Which one of the following is not a principle of leadership, ethics and
corporate citizenship
1 The board should lead ethically and effectively
2 The board should ensure that the company is and is seen to be, a responsible
corporate citizen
3 The board should ensure that the company is managed efficiently and
effectively to maximise shareholder’s wealth.
4 The board should govern the ethics of the company in a way that supports the
establishment of an ethical climate

1.76 According to the International Standards for the Professional Practice of

Internal Auditing (Standards), the organisational status of the internal audit
activity
1 is best when the reporting relationship is direct to the audit committee.
1.77 In applying the Rules of Conduct set forth in the IIA Code of Ethics, the
following is expected of internal auditors
1 Not to be duly influenced by their own interest in forming judgments

1.78 An element of authority that should be included in the charter of an internal

audit activity is ...
1 access to records, personnel, and physical properties relevant to the
performance of the internal audit activity’s engagements
1.79 Indicate which one of the following alternatives forms part of the role and
activities of the internal auditor with regard to the area of internal auditing
1 Operating independently from the normal policy making function

1.80 The best reason for establishing a code of conduct within an organisation is
that such codes
1 Express standards of individual behaviour for members of the organisation

1.81 According to King IV, the responsibilities of the board, with respect to risk
governance, should involve all accept which one of the following activities
1 The board should secure its risk management policy to prevent outsiders from
obtaining classified information.
2 The board should express its responsibility for risk in the board charter.
3 The board should demonstrate that it has dealt with the governance of risk
comprehensively.
4 The board should exercise leadership to prevent risk management from
becoming a series of activities that are detached from the realities of the
company’s business

1.82 The King IV report refers to integrated reporting. The concept of integrated
reporting refers to the company reporting upon
1 financial performance as well as the sustainability of the company.

1.83 Which one of the following statements in respect of the Public Finance
Management Act 1 of 1999 (PFMA) is incorrect
1 The term “Financial misconduct” is not defined in the PFMA or the Treasury
Regulations
2 The accounting officer must take effective and appropriate disciplinary steps
against any official who commits an act which undermines the financial
management and internal control system of the public entity
3 The Municipal Finance Management Act (MFMA) regulates the direction and
control of local government.
4 The term “fruitless and wasteful expenditure” is defined in the PFMA as
expenditure, other than unauthorised expenditure, incurred in contravention of
or that is not in accordance with a requirement of any applicable legislation

1.84 Internal auditors should be prudent in their relationships with persons and
organisations external to their employees. Which of the following activities will
most likely not adversely affect internal auditors’ ethical behaviour
1 Accepting compensation from professional organisations for consulting work.

1.85 Which one of the following is not a component of the International

Professional Practices Framework (IPPF)?
1 The definition of internal auditing
2 The code of ethics
3 Internal audit methodology
4 The International Standards of the Professional Practice of Internal Auditing
1.86 Which principles does the Code of Ethics require internal auditors to apply
and uphold
1 Integrity, objectivity, confidentiality and competence.

1.87 The internal audit activity had to perform an audit to determine whether the
organisation was in compliance with a particular set of laws and regulations. The
audit did not reveal any issues of non-compliance but did reveal that the
organisation did not have an established system to ensure compliance with the
applicable laws and regulations. The internal auditor’s responsibility is to:
I. Report that no significant compliance issues were noted.
II. Report that the organisation has a significant control deficiency because
management has not established a system to ensure compliance.
III. Meet with management to determine what follow-up action would be
taken.
IV. Monitor to determine that follow-up action has been taken

1.88 During an engagement to review payments in terms of a construction contract

with a local firm, the internal auditor found a recurring monthly reimbursement to
an engineer for rent at a local security complex. Each reimbursement was
authorised by the same project engineer. The internal auditor found no provision
for payment of temporary living expenses in the construction contract. Discussion
with the project manager could not resolve the matter. The internal auditor should
1 inform the CAE and obtain his advice with regard to further action required.

1.89 Recommendations in audit reports may, or may not, actually be implemented.

Which one of the following best describes the role of internal auditing in following
up on audit recommendations?
1 Internal audit should follow-up to ensure that appropriate action is taken on
the areas for which recommendations were issued

1.90 An internal auditor has just completed an engagement and is in the process of
preparing the final engagement communication. The observations in the final
engagement communication should include
1 pertinent factual statements concerning the control weaknesses uncovered
during the course of the engagement.

1.91 Which of the following factors is least likely to be considered in determining

the audit work schedule?
1 Engagement work programs.
1.92 The Standards for the Professional Practice of Internal Auditing require written
policies and procedures to guide the audit staff. Which of the following
statements is false with respect to this requirement
1 The form and content of written policies and procedures, should be
appropriate to the size of the department.
2 All internal audit departments should have a detailed policies and procedures
manual.
3 Formal administrative and technical audit manuals may not be needed by all
internal auditing departments.
4 A small internal auditing department may be managed informally through
close supervision and written memos

1.93 Which one of the following is the best source for an internal audit team to use
in identifying common external risks faced by a company
1 Questionnaires
2 Review lists or reminder lists
3 Flowcharts
4 Research reported in professional journals and textbooks.

1.94 The most persuasive evidence to test the existence of newly acquired delivery
trucks would be
1 Physical examination

1.95 A flowchart of process activities and controls may provide

1 information on where fraud could occur.

1.96 In an internal audit report, which attribute should the recommendation address
1 Cause

1.97 An internal auditor has just completed an engagement and is in the process of
preparing the final engagement communication. The observations in the final
engagement communication should include
1 pertinent factual statements concerning the control weaknesses uncovered
during the course of the engagement

1.98 A disgruntled former employee calls the CAE to report misappropriation of

funds by the supervisor of cash operations. Engagement tests subsequently
verify the allegations. Which action should the CAE proceed with based upon the
above information?
1 Inform the treasurer and CFO of the suspected fraud.
1.99 Development of engagement observations, conclusions, and
recommendations involve comparing the condition with the relevant standard or
criterion. Which of the following choices best represents an appropriate standard
or criterion to support engagement observations, conclusions, and
recommendations?
1 A quality standard operating procedure (number and date) for the department.
2 An internal accounting control principle cited and copied from a public
accounting reference.
3 A sound industry practice, based on the internal auditor’s knowledge and
experience obtained during many engagement assignments within the
organization.
4 All of the answers above represent an appropriate standard or criterion to
support engagement observations, conclusions, and recommendations.

1.100 A chief audit executive’s activity report should

1 compare engagements completed with engagements planned

1.101 In which of the following circumstances would it be appropriate for the internal
audit activity to use consultants with expertise in medical benefits?
i. Conducting an audit of the organisation’s estimate of its liability for the
post-retirement benefits which include medical care benefits.
ii. Comparing the cost of the organisation’s medical care programme with
other programmes offered by the industry.
iii. Performing an internal quality assurance review of the internal audit
activity.

1.102 If an engagement client’s operating standards are vague and thus subject to
interpretation, the internal auditor must
1 seek agreement with management as to the criteria to be used to measure
operating performance

1.103 In audit planning, internal auditors should review all relevant information.
Which of the following sources of information would most likely help identify
suspected violations of environmental regulations
1 Review of correspondence between the organisation and governmental
agencies.

1.104 A flowchart of process activities and controls may provide

1 information on where fraud could occur

1.105 An exception report for management is an example of which of the following

1 Detective control

1.106 One purpose of the exit meeting with the auditee is for the internal auditor to
1 review and verify the appropriateness of the engagement communication
based upon the auditee's input
1.107 An internal audit activity’s evaluation of sales and contracts revealed that a
bribe had been paid to secure a major contract. There was a strong possibility
that a senior executive manager had authorised the bribe. Which of the following
best describes the proper distribution of the completed final engagement
communication
1 The report must be distributed to the board and the CAE should decide
whether further distribution is appropriate.

1.108 Recent criticism of an internal auditing activity suggested that audit coverage
was not providing adequate feedback to senior management on the processes
used in the organisation’s key lines of business. The problem was further defined
as lack of feedback on the recent implementation of automated support systems.
Which two functions does the CAE need to improve?
1 Planning and communication

1.109 Understanding the business process involves

1 Identifying and examining the key activities

1.110 To verify the proper value of costs charged to real property records for
improvements to the property, the best source of information is
1 Original invoices supporting entries into the accounting records

1.111 An internal auditor is evaluating the marketing function. The organisation has
engaged a medium-sized local advertising agency to place advertisements in
magazine publications. As part of the review of the engagement working papers,
the internal audit supervisor is evaluating the evidence collected. To assess the
legality of the advertisements and its compliance with fair trade regulations, the
internal auditor reviewed the wording of the advertisements and interviewed the
organisation’s advertising manager, the product marketing director (who may not
have been objective), and five of the organisation’s largest customers (who may
not have been knowledgeable). The supervisor can justifiably conclude that the
evidence obtained by the internal auditor is
1 Insufficient

1.112 An internal control questionnaire consists of a series of questions relating to

controls normally required to prevent or detect errors and fraud that may occur for
each type of transaction. Which of the following is not an advantage of such a
questionnaire?
1 An internal control questionnaire is flexible in design and application

1.113 During an engagement to review payments in terms of a construction contract

with a local firm, the internal auditor found a recurring monthly reimbursement to
an engineer for rent at a local security complex. Each reimbursement was
authorised by the same project engineer. The internal auditor found no provision
for payment of temporary living expenses in the construction contract. Discussion
with the project manager could not resolve the matter. The internal auditor should
1 Inform the CAE and obtain his advice with regard to further action required

1.114 The internal audit activity had to perform an audit to determine whether the
organisation was in compliance with a particular set of laws and regulations. The
 audit did not reveal any issues of non-compliance but did reveal that the
organisation did not have an established system to ensure compliance with the
applicable laws and regulations. The internal auditor’s responsibility is to
I Report that no significant compliance issues were noted.
II Report that the organisation has a significant control deficiency because
management has not established a system to ensure compliance.
III Meet with management to determine what follow-up action would be taken.
IV Monitor to determine that follow-up action has been taken

1.115 During an internal audit of the manufacturing division of a defence contractor,

the internal auditor comes across a scheme that looks like the company is
inappropriately adding costs to a cost-plus governmental contract. The internal
auditor discusses the matter with senior management, who suggest that the
internal auditor seek an opinion from legal counsel. Legal counsel indicates that
the practice is questionable, but they offer the opinion that the practice is not
technically in violation of the government contract. Based on the legal counsel’s
decision, the internal auditor decides to omit any discussion of the practice in the
formal internal audit report that goes to management and the audit committee,
but does communicate legal counsel’s decision to management informally.
Indicate which one of the following statements is correct
1 The internal auditor did violate the Code of Ethics. It is a violation because all
important information, even if resolved, should be reported to the audit
committee

1.116 The Standards for the Professional Practice of Internal Auditing require written
policies and procedures to guide the audit staff. Which of the following
statements is false with respect to this requirement?
1 The form and content of written policies and procedures, should be
appropriate to the size of the department.
2 All internal audit departments should have a detailed policies and procedures
manual.
3 Formal administrative and technical audit manuals may not be needed by all
internal auditing departments.
4 A small internal auditing department may be managed informally through
close supervision and written memos

1.117 Which method of evaluating internal controls during the preliminary review
provides the auditor with the best visual grasp of a system and a means for
analyzing complex operations?
1 A flowcharting approach

1.118 In evaluating the validity of different types of audit evidence which one of the
following conclusions is incorrect
1 Recomputation, although highly valid, is limited in usefulness due to its limited
scope.
2 The validity of documentary evidence is independent of the effectiveness of
the control system in which it was created.
3 Internally created documentary evidence is considered less valid than
externally created documentary evidence.
 4 The validity of confirmations varies directly with the independence of the party
receiving the confirmation

1.119 Confirmations are a highly regarded form of audit evidence. Confirmation

would be most effective in addressing the existence assertion for the
1 inventory held on consignment

1.120 Recommendations in audit reports may, or may not, actually be implemented.

Which one of the following best describes the role of internal auditing in following
up on audit recommendations
1 Internal audit should follow-up to ensure that appropriate action is taken on
the areas for which recommendations were issued.

1.121 he chief audit executive(CAE) routinely reports to the board as part of the
board meeting agenda each quarter. Senior management has asked to review
this presentation before each board meeting so that any issues or questions can
be discussed beforehand. The CAE needs to
1 Provide information to senior management that pertains only to completed
engagements and observations available in published engagement
communications

1.122 Internal auditors need to determine if management has established criteria for
ascertaining whether goals and objectives have been accomplished. If the
internal auditor determines that such criteria are inadequate or non-existent,
which one of the following actions would be appropriate?
I Report the inadequacies to the appropriate level of management and
recommend appropriate courses of action.
II Recommend alternative sources of criteria to management, such as
acceptable industry standards

1.123 A final internal audit report is most useful to executive management when it
1 provides an overall, appropriately supported opinion about the operations
reviewed

1.124 During which stage of an internal audit engagement will the internal auditor
determine whether the procedures and practices followed by the organisation are
in line with basic authority, guidelines and legislation that are applicable
1 Fieldwork

1.125 Engagement observations and recommendations emerge through a process

of comparing “what should be” with “what is”. In determining “what should be”
during an engagement to review an organisation’s treasury function, which of the
following is the least desirable criterion against which to judge current operations
1 The operations of the treasury function as documented during the last
engagement

1.126 In testing the write-off of a deteriorated piece of equipment, the best evidence
of the condition of the equipment would be
1 A physical inspection of the actual piece of equipment
1.127 The internal auditor is considering performing a risk analysis as a basis for
determining the areas of the organisation where engagements should be
performed. Which one of the following statements is true regarding risk analysis
1 The extent to which management judgments are required in an area could
impact the risk assessment of the internal auditor. Risk Based auditing.

1.128 The internal auditor is considering performing a risk analysis as a basis for
determining the areas of the organisation where engagements should be
performed. Which one of the following statements is true regarding risk analysis
1 The extent to which management judgments are required in an area could
impact the risk assessment of the internal auditor.

1.129 The scope of enterprise risk management (ERM) encompasses which of the
following?
(i) creating opportunities.
(ii) analysing strengths.
(iii) focusing on weaknesses

1.130 Based on the results shown below for 100 simulations of the introduction of a
new product, the company should?
Net profit before tax (R5 000) R0 R5 000 R10 000 R15 000
Frequency 0.30 0.30 0.20 0.15 0.05
1. Expect to make a profit if the product is introduced.

1.131 Insurance companies are beginning to receive hospitalisation claims directly

from hospitals via computer media, implying that no paper is transmitted from the
hospital to the insurance company. Which of the following controls would be most
effective in detecting fraud in such an environment?
1 Develop monitoring programs to identify unusual types of claims or an
unusual number of claims by demographic classes for investigation by the
claims department

1.132 Which one of the following policies is most likely to result in an environment
conducive to the occurrence of fraud
1 Unreasonable sales and production goals

1.133 When assessing the risk associated with an activity, an internal auditor should
1 provide assurance on the management of the risk, Risk based auditing

1.134 An internal auditor found that employee time records are not properly
approved by the supervisor. Which one of the following could result?
1 Employees might be paid for hours they did not work

1.135 Three types of risks that are considered in a risk-based audit approach are.
1 Inherent risk, control risk and detection risk.
1.136 To formulate an opinion on the overall adequacy of the risk management
process, internal auditors must satisfy themselves that the organisation’s risk
management process addresses five key objectives
1 The Internal Audit Charter incorporates high risk areas and is approved by
management

1.137 An internal auditor has uncovered illegal acts committed by a member of

senior management. Such information
1 may be disclosed in a separate communication and distributed to the board.

1.138 In an organisation with a separate division that is primarily responsible for the
prevention of fraud, the internal audit activity is responsible for which one of the
following alternatives?
1 Examining and evaluating the adequacy and effectiveness of that division’s
actions taken to prevent fraud

1.139 Below is a section from PQM Limited’s risk register:

Risk/ Opportunity Possible profit/loss Probability
I R (8 000) 0.3
II R (6 000) 0.55
III R1 000 0.15
In relation to the internal audit plan, where would the internal audit activity focus
most of its limited resources?
1 Risk 2

1.140 Two organisations have recently merged. The audit committee has asked the
internal auditors from both organisations to assess risks that should be
addressed after the merger. One manager has suggested that the engagement
teams jointly examine the organisational culture and the “tone at the top” to
identify control risks associated with the proposed merger. Which one of the
following statement is true
1 The organisational culture is not a part of the control environment and
therefore should not be considered for a proposed engagement.
2 Although the organisational culture could be considered part of the control
environment, the assessment of such an environment would be highly
subjective and therefore not useful.
3 Differences in the organisational culture should be systemically identified
because the difference may present major risks to the success of the merger.
However, identifying difference is not an appropriate activity because it is
political and subjective.
4 None of the answers are correct.

1.141 The purpose of the internal audit activity’s evaluation of the effectiveness of
existing risk management processes is to determine that
1 Management directs processes so as to provide reasonable assurance of
achieving objectives. Risk based auditing.
1.142 Two major retail companies, both publicly trading and operating in the same
geographic area, have recently merged. Both companies are approximately the
same size and have in-house internal audit departments. Company B has
invested heavily in information technology and has electronic data interchange
with its major vendors.

The audit committee has asked the internal auditors from both companies to
analyse the risk areas that should be addressed after the merger. The chief audit
executive (CAE) of company B has suggested that the two departments have a
planning meeting to share audit programmes, the scope of audit coverage and
copies of the audit reports that were delivered to their audit committees.
Management has also suggested that the internal auditors review the
compatibility of the companies’ two computer systems and control philosophy for
individual store operations.

Which one of the following would be the least important risk factor when
considering the ability to integrate the two companies’ computer systems?
1 The number of programmers and systems analysts employed by each
company.

1.143 What is a moral advantage associated with the possibility of exposing fraud
and errors during an internal audit
1 Frequent internal audits ensure that there will be fewer errors due to the
improved accuracy of the staff.

1.144 Fraud was recently discovered in the sales department. After finalisation of
the fraud investigation, the management of the sales department requested you
as the internal auditor to assist them with improving their current policies and
procedures. To best fulfil your responsibility as an internal auditor, you should.
1 recommend specific improvements to the policy and procedures.

1.145 The responsibility to identify, assess and manage risk lies primarily with
1 Management of the organisation

1.146 The director of internal auditing for an organisation has just completed a risk
assessment process, identified the areas with the highest risks, and assigned an
audit priority to each. Which of the following conclusions logically follow/s from
such a risk assessment and is/are consistent with the IIA standards
I The risk priorities should be in order of major control deficiencies
II The risk process, though quantified, is the result of professional judgements
about both exposures and probability of occurrences

1.147 A significant employee fraud took place shortly after an internal audit. The
internal auditor may not have properly fulfilled the responsibility for the deterrence
of fraud by failing to note and report that
1 there are no written policies describing prohibited activities and the action
required whenever violations are discovered.
1.148 In the course of their work, internal auditors must be alert for fraud and other
forms of white-collar crime. The important characteristic that distinguishes fraud
from other varieties of white-collar crime is that
1 fraud encompasses an array of irregularities and illegal acts that involve
intentional misrepresentation

1.149 The purpose of the internal audit activity’s evaluation of the effectiveness of
existing risk management processes is to determine that
1 Management directs processes so as to provide reasonable assurance of
achieving objectives.

1.150 The action taken by management to enhance risk management and increase
the likelihood that the organisation’s established objectives and goals will be
achieved can best be described as
1 Control

1.151 Which one of the following statements reflects an internal auditor’s

responsibility for detecting errors and fraud? An internal auditor
1 should design the audit to provide reasonable assurance of detecting
significant errors and fraud.

1.152 Which one of the following activities represents both an appropriate personnel
department function and a deterrent to payroll fraud?
1 Authorisation of additions and deletions from the payroll.

1.153 In testing payroll transactions, an auditor discovers that four out of a statistical
sample of one hundred selected time cards were not signed by the appropriate
supervisor. To evaluate the materiality or significance of this control deficiency,
the internal auditor should
1 compute an upper precision limit and compare it with the tolerable rate.

1.154 Many organisations are taking Enterprise Risk Management seriously. The
term ERM refers to integration of risk management initiatives
1 across the organisation on a macro level.

1.155 Which one of the following alternatives represents a warning sign (red flag)
that may point to embezzlement of cash
1 Lost deposit slips

1.156 Indicate the alternative that best completes the following sentence: Upon
obtaining factual documentation of unethical business conduct by the vice
president, to whom the chief audit executive (CAE) reports, the CAE should do
the following:
1 Report the facts to the chief executive officer and the audit committee.
1.157 Which are specifically regarded by the King IV report as one of the
characteristics of ethical leadership?
1 Responsibility
2 Transparency
3 Accountability
4 Fairness
5 Integrity
6 Competence

1.158 The King IV Report portrays corporate governance as:

1 The exercise of ethical and effective leadership

1.159 Which one is not a principle of leadership, ethics and corporate citizenship
1 The board should ensure that the company is managed efficiently and
effective to maximise shareholder’s wealth

1.160