Wiley CIA P2 MCQs


WILEY PART 2 DOMAIN 1

1.Risk-based internal auditing approach does not apply to which of the following?

A.Assurance audit engagements
B.Consulting audit engagements
C.Compliance audit of laws, rules, and regulations
D.Compliance audit of a company's policies and procedures

The Answer C is Correct


The risk-based internal auditing approach does not apply to compliance with governmental laws, rules,
and regulations (LRRs) because they are mandatory in nature and because companies have no choice in
implementing them. Hence, LRRs must be audited regardless of their risk levels. In other words, LRRs
cannot be labeled as high, medium, or low risk, and they cannot be prioritized by risk with only
high-risk LRRs reviewed and low-risk LRRs ignored.

A.Incorrect. Review of assurance audit engagements can be risk based because senior management and
internal audit management can decide what to audit and when to audit based on a risk assessment.
B.Incorrect. Review of consulting audit engagements can be risk based because senior management
and internal audit management can decide what to audit and when to audit based on a risk assessment.
D.Incorrect. Review of compliance with a company's policies and procedures can be risk based because
some policies could be high risk, some could be medium risk, and others could be low risk.

2.Which of the following is a useful tool when internal auditors are coordinating their audit work
with internal and external service providers in governance, risk, and control areas?

A.Assurance map
B.Control map
C.Risk map
D.Governance map

The Answer A is Correct


Assurance maps are organization-wide and coordinated exercises involving mapping assurance
coverage provided by multiple parties (both inside and outside) against key or significant risks facing
the organization so that duplicate efforts, missed risks, and assurance gaps can be identified and
monitored.
The chief audit executive, senior management, and the board need assurance maps to ensure proper
coordination among diverse risk activities.

B.Incorrect. Control maps show an organization's understanding of its critical control points and major
controls at those control points.
C.Incorrect. Risk maps show an organization's understanding of its risk profiles and risk appetite.
D.Incorrect. Governance maps show an organization's understanding of its board of directors’ oversight,
stewardship, and fiduciary roles and responsibilities.

3.When selecting people to work in the internal audit department, the vetting process does not
apply to which of the following?

A.External assessors
B.Audit contractors
C.Guest auditors
D.External service providers

The Answer C is Correct


Guest auditors are insiders, borrowed from nonaudit departments for temporary work in the audit
department. They go back to their departments after completing their work in the audit department.
Hence, guest auditors do not need a vetting process because they have already gone through an internal
hiring and screening process.

A.Incorrect. External assessors are outsiders who are carefully screened, selected, and hired (vetted) for
a specific audit work to ensure that they are qualified to do the work.
B.Incorrect. Audit contractors are outsiders who are carefully screened, selected, and hired (vetted) for
a specific audit work to ensure that they are qualified to do the work.
D.Incorrect. External service providers are outsiders who are carefully screened, selected, and hired
(vetted) for a specific audit work to ensure that they are qualified to do the work.

4.A 360-degree review of an internal auditor's performance assessment includes which of the
following?
I. Peer auditors
II. Audit clients
III. Audit supervisors
IV. Audit managers

A.III
B.IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


A 360-degree review is a comprehensive review of an auditor's performance as seen by many others,
such as peer auditors (colleagues), audit clients, audit supervisors, and audit managers. This includes
all the people an auditor connected with or worked with, either directly or indirectly, who can say
something about the auditor's job performance.

A.Incorrect. This is a partial answer. More reviewers are needed.
B.Incorrect. This is a partial answer. More reviewers are needed.
C.Incorrect. This is a partial answer. More reviewers are needed.

5.The best way to protect data on personal computers against ransomware attacks is to:

A.Store a company backup data on a cloud storage system.
B.Store central backup data on local flash drives.
C.Store central backup data on central servers.
D.Store local backup data on local servers.

The Answer A is Correct


Once a company's personal computer (PC) is under a ransomware attack, the only way to avoid paying a
ransom amount to hackers is to have stored a backup copy of the PC data on a cloud storage system well
before the attack. This approach keeps the PC data far away from the attack in an uninfected condition and
available as a ready backup to recover from the damage. In other words, the cloud storage acts as data
insurance.

B.Incorrect. Local flash drives could be infected if they are constantly connected to personal
computers.
C.Incorrect. Central servers could be infected if they are constantly connected to personal computers.
D.Incorrect. Local servers could be infected if they are constantly connected to personal computers.

6.Which of the following is not a common form of ransomware attack methods?

A.Malicious email attachments
B.Exploit kits
C.Brute force attacks
D.Malicious email links

The Answer C is Correct


Brute force attacks are used to crack passwords. They are not common ransomware attacks because
there are so many sophisticated attacks available to break passwords. Also, brute force attacks are
unsophisticated traditional methods whereas ransomware attacks are much more modern and
sophisticated attacks and are much more damaging than the brute force attacks. Ransomware attacks
are very damaging to individuals and organizations and often are undetectable.

A.Incorrect. Malicious email attachments are common ransomware attack methods. Ransomware
attacks are very damaging to individuals and organizations and often are undetectable.
B.Incorrect. Exploit kits are common ransomware attack methods. Ransomware attacks are very
damaging to individuals and organizations and often are undetectable.
D.Incorrect. Malicious email links are common ransomware attack methods. Ransomware attacks are
very damaging to individuals and organizations and often are undetectable.

7.Which of the following mobile device policy is not risky to user organizations?

A.Bring your own device (BYOD)
B.Bring your own applications (BYOA)
C.Choose your own device (CYOD)
D.Wear your own device (WYOD)

The Answer C is Correct


CYOD differs from BYOD by allowing end users to select from a predetermined and approved list of
personal device types for work rather than using any device. This is not a risky policy because devices
are company-approved devices.

A.Incorrect. BYOD is a policy that permits employees to bring personally owned devices to their
workplace and use them to access restricted company data, information, and applications. This is a
risky policy because devices are not company-approved devices.
B.Incorrect. BYOA is a policy similar to BYOD that involves employees using third-party applications
in the workplace or on a work device. This is a risky policy because devices are not company-approved
devices.
D.Incorrect. WYOD is a program similar to BYOD that allows end users to use personal wearable
devices (watches and virtual reality goggles) to perform a company's tasks and functions. This is a
risky policy because devices are not company-approved devices.

8.Regarding web-based advertising, click fraud is related to which of the following metrics?

A.Pay per bounce
B.Pay per click
C.Pay per lead
D.Pay per load

The Answer B is Correct


Web advertisers get paid for running a company's web advertisement based on the number of potential
customers clicking on the advertisement. Generally, the greater the number of browser clicks made, the
greater the level of customer interest and the greater the payments to advertisers. The click activity
could result in click fraud, or it could indicate genuine interest.

A.Incorrect. Pay per bounce is not a relevant metric here because the term “bounce” is used in the
context of bounced emails and being bounced out of websites.
C.Incorrect. The pay-per-lead metric refers to paying some money for each sales lead.
D.Incorrect. The pay-per-load metric deals with page loading time on a website.

9.When an organization is hit by a ransomware attack, which of the following can be higher than
the ransomware money demanded by hackers?

A.Prevention costs
B.Detection costs
C.Administrative costs
D.Recovery costs

The Answer D is Correct


Many organizations are learning that total recovery costs are much higher than ransomware payments
made to hackers due to extensive damage caused, working with backup data, working with technical
consultants and law enforcement authorities, and restoring the system and data files to the stage before
the attack. In addition, the costs of lost sales, profits, employee morale, customer goodwill, and
employee productivity must be considered as part of the recovery costs. An organization's response
program and incident readiness make a big difference between its success or failure in handling
ransomware attacks.

A.Incorrect. Often ransomware attacks cannot be prevented because they are so vicious and sudden.
B.Incorrect. Often ransomware attacks cannot be detected because they are so aggressive and hidden.
C.Incorrect. Administrative costs, such as negotiating with hackers regarding payment amounts and
doing other nontechnical activities, are part of recovery costs.

10.Between authentication and encryption activities, which one of the following items is more
secure than the other three items?

A.Authenticate and encrypt
B.Authenticate then encrypt
C.Encrypt and authenticate
D.Encrypt then authenticate

The Answer D is Correct


The important issue here is which step should be done first and which should be done next. Encrypting
a plaintext should be done first. Later, authentication is done with a time gap. This is very secure.

A.Incorrect. Authentication and encryption at the same time is out of sequence and does not provide
security. Encryption should be done first. For security, there should be a time gap between encryption
and authentication.
B.Incorrect. Authentication first and encryption next is out of sequence and does not provide security.
Encryption should be done first. For security, there should be a time gap between encryption and
authentication.
C.Incorrect. Encryption and authentication should not be done at the same time as it does not provide
security. For security, there should be a time gap between encryption and authentication.

11.Which of the following is an example of a single point of failure?

A.Cloud storage
B.Working storage
C.Secondary storage
D.Closed storage

The Answer A is Correct


Because all the data is stored and concentrated in one place, cloud storage is subject to a single point of
failure, which is a risky situation. This means that if an attacker breaks into the cloud storage, all
customer data can be lost or stolen. Hence, cloud storage requires strong, layered, and defense-in-depth
security controls. On a positive note, cloud backup storage can act as a faster recovery mechanism in
case of a ransomware attack.

B.Incorrect. Working storage is that portion of storage, usually computer main memory (i.e., central
processing unit), reserved for the temporary results of computer operations.
C.Incorrect. Secondary storage consists of nonvolatile auxiliary memory, such as disks or tapes, used
for the long-term storage of computer programs and data.
D.Incorrect. Closed storage refers to the storage of classified information within an accredited
government facility where the documents containing classified information are stored in approved
secure containers. This storage is closed to the outside world.

12.Which of the following is likely to utilize the assurance maps the most?

A.External assurance function
B.Internal risk management function
C.Internal audit function
D.Internal compliance review function

The Answer C is Correct


Internal auditors are the most likely to utilize assurance maps to their fullest extent. This is because the
internal audit function has several responsibilities, such as providing comprehensive reviews and
evaluations; coordinating between internal and external service providers; and assuring the board and
senior management about governance, risk management, and control processes.

A.Incorrect. The external assurance function may use assurance maps, but not the most of the choices
provided.
B.Incorrect. The internal risk management function may use assurance maps, but not the most of the
choices provided.
D.Incorrect. The internal compliance review function may use assurance maps, but not the most of the
choices provided.

13.Regarding construction audits, contract leakages are handled better in which of the following
construction audit phases?

A.Preconstruction audit
B.Interim construction audit
C.Postconstruction audit
D.Comprehensive construction audit

The Answer A is Correct


Contract leakages occur due to overpayments, billing errors, and erroneous payments made to
contractors and subcontractors. These overpayments are due to misunderstandings, misinterpretations,
or misapplications of contractual terms and conditions. The sooner one can detect these contract
leakages, the better off it is for all parties. The preconstruction phase is the right place and the right
time to address these issues in order to avoid contract leakages.

B.Incorrect. The interim construction audit phase is too late to avoid contract leakages.
C.Incorrect. The postconstruction audit phase is too late to avoid contract leakages.
D.Incorrect. The comprehensive construction audit phase is too late to avoid contract leakages.

14.Which of the following is the major decision point to make regarding outsourcing an internal
audit function?

A.What to outsource
B.When to outsource
C.Where to outsource
D.Whom to outsource

The Answer A is Correct


What to outsource is the major decision point because management needs to decide which part of the
internal audit function to outsource: the information technology audits, the consulting audit
engagements, or the compliance audit engagements? Another relevant question is whether it is a partial
or a full outsource.

B.Incorrect. When to outsource is not the major decision point; it is a minor point that follows the
major point.
C.Incorrect. Where to outsource is not the major decision point; it is a minor point that follows the
major point.
D.Incorrect. Whom to outsource is not the major decision point; it is a minor point that follows the
major point.

15.Due diligence reviews do not mean:

A.Exercising extraordinary care.
B.Exercising reasonable care.
C.Exercising due care.
D.Exercising standard care.

The Answer A is Correct


The people who are conducting due diligence reviews need not exercise extraordinary care; ordinary care
is good enough.

B.Incorrect. The people who are conducting due diligence reviews need to exercise reasonable care only.
This can lead to a good due diligence defense for a defendant.
C.Incorrect. The people who are conducting due diligence reviews need to exercise due care only. This
can lead to a good due diligence defense for a defendant.
D.Incorrect. The people who are conducting due diligence reviews need to exercise standard care, meaning
meeting minimum standards of work, not maximum standards. This can lead to a good due diligence
defense for a defendant.

16.Which of the following is not applicable to a due diligence review?

A.Due process
B.Due care
C.Due regard
D.Standard care

The Answer A is Correct


Due process is the legal principle that governmental agencies must respect all of the legal rights that are
owed to all citizens per the law. Hence, due process does not apply to due diligence reviews done by
individual organizations or individuals.

B.Incorrect. Due care applies to due diligence reviews, and they go together.
C.Incorrect. Due regard applies to due diligence reviews. Due regard requires giving equal respect to
and showing equal interest in all people.
D.Incorrect. Standard care applies to due diligence reviews. Standard care is minimum care.

17.Which of the following is the common element between outsourcing vendors and third-party
service providers?

A.Contractors
B.Due diligence reviews
C.Contract
D.Service

The Answer B is Correct


Due diligence reviews are the common element required, whether the review is done for an outsourced
vendor or a third-party service provider. Conducting a due diligence review is good business practice
as it provides a safety valve for the hiring organization (i.e., less risk).

A.Incorrect. The nature and the type of contractors could be different between outsourced vendor work
and third-party service work.
C.Incorrect. The nature and the type of contract (i.e., the legal document with terms and conditions)
could be different between outsourced vendor work and third-party service work.
D.Incorrect. The nature and the type of service (i.e., technology, supply, or distribution service) could
be different between outsourced vendor work and third-party service work.

18.Due diligence reviews are not performed with:

A.Due care.
B.Absolute care.
C.Reasonable care.
D.Possible care.

The Answer B is Correct


Due diligence reviews are not performed with absolute care, which is too much to expect.

A.Incorrect. Due diligence reviews are performed with due care that any prudent person would do.
C.Incorrect. Due diligence reviews are performed with reasonable care that any prudent person would
do.
D.Incorrect. Due diligence reviews are performed with possible care that any prudent person would do.

19.The scope of value-for-money (VFM) audits includes which of the following elements?
I. Expertise
II. Economy
III. Efficiency
IV. Effectiveness

A.I only
B.I and II
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


The scope of VFM audits includes all four elements of expertise, economy, efficiency, and
effectiveness. Here, “expertise” refers to the combined knowledge, skills, and abilities that auditors
possess in conducting VFM audits. “Economy” refers to the use of resources in a cost-effective manner.
“Efficiency” refers to the use of resources in a productive manner. “Effectiveness” refers to the use of
resources to achieve the intended objectives.

A.Incorrect. Expertise is only one element of the scope of VFM audits. Here, “expertise” refers to the
combined knowledge, skills, and abilities that auditors possess in conducting VFM audits.
B.Incorrect. Expertise and economy are only two elements of the scope of VFM audits. Here, “economy”
refers to the use of resources in a cost-effective manner.
C.Incorrect. Efficiency and effectiveness are only two elements of the scope of VFM audits. Here,
“efficiency” refers to the use of resources in a productive manner. “Effectiveness” refers to the use of
resources to achieve the intended objectives.

20.Which one of the following items considers all the other three items in concert?

A.Vulnerabilities
B.Threats
C.Risks
D.Controls

The Answer D is Correct


Correct. Vulnerabilities → Threats → Risks → Controls

A.Incorrect. Vulnerabilities → Threats → Risks → Controls
B.Incorrect. Vulnerabilities → Threats → Risks → Controls
C.Incorrect. Vulnerabilities → Threats → Risks → Controls

21.When conducting identity theft activities, fraudsters use which of the following to perpetrate
identity fraud?

A.Mobile texting
B.SMS texting
C.Pretexting
D.MMS texting

The Answer C is Correct


Pretexting is the tool that fraudsters use to perpetrate identity theft with a prepared and known text
based on stolen information. It is a specifically targeted example of a social engineering scheme. The
fraudster calls a bank to find out additional information on a bank customer's account that was stolen.

A.Incorrect. Mobile texting is a generic and broad meaning of texting and is not specifically targeted.
B.Incorrect. SMS texting is short message service (SMS) texting and is not specifically targeted.
D.Incorrect. MMS texting is multimedia messaging service (MMS) texting and is not specifically
targeted.

22.Which of the following can help victims recover from ransomware attacks?

A.Encryption key
B.File and system backups
C.Decryption key
D.Patched and updated software

The Answer B is Correct


File and system backups, especially maintained in a cloud storage system, are like insurance policies.
When computer files are infected with ransomware, a backup version of the files is the best way to
recover the critical data.

A.Incorrect. Hackers encrypt the victims’ files with an encryption key so that victims cannot use the
files until they pay a ransom amount. An encryption key does not help victims recover from
ransomware attacks.
C.Incorrect. Hackers decrypt victims’ encrypted files with a decryption key after victims pay the
ransom amount. A decryption key does not help recover from ransomware attacks.
D.Incorrect. Using patched and updated software is a good practice, but it alone cannot help victims
recover from ransomware attacks.

23.Which of the following could be treated as a legal contract?

A.A letter of intent
B.A memorandum of understanding
C.A memorandum of meeting
D.A letter of introduction

The Answer A is Correct


A letter of intent could be treated as a legal contract or not. It depends on whether the letter of intent
document is specific (narrow) or general (broad) in nature. When a specific letter of intent contains
very detailed information about the scope and nature of work, work completion dates, who is doing
what work, money payments, and milestone dates, then it is considered a legal contract. These details
meet all the elements of a contract. If a letter of intent document is general and vague, then it is not a
legal contract because it does not have all the elements of a contract. Simply stated, a general letter of
intent is not binding, and a specific letter of intent is binding.

B.Incorrect. A memorandum of understanding is not considered a legal contract because it does not
have all the elements of a contract.
C.Incorrect. A memorandum of meeting is not considered a legal contract because it does not have all
the elements of a contract.
D.Incorrect. A letter of introduction is not considered a legal contract because it does not have all the
elements of a contract.

24.Cyberthreats and cyberattacks on all types of organizations have occurred during which of
the following web generations?

A.Web 1.0
B.Web 2.0
C.Web 3.0
D.Web 4.0

The Answer B is Correct


Web 2.0 presents read-write features, blogs, wikis, tweets, and others. Cyberthreats and cyberattacks
have become common with malware and spyware software.

A.Incorrect. Web 1.0 provided basic features, such as browsing, static web format, and mostly
read-only features.
C.Incorrect. Web 3.0 has become the personal, portable, and executable web.
D.Incorrect. Web 4.0 focuses on mobile web connections.

25.Social media platforms or networks were born during which web generation?

A.Web 1.0
B.Web 2.0
C.Web 3.0
D.Web 4.0

The Answer B is Correct


Web 2.0 presents read-write features, blogs, wikis, tweets, and others. Cyberthreats and cyberattacks
have become common with malware and spyware software.

A.Incorrect. Web 1.0 provided basic features, such as browsing, static web format, and mostly
read-only features.
C.Incorrect. Web 3.0 has become the personal, portable, and executable web.
D.Incorrect. Web 4.0 focuses on mobile web connections.

26.Which of the following can perform click fraud in online marketing advertisements?

A.Web beacons
B.Bots
C.Cookies
D.Web bugs

The Answer B is Correct


Bots are computer programs that reside on a computer and provide remote command and control access
via a variety of protocols, including Internet Relay Chat (IRC), HTTP, instant messaging, and
peer-to-peer protocols. Bots can support illicit activities, such as pay-per-click services, resulting in
click fraud in marketing an online advertisement. This means that bots perform the illegal clicks that
dishonest people do. This, in turn, increases the number of clicks made because payments are based on
each click.

A.Incorrect. Web beacons cannot perform click fraud, as they are the same as web bugs. Web
beacons are placed on web pages and websites to track the use of web servers and collect web
addresses.
C.Incorrect. Cookies cannot perform click fraud. Cookies are used to uniquely identify website visitors.
D.Incorrect. Web bugs cannot perform click fraud as they are the same as web beacons. They are
placed on web pages and websites to track the use of web servers and collect web addresses.

27.An internal auditor has misplaced or lost her digital tablet during audit-related travel. Which
of the following actions can keep her tablet safe and secure?
I. Activate global positioning system (GPS) feature.
II. Disable Bluetooth services.
III. Enable a remote-wiping feature.
IV. Disable Wi-Fi services.

A.I only
B.I and II
C.I and III
D.II and IV

The Answer C is Correct


Activating a GPS feature can locate the lost tablet, which is not enough. Enabling a remote-wiping
feature can erase the data on the tablet so that valuable information could not get into the wrong hands.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
D.Incorrect. Disabling Bluetooth services and Wi-Fi services is a good security protection when not
using mobile devices.

28.Regarding mobile devices, the features of which one of the following items is different from
the features of the other three items?

A.Jailbreaking
B.Tampering
C.Jamming
D.Rooting

The Answer C is Correct


Jamming is an attack in which a mobile device is used to emit electromagnetic energy on a wireless
network's frequency to make the network unusable. Jamming is used in denial-of-service attacks.
Jamming attacks can take place based on how a mobile device was designed and developed;
jailbreaking, tampering, and rooting attacks can take place based on what users are doing to their
mobile devices.

A.Incorrect. Jailbreaking is removing the limitations imposed on a device by the manufacturer, often
through the installation of custom operating system components or other third-party software.
Jailbreaking makes a device more vulnerable to attacks because it removes important safeguards
against malware attacks. Some users prefer to bypass the operating system's lockout features in order to
install apps that could be malicious in nature. Doing jailbreaking is risky.
B.Incorrect. Tampering is modifying data, software, firmware, or hardware without authorization.
Modifying data in transit, inserting tampered hardware or software into a supply chain, repackaging a
legitimate app with malware, modifying network or device configuration (e.g., jailbreaking or rooting a
phone) are examples of tampering. Doing tampering is risky.
D.Incorrect. Rooting, similar to jailbreaking, is removing the limitations imposed on a device by the
manufacturer, often through the installation of custom operating system components or other
third-party software. Rooting makes a device more vulnerable to attacks because it removes important
safeguards against malware attacks. Some users prefer to bypass the operating system's lockout
features in order to install apps that could be malicious in nature. Doing rooting is risky.

29.Which of the following can help hackers evade detection?

A.Scripting tools
B.Antivirus software
C.Intrusion detection system
D.Intrusion prevention system

The Answer A is Correct


Scripting tools (e.g., JavaScript, VBScript, cross-site scripting, and cross-zone scripting) are tools of
the trade for bad actors, hackers, attackers, or intruders in cyberspace to conduct malicious acts.
Scripting tools can help bad actors to evade detection. Scripting tools are computer programs and
commands written by hackers.

B.Incorrect. Antivirus software can help detect bad actions and protect users.
C.Incorrect. Intrusion detection systems can help detect bad incidents and protect users.
D.Incorrect. Intrusion prevention systems can help prevent bad incidents and protect users.

30.Regarding cybersecurity, defenders are attack-victim organizations and offenders are the
hackers attacking individuals and organizations. Which of the following represents a strategic aspect
that is completely opposite for defenders and offenders?

A.Expertise
B.Resources
C.Attack surface
D.Tool kits

The Answer C is Correct


An attack surface is the total amount of cyberspace available for a hacker to exploit or target
individuals or organizations. The attack surface is the strategic aspect for hackers. Defenders’
objectives are to reduce the attack surface to be as small as possible; hackers’ objectives are to expand
attack surfaces to be as large as possible. So, defenders’ objectives and hackers’ objectives reflect
diverse or opposite viewpoints. The attack surface is a strategic workspace for hackers to launch
attacks.

A.Incorrect. Both defenders and offenders want higher levels of expertise (i.e., technical knowledge
and skills). However, expertise represents an operational aspect for offenders, not a strategic aspect.
B.Incorrect. Both defenders and offenders want greater amounts of resources (i.e., money, time, and
staff). However, resources represent an operational aspect for offenders, not a strategic aspect.
D.Incorrect. Both defenders and offenders want several types of tool kits (i.e., hardware and software)
available to them. However, tool kits represent an operational aspect for offenders, not a strategic
aspect.

31.Management of a cyberattack victim organization needs to pay great attention to which of the
following before developing cybersecurity technical strategies to defend against attackers?

A.Attack-in-depth strategies
B.Attackers’ detection-evasion tactics
C.Attackers’ technical savvy
D.Attackers’ destructive behavior

The Answer D is Correct


Management of an organization that has suffered a cyberattack must understand a great deal about the
attackers, whether they are insiders (e.g., employees and contractors) or outsiders (e.g., hackers and
intruders). Management needs to understand the attackers’ ambition, disruptive behavior, opportunities,
and resources. In other words, organizations need to ask which of their assets attackers want, and how
to protect those assets from attacks.

A.Incorrect. An attack-in-depth strategy is what attackers formulate and implement to achieve their
goals.
B.Incorrect. Detection-evasion tactics are those tools and practices that attackers use to hide or evade
detection by the victim organization so attackers have more time to continue or expand their attack
surface.
C.Incorrect. Attackers with a higher level of technical savvy can do a lot more damage than attackers
with a low level of technical savvy.

32.What is the real reason why hackers succeed in their various types of cyberattacks?

A.They use sophisticated attack-in-depth strategies.
B.They use stronger detection-evasion tools.
C.They outsmart an organization's information technology (IT) staff.
D.They nullify the organization's anti-malware tools.

The Answer C is Correct


The real reason hackers succeed in their cyberattacks is that they outsmart an organization's IT
staff in terms of technical knowledge, skills, and abilities.

A.Incorrect. It is true that some hackers do use sophisticated attack-in-depth strategies that are updated
frequently. This is not the real reason for their success, however.
B.Incorrect. It is true that some hackers do use stronger detection-evasion tools such as scripts. This is
not the real reason for their success, however.
D.Incorrect. Hackers can kill the effectiveness and functionality of anti-malware tools so they don't
work as expected. This is not the real reason for their success, however.

33.Which of the following can provide the strongest security control mechanism?

A.Passwords
B.One-time passwords
C.Passcode
D.Passphrases

The Answer B is Correct


One-time passwords provide the strongest security control mechanism because they are not reusable.

A.Incorrect. Regular passwords are basic, weak, and reusable, not the strongest security control
mechanism.
C.Incorrect. Regular passcodes are basic, weak, and reusable, not the strongest security control
mechanism.
D.Incorrect. Regular passphrases are basic, weak, and reusable, not the strongest security control
mechanism.

34.Which of the following can act as the strongest security control mechanism in a multifactor
authentication process?

A.Passwords
B.Biometrics
C.Passcodes
D.Personal identification numbers

The Answer B is Correct


Biometrics, when combined with other security controls such as passwords, passcodes, or passphrases,
provide the strongest security control mechanism in a multifactor authentication process because
biometrics cannot be compromised. Biometrics represent one factor in a multifactor authentication and
provide a strong security control when compared to passwords, passcodes, and personal identification
numbers (PINs). For example, a multifactor authentication process is a combination of something you
know and something you are (e.g., user ID, PIN, password, passcode, passphrase, and biometric
sample).

A.Incorrect. Regular passwords are basic, weak, and reusable, not the strongest security control
mechanism even in a multifactor authentication process because they can be broken. Regular
passwords represent a one-factor authentication.
C.Incorrect. Regular passcodes are basic, weak, and reusable, not the strongest security control
mechanism even in a multifactor authentication process because they can be broken. Regular passcodes
represent a one-factor authentication.
D.Incorrect. Regular personal identification numbers (PINs) are basic, weak, and reusable, not the
strongest security control mechanism even in a multifactor authentication process because they can be
broken. Regular PINs represent a one-factor authentication.

35.Which of the following is not a variant of phishing attacks?

A.Spear phishing
B.Vishing
C.Smishing
D.SIM card swapping

The Answer D is Correct


Subscriber identity module (SIM) card swapping involves an identity thief approaching a wireless
carrier with fake proof of identity and obtaining a duplicate SIM card for a victim's mobile/cell phone to
perpetrate fraud. The wireless carrier deactivates the original SIM card and issues a replacement one.
Then the fraudster uses the new SIM card and carries out unauthorized and illegal account transactions
without the victim's knowledge.

A.Incorrect. Spear phishing or whaling is a variant of phishing attacks. It is a very serious and targeted
attack.
B.Incorrect. Vishing is a variant of phishing attacks. It uses voicemail to attack.
C.Incorrect. Smishing is a variant of phishing attacks. It uses text messages to attack.

36.Risk-based internal audit plans are directly related to which of the following?

A.Risk profiles
B.Risk registers
C.Risk appetite
D.Risk maturity

The Answer C is Correct


Risk appetite is the amount and level of risk that an organization is prepared to accept in pursuit of its
objectives, and before action is deemed necessary to reduce the risk. Organizations manage those risks
in relation to their risk appetites. Hence, an organization should develop risk-based internal audit plans
to accommodate its risk appetite.

A.Incorrect. Risk profiles show all the significant (material) risks and key risks that an organization is
exposed to. Risk ownership is derived from risk profiles. Risk profiles are not related to risk-based
audit plans.
B.Incorrect. Risk registers are risk logs that document all risks below an organization's strategic level
(i.e., operational and functional level risks). Risk registers show a complete inventory of all types of
risks and are not related to risk-based audit plans.
D.Incorrect. Risk maturity deals with whether an organization's risk management framework is complete or
incomplete, effective or ineffective, and old or new. It also asks whether the current maturity fits with
the current business. Risk maturity is not related to risk-based audit plans.

37.Risk-based internal audit plans should focus on which of the following?

A.Business size risk
B.Business complexity risk
C.Business risk appetite
D.Business managers’ tolerance for risk

The Answer C is Correct


Business risk appetite reflects the total risks facing an organization and is equal to the risk universe,
which, in turn, is equal to the audit universe. Audit plans are developed from the audit universe.

A.Incorrect. Business size risk is a part of a business risk appetite.
B.Incorrect. Business complexity risk is a part of a business risk appetite.
D.Incorrect. Business managers’ tolerance for risk is a part of a business risk appetite.

38.Which of the following is the least important deciding factor when outside auditors plan to
rely on the work of internal auditors?

A.Budget for the internal audit department
B.Independence of the internal audit department
C.Objectivity of internal auditors
D.Competency of internal auditors

The Answer A is Correct


Generally speaking, budget is the most important financial factor in operating a business function,
operation, or department. But budget is the least important deciding factor here because it has nothing
to do with external auditors’ evaluation of the fitness of internal auditors’ work.

B.Incorrect. Independence of the internal audit department is one of the most important deciding
factors.
C.Incorrect. Objectivity of internal auditors is one of the most important deciding factors.
D.Incorrect. Competency of internal auditors is one of the most important deciding factors.

39.Regarding consulting audit engagements, which of the following objectively results in “lessons
learned” insights?

A.Retrospective reviews
B.Prospective reviews
C.Hindsight reviews
D.Contemporary reviews

The Answer A is Correct


Lessons, whether good or bad, are learned by objectively reviewing past work products (reports),
approaches, and outcomes, such as fraud, bribes, cyberattacks, and data breaches. Retrospective
reviews, which are comprehensive, move from the present to the past.

B.Incorrect. Prospective reviews are look-forward and before-the-fact reviews focusing on the future.
These limited reviews move from the present to the future.
C.Incorrect. Hindsight reviews are look-afterward and what-went-wrong subjective reviews focusing
on the past, based in part on an individual's memory, gut feeling, and second-guessing. These narrow
reviews move from the present to the past.
D.Incorrect. Contemporary reviews are look-now and what-can-go-wrong reviews focusing on the
present. These customized reviews move from the past to the present.

40.Regarding related-party transactions, which of the following is a major concern for internal
auditors and external auditors?

A.Lack of arm's-length transactions
B.Insufficient disclosures of transactions
C.Unclear executive compensation arrangements
D.Unaccounted transactions with shareholders

The Answer B is Correct


Insufficient disclosures of transactions are a major concern of related-party transactions due to their
conflicting motives and opposing objectives.

A.Incorrect. This is not a major concern.
C.Incorrect. This is not a major concern.
D.Incorrect. This is not a major concern.

41.Which of the following is the first step to take after the board and senior management of a
publicly held corporation decide to outsource its internal audit function?

A.Review the charter and bylaws of the outsourced provider.
B.Perform a due diligence review on the outsourced provider.
C.Review professionalism of the outsourced provider's staff members.
D.Conduct a thorough background check of the outsourced provider.

The Answer B is Correct


Performing a due diligence review on the outsourced provider should be the first step to take because
this review indicates whether the outsourced provider has what it takes to operate the internal audit
function. This review is a professional fitness test.

A.Incorrect. Reviewing the charter and bylaws of the outsourced provider could be done after a due
diligence review.
C.Incorrect. Reviewing professionalism of the outsourced provider's staff members could be part of the
due diligence review.
D.Incorrect. Conducting a thorough background check of the outsourced provider could be the last step
to take before hiring or engaging the outsourced provider.

42.Which of the following is the major common concern to internal auditors and external
auditors?

A.Governance
B.Risk management
C.Internal controls
D.Compliance with regulations

The Answer C is Correct


Internal auditors and external auditors have a major common concern in the area of internal controls.
Internal auditors review internal controls as part of their operational audits; external auditors review
internal controls as part of their financial audit, which is a part of the attestation audit.

A.Incorrect. Internal auditors review the governance area as part of their internal audit plan, but
external auditors review the governance area only as requested by their clients. In other words,
reviewing governance is not a part of the routine attestation audit of external auditors.
B.Incorrect. Internal auditors review the risk management area as part of their internal audit plan, but
external auditors review the risk management area only as requested by their clients. In other words,
reviewing risk management is not a part of the routine attestation audit of external auditors.
D.Incorrect. Internal auditors and regulatory auditors examine compliance with regulations. Review of
compliance with regulations is not a part of external auditors’ routine attestation audit, but they could
review the area based on client requests.

43.Which one of the following items drives the other three items when conducting
value-for-money (VFM) audits?

A.Expertise
B.Economy
C.Efficiency
D.Effectiveness

The Answer A is Correct


Expertise drives the other three items of economy, efficiency, and effectiveness, which are the four
pillars of a VFM audit. Here, expertise refers to the combined knowledge, skills, and abilities that
auditors possess in conducting the VFM audits.

B.Incorrect. Economy refers to the use of resources in a cost-effective manner. Economy is driven by
expertise.
C.Incorrect. Efficiency refers to the use of resources in a productive manner. Efficiency is driven by
expertise.
D.Incorrect. Effectiveness refers to the use of resources to achieve the intended objectives.
Effectiveness is driven by expertise.

44.Regarding mobile security, encryption can be used to protect which of the following to prevent
data loss?
I. Data at rest
II. Data in motion
III. Data in processing
IV. Data in use

A.I and II
B.II and III
C.I and IV
D.III and IV

The Answer A is Correct


Encryption provides confidentiality for and integrity of sensitive information and can be used to protect
data at rest and data in motion (i.e., data in transit). “Data at rest” means data are temporarily or
permanently stored on internal storage devices and external storage devices (e.g., cloud storage) and/or
in volatile or nonvolatile memory.

B.Incorrect. Encryption can be applied to data in motion, not to data in processing. “Data in
processing” means that data are being acted on by an automated process, such as a program or
command.
C.Incorrect. Encryption can be applied to data at rest, not to data in use. “Data in use” means data are
actively being updated, modified, or used by end users.
D.Incorrect. Encryption cannot be applied to data in processing or data in use. “Data in processing”
means that data are being acted on by an automated process, such as a program or command. “Data in
use” means data are actively being updated, modified, or used by end users.

45.Which of the following statements is true about audit assurance?

A.It is the same as quality assurance.
B.It is the inverse of audit risk.
C.It is the same as statistical assurance.
D.It is the complement of control risk.

The Answer B is Correct


The audit assurance level is the inverse of audit risk, where the latter is based on an auditor's judgment.
For example, if the allowable audit risk is 5%, then the audit assurance level is 95% (i.e., 100% – 5%).
Note that the assurance level is not the same as the confidence level, which relates to an individual sample.

A.Incorrect. Quality assurance in manufacturing deals with establishing quality plans, objectives, and
outcomes.
C.Incorrect. Statistical assurance deals with mathematics, probabilities, mean (average), mode, median,
and variances.
D.Incorrect. This choice is not relevant to audit assurance.

46.The IIA Standard 2050, Coordination, refers to which of the following to provide assurance as
a first line of defense over risks and controls?

A.Internal auditors
B.Senior managers
C.Risk managers
D.Operations managers

The Answer D is Correct


Operations managers and their employees provide a first line of defense because they are close to the
action at frontline operations, a form of line function.

A.Incorrect. Internal auditors provide the third line of defense and perform a review and evaluation
function.
B.Incorrect. Senior managers provide the second line of defense and perform an oversight function.
C.Incorrect. Risk managers provide the second line of defense and perform a staff function.

47.Which of the following provides a safety valve to management when planning to acquire,
merge, and consolidate with other businesses?

A.Due diligence reviews
B.Security audits
C.Contract audits
D.Quality audits

The Answer A is Correct


The purpose of due diligence reviews is to provide a safety valve to management that is planning to
acquire, merge, or consolidate its business with other businesses. These reviews provide comfort levels
or assurance levels indicating that everything is done properly.

B.Incorrect. Security audits do not provide a safety valve.
C.Incorrect. Contract audits do not provide a safety valve.
D.Incorrect. Quality audits do not provide a safety valve.

48.Engagement results from which of the following engagements are fed into the other three
types of engagements?

A.Operational engagement
B.Compliance engagement
C.Consulting engagement
D.Financial engagement

The Answer C is Correct


Consulting engagements are advisory in nature and provide great insights to clients. Because of the
broad scope of work, consulting auditors can bring their work observations and results to share with
other auditors, such as assurance, compliance, financial, performance, and IT auditors, and others.

A.Incorrect. The scope of operational engagement is narrow and specific, and its results could not be
fed into other types of audit engagements.
B.Incorrect. The scope of compliance engagement is narrow and specific, and its results could not be
fed into other types of audit engagements.
D.Incorrect. The scope of financial engagement is narrow and specific, and its results could not be fed
into other types of audit engagements.

49.Which of the following statements is not true about bitcoins?

A.Bitcoins use a distributed ledger.
B.Bitcoins use a centralized ledger.
C.Bitcoins use a decentralized ledger.
D.Bitcoins use a community ledger.

The Answer B is Correct


A ledger is a chronological listing of all business transactions in one place to provide a clear and
complete picture of all transactions. Bitcoins do not use a centralized ledger.

A.Incorrect. Bitcoins do use a distributed ledger.
C.Incorrect. Bitcoins do use a decentralized ledger.
D.Incorrect. Bitcoins do use a community ledger.

50.During consulting engagements, internal auditors should focus on which of the following?

A.Evidence chain
B.Value chain
C.Critical chain
D.Incident chain

The Answer B is Correct


A value chain can either create or destroy value. It is a series of business processes or steps that follow
each other in succession to form a solid chain that is unbroken and long lasting.

A.Incorrect. An evidence chain is used in legal cases and forensic analysis.
C.Incorrect. A critical chain is used in project management and in manufacturing.
D.Incorrect. An incident chain is used to link or track an attacker's bad behavior.

51.Economy, as it relates to organizations, is closely related to which of the following?

A.Performance
B.Efficiency
C.Effectiveness
D.Economics

The Answer B is Correct


Economy deals with the use of resources in a cost-effective manner, using a cost-benefit analysis.
Efficiency deals with producing more goods (outputs) with fewer resources in a productive manner. Both
economy and efficiency deal with increased quantity of goods produced using fewer resources. The
same concept applies to services.

A.Incorrect. Performance is achieving the expected or targeted goals and objectives effectively and
efficiently.
C.Incorrect. Effectiveness refers to the use of resources to achieve the intended objectives.
D.Incorrect. Economics deals with the allocation and utilization of scarce resources (e.g., men, money,
materials, and machinery; 4Ms) to produce goods and provide services.

52.Which of the following statements are true about bitcoin transactions?

I. Transactions cannot be changed.
II. Transactions cannot be deleted.
III. Transactions cannot be updated.
IV. Transactions cannot be trusted.

A.II only
B.I, II, and IV
C.IV only
D.I, II, III, and IV

The Answer B is Correct


Unfortunately, bitcoin transactions cannot be changed, deleted, or updated. They can only be created
and read. Moreover, bitcoin transactions cannot be trusted because the systems are permission-less.

A.Incorrect. It is partially true.
C.Incorrect. It is partially true.
D.Incorrect. It is partially true.

53.Which of the following items should be analyzed and focused on first?

A.Vulnerabilities
B.Threats
C.Risks
D.Controls

The Answer A is Correct


Correct. Vulnerabilities → Threats → Risks → Controls

B.Incorrect. Vulnerabilities → Threats → Risks → Controls
C.Incorrect. Vulnerabilities → Threats → Risks → Controls
D.Incorrect. Vulnerabilities → Threats → Risks → Controls

54.Which of the following are the common variants of ransomware attacks?

I. Bots and botnets
II. Spam emails
III. Drive-by downloads
IV. Malvertizing

A.I only
B.I and II
C.I, II, and IV
D.I, II, III, and IV

The Answer D is Correct


Bots and botnets, spam emails, drive-by downloads, and malvertizing are common types of
ransomware attacks. Bots and botnets can spread through computer networks at a faster rate than other
attacks. Ransomware attacks can infect computers when a user clicks a spam email. Drive-by
downloads are the transfer of malicious software to a victim's computer without any action by the
victim. Malvertizing is the use of malicious advertisements on legitimate websites without any action
from the user, using adware software.

A.Incorrect. Bots and botnets are types of ransomware attacks because they can spread through
computer networks at a faster rate than other attacks.
B.Incorrect. Bots and botnets and spam emails are common types of ransomware attacks. Bots and
botnets can spread through computer networks at a faster rate than other attacks. Ransomware attacks
can infect computers when a user clicks a spam email.
C.Incorrect. Bots and botnets, spam emails, and malvertizing are common types of ransomware attacks.
Bots and botnets can spread through computer networks at a faster rate than other attacks. Ransomware
attacks can infect computers when a user clicks a spam email. Malvertizing is the use of malicious
advertisements on legitimate websites without any action from the user, using adware software.

55. The U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-Oxley Act
(SOX) did not recommend which of the following to become the financial expert representing the
audit committee of a publicly held corporation?

A.Internal auditor
B.External auditor
C.Principal financial officer
D.Principal accounting officer

The Answer A is Correct


Both the SEC and SOX do not recommend that the internal auditor be the financial expert sitting on the
audit committee.

B.Incorrect. Both the SEC and SOX do recommend that the external auditor be the financial expert
sitting on the audit committee.
C.Incorrect. Both the SEC and SOX do recommend that the principal financial officer be the
financial expert sitting on the audit committee.
D.Incorrect. Both the SEC and SOX do recommend that the principal accounting officer be the
financial expert sitting on the audit committee.

56.According to the U.S. Securities and Exchange Commission (SEC) and the U.S.
Sarbanes-Oxley Act (SOX), what is the proper term for when a chief executive officer (CEO) and
chief financial officer (CFO) need to give up their bonuses and incentives based on financial
results that later had to be restated or proved to be fraudulent?

A.Pushback provision
B.Clawback provision
C.Pullback provision
D.Rollback provision

The Answer B is Correct


The clawback provision requires that the CEO and CFO of a corporation give up bonuses and
incentives received based on financial results of their company that later had to be restated or were
found to be fraudulent. There is a bad intent on the part of the company management.

A.Incorrect. There is no bad intent with the pushback provision. For example, some governmental
policies and laws can be pushed back if citizens protest them.
C.Incorrect. There is no bad intent with the pullback provision. For example, retailers can pull back
some merchandise from their store shelves if they are deemed to be unsafe.
D.Incorrect. There is no bad intent with the rollback provision. For example, retailers can roll back
their merchandise provision or some laws can be rolled back if citizens protest them.

57.According to the U.S. Securities and Exchange Commission (SEC) and the U.S.
Sarbanes-Oxley Act (SOX), what is the term used when a company misrepresents the dates on
which stock options were granted to executives and employees?

A.End-of-year dating
B.Backdating
C.End-of-month dating
D.End-of-quarter dating

The Answer B is Correct


Backdating is a management fraud, resulting in an artificially low exercise price for stock options
granted to executives and employees that could lead to financial restatements. Backdating represents a
bad intent of unnecessarily favoring executives and employees in reducing their tax burden by
manipulating the stock options issue date. Both the SEC and SOX enforcers have ended the backdating
of stock options.

A.Incorrect. There is no bad intent with end-of-year dating.
C.Incorrect. There is no bad intent with end-of-month dating.
D.Incorrect. There is no bad intent with end-of-quarter dating.

58.Bitcoins deploy which of the following technologies?

I. Investment chain
II. Blockchain
III. Incident chain
IV. Hash chain

A.I and II
B.II only
C.II and IV
D.I and III

The Answer C is Correct


Both blockchain and hash chain technologies are supporting the bitcoin currency.

A.Incorrect. This is partially true about the blockchain technology supporting the bitcoin currency. The
investment chain is not relevant.
B.Incorrect. This is partially true about the blockchain technology supporting the bitcoin currency. The
investment chain is not relevant.
D.Incorrect. Both the investment chain and incident chain are unrelated to the blockchain technology
supporting the bitcoin currency.

59.Hackers accept which of the following payment methods from victims for their ransomware
attacks?
I. Bitcoins
II. Credit cards
III. Green dot cards
IV. Debit cards

A.I only
B.I or III
C.I, II, or IV
D.I, II, III, and IV

The Answer B is Correct


Hackers accept either bitcoins or green dot cards as a valid payment method for ransomware attacks to
avoid tracing. Green dot cards are prepaid cash cards.

A.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer. Both credit cards and debit cards show a clear trace of the payee,
payor, and bank involved in the payment, which is not good for hackers.
D.Incorrect. This is a partial answer. Both credit cards and debit cards show a clear trace of the payee,
the payor, and the bank involved in the payment, which is not good for hackers.

60.Some basic privacy rules require that web service providers and social media platform
providers give which of the following choices to users?

A.Sign-in and sign-out
B.Check-in and check-out
C.Opt-in and opt-out
D.Log-in and log-out

The Answer C is Correct


Opt-in and opt-out choices help protect users’ privacy rights.

A.Incorrect. Sign-in and sign-out choices are not relevant to privacy rules.
B.Incorrect. Check-in and check-out choices are not relevant to privacy rules.
D.Incorrect. Log-in and log-out choices are not relevant to privacy rules.

61.The cybersecurity framework should act as a:

A.First line of defense.
B.Second line of defense.
C.Third line of defense.
D.Last line of defense.

The Answer A is Correct


The cybersecurity framework should act as the first line of defense for all organizations, whether in the
public sector or the private sector, to protect against cyberthreats and cyberattacks.

B.Incorrect. Acting as the second line of defense is too late.


C.Incorrect. Acting as the third line of defense is too late.
D.Incorrect. Acting as the last line of defense is too late.

62.System resilience plans are developed and implemented in which of the following
cybersecurity framework functions?

A.Protect
B.Detect
C.Recover
D.Respond

The Answer C is Correct


During the recover function, system resilience plans are developed and implemented, and any
capabilities or services that were impaired due to a cybersecurity event are restored.

A.Incorrect. “Protect” means developing and implementing the appropriate safeguards (controls) to
ensure delivery of critical infrastructure services.
B.Incorrect. “Detect” means developing and implementing the appropriate activities to identify the
occurrence of a cybersecurity event.
D.Incorrect. “Respond” means developing and implementing the appropriate activities to take action
regarding a detected cybersecurity event.

63.During an audit, an internal auditor observed that an employee in the audit client department
is watching online sports on his desktop computer during working hours. Which of the following
policies should the auditor refer to determine whether the employee's actions are acceptable?

A.Acceptable use policies
B.Business-only internet use policies
C.Software restriction policies
D.Mobile device use policies

The Answer B is Correct


Business-only internet use policies deal with whether employees can access outside, nonbusiness
websites during their work hours. Examples of this type of access include: checking baseball scores at
lunchtime, accessing a dating website, making online gambling bets, playing online games, and
checking stock market prices. Here, the employee is accessing the internet to watch online sports using
his desktop computer.

A.Incorrect. Acceptable use policies require that a system user, an end user, or an administrator (e.g.,
system, security, and network administrator) agrees to comply with acceptable use policies prior to
accessing computer systems, internal networks, and external networks (the internet). These policies also
discuss how guest accounts, temporary accounts, terminated accounts, and privileged accounts are treated
and maintained. Acceptable use is based on authorized access.
C.Incorrect. Software restriction policies should state what types of employees are allowed to bring their
own software from home for use at work and under what circumstances. The types of restricted software
can include game, entertainment (movies), sports, investment, open-source, and other non-business-related
software. Software policies should also state whether the company's official computer programs can be
run from temporary folders supporting popular internet browsers, compression and decompression
programs, or app folders. It is very risky to run computer programs from temporary folders due to
poor code quality and the possibility of malware.
D.Incorrect. Mobile device use policies include turning off Bluetooth and Wi-Fi connections, reducing the
threat surface to which a mobile device is exposed. These policies should also state that important
functions are deactivated to reduce the security exposure until requested by users. Here, the employee
is using his desktop computer and no mobile device.

64.Which of the following is the key characteristic of bitcoins?

A.Data immutability
B.Data mining
C.Data wrangling
D.Data masking

The Answer A is Correct


Data immutability means data cannot be changed or modified. It also means data can be written only as
it applies to bitcoins and blockchain technology. It is the key characteristic of bitcoins.

B.Incorrect. Data mining is data analysis to bring out hidden data patterns and data relationships for
application to business functions. For example, data mining can be used to study what products and
services are sold to customers in what demographic areas, including customer buying habits and
preferences.
C.Incorrect. Data wrangling software is used to convert unstructured data (i.e., irregular or diverse data
with no apparent value) into structured data that has some real value.
D.Incorrect. Data masking is making sure that sensitive data is not available to unauthorized
individuals to read and use. Data could be encrypted first to make it unreadable for some and later
could be made decrypted for others to read.

65.When protecting customer information from identity theft, which of the following is highly
secure when customers are using their charge cards?

A.Card and signature
B.Card and PIN
C.Card with chip and PIN
D.Card with chip and no PIN

The Answer C is Correct


This is highly secure due to using the chip and PIN, representing a two-factor authentication process.
Here, the card with a chip is one factor and the PIN is the second factor.

A.Incorrect. This is least secure due to no chip and no PIN.
B.Incorrect. This is least secure due to no chip.
D.Incorrect. This is not highly secure because no PIN is used.

66.Which of the following can result from Bluetooth wireless technology?

A.Session hijack attack
B.Man-in-the-middle attack
C.Signal interception attack
D.Signal injection attack

The Answer A is Correct


A session hijack attack results from using Bluetooth wireless technology due to its vulnerability in
facilitating a key negotiation hijack attack during session initialization.

B.Incorrect. A man-in-the-middle attack results from using Wi-Fi wireless network communication
technology. This is an attack on the authentication protocol run in which the attacker positions him- or
herself between the claimant and verifier to intercept and alter data traveling between them.
C.Incorrect. A signal interception attack can result from using a credit card or debit card during the
card's transmission of signals using signal analyzers.
D.Incorrect. A signal injection attack can result from using a credit card or debit card during the card's
transmission of signals using signal analyzers.

67.Which of the following are the most popular methods of identity theft using charge cards?
I. Card skimming
II. Card tampering
III. Card jamming
IV. Card cloning

A.I and II
B.II and III
C.I and IV
D.II and IV

The Answer C is Correct


Card skimming and card cloning are the two most popular methods of identity theft. Card skimming
involves placing skimming devices to steal credit card numbers and personal identification information
(e.g., placing skimming devices on gas pumps at gas stations). Card cloning involves the purchase of
stolen credit card numbers belonging to victims, which are then used to fabricate cloned credit cards.

A.Incorrect. Card skimming is a popular method of identity theft, but card tampering is not.
B.Incorrect. Neither card tampering nor card jamming is a popular method of identity theft
because both are difficult to accomplish.
D.Incorrect. Card tampering is not a popular method of identity theft, but card cloning is a popular
method.

68.Which of the following are risky situations facing organizations?

I. False antispyware tools
II. Autonomous spyware
III. Advanced persistent threats
IV. Bots and botnets

A.I and II
B.III only
C.V only
D.I, II, III, and IV

The Answer D is Correct


All four items are risky situations for organizations. Some internet websites advertise themselves as
spyware detection or removal tools when in fact they themselves are spyware tools. These false tools
are deliberately sold as antispyware tools.
Autonomous spyware injects itself into other processes running on a computer system when a user logs
in. Examples of autonomous spyware include keyloggers, bots, email and web monitoring tools, and
packet sniffers.
In advanced persistent threats (APTs), a hacker employs stealth and multiple attack methods over an
extended period of time to conduct sabotage and/or espionage activities on a target computer system or
an organization (e.g., a government agency, military facility, high-tech manufacturing company, or
utility company). APTs last longer than other normal threats, with repeated and layered attempts, dig
deeper, and operate in aggressive and escalating modes, all resulting in bigger damages to victim
organizations.
Computers infected with bots (zombies) and botnets can be used to distribute spam (a type of malware)
to make it harder to track and prosecute spammers. Bots can also conduct distributed denial of service
(DDoS) attacks that can exhaust computing resources.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

69.Which of the following is used to identify healthcare providers who bill for more services in a
single day than the number of services that most similar providers bill in a single day?

A.Rules-based techniques
B.Anomaly-based techniques
C.Network-based techniques
D.Predictive-based techniques

The Answer B is Correct


Anomaly-based techniques are ways of comparing definitions of what activity is considered normal
against observed activity to identify significant deviations. Simply stated, anomaly-based techniques
compare normal activity against abnormal activity and against peers.

A.Incorrect. Rules-based techniques filter claims data that an individual submitted for an unreasonable
number of services.
C.Incorrect. Network-based techniques discover knowledge with associated link analysis. For example,
these techniques can link bad actors involved in fraud to their addresses and phone numbers.
D.Incorrect. Predictive-based techniques use historical data to identify patterns associated with fraud.

70.Which of the following shows future events and outcomes?

A.Traditional data analytics
B.Streaming data analytics
C.Embedded data analytics
D.Social media data analytics

The Answer C is Correct


Embedded data analytics show future events and outcomes.

A.Incorrect. Traditional data analytics show past events and outcomes.
B.Incorrect. Streaming data analytics show current events and outcomes.
D.Incorrect. Social media data analytics show past events and outcomes.

71.Which of the following uses web-call-center notes and web-chat notes to detect fraud?

A.Text-based data analytics
B.Open source data analytics
C.Visual data analytics
D.Streaming data analytics

The Answer A is Correct


Since web-call-center notes and web-chat notes are written in words, text-based data analytics are
useful to identify fraud. These analytics are based on matching keywords.

B.Incorrect. Open source data analytics could use a combination of graphs, tables, figures, and words.
C.Incorrect. Visual data analytics mainly uses graphs, tables, and figures, not so much words.
D.Incorrect. Streaming data analytics are performed in real time and in memory where they collect data
from electronic sensors to produce time-series data.

72.When data dashboards are built into business-oriented application systems, this situation is
called:

A.Fraud data analytics.
B.Streaming data analytics.
C.Web-based data analytics.
D.Embedded data analytics.

The Answer D is Correct


This is the definition of embedded data analytics.

A.Incorrect. This is not the definition of fraud data analytics.
B.Incorrect. This is not the definition of streaming data analytics.
C.Incorrect. This is not the definition of web-based data analytics.

73.The metric click-to-conversion time can be measured with which of the following?

A.Behavioral analytics
B.Location analytics
C.Advanced analytics
D.Content analytics

The Answer A is Correct


Behavioral analytics show how people behave in doing certain things. For example, these analytics can
show how many different clicks and navigation paths have taken place before a customer purchases a
product or service from a retailer's website. This can be measured as click-to-conversion time.

B.Incorrect. Location analytics show tracking of people, machines, places, and inventory.
C.Incorrect. Advanced analytics cannot measure click-to-conversion time because they indicate what
could happen as in statistical modeling or data mining.
D.Incorrect. Content analytics are used in content analysis of text in words. Content analysis is a set of
procedures for transforming unstructured written material into a format for analysis and is also used for
making numerical comparisons among and within documents. It is a means of extracting insights from
already existing data sources. Its potential applications include identifying goals, describing activities,
and determining results.

74.Regarding big data, data ownership and data usage policies are addressed in which of the
following?

A.Data reliability standards
B.Data governance standards
C.Data quality standards
D.Information quality standards

The Answer B is Correct


Data governance standards deal with oversight-related data issues, such as data ownership, data
stewardship, data custodian, data usage policies, and data access rules.

A.Incorrect. Data reliability standards ensure that data is reasonably complete, accurate, consistent, and
valid.
C.Incorrect. Data quality standards ensure that data is relevant, accurate, credible, and timely.
D.Incorrect. Information quality standards ensure that data is objective and has utility and integrity
attributes.

75.Airline companies use which of the following most to determine airline ticket prices for
passengers?

A.Customer analytics
B.Prescriptive analytics
C.Behavioral analytics
D.Statistical analytics

The Answer B is Correct

Airline companies use prescriptive analytics most to determine airline ticket prices because these
analytics indicate or help decide what should happen in the future. Airline companies may use a
combination of prescriptive analytics, customer analytics, behavioral analytics, statistical analytics, and
other analytics.

A.Incorrect. Customer analytics show customer online shopping behavior.
C.Incorrect. Behavioral analytics show the behavior of people when they use electronic commerce sites,
social media platforms, and online games.
D.Incorrect. Statistical analytics is used in time-series and regression models to forecast sales and
inventory.

76.When big data is turned into new insights, it refers to which of the following characteristics of
big data?

A.Volume
B.Variety
C.Value
D.Velocity

The Answer C is Correct


Value means organizations can benefit from the use of big data where the benefits are derived from the
insights provided by that data.

A.Incorrect. Volume is the amount of data being created that is big compared to traditional data sources.
Volume has nothing to do with value.
B.Incorrect. Variety of data comes from all types of data formats, both internally and externally.
Variety has nothing to do with value.
D.Incorrect. Velocity means data is being generated extremely quickly and continuously with greater
speed. Velocity has nothing to do with value.

77.Which of the following characteristics of big data is the main technical driver of investment in
big data?

A.Volume
B.Velocity
C.Veracity
D.Variety

The Answer D is Correct


Variety is the main technical driver of investment in big data because more variety means more
insights, more decisions, and more opportunities. Variety of data comes from all types of data formats,
both internally and externally.

A.Incorrect. Volume is the amount of data being created that is big compared to traditional data sources.
Volume has nothing to do with the investment.
B.Incorrect. Velocity means data is being generated extremely quickly and continuously with greater
speed. Velocity has nothing to do with the investment.
C.Incorrect. Veracity means data must be able to be verified based on both accuracy and context.
Veracity has nothing to do with the investment.

78.Which of the following characteristics of big data are the main business drivers of investment
in big data?

A.Volume and variety
B.Value and velocity
C.Velocity and veracity
D.Variety and variability

The Answer B is Correct


Value and velocity are the main business drivers of investment in big data because they provide better
insights at greater speeds.

A.Incorrect. Volume and variety are not the main business drivers of investment in big data because
they do not provide insights and speed.
C.Incorrect. Velocity and veracity are not the main business drivers of investment in big data because
they do not provide insights and speed.
D.Incorrect. Variety and variability are not the main business drivers of investment in big data because
they do not provide insights and speed.

79.Which of the following is an example of unstructured data?

A.Data in disconnected computer systems
B.Data in data warehouses
C.Data in databases
D.Web pages on the internet

The Answer A is Correct


Data in disconnected computer systems is unstructured due to multiple and dissimilar systems
collecting data with different formats and with different structures.

B.Incorrect. Data in data warehouses is structured.
C.Incorrect. Data in databases is structured.
D.Incorrect. Web pages on the internet are semistructured.

80.Which of the following thrives on big data?

A.Prescriptive analytics
B.Descriptive analytics
C.Predictive analytics
D.Advanced predictive analytics

The Answer A is Correct


Prescriptive analytics thrive on big data because they indicate or help decide what should happen in the
future.

B.Incorrect. Descriptive analytics do not thrive on big data because they indicate what happened in the
past.
C.Incorrect. Predictive analytics do not thrive on big data because they indicate what could happen in
the future.
D.Incorrect. Advanced predictive analytics do not thrive on big data because they indicate what could
happen, as in statistical modeling or data mining.

81.Credit bureaus use which of the following to develop credit scores for individuals?

A.Behavioral analytics
B.Customer analytics
C.Big data analytics
D.Predictive analytics

The Answer D is Correct


Credit bureaus use predictive analytics to develop credit scores for individuals. Predictive analytics
collect several data items, such as income, credit history, outstanding loan balances, payment history,
and account activity, to predict whether someone has the financial ability to pay current and future
debts.

A.Incorrect. Behavioral analytics focus on customers’ online purchase behavior. They are not relevant
in developing credit scores.
B.Incorrect. Customer analytics focus on online shopping and online search behavior. They are not
relevant in developing credit scores.
C.Incorrect. Big data analytics is too general and of no value in developing credit scores.

82.The ultimate goal of big data is which of the following?

A.Data collection and validation
B.Data insights
C.Data-driven decision making
D.Data-driven models

The Answer C is Correct


Data-driven decision making is the ultimate goal of big data. The aim of all efforts put into developing
data models and collecting and validating data is to obtain new insights, which, in turn, are turned into
decisions and actions.

A.Incorrect. Data collection and validation is not the ultimate goal; it is an intermediary goal of big
data.
B.Incorrect. Data insights are not the ultimate goal; they are an intermediary goal of big data.
D.Incorrect. Data-driven models are not the ultimate goal; they are an intermediary goal of big data.

83.Which of the following would not establish acceptable data use policies and access rules?

A.Data owners
B.Data users
C.Data stewards
D.Data custodians

The Answer B is Correct


Data users would not and should not establish acceptable data use policies and access rules because
those policies and rules are written to control users’ work behavior.

A.Incorrect. Data owners are responsible for safeguarding or securing data with security controls,
classifying data (i.e., sensitive or not sensitive), and defining and establishing data usage and access
rules (i.e., grant or deny).
C.Incorrect. Data stewards are responsible for managing a specific set of data resources. They define,
specify, establish, and standardize data assets of an organization within and across all functional areas
of business.
D.Incorrect. Data custodians are responsible for managing a specific set of data resources. They define,
specify, establish, and standardize data assets of an organization within and across all functional areas
of a business.

84.Which of the following poses a major risk to organizations?

A.Challenge-response passwords
B.One-time passwords
C.Hard-coded passwords
D.Long and complex passwords

The Answer C is Correct


Hard-coded passwords are a major risk because they are embedded in program code in plaintext,
where hackers can read them very easily.

A.Incorrect. Challenge-response is an authentication procedure that requires calculating a correct
response to an unpredictable challenge between verifier (administrator) and claimant (user) with a
shared secret. When the shared secret is a password, an eavesdropper does not directly intercept the
password itself but may be able to find the password with an offline password guessing attack.
Challenge-response passwords pose a minor risk.
B.Incorrect. In one-time passwords, a password is changed after each use. This method is useful when
the password is not adequately protected from compromise during login (e.g., the communication line
is suspected of being tapped). This poses a minor risk.
D.Incorrect. Long and complex passwords are usually, by definition, stronger and more secure than
short and simple passwords. Here “long” means lengthy in size, and “complex” means a combination
of letters with upper and lower cases, numbers, and special characters. This poses a minor risk.

85.Use of cookies on websites raises which of the following issues?

A.Integrity issue
B.Privacy issue
C.Connectivity issue
D.Accountability issue

The Answer B is Correct


Cookies were invented to allow websites to remember their users from visit to visit. Since cookies collect
personal information about web users, they raise privacy issues, such as what information is collected
and how it is used.

A.Incorrect. Cookies do not raise integrity issues. Here, “integrity” means that websites are carefully
and properly designed, tested, and implemented.
C.Incorrect. Cookies do not raise connectivity issues. Here, “connectivity” means websites connecting
to other websites through networks and devices.
D.Incorrect. Cookies do not raise accountability issues. Here, “accountability” means website owners
are responsible for posting their own content.

86.Most spyware detection and removal utility software specifically look for which of the
following?

A.Encrypted cookies
B.Session cookies
C.Persistent cookies
D.Tracking cookies

The Answer D is Correct


Information collected by tracking cookies is often sold to other parties and used to target
advertisements and other content at the user. Most spyware detection and removal utility software
specifically looks for tracking cookies on systems. A tracking cookie is placed on a user's computer by
a hacker or others to track the user's activity on different websites, creating a detailed profile of the
user's behavior.

A.Incorrect. Encrypted cookies protect the data from unauthorized access. Some websites create
encrypted cookies to protect data from unauthorized access.
B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session. A
session cookie is erased when the user closes the web browser and is stored in temporary memory.
C.Incorrect. Persistent cookies are stored on a computer's hard drive indefinitely so that a website can
identify the user during subsequent visits. These cookies are set with expiration dates and are valid
until the user deletes them.

87.If website owners want to protect data from unauthorized access, what should they do?

A.Create encrypted cookies.
B.Create session cookies.
C.Create persistent cookies.
D.Create tracking cookies.

The Answer A is Correct


A cookie is a small data file that holds information regarding the use of a particular website. Cookies
often store data in plaintext, which could allow an unauthorized party that accesses a cookie to use or
alter the data stored in it. Some websites create encrypted cookies, which protect the data from
unauthorized access during a user's web browsing session.

B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session.
They are stored in temporary memory and are erased when the user closes the web browser.
C.Incorrect. Persistent cookies are stored on a computer's hard drive indefinitely so that a website can
identify the user during subsequent visits. These cookies can help websites serve their users more
effectively. These cookies are set with expiration dates and are valid until the user deletes them.
Unfortunately, persistent cookies also can be misused as spyware to track a user's web browsing
activities without the user's knowledge or consent.
D.Incorrect. Tracking cookies are placed on a user's computer by a hacker or others to track the user's
activity on different websites, creating a detailed profile of the user's behavior.

88.Which of the following can pose a high risk?

A.Encrypted cookies
B.Session cookies
C.Persistent cookies
D.Tracking cookies

The Answer C is Correct


Persistent cookies are cookies stored on a computer's hard drive indefinitely so that a website can
identify the user during subsequent visits. These cookies are set with expiration dates and are valid
until the user deletes them. Hence, persistent cookies pose a higher risk than session cookies because
they remain on the computer longer. They pose a high risk.

A.Incorrect. Encrypted cookies are created by some websites to protect data from unauthorized access.
They pose little or no risk.
B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session.
They are stored in temporary memory and are cleared or erased when the browser is closed. They pose
little or no risk.
D.Incorrect. Tracking cookies are cookies placed on a user's computer to track the user's activity on
different websites, creating a detailed profile of the user's behavior. They pose little or no risk.

89.Which of the following types of cookies have similar functionality?

I. Session cookies
II. Persistent cookies
III. Tracking cookies
IV. Encrypted cookies

A.I and II
B.I and III
C.II and III
D.II and IV

The Answer C is Correct


Persistent cookies and tracking cookies have similar functionality in terms of misuse of a user's
information at a website. Persistent cookies can be misused as spyware to track a user's web browsing
activities for questionable reasons (i.e., for use in advertisements) without the user's knowledge or
consent. For example, a marketing firm could place ads on many websites and use a single cookie on a
user's computer to track the user's activity on all of those websites, creating a detailed profile of the
user's behavior. Cookies used in this way are known as tracking cookies. Most spyware detection and
removal utility programs specifically look for tracking cookies on computer systems.

A.Incorrect. Session cookies and persistent cookies do not have similar functionality. Session cookies
are temporary cookies that are valid only for a single website session. Persistent cookies are cookies
stored on a computer's hard drive indefinitely so that a website can identify the user during subsequent
visits.
B.Incorrect. Session cookies and tracking cookies do not have similar functionality. Session cookies
are temporary cookies that are valid only for a single website session. Tracking cookies are cookies
placed on a user's computer to track the user's activity on different websites, creating a detailed profile
of the user's behavior.
D.Incorrect. Persistent cookies and encrypted cookies do not have similar functionality. Persistent
cookies are cookies stored on a computer's hard drive indefinitely so that a website can identify the user
during subsequent visits. Some websites create encrypted cookies to protect the data from unauthorized
access.

90.Mobile devices are subjected to which of the following threats?

I. Jamming
II. Flooding
III. Geotracking
IV. Geotagging

A.I and III
B.I and IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Jamming is a threat that interferes with the reception or transmission of wireless communications. Any
wireless protocol that is used on a mobile device is vulnerable to jamming, including global positioning
system (GPS), cellular, Wi-Fi, and Bluetooth. A flooding attack inundates a computer system with
more information than it can process; the vulnerabilities it exploits are the same as those of jamming.
Geotracking can be performed via a mobile device's geolocation services, which is useful for both
legitimate purposes (e.g., locating a lost device) and illegitimate ones (e.g., gathering intelligence). For
example, data mining can be performed by looking for geotagged records, data, and pictures to identify
use patterns for intelligence gathering purposes.
Geotagging is the process of adding geographical identification-related information to various media,
such as photographs or videos. Data mining of geotagged data by a mobile device is a method that
allows tracking for legitimate and illegitimate reasons.

A.Incorrect. This is a partial answer as all four items are threats.
B.Incorrect. This is a partial answer as all four items are threats.
C.Incorrect. This is a partial answer as all four items are threats.

91.Which of the following potentially risky activities are actively taking place when cloud services
and mobile devices directly interact?

I. Data in exchange
II. Data in transit
III. Data in hiding
IV. Data in dispute

A.I and II
B.I and III
C.III and IV
D.I, II, III, and IV

The Answer A is Correct


Hackers can target data in exchange (i.e., data in transfer) and data in transit (i.e., data in motion)
during interactions between cloud services and mobile devices. A man-in-the-middle attack is possible
here, which results from using the Wi-Fi wireless network communication technology.

B.Incorrect. This is a partial answer.
C.Incorrect. This choice is not applicable because data in hiding and data in dispute are not risky and
do not need protection.
D.Incorrect. This choice is a mix of correct and incorrect answers.

92.An essential security control requirement to protect data in transit against attacks is a:

A.Virtual local area network.
B.Virtual private dial network.
C.Virtual private network.
D.Virtual password.

The Answer C is Correct


Data in transit (i.e., data on the wire) deals with protecting the integrity and confidentiality of
transmitted information across internal and external networks. A virtual private network (VPN) is used
to protect highly confidential information during data transmission. VPNs provide an end-to-end secure
communication channel by enforcing strong authentication and encryption requirements and providing
confidentiality and integrity protection for data in transit. Specifically, line encryption protects the data
in transit and data in transfer.

A.Incorrect. A virtual local area network (VLAN) is a network configuration in which network frames
are broadcast within the VLAN and routed between VLANs. VLANs separate the logical topology of
LANs from their physical topology.
B.Incorrect. A virtual private dial network (VPDN) is a virtual private network (VPN) tailored
specifically for dial-up access.
D.Incorrect. A virtual password is a password computed from a passphrase that meets the requirements
of password storage.

93.John (the seller) and Tom (the buyer) entered into a contract for the sale and purchase of item
K for $15,000 (contract price). Later, John finds out that Tom wants to resell the item to Gary, a
reseller, for a 10% profit after the purchase. John breaches the contract and sells the item
directly to Gary instead of to Tom. The market price of item K at the time of breach is $20,000.
Tom sues John for breach of contract. How much can Tom expect in compensatory damages and
consequential damages, respectively?

A.$5,000, $0
B.$0, $1,500
C.$5,000, $1,500
D.$1,500, $0

The Answer C is Correct


Compensatory damage = Market price – contract price = $20,000 – $15,000 = $5,000
Consequential damage = Profit percentage of contract price = 10% of $15,000 = $1,500

A.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.
B.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.
D.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.

94.Which one of the following items leads to the other three items?

A.Best practices
B.Leading practices
C.Legacy practices
D.Promising practices

The Answer C is Correct


Legacy practices are the old, inefficient, and ineffective procedures and processes found across most or
all departments or functions of an organization. A report should be developed to capture legacy
practices in order to communicate and share their unsuccessful stories (mission failures) and unpleasant
experiences (lessons learned) with other departments and functions, so that the same problems can be
avoided and the organization can move to promising practices, leading practices, or even best practices.
Legacy Practices → Promising Practices → Leading Practices → Best Practices

A.Incorrect. Best practices are the processes, procedures, and systems identified in public and private
organizations that are performed exceptionally well and are widely recognized as improving an
organization's performance and efficiency in specific areas. Successfully identifying and applying best
practices can reduce business expenses and improve organizational efficiency.
B.Incorrect. Leading practices are successful strategies, actions, and policies that are tried, tested, and
proven over a period of time and that result in increased revenues and profits, reduced costs, and a
competitive advantage in the marketplace. Leading practices can become best practices when more and
more organizations implement leading practices and benefit from them.
D.Incorrect. When properly managed, promising practices can turn into either best practices or leading
practices because they have been proven to be successful and effective. In order to achieve that goal, the
promising practices must be defined in terms of the context that led to their success, the challenges faced
must be described, the problems and solutions applied must be indicated, and the results obtained must be
documented.

95.Which of the following items should be eliminated first?

A.Vulnerabilities
B.Threats
C.Risks
D.Controls

The Answer A is Correct


Vulnerabilities → Threats → Risks → Controls

B.Incorrect. Vulnerabilities → Threats → Risks → Controls
C.Incorrect. Vulnerabilities → Threats → Risks → Controls
D.Incorrect. Vulnerabilities → Threats → Risks → Controls

96.An organization was severely hit with a ransomware attack. Which of the following is critical
to manage?

A.Time to prevent
B.Time to recover
C.Time to detect
D.Time to pay

The Answer B is Correct


Ransomware is malicious software (malware) that denies access to computer files until the victim pays
a ransom amount. Ransomware is a type of cyberattack that prevents users from using their computer
until they pay a certain amount of money. It is essentially extortion with all the data on users’
computers at risk unless users pay.
All organizations and all individuals using computer systems and networks should develop a recovery
plan with details about backup methods, storage policy, schedules, and the duration, rotation, and
retention of backup files. The integrity of the backup files and programs should be verified by testing
the restoration process to ensure it is working. Because of these extensive and time-consuming
recovery activities, the time to recover is more important to manage than the time-to-prevent,
time-to-detect, and time-to-pay activities.

A.Incorrect. It is difficult to prevent ransomware attacks because hackers can conceal their acts.
C.Incorrect. It is difficult to detect ransomware attacks because hackers can conceal their acts.
D.Incorrect. Organizations have no choice but to pay the ransom amount because they need the data
to work. However, hackers can take the money and ask for more money before releasing the data. This
is a risky and dirty game played by some hackers. Here, organizations are at the mercy of hackers.

97.Which of the following uses a distributed ledger system to raise new capital in the securities
marketplace?

A.Initial public offering
B.Initial coin offering
C.Initial private offering
D.Initial equity offering

The Answer B is Correct


Businesses and individuals are promoting initial coin offerings or token sales to raise new capital
in the form of bitcoin digital currency. A blockchain, which is the technology behind bitcoin, is an
electronic distributed ledger system or list of entries. The distributed ledger is like a stock
ledger that is maintained by various participants in a network of blockchain computers. Blockchains
use cryptographic techniques to process and verify transactions in the ledger, providing assurance to
bitcoin users that the ledger entries are secure. Distributed ledgers are riskier than centralized ledgers
because distributed ledgers are uncontrolled due to lack of centralization.

A.Incorrect. This does not use a distributed ledger system.
C.Incorrect. This does not use a distributed ledger system.
D.Incorrect. This does not use a distributed ledger system.

98.From an access control security viewpoint, which one of the following parties is different from
the other three parties?

A.Ordinary user
B.Privileged user
C.Trusted user
D.Authorized user

The Answer A is Correct


An ordinary user is different from the privileged user, trusted user, and authorized user in terms of what
the ordinary user can perform. The ordinary user is restricted in performing some security functions.

B.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. A privileged user is both a trusted user and an authorized
user.
C.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. A trusted user is both a privileged user and an authorized
user.
D.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. An authorized user is both a privileged user and a trusted
user.

99.When conducting information systems security audits, internal auditors must be most
concerned with which of the following?
A.Blacklist
B.Whitelist
C.Blacklisting
D.Blocked listing

The Answer A is Correct


Internal auditors must be most concerned with the blacklist because it is a list of email senders who
have previously sent spam to a user. It is also a list of host networks or application systems that have
been previously determined to be associated with malicious activity using malware and other
dangerous programs. A blacklist indicates unsafe and unsecure entities.

B.Incorrect. This choice is a partial answer. A whitelist is a list of host networks or application systems
that are known to be benign or mild and are approved for use within an organization and/or information
system. A whitelist indicates safe and secure entities.
C.Incorrect. This choice is a partial answer. Blacklisting is the process of a system invalidating a user
ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the
system even with the correct authenticator. A blacklisting indicates safe and secure actions.
D.Incorrect. A blocked listing is a part of blacklisting. The term “blocked listing” applies to blocks
placed against Internet Protocol addresses to prevent inappropriate or unauthorized use of the Internet
resources. A blocked listing indicates safe and secure actions.

100.Which of the following cannot reduce the total costs of data breaches?

A.Security metrics
B.Incident response team
C.Encryption
D.Mobile platforms

The Answer D is Correct


Extensive and uncontrolled use of mobile platforms (e.g., operating systems and devices) can increase
risks and costs due to their unchecked usage and growth, resulting in increased data breaches.

A.Incorrect. Security metrics can reduce the total costs of data breaches due to the insights they provide
regarding threats, attacks, and hackers. Use of metrics is proactive thinking.
B.Incorrect. The existence of an incident response team can reduce the total costs of data breaches due
to the team's expertise and readiness to prevent, detect, and recover from threats and attacks. Use of an
incident response team is proactive thinking.
C.Incorrect. Use of encryption in computer programs and data files can reduce the total costs of data
breaches because encryption protects against hacker attacks. Use of encryption is proactive thinking.

101.Which of the following are the opportunity costs resulting from a data breach?
I. Lost sales
II. Lost profits
III. Customer defection costs
IV. Customer acquisition costs

A.I
B.I and II
C.III
D.III and IV

The Answer D is Correct


Customer defection costs and customer acquisition costs are examples of opportunity costs that would
not have been incurred in the absence of a data breach.

A.Incorrect. Lost sales are an indirect cost.
B.Incorrect. Lost sales and lost profits are indirect costs.
C.Incorrect. This is a partial answer. Customer defection costs are opportunity costs.

102.Total costs of data breaches are directly related to which of the following?

A.Time to identify a data breach
B.Time to plan a remedy to handle a data breach
C.Time to implement a remedy to handle a data breach
D.Time to contain a data breach

The Answer D is Correct


Failure to quickly contain a data breach will lead to higher costs. Hence, there is a direct relationship
between time and cost.

A.Incorrect. This choice is a part of time to contain.
B.Incorrect. This choice is a part of time to contain.
C.Incorrect. This choice is a part of time to contain.

103.Which of the following is not a direct cost resulting from a data breach?

A.Digital forensic cost
B.Technical consulting cost
C.Internal investigative cost
D.Legal consulting cost

The Answer C is Correct


Internal investigative cost is an indirect cost.

A.Incorrect. Digital forensic cost is a direct cost.
B.Incorrect. Technical consulting cost is a direct cost.
D.Incorrect. Legal consulting cost is a direct cost.

104.An internal audit function is effective when:

A.An audit plan is prepared.
B.An audit budget is approved.
C.The audit's mission is accomplished.
D.All auditors are trained.

The Answer C is Correct


This is the major goal.

A.Incorrect. This is one of the minor goals.
B.Incorrect. This is one of the minor goals.
D.Incorrect. This is one of the minor goals.

105.Which of the following can aid in measuring the effectiveness of an internal audit function?

A.Pareto principle
B.Stevens’ power law
C.Gresham's law
D.Kano principle

The Answer D is Correct


The Kano principle can be applied to a feedback process from audit clients using three rating scales,
such as satisfied, neutral, and dissatisfied, for measuring the effectiveness of the internal audit function.

A.Incorrect. The Pareto principle states that there are a vital few (20%) and a trivial many (80%) things
in the world.
B.Incorrect. Stevens’ power law states that there are four types of scales that can be used to define
how things or data can be measured, arranged, or counted. These scales are nominal, ordinal, interval,
and ratio scales, and they are used as data counting methods in big-data analytics.
C.Incorrect. Gresham's law of planning states that managers pay more attention and put more time and
effort into planning programmed activities (i.e., routine and simple tasks) than nonprogrammed
activities (i.e., rare and complex tasks).

106.An internal audit function is effective when:

A.The audit function provides value.
B.An audit manual is developed.
C.All auditors are efficient.
D.All auditors are certified.

The Answer A is Correct


This is the major goal.

B.Incorrect. This is one of the minor goals.
C.Incorrect. This is one of the minor goals.
D.Incorrect. This is one of the minor goals.

107.Agile audits are best described as:

A.Historical audits.
B.Scheduled audits.
C.Anticipatory audits.
D.Cycle audits.

The Answer C is Correct


Anticipatory audits are sudden and unexpected audits based on current events that just happened or are
about to happen in the immediate future.

A.Incorrect. Agile audits are not historical audits because they bear no resemblance to past events.
B.Incorrect. Scheduled audits are cycle audits with a known frequency.
D.Incorrect. Cycle audits are repeatable audits with a known frequency.

108.An internal audit function is effective in the minds of the board and senior management
when it is performing:

A.Error-seeking audits.
B.Value-adding audits.
C.Nitpicking audits.
D.Fault-blaming audits.

The Answer B is Correct


The term “value-adding audits” means something good is added to a function or operation that was not
there before. Consulting auditors can provide this value.

A.Incorrect. Error-seeking audits are low-level audits that the board and senior management may not
prefer because errors are possible events with human beings, meaning errors are normal and common.
No value is provided to audit clients.
C.Incorrect. Nitpicking audits are surface audits based on using a superficial audit scope and objectives.
No value is provided to audit clients.
D.Incorrect. Fault-blaming audits are finger-pointing audits blaming policies, procedures, and practices
based on past events and data. No value is provided to audit clients.

109.Which of the following provides a logical barrier that constrains the operation of program
code, data, and/or users within a defined area of a mobile device?

A.Inbox
B.Substitution box
C.Sandbox
D.Permutation box

The Answer C is Correct


A sandbox is a system that allows an untrusted application program to run in a highly controlled
environment (e.g., Java applet). Anything assigned to a sandbox has access to resources within the
sandbox but has controlled or no access to resources outside the sandbox.

A.Incorrect. An inbox is used for storing and displaying email messages. It has nothing to do with
mobile device security.
B.Incorrect. A substitution box consists of electrical circuits deployed in cryptographic algorithms for
signal propagation. It has nothing to do with the mobile device security.
D.Incorrect. A permutation box consists of electrical circuits deployed in cryptographic algorithms for
signal propagation. It has nothing to do with the mobile device security.

110.Regarding mobile security, which of the following uses attack signatures?
I. Firewalls
II. Access control lists
III. Anti-malware systems
IV. Intrusion detection and prevention systems (IDS/IPS)

A.I and II
B.II and IV
C.III and IV
D.I, II, III, and IV

The Answer C is Correct


Both anti-malware systems and IDS/IPS inspect data for malicious activity based on attack signatures.
These signatures may look for malicious code in a data stream (anti-malware) or may look for
malicious traffic patterns (IDS/IPS). New signatures are constantly being added to detect new attack
vectors.

A.Incorrect. Both firewalls and access control lists (ACLs) use rule-based criteria to permit or deny
communication based on rulesets defined by protocol standards and/or by information technology staff.
Firewalls and ACLs do not use attack signatures, and anti-malware systems and IDS/IPS systems do
not use rulesets.
B.Incorrect. This is a partial answer.
D.Incorrect. This choice contains both correct and incorrect answers.

111.Which of the following provides encryption as a basic service and becomes a form of double
encryption when it is sent through an encrypted tunnel?

A.Value-added network
B.Virtual private network
C.Body area network
D.Personal area network

The Answer B is Correct


A virtual private network (VPN) is the application of encryption, data integrity, and authentication
protocols to provide a secure connection between a user organization and a remote device or user.
When the data stream itself is also encrypted, the use of VPN to send already-encrypted
communication through an encrypted tunnel is a type of double encryption.

A.Incorrect. A value-added network is used in electronic data interchange transactions in procurement
or purchasing to place purchase orders.
C.Incorrect. A body area network is used in the medical field when performing an operation on a human
body.
D.Incorrect. A personal area network is used by an individual using personal computers at home, in a
home office, or in a small business.

112.Which of the following are examples of major uses of system-based audit trails?
I. Acts as an insurance policy
II. Provides support for operations
III. Identifies performance problems
IV. Detects security violations

A.II only
B.III only
C.IV only
D.I, II, III, and IV

The Answer D is Correct


System-based audit trails have multiple uses, such as acting as an insurance policy, providing
support for operations, identifying performance problems, detecting security violations, and detecting
flaws in application systems.
As an insurance policy, audit trails are passive electronic records but are not used unless needed, such
as after a system outage or other abnormality (e.g., data breach). As a support for operations, audit
trails are used to help system administrators ensure that systems or resources have not been harmed by
hackers, contractors, or insiders (employees) or due to technical problems (e.g., program glitches).

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

113.Mobile devices operating in a high-risk computing environment should not be configured
with which of the following?

A.Login attempts
B.Application accesses
C.Remote logging
D.Login data

The Answer C is Correct


Remote logging over unsecured networks (i.e., high-risk computing environments) should not be
configured due to potential security issues it can bring to a company.

A.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.
B.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.
D.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.

114.What is it called when a cloud service provider of a mobile device makes a dual connection to
multiple networks?

A.Split tunneling
B.Split controls
C.Split knowledge
D.Split domains

The Answer A is Correct


When a cloud service provider of a mobile device makes a connection to multiple networks, it is called
split tunneling, and it should be prohibited. Cloud connections should be restricted to a mutually
authenticated and approved cloud service provider, and the security policy for the mobile device should
also prohibit split tunneling, which is risky. Here, “split tunneling” means some traffic is secured while
other traffic is unsecured.

B.Incorrect. With split controls, safeguards are divided into two or more parts, thus reducing the
strength of the controls.
C.Incorrect. Split knowledge represents a condition under which two or more parties separately have
part of the data, but no party has all the data.
D.Incorrect. Split domains represent split domain name systems (split DNS), where one physical file is
required for external clients and one physical file is required for internal clients.

115.Controls over a mobile device upon employee termination or reassignment include which of
the following?
I. Sanitize the stored information.
II. Keep the user's personal information.
III. Clear the device's memory contents.
IV. Dispose of the device.

A.I and III
B.I and IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Controls over a mobile device upon employee termination or reassignment include repossessing the
device, fully sanitizing the stored information prior to disposal, clearing the device's memory contents
in case of classified or sensitive information spillage, and keeping the user's personal information on
the device for tracing purposes.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

116.Best practices in the use of mobile devices include which of the following?
I. Install application filters.
II. Enable firewalls.
III. Disable all unnecessary features.
IV. Update virus signatures.

A.II and III
B.II, III, and IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Best practices in the use of mobile devices include allowing mobile communications through authorized
methods only, installing filters to limit which applications have access to a specific device, enabling
firewalls, disabling all unnecessary features, and updating virus signatures on antivirus software
frequently.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

117.Regarding mobile device configuration, organizations should exercise controls over which of
the following procurement considerations?
I. Selection of service provider
II. Selection of hardware
III. Selection of operating system
IV. Selection of application systems

A.I and II
B.I and III
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Mobile device procurement considerations include the selection of mobile device's service provider,
hardware, operating system, and application systems, including version control.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

118.Regarding mobile device configuration, organizations should exercise controls over which of
the following provisioning considerations?
I. Enabling necessary features
II. Planning for storage controls
III. Preparing for device disposal
IV. Implementing authentication techniques

A.I only
B.II only
C.III only
D.I, II, III, and IV

The Answer D is Correct


Organizations should carefully plan what features will be provisioned and deprovisioned according to
risk levels. Management should decide what features will be enabled (e.g., GPS, Bluetooth, and
camera), what storage controls are needed (cloud or traditional), what methods to use in disposing of a
device, and what authentication techniques are to be used (single factor or multiple factors).

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

119.Regarding mobile devices operating in a high-risk environment, which of the following
mobile-infrastructure diagnostic audit records must be securely stored in a central location?
I. Configuration files
II. Security files
III. Application system files
IV. Operating system files

A.I only
B.II only
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Mobile-infrastructure diagnostic audit records, such as configuration files, security files, application
files, operating system files, and system call log files, must be transferred from the mobile device to a
centralized storage location for later retrieval and analysis.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

120.Which of the following is at the core of the definition of total quality management (TQM)?

A.Customer surveys
B.Continuous improvement
C.Employee satisfaction
D.Supplier inspections

The Answer B is Correct


Continuous improvement is at the core of the definition of TQM and its principles.

A.Incorrect. Customer surveys are not at the core of TQM.
C.Incorrect. Employee satisfaction is not at the core of TQM.
D.Incorrect. Supplier inspections are not at the core of TQM.

121.The total quality management (TQM) program needs to be anchored to an organization's:

A.Policy.
B.Procedure.
C.Culture.
D.Standards.

The Answer C is Correct


TQM involves creating an organizational culture committed to continuous improvement of products or
services. Culture is the major anchor point.

A.Incorrect. Policy is a minor anchor point.
B.Incorrect. Procedure is a minor anchor point.
D.Incorrect. Standards are a minor anchor point.

122.Which of the following is not one of the principles of total quality management (TQM)?

A.Do it right the first time.
B.Strive for zero defects.
C.Be customer-centered.
D.Build teamwork and empowerment.

The Answer B is Correct


“Strive for zero defects” is the goal of manufacturing management achieved through statistical
process control and Six Sigma methodologies, which are subsets of TQM. Striving for zero defects is
not one of the principles of TQM.

A.Incorrect. “Do it right the first time” is one of the principles of TQM.
C.Incorrect. “Be customer-centered” is one of the principles of TQM.
D.Incorrect. “Build teamwork and empowerment” is one of the principles of TQM.

123.In the context of total quality management (TQM), a cause-and-effect analysis can be carried
out with:

A.Kaizen.
B.A scatter diagram.
C.A fishbone diagram.
D.A Pareto diagram.

The Answer C is Correct


Fishbone diagrams help TQM teams visualize important cause-and-effect relationships.

A.Incorrect. Kaizen practitioners view quality as an endless journey, not a final destination and not a
specific program or procedure.
B.Incorrect. Scatter diagrams are used to plot the correlation between two variables.
D.Incorrect. The Pareto diagram helps TQM teams to analyze vital few and trivial many (20/80 pattern
or rule). It is most efficient to focus on the few things that make the biggest difference.

124.Total quality management (TQM) should be viewed as:

A.Customer centered and employee driven.
B.Management centered and technology driven.
C.Policy centered and procedure driven.
D.Goal centered and standard driven.

The Answer A is Correct


Customers can be internal and external to an organization. Organizations exist to serve and help
external customers with goods and services. Building teamwork and empowering employees can
inspire and encourage internal customers. TQM empowers employees at all levels in order to tap their
full potential of creativity, motivation, and commitment.

B.Incorrect. Being management centered and technology driven does not serve and help external
customers with goods and services.
C.Incorrect. Being policy centered and procedure driven does not serve and help external customers
with goods and services.
D.Incorrect. Being goal centered and standard driven does not serve and help external customers with
goods and services.

125.When a product conforms to its design specifications, it is called:

A.Product-based quality.
B.Value-based quality.
C.Judgment-based quality.
D.Manufacturing-based quality.

The Answer D is Correct


Manufacturing-based quality deals with conformance to requirements, such as design specifications,
customer requirements, or blueprints.

A.Incorrect. Product-based quality assumes that higher levels or amounts of product characteristics are
equivalent to higher quality and that quality has a direct relationship with price.
B.Incorrect. Value-based quality focuses on the relationship between the usefulness of or satisfaction
with a product or service and its price.
C.Incorrect. Judgment-based quality is synonymous with superiority or excellence, which is abstract,
subjective, and difficult to quantify.

126.Which of the following total quality management (TQM) process improvement tools
monitors actual versus desired quality measurements during repetitive operations?

A.A run chart
B.A histogram
C.A flowchart
D.A control chart

The Answer D is Correct


A control chart helps operations maintain key quality measurements within an acceptable range of an
upper and a lower control limit. It monitors actual versus desired quality measurements during
repetitive operations.

A.Incorrect. A run chart (also called a time-series or trend chart) tracks the frequency or amount of a
given variable over time. Significant deviations from the standard signal the need for corrective action.
B.Incorrect. A histogram is a bar chart showing whether repeated measurements in an operation
conform to a standard bell-shaped curve (normal curve).
C.Incorrect. A flowchart is a graphic representation of a sequence of activities and decisions.
Flowcharts identify unnecessary work steps so that they can be either combined or eliminated.

127.The costs of providing training and technical support to the supplier in order to increase the
quality of purchased materials are examples of:

A.Prevention costs.
B.Appraisal costs.
C.Internal failure costs.
D.External failure costs.

The Answer A is Correct


Prevention costs are costs incurred to prevent defects from occurring during the design and delivery of
products or services. Prevention costs can keep both appraisal and failure costs to a minimum.

B.Incorrect. Appraisal costs are costs to detect, measure, evaluate, and audit products and processes to
ensure that they conform to customer requirements and performance standards. They include the costs
of inspecting raw materials, testing goods throughout the manufacturing process, and testing the final
product.
C.Incorrect. Internal failure costs are the costs associated with defects that are discovered before the
product is shipped or before the service is delivered to the customer. They include the costs of the
material, labor, and other manufacturing costs incurred in reworking defective products and the costs of
scrap and spoilage.
D.Incorrect. External failure costs are associated with defects found during or after delivery of the
product or service to the customer. They include the costs of repairs made under warranty or product
recalls.

128.In the Six Sigma methodology, the mistake-proofing tool is used in which of the following
stages?

A.Define.
B.Control.
C.Measure.
D.Improve.

The Answer B is Correct


A mistake-proofing tool removes the opportunity for error before it happens. It is a way to detect and
correct an error where it occurs and avoid passing the error to the next worker or operation. This tool is
used in the “control” stage to prevent an error from becoming a defect in the process. Mistake-proofing
techniques are used to improve organizational processes. Typical mistakes in production are omitted
processing, processing errors, setup errors, missing parts, wrong parts, and machine adjustment errors.
Poka-yoke is an approach for mistake-proofing processes using automatic devices or methods to avoid
simple human or machine errors.

A.Incorrect. The “define” stage is too early to use the mistake-proofing tool.
C.Incorrect. The “measure” stage is too late to use the mistake-proofing tool.
D.Incorrect. The “improve” stage is too late to use the mistake-proofing tool.

129.A process mapping tool is not used in which of the following Six Sigma methodology stages?

A.Define.
B.Control.
C.Measure.
D.Analyze.

The Answer B is Correct


Process mapping is a very useful tool in the “define, measure, analyze, and improve” stages but not in
the “control” stage because the process is already in control. In the “control” stage, systems and
structures are in place to institutionalize the improvements. Process mapping is a high-level visual
representation of the current process step, looking beyond the functional activities and rediscovering
core processes. The objective of process mapping is to understand the process before it is improved.

A.Incorrect. A process mapping tool is used in the “define” stage to improve organizational processes.
C.Incorrect. A process mapping tool is used in the “measure” stage to improve organizational
processes.
D.Incorrect. A process mapping tool is used in the “analyze” stage to improve organizational processes.

130.The cause-and-effect diagram is used in which of the following Six Sigma methodology
stages?

A.Define.
B.Analyze.
C.Improve.
D.Control.

The Answer A is Correct


The cause-and-effect diagram is a tool for analyzing process variables. The diagram shows the main
cause and subcauses leading to an effect (symptom). This tool is used in both the “define and measure”
stages.

B.Incorrect. The “analyze” stage comes after the “define” stage.
C.Incorrect. The “improve” stage comes before the “control” stage.
D.Incorrect. The “control” stage monitors the ongoing performance of a process and improvement of a
product. This stage is a transition from improvement to controlling the process. It ensures that new
improvements are implemented and institutionalized.

131.Both common causes and special causes are identified in which of the following stages of the
Six Sigma methodology?

A.Define.
B.Measure.
C.Control.
D.Improve.

The Answer B is Correct


Common causes affect everyone working in a process and affect all of the outcomes of a process.
These causes are always present and thus are generally predictable. Special causes are not always
present in a process, do not affect everyone working in it, and do not affect all its outcomes. Special
causes are not predictable. The “measure” stage identifies common and special causes and collects data
about current performance that pinpoints opportunities and provides a structure for making
improvements.

A.Incorrect. In the “define” stage, brainstorming techniques are used to define the problem and to make
improvements. This stage is a better way to identify bottlenecks, process/machine breakdowns, and
non-value-added work steps.
C.Incorrect. The “control” stage monitors the ongoing performance of a process and improvement of a
product. This stage is a transition from improvement to controlling the process. It ensures that new
improvements are implemented and institutionalized.
D.Incorrect. The “improve” stage is the final objective to accomplish. Both common and special causes
are identified before this stage.

132.In the Six Sigma training environment, which of the following roles is primarily dependent
on others to acquire data?

A.Green belts
B.Black belts
C.Master black belts
D.Sponsors

The Answer A is Correct


Six Sigma green belts work directly with black belts and cross-functional project leaders to carry out
identified improvement projects. Green belts implement Six Sigma improvement tools by being
competent at detailed and routine tasks and by collecting the required data.

B.Incorrect. The role of Six Sigma black belts is based on the principle of contributing independently
and applying the appropriate tools and techniques in the process of resolving quality problems and
issues in the organization. Black belts assume responsibility for definable projects and possess
technical competence and ability.
C.Incorrect. Master black belts ensure that they contribute through others based on their leadership
skills. They are involved as managers, mentors, or idea leaders in developing others. They have
technical breadth and skills, can build a strong network of people, and can resolve conflicts.
D.Incorrect. Sponsors are the champions of quality. They have project management skills, understand
the risk management techniques, and have leadership skills. They have the vision and knowledge of
their organization's culture.

133.All of the following are effective ways to prevent service mistakes from occurring except:

A.Source inspections.
B.Self-inspections.
C.Sequence checks.
D.Mass inspections.

The Answer D is Correct


Mistake-proofing a service requires identifying when and where failures occur. Once a failure is
identified, the source must be found. The final step is to prevent the mistake from occurring through
source inspections, self-inspections, or sequence checks. Mass or final inspections are expensive,
time-consuming, and ineffective, as they take place too late in the game.

A.Incorrect. Source inspections are effective ways to prevent service mistakes from occurring.
B.Incorrect. Self-inspections are effective ways to prevent service mistakes from occurring.
C.Incorrect. Sequence checks are effective ways to prevent service mistakes from occurring.

134.In an organization with empowered work teams, organizational policies:

A.Should define the limits or constraints within which the work teams must act if they are to remain
self-directing.
B.Become more important than ever. Without clear rules to follow, empowered work teams are almost
certain to make mistakes.
C.Should be few or none. Work teams should have the freedom to make their own decisions.
D.Should be set by the teams themselves in periodic joint meetings.

The Answer A is Correct


Work teams are not “empowered” to do anything they please. The organization has certain expectations
for what is to be accomplished and how teams are to go about accomplishing these things. Once the
organization defines the objectives (what is to be accomplished) and sets appropriate policies (how it is
to be done), work teams are free to make and implement decisions within those boundaries. Policies in
this work team area are usually quite broad (e.g., relating to ethical business conduct) but nevertheless
important.

B.Incorrect. Empowered teams are important but not more important than ever. Policies in this context
should not be “rules,” and the distrust implicit in the phrase “is almost certain to make mistakes” is
inconsistent with empowerment.
C.Incorrect. Work teams are not “empowered” to do anything they please.
D.Incorrect. Work teams are not “empowered” to do anything they please.

135.One of the main reasons that implementation of a total quality management (TQM) program
works better through the use of teams is because:

A.Teams are more efficient and help an organization reduce its staffing.
B.Employee motivation is always higher for team members than for individual contributors.
C.Teams are a natural vehicle for sharing ideas, which leads to process improvement.
D.The use of teams eliminates the need for supervision, thereby allowing a company to reduce staffing.

The Answer C is Correct


Teams are excellent vehicles for encouraging the sharing of ideas and removing process improvement
obstacles.

A.Incorrect. Teams are often inefficient and costly.
B.Incorrect. Although employee motivation may be high for some team members, such potential high
motivation does not directly affect process improvement, which is key to quality improvement.
D.Incorrect. The use of teams in TQM is not aimed at less supervision and reduced staffing, although
that may be a by-product.

136.One of the main reasons total quality management (TQM) can be used as a strategic weapon
is that:

A.The cumulative improvement from a company's TQM efforts cannot readily be copied by
competitors.
B.Introducing new products can lure customers away from competitors.
C.Reduced costs associated with better quality can support higher stockholder dividends.
D.TQM provides a comprehensive strategic management for a business.

The Answer A is Correct


The cumulative effect of TQM's continuous improvement process can attract and hold customers and
cannot be duplicated by competitors.

B.Incorrect. New products can be quickly copied by competitors; therefore, they do not provide a
sustained competitive advantage.
C.Incorrect. TQM does not focus on cost reduction.
D.Incorrect. TQM is only one strategic management tool; other tools have to be used for proper
strategic management.

137.Focusing on customers, promoting innovation, learning new philosophies, driving out fear,
and providing extensive training are all elements of a major change in organizations. These
elements are aimed primarily at:

A.Copying leading organizations to better compete with them.
B.Focusing on the total quality of products and services.
C.Being efficient and effective at the same time, in order to indirectly affect profits.
D.Better management of costs of products and services, in order to become the low-cost provider.

The Answer B is Correct


All the elements presented in the question are part of the total quality movement in the manufacturing
and service sectors.

A.Incorrect. Competition with leading organizations is not the only goal of the total quality movement.
C.Incorrect. The goal is quality first and foremost. A total quality movement may reduce some costs in
the long run.
D.Incorrect. The focus of the elements presented is not cost management.

138.Total quality management in a manufacturing environment is best exemplified by:

A.Identifying and reworking production defects before sale.
B.Designing the product to minimize defects.
C.Performing inspections to isolate defects as early as possible.
D.Making machine adjustments periodically to reduce defects.

The Answer B is Correct


This response describes the design-it-in approach, which promotes keeping quality in mind right from
the start.

A.Incorrect. This choice describes the fix-it-in approach, which is the first step. Inspectors
identify and report defects, which are then reworked or fixed.
C.Incorrect. This choice describes the inspect-it-in approach, which applies the fix-it-in approach to
in-process work.
D.Incorrect. This choice describes the adjust-it-in approach, which is the same as the inspect-it-in
approach.

139.Which of the following is a characteristic of total quality management (TQM)?

A.Management by objectives
B.On-the-job training by other workers
C.Quality by final inspection
D.Education and self-improvement

The Answer D is Correct


Education and self-improvement should be the number-one career objective for everyone in the
organization.

A.Incorrect. Management by objectives causes aggressive pursuit of numerical quotas.
B.Incorrect. On-the-job training serves to entrench bad work habits.
C.Incorrect. Quality by final inspection is unnecessary if quality is built in from the start.

140.In which of the following organizational structures does total quality management (TQM)
work best?

A.Hierarchical organizational structure
B.Teams of people from the same specialty
C.Small teams of people from different specialties
D.Specialists working individually

The Answer C is Correct


Small teams of people from different specialties empowered to make decisions are highly effective.

A.Incorrect. A hierarchical organizational structure actually stifles TQM.
B.Incorrect. TQM works best with teams of people from different specialties.
D.Incorrect. Teamwork is essential for TQM.

141.A company is experiencing a high level of customer returns for a particular product because
it does not meet the rigid dimensions required. Each return is reworked on a milling machine
and sent back through all of the subsequent finishing steps. This is a costly process. Identify the
best method for reducing the quality failure costs.

A.Customer surveys
B.Increased finished goods inspections
C.Defect prevention
D.Increased work-in-process inspections

The Answer C is Correct


Prevention of a defect is felt in reduced costs throughout the entire manufacturing and quality
inspection cycle. This is a preventive control and a feedforward (proactive) control.

A.Incorrect. Customer surveys are examples of feedback (reactive) controls and are not as effective as
a feedforward (proactive) control.
B.Incorrect. Increased finished goods inspections are examples of feedback (reactive) controls and are
not as effective as a feedforward (proactive) control.
D.Incorrect. Increased work-in-process inspections are examples of feedback (reactive) controls and
are not as effective as a feedforward (proactive) control.

142.Which statement best describes total quality management (TQM)?

A.TQM emphasizes reducing the cost of inspection.
B.TQM emphasizes better statistical quality control techniques.
C.TQM emphasizes doing each job right the first time.
D.TQM emphasizes encouraging cross-functional teamwork.

The Answer C is Correct


Superior product quality is not attained just through more inspection, better statistical quality control,
and cross-functional teamwork. Manufacturers must make fundamental changes in the way they
produce products and do each job right the first time.

A.Incorrect. This choice is only a part of the TQM emphasis.
B.Incorrect. This choice is only a part of the TQM emphasis.
D.Incorrect. This choice is only a part of the TQM emphasis.

143.Management of a company is attempting to build a reputation as a world-class manufacturer
of quality products. On which of the next four costs should it spend the majority of its funds?
I. Prevention costs. This involves eliminating the production of products that do not conform to
quality requirements. Costs include product and process design and testing, supplier evaluation
and training, employee training, and preventive maintenance.
II. Appraisal costs. This involves detecting products that do not conform to quality requirements.
Costs include inspection, testing, and statistical quality control.
III. Internal failure costs. This involves correcting or scrapping nonconforming products before they
are shipped. Costs include rework, scrap, retesting, and changes in the design of the product or
process.
IV. External failure costs. This involves customers detecting nonconforming products after shipment.
Costs include allowances, customer complaints, service, warranty, product liability, lost customer
goodwill, and returned products.

A.I only
B.II only
C.III only
D.IV only

The Answer A is Correct


The firm would do well to spend the bulk of its funds on prevention through better product and process
design and testing, supplier evaluation and training, employee training, and preventive maintenance.
The aim is to prevent quality breakdowns before the product is produced.

B.Incorrect. Spending funds in the appraisal area will improve quality, but funds are better spent on
prevention than on appraisal area.
C.Incorrect. Spending funds in the internal failure area will improve quality, but funds are better spent
on prevention than on the internal failure area.
D.Incorrect. Spending funds in the external failure area will improve quality, but funds are better spent
on prevention than on the external failure area.

144.Management of a company is attempting to build a reputation as a world-class manufacturer
of quality products. Which of the next four costs would be the most damaging to its ability to
build a reputation as a world-class manufacturer?
I. Prevention costs. This involves eliminating the production of products that do not conform to
quality requirements. Costs include product and process design and testing, supplier evaluation
and training, employee training, and preventive maintenance.
II. Appraisal costs. This involves detecting products that do not conform to quality requirements.
Costs include inspection, testing, and statistical quality control.
III. Internal failure costs. This involves correcting or scrapping nonconforming products before they
are shipped. Costs include rework, scrap, retesting, and changes in the design of the product or
process.
IV. External failure costs. This involves customers detecting nonconforming products after shipment.
Costs include allowances, customer complaints, service, warranty, product liability, lost customer
goodwill, and returned products.

A.I only
B.II only
C.III only
D.IV only

The Answer D is Correct


The firm must avoid external failures. If low-quality products are discovered by a firm's customers, the
firm will not be able to build a reputation as a world-class manufacturer. The firm should spend its
funds on prevention, appraisal, and internal failure, in that order. That is, it should prevent quality
breakdowns before the product is produced and shipped so that customers never receive poor-quality
products.

A.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.
B.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.
C.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.

145.Management of a company is attempting to build a reputation as a world-class manufacturer
of quality products. Which of the following measures would not be used by the firm to measure
quality?

A.The percentage of shipments returned by customers because of poor quality.
B.The number of parts shipped per day.
C.The number of defective parts per million.
D.The percentage of products passing quality tests the first time.

The Answer B is Correct


The number of parts shipped per day is not a good measure of quality of the product. It relates to the
quantity of products shipped.

A.Incorrect. This choice is a good measure of product quality.
C.Incorrect. This choice is a good measure of product quality.
D.Incorrect. This choice is a good measure of product quality.

146.Prior to finalizing an outsourcing arrangement for a business process or function,
management should perform which of the following first?

A.Risk and result analysis
B.In-source versus outsource analysis
C.Competence and cost analysis
D.Contract-or-service analysis

The Answer B is Correct


From an economics point of view, management should first perform an in-source versus outsource
analysis to determine whether the planned outsourcing arrangement for a business process or function
can be performed internally more efficiently, effectively, and economically than by the outsourced
vendors. The scope of in-source versus outsource analysis includes functional need requirements, skills
requirements and their availability, opportunity costs of outsourcing, incremental costs and revenues
for internal work and external work, potential risks and opportunities of outsourcing, and
legal/regulatory requirements and methods needed to comply with legal/regulatory requirements
internally or externally.

A.Incorrect. Risk and result analysis can be part of or separate from the in-source versus outsource
analysis.
C.Incorrect. Competence and cost analysis can be part of or separate from the in-source versus
outsource analysis.
D.Incorrect. Contract-or-service analysis can be part of or separate from the in-source versus outsource
analysis.

147.Which of the following statements is not true about the benefits of outsourcing a business
process or function?

A.It improves performance of systems and employees.
B.It reduces operating costs and capital investments.
C.It reduces control over outside vendors.
D.It prevents a firm from hiring additional employees to meet temporary needs.

The Answer C is Correct


This choice is not a true statement about the benefits of outsourcing. Many organizations turn to
outsourcing to improve performance (system and people) and to reduce operating costs. On a positive
note, outsourcing offers solutions when there is a shortage of in-house skills, when a high-risk and
high-overhead project needs to be managed, and when there is an unacceptable lead time to complete a
project using company personnel.
The benefits from outsourcing usually focus on performance improvements and/or cost reduction.
Another benefit is that it allows internal management to focus time and resources more to the core
business and the company's future. Outsourcing enables a firm to avoid hiring additional employees to
meet temporary needs. However, outsourcing does not mean surrendering control and internal
management responsibility of subcontracted functions and projects to outside vendors.

A.Incorrect. This choice is a true statement about the benefits of outsourcing.
B.Incorrect. This choice is a true statement about the benefits of outsourcing.
D.Incorrect. This choice is a true statement about the benefits of outsourcing.

148.Which of the following service-level metrics are more reasonable and practical for an
outsourced vendor than for a non-outsourced vendor?

A.Absolute numbers
B.Rolling numbers
C.Range of numbers
D.Average numbers

The Answer C is Correct


Service-level metrics (e.g., number of system user complaints received for each application system)
cannot be absolute numbers, rolling numbers, or average numbers because actual performance
measurements can vary based on the peak and nonpeak times. So a range of numbers (i.e., minimum to
maximum numbers, covering both low (nonpeak) and high (peak) values) is more meaningful than a
single number.

A.Incorrect. Absolute numbers do not show low (nonpeak) and high (peak) performance.
B.Incorrect. Rolling numbers do not show low (nonpeak) and high (peak) performance.
D.Incorrect. Average numbers do not show low (nonpeak) and high (peak) performance.

149.In a global outsourcing environment, which of the following selection factors for an
outsourced vendor does not matter that much?

A.Attitudes of a vendor's personnel
B.Reputation of a vendor
C.Knowledge, skills, and abilities of a vendor
D.Proximity of a vendor

The Answer D is Correct


In a global outsourcing environment, potential vendors can come from anywhere in the world.
Proximity of a vendor (local or global) to a user organization does not matter that much. It is the least
important selection factor.

A.Incorrect. This choice does matter in selecting an outsourced vendor.
B.Incorrect. This choice does matter in selecting an outsourced vendor.
C.Incorrect. This choice does matter in selecting an outsourced vendor.

150.In a global outsourcing environment, which of the following should be in place by an
outsourced vendor in order to succeed?

A.Project governance
B.Vendor governance
C.Customer governance
D.Service governance

The Answer B is Correct


Vendor governance requires a vendor to establish written policies, procedures, standards, and
guidelines regarding how to deal with its customers or clients in a professional and businesslike manner.
It also requires establishing an oversight mechanism and implementing best practices in the industry.

A.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective, project
governance is a part of vendor governance.
C.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective,
customer governance is a part of vendor governance.
D.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective, service
governance is a part of vendor governance.

151.Which of the following scope items for an outsourced vendor takes on a significant dimension
in a supply-chain environment?

A.Liabilities and guarantees
B.Well-defined service levels
C.Licensing of services and products
D.Changes to terms and conditions of services

The Answer A is Correct


In a supply-chain environment, there could be several suppliers and integrators in developing or
delivering a specific product or service to a user customer or client. So, liabilities and guarantees take
on a significant dimension in order to pin down each party's roles, responsibilities, liabilities,
guarantees, and remedies to problems encountered.

B.Incorrect. This choice is important, not significant.
C.Incorrect. This choice is important, not significant.
D.Incorrect. This choice is important, not significant.

152.Which of the following is required to periodically monitor an outsourced vendor's
contractual agreements?

A.Due diligence review
B.Independent audit
C.Statement of work
D.Rules of engagement

The Answer B is Correct


An independent audit by a third party, who is fully independent of the outsourced vendor and the user
organization, is required to periodically monitor the outsourced vendor's contractual agreement and
performance. The audit should focus on operational systems and functions of the external service
provider.

A.Incorrect. Due diligence review comes before the independent audit.
C.Incorrect. The statement of work comes before the independent audit.
D.Incorrect. The rules of engagement come before the independent audit.

153.Which of the following involves identifying, studying, and building on the best practices of
other organizations?

A.Kaizen
B.Benchmarking
C.Plan, do, check, and act cycle
D.Total quality management

The Answer B is Correct


Benchmarking is identifying, studying, and building on the best practices of other organizations.
Benchmarking establishes standards that provide feedforward control by warning people when they
deviate from standards.

A.Incorrect. Kaizen is continuous improvement.
C.Incorrect. The plan, do, check and act (PDCA) cycle, called the Shewhart cycle in quality, was later
modified by Deming to be the plan, do, study, and act (PDSA) cycle.
D.Incorrect. Total quality management (TQM) is a management philosophy about the quality of
products and services.

154.Which of the following is true of benchmarking?

A.It is typically accomplished by comparing an organization's performance with the performance of its
closest competitors.
B.It can be performed using either qualitative or quantitative comparisons.
C.It is normally limited to manufacturing operations and production processes.
D.It is accomplished by comparing an organization's performance to that of best-performing
organizations.

The Answer D is Correct


Benchmarking is accomplished by comparing an organization's performance to that of best-performing
organizations.

A.Incorrect. Benchmarking involves a comparison against industry leaders or world-class operations.
Benchmarking either uses industry-wide figures (to protect the confidentiality of information provided
by participating organizations) or figures from cooperating organizations.
B.Incorrect. Benchmarking requires measurements, which involve quantitative comparisons.
C.Incorrect. Benchmarking can be applied to all functional areas in a company whether it is
manufacturing or service. Production processes in manufacturing are industry-specific activities. On
the other hand, processing a customer order and paying an invoice to a vendor are common activities
among industries. Regardless of common or specific activities, benchmarking provides a greater
opportunity to improve by learning from global companies.

155.Which of the following is an example of an internal nonfinancial benchmark?

A.The labor rate of comparably skilled employees at a major competitor's plant.
B.The average actual cost per pound of a specific product at the company's most efficient plant
becomes the benchmark for the company's other plants.
C.The company setting a benchmark of $50,000 for employee training programs at each of the
company's plants.
D.The percentage of customer orders delivered on time at the company's most efficient plant becomes
the benchmark for the company's other plants.

The Answer D is Correct


This is an example of an internal nonfinancial benchmark.

A.Incorrect. This choice is an example of an external financial benchmark.
B.Incorrect. This choice is an example of an internal financial benchmark.
C.Incorrect. This choice is an example of an internal operational benchmark.

156.A company that has many branch stores has decided to benchmark one store for the purpose
of analyzing the accuracy and reliability of branch store financial reporting. Which one of the
following is the most likely measure to be included in a financial benchmark?

A.High turnover of employees
B.High level of employee participation in setting budgets
C.High amount of bad debt write-offs
D.High number of suppliers

The Answer C is Correct


A high amount of bad debt write-offs could indicate fraud and the compromising of financial report
accuracy and reliability.

A.Incorrect. A high turnover of employees may indicate a morale problem but not necessarily a
problem with the accuracy and reliability of financial reports.
B.Incorrect. A high level of employee participation in budget setting is an example of decentralization
and would not necessarily impact the accuracy and reliability of financial reports.
D.Incorrect. A high number of suppliers would not necessarily indicate a problem with the accuracy
and reliability of financial reports.

157.Which of the following can reflect the effectiveness of a firm's human resource department?

A.The ratio of total hiring costs to the total number of hires.
B.The elapsed time between the number of employees hired and the number of employees retired is
within the established time ranges.
C.A comparison of the average number of days from the date the approved vacant position requisition
is received until the date the new hire starts work.
D.The ratio of the number of job offers accepted to the number of job offers extended.

The Answer B is Correct


Effectiveness measures the degree to which a predetermined objective is met (i.e., established time
ranges).

A.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).
C.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).
D.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).

158.A new, midsize manufacturing company in a small town was fined heavily for unknowingly
polluting the nearby drinking water system with harmful chemicals that leaked from its
manufacturing plant. What, if anything, could this company have done to prevent such heavy
fines, which it cannot afford to pay?

A.Conduct business impact analysis.
B.Conduct environmental impact analysis.
C.Conduct sustainability impact analysis.
D.Conduct survivability impact analysis.

The Answer B is Correct


Conducting environmental impact analysis requires performing a risk assessment exercise. It includes
three steps: (1) Identify all environmental concerns faced by the company; (2) Categorize these
concerns into high risk (high impact), moderate risk (medium impact), or low risk (low impact); and (3)
Direct financial resources to those concerns that pose the greatest potential threat to the company's
long-term existence.

A.Incorrect. Conducting business impact analysis is not directly applicable here because its scope is too
broad and includes studying products, services, sales, costs, and profits.
C.Incorrect. Conducting sustainability impact analysis is not directly applicable here because it focuses
on whether a company can survive or die over a long period.
D.Incorrect. Conducting survivability impact analysis is not directly applicable here because it is a part
of sustainability impact analysis.

159.The balanced scorecard system is a(n):

A.Internal control system.
B.Accounting control system.
C.Management control system.
D.Operational control system.

The Answer C is Correct


The balanced scorecard system is a comprehensive management control system (an umbrella system)
that balances traditional financial measures (e.g., internal and accounting control) with nonfinancial
measures (e.g., operational control) relating to a company's critical success factors.

A.Incorrect. An internal control system is a part of a management control system.
B.Incorrect. An accounting control system is a part of a management control system.
D.Incorrect. An operational control system is a part of a management control system.

160.Which of the following is the heart of a balanced scorecard system?

A.Strategic management system
B.Tactical management system
C.Functional management system
D.Operational management system

The Answer A is Correct


The balanced scorecard system started as a management control system but is now becoming a
strategic management system because of its importance to a company's overall progress in terms of
long-term value, vision, and strategy.

B.Incorrect. A tactical management system supports the strategic management system.
C.Incorrect. A functional management system supports the strategic management system.
D.Incorrect. An operational management system supports the strategic management system.

161.The balanced scorecard system reflects which of the following?

I. Lag indicators
II. Lead indicators
III. Financial indicators
IV. Nonfinancial indicators

A.I and II
B.II and III
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Financial measures are lag indicators focusing on past actions and promoting short-term behavior.
Companies also need lead indicators focusing on value creators or drivers, promoting long-term
behavior, and equally emphasizing nonfinancial measures such as quality and service. Examples of
financial indicators include return on assets, net income after taxes, and return on equity.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

162.Which of the following is not a perspective of the balanced scorecard approach?

A.Timeliness
B.Productivity
C.Efficiency
D.Quantity

The Answer D is Correct


The four perspectives of the balanced scorecard approach include measures of quality, productivity,
efficiency and timeliness, and marketing success. Quantity is not one of the perspectives.

A.Incorrect. This choice is a valid perspective of the balanced scorecard approach.
B.Incorrect. This choice is a valid perspective of the balanced scorecard approach.
C.Incorrect. This choice is a valid perspective of the balanced scorecard approach.

163.The balanced scorecard approach does not require looking at performance from which of the
following perspectives?

A.Financial
B.Competitor
C.Customer
D.Internal business processes

The Answer B is Correct


The balanced scorecard approach requires looking at performance from four different but related
perspectives: financial, customer, internal business processes, and learning and growth. The scorecard
does not require a competitor's perspective.

A.Incorrect. This choice is a required perspective.
C.Incorrect. This choice is a required perspective.
D.Incorrect. This choice is a required perspective.

164.All of the following are critical success factors under the customer perspective of the
balanced scorecard approach except:

A.Increasing customer service.
B.Reducing prices.
C.Increasing quality.
D.Reducing delivery time.

The Answer B is Correct


This choice is not a critical success factor. Reducing prices has a temporary effect while the other three
choices have a permanent effect on customers. The number of product or service warranty claims filed,
number of returned products, customer response time, and percentage of on-time deliveries are also
critical success factors.

A.Incorrect. This choice is a critical success factor.
C.Incorrect. This choice is a critical success factor.
D.Incorrect. This choice is a critical success factor.

165.Which of the following perspectives of the balanced scorecard deals with objectives across a
company's entire value chain?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer C is Correct


The value chain of a company includes all activities from research and development to post-sale
customer service and everything in between. The scope of internal business processes also includes
improving quality throughout the production process, increasing productivity, increasing efficiency of
resources, and timeliness of information.

A.Incorrect. The financial perspective focuses on only one activity – finance, which does not address
the entire value chain consisting of several activities.
B.Incorrect. The customer perspective focuses on only one activity – customer, which does not address
the entire value chain consisting of several activities.
D.Incorrect. The learning and growth perspective focuses on only one activity – learning and growth,
which does not address the entire value chain consisting of several activities.

166.Which of the following perspectives of the balanced scorecard deals with objectives of
increasing market share and penetrating into new markets?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer B is Correct


The customer perspective deals with taking care of customer interests as well as acquiring and retaining
more customers. This includes increasing market share and entering into new markets.

A.Incorrect. The financial perspective does not directly deal with increasing market share and
penetrating into new markets.
C.Incorrect. The internal business processes perspective does not directly deal with increasing market
share and penetrating into new markets.
D.Incorrect. The learning and growth perspective does not directly deal with increasing market share
and penetrating into new markets.

167.Which of the following perspectives of the balanced scorecard deals with the objectives of
product improvement?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer D is Correct


Learning and growth perspectives deal with product improvement and innovation, information systems
capabilities, efficient and effective use of employees, and overall company growth.

A.Incorrect. The financial perspective does not directly deal with the objectives of product
improvement.
B.Incorrect. The customer perspective does not directly deal with the objectives of product
improvement.
C.Incorrect. The internal business processes perspective does not directly deal with the objectives of
product improvement.

168.Which of the following items represent nonfinancial measures under the balanced scorecard
approach?
I. Costs
II. Sales margins
III. Quality
IV. Customer service

A.III only
B.IV only
C.I and II
D.III and IV

The Answer D is Correct


The balanced scorecard approach integrates financial and nonfinancial performance measures of a
company. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.

A.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.
B.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.
C.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.

169.Which of the following statements is not true about nonfinancial measures of performance
under the balanced scorecard approach?

A.At times quality may be more important than cost.
B.At times timeliness may be more important than meeting budget.
C.At times customer service may be more important than financial returns.
D.At times traditional measures may be more important than nontraditional measures.

The Answer D is Correct


This choice is not a true statement. Traditional measures are basically financial and are not adequate to
fully assess the total performance of companies. Traditional measures mainly deal with historical
accounting and financial data (e.g., return on investment) and cannot answer nontraditional measures
(e.g., customer satisfaction, quality improvement, productivity, efficient utilization of resources,
employee morale, and employee satisfaction). Both traditional and nontraditional measures are
important.

A.Incorrect. This choice is a true statement about nonfinancial measures.
B.Incorrect. This choice is a true statement about nonfinancial measures.
C.Incorrect. This choice is a true statement about nonfinancial measures.

170.Which of the following perspectives of the balanced scorecard deals with the objective of
shortening the time to market a new product?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer D is Correct


Time to market a new product is a marketing metric and is a part of the learning and growth
perspective of the balanced scorecard. This metric should be shorter to gain entry into a market faster.

A.Incorrect. The financial perspective does not directly deal with the objective of shortening the
time-to-market metric.
B.Incorrect. The customer perspective does not directly deal with the objective of shortening the
time-to-market metric.
C.Incorrect. The internal business processes perspective does not directly deal with the objective of
shortening the time-to-market metric.

171.All of the following are examples of customer-performance scorecard measures except:

A.Lost customers.
B.Dissatisfied customers.
C.Product or service quality.
D.Machine downtime.

The Answer D is Correct


Machine downtime, rework time, and plant waste are examples of production-performance scorecard
measures.

A.Incorrect. Examples of customer-performance scorecard measures include customers (new,
dissatisfied, satisfied, or lost); target market awareness or preference; relative product or service quality;
and on-time delivery.
B.Incorrect. Examples of customer-performance scorecard measures include customers (new,
dissatisfied, satisfied, or lost); target market awareness or preference; relative product or service quality;
and on-time delivery.
C.Incorrect. Examples of customer-performance scorecard measures include customers (new,
dissatisfied, satisfied, or lost); target market awareness or preference; relative product or service quality;
and on-time delivery.

172.Which of the following balanced scorecard measures is difficult to identify and implement?

A.Market-based performance scorecard.
B.Production-based performance scorecard.
C.Stakeholder-based performance scorecard.
D.Human resource–based performance scorecard.

The Answer C is Correct


The stakeholder-based performance scorecard measure is difficult to identify and implement because
stakeholders are external to a corporation. The difficulties include: (1) dealing with so many diverse
constituents (shareholders, employees, unions, governments, investors, creditors, bankers, distributors,
wholesalers, retailers, suppliers and vendors); (2) reaching them on a day-to-day basis; (3)
communicating with them periodically; (4) coordinating with them; and (5) reaching conclusions on
issues due to their diverging viewpoints and conflicting objectives.

A.Incorrect. The market-based performance scorecard measure is relatively easy to identify and
implement because the marketing function is internal to a corporation.
B.Incorrect. The production-based performance scorecard measure is relatively easy to identify and
implement because the production function is internal to a corporation.
D.Incorrect. The human resource–based performance scorecard measure is relatively easy to identify
and implement because the human resource function is internal to a corporation.

173.A good balanced scorecard system contains which of the following?

I. Lag measures
II. Lead measures
III. Interlinking measures
IV. Interrelationship digraph

A.I and II
B.III and IV
C.I, II, and III
D.I, II, III, and IV

The Answer C is Correct


A good balanced scorecard system contains lag measures, lead measures, and interlinking measures.
Financial measures are lag indicators focusing on past actions and promoting short-term behavior.
Companies also need lead indicators focusing on value creators or drivers, promoting long-term
behavior, and emphasizing nonfinancial measures such as quality and service. A good balanced
scorecard contains both leading and lagging measures and links them through logical cause-and-effect
relationships. Interlinking measure is the quantitative modeling of cause-and-effect relationships
between internal and external performance measures.

A.Incorrect. This is a partially correct answer (i.e., lag measures and lead measures).
B.Incorrect. This choice contains both valid answers (i.e., interlinking measures) and invalid answers
(i.e., interrelationship digraph).
An interrelationship digraph identifies and explores causal relationships among related concepts or
ideas. It shows that every idea can be logically linked with more than one other idea at a time and allows
for lateral thinking rather than linear thinking. The graph is used after the affinity diagram has clarified
issues and problems.
D.Incorrect. This choice contains both valid answers (i.e., lead measures, lag measures, and
interlinking measures) and invalid answers (i.e., interrelationship digraph).
An interrelationship digraph identifies and explores causal relationships among related concepts or
ideas. It shows that every idea can be logically linked with more than one other idea at a time and allows
for lateral thinking rather than linear thinking. The graph is used after the affinity diagram has clarified
issues and problems.

174.When a customer presents her credit card with a smart chip and a personal identification
number (PIN) to pay for merchandise purchases at a retail store, she is using a:

A.Zero-factor authentication.
B.Single-factor authentication.
C.Two-factor authentication.
D.Three-factor authentication.

The Answer C is Correct


The credit card with a smart chip is one factor and the PIN is the second factor. Hence, it is a
two-factor authentication.

A.Incorrect. There is evidence of authentication factors used with the card, chip, and PIN.
B.Incorrect. There is evidence of more than one authentication factor used with the card, chip, and
PIN.
D.Incorrect. Only two authentication factors are used: the card with its chip is one factor and the PIN
is the second factor.

175.In electronic authentication, using one token to gain access to a second token is called a:

A.Single-token, multifactor scheme.
B.Single-token, single-factor scheme.
C.Multitoken, multifactor scheme.
D.Multistage authentication scheme.

The Answer B is Correct


Using one token to gain access to a second token is considered a single-token and a single-factor
scheme because all that is needed to gain access is the initial token. Therefore, when this scheme is
used, the compound solution is only as strong as the token with the lowest assurance level.

A.Incorrect. This choice is not applicable because a multifactor scheme is not used.
C.Incorrect. This choice is not applicable because a multitoken and multifactor scheme is not used.
D.Incorrect. This choice is not applicable because a multistage authentication scheme is not used.

176.Token duplication is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the token duplication threat?

A.Use tokens that generate high-entropy authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer B is Correct


In token duplication, the subscriber's token is copied with or without the subscriber's knowledge. A
countermeasure is to use hardware cryptographic tokens that are difficult to duplicate. Physical security
mechanisms can also be used to protect a stolen token from duplication because they provide tamper
evidence, detection, and response capabilities.

A.Incorrect. This choice cannot handle a duplicate token problem.
C.Incorrect. This choice cannot handle a duplicate token problem.
D.Incorrect. This choice cannot handle a duplicate token problem.

177.Eavesdropping is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the eavesdropping threat?

A.Use tokens that generate high-entropy authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer C is Correct


A countermeasure to mitigate the eavesdropping threat is to use tokens with dynamic authenticators
where knowledge of one authenticator does not help in deriving a subsequent authenticator.

A.Incorrect. This choice cannot provide dynamic authentication. Entropy is a measure of the amount of
uncertainty that an attacker faces to determine the value of a secret.
B.Incorrect. This choice cannot provide dynamic authentication.
D.Incorrect. This choice cannot provide dynamic authentication.

178.Identifier management is applicable to which of the following accounts?

A.Group accounts
B.Local user accounts
C.Guest accounts
D.Anonymous accounts

The Answer B is Correct


All users accessing an organization's information systems must be uniquely identified and
authenticated. Identifier management is applicable to local user accounts where the account is valid
only on a local computer and its identity can be traced to an individual.

A.Incorrect. Identifier management is not applicable to shared information system accounts, such as
group, guest, default, blank, anonymous, and nonspecific user accounts.
C.Incorrect. Identifier management is not applicable to shared information system accounts, such as
group, guest, default, blank, anonymous, and nonspecific user accounts.
D.Incorrect. Identifier management is not applicable to shared information system accounts, such as
group, guest, default, blank, anonymous, and nonspecific user accounts.

179.Phishing or pharming is a threat to the tokens used for electronic authentication. Which of
the following is a countermeasure to mitigate the phishing or pharming threat?

A.Use tokens that generate highly robust authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer C is Correct


A countermeasure to mitigate the phishing or pharming threat is to use tokens with dynamic
authenticators where knowledge of one authenticator does not assist in deriving a subsequent
authenticator.
Phishing is tricking individuals into disclosing sensitive personal information through deceptive
computer-based means. Phishing attacks use social engineering and technical subterfuge to steal
consumers’ personal identity data and financial account credentials. It involves internet fraudsters who
send spam or pop-up messages to gain personal information (e.g., credit card numbers, bank account
information, social security numbers, passwords, or other sensitive information) from unsuspecting
victims.
Pharming is misdirecting users to fraudulent websites or proxy servers, typically through
denial-of-service hijacking or poisoning.

A.Incorrect. This choice cannot provide dynamic authentication.
B.Incorrect. This choice cannot provide dynamic authentication.
D.Incorrect. This choice cannot provide dynamic authentication.

180.Theft is a threat to the tokens used for electronic authentication. Which of the following is a
countermeasure to mitigate the theft threat?

A.Use tokens that generate highly robust authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer D is Correct


A countermeasure to mitigate the threat of token theft is to use multifactor tokens that need to be
activated through a personal identification number or biometric.

A.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.
B.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.
C.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.

181.Social engineering is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the social engineering threat?

A.Use tokens that generate highly robust authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer C is Correct


A countermeasure to mitigate the social engineering threat is to use tokens with dynamic authenticators
where knowledge of one authenticator does not assist in deriving a subsequent authenticator.

A.Incorrect. This choice cannot provide dynamic authentication.
B.Incorrect. This choice cannot provide dynamic authentication.
D.Incorrect. This choice cannot provide dynamic authentication.

182.Authorization controls are a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Authorization controls, such as access control matrices and capability tests, are a part of preventive
controls because they block unauthorized access. Preventive controls deter security incidents from
happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

183.Serious vulnerabilities exist when:

A.An untrusted individual has been granted unauthorized access to a system.
B.A trusted individual has been granted authorized access to a system.
C.An untrusted individual has been granted authorized access to a system.
D.A trusted individual has been granted unauthorized access to a system.

The Answer A is Correct


Serious vulnerabilities typically result when an untrusted individual is granted unauthorized access to a
system. Granting unauthorized access is riskier than granting authorized access to an untrusted
individual, and trusted individuals are better than untrusted individuals. Both trust and authorization are
important to minimize vulnerabilities.

B.Incorrect. Serious vulnerabilities may not exist with trusted individuals.
C.Incorrect. Serious vulnerabilities may not exist with this choice.
D.Incorrect. Serious vulnerabilities may not exist with this choice.

184.From an access control point of view, separation of duty is not related to which of the
following?

A.Safety
B.Reliability
C.Fraud
D.Security

The Answer B is Correct


Computer systems must be designed and developed with security, fraud, and safety in mind because
unsecure and unsafe systems can cause injury to people and damage to assets (e.g., military and airline
systems). With separation of duty (SOD), fraud can be minimized when sensitive tasks are separated
from each other (e.g., signing a check from requesting a check). Reliability is more of an engineering
term in that a computer system is expected to perform with the required precision on a consistent basis.
SOD deals with people and their work-related actions, which are not precise and consistent.

A.Incorrect. Computer systems must be designed and developed with safety in mind because unsecure
and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems).
C.Incorrect. Computer systems must be designed and developed with fraud in mind because unsecure
and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems).
D.Incorrect. Computer systems must be designed and developed with security in mind because
unsecure and unsafe systems can cause injury to people and damage to assets (e.g., military and airline
systems).

185.Which of the following access authorization policies applies to when an organization has a list
of software not authorized to execute on an information system?

A.Deny all, permit by exception
B.Allow all, deny by exception
C.Allow all, deny by default
D.Deny all, accept by permission

The Answer A is Correct


An organization employs a deny-all, permit-by-exception authorization policy to identify software not
allowed to execute on the system. The correct answer is based on a specific access authorization policy.

B.Incorrect. The access policy is not based on a specific access authorization policy.
C.Incorrect. The access policy is not based on a specific access authorization policy.
D.Incorrect. The access policy is not based on a specific access authorization policy.

186.Encryption is a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Encryption prevents unauthorized access and protects data and programs when they are in storage (at
rest) or in transit. Preventive controls deter security incidents from happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

187.Which of the following are needed when it is difficult to enforce normal security policies,
procedures, and rules?
I. Compensating controls
II. Close supervision
III. Team review of work
IV. Peer review of work

A.I only
B.II only
C.I and II
D.I, II, III, and IV

The Answer D is Correct


When the enforcement of normal security policies, procedures, and rules is difficult, enforcement takes
on a different dimension from that of requiring contracts, separation of duties, and system access
controls. Under these situations, compensating controls in the form of close supervision, followed by
peer and team review of quality of work, are needed.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

188.Host and application system hardening procedures are a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Host and application system hardening procedures are a part of preventive controls, as they include
antivirus software, firewalls, and user account management. Preventive controls deter security
incidents from happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

189.Which of the following authentication techniques is appropriate for accessing nonsensitive
information technology (IT) assets with multiple uses of the same authentication factor?

A.Single-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Multifactor authentication

The Answer A is Correct


Using the same authentication factor multiple times (e.g., using the same password more than once) is
appropriate for accessing nonsensitive IT assets and is known as single-factor authentication.

B.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.
C.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.
D.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.

190.From an access control effectiveness viewpoint, which of the following represents biometric
verification when a user submits a combination of a personal identification number (PIN) first
and biometric sample next for authentication?

A.One-to-one matching
B.One-to-many matching
C.Many-to-one matching
D.Many-to-many matching

The Answer A is Correct


This combination of authentication represents something that you know (PIN) and something that you
are (biometric). At the authentication system prompt, the user enters the PIN and then submits a
biometric live-captured sample. The system compares the biometric sample to the biometric reference
data associated with the PIN entered, which is a one-to-one matching of biometric verification.

B.Incorrect. This choice does not properly define the statement in the question.
C.Incorrect. This choice does not properly define the statement in the question.
D.Incorrect. This choice does not properly define the statement in the question.

191.From an access control effectiveness viewpoint, which of the following represents biometric
identification when a user submits a combination of a biometric sample first and a personal
identification number (PIN) next for authentication?

A.One-to-one matching
B.One-to-many matching
C.Many-to-one matching
D.Many-to-many matching

The Answer B is Correct


This combination of authentication represents something that you are (biometric) and something that
you know (PIN). The user presents a biometric sample first to the sensor, and the system conducts a
one-to-many matching of biometric identification. The user is prompted to supply a PIN that provides
the biometric reference data. The biometric identification with one-to-many matching can result in
slow system response times because the PIN is entered as a second authentication factor. This type of
matching can be more expensive because checking the biometric data takes more time than checking
the PIN data. The reason is that the size of the biometric database can be larger.
The biometric verification with one-to-one matching can result in faster system response times and can
be less expensive because the PIN is entered as the first authenticator and the matching is quick.

A.Incorrect. This choice does not properly define the statement in the question.
C.Incorrect. This choice does not properly define the statement in the question.
D.Incorrect. This choice does not properly define the statement in the question.

192.From an access control effectiveness viewpoint, which of the following is represented when a
user submits a combination of a hardware token and a personal identification number (PIN) for
authentication?
I. A weak form of two-factor authentication
II. A strong form of two-factor authentication
III. Supports physical access
IV. Supports logical access

A.I only
B.II only
C.I and III
D.II and IV

The Answer C is Correct


This combination represents something that you have (i.e., hardware token) and something that you
know (i.e., PIN). The hardware token can be lost or stolen. Therefore, this is a weak form of two-factor
authentication that can be used to support unattended access controls for physical access only.

A.Incorrect. This is a partial answer.
B.Incorrect. This is not true.
D.Incorrect. Logical access controls are software based and as such do not support a hardware token.

193.A combination of something you have (one time), something you have (second time), and
something you know is used to represent which of the following personal authentication proofing
schemes?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer B is Correct


Use of the same factor multiple times (i.e., something you have is used two times) results in one-factor
authentication. When this is combined with something you know, it results in a two-factor
authentication scheme.

A.Incorrect. This choice is not applicable because two factors are used.
C.Incorrect. This choice is not applicable because two factors are used.
D.Incorrect. This choice is not applicable because two factors are used.

194.Remote access controls are a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Remote access controls are a part of preventive controls, as they include Internet Protocol (IP) packet
filtering by border routers and firewalls using access control lists. Preventive controls deter security
incidents from happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

195.What is using two different passwords for accessing two different systems in the same session
called?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer B is Correct


Requiring two different passwords for accessing two different systems in the same session is more
secure than requiring one password for two different systems. This authentication equates to two-factor
authentication. Requiring multiple proofs of authentication presents multiple barriers to entry access by
intruders. Using the same password (one-factor) for accessing multiple systems in the same session is a
one-factor authentication, because only one type (and the same type) of proof is used. The key point is
whether the type of proof presented is the same or different.

A.Incorrect. This choice is not applicable because two factors are used.
C.Incorrect. This choice is not applicable because two factors are used.
D.Incorrect. This choice is not applicable because two factors are used.

196.What is using a personal identity card with attended access (e.g., a security guard) and a
personal identification number (PIN) called?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer B is Correct


On the surface, this situation may seem to be three-factor authentication, but in reality, it is two-factor
authentication, because only a card (proof of one factor) and PIN (proof of second factor) are used,
resulting in a two-factor authentication. Note that it is not the strongest two-factor authentication
because of the attended access. A security guard is an example of attended access; the guard checks for
the validity of the card and is counted as one-factor authentication. Other examples of attended access
include peers, colleagues, and supervisors who will vouch for the identity of a visitor who is accessing
physical facilities.

A.Incorrect. This choice is not applicable because two factors are used.
C.Incorrect. This choice is not applicable because two factors are used.
D.Incorrect. This choice is not applicable because two factors are used.

197.A truck driver, who is an employee of a defense contractor, transports highly sensitive parts
and components from a defense contractor's manufacturing plant to a military installation at a
highly secure location. The military's receiving department tracks the driver's physical location
to ensure that there are no security problems on the way to the installation. Upon arrival at the
installation, the truck driver shows an employee badge with photo ID issued by the defense
contractor, enters a password and personal identification number (PIN), and presents a
fingerprint for biometric sampling prior to entering the installation and unloading the truck's
contents. What type of authentication is represented in this scenario?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer D is Correct


Tracking the driver's physical location (perhaps with GPS or a wireless sensor network) is an example
of somewhere you are (proof of first factor). Showing an employee badge with photo ID is
an example of something you have (proof of second factor). Entering a password and PIN is an
example of something you know (proof of third factor). Taking a biometric sample of fingerprint is an
example of something you are (proof of fourth factor). Therefore, this scenario represents four-factor
authentication. The key point is that it does not matter whether the proof presented is one item or more
items in the same category (e.g., somewhere you are, something you have, something you know, and
something you are).

A.Incorrect. This choice is not applicable because four factors are used.
B.Incorrect. This choice is not applicable because four factors are used.
C.Incorrect. This choice is not applicable because four factors are used.

198.All the following storage encryption authentication products may use the operating system's
authentication for single sign-on except:

A.Full-disk encryption.
B.Volume encryption.
C.Virtual disk encryption.
D.File encryption.

The Answer A is Correct


Products such as volume encryption, virtual disk encryption, or file/folder encryption may use the
operating system's authentication for single sign-on. After a user authenticates to the operating system
at login time, the user can access the encrypted data without further authentication, which is risky: the
same single-factor authenticator should not be used for multiple purposes. Full-disk encryption cannot
inherit the operating system's login because it authenticates the user before the operating system boots
(pre-boot authentication), so there is no OS session to reuse. Full-disk encryption also provides better
protection than the other three choices because the entire disk is encrypted, not just part of it.

B.Incorrect. Volume encryption is the process of encrypting an entire volume, which is a logical unit of
storage comprising a file system, and permitting access to the data on the volume only after proper
authentication is provided.
C.Incorrect. Virtual disk encryption is the process of encrypting a container, which can hold many files
and folders, and permitting access to the data within the container only after proper authentication is
provided. A container is a file encompassing and protecting other files.
D.Incorrect. File encryption is the process of encrypting individual files on a storage medium and
permitting access to the encrypted data only after proper authentication is provided.

199.Which of the following security mechanisms for high-risk storage encryption authentication
products provides protection against authentication-guessing attempts and favors security over
functionality?

A.Alert consecutive failed login attempts.
B.Lock the computer for a specified period of time.
C.Increase the delay between attempts.
D.Delete the protected data from the device.

The Answer D is Correct


For high-security situations, storage encryption authentication products can be configured so that too
many failed attempts cause the product to delete all the protected data from the device. This approach
strongly favors security over functionality.

A.Incorrect. This choice can be used for low-security situations.
B.Incorrect. This choice can be used for low-security situations.
C.Incorrect. This choice can be used for low-security situations.
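
The escalation options in this question, as an added example that is not code from the Wiley text or
from any storage encryption product: one small policy object covers alerting, exponential delay,
lockout, and (for the high-security configuration) wiping the protected data. The thresholds, the
`ProtectedDevice` class, and the plaintext secret comparison are assumptions for the illustration; a real
product would compare against a derived key, not a stored secret.

```python
"""Added example: how a storage encryption product can respond to repeated
authentication failures. Thresholds and class names are assumed values."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FailurePolicy:
    alert_after: int = 3               # log an alert at this many consecutive failures
    lock_after: int = 5                # lock the device for lock_seconds
    lock_seconds: float = 300.0
    wipe_after: Optional[int] = None   # None = never wipe (low-security default)
    base_delay: float = 1.0            # delay doubles per failure once alerting starts


@dataclass
class ProtectedDevice:
    secret: str                        # illustration only; products store a derived key
    policy: FailurePolicy
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False
    events: List[str] = field(default_factory=list)

    def delay_for(self) -> float:
        """Seconds the product should wait before accepting the next attempt:
        0 until the alert threshold, then 1s, 2s, 4s, ... (increasing delay)."""
        if self.failures < self.policy.alert_after:
            return 0.0
        return self.policy.base_delay * 2 ** (self.failures - self.policy.alert_after)

    def attempt(self, candidate: str, now: float) -> str:
        """Returns one of: ok, denied, locked, wiped."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(candidate.encode(), self.secret.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures == self.policy.alert_after:
            self.events.append(f"ALERT: {self.failures} consecutive failures")
        if self.policy.wipe_after and self.failures >= self.policy.wipe_after:
            self.secret = ""           # key material destroyed: data is unrecoverable
            self.wiped = True
            self.events.append("WIPE: protected data deleted")
            return "wiped"
        if self.failures >= self.policy.lock_after:
            self.locked_until = now + self.policy.lock_seconds
            self.events.append(f"LOCK: until t={self.locked_until}")
            return "locked"
        return "denied"
```

With the default policy the device only alerts and locks (security balanced against functionality); setting
`wipe_after` turns on the behaviour the correct answer describes, and a legitimate user who forgets the
password after that many tries loses the data, which is exactly the trade-off the question points at.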

200.Recovery mechanisms for storage encryption authentication solutions require which of the
following?

A.A trade-off between confidentiality and security
B.A trade-off between integrity and security
C.A trade-off between availability and security
D.A trade-off between accountability and security

The Answer C is Correct


Recovery mechanisms increase the availability of storage encryption authentication solutions for
individual users, but they can also increase the likelihood that an attacker can gain unauthorized access
to encrypted storage by abusing the recovery mechanism. Therefore, information security management
should consider the trade-off between availability and security when selecting and planning recovery
mechanisms.

A.Incorrect. This choice does not provide recovery mechanisms.
B.Incorrect. This choice does not provide recovery mechanisms.
D.Incorrect. This choice does not provide recovery mechanisms.

201.Regarding password management, which of the following enforces password strength
requirements effectively?

A.Educate users on password strength.
B.Run a password cracker program to identify weak passwords.
C.Perform a cracking operation offline.
D.Use a password filter utility program.

The Answer D is Correct


One way to ensure password strength is to add a password filter utility program (also known as a
password complexity enforcement program), which is specifically designed to verify that a password
created by a user complies with the password policy. Adding a password filter is a more rigorous and
proactive solution than without the filter.

A.Incorrect. This choice is a less rigorous and reactive solution.
B.Incorrect. This choice is a less rigorous and reactive solution.
C.Incorrect. This choice is a less rigorous and reactive solution.

202.Which of the following controls over telecommuting use tokens and/or one-time passwords?

A.Firewalls
B.Robust authentication
C.Port protection devices
D.Encryption

The Answer B is Correct


Robust authentication increases security in two significant ways. It can require the user to possess a
token in addition to a password or personal identification number (PIN). Tokens, when used with PINs,
provide significantly more security than passwords. With this type of authentication, a hacker or other
would-be impersonator must have both a valid token and the corresponding PIN. This is much more
difficult than obtaining a valid password and user ID combination. Robust authentication can also
create one-time passwords. Electronic monitoring (eavesdropping or sniffing) or observing a user type
in a password is not a threat with one-time passwords because each time a user is authenticated to the
computer, a different “password” is used. A hacker could learn the one-time password through
electronic monitoring, but it would be of no value.

A.Incorrect. A firewall uses a secure gateway or series of gateways to block or filter access between
two networks, often between a private network and a larger, more public network, such as the internet
or a public-switched network (e.g., the telephone system). A firewall does not use tokens and
passwords as much as robust authentication does.
C.Incorrect. A port protection device (PPD) is connected to a communications port of a host computer
and authorizes access to the port itself, prior to and independent of the computer's own access control
functions. A PPD can be a separate device in the communications stream or may be incorporated into a
communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a
password, to access the communications port. One of the most common PPDs is the dial-back modem.
PPD does not use tokens and passwords as much as robust authentication does.
D.Incorrect. Encryption is more expensive than robust authentication. It is most useful if highly
confidential data needs to be transmitted or if moderately confidential data is transmitted in a
high-threat area. Encryption is most widely used to protect the confidentiality of data and its integrity
(it detects changes to files). Encryption does not use tokens and passwords as much as robust
authentication does.
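
The one-time password mechanism described above, as an added example that is not code from the
Wiley text: a counter-based OTP (HOTP, RFC 4226) generated by a token, verified by a server that also
checks the user's PIN. The secret and the expected codes are the RFC 4226 Appendix D test vectors; the
`Authenticator` class and its look-ahead window are assumptions for this illustration.

```python
"""Added example: token + PIN login with one-time passwords. A sniffed or
observed OTP is useless because the server never accepts a counter twice."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret ("12345678901234567890" as ASCII bytes).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Server side of robust authentication: something you have (the token's
    secret and counter) plus something you know (the PIN)."""

    def __init__(self, secret: bytes, pin: str, look_ahead: int = 5):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._counter = 0              # next counter value expected from the token
        self._look_ahead = look_ahead  # tolerates a few unused presses on the token

    def verify(self, pin: str, otp: str) -> bool:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return False
        # Only counters at or beyond the current one are candidates, so an OTP
        # that has already been accepted falls outside the window and is rejected.
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                self._counter = c + 1  # resynchronize and burn this value
                return True
        return False
```

The two checks in `verify` are the two properties the explanation lists: an impersonator needs both the
token (to produce the next code) and the PIN, and a code captured by sniffing cannot be replayed
because the server's counter has already moved past it.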

203.Which of the following statements about an access control system is not true?

A.It is typically enforced by a specific application.
B.It indicates what a specific user could have done.
C.It records failed attempts to perform sensitive actions.
D.It records failed attempts to access restricted data.

The Answer A is Correct


Some applications use access control (typically enforced by the operating system) to restrict access to
certain types of information or application functions. This can be helpful to determine what a particular
application user could have done. Some applications record information related to access control, such
as failed attempts to perform sensitive actions or access restricted data. It is not true that an access
control system is typically enforced by a specific application.

B.Incorrect. This choice is a true statement.
C.Incorrect. This choice is a true statement.
D.Incorrect. This choice is a true statement.

204.Which of the following is not a preventive measure against network intrusion attacks?

A.Firewalls
B.Auditing
C.System configuration
D.Intrusion detection system

The Answer B is Correct


Auditing is a detection activity, not a preventive measure.

A.Incorrect. Firewalls are preventive measures against network intrusion attacks.
C.Incorrect. System configuration (hardening) is a preventive measure against network intrusion attacks.
D.Incorrect. The answer key treats an intrusion detection system as part of the preventive perimeter
alongside firewalls and hardened configuration. Strictly speaking, an IDS on its own detects and alerts,
and only an intrusion prevention system (IPS) blocks traffic; the intended contrast here is with auditing,
which is an after-the-fact review activity.

205.Smart card authentication is an example of which of the following?

A.Proof by knowledge
B.Proof by property
C.Proof by possession
D.Proof of concept

The Answer C is Correct


Smart cards are credit card size plastic cards that hold embedded computer chips containing an
operating system, programs, and data. Smart card authentication is perhaps the best-known example of
proof by possession (e.g., key, card, or token).

A.Incorrect. Passwords are examples of proof by knowledge.
B.Incorrect. Fingerprints are examples of proof by property.
D.Incorrect. A proof of concept is a demonstration that an idea or product is feasible, carried out before
the actual product is developed; it is not an authentication category.

206.Which of the following is a component that provides a security service for a smart card
application used in a mobile device authentication?

A.Challenge-response protocol
B.Service provider
C.Resource manager
D.Driver for the smart card reader

The Answer A is Correct


The underlying mechanism used to authenticate users via smart cards relies on a challenge-response
protocol between the mobile device and the smart card. For example, a personal digital assistant (PDA)
challenges the smart card for an appropriate and correct response that can be used to verify that the
card is the one originally enrolled by the PDA device owner. The challenge-response protocol provides
a security service.

B.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
C.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
D.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
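
The challenge-response exchange described above, as an added example that is not code from the
Wiley text or from any card operating system or middleware: the card holds a key written at
enrollment, the device keeps the card ID and the same key, and each authentication is a fresh random
challenge answered with an HMAC. The `SmartCard` and `MobileDevice` classes and the HMAC-SHA256
construction are assumptions for this illustration.

```python
"""Added example: device-to-card challenge-response. A cloned card without the
enrolled key fails, and a recorded response cannot be replayed."""
import hashlib
import hmac
import os


class SmartCard:
    """Card side: answers a challenge with HMAC(key, card_id || challenge)."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key                 # never leaves the card in a real product

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()


class MobileDevice:
    """Device side: issues fresh challenges and verifies the card's responses."""

    def __init__(self):
        self._enrolled = {}             # card_id -> key, filled at enrollment
        self._outstanding = set()       # challenges issued but not yet answered

    def enroll(self, card: SmartCard, key: bytes) -> None:
        self._enrolled[card.card_id] = key

    def challenge(self) -> bytes:
        c = os.urandom(16)              # unpredictable, so responses cannot be precomputed
        self._outstanding.add(c)
        return c

    def verify(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        key = self._enrolled.get(card_id)
        if key is None or challenge not in self._outstanding:
            return False                # unknown card, or a challenge already consumed
        self._outstanding.discard(challenge)   # each challenge may be answered once
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(device: MobileDevice, card: SmartCard) -> bool:
    """One full exchange: device -> challenge -> card -> response -> device."""
    c = device.challenge()
    return device.verify(card.card_id, c, card.respond(c))
```

The resource manager, service provider, and reader driver in the other choices only move bytes between
the two parties; the security service is the exchange itself, which is why the verification lives in
`MobileDevice.verify` and nowhere else.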

207.Which of the following is not a sophisticated technical attack against smart cards?

A.Reverse engineering
B.Fault injection
C.Signal leakage
D.Impersonating

The Answer D is Correct


For user authentication, the fundamental threat is an attacker who impersonates a legitimate user and
thereby gains control of the device and its contents. Impersonation targets the user or the
authentication process rather than the card's hardware, so it is an unsophisticated attack compared
with the other three choices.

A.Incorrect. Reverse engineering is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.
B.Incorrect. Fault injection is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.
C.Incorrect. Signal leakage is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.

208.Which of the following is an example of nonpolled authentication?

A.Smart card
B.Password
C.Memory token
D.Communications signal

The Answer B is Correct


Nonpolled authentication is a discrete, one-time check and is the less secure of the two approaches:
once the verdict is determined, it stands unchanged until the next authentication attempt, even if the
user walks away. Examples of nonpolled authentication include password, fingerprint, and voice
verification.

A.Incorrect. A smart card is an example of polled authentication. Polled authentication is continuous
and more secure: (1) the presence of a card, token, or signal maintains the authenticated status, and
(2) the absence of that card, token, or signal triggers a nonauthenticated condition.
C.Incorrect. A memory token is an example of polled authentication, for the same reason: its presence
maintains the authenticated status and its absence triggers a nonauthenticated condition.
D.Incorrect. A communications signal is an example of polled authentication, for the same reason: its
presence maintains the authenticated status and its absence triggers a nonauthenticated condition.

209.Sniffing precedes which of the following?

A.Phishing and pharming
B.Spoofing and hijacking
C.Snooping and scanning
D.Cracking and scamming

The Answer B is Correct


Sniffing is observing and monitoring packets passing by on the network traffic using packet sniffers.
Sniffing precedes either spoofing or hijacking. Spoofing, in part, is using various techniques to subvert
Internet Protocol (IP)–based access control by masquerading as another system by using its IP address.
Spoofing is an attempt to gain access to a system by posing as an authorized user. Other examples of
spoofing include spoofing packets to hide the origin of attack in a denial-of-service situation, spoofing
email headers to hide spam, and spoofing phone numbers to fool caller-ID. Spoofing is synonymous
with impersonating, masquerading, or mimicking and is not synonymous with sniffing. Hijacking is an
attack that occurs during an authenticated session with a database or system.

A.Incorrect. Phishing is tricking individuals into disclosing sensitive personal information through
deceptive computer-based means. Phishing attacks use social engineering and technical subterfuge to
steal consumers’ personal identity data and financial account credentials. It involves internet fraudsters
who send spam or pop-up messages to obtain personal information (e.g., credit card numbers, bank
account information, Social Security number, passwords, or other sensitive information) from
unsuspecting victims. Pharming is misdirecting users to fraudulent websites or proxy servers, typically
through domain name system hijacking or poisoning.
C.Incorrect. Snooping, scanning, and sniffing are all actions that search for required and valuable
information. They involve looking around for vulnerabilities and planning to attack. These are
preparatory actions prior to launching serious penetration attacks.
D.Incorrect. Cracking is breaking password protection or bypassing software controls in an electronic
authentication system, such as user registration. Scamming is impersonating a legitimate business on
the internet. Buyers should check out sellers before buying goods or services; a legitimate seller should
provide a physical address with a working telephone number.

210.Passwords and personal identification numbers (PINs) are examples of which of the
following?

A.Procedural access controls
B.Physical access controls
C.Logical access controls
D.Administrative access controls

The Answer C is Correct


Passwords, PINs, and encryption are examples of logical access controls.

A.Incorrect. This choice represents a type of access control, but not the one passwords and PINs belong to.
B.Incorrect. This choice represents a type of access control, but not the one passwords and PINs belong to.
D.Incorrect. This choice represents a type of access control, but not the one passwords and PINs belong to.

211.Each user is granted the lowest clearance needed to perform authorized tasks. Which of the
following principles is this?

A.The principle of least privilege
B.The principle of separation of duties
C.The principle of system clearance
D.The principle of system accreditation

The Answer A is Correct


The principle of least privilege requires that each subject (user) in a system be granted the most
restrictive set of privileges (or lowest clearances) needed to perform authorized tasks. The application
of this principle limits the damage that can result from accident, error, and/or unauthorized use.

B.Incorrect. The principle of separation of duties states that no single person can have complete control
over a business transaction or task.
C.Incorrect. The principle of system clearance states that users’ access rights should be based on their
job clearance status (i.e., sensitive or nonsensitive).
D.Incorrect. The principle of system accreditation states that all systems should be approved by
management prior to making them operational.

212.Which of the following statements is true about intrusion detection systems (IDS) and
firewalls?

A.Firewalls are a substitution for an IDS.
B.Firewalls are an alternative to an IDS.
C.Firewalls are a complement to an IDS.
D.Firewalls are a replacement for an IDS.

The Answer C is Correct


An IDS should be used as a complement to a firewall, not as a substitute, alternative, or replacement
for it. Together, they provide a synergistic effect.

A.Incorrect. This choice is not true.
B.Incorrect. This choice is not true.
D.Incorrect. This choice is not true.

213.Which of the following cannot prevent shoulder surfing?

A.Promoting education and awareness
B.Protecting keys while entering the password
C.Installing encryption techniques
D.Asking people not to watch while a password is typed

The Answer C is Correct


The key point in preventing shoulder surfing is to make sure that no one watches users while they type
their passwords. Encryption does not help here because it is applied after the password has been
entered, not while it is being typed. Proper education and awareness, together with shielding the keys
while typing, can eliminate this problem.

A.Incorrect. This choice can help prevent shoulder surfing.
B.Incorrect. This choice can help prevent shoulder surfing.
D.Incorrect. This choice can help prevent shoulder surfing.

214.Which one of the following is not an authentication mechanism?

A.What the user knows
B.What the user has
C.What the user can do
D.What the user is

The Answer C is Correct


“What the user can do” is defined in access rules or user profiles, which comes after a successful
authentication process. Hence, this choice is not an authentication mechanism.

A.Incorrect. This choice is a part of an authentication process. The authenticator factor “knows” means
using a password or personal identification number.
B.Incorrect. This choice is a part of an authentication process. The authenticator factor “has” means
using a key or card.
D.Incorrect. This choice is a part of an authentication process. The authenticator factor “is” means
using a biometric identity (e.g., fingerprint or thumb print).

215.How is authorization different from authentication?

A.Authorization comes after authentication.
B.Authorization and authentication are the same.
C.Authorization is verifying the identity of a user.
D.Authorization comes before authentication.

The Answer A is Correct


Authorization comes after authentication because users are granted access to a program (authorization)
after they are fully authenticated. Authorization is permission to do something with information in a
computer.

B.Incorrect. Authorization and authentication are not the same. Authorization refers to verifying the
user's permission; authentication refers to verifying the identity of a user.
C.Incorrect. Authorization is permission to do something with information in a computer.
D.Incorrect. Authorization comes after authentication.

216.Which of the following statements is not true about discretionary access control?

A.Access is based on the authorization granted to the user.
B.It uses access control lists.
C.It uses grant access or revoke access to objects.
D.Users and owners are different.

The Answer D is Correct


In discretionary access control, the granting and revoking of access control privileges is left to the
discretion of individual users. A discretionary access control mechanism enables users to grant or
revoke access to any of the objects under their control. As such, users are said to be the owners of the
objects under their control. This mechanism uses access control lists. Because users are the owners of
the objects they control, the statement that users and owners are different is not true of discretionary
access control.

A.Incorrect. This choice is a true statement about discretionary access control.
B.Incorrect. This choice is a true statement about discretionary access control.
C.Incorrect. This choice is a true statement about discretionary access control.

217.Which of the following does not provide robust authentication?

A.Kerberos
B.Secure remote procedure calls
C.Reusable passwords
D.Digital certificates

The Answer C is Correct


Reusable passwords provide weak authentication. Robust authentication means strong authentication
that should be required for accessing internal computer systems. Robust authentication is provided by
Kerberos, one-time passwords, challenge-response exchanges, digital certificates, and secure remote
procedure calls.

A.Incorrect. This choice provides a robust authentication. Kerberos is an authentication tool used in
local logins, remote authentication, and client-server requests. It is a means of verifying the identities
of principals on an open network.
B.Incorrect. This choice provides robust authentication.
D.Incorrect. This choice provides robust authentication.

218.Which of the following is not an example of nondiscretionary access control?

A.Identity-based access control
B.Mandatory access control
C.Role-based access control
D.Temporal constraints

The Answer A is Correct


In nondiscretionary access control policies, rules are not established at the discretion of the user. These
controls can be changed only through administrative action and not by users. An identity-based access
control (IBAC) decision grants or denies a request based on the presence of an entity on an access
control list. IBAC and discretionary access control are considered equivalent and are not examples of
nondiscretionary access controls.

B.Incorrect. This choice is an example of nondiscretionary access control. Mandatory access control
deals with administrator-set rules, typically comparing a subject's clearance with an object's classification.
C.Incorrect. This choice is an example of nondiscretionary access control. Role-based access control
deals with job titles and functions.
D.Incorrect. This choice is an example of nondiscretionary access control. Temporal constraints deal
with time-based restrictions and control time-sensitive activities.

219.How does a rule-based access control mechanism work?

A.It is based on filtering rules.
B.It is based on identity rules.
C.It is based on access rules.
D.It is based on business rules.

The Answer C is Correct


A rule-based access control mechanism is based on specific rules relating to the nature of the subject
and object. These specific rules are embedded in access rules.

A.Incorrect. Filtering rules are specified in firewalls.
B.Incorrect. Identity rules are applied to individuals.
D.Incorrect. Business rules are too broad to apply here.
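
The nondiscretionary mechanisms from the two questions above (mandatory, role-based, temporal, and
rule-based access control), as one added example that is not code from the Wiley text: an
administrator-defined rule list is evaluated against attributes of the subject and the object plus the
time of day, and ordinary users have no way to change it. The rule contents, attribute names, and
classification levels are constructed for this illustration.

```python
"""Added example: a rule-based access decision combining a mandatory
(clearance vs classification) rule, a temporal rule, and role-based rules.
First matching rule decides; anything unmatched is denied by default."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

LEVELS = {"public": 0, "sensitive": 1, "secret": 2}   # ordering used by the MAC rule


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str
    kind: str


@dataclass(frozen=True)
class Rule:
    description: str
    applies: Callable[[Subject, Obj, str, int], bool]   # (subject, object, action, hour)
    allow: bool


# Set by an administrator; users cannot edit this list (nondiscretionary).
RULES: List[Rule] = [
    Rule("MAC: no read-up across classification levels",
         lambda s, o, a, h: a == "read" and LEVELS[s.clearance] < LEVELS[o.classification],
         allow=False),
    Rule("Temporal: payroll writes only between 08:00 and 18:00",
         lambda s, o, a, h: o.kind == "payroll" and a == "write" and not 8 <= h < 18,
         allow=False),
    Rule("RBAC: payroll clerks may read and write payroll objects",
         lambda s, o, a, h: s.role == "payroll_clerk" and o.kind == "payroll" and a in ("read", "write"),
         allow=True),
    Rule("RBAC: auditors may read anything they are cleared for",
         lambda s, o, a, h: s.role == "auditor" and a == "read",
         allow=True),
]


def decide(subject: Subject, obj: Obj, action: str, hour: int) -> Tuple[bool, str]:
    """Evaluate the rules in order and return (allowed, reason)."""
    for rule in RULES:
        if rule.applies(subject, obj, action, hour):
            return rule.allow, rule.description
    return False, "default deny"
```

Ordering matters: the deny rules are listed first so that a role grant can never override the mandatory
clearance check or the time window, which is the property that distinguishes these controls from the
discretionary kind.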

220.Individual accountability does not include which of the following?

A.Unique user identifiers
B.Access authorization rules
C.Audit trails
D.Policies and procedures

The Answer D is Correct


A basic tenet of information technology security is that individuals must be accountable for their
actions. If this idea is not followed and enforced, it is not possible to successfully prosecute those who
intentionally damage or disrupt systems or to train those whose actions have unintended adverse effects.
Policies and procedures indicate what to accomplish and how to accomplish objectives. By themselves,
they do not exact individual accountability.

A.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.
B.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.
C.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.

221.From an access control viewpoint, which of the following is computed from a passphrase?

A.Access password
B.Personal password
C.Valid password
D.Virtual password

The Answer D is Correct


A virtual password is a password computed from a passphrase that meets the requirements of password
storage in terms of its length and size (e.g., 56 bits for the Data Encryption Standard (DES)). A
passphrase is a sequence of characters, longer than the acceptable length of a regular password, which
is transformed by a password system into a virtual password of acceptable length.

A.Incorrect. An access password is not computed from a passphrase. This password is used to authorize
access to data and is distributed to all those who are authorized to have similar access to that data.
B.Incorrect. A personal password is not computed from a passphrase. It is known by only one person
and is used to authenticate that person's identity.
C.Incorrect. A valid password is not computed from a passphrase. It is a personal password that
authenticates the identity of an individual when presented to a password system. It is also an access
password that enables the requested access when presented to a password system.
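
The passphrase-to-virtual-password transformation described above, as an added example that is not
code from the Wiley text: a key derivation function reduces a passphrase of any length to a fixed-length
value, shown beside naive truncation to make the point that the whole passphrase must contribute. The
8-byte output, the salt, and the iteration count are assumptions for this illustration.

```python
"""Added example: deriving a fixed-length virtual password from a passphrase.
Truncation keeps only the first bytes; a KDF uses every character."""
import hashlib

VIRTUAL_LEN = 8          # bytes; the size of a DES key block, as in the explanation


def truncate(passphrase: str) -> bytes:
    """Naive transformation: first VIRTUAL_LEN bytes only, zero-padded.
    Two passphrases with the same first 8 bytes become the same password."""
    return passphrase.encode("utf-8")[:VIRTUAL_LEN].ljust(VIRTUAL_LEN, b"\0")


def virtual_password(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 over the full passphrase, derived to VIRTUAL_LEN bytes.
    The salt keeps identical passphrases on different systems from colliding."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, VIRTUAL_LEN)
```

A password system that truncated passphrases would silently discard most of the entropy the user typed,
so the derivation, not the storage length, is what makes the virtual password acceptable.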

222.Which of the following user identification and authentication techniques depend on reference
profiles or templates?

A.Memory tokens
B.Smart cards
C.Cryptography
D.Biometric systems

The Answer D is Correct


Biometric systems require the creation and storage of profiles or templates of individuals wanting
system access. This includes physiological attributes, such as fingerprints, hand geometry, or retina
patterns, or behavioral attributes, such as voice patterns and handwritten signatures.

A.Incorrect. Memory tokens do not depend on reference profiles or templates. Memory tokens involve
the creation and distribution of a token device with a personal identification number (PIN) and data that
tell the computer how to recognize valid tokens or PINs.
B.Incorrect. Smart cards do not depend on reference profiles or templates. Smart cards involve the
creation and distribution of a token device with a personal identification number (PIN) and data that
tell the computer how to recognize valid tokens or PINs.
C.Incorrect. Cryptography does not depend on reference profiles or templates. Cryptography requires
the generation, distribution, storage, entry, use, and archiving of cryptographic keys, as in encryption.

223.What is the objective of separation of duties?

A.No one person has complete control over a transaction or an activity.
B.Employees from different departments do not work together well.
C.Controls are available to protect all supplies.
D.Controls are in place to operate all equipment.

The Answer A is Correct


The objective is to limit what people can do, especially in conflict situations or incompatible functions,
in such a way that no one person has complete control over a transaction or an activity from start to
finish. The goal is to limit the possibility of hiding irregularities or fraud.

B.Incorrect. This choice is not related to separation of duties.
C.Incorrect. This choice is not related to separation of duties.
D.Incorrect. This choice is not related to separation of duties.

224.What names are used in an access control matrix?

A.Users in each row and names of objects in each column
B.Programs in each row and names of users in each column
C.Users in each column and names of devices in each row
D.Subjects in each column and names of processes in each row

The Answer A is Correct


Discretionary access control is a mechanism in which identified users control access to the objects they
own. An access control matrix can be used to implement it: names of users (subjects) are placed in each
row and names of objects in each column, and each cell holds the rights that subject has to that object.
A subject is an active entity, generally in the form of a person, process, or device, that causes
information to flow among objects or changes the system's state. An object is a passive entity that
contains or receives information; access to an object potentially implies access to the information it
contains. Examples of objects include records, programs, pages, files, and directories. Hence, an access
control matrix describes the association between subjects and objects for the authorization of access
rights: a column of the matrix is the object's access control list, and a row is the subject's list of
capabilities.

B.Incorrect. This choice does not describe the contents of an access control matrix.
C.Incorrect. This choice does not describe the contents of an access control matrix.
D.Incorrect. This choice does not describe the contents of an access control matrix.
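
The matrix just described, as an added example that is not code from the Wiley text and that also
serves the discretionary access control question (216) above: users are the rows, objects are the
columns, and only an object's owner may grant or revoke rights, which is what makes the control
discretionary. The `AccessControlMatrix` class and the user and object names are constructed for the
illustration.

```python
"""Added example: a discretionary access control matrix. The ACL for an object
is one column; the capability list for a user is one row."""
from typing import Dict, Set


class AccessControlMatrix:
    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}                        # object -> owner
        self._matrix: Dict[str, Dict[str, Set[str]]] = {}       # user -> object -> rights

    def create(self, owner: str, obj: str) -> None:
        """Creating an object makes its creator the owner with full rights."""
        self._owner[obj] = owner
        self._matrix.setdefault(owner, {})[obj] = {"own", "read", "write"}

    def grant(self, by: str, user: str, obj: str, right: str) -> bool:
        """Discretionary: the decision belongs to the owner, not an administrator."""
        if self._owner.get(obj) != by:
            return False
        self._matrix.setdefault(user, {}).setdefault(obj, set()).add(right)
        return True

    def revoke(self, by: str, user: str, obj: str, right: str) -> bool:
        if self._owner.get(obj) != by:
            return False
        self._matrix.get(user, {}).get(obj, set()).discard(right)
        return True

    def check(self, user: str, obj: str, right: str) -> bool:
        """Access decision: look up the cell at (row=user, column=object)."""
        return right in self._matrix.get(user, {}).get(obj, set())

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """Column view: the access control list of one object."""
        return {u: set(rights[obj]) for u, rights in self._matrix.items() if rights.get(obj)}

    def capabilities(self, user: str) -> Dict[str, Set[str]]:
        """Row view: everything one user may do."""
        return {o: set(r) for o, r in self._matrix.get(user, {}).items() if r}
```

The failed `grant` by a non-owner is the behaviour the DAC question turns on: a user who merely holds
read access cannot pass it on, because users and owners are the same people only for the objects they
own.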

225.Which of the following types of access control mechanism does not rely on physical access
controls?

A.Encryption controls
B.Application system access controls
C.Operating system access controls
D.Utility programs

The Answer A is Correct


Encryption controls depend solely on the strength of the algorithm and the secrecy of the key it uses.
Encryption does not rely on physical access controls.

B.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.
C.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.
D.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.

226.An inherent risk is associated with logical access that is difficult to prevent or mitigate but
can be identified via a review of audit trails. Which of the following types of access is this risk
most associated with?

A.Properly used authorized access
B.Misused authorized access
C.Unsuccessful unauthorized access
D.Successful unauthorized access

The Answer B is Correct


Both properly used and misused authorized access leave audit trail data that can be analyzed, but
misused authorized access requires a closer review of that data because of its higher risk. Users cannot
be prevented from using resources to which they have legitimate access authorization, so audit trail
analysis is the main means of examining what they actually did with that access. Hence, misused
authorized access is the type most associated with this inherent risk.

A.Incorrect. Properly used authorized access can use audit trail analysis, but the risk is much lower
than the misused authorized access.
C.Incorrect. Unauthorized access attempts, whether successful or not, can be detected through the
analysis of audit trails.
D.Incorrect. Unauthorized access attempts, whether successful or not, can be detected through the
analysis of audit trails.
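
The audit trail review described above, as an added example that is not code from the Wiley text:
every line in the constructed log below is a successful, authorized action, so an allow/deny check
finds nothing, and the review instead flags activity that is out of keeping with normal use (off-hours
access, bulk reads, exports). The log format, user names, business hours, and thresholds are all
constructed for this illustration.

```python
"""Added example: detecting misuse of authorized access from audit records."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample audit trail; not from any real system.
LOG = """\
2024-03-04T09:12:07 user=jsmith action=read object=customer_db records=12 result=success
2024-03-04T10:40:51 user=jsmith action=read object=customer_db records=9 result=success
2024-03-04T11:02:19 user=mlee action=read object=payroll records=3 result=success
2024-03-05T02:13:07 user=jsmith action=read object=customer_db records=5000 result=success
2024-03-05T02:14:30 user=jsmith action=export object=customer_db records=5000 result=success
2024-03-05T14:05:00 user=mlee action=read object=payroll records=4 result=success
2024-03-05T14:06:12 user=dbrown action=read object=payroll records=1 result=failure
"""

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                  r"object=(?P<obj>\S+) records=(?P<n>\d+) result=(?P<result>\S+)")
BUSINESS_HOURS = range(8, 19)      # 08:00 to 18:59, assumed
BULK_THRESHOLD = 1000              # records per action, assumed baseline


def parse(log: str) -> List[dict]:
    """Turn the key=value audit lines into dicts; malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["n"] = int(d["n"])
            d["hour"] = int(d["ts"][11:13])
            rows.append(d)
    return rows


def review(rows: List[dict]) -> Dict[str, List[str]]:
    """Return {user: [findings]} for successful actions that look like misuse.
    Failed attempts are left to the unauthorized-access review (choices C and D)."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        if r["result"] != "success":
            continue
        if r["hour"] not in BUSINESS_HOURS:
            findings[r["user"]].append(f"{r['ts']}: {r['action']} on {r['obj']} outside business hours")
        if r["n"] >= BULK_THRESHOLD:
            findings[r["user"]].append(f"{r['ts']}: bulk {r['action']} of {r['n']} records from {r['obj']}")
        if r["action"] == "export":
            findings[r["user"]].append(f"{r['ts']}: export of {r['obj']}")
    return dict(findings)
```

Nothing here would have been blocked by the access control system, because jsmith was entitled to read
the customer database; the 02:13 bulk read followed by an export is only visible after the fact, which is
the point the question makes about audit trails.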

227.Which of the following is the most effective method for password creation?

A.Using password generators
B.Using password advisors
C.Assigning passwords to users
D.Implementing user-selected passwords

The Answer B is Correct


Password advisors are computer programs that examine user choices for selecting passwords and
inform users if passwords are weak. Hence, this is the most effective method for password creation.

A.Incorrect. Passwords produced by password generators are difficult to remember, whereas


user-selected passwords are easy to guess. Hence, this is the least effective method for password
creation.
C.Incorrect. Users write down assigned passwords on paper. Hence, this is the least effective method
for password creation.
D.Incorrect. This choice comes after the selection of passwords.
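A minimal password advisor of the kind question 227 describes, as an added example that is not part of the Wiley text: it examines a user-chosen password and tells the user why it is weak instead of generating or assigning one. The rules, the small constructed common-password list and the thresholds are assumptions for the illustration.

```python
"""A minimal password advisor: examine a user-chosen password and report
its weaknesses in plain language (question 227).

Added example, not from the Wiley text. The rules, the tiny constructed
common-password list and the thresholds are assumptions for illustration.
"""
import re

# Constructed denylist; a real advisor would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def advise(password, user_id=""):
    """Return a list of weaknesses found; an empty list means acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    lowered = password.lower()
    # Catch common words even with a trailing digit or "!" tacked on.
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789!") in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if any(run in lowered for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard or numeric sequence")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats the same character three or more times")
    return problems


if __name__ == "__main__":
    for candidate, uid in (("Password1!", "jsmith"),
                           ("jsmith2024", "jsmith"),
                           ("Correct-Horse-Battery9", "jsmith")):
        found = advise(candidate, uid)
        verdict = "acceptable" if not found else "weak: " + "; ".join(found)
        print(f"{candidate!r}: {verdict}")
```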

228.Which of the following is not a technical security control?

A.Encryption
B.Smart cards
C.Social engineering
D.Access control lists

The Answer C is Correct

Social engineering is not a technical security control. It is a nontechnical intrusion that relies heavily on
human interaction and often involves tricking other people to break normal security controls and
procedures. Different forms of social engineering include phishing, vishing, and smishing. Phishing is
the criminal act of attempting to manipulate a user victim into providing sensitive information by
masquerading as a trustworthy entity. Vishing is an approach that leverages voice communications in
enticing a user victim to call a certain phone number and divulge sensitive information; it uses voice
over internet protocol (VoIP) solutions and broadcasting services. Smishing exploits text messages,
which can contain links to such things as webpages, email addresses, web browsers, and phone
numbers that are highly integrated to increase the likelihood that users will fall victim to engineered
malicious activity. Exploitation by social engineering is lucrative and will increase in the mobile
market. People-based security controls are needed to educate employees about social engineering
intrusions.

A.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.
B.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.
D.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.

229.Which of the following results when software vulnerabilities are not mitigated in a timely
manner?
I. Zero-day threats
II. Zero-day exploits
III. Zero-day warez
IV. Zero-day incidents

A.I and II
B.I, II, and III
C.I, II, and IV
D.I, II, III, and IV

The Answer C is Correct

Large numbers of skilled attackers are discovering vulnerabilities at a significant rate. Software
suppliers and vendors with a good record of security fixes often gain early insight into security
vulnerabilities that are included on message boards and blogs. Examples of these vulnerabilities
include zero-day threats, zero-day exploits, and zero-day incidents, not zero-day warez. A zero-day
threat tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to
the software vendor, or for which no security fix is available. Note that the terms “zero-day threats,”
“zero-day exploits,” and “zero-day incidents” refer to the same thing. A zero-day warez refers to
content (e.g., software, games, videos, music, or data) unlawfully released or obtained on the day of
public release or earlier. Either a hacker or an employee of the releasing company is involved in
copying the content on the day of the official, public release or earlier. “Zero-day warez” is called
“negative day” or counted as a minus day from a calendar date because the content is released either on
the day of public release or earlier.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
D.Incorrect. This is a partial answer.

230.What is the major purpose of system hardening?

A.To remove all nonessential software
B.To remove all dangerous utility programs
C.To eliminate as many security risks as possible
D.To remove computer programs providing backdoor access into a system

The Answer C is Correct

The major purpose of system hardening is to eliminate as many security risks as possible in order to
make the system secure and strong. System hardening is achieved by removing all nonessential
software and dangerous utility programs from the computer. While some utility programs may offer
useful features to users, if they provide backdoor access to the system, they must be removed during
the system hardening process.

A.Incorrect. This choice is a minor purpose of system hardening.
B.Incorrect. This choice is a minor purpose of system hardening.
D.Incorrect. This choice is a minor purpose of system hardening.

231.Which of the following are examples of security boundary controls?

A.Patches and probes
B.Firewalls and fences
C.Tags and labels
D.Encryption and smart cards

The Answer B is Correct

A firewall is an example of logical access control while fences provide physical security and perimeter
access control. When these two controls are combined, they provide a total boundary control. By
limiting access to host systems and services, firewalls provide a necessary line of perimeter defense
against attacks and thus provide a logical security boundary control. Similarly, perimeter fences
provide a physical security boundary control for a facility or building.

A.Incorrect. A patch is a modification to software that fixes an error in an operational application
system on a computer. Patches are generally supplied by the software vendor. A probe is a device
programmed to gather information about a system or its users.
C.Incorrect. Tags and labels are used in access controls.
D.Incorrect. Encryption and smart cards are used in user identification and authentication mechanisms.

232.Which of the following cannot defend login spoofing?

A.Providing a secure channel between the user and the system
B.Installing a hardware reset button
C.Implementing cryptographic authentication techniques
D.Installing input overflow checks

The Answer D is Correct

Input overflow checks ensure that input is not lost during data entry or processing and are good against
input overflow attacks, which can be avoided by proper program design. They do not defend against
login spoofing.

A.Incorrect. Login spoofing can be defended against by providing a secure channel between the user
and the system.
B.Incorrect. A hardware-reset button on a personal computer can be very effective in removing some
kinds of spoofing attacks.
C.Incorrect. Cryptographic authentication techniques can increase security, but only for complex
systems.

233.Because much of the data involved in daily operations would be helpful to competitors if they
had access to it, a company authorizes access for employees to only the data required for
accomplishing their jobs. This approach is known as access on a(n):

A.Need-to-know basis.
B.Individual accountability basis.
C.Just-in-time basis.
D.Management-by-exception basis.

The Answer A is Correct

Access on a need-to-know basis means that access is authorized only as is required for employees to
perform authorized job functions.

B.Incorrect. “Individual accountability” means that individuals with access to data are responsible for
the use and security of data obtained via their access privileges.
C.Incorrect. “Just-in-time” means arranging delivery of inventory or materials as close to the time they
would be incorporated into products as is possible rather than maintaining large quantities of inventory
or materials.
D.Incorrect. “Management by exception” means spending managerial time on exceptional conditions
on the grounds that attending to exceptions is a better approach to management than spending time on
transactions or processes that are operating in their normal ranges.

234.The best preventive measure against a computer virus is to:

A.Compare software in use with authorized versions of the software.
B.Execute virus exterminator programs periodically on the system.
C.Allow only authorized software from known sources to be used on the system.
D.Prepare and test a plan for recovering from a virus.

The Answer C is Correct

Allowing only authorized software from known sources to be used on the system reduces the likelihood
of introducing a computer virus onto the system via software.

A.Incorrect. Comparing software in use with authorized versions of the software is a detective measure,
not a preventive measure.
B.Incorrect. Executing virus exterminator programs periodically on the system is a detective/corrective
measure, not a preventive measure.
D.Incorrect. Preparing and testing a plan for recovering from a virus is a corrective measure, not a
preventive measure.

235.A controller became aware that a competitor appeared to have access to the company's
pricing information. The internal auditor determined that the leak of information was occurring
during the electronic transmission of data from branch offices to the head office. Which of the
following controls would be most effective in preventing the leak of information?

A.Asynchronous transmission
B.Encryption
C.Use of fiber optic transmission lines
D.Use of passwords

The Answer B is Correct

Encryption is the conversion of data into a code. While data may be accessed by tapping into the
transmission line, an encryption “key” is necessary in order to understand the data being sent.

A.Incorrect. Asynchronous transmission does not prevent theft of data; it speeds up the transmission
process.
C.Incorrect. Fiber optic transmission lines will improve the quality of the transmission but will not
prevent theft of data.
D.Incorrect. Use of passwords will control access at the sending location and will limit access to the
head office computer. Passwords, however, will not prevent someone from tapping into the
transmission line.

236.An insurance firm uses a wide area network to allow agents away from the home office to
obtain current rates and client information and to submit approved claims using notebook
computers and dial-in modems. In this situation, which of the following methods would provide
the best data security?

A.Dedicated phone lines
B.Call-back features
C.Frequent changes of user IDs and passwords
D.End-to-end data encryption

The Answer D is Correct

Encryption of data from its entry point to the network and its return would provide the best data
security.

A.Incorrect. Dedicated phone lines would not be cost effective or available to field agents.
B.Incorrect. Field agents would not always be located at the same phone line to permit dial-up call back
usage.
C.Incorrect. User IDs and passwords can be compromised by an attacker's computer software.

237.When protecting a bank's customer information from identity theft, a bank's disclosure
policy would not respond to which of the following types of request?

A.An email
B.A pretext telephone call
C.A text message
D.A personal letter

The Answer B is Correct

A bank's policy would not respond to a fraudster's pretext telephone call. Pretext callers use pieces of a
customer's personal information to impersonate an account holder to gain access to that individual's
account information. Banks can take actions to reduce the incidence of pretext calling, such as limiting
the circumstances under which customer information may be disclosed by telephone. A bank's policy
could be that customer information is disclosed only through email, text message, a letter, or in-person
meeting.

A.Incorrect. A bank's disclosure policy would respond to an email from a bank's customer.
C.Incorrect. A bank's disclosure policy would respond to a text message from a bank's customer.
D.Incorrect. A bank's disclosure policy would respond to a personal letter from a bank's customer.

238.Which of the following is not a key value driver of an organization?

A.Strategies and goals
B.Culture and ethics
C.Products and services
D.Shareholders

The Answer D is Correct

Shareholders are not key value drivers because they are outsiders and play little or no role in the
day-to-day operations of an organization, either to create or destroy value. Instead, they receive value
from the organization in the form of dividends, increase in stock market price, and increase in wealth.
Key value drivers are core elements that can make an organization either a value creator or a value
destroyer.

A.Incorrect. Strategies and goals are key value drivers of an organization that can create value. Key
value drivers are core elements that can make an organization either a value creator or a value
destroyer.
B.Incorrect. Culture and ethics are key value drivers of an organization that can create value. Key value
drivers are core elements that can make an organization either a value creator or a value destroyer.
C.Incorrect. Products and services are key value drivers of an organization that can create value. Key
value drivers are core elements that can make an organization either a value creator or a value
destroyer.

239.Reengineering is the thorough analysis, fundamental rethinking, and complete redesign of
essential business processes. The intended result is a dramatic improvement in service, quality,
speed, and cost. An internal auditor's involvement in reengineering should include all of the
following except:

A.Determining whether the process has senior management's support.
B.Recommending areas for consideration.
C.Developing audit plans for the new system.
D.Directing the implementation of the redesigned process.

The Answer D is Correct

Internal auditors should not become directly involved in the implementation of the redesign process.
This would impair their independence and objectivity. Internal auditors should not perform this
function.

A.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.
B.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.
C.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.

240.Auditors are operating in organizations in which management is in the process of
reengineering operations with strong emphasis on total quality management (TQM) techniques.
In the quest to gain efficiency in processing, many of the traditional control procedures are being
deleted from the organization's control structure. As part of this change, management is:

A.Placing more emphasis on monitoring control activities.
B.Making different assumptions about human performance and the nature of human motivation than
was done under traditional control techniques.
C.Placing more emphasis on self-correcting control activities and process automation.
D.All of the above.

The Answer D is Correct

All of the actions taken in the other three choices are proper and meaningful to the organization.

A.Incorrect. All of the statements are reflective of the differences in approaches to controls in
reengineered organizations. Reengineering places more emphasis on monitoring controls to let
management know when an operation may be out of control and signals the need for corrective action.
This choice reflects management's proper action.
B.Incorrect. Most of the reengineering and TQM techniques assume that humans will be motivated to
actively work to improve the process when they are involved from the beginning. This choice reflects
management's proper action.
C.Incorrect. There is an increasing emphasis on self-correcting and automated controls. This choice
reflects management's proper action.

241.An organization has decided to reengineer several major processes. Of the following reasons
for employees to resist this change, which is least likely to happen?

A.Threat of loss of jobs
B.Required attendance at training classes
C.Breakup of existing work groups
D.Imposition of new processes by top management without prior discussion

The Answer B is Correct

Employee training programs facilitate doing jobs in a new or different way. This choice is least likely
to happen. Reengineering is the thorough analysis, fundamental rethinking, and complete redesign of
essential business processes. The intended result is a dramatic improvement in service, quality, speed,
and cost.

A.Incorrect. Real or imagined loss of jobs is a common reason for employees to resist any change. This
choice is most likely to happen. Reengineering is the thorough analysis, fundamental rethinking, and
complete redesign of essential business processes. The intended result is a dramatic improvement in
service, quality, speed, and cost.
C.Incorrect. Members of work groups often exert peer pressure on one another to resist change,
especially if social relationships are changed. This choice is most likely to happen. Reengineering is the
thorough analysis, fundamental rethinking, and complete redesign of essential business processes. The
intended result is a dramatic improvement in service, quality, speed, and cost.
D.Incorrect. Management's lack of communication and discussion of the need for switching to new
processes threatens the status quo. This choice is most likely to happen. Reengineering is the thorough
analysis, fundamental rethinking, and complete redesign of essential business processes. The intended
result is a dramatic improvement in service, quality, speed, and cost.

242.Which of the following paired items have a direct relationship with each other?

A.Sampling errors and confidence level
B.Risk appetite and value-at-risk
C.Sampling risk and reliability level
D.Audit risk and audit assurance

The Answer B is Correct

Risk appetite and value-at-risk have a direct relationship with each other. As the risk appetite increases,
the value-at-risk increases.

A.Incorrect. Sampling errors and confidence level have an inverse relationship with each other.
Sampling error is (1 minus confidence level), meaning as the sampling error increases, the confidence
level decreases.
C.Incorrect. Sampling risk and reliability level have an inverse relationship with each other. Sampling
risk is (1 minus reliability level), meaning as the sampling risk increases, the reliability level decreases.
D.Incorrect. Audit risk and audit assurance have an inverse relationship with each other. As the audit
risk increases, the audit assurance decreases.

243.Which of the following paired items have an inverse relationship with each other?

A.Audit reliance and audit assurance
B.Risk and return
C.Risk appetite and residual risk
D.Risk agility and risk resiliency

The Answer C is Correct

Risk appetite and residual risk have an inverse relationship with each other. As the risk appetite
decreases, the residual risk increases.

A.Incorrect. Audit reliance and audit assurance have a direct relationship with each other. As the audit
reliance increases, the audit assurance increases.
B.Incorrect. Risk and return have a direct relationship with each other. As the risk increases, the return
increases.
D.Incorrect. Risk agility and risk resiliency have a direct relationship with each other. As the risk
agility increases, the risk resiliency increases.

244.Which of the following paired items have a direct relationship with each other?

A.De-risking and residual risk
B.Sample size and sampling risk
C.Probability of ruin and value of an asset
D.Time-to-contain and cost of data breach

The Answer D is Correct

Time-to-contain and cost of data breach have a direct relationship with each other. As the
time-to-contain a data breach increases, the cost of data breach increases.

A.Incorrect. De-risking and residual risk have an inverse relationship with each other. As the de-risking
increases, the residual risk decreases.
B.Incorrect. Sample size and sampling risk have an inverse relationship with each other. As the sample
size increases, the sampling risk decreases.
C.Incorrect. Probability of ruin and value of an asset have an inverse relationship with each other. As
the probability of ruin increases, the value of an asset decreases.

245.Which of the following paired items have an inverse relationship with each other?

A.Click fraud rate and click-to-conversion time
B.Risk universe and audit universe
C.Competence and judgment
D.Proficiency and competence

The Answer A is Correct

Click fraud rate and click-to-conversion time have an inverse relationship with each other. As the click
fraud rate increases, the click-to-conversion time decreases.

B.Incorrect. Risk universe and audit universe have a direct relationship with each other. As the risk
universe increases, the audit universe increases.
C.Incorrect. Competence and judgment have a direct relationship with each other. As the competence
increases, the judgment increases.
D.Incorrect. Proficiency and competence have a direct relationship with each other. As the proficiency
increases, the competence increases.

246.Which of the following paired items have a direct relationship with each other?

A.Production volume and production costs
B.Audit risk scores and audit cycle frequency
C.Tolerable error and sample size
D.Precision limits and sample size

The Answer A is Correct

Production volume and production costs have a direct relationship with each other. As the production
volume increases, the associated production costs would also increase.

B.Incorrect. Audit risk scores and audit cycle frequency have an inverse relationship with each other.
As the audit risk scores increase, the audit cycle frequency gets decreased (i.e., shorter time intervals
between audits to address higher risk areas).
C.Incorrect. Tolerable error and sample size have an inverse relationship with each other. The lower
the tolerance for error, the larger the number of items that needs to be selected in a sample (i.e., need a
larger sample size).
D.Incorrect. Precision limits and sample size have an inverse relationship with each other. The smaller
the precision limits, the larger the size of the sample selected.

247.Relatively speaking, which of the following poses a minor risk to an organization?

A.Anti-debugging software
B.Anti-malware software
C.Anti-spyware software
D.Anti-spamming software

The Answer A is Correct

A major purpose of debugging software is to identify, detect, and remove bugs (errors) automatically
in applications software or operating system software. Even if hackers install anti-debugging software
to kill the automated features of debugging, computer programmers can do the same debugging work
manually, despite its inefficiency and ineffectiveness. In reality, hackers do not even bother to install
the anti-debugging software because they have nothing big to gain by doing so. This choice poses a
minor risk.

B.Incorrect. A major purpose of anti-malware software is to scan computer resources (e.g., files and
devices) for the presence of malware and protect such computer resources from getting infected with
malware. However, hackers can deactivate the anti-malware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous malware in the
place of the official anti-malware to conduct their attacks. This choice poses a major risk.
C.Incorrect. A major purpose of anti-spyware software is to scan computer resources (e.g., files and
devices) for the presence of spyware and protect such computer resources from getting infected with
spyware. However, hackers can deactivate the anti-spyware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous spyware in the
place of the official anti-spyware to conduct their attacks. This choice poses a major risk.
D.Incorrect. A major purpose of anti-spamming software is to scan computer resources (e.g., files and
devices) for the presence of spamware and protect such computer resources from getting infected with
spamware. However, hackers can deactivate the anti-spamware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous spamware in the
place of the official anti-spamware to conduct their attacks. This choice poses a major risk.

248.Software piracy violates which of the following?

A.Trademarks
B.Copyrights
C.Trade secrets
D.Patents

The Answer B is Correct

Software is copyrighted most of the time. Because software is copyrightable, software piracy violates
the copyrights laws. A copyright protects the copyright holder (owner) against the infringement of any
of six exclusive rights in “original works of authorship fixed in any tangible medium of expression.”
This original work includes computer software; literary, musical; and dramatic works; motion pictures
and sound recordings; and pictorial, sculptural, and architectural works.

A.Incorrect. Software is not usually trademarked. A trademark is a valuable marketing asset in that it
identifies products and differentiates companies owning those products from other companies and
protects the trademark owner from infringement by others. It forms an association of a product with a
company in people's minds. Trademarks are features such as designs, brand names, or symbols which
allow easy recognition of a product.
C.Incorrect. Software is not usually a trade secret. A trade secret can be of any form or type of
commercially valuable information that the owner has taken reasonable measures to keep secret and
that has an independent economic value from the fact that it is a secret and cannot be readily
ascertained by the public. Trade secrets can include, for example, technical, scientific, and engineering
data; business records; or economic, financial, and marketing information (e.g., marketing strategies).
For example, a soup recipe for a soup company is a trade secret.
D.Incorrect. Software is not usually patented. In its simplest form, a patent is a property right for an
invention granted by the government to the inventor. A patent gives the owner the right to exclude
others from making, using, and selling devices that embody the claimed invention. Patents generally
protect features, products, and processes, not pure ideas.

249.What is the best way to quantify the information value that is at risk?

A.The cost of using information
B.The cost of protecting information
C.The cost of not using information
D.The cost of not protecting information

The Answer D is Correct

The cost of not protecting information is the best way to quantify the information value at risk because
it will indicate what the consequences would be if the information is not protected at all. Examples of
these consequences are greater vulnerability to threats and attacks and increased damages resulting
from such attacks. These damages could be financial, physical (buildings, equipment, and inventory),
non-physical (e.g., loss of intellectual property), and human (death resulting from wrongly prescribed
and dispensed medication based on incorrect medical records).

A.Incorrect. The cost of using information is not relevant here because it does not matter whether the
protected information is used or not. Protection is more important than use.
B.Incorrect. The cost of protecting information is important and can be calculated by adding up all
the costs incurred to acquire and install hardware and software and the costs to hire staff. The cost of
information protection, which represents one side of the coin, can become a routine and mechanical
exercise and can become a discretionary spending amount. To get a big-picture perspective, the cost of
protecting information should be compared with the cost of not protecting information, which is the
other side of the coin.
C.Incorrect. The cost of not using information is not relevant because it does not matter whether the
protected information is used or not.

250.Reporting to senior management and the board is an important part of the auditor's
obligation. Which of the following items is not required to be reported to senior management
and/or the board?

A.Subsequent to the completion of an audit, but prior to the issuance of an audit report, the audit senior
in charge of the audit was offered a permanent position in the auditee's department.
B.An annual report summary of the department's audit work schedule and financial budget.
C.Significant interim changes to the approved audit work schedule and financial budget.
D.An audit plan was approved by senior management and the board. Subsequent to the approval, senior
management informed the chief audit executive not to perform an audit of a division because the
division's activities were very sensitive.

The Answer A is Correct

This would not have to be communicated. The audit work was done. The chief audit executive would
have to determine that there was no impairment of the independence of the senior's work. If there was
none, the report could be issued without reporting the personnel change (IIA Standard 2020 –
Communication and Approval).

B.Incorrect. This is a standard part of the required reporting to senior management and the board.
C.Incorrect. This is a standard part of the required reporting to senior management and the board.
D.Incorrect. The audit plan had been approved by both senior management and the board. The change
dictated by senior management should be reported to the board.

Part 2 Domain 2

Question 1 of 62

All of the following are major concerns for a chief audit executive (CAE) except:

a) Audit clients rejecting major audit findings.
b) Audit work failures.
c) False assurances to audit clients.
d) Audit department's reputation issues.

Answer A is Correct.

It is common for audit client management to reject major audit findings due to issues such as (1)
little or no value added to the audit client department, (2) unclear audit scope and audit objectives,
(3) the audit client manager is new to the department, or (4) for some other reason. These issues
can be fixed by, for example, revising the audit scope and objectives and/or redoing the same audit
with the same auditor or with a different auditor. These issues should not be the major concern for
the CAE.

B. Audit work failures, for whatever reasons, should be a major concern for the CAE because they
deal with auditor competency and professionalism.

C. False assurances to audit clients should be a major concern for the CAE because they deal with
auditor competency and professionalism.

D. Audit department's reputation issues should be a major concern for the CAE because they deal
with auditor competency and professionalism.

Question 2 of 62

Internal auditors induce which of the following?

a) Scope creep
b) Scope limitations
c) Scope diversions
d) Scope restrictions

Answer A is Correct.

Internal auditors either knowingly or unknowingly can increase the nature, extent, and size of audit
work (i.e., scope creep) due to planned and unplanned auditable areas they intend to review.

B. Audit clients induce scope limitations.

C. Audit clients induce scope diversions.

D. Audit clients induce scope restrictions.

Question 3 of 62

Internal audit's scope gap can be minimized or reduced in which of the following phases of an audit
process?

a) Audit program
b) Audit fieldwork
c) Audit preliminary survey
d) Audit reporting

Answer C is Correct.

A scope gap is the difference between the expected scope and the actual scope. The audit scope and
audit objectives are developed during the preliminary survey phase, which is the first phase of the audit
process. Potential risks and exposures, goals, and standards for the audited area are also identified and
gathered during the preliminary survey phase. The audit scope should indicate what is included in and
what is excluded from the audit work, thus minimizing and reducing the scope gap.

A. Audit procedures are developed in the audit program phase based on the audit scope and audit
objectives. Because the audit program phase comes after the audit preliminary survey phase, it cannot
minimize or reduce the scope gap, because it is too late.

B. Audit procedures included in the audit program phase are carried out in the fieldwork phase.
Because the audit fieldwork phase comes after the audit preliminary survey phase, it cannot minimize or
reduce the scope gap, because it is too late.

D. Audit results are communicated to auditee management both orally and in writing during the
reporting phase. Because the audit reporting phase comes after the audit preliminary survey phase, it
cannot minimize or reduce the scope gap, because it is too late.

Question 4 of 62

The best way to develop the scope of a specific internal audit engagement is through a:

a) Standard design.
b) Custom design.
c) General design.
d) Detail design.

Answer B is Correct.

The scope of internal auditing is flexible in that it can be custom designed to fit the specific needs of a
company's management.

A. The scope of a specific internal audit engagement cannot be based on a standard design or a
boilerplate format. A standard design cannot accommodate the needs of specific audit work.

C. The scope of a specific internal audit engagement cannot be based on a general design, which has
the same focus as the standard design. A general design cannot accommodate the needs of specific
audit work.

D. The scope of a specific internal audit engagement cannot be based on a detail design, which means
breaking down the general design. A detail design cannot accommodate the needs of specific audit
work.

Question 5 of 62

What is the effect of combining a compliance audit, an operational audit, and a financial audit into one
big assurance audit?

a) Additive effect
b) Dilution effect
c) Multiplicative effect
d) Synergistic effect

Answer B is Correct.

Assurance audits result when compliance audits, operational audits, and financial audits are combined
into one big audit, yielding reduced audit results due to the summarized audit scope; this is called the
dilution effect (2 + 2 = 3). Separate audits have a detailed scope; combined audits may not achieve the
same audit results as separate audits.

A. Assurance audits result when compliance audits, operational audits, and financial audits are
combined into one big audit. The additive effect (2 + 2 = 4) assumes that the combined audit scope
yields better results than the separate audit scopes, which is not true.

C. Assurance audits result when compliance audits, operational audits, and financial audits are
combined into one big audit. The multiplicative effect (2 × 2 = 4) assumes that the combined audit
scope yields better results than the separate audit scopes, which is not true.

D. Assurance audits result when compliance audits, operational audits, and financial audits are
combined into one big audit. The synergistic effect (2 + 2 = 5) assumes that the combined audit scope
yields better results than the separate audit scopes, which is not true.

Question 6 of 62

Selecting high-impact and high-visibility auditable activities to audit requires which of the following
approaches?

a) Risk based
b) Process based
c) Knowledge based
d) Experience based

Answer A is Correct.

Audits and controls reduce risks and protect assets. By definition, high-impact and high-visibility
activities are high risk due to their nature. Hence, they require a risk-based review approach to ensure
that all potential and possible risks are managed properly.

B. Process based means operations based, requiring major focus on processes, tasks, and activities.
However, it does not address high-impact and high-visibility activities.

C. Knowledge based is a broad term and does not address high-impact and high-visibility activities.

D. Experience based is a broad term and does not address high-impact and high-visibility activities.

Question 7 of 62

A fully approved internal audit plan for the current year is already in place for a large internal auditing
department. Which of the following people gives final approval of the specific scope of an internal audit
engagement?

a) Audit director
b) Senior auditor
c) Audit supervisor
d) Audit manager

Answer D is Correct.

The audit manager can approve the scope of a specific audit engagement because he or she might be
managing the audit supervisor, senior auditor, and audit staff assigned to the specific audit. The audit
manager is responsible and accountable for the successful completion of the specific audit engagement
work.

A. The audit director does not provide final approval of the scope of a specific audit engagement
because he or she already approved the annual audit plan. The specific audit plan is taken from the
annual audit plan.

B. The senior auditor cannot approve the scope of a specific audit engagement because he or she might
be working on the audit and lacks the authority to approve a specific audit plan.

C. The audit supervisor cannot approve the scope of a specific audit engagement because he or she
might be developing the specific audit plan and supervising senior auditors and staff auditors working on
the audit. The audit supervisor also lacks the authority to approve the specific audit plan.

Question 8 of 62

Managing and mitigating organization-wide risks finally aligns with which of the following management
concepts?

a) Chain of authority
b) Chain of accountability
c) Chain of responsibility
d) Chain of delegation

Answer B is Correct.

The chain of accountability refers to the level of ownership over an organization. It states that the
ultimate accountability in an organization rests at the top level of the management hierarchy. This
means that top-level management is in a better situation to manage and mitigate organization-wide
risks. The chain of accountability is much stronger than the chains of authority, responsibility, and
delegation because individuals will be made strictly accountable for their actions and inactions.

A. The chain of authority deals with a manager's organizational position to make decisions, issue orders,
and allocate resources in order to achieve organizational goals.

C. The chain of responsibility deals with a subordinate's duty to perform assigned work tasks, which is
the flipside of the authority chain.

D. The chain of delegation deals with the transfer of authority and responsibility from a superior to a
subordinate, but accountability still rests with the superior.

Question 9 of 62

The real success of an internal audit engagement depends on which of the following?

a) Audit evidence
b) Audit scope
c) Audit workpapers
d) Audit testing

Answer B is Correct.

Establishing an audit scope is a make-or-break point because the entire audit work is based on the audit
scope. Scope is a guiding light to a specific audit work. The audit will be successful when the audit scope
is complete; otherwise it will fail.

A. Audit evidence is collected based on the audit scope and evidence standards. If the audit scope is
incomplete, then the audit evidence will be incomplete too.

C. Audit workpapers simply document the audit work performed and the evidence collected during a
specific audit based on the audit work program, which is developed from the audit scope. If the audit
scope is incomplete, then the audit workpapers will be incomplete too.

D. Audit testing shows what sampling, compliance, and substantive tests are conducted during a
specific audit based on the audit work program, which is developed from the audit scope. If the audit
scope is incomplete, then the audit testing will be incomplete too.

Question 10 of 62

Which of the following is the most important risk factor to consider when internal auditors are
performing a detailed risk assessment of auditable activities in an organization?

a) Quality of internal control system
b) Competence of management
c) Integrity of management
d) Competence of customers

Answer A is Correct.

The quality of the internal control system is the most important risk factor to consider when internal
auditors are performing a detailed risk assessment of auditable activities in an organization. This is
because the internal control system forms a focal point that guides, and therefore affects, all the
activities of the organization.

B. The competence of management is an important factor to consider when internal auditors are
performing a detailed risk assessment of auditable activities in an organization. Management and
employees are a part of the internal control system.

C. The integrity of management is an important factor to consider when internal auditors are
performing a detailed risk assessment of auditable activities in an organization. Management and
employees are a part of the internal control system.

D. Customers or clients are external parties of an organization. As such, they are the least important risk
factor during a detailed risk assessment of auditable activities by internal auditors, although customers
or clients are the most important parties for an organization's success. Internal audit risk assessments
are primarily based on internal review and evaluation of internal activities of an organization. Hence, the
competence of customers or clients does not matter that much.

Question 11 of 62

The best way to assess the adequacy of internal audit resources is through an analysis of which of the
following?

a) Assurance gaps
b) Resource gaps
c) Staffing gaps
d) Technology gaps

Answer A is Correct.

Internal audit management needs to give priority to reviewing governance, risk management, and
control processes in conducting special audits. Assurance gaps can occur when internal audit work does
not address significant risks embedded in the governance, risk management, and control processes.
Significant risks are big in scope (nature), size (magnitude), and strength (impact).

B. Resource gaps are considered during the assessment of assurance gaps.

C. Staffing gaps are considered during the assessment of assurance gaps.

D. Technology gaps are considered during the assessment of assurance gaps.

Question 12 of 62

Which of the following can create a false assurance for an internal audit activity?

a) Visiting auditors
b) Loaned auditors
c) Guest auditors
d) Borrowed auditors

Answer B is Correct.

A false assurance is created in the minds of nonaudit clients because they have higher expectations of
auditors who are loaned to a business function or operation to work as client employees. Clients may
think that these auditors know everything because of their audit jobs, which leads to a false assurance.

A. Visiting auditors may come from a local, regional, or divisional audit office. They do not create a false
assurance to audit clients because they are moving from one audit office to another.

C. Guest auditors may come from outside of the audit function, from other audit organizations, or from
inside the organization. There are no audit clients here to create a false assurance.

D. Borrowed auditors may come from a local, regional, or divisional audit office. They do not create a
false assurance to audit clients because they are moving from one audit office to another.

Question 13 of 62

Auditors need to determine if management has established criteria to determine if goals and objectives
have been accomplished. If the auditor determines such criteria are inadequate or nonexistent, which of
the following actions would be appropriate?

I. Report the inadequacies to the appropriate level of management and recommend appropriate
courses of action.
II. Recommend alternative sources of criteria to management such as acceptable industry
standards.
III. Formulate criteria the auditor believes to be adequate and perform the audit and report in
relationship to the alternative criteria.

a) I only.
b) I and II.
c) I, II, and III.
d) II only.

Answer C is Correct.

All three responses would be appropriate according to IIA Standard 2201 – Planning Considerations.

A. Refer to the correct answer.

B. Refer to the correct answer.

D. Refer to the correct answer.

Question 14 of 62

An internal audit director initiated an audit of the corporate code of ethics and the environment for
ethical decision making. Which of the following would most likely be considered inappropriate regarding
the scope and/or recommendations of the audit?

a) A review of the corporate code of ethics and a comparison to other corporate codes.
b) A survey of corporate employees, asking general questions regarding the ethical quality of
corporate decision making.
c) Administration of an anonymous "ethics test" to determine if employees know of unethical
behavior or have acted unethically themselves.
d) A survey of the Board of Directors to determine their level of support for a corporate code of
ethics.

Answer D is Correct.

Not much benefit is gained by surveying the Board of Directors since their views will be biased for this
audit (IIA Standard 2220 – Engagement Scope).

A. This would be included in the "normal scope" of this type of audit.

B. Surveys of employees are not prohibited by the standards.

C. Not prohibited by the standards.

Question 15 of 62

When determining the number and experience level of the internal audit staff to be assigned to an
audit, the chief audit executive should consider all of the following except the:

a) Complexity of the audit assignment.
b) Available audit resources.
c) Training needs of internal auditors.
d) Lapsed time since the last audit.

Answer D is Correct.

This is a part of the audit scheduling, not auditor selection for audit assignment (IIA Standard 2200 –
Engagement Planning).

A. This choice is included as a factor in the Standard.

B. This choice is included as a factor in the Standard.

C. This choice is included as a factor in the Standard.

Question 16 of 62

Management asserted that the performance standards the auditors used to evaluate operating
performance were inappropriate. Written performance standards that had been established by
management were vague and had to be interpreted by the auditor. In such cases, auditors may meet
their due professional care responsibility by:

a) Assuring themselves that their interpretations are reasonable.
b) Assuring themselves that their interpretations are in line with industry practices.
c) Establishing agreement with auditees as to the standards needed to measure performance.
d) Incorporating management's objections in the audit report.

Answer C is Correct.

This is what IIA Standard 2210 – Engagement Objectives requires in such cases.

A. The assertions are self-serving.

B. The assertions are self-serving.

D. Noting differences in interpretation in the audit report, in and of itself, is not due professional care.
Due professional care has to do with how the audit is performed and the report is written.

Question 17 of 62

According to the IIA Standards, internal auditing has a responsibility for helping to deter fraud. Which of
the following best describes how this responsibility is generally met?

a) By coordinating with security personnel and law enforcement agencies in the investigation of
possible frauds.
b) By testing for fraud in every audit and following up as appropriate.
c) By assisting in the design of control systems to prevent fraud.
d) By evaluating the adequacy and effectiveness of controls in light of the potential exposure or
risk.

Answer D is Correct.

This is how the responsibility is met according to IIA Standard 2210 – Engagement Objectives.

A. This involves detection, not deterrence.

B. Testing for fraud in every audit is not required.

C. This is not the primary means as described in the standards.

Question 18 of 62

Independence permits internal auditors to render impartial and unbiased judgments. The best way to
achieve independence is through:

a) Individual knowledge and skills.
b) Organizational status and objectivity.
c) Supervision within the organization.
d) Organizational knowledge and skills.

Answer B is Correct.

Organizational status and objectivity provide for the achievement of independence (IIA Standard 1100
– Independence and Objectivity; IIA Standard 1110 – Organizational Independence).

A. Individual knowledge and skills allow individual auditors to achieve professional proficiency.

C. Supervision allows the internal auditing department to achieve professional proficiency.

D. Organizational knowledge and skills allow the internal auditing department to achieve professional
proficiency.

Question 19 of 62

When faced with an imposed scope limitation, the chief audit executive should:

a) Refuse to perform the audit until the scope limitation is removed.
b) Communicate the potential effects of the scope limitation to the audit committee of the board
of directors.
c) Increase the frequency of auditing the activity in question.
d) Assign more experienced personnel to the engagement.

Answer B is Correct.

The scope limitation and its potential effects should be communicated to the audit committee of the
board of directors (IIA Standard 2220 – Engagement Scope; IIA Standard 2450 – Overall Opinions).

A. The audit may be conducted under a scope limitation.

C. A scope limitation would not necessarily cause the need for more frequent audits.

D. A scope limitation would not necessarily cause the need for more experienced personnel.

Question 20 of 62

You transferred from the treasury department to the internal auditing department of the same
company last month. The chief financial officer of the company has suggested that since you have
significant knowledge in this area, it would be a good idea for you to immediately begin an audit of the
treasury department. In this circumstance you should:

a) Accept the audit engagement and begin work immediately.
b) Discuss the need for such an audit with your former superior, the treasurer.
c) Suggest that the audit be performed by another member of the internal auditing staff.
d) Offer to prepare an audit program but suggest that interviews with your former coworkers be
conducted by other members of the internal auditing staff.

Answer C is Correct.

This response would avoid the lack of objectivity inherent in auditing activities that the auditor so
recently performed. This response conforms with IIA Standard 1100 – Independence and Objectivity and
IIA Standard 1130 – Impairment to Independence or Objectivity.

A. The proposed engagement directly violates the Standards on objectivity. Objectivity would be
presumed to be impaired in this circumstance.

B. Subordinating your judgment on audit matters to that of others does not maintain the independent
mental attitude defined in the Standards.

D. This response still violates the Standards since the preparation of the audit program offers significant
opportunities for bias to occur.

Question 21 of 62

Which one of the following items can be a part of the other items?

a) Entity-level controls.
b) Manual controls.
c) Fully automated controls.
d) Partly automated controls.

Answer A is Correct.

The key controls can be in the form of entity-level controls (e.g., employees are trained and take a test
to confirm their understanding of the code of conduct). The entity-level controls can be manual, fully
automated, or partly automated. Manual controls can exist within a business process (e.g., the
performance of a physical inventory). Fully automated controls can exist within a business process (e.g.,
matching or updating accounts in the general ledger). Partly automated controls can exist within a
business process (also called hybrid or information technology–dependent controls), where an
otherwise manual control relies on application functionality such as an exception report (IIA Standard
2200 – Engagement Planning).

B. Manual controls can exist within a business process (e.g., the performance of a physical inventory).

C. Fully automated controls can exist within a business process (e.g., matching or updating accounts in
the general ledger).

D. Partly automated controls can exist within a business process (also called hybrid or information
technology-dependent controls), where an otherwise manual control relies on application functionality
such as an exception report.

Question 22 of 62

Consulting engagement objectives must be consistent with all of the following except:

a) Organization's goals.
b) Organization's values.
c) Organization's strategies.
d) Organization's objectives.

Answer A is Correct.

Goals are short term in nature while objectives are long term in nature. Hence, consulting engagement
objectives must be consistent with the organization's values, strategies, and objectives (IIA Standard
2210 – Engagement Objectives).

B. This choice is consistent.

C. This choice is consistent.

D. This choice is consistent.

Question 23 of 62

If an auditee's operating standards are vague and thus subject to interpretation, the auditor should:

a) Seek agreement with the auditee as to the standards to be used to measure operating
performance.
b) Determine best practices in this area and use them as the standard.
c) Interpret the standards in their strictest sense because standards are otherwise only minimum
measures of acceptance.
d) Omit any comments on standards and the auditee's performance in relationship to those
standards, because such an analysis would be meaningless.

Answer A is Correct.

This is what is required by the IIA Standard 2210 – Engagement Objectives.

B. The auditor should seek to understand the operating standards as they are applied to the
organization.

C. Agreement is necessary.

D. The auditor should first seek to gain an understanding with the auditee on the appropriate
standards.

Question 24 of 62

During a preliminary survey, an auditor notes that several accounts payable vouchers for major suppliers
show adjustments for duplicate payment of prior invoices. This would indicate:

a) A need for additional testing to determine related controls and the current exposure to
duplicate payments made to suppliers.
b) An unrecorded liability for the amount of purchases that are not processed while awaiting
supplier master file address maintenance.
c) A lack of control in the receiving area that prevents timely notice to the accounts payable area
that goods have been received and inspected.
d) The existence of a sophisticated accounts payable system that correlates overpayments to open
invoices and therefore requires no further audit concern.

Answer A is Correct.

This preliminary survey information should prompt the auditor to identify the magnitude of such
duplicate payments (IIA Standard 2201—Planning Considerations).

B. This situation is not identified in the question.

C. The existence of duplicate payments is not related to a problem in the receiving area.

D. Duplicate payments are not overpayments; they are exceptions and should be handled as such.

Question 25 of 62

In the preparation of an audit program, which of the following items is not essential?

a) The performance of a preliminary survey.
b) A review of material from prior audit reports.
c) The preparation of a budget identifying the costs of resources needed.
d) A review of performance standards set by management.

Answer C is Correct.

Identifying the resources to be used is necessary. However, converting them into the funds needed is not
essential for the program (IIA Standard 2240—Engagement Work Program).

A. It is needed to determine audit objectives and controls in use.

B. This is necessary to get background on the audit.

D. This refers to obtaining information on the validity of criteria to be used or to be evaluated during
the audit.

Question 26 of 62

What action should an internal auditor take on discovering that an audit area was omitted from the
audit program?

a) Document the problem in the work papers and take no further action until instructed to do so.
b) Perform the additional work needed without regard to the added time required to complete the
audit.
c) Continue the audit as planned and include the unforeseen problem in a subsequent audit.
d) Evaluate whether completion of the audit as planned will be adequate.

Answer D is Correct.

Changes often are needed in the audit plan as work progresses. The auditor should review the plan with
his or her supervisor since revised budgets may be needed (IIA Standard 2200—Engagement Planning).

A. Although the finding should be documented, whether any changes may need to be made to the audit
plan should be determined.

B. The budgeted hours should be reviewed and increases approved prior to undertaking any additional
steps.

C. The unforeseen area may have an impact on the planned audit and need to be incorporated into the
plan.

Question 27 of 62

In order to determine the extent of audit tests to be performed during fieldwork, preparing the audit
program should be the next step after completing the:

a) Preliminary survey.
b) Survey of company policies.
c) Assignment of audit staff.
d) Time budgets for specific audit tasks.

Answer A is Correct.

During the preliminary survey, the internal auditor becomes acquainted with the auditee. The internal
auditor decides how much reliance can be placed on the internal control system. This allows him or her
to initially determine whether to extend or limit audit tests. The internal auditor then prepares the audit
program (IIA Standard 2240—Engagement Work Program).

B. The survey of company policies may be a segment of the preliminary survey. However, completing
the survey of company policies is not sufficient to begin preparing the audit program; the entire
preliminary survey must be completed.

C. Audit staff are usually assigned to specific assignments before completing either the preliminary
survey or the audit program.

D. Specific tasks to be performed are determined during the audit program preparation.

Question 28 of 62

Which of the following is a step in an audit program?

a) The audit will commence in six weeks and include tests of compliance.
b) Determine whether the manufacturing operations are effective and efficient.
c) Auditors may not reveal findings to nonsupervisory, operational personnel during the course of
this audit.
d) Observe the procedures used to identify defective units produced.

Answer D is Correct.

This is an audit step because it is a procedure to be followed to obtain necessary evidence (IIA Standard
2240—Engagement Work Program).

A. This is simply the proposed starting time and partial scope.

B. This is an audit objective.

C. This is a rule for the conduct of the audit personnel.

Question 29 of 62

Audit programs testing internal controls should:

a) Be tailored for the audit of each operation.
b) Be generalized to fit all situations without regard to departmental lines.
c) Be generalized so as to be usable at all locations of a particular department.
d) Reduce costly duplication of effort by ensuring that every aspect of an operation is examined.

Answer A is Correct.

A tailor-made program will be more relevant to an operation than a generalized program (IIA Standard
2240—Engagement Work Program).

B. A generalized program cannot take into account variations resulting from changing circumstances
and varied conditions.

C. A generalized program cannot take into account variations in circumstances and conditions.

D. Every aspect of an operation need not be examined—only those likely to conceal problems and
difficulties.

Question 30 of 62

An auditor begins an audit with a preliminary evaluation of internal control, the purpose of which is to
decide on the extent of future auditing activities. If the auditor's preliminary evaluation of internal
control results in a finding that controls may be inadequate, the next step would be:

a) An expansion of audit work prior to the preparation of an audit report.
b) The preparation of a flowchart depicting the internal control system.
c) An exception noted in the audit report if losses have occurred.
d) To implement the desired controls.

Answer A is Correct.

If the preliminary findings indicate control problems, the auditor usually decides to do some expanded
testing (IIA Standard 2240—Engagement Work Program).

B. If a flowchart were necessary, the auditor would have prepared one during the preliminary
evaluation.

C. The auditor is not ready to make a report until more work has been performed.

D. Auditors do not implement controls; that is a function of management.

Question 31 of 62

An internal auditor has just completed an on-site survey in order to become familiar with the company's
payroll operations. Which of the following should be performed next?

a) Assign audit personnel.
b) Establish initial audit objectives.
c) Write the audit program.
d) Conduct fieldwork.

Answer C is Correct.

The audit program is normally prepared after the on-site survey. The on-site survey allows the auditor to
become familiar with the auditee and thus provides input to the audit program (IIA Standard 2240—
Engagement Work Program).

A. Audit personnel are normally assigned before the on-site survey takes place.

B. Initial audit objectives are established at the beginning of the planning process. They should be
specified before the on-site survey takes place.

D. Fieldwork can be performed only after the audit program has been written. Thus, fieldwork could not
immediately follow the on-site survey.

Question 32 of 62

Interviewing operating personnel, identifying the objectives of the auditee, identifying standards used to
evaluate performance, and assessing the risks inherent in the auditee's operations are activities typically
performed in which phase of an internal audit?

a) The fieldwork phase.
b) The preliminary survey phase.
c) The audit programming phase.
d) The reporting phase.

Answer B is Correct.

These activities are normally accomplished during the preliminary survey phase (IIA Standard 2200—
Engagement Planning).

A. The activities described must be performed before the audit program can be developed, the
fieldwork can be completed, or reporting can be undertaken.

C. The activities described must be performed before the audit programming phase.

D. The reporting phase is the last phase of the four choices given; hence it comes after the preliminary
survey phase.

Question 33 of 62

Which of the following best describes a preliminary survey?

a) A standardized questionnaire used to obtain an understanding of management objectives.
b) A statistical sample of key employee attitudes, skills, and knowledge.
c) A walk-through of the financial control system to identify risks and the controls that can address
those risks.
d) A process used to become familiar with activities and risks in order to identify areas for audit
emphasis.

Answer D is Correct.

It is the most complete response, per IIA Standard 2201—Planning Considerations.

A . This may be used, but it is only one means in fulfilling the objective of a preliminary survey.

B . This may be used, but it is only one means in fulfilling the objective of a preliminary survey.

C . This may be used, but it is only one means in fulfilling the objective of a preliminary survey.

Question 34 of 62

The auditor in charge has just been informed of the next audit assignment and the assigned audit team.
Select the appropriate phase for finalizing the audit time budget.

a) During formulation of the long-range plan.
b) After the preliminary survey.
c) During the initial planning meeting.
d) After the completion of all fieldwork.

Answer B is Correct.

The preliminary survey establishes the subject of the review, the theory of the audit approach, and the
structure of the project. If the survey discloses significant differences from the project that was placed in
the long-range plan, budget adjustments should be requested and authorized (IIA Standard 2200—
Engagement Planning).

A . An initial budget is determined at this time, but revisions, based on the preliminary survey, may be
required.

C . The audit project is not sufficiently well defined at this point to complete the budget.

D . At this point, the bulk of the audit hours have been expended and the usefulness of the budget as a
control and evaluation tool would be negated.

Question 35 of 62

Many administrative audit tasks are performed during the course of an audit. Various audit tasks are
shown below and given a number. In the answers, the numbered tasks are grouped as being done
primarily by a staff auditor, audit manager, or director of audit. Only one of the following groupings is
correct. Select the answer in which listed tasks are most appropriately grouped according to the auditor
position.

1. The auditee is selected and the scope of the audit assigned.
2. An initial interview is held with the auditee explaining the scope of the audit.
3. Working papers are prepared showing audit work performed.
4. Audit work is supervised during the fieldwork.
5. Working papers are reviewed.
6. Inquiry is made of auditee management to explain unusual findings.
7. Working papers are finalized and a preliminary report is prepared.
8. Review draft audit report prior to discussion with management.
9. After the audit report has been discussed with auditee management, the report and working
papers receive a final review before the audit report is signed, published, and distributed.

Not all tasks are listed in each answer, and some of the numbered tasks could be done by more than
one of the three auditing personnel.

      Staff auditor    Audit manager    Audit director
A.    3, 6, 7          2, 5, 8          1, 8, 9
B.    2, 4, 7          3, 4, 8          1, 6, 9
C.    3, 7, 9          2, 4, 6          2, 3, 8
D.    2, 7, 9          4, 6, 8          1, 5, 6

A . A.

B . B.

C . C.

D . D.

Question 36 of 62

A governmental agency constrained by scarce audit and human resources wishes to know the status of
its program for licensing automobiles. In particular, management is concerned about the possibility of:

- A backlog in new license applications, and
- Poor controls over the collection and processing of application fees.

The results of the preliminary survey and limited audit testing conducted by the internal auditing
department revealed that the licensing process was operating as intended. No major deficiencies were
noted. How should the internal auditing department proceed?

a) Perform no further audit work, issue a formal audit report with the survey results, and discuss
the results with management.
b) Perform no further audit work, discuss pertinent issues with management and the executive
director, and prepare an audit program for future use so that another survey will not be
necessary.
c) Complete the audit as scheduled to ensure that other issues do not exist that were not noted
during the survey phase.
d) Send a memorandum report to the executive director and other concerned parties summarizing
the preliminary survey results and indicating that the audit has been canceled.

Answer D is Correct.

This is the proper level of reporting in light of the results of the preliminary survey and limited testing
(IIA Standard 2200—Engagement Planning).

A . Since no further audit work was performed beyond the preliminary survey and limited testing, it
would not be appropriate to issue a formal audit report or to discuss it with management.

B . No audit program need be prepared for the future. Because events may occur, or compliance with
policies and procedures may change, an audit program written now may be outdated for future use.
Also, an audit report summarizing survey results should be prepared.

C . It is not necessary if the survey and limited testing was conducted with due professional care. Also, it
is a poor use of audit resources.

Question 37 of 62

One of the primary roles of an audit program is to:

a) Serve as a tool for planning, directing, and controlling audit work.
b) Document an auditor's understanding of the internal control system.
c) Provide for a standardized approach to the audit engagement.
d) Delineate the audit risk accepted by the auditor.

Answer A is Correct.

This is the primary purpose of an audit program (IIA Standard 2240—Engagement Work Program).

B . The internal control system should be documented in the work papers by means of narratives,
flowcharts, internal control questionnaires, and so on—not in the audit program itself.

C . The audit program should be logical, but it may not be consistent from year to year due to changing
conditions encountered by the auditee. The audit program should be tailored to the current year's
situation; thus, consistency may not be the most appropriate description.

D . While audit risk should be considered in planning the audit, the nature and extent of audit risk
should be documented in the audit work papers, specifically in the planning section.

Question 38 of 62

The preliminary survey discloses that a prior audit deficiency was never corrected. Subsequent fieldwork
confirms that the deficiency still exists. Which of the following courses of action should the internal
auditor pursue?

a) Take no action. To do otherwise would be an exercise of operational control.
b) Discuss the issue with the director of internal auditing. The problem requires an ad hoc solution.
c) Discuss the issue with the person(s) responsible for the problem. They should know how to
solve the problem.
d) Order the person(s) responsible to correct the problem. They have had long enough to do so.

Answer C is Correct.

Obtaining auditee cooperation (or at least understanding) is a vital part of the solution of any problem
(IIA Standard 2200—Engagement Planning).

A . A deficiency finding places the firm at risk until the situation changes or the deficiency is corrected.

B . Deficiency findings that have not been corrected are not unique, so they do not require ad hoc
solutions.

D . The internal auditor should have no line authority over the auditee. To exercise such authority
impairs the internal auditor's objectivity.

Question 39 of 62

The following information is available from the financial statements of a manufacturing division. The
director of internal auditing is reviewing the data to identify potential risks as a basis for planning the
audit. The division has not been audited by the internal auditing department in the past three years. The
division conducts most of its business autonomously. The division has historically relied on one major
product. However, that product is aging and will soon lose its patent protection.
The division had a large increase in sales in the previous year (20X2). Which of the following hypotheses
would the data support regarding the potential cause of the sales increase? The division:

a) Reduced its selling price for most of its product line.
b) Acquired another company and accounted for the purchase as a purchase transaction, not a
pooling.
c) Liquidated a substantial part of its older inventory.
d) Sold off most of its intangible assets, realizing a profit on the sale.

Answer B is Correct.

This is shown by the dramatic change between the sales/total assets ratio (large decrease) and the
relatively small change in sales/tangible assets ratio. The company must have acquired a large amount
of intangible assets during the year. Since purchase accounting also incorporates the results of the
acquired company, it is the most likely explanation for the increase (IIA Standard 2200—Engagement
Planning).

A . There is no evidence that the company reduced its sales prices. If anything, it may have raised sales
prices since the COGS/Sales ratio decreased.

C . Inventory is increasing, not decreasing.

D . This is not likely since intangible assets went up, not down.

Question 40 of 62

A standardized internal audit program would not be appropriate for the following situation:

a) A stable operating environment undergoing only minimal changes.
b) A complex or changing operating environment.
c) Multiple locations with similar operations.
d) Subsequent inventory audits performed at the same location.

Answer B is Correct.

A standard audit program would not be appropriate for a complex or changing operating environment
because the audit objectives and related work steps may no longer have relevance (IIA Standard 2240—
Engagement Work Program).

A . A standard audit program would be appropriate for use in a minimally changing operating
environment.

C . A standard audit program could be used to audit multiple locations with similar operations.

D . A standard audit program would be acceptable for conducting subsequent inventory audits at the
same location.

Question 41 of 62

An audit program for a comprehensive audit of a purchasing function should include:

a) Work steps arranged by relative priority based on perceived risk.
b) A statement of the audit objectives of the operation under review with agreement by the
auditee.
c) Specific methods to accomplish audit objectives.
d) A focus on risks impacting the financial statements as opposed to controls.

Answer C is Correct.

Specific methods are included in an audit program (IIA Standard 2240—Engagement Work Program).

A . The program should normally be arranged in an order that would most efficiently complete the audit
steps.

B . Audit objectives should be stated, but they do not need to be agreed to by the auditee.

D . In a comprehensive audit, there should be a focus on controls as opposed to risks.

Question 42 of 62

The finance department of a governmental unit has a computer‑based model for forecasting tax
revenue to use in preparing annual budgets. The internal audit group has been asked to audit the
model. A reasonable objective of the audit would be to:

a) Verify that for varying input values the model gives results consistent with revenue behavior.
b) Confirm that the model forecasts each kind of revenue within a small percentage of actual
revenue.
c) Determine whether the programs used for this year's forecast were identical to those used in
the previous year.
d) Ensure that the model was modified so that it would have forecasted the previous year's actual
revenue.

Answer A is Correct.

An essential component of the audit approach would be to verify that for varying input values, the
model gives results consistent with prior revenue behavior.

B . There is no forecast technique that would always forecast all the different kinds of revenue this
precisely; the overall behavior of the model is more important than the forecasting of individual revenue
components.

C . Due to continually evolving circumstances in a state or country, there is no reason to believe that the
programs used for this year's forecast should be identical to those used in the previous year.

D . Since the model is a forecasting tool, there is no reason to require that it predict the previous year's
actual revenue, especially as conditions and tax regulations change.

Question 43 of 62

An internal auditing department has scheduled an audit of a construction contract. One portion of this
audit will include comparing materials purchased to those specified in the engineering drawings. The
auditing department does not have anyone on staff with sufficient expertise to complete this audit step.
Select the best alternative for the director of internal auditing.

a) Delete the audit from the schedule.
b) Perform the entire audit using current staff.
c) Engage an engineering consultant to perform the comparison.
d) Accept the contractor's written representations.

Answer C is Correct.

It would be inappropriate to delete the audit.

A . It would be inappropriate to delete the audit.

B . This is a direct violation of IIA Standard 2230—Engagement Resource Allocation.

D . Accepting the contractor's representations without adequate testing or disclosure of such would
violate the IIA Standards.

Question 44 of 62

One purpose of the exit conference is for the internal auditor to:

a) Require corrective action for deficiencies found.
b) Review and verify the appropriateness of the audit report based on auditee input.
c) Review the performance of audit personnel assigned to the engagement.
d) Present the final audit report to management.

Answer B is Correct.

The exit conference provides an opportunity for all parties to communicate their views. This may lead to
modifications in the audit report, if justified (IIA Standard 2400—Communicating Results).

A . The internal auditor cannot require corrective action; only management can.

C . Audit personnel performance is reviewed in private with the individual employee, not at the exit
conference.

D . The exit conference is normally based on draft reports. The final report is subject to modification
based on the results of the exit conference.

Question 45 of 62

The following information is available from the financial statements of a manufacturing division. The
director of internal auditing is reviewing the data to identify potential risks as a basis for planning the
audit. The division has not been audited by the internal auditing department in the past three years. The
division conducts most of its business autonomously. The division has historically relied on one major
product. However, that product is aging and will soon lose its patent protection.

Which of the following would not explain the decrease in cost of goods sold as a percentage of sales
ratio? The division:

a) Liquidated inventory in conjunction with a plan to bring its current ratio more in line with the
industry average.
b) Increased the selling price of its products by selling to less creditworthy customers.
c) Recorded subsequent year's sales in the current year, but adjusted inventory to actual goods on
hand at year-end.
d) Is incorrectly capitalizing certain production costs.

Answer A is Correct.

This is not a potential explanation because (1) there has been an increase in inventory, and (2) a
liquidation would have resulted in a write-down of the costs of inventory, which would have caused the
ratio to move the other way (IIA Standard 2200—Engagement Planning).

B . Although this choice is not the most likely, there is a large increase in the number of days' sales in
accounts receivable, which could indicate the possibility of less creditworthy customers.

C . This is a potential explanation. Recording subsequent year's sales in the current year, while adjusting
inventory to goods actually on hand, would cause the ratio to increase.

D . This is a potential explanation. Incorrectly capitalizing production costs would cause the number of
days' sales in inventory to increase and the cost of goods sold ratio to decrease.

Question 46 of 62

The following information is available from the financial statements of a manufacturing division. The
director of internal auditing is reviewing the data to identify potential risks as a basis for planning the
audit. The division has not been audited by the internal auditing department in the past three years. The
division conducts most of its business autonomously. The division has historically relied on one major
product. However, that product is aging and will soon lose its patent protection.

The current ratio increased during the past year while the quick ratio decreased. Which of the following
explanations would best explain the reason that the current ratio increased while the quick ratio
decreased?

a) A substantial increase in accounts payable that affects the current ratio but not the quick ratio.
b) The significant buildup of inventory.
c) The substantial increase in accounts receivable.
d) The large increase in the amount of intangible assets that affects the current ratio but not the
quick ratio.

Answer B is Correct.

Inventory affects the current ratio but not the quick ratio. The division is facing liquidity problems, as
indicated by the quick ratio (IIA Standard 2200—Engagement Planning).

A . It is likely that accounts payable has increased and the increase would affect the quick ratio more
than the current ratio. However, the increase in accounts payable would affect both ratios and would
not constitute an explanation for the major differences in the two ratios.

C . The substantial increase in accounts receivable affects both ratios. Moreover, the increase in
receivables would have also caused the quick ratio to increase.

D . The amount of intangibles does not affect either ratio.

Question 47 of 62

An internal auditor conducts a preliminary survey and identifies a number of significant audit issues and
reasons for pursuing them in more depth. The auditee informally communicates concurrence with the
preliminary survey results and asks that the auditor not report on the areas of significant concern until
the auditee has an opportunity to respond to the problem areas. Which of the following audit responses
would not be appropriate?

a) Keep the audit on the audit time schedule and discuss with management the need for
completing the audit on a timely basis.
b) Consider the risk involved in the areas involved, and if the risk is high, proceed with the audit.
c) Consider the audit to be terminated with no report needed since the auditee has already agreed
to take constructive action.
d) Work with the auditee to keep the audit on schedule and address the significant issues in more
depth, as well as the auditee's responses, during the course of the audit.

Answer C is Correct.

It would not be appropriate to consider the audit completed because the auditor has completed only a
preliminary survey. The constructive action by the auditee may be a delaying tactic to hide additional
problems (IIA Standard 2201—Planning Considerations).

A . This would be an appropriate response consistent with the IIA Standards.

B . The auditor should always consider the risk associated with the potential findings as a basis for
determining the need for more immediate audit attention.

D . This would be an appropriate response by the auditor because the issues may be more pervasive
than shown by the preliminary survey.

Question 48 of 62

The auditor has planned an audit of the effectiveness of the quality assurance function as it affects the
receiving of goods, the transfer of the goods into production, and the scrap costs related to defective
items. The auditee argues that such an audit is not within the scope of the internal auditing function and
should come only under the purview of the quality assurance department. What would be the most
appropriate audit response?

a) Refer to the audit department charter and the approved audit plan, which includes the area
designated for audit in the current time period.
b) Since quality assurance is a new function, seek the approval of management as a mediator to set
the scope of the audit.
c) Indicate that the audit will only examine the function in accordance with the standards set, and
approved, by the quality assurance function before beginning the audit.
d) Terminate the audit because an operational audit will not be productive without the auditee's
cooperation.

Answer A is Correct.

This is the most appropriate response. The audit department charter should specify the broad
responsibilities of the department, and the approved audit plan for the year should indicate
management and the audit committee's approval for the process (IIA Standard 2220—Engagement
Scope).

B . It would not be appropriate to ask management to resolve every potential scope disagreement
between the auditor and the auditee. The audit charter and audit plan already communicate
management's approval.

C . There may be other objectives that have been set by management and the auditor. The audit should
not be limited to the specific standards set by the quality assurance department but should consider
such standards in the development of the audit program.

D . This would not be an appropriate response.

Question 49 of 62

The internal auditing department of an organization has been in existence for ten years. It has
established a charter, which has not yet been approved by the audit committee. However, the audit
committee is chaired by the chief executive officer (CEO) and includes the controller and one outside
board member. The director reports directly to the controller who approves the internal audit work
plan. Thus, the auditing department has never felt the need to push for a formal approval of the charter.
The organization is publicly held and has nine major divisions. The previous director of internal auditing
was recently dismissed following a dispute between the director and a major auditee. The CEO accused
the director of not operating “in the best interests of the organization.” A new director with significant
experience in both public accounting and internal auditing has just been hired. Within the first month,
the new director encountered substantial resistance from an auditee regarding the nature of an audit
and the audit department's access to records.

Which of the following combinations best illustrates a scope limitation and the appropriate response by
the director of internal auditing?

A . A.

B . B.

C . C.

D . D.

Question 50 of 62

The internal auditing department of an organization has been in existence for ten years. It has
established a charter, which has not yet been approved by the audit committee. However, the audit
committee is chaired by the chief executive officer (CEO) and includes the controller and one outside
board member. The director reports directly to the controller who approves the internal audit work
plan. Thus, the auditing department has never felt the need to push for a formal approval of the charter.
The organization is publicly held and has nine major divisions. The previous director of internal auditing
was recently dismissed following a dispute between the director and a major auditee. The CEO accused
the director of not operating “in the best interests of the organization.” A new director with significant
experience in both public accounting and internal auditing has just been hired. Within the first month,
the new director encountered substantial resistance from an auditee regarding the nature of an audit
and the audit department's access to records.

In considering the internal auditing department's independence, which of the following facts, by
themselves, could contribute to a lack of internal audit independence?

I. The CEO accused the previous director of not operating “in the best interests of the
organization.”
II. The majority of audit committee members come from within the organization.
III. The internal audit charter has not been approved by the board or the audit committee.

a) I only.
b) II only.
c) II and III only.
d) I, II, and III.

Answer C is Correct.

The statement that the CEO accused the previous director of not operating “in the best interests of the
company” does not necessarily indicate a lack of independence, although it might be corroborating
evidence if there are other factors present.

A . The statement that the CEO accused the previous director of not operating “in the best interests of
the company” does not necessarily indicate a lack of independence, although it might be corroborating
evidence if there are other factors present.

B . According to the IIA Research Foundation report on audit committees, the independence of all audit
functions is enhanced when the audit committee is made up of a majority of outside members.

D . This is incorrect because only two of the items are correct.

Question 51 of 62

The internal auditing department of an organization has been in existence for ten years. It has
established a charter, which has not yet been approved by the audit committee. However, the audit
committee is chaired by the chief executive officer (CEO) and includes the controller and one outside
board member. The director reports directly to the controller who approves the internal audit work
plan. Thus, the auditing department has never felt the need to push for a formal approval of the charter.
The organization is publicly held and has nine major divisions. The previous director of internal auditing
was recently dismissed following a dispute between the director and a major auditee. The CEO accused
the director of not operating “in the best interests of the organization.” A new director with significant
experience in both public accounting and internal auditing has just been hired. Within the first month,
the new director encountered substantial resistance from an auditee regarding the nature of an audit
and the audit department's access to records.

Given the current dispute with an auditee regarding audit scope, which of the following internal auditing
actions is not appropriate?

a) Meet with the board to obtain approval of the audit charter to mitigate the existence of this
problem and similar problems that may occur in the future.
b) Report the dispute, if it remains unresolved, to the board.
c) Review the approved work plan with the CEO and controller and ask for immediate guidance in
dealing with the auditee.
d) Indicate to the auditee that if the resistance continues, the auditing department will not be
available to perform cost/benefit audits for the department in the future.

Answer D is Correct.

This would not be an appropriate action. Future audits should be based on the risk analysis performed
by the internal audit department and the audit plan approved by the board (IIA Standard 2220—
Engagement Scope).

A . This would be an appropriate action since approval of a charter by the board explicitly defines the
scope of activities by the audit department and expected cooperation from the auditees.

B . This would be an appropriate action since the Standards require significant scope limitations be
reported to the board.

C . This would be an appropriate short-term response since management would have approved the
audit program and should be in a position to secure auditee cooperation.

Question 52 of 62

During the course of an audit, the auditor makes a preliminary determination that a major division has
been inappropriately capitalizing research and development expense. The audit is not yet completed,
and the auditor has not documented the problem or determined that it really is a problem. However,
the auditor is informed that the director of internal auditing has received the following communication
from the president of the company: “The controller of Division B informs me that you have discovered a
questionable account classification dealing with research and development expense. We are aware of
the issue. You are directed to discontinue any further investigation of this matter until informed by me
to proceed. Under the confidentiality standard of your profession, I also direct you not to communicate
with the outside auditors regarding this issue.”

Which of the following would be an appropriate action for the director to take regarding the
questionable item?

a) Immediately report the communication to the Institute of Internal Auditors and ask for an
ethical interpretation and guidance.
b) Inform the president that this scope limitation will need to be reported to the chairperson of the
audit committee.
c) Continue to investigate the area until all the facts are determined, and document all the
relevant facts in the audit work papers.
d) Immediately notify the external auditors of the problem to avoid aiding and abetting a potential
crime by the organization.

Answer B is Correct.

The director should communicate the scope limitation to the board. However, it would be appropriate
to ensure that the president is aware of this (IIA Standard 2220—Engagement Scope).

A . There are other factors that should be considered, such as the organization's code of conduct.
C . The director should first consult the audit committee. The director provides value by serving the
organization, and management may, in fact, be fully aware of the problem and may not want to incur
additional costs.

D . In this situation, the audit work is preliminary and the auditor has not yet formed a basis for an
opinion. Thus, it would be too early to contact the external auditors. However, if an inquiry would be
made by the external auditors, the internal auditors should share the extent of work completed to date.

Question 53 of 62

The internal auditing department encounters a scope limitation from senior management that will affect
its ability to meet its goals and objectives for a potential auditee. The nature of the scope limitation
should be:

a) Noted in the audit work papers, but the audit should be carried out as scheduled and the scope
limitation worked around, if possible.
b) Communicated to the external auditors so they can investigate the area in more detail.
c) Communicated, preferably in writing, to the board.
d) Communicated to management, stating that the limitation will not be accepted because it
would impair the audit department's independence.

Answer C is Correct.

This is required per IIA Standard 2220—Engagement Scope.

A . Refer to the correct answer.

B . There is no requirement or need to communicate the limitation to the external auditor.

D . Internal auditing exists to serve the organization. Thus, the auditor's alternative is to communicate
with the board, not threaten senior management.

Question 54 of 62

It is important that the auditor be able to carefully distinguish between a scope limitation and other
limitations on the audit. According to the IIA Standards, which of the following would not be considered
a scope limitation?

I. The divisional management of an auditee has indicated that the division is in the process of
converting a major computer system and has indicated that the information technology portion
of the planned audit will have to be postponed until next year.
II. The audit committee reviews the audit plan for the year and deletes an audit that the director
thought was important to conduct.
III. The auditee has indicated that certain customers cannot be contacted because the organization
is in the process of negotiating a long-term contract with them and does not want to upset the
customers.
IV. None of the responses is correct.

a) I only.
b) II only.
c) III only.
d) IV.

Answer B is Correct.

This is not a scope limitation. Rather, it is the audit committee's responsibility to review and approve the
planned scope of activities for the year (IIA Standard 2220—Engagement Scope).

A . This would be a scope limitation because it restricts the performance of an audit. Some scope
limitations may be justified. The IIA Standards identify scope limitations and do not distinguish between
those that are justified and not justified. The limitations are reported to senior management and the
board for their determination of the justification of the limitations.

C . This is a scope limitation because it restricts the performance of specific procedures.

D . Two of these choices are scope limitations.

Question 55 of 62

Writing an audit program occurs at which stage of the audit process?

a) During the planning stage.
b) Subsequent to testing internal controls to determine whether to rely on the controls or audit
around them.
c) As the audit is performed.
d) At the end of each audit, the standard audit program should be revised for the next audit to
ensure coverage of noted problem areas.

Answer A is Correct.

Planning should include writing the audit program (IIA Standard 2200—Engagement Planning).

B . The external auditor may use this approach in designing substantive tests of balances.

C . The program is prepared in advance and modified, as appropriate, during the course of the audit.

D . While this could be done, the program should be updated during the planning process.

Question 56 of 62

According to the IIA Standards, an internal auditor's role with respect to operating objectives and goals
includes:
a) Approving the operating objectives or goals to be met.
b) Determining whether underlying assumptions are appropriate.
c) Developing and implementing control procedures.
d) Accomplishing desired operating program results.

Answer B is Correct.

Internal auditors can provide assistance to managers who are developing objectives and goals by
determining if the underlying assumptions are appropriate (IIA Standard 2220—Engagement Scope).

A . The approval of objectives and goals to be met is a line function; internal auditing is a staff function.

C . Management is responsible for developing and implementing controls.

D . Management is responsible for accomplishing desired program results.

Question 57 of 62

The scope of an internal audit is initially defined by the:

a) Audit objectives.
b) Scheduling and time estimates.
c) Preliminary survey.
d) Audit program.

Answer A is Correct.

The scope of the audit is specified by the audit objectives (IIA Standard 2220—Engagement Scope).

B . The scheduling and time estimates are based on the audit objectives and the scope of the audit.

C . The preliminary survey is performed after the audit objectives are determined.

D . The audit program is developed based on the audit objectives and the scope of the audit.

Question 58 of 62

An outside consultant is developing a system to be used for the management of a city's capital facilities.
An appropriate scope of an audit of the consultant's product would be to:

a) Review the consultant's contract to determine its propriety.
b) Establish the parameters of the value of the items being managed and controlled.
c) Determine the adequacy of the controls built into the system.
d) Review the handling of idle equipment.

Answer C is Correct.

This is a normal area of internal audit expertise (IIA Standard 2220—Engagement Scope).
A . This aspect is related to a procurement action.

B . This is a top management financial decision.

D . This is a management policy. Some equipment may be retained for emergency use.

Question 59 of 62

Assume your company is considering purchasing a small toxic waste disposal company. As internal
auditors, you are part of the team doing a due diligence review for the acquisition. Your scope (as
auditors) would most likely not include:

a) An evaluation of the merit of lawsuits currently filed against the waste company.
b) A review of the purchased company's procedures for acceptance of waste material and
comparison with legal requirements.
c) Analysis of the company's compliance with, and disclosure of, loan covenants.
d) Assessment of the efficiency of the waste company's operations and profitability.

Answer A is Correct.

The merit of a lawsuit is a matter of legal judgment, beyond the expertise of internal audit (IIA Standard
2220—Engagement Scope).

B . Comparison of procedures to legal requirements is within scope and expertise of internal audit.

C . Compliance with loan covenants is within scope and expertise of internal audit.

D . Assessing efficiency is a common practice of internal audit.

Question 60 of 62

Which of the following is a proper step in an audit program?

a) Notification of the audit.
b) Observation of procedures.
c) Definition of audit objectives.
d) Planning for audit reporting.

Answer B is Correct.

Techniques such as observation and inspection are part of an audit program, which describes specific
actions (steps) to be taken by the auditor. The actions mentioned in the other three choices are taken
prior to the development of an audit program (IIA Standard 2240—Engagement Work Program).

A . Notification of the audit is done during audit planning.

C . Definition of audit objectives is done during audit planning.

D . Planning for audit reporting is also done during audit planning.

Question 61 of 62

In planning an audit, an on-site survey could assist with all of the following except:

a) Obtaining auditee comments and suggestions on control problems.
b) Obtaining preliminary information on internal controls.
c) Identifying areas for audit emphasis.
d) Evaluating the effectiveness of the system of internal controls.

Answer D is Correct.

Determining the effectiveness of internal controls would require testing (IIA Standard 2240—
Engagement Work Program).

A . A survey would assist in obtaining auditee comments.

B . A survey would assist in obtaining information on internal controls.

C . A survey would assist in identifying areas for audit emphasis.

Question 62 of 62

Fieldwork has been defined as “a systematic process of objectively gathering evidence about an entity's
operations, evaluating it, and determining if those operations meet acceptable standards.” Which of the
following is not part of the work performed during fieldwork?

a) Expanding or altering audit procedures if circumstances warrant.
b) Applying the audit program to accomplish audit objectives.
c) Creating working papers that document the audit.
d) Developing a written audit program.

Answer D is Correct.

This is a requirement of the audit-planning Standard. The audit program should be developed before the
fieldwork begins (IIA Standard 2200—Engagement Planning).

A . This is a requirement of the IIA Standards that relates to fieldwork.

B . This statement concerning fieldwork is true, and it is in harmony with the IIA Standards.

C . Working paper preparation is a requirement of the IIA Standards that should be met during
fieldwork.

PART 2 DOMAIN 3

Question 1 of 250

Which of the following can help a charge card company to trace a cardholder's card activity?

a) Network maps
b) Data flow maps
c) Risk maps
d) Strategy maps

Answer B is Correct.

Data flow maps show the flow of credit card or debit card activity of a cardholder as per the Payment
Card Industry Data Security Standard (PCI DSS).

A . Network maps can show scanning results of the network assets such as firewalls, printers,
terminals, cables, servers, and wiring closets. In addition, they provide help-desk functions, network
entry and exit points, and a reporting mechanism for tracking end user complaints.

C . Risk maps show an organization's understanding of its risk profile and risk appetite.

D . Strategy maps are visual diagrams showing grand strategy divided into strengths, weaknesses,
opportunities, and threats.

Question 2 of 250

Which of the following should be performed prior to designing data mining applications?

I. Data extraction
II. Data cleansing
III. Data analysis
IV. Data normalization
a) I and III
b) II only
c) IV only
d) II and IV

Answer D is Correct.

Data cleansing methods purify data or filter inappropriate data, and include log management
functions such as log filtering, log correlation, and log analysis. Data normalization methods convert
clean data into a standardized format and label them consistently (e.g., date and time stamps).

A . Data extraction and data analysis are used during data mining applications to retrieve relevant
information from data sources to reveal data patterns and trends.

B . Data cleansing is a partial answer. Data cleansing methods purify data or filter inappropriate data,
and include log management functions such as log filtering, log correlations, and log analysis.

C . Data normalization is a partial answer. Data normalization methods convert clean data into a
standardized format and label them consistently (e.g., date and time stamps).

Question 3 of 250

Which of the following connects employees to their job duties?

a) Risk and control matrix


b) Responsibility assignment matrix
c) Pivot table
d) Contingency table

Answer B is Correct.

A responsibility assignment matrix or RACI diagram connects employees to their assigned jobs, duties,
tasks, activities, or projects so they can complete them. “RACI” stands for responsible, accountable,
consulted, and informed.

A . A risk and control matrix provides the links between risks, controls, testing approaches, summaries
of interviews, auditor observations, audit test results, audit evidence, and auditor conclusions that
can be documented in audit workpapers.

C . A pivot table is a second, revised table in rows and columns, built by reformatting and summarizing
the raw data from the first, original table in rows and columns.

D . A contingency table is presented in a matrix format and shows frequency distribution and
probabilities. Contingency tables are cross-tabulations used in business intelligence, market research,
and customer surveys.

Question 4 of 250

Which of the following represents a workflow system to visualize data flows through a system in
order to streamline or simplify the workflow?

a) Bullet chart
b) Bump chart
c) Box plot
d) Spaghetti map

Answer D is Correct.

A spaghetti map (chart, diagram, or plot) is a workflow system to visualize data flows through a
system where flows appear as noodles. These maps are used in several places, such as (1) tracking
product routing and material movement through a factory; (2) reducing inefficiencies in an office,
factory, or warehouse workflow system; and (3) showing the effects of medical drugs on test patients
during a new drug trial. The results of the spaghetti map can be useful in streamlining or simplifying
the workflow to save resources, such as time, money, materials, and energy.

A . A bullet chart can compare two data variables, such as sales dollars and salespersons, to measure
their sales performance and productivity levels.

B . A bump chart can trace ranking of a performance item over a time period on a rank scale of 1 to 5.
This chart shows performance against time.

C . A box plot is a part of a data distribution analysis to show the full range of quantitative values.

Question 5 of 250

A major feature of data dashboards is which of the following?

a) Data exploration
b) Data filters
c) Data mingling
d) Data masking

Answer B is Correct.

Data filters are a major feature of data dashboards. Data exploration, by contrast, is a serious way of
finding and searching for useful and relevant data; data dashboards come after data exploration.

A . Data exploration is a serious way of finding and searching for useful and relevant data. Data
dashboards come after data exploration.

C . Data mingling is one reason to perform data cleansing. In data mingling, data related to some
event, incident, or activity are mixed with data that are unrelated to the event, incident, or activity,
thus making these two data types often indistinguishable.

D . Data masking will ensure that sensitive information is not available to unauthorized users or
readers. This sensitive information can be related to customers, employees, suppliers, and vendors.

Question 6 of 250

Managers and supervisors can use data dashboards with which of the following?

I. Drag and drop


II. Slice and dice
III. Dig and dive
IV. Drill down
a) I and II
b) I and III
c) II and III
d) I and IV

Answer D is Correct.

Drag and drop and drill down are the functions of data dashboards.

A . Drag and drop is a function of data dashboards. Slice and dice is a function of visual analytics.

B . Drag and drop is a function of data dashboards. Dig and dive is a function of data calculations.

C . Slice and dice is a function of visual analytics. Dig and dive is a function of data calculations.

Question 7 of 250

The major purpose of data dashboards is to:

a) Obtain insights.
b) Communicate results.
c) Visualize data.
d) Create actions.

Answer D is Correct.

Creating actions means actions are seen through decisions, which is the major purpose of data
dashboards.

A . Obtaining insights is a minor purpose, leading to the major purpose.

B . Communicating results is a minor purpose, leading to the major purpose.

C . Visualizing data is a minor purpose, leading to the major purpose.

Question 8 of 250

Which of the following can be used for multiple purposes?

a) Heat maps
b) Process maps
c) Network maps
d) Risk maps

Answer A is Correct.

Heat maps are visual maps highlighting a major activity of interest, using a data visualization
technology. They can be used for multiple purposes, such as risk heat maps; attackers’ heat maps;
website heat maps; and organization's governance, risk, and compliance heat maps showing data
outliers and problem areas.

B . Process maps are visual diagrams showing inputs, transformation (conversion), and outputs of a
task, activity, or function. These maps can show delays, duplicates, conflicts, and constraints that
waste resources and increase inefficiencies. They can be used to determine whether quality and value
are either created or destroyed in a process. Tools such as questionnaires, interviews, focus groups,
and flowcharts can be used to understand and improve a process. The goal of any business process is
to improve its effectiveness, increase its efficiency, and reduce its resource consumption. Process
maps focus on only one purpose: processes.

C . Network maps can show scanning results of network assets, such as firewalls, printers, terminals,
cables, servers, and wiring closets. In addition, they provide help desk functions, network entry and
exit points, and a reporting mechanism for tracking end user complaints. Network maps focus on only
one purpose: networks.

D . Risk maps show an organization's understanding of its risk profile and risk appetite. Risk maps
focus on only one purpose: risks.

Question 9 of 250

An auditor's judgment plays a major role in which of the following items?

a) Projected misstatements
b) Likely misstatements
c) Known misstatements
d) Tolerable misstatements

Answer D is Correct.

A misstatement can be either material or immaterial in amount and it can be either intentional or
accidental (unintentional). Tolerable misstatements (formerly test materiality) are the materiality the
auditor uses to test a specific line item, account, or class of transactions. A tolerable misstatement is
defined as the maximum error in a population of transactions or account balance that an auditor is
willing to accept or live with. Based on the auditor's judgment, the auditor may set the tolerable
misstatement equal to or less than design materiality and may set different amounts of tolerable
misstatement for different line items or accounts or assertions. The tolerable misstatement amount is
certain and reasonable, and the auditor has accepted it. The auditor's judgment plays a major role
here.

A . Projected misstatements are probable and include known misstatements. The projected
misstatements in a population are based on the misstatements found in the examined sample items.
The projected misstatement amounts are not certain (i.e., they are probable), they are unreasonable,
and the auditor has not accepted them. The auditor's judgment plays a minor role here.

B . The term “misstatements” has several interpretations, and the auditor should quantify the
magnitude of the misstatements and classify them as likely misstatements. These misstatements, in
turn, reflect the auditor's best estimate of the amount of the misstatements in the population. Note
that likely misstatements include known misstatements. For sampling applications, the likely amount
is the projected misstatement. The likely misstatement amounts are not certain (i.e., they are
probable), they are unreasonable, and the auditor has not accepted them. The auditor's judgment
plays a minor role here.

C . The term “misstatements” has several interpretations, and the auditor should quantify the effects
of the misstatements and classify them as known misstatements, which are the amount of
misstatements actually found. Note that likely misstatements include known misstatements. The
auditor's judgment plays a minor role here. Examples of types of known misstatements include (1)
incorrect selection of accounting principles, (2) misapplication of accounting principles, (3)
misstatement of facts identified, (4) mistakes in gathering or processing data, (5) overlooking or
ignoring facts, and (6) misinterpretation of facts.

Question 10 of 250

Audit assurance level is not the same as:

a) Statistical confidence level.
b) Auditor's judgment level.
c) Auditor's confidence level.
d) Quantitative measurement level.

Answer A is Correct.

The audit assurance level is a combination of an auditor's judgment level, an auditor's confidence
level, and a quantitative measurement of an auditor's confidence level. The statistical confidence
level is related to an individual sample, not to an auditor.

B . An auditor's judgment level is a part of the audit assurance level.

C . An auditor's confidence level is a part of the audit assurance level.

D . A quantitative measurement of an auditor's confidence level is a part of the audit assurance level.

Question 11 of 250

Nonsampling risk is based on which of the following?

a) Judgment
b) Precision
c) Confidence interval
d) Confidence level

Answer A is Correct.

Nonsampling risk occurs even if the entire population is tested. It is due to errors in auditor judgment,
such as use of inappropriate audit procedures and not recognizing errors during sampling.
Nonsampling risk can be controlled with better audit planning and supervision.

B . Precision is an allowance for sampling risk and does not match with nonsampling risk. Precision
deals with sampling error that indicates how closely we can reproduce results from a sample that we
would obtain if we were to take a complete count of the population using the same measurement
methods. It deals with sampling risk.

C . The confidence interval is an estimate of a population that consists of a range of values bounded
by upper and lower confidence limits. Confidence intervals are stated at a certain confidence level
(e.g., 95%). The confidence interval deals with sampling risk.

D . The confidence level is a number often stated as a percentage (e.g., 95%) that expresses the
degree of certainty associated with a confidence interval estimate of a population parameter. It is the
probability that an estimate based on a random sample falls within a specified range. It deals with
sampling risk.

Question 12 of 250

In compliance testing, sampling risk is related to which of the following?

I. Risk of overreliance
II. Risk of incorrect acceptance
III. Risk of underreliance
IV. Risk of incorrect rejection
a) I or II
b) I or III
c) II or IV
d) III or IV

Answer B is Correct.

Sampling risk is the risk that an auditor's conclusion based on a sample might differ from the
conclusion reached by testing the entire population. Usually, the smaller the sample size, the greater
will be the sampling risk. For compliance testing, sampling risk is the risk of overreliance or
underreliance. For tests of controls, sampling risk is the risk of assessing control risk either too low or
too high.

A . The risk of overreliance or the risk of incorrect acceptance does not represent sampling risk in
compliance testing.

C . For substantive testing, sampling risk is the risk of incorrect acceptance or the risk of incorrect
rejection.

D . The risk of underreliance or the risk of incorrect rejection does not represent sampling risk in
compliance testing.

Question 13 of 250

Which of the following relates to the efficiency of an audit?

I. Risk of overreliance
II. Risk of incorrect acceptance
III. Risk of underreliance
IV. Risk of incorrect rejection
a) I and II
b) I and IV
c) II and III
d) III and IV

Answer D is Correct.

The risk of underreliance and the risk of incorrect rejection are related to an audit efficiency.

A . The risk of overreliance and the risk of incorrect acceptance are related to an audit effectiveness.

B . The risk of overreliance and the risk of incorrect rejection are not related to an audit efficiency.

C . The risk of incorrect acceptance and the risk of underreliance are not related to an audit efficiency.

Question 14 of 250

Which of the following statements is not true about sampling risk?

a) Attributes sampling considers sampling risk.


b) Nonstatistical sampling sample does not consider sampling risk.
c) Variables sampling considers sampling risk.
d) Monetary unit sampling considers sampling risk.

Answer B is Correct.

Sampling risk is the risk that an auditor's conclusion based on a sample might differ from the
conclusion reached by testing the entire population. It is true that nonstatistical sampling, which uses
judgmental sampling, considers sampling risk.

A . It is true that attributes sampling considers sampling risk.

C . It is true that variables sampling considers sampling risk, which is same as the monetary unit
sampling.

D . It is true that monetary unit sampling considers sampling risk, which is same as the variables
sampling.

Question 15 of 250

When an auditor's sampling objective is to obtain a measurable assurance that a sample will contain
at least one occurrence of a specific critical exception existing in a population, the sampling approach
to use is:

a) Random.
b) Discovery.
c) Probability proportional to size.
d) Variables.

Answer B is Correct.

Discovery sampling is structured to measure the probability of at least one exception occurring in a
sample if there are a minimum number of errors in the population. Discovery is used only when
exception rates are expected to be very low.

A . Random sampling deals only with the technique used to choose the sample.

C . Probability-proportional-to-size sampling deals with the technique used to select items but does
not apply when attempting to discover critical occurrences.

D . Variables sampling need not contain at least one exception of a critical occurrence.

Question 16 of 250

Management is legally required to prepare a shipping document for all movement of hazardous
materials. The document must be filed with bills of lading. Management expects 100% compliance
with the procedure. Which of the following sampling approaches would be most appropriate?

a) Attributes sampling.
b) Discovery sampling.
c) Targeted sampling.
d) Variables sampling.

Answer B is Correct.

Discovery sampling is best because this application deals with an attribute that is expected to be quite
rare.

A . Attributes sampling is too broad.

C . Targeted sampling is a nonsense term.

D . Variables sampling deals with monetary amounts.

Question 17 of 250

The appropriate sampling plan to use to identify at least one irregularity, assuming some number of
such irregularities exist in a population, and then to discontinue sampling when one irregularity is
observed is

a) Stop-and-go sampling.
b) Discovery sampling.
c) Variables sampling.
d) Attributes sampling.

Answer B is Correct.

Discovery sampling involves identifying characteristics that could include “discovering” single
instances of suspected special characteristics (irregularities).

A . Stop-and-go sampling involves discontinuing the sampling when a target error rate is achieved.

C . Variables sampling involves reducing sample size by separating the population into groups of items
with similar values.

D . Attribute sampling involves identifying characteristics of the sample and projecting those to the
population.

Question 18 of 250

After partially completing an internal control review of the accounts payable department, the auditor
suspects that some type of fraud has occurred. To ascertain whether the fraud is present, the best
sampling approach would be to use:

a) Simple random sampling to select a sample of vouchers processed by the
department during the past year.
b) Probability-proportional-to-size sampling to select a sample of vouchers processed
by the department during the past year.
c) Discovery sampling to select a sample of vouchers processed by the department
during the past year.
d) Judgmental sampling to select a sample of vouchers processed by clerks identified
by the department manager as acting suspiciously.

Answer C is Correct.

The purpose here is to determine whether any fraud has taken place rather than to estimate its
overall frequency. Discovery sampling is a method designed specifically to do this.

A . This approach would be appropriate if the extent of fraud were to be estimated.

B . This approach would be appropriate if the monetary value of fraud were to be estimated.

D . It would be difficult to determine what an adequate sample would be in this case, but a more
important issue is restricting the population considered to the vouchers processed by workers that
the department manager considers suspicious. This presents a significant potential for biasing the
sample because of the department manager's potential conflict of interest.

Question 19 of 250

Because of control weaknesses, it is possible that the individual managers of 122 restaurants could
have placed fictitious employees on the payroll. Each restaurant employs between 25 and 30 people.
To efficiently determine whether this fraud exists at less than a 1% level, the auditor should use:

a) Attributes sampling.
b) Judgment sampling.
c) Directed sampling.
d) Discovery sampling.

Answer D is Correct.

Discovery sampling is most often interested in the occurrence of fraud. It efficiently defines a
sampling effort that will have a specified probability of containing at least one occurrence of the
attribute within the population, given that it is expected to occur at a certain rate.

A . Attribute sampling could work, but it would not be as efficient as discovery sampling.

B . Judgment sampling cannot provide the needed statistical assurance.

C . Directed sampling focuses on certain transactions or locations that are likely to contain errors. Its
use is not indicated.

Question 20 of 250

In the audit of a health insurance claims processing department, a sample is taken to test for the
presence of fictitious payees, although none is suspected. The most appropriate sampling plan would
be:

a) Attributes sampling.
b) Discovery sampling.
c) Variables sampling.
d) Stop-and-go sampling.

Answer B is Correct.

Discovery sampling is appropriate when a near-zero error rate is expected and the characteristic
under scrutiny is critical.

A . Attributes sampling implies a fixed sample size and a need to project a sample occurrence rate. It
involves identifying characteristics of the sample and projecting those to the population.

C . Variables sampling involves reducing sample size by separating the population into groups of items
with similar values.

D . Stop-and-go sampling is not in accord with the audit objective.

Question 21 of 250

An auditor applying a discovery sampling plan with a 5% risk of overreliance may conclude that there
is:
a) A 95% probability that the actual rate of occurrence in the population is less than
the critical rate if only one exception is found.
b) A 95% probability that the actual rate of occurrence in the population is less than
the critical rate if no exceptions are found.
c) A 95% probability that the actual rate of occurrence in the population is less than
the critical rate if the occurrence rate in the sample is less than the critical rate.
d) Greater than a 95% probability that the actual rate of occurrence in the population is
less than the critical rate if no exceptions are found.

Answer B is Correct.

If no exceptions are found, the correct conclusion is that the occurrence rate is less than the critical
rate at a given probability level.

A . There is a 95% probability that the actual rate of occurrence is equal to or greater than the critical
rate if one exception is found.

C . There is a 95% probability that the actual rate is equal to or exceeds the critical rate if any
exceptions are found.

D . The probability does not increase because no exceptions were found.

Question 22 of 250

An internal auditor suspects fraud. Which of the following sample plans should be used if the purpose
is to select a sample with a given probability of containing at least one example of the irregularity?

a) Attributes sampling
b) Discovery sampling
c) Stop-and-go sampling
d) Probability-proportional-to-size sampling

Answer B is Correct.

Discovery sampling is used when the internal auditor suspects a rare but material error or fraud. The
plan seeks to select a sample just large enough to include one example of the error or irregularity a
specified percentage of the time.

A . Attribute sampling is for normal compliance testing. It is not used when very, very few errors are
expected.

C . Stop-and-go sampling is a form of attribute sampling.

D . Probability-proportional-to-size (monetary-unit) sampling is used for substantive testing. It allows
the verification of values whose range lies between positive and negative infinity.
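As an added worked example (not from the Wiley text), the arithmetic behind the discovery-sampling questions 15 through 22: the smallest sample that gives a stated assurance of catching at least one exception at a critical occurrence rate (binomial approximation and the exact finite-population form), and the conclusion an auditor may draw from zero versus one exception as in Question 21. The 1% critical rate, 95% assurance and 3,355-employee population are assumed illustrative values.

```python
"""Discovery sampling arithmetic (constructed example, not from the book)."""
import math


def prob_no_exceptions_binomial(critical_rate, sample_size):
    """P(zero exceptions in the sample) if the population deviates at
    critical_rate; infinite-population (with replacement) approximation."""
    return (1.0 - critical_rate) ** sample_size


def prob_no_exceptions_hypergeometric(population, deviations, sample_size):
    """Exact P(zero exceptions) when drawing without replacement from a finite
    population that contains `deviations` deviating items."""
    if sample_size > population - deviations:
        return 0.0  # every clean item is already drawn; a deviation is certain
    p = 1.0
    for i in range(sample_size):
        p *= (population - deviations - i) / (population - i)
    return p


def discovery_sample_size(critical_rate, assurance, population=None):
    """Smallest sample size whose probability of containing at least one
    exception is >= `assurance`, assuming the population deviates at exactly
    the critical rate.  population=None uses the binomial approximation;
    otherwise the exact finite-population form with ceil(rate * N) deviations."""
    risk = 1.0 - assurance  # e.g. 0.05 for a 5% risk of overreliance
    if population is None:
        n = math.ceil(math.log(risk) / math.log(1.0 - critical_rate))
        # guard the boundary against floating-point rounding
        while prob_no_exceptions_binomial(critical_rate, n) > risk:
            n += 1
        while n > 1 and prob_no_exceptions_binomial(critical_rate, n - 1) <= risk:
            n -= 1
        return n
    deviations = math.ceil(critical_rate * population)
    n, p0 = 0, 1.0
    while p0 > risk:  # grow the sample until P(zero exceptions) <= risk
        p0 *= (population - deviations - n) / (population - n)
        n += 1
    return n


def interpret_discovery_result(exceptions_found, critical_rate, sample_size, assurance):
    """The conclusion a discovery sample supports (Question 21): with zero
    exceptions the auditor may claim the designed assurance that the rate is
    below the critical rate; any exception removes that claim and gives no
    rate estimate, so the auditor moves to attributes sampling or investigates."""
    designed = 1.0 - prob_no_exceptions_binomial(critical_rate, sample_size)
    if exceptions_found == 0:
        if designed >= assurance:
            return ("no exceptions: conclude with %.0f%% assurance that the population "
                    "rate is below %.1f%%" % (assurance * 100, critical_rate * 100))
        return "no exceptions, but the sample is too small for the required assurance"
    return ("exception(s) found: the rate may be at or above the critical rate; "
            "discovery sampling gives no estimate, so switch to attributes sampling "
            "or investigate the exceptions")


if __name__ == "__main__":
    # Question 19 scenario: 122 restaurants x ~27.5 staff (assumed N = 3,355),
    # fraud to be detected if it exists at a 1% level, 5% risk of overreliance.
    print("binomial n (1%, 95%):", discovery_sample_size(0.01, 0.95))
    print("exact n for N=3355:", discovery_sample_size(0.01, 0.95, population=3355))
    print(interpret_discovery_result(0, 0.01, 299, 0.95))
    print(interpret_discovery_result(1, 0.01, 299, 0.95))
```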

Question 23 of 250

Cycle time can be either reduced or speeded up with which of the following?

a) Business process reengineering


b) Benchmarking
c) Best practices
d) Business process improvement

Answer A is Correct.

Business process reengineering (BPR) can be used to reduce the cycle time or speed it up because the
BPR is a radical approach to improvement.

B . Benchmarking is used for comparison purposes at a higher level of business processes.

C . Best practices are best-in-class practices that are proven over a time period and that work.

D . Business process improvement is an incremental approach to improvement.

Question 24 of 250

The time between when an order is placed and when it is received by the customer is defined as:

a) Arrival time.
b) Order cycle time.
c) Shipping time.
d) Order time.

Answer B is Correct.

The time between when an order is placed and when the customer receives it is defined as the order
cycle time.

A . This choice does not define the question.

C . This choice does not define the question.

D . This choice does not define the question.

Question 25 of 250

The time it takes to deliver a product or service after an order is placed is defined as:

a) Order cycle time.


b) Customer response time.
c) Order process time.
d) Inspection time.

Answer B is Correct.

The time it takes to deliver a product or service after an order is placed is called customer response
time.

A . This choice does not define the question.

C . This choice does not define the question.

D . This choice does not define the question.

Question 26 of 250

The time between when an order is placed and when the order is ready for setup is defined as:

a) Order receipt time.


b) Order wait time.
c) Order process time.
d) Efficiency time.

Answer A is Correct.

The time between when an order is placed and when the order is ready for setup is called order
receipt time.

B . This choice does not define the question.

C . This choice does not define the question.

D . This choice does not define the question.

Question 27 of 250

The time between when an order is ready for setup and the setup is complete is defined as:

a) Order receipt time.


b) Order wait time.
c) Order process time.
d) Efficiency time.

Answer B is Correct.

The time between when an order is ready for setup and when the setup is complete is called order
wait time.

A . This choice does not define the question.

C . This choice does not define the question.

D . This choice does not define the question.

Question 28 of 250

Which of the following refers to eliminating unnecessary procedures and activities in a business
process?

a) Work standardization
b) Work simplification
c) Work customization
d) Work measurement

Answer B is Correct.

Work simplification refers to eliminating unnecessary procedures and activities in a business process.

A . Work standardization refers to bringing similar procedures to a uniform level.

C . Work customization refers to providing a tailor-made solution to work procedures.

D . Work measurement uses industrial engineering techniques to estimate labor time and material
standards.

Question 29 of 250

A manufacturing company has the following estimates for a specific customer order to produce 50 toy
sets:

Wait time 10 hours
Inspection time 1 hour
Processing time 36 hours
Move time 1.5 hours

Using these time estimates, what is the value-added time?

a) 36 hours
b) 37 hours
c) 38.5 hours
d) 48.5 hours

Answer A is Correct.

Processing time (36 hours) is the only task that adds value to a specific customer.

B . This choice combines processing time and inspection time.

C . This choice combines processing time, inspection time, and move time.

D . This choice combines processing time, inspection time, move time, and wait time.

Question 30 of 250

A manufacturing company has the following estimates for a specific customer order to produce 50 toy
sets:

Wait time 10 hours
Inspection time 1 hour
Processing time 36 hours
Move time 1.5 hours

Using these time estimates, what is the non-value-added time?

a) 2.5 hours
b) 10.0 hours
c) 11.0 hours
d) 12.5 hours

Answer D is Correct.
Wait time (10 hours), inspection time (1 hour), and move time (1.5 hours) are examples of
non-value-added time (12.5 hours) from a customer's viewpoint.

A . This choice adds inspection time and move time as non-value-added time.

B . This choice keeps only the wait time as non-value-added time.

C . This choice adds wait time and inspection time as non-value-added time.

Question 31 of 250

A manufacturing company has the following estimates for a specific customer order to produce 50 toy
sets:

Wait time 10 hours
Inspection time 1 hour
Processing time 36 hours
Move time 1.5 hours

Using these time estimates, what is the manufacturing cycle time?

a) 36.00 hours
b) 46.00 hours
c) 47.00 hours
d) 48.50 hours

Answer D is Correct.

The manufacturing cycle time (48.5 hours) is the combination of value-added time (36 hours) and
non-value-added time (12.5 hours).

A . The manufacturing cycle time includes both value-added time and non-value-added time. This
choice counts only processing time and ignores wait time, inspection time, and move time as
non-value-added times.

B . The manufacturing cycle time includes both value-added time and non-value-added time. This
choice (36 + 10) ignores inspection time and move time as non-value-added times.

C . The manufacturing cycle time includes both value-added time and non-value-added time. This
choice (36 + 10 + 1) ignores move time as non-value-added time.

Question 32 of 250

Which of the following actions does not help in reducing the cycle time?

a) Changing from a parallel flow to a linear flow in a process
b) Using alternate flow paths in a process
c) Changing the layout of a process
d) Using technology to improve process flow

Answer A is Correct.
Cycle time cannot be reduced by changing from a parallel flow to a linear flow in a process. However,
cycle time can be reduced by changing from a linear flow to a parallel flow in a process.

B . Cycle time can be reduced by using alternate flow paths in a process.

C . Cycle time can be reduced by changing the layout of a process.

D . Cycle time can be reduced by using technology to improve process flow.

Question 33 of 250

In reducing cycle time, speed can increase from which of the following?

a) Complexity
b) Simplicity
c) Homogeneity
d) Heterogeneity

Answer B is Correct.

Simplicity of tasks, activities, and operations can increase speed.

A . Complexity of tasks, activities, and operations can decrease speed.

C . Homogeneity of tasks, activities, and operations may or may not increase speed due to their
internal structure.

D . Heterogeneity of tasks, activities, and operations can decrease speed due to their internal
structure.

Question 34 of 250

Which of the following is not generally associated with reducing cycle time?

a) Expanding work steps
b) Eliminating work steps
c) Minimizing work steps
d) Combining work steps

Answer A is Correct.

Expanding work steps usually increases cycle time. The goal of reducing cycle time is to eliminate,
minimize, combine, or improve work steps or time.

B . The goal of reducing cycle time is to eliminate, minimize, combine, or improve work steps or time.

C . The goal of reducing cycle time is to minimize, eliminate, combine, or improve work steps or time.

D . The goal of reducing cycle time is to combine, eliminate, minimize, or improve work steps or time.

Question 35 of 250

Which of the following is caused by exceeding the capacity limitation of key resources?

a) Pain points
b) Check points
c) Critical points
d) Choke points

Answer D is Correct.

Exceeding the capacity limitation of key resources causes choke points in a process. Here “capacity” is
defined as the potential output over a time period. Choke points cause major delays in cycle time.

A . Pain points are not related to capacity and cycle time.

B . Check points are not related to capacity and cycle time.

C . Critical points are not related to capacity and cycle time.

Question 36 of 250

In documenting the procedures used by several interacting departments, the internal auditor will
most likely use a(n):

a) Horizontal flowchart.
b) Vertical flowchart.
c) Gantt chart.
d) Internal control questionnaire.

Answer A is Correct.

A horizontal (systems) flowchart highlights the interaction between departments.

B . A vertical flowchart does not highlight the interaction of departments.

C . A Gantt chart is not a procedure-oriented documenting tool.

D . An internal control questionnaire does not highlight the interaction of departments.

Question 37 of 250

A production process delivers value through all of the following items except:

a) Product selling.
b) Product quality.
c) Cost reduction.
d) Schedule flexibility.

Answer A is Correct.

Product selling is outside the production process because selling comes after completing the
production process.

B . Product quality is essential in delivering value as it is inside the production process.

C . Cost reduction is essential in delivering value as it is inside the production process.

D . Schedule flexibility is essential in delivering value as it is inside the production process.


Question 38 of 250

Regarding forecasting, which of the following assumes that the future will be an extension of present
and past results?

a) Scenario analysis
b) Survey analysis
c) Trend analysis
d) Market analysis

Answer C is Correct.

Trend analysis is the hypothetical extension of a past pattern of events or time series into the future.
An underlying assumption of trend analysis is that past and present tendencies will continue into the
future. “Trend” is the long-run shift or movement in the time series observable over several periods
of data.

A . Scenario analysis is the preparation and study of written descriptions of alternative but equally
likely future conditions.

B . Survey analysis indicates what is happening or what people are saying at the current time period.

D . Market analysis indicates what customers’ interests and preferences are about products and
services of a company and its competitors at the current time period.

Question 39 of 250

Seasonal components in a time-series forecasting model:

a) Cannot be predicted.
b) Are regular repeated patterns.
c) Are long runs of observations above or below the trend line.
d) Reflect a shift in the series over time.

Answer B is Correct.

A seasonal component is the component of the time-series model that shows a periodic pattern over
one year or less. Seasonal components are regular repeated patterns.

A . Seasonal components can be predicted as retailers predict sales for every season (e.g., fall,
summer, winter, and spring).

C . A cyclical component is the component of the time-series model that results in periodic
above-trend and below-trend behavior of a time series lasting more than one year.

D . Because of their repeated patterns, seasonal components do not reflect a shift in the time series
over time.

Question 40 of 250

Short-term, unanticipated, and nonrecurring factors in a time-series forecasting model provide the
random variability known as the:

a) Irregular component.
b) Residual.
c) Forecast error.
d) Mean squared error.

Answer A is Correct.

The irregular component is the component of the time-series model that reflects the random
variation of the actual time-series values beyond what can be explained by the trend, cyclical, and
seasonal components. Smoothing methods are used to smooth the irregular component.

B . The residual is the difference between the actual value of the dependent variable and the value
predicted by the regression equation.

C . The forecast error is the difference between actual and forecasted values.

D . The mean squared error is an approach to measuring the accuracy of a forecasting model. This
measure is the average of the sum of the squared differences between the actual time-series values
and the forecasted values.

Question 41 of 250

Causal forecasting models:

a) Should avoid the use of multiple regression analysis.
b) Attempt to explain behavior of a time series.
c) Do not use time-series data.
d) Should avoid the use of linear regression analysis.

Answer B is Correct.

The causal forecasting model is a forecasting method that relates a time series to other variables that
are believed to explain or cause its behavior.

A . Causal forecasting uses multiple regression analysis where there can be several independent
variables and one dependent variable.

C . Causal forecasting models use time-series data to explain the behavior of statistical variables.

D . A simple linear regression is a method for analyzing the relation between one independent
variable and one dependent variable.

Question 42 of 250

Which of the following seasonal indices shows a positive effect?

a) Above 1
b) Exactly 1
c) Less than 1
d) Exactly zero

Answer A is Correct.
A seasonal index is a measure of the seasonal effect on a time series (i.e., positive effect or negative
effect). A seasonal index above 1 indicates a positive effect.

B . A seasonal index of exactly 1 indicates no seasonal effect.

C . A seasonal index of less than 1 indicates a negative effect.

D . A seasonal index must always be above zero as there will be some seasonal variation on sales.

Question 43 of 250

A deseasonalized time series is calculated by:

a) Dividing each original time-series observation by the corresponding seasonal index.
b) Subtracting each original time-series observation from the corresponding seasonal index.
c) Multiplying each original time-series observation with the corresponding seasonal index.
d) Adding each original time-series observation to the corresponding seasonal index.

Answer A is Correct.

A deseasonalized time series means that the impact of a season's sales is removed from the total
sales to determine what the normal sales would be in the absence of seasonal sales. The effect of
season is removed by dividing each original time-series observation by the corresponding seasonal
index.

B . A deseasonalized time series means that the impact of a season's sales is removed from the total
sales to determine what the normal sales would be in the absence of a season. It does not use a
subtract mathematical operation to compute.

C . A deseasonalized time-series means that the impact of a season's sales is removed from the total
sales to determine what the normal sales would be in the absence of a season. It does not use a
multiply mathematical operation to compute.

D . A deseasonalized time series means that the impact of a season's sales is removed from the total
sales to determine what the normal sales would be in the absence of a season. It does not use an add
mathematical operation to compute.
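Questions 42 and 43 above describe seasonal indices and deseasonalizing by division, and Question 44 mentions the moving average as the tool for decomposing a series. The following Python script is an added example, not part of the original question bank or of the IIA material: it computes quarterly seasonal indices by the ratio-to-centered-moving-average method on a constructed three-year sales series and then deseasonalizes the series by dividing each observation by its quarter's index. The sales figures, the quarterly period, and the function names are assumptions made for the illustration.

```python
"""Seasonal indices by the ratio-to-centered-moving-average method, then deseasonalizing.

Added example for a CIA review topic; the data below are constructed, not real sales.
"""
from statistics import mean

# Constructed quarterly sales (three years, Q1..Q4) in thousands of dollars (assumption).
# Built from a rising trend multiplied by seasonal factors of about 0.8, 1.0, 1.2, 1.0.
SALES = [80.0, 102.0, 124.8, 106.0,
         86.4, 110.0, 134.4, 114.0,
         92.8, 118.0, 144.0, 122.0]
PERIOD = 4  # observations per seasonal cycle (quarters per year)


def centered_moving_average(series, period=PERIOD):
    """Return {t: CMA_t}. For an even period the plain period-long mean falls between two
    observations, so two adjacent means are averaged to center the value on observation t."""
    if period % 2:
        raise ValueError("this helper assumes an even period such as 4 or 12")
    ma = [mean(series[i:i + period]) for i in range(len(series) - period + 1)]
    half = period // 2
    return {t: (ma[t - half] + ma[t - half + 1]) / 2
            for t in range(half, len(series) - half)}


def seasonal_indices(series, period=PERIOD):
    """Seasonal index per season: average of actual / centered moving average for that season,
    rescaled so the indices sum to `period` (that is, they average exactly 1)."""
    cma = centered_moving_average(series, period)
    ratios = {season: [] for season in range(period)}
    for t, avg in cma.items():
        ratios[t % period].append(series[t] / avg)
    raw = [mean(ratios[season]) for season in range(period)]
    scale = period / sum(raw)
    return [r * scale for r in raw]


def deseasonalize(series, indices):
    """Remove the seasonal effect by dividing each observation by its season's index."""
    return [x / indices[t % len(indices)] for t, x in enumerate(series)]


if __name__ == "__main__":
    idx = seasonal_indices(SALES)
    for season, i in enumerate(idx, start=1):
        effect = "positive" if i > 1 else "negative" if i < 1 else "no"
        print(f"Q{season}: index {i:.3f} ({effect} seasonal effect)")
    for t, (raw, adj) in enumerate(zip(SALES, deseasonalize(SALES, idx))):
        print(f"t={t:2d} actual {raw:6.1f} deseasonalized {adj:6.1f}")
```

With the constructed data the Q1 index comes out near 0.8 (a negative seasonal effect) and the Q3 index near 1.2 (a positive effect), and the deseasonalized series rises steadily, which is the underlying trend the seasonal swings were hiding. The indices are rescaled so they average exactly 1; that is a check worth keeping, because if they do not, the whole deseasonalized series is biased up or down.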

Question 44 of 250

Which of the following is not an appropriate time-series forecasting technique?

a) Least squares
b) Exponential smoothing
c) The Delphi technique
d) Moving averages

Answer C is Correct.

The Delphi technique is a qualitative technique, not a quantitative technique. This technique obtains
forecasts through group consensus, not through mathematical equations.

A . The least squares technique is used in regression models to produce a line that best fits the
time-series data. This choice is an appropriate quantitative technique for time-series forecasting.

B . The exponential smoothing technique (single parameter) is appropriate for time-series data. This
technique incorporates more recent observations than the old observations. This choice is an
appropriate quantitative technique for time-series forecasting.

D . The moving average process is used to decompose the time-series components. This choice is an
appropriate quantitative technique for time-series forecasting.

Question 45 of 250

A cost-volume-profit (CVP) model developed in a dynamic manufacturing company's environment
determined that the estimated parameters (variables) used may vary between limits. Subsequent
testing of the model with respect to all possible values of the estimated parameters is termed:

a) Sensitivity analysis.
b) Statistical estimation.
c) Statistical hypothesis testing.
d) A time-series study.

Answer A is Correct.

Sensitivity analysis reveals the impact of changes in one or more input variables on the output or
results of a decision model (e.g., CVP model).

B . Statistical estimation involves the estimation of statistical parameters or variables.

C . Statistical hypothesis testing involves testing of hypotheses concerning estimated parameters or
variables.

D . A time-series study involves forecasting data over time. Time-series analysis is a statistical
forecasting technique that uses patterns observed in historical data to predict future values.

Question 46 of 250

A company is deciding whether to purchase an automated machine to manufacture one of its
products. Expected net cash flows from this decision depend on several factors, interactions among
those factors, and the probabilities associated with different levels of those factors. The method that
the company should use to evaluate the distribution of net cash flows from this decision and changes
in net cash flows resulting from changes in levels of various factors is:

a) Simulation and sensitivity analysis.
b) Linear programming.
c) Correlation analysis.
d) Differential analysis.

Answer A is Correct.

Simulation is a technique used to describe the behavior of a real-world system over time. Most often
this technique employs a computer program to perform the simulation computations. Sensitivity
analysis examines how outcomes change as the model parameters or variables change.
B . Linear programming is a mathematical technique for maximizing or minimizing a given objective
subject to certain constraints in labor hours and production materials.

C . Correlation analysis is a statistical procedure for studying the relation between variables.

D . Differential analysis is a method used for decision making that compares differences in costs and
revenues under two or more alternatives.

Question 47 of 250

Which of the following is not true about simulation models?

a) They are deterministic in nature.
b) They may involve sampling.
c) They mathematically estimate what actual performance would be.
d) They emulate stochastic systems.

Answer A is Correct.

Simulation models are probabilistic in nature. It is not true that simulation models are deterministic in
nature.

B . It is true that simulation models may involve sampling.

C . It is true that simulation models mathematically estimate what performance would be under
various conditions.

D . It is true that simulation models are stochastic or probabilistic models.

Question 48 of 250

A large fishing operation has information on the interval, time, and probabilities of shrimp schools
staying beneath their fishing boats. In order to use this information to predict when and where to
send their boats, which of the following techniques should be used?

a) Simulation
b) Least squares
c) Queuing theory
d) Exponential smoothing

Answer A is Correct.

Simulation is a technique in which a probabilistic process is first modeled. The model is then exercised
to learn how the system it represents behaves, and the characteristics learned from the model are
used to make inferences about the real system. This choice helps the fishing operation.

B . The least squares method is a prediction and estimation technique that fits a line relating one
dependent variable to one or more independent variables. It does not model a probabilistic process,
so this choice does not help the fishing operation.

C . The queuing theory or waiting-line technique is used to balance desirable service levels against the
cost of providing more service. This choice does not help the fishing operation.

D . Exponential smoothing is a forecasting technique that applies exponentially declining weights,
giving more influence to recent observations. This choice does not help the fishing operation.

Question 49 of 250

As part of a risk analysis, an internal auditor wants to forecast the percentage growth in next month's
sales for a particular manufacturing plant using sales results from the past 30 months. Significant
changes in the organization affecting sales volumes were made within the last 9 months. The most
effective analytical technique to use would be:

a) The unweighted moving average.
b) Exponential smoothing.
c) Queuing theory.
d) Linear regression analysis.

Answer B is Correct.

Exponential smoothing puts most weight on recent sales data. The exponential smoothing technique
is good to use since it incorporates the more recent observations. It is the most effective analytical
technique here.

A . An unweighted average will not give more importance to more recent data. It is the least effective
analytical technique here.

C . Queuing theory is used to determine the time in waiting lines. It is the least effective analytical
technique here.

D . Linear regression analysis is a cross-sectional tool, which does not give more importance to more
recent data. It is the least effective analytical technique here.
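To make the point of Question 49 concrete, the following Python script is an added example, not part of the original question bank: it builds a constructed 30-month sales series whose level steps up nine months ago, then produces a next-month forecast from a 12-month unweighted moving average and from single exponential smoothing. The 12-month window, the smoothing constant alpha = 0.3, the sales levels, and the function names are assumptions made for the illustration.

```python
"""Unweighted moving average vs. single exponential smoothing after a structural change.

Added example for a CIA review topic; the series below is constructed, not real sales.
"""

# Constructed monthly sales in units for 30 months (assumption): a steady level of 100 for
# the first 21 months, then a step up to 130 for the last 9 months after the reorganization.
MONTHLY_SALES = [100.0] * 21 + [130.0] * 9


def moving_average_forecast(series, window):
    """Next-month forecast as the plain mean of the last `window` months (equal weights)."""
    if window < 1 or window > len(series):
        raise ValueError("window must be between 1 and the series length")
    recent = series[-window:]
    return sum(recent) / len(recent)


def exponential_smoothing_forecast(series, alpha):
    """Next-month forecast from single exponential smoothing. The level starts at the first
    observation and each month moves a fraction alpha of the way toward the newest actual."""
    if not 0 < alpha <= 1:
        raise ValueError("alpha must lie in (0, 1]")
    level = series[0]
    for actual in series[1:]:
        level += alpha * (actual - level)
    return level


def smoothing_weights(alpha, n):
    """Implied weight on the k-th most recent observation (k = 0 is the newest): alpha(1-alpha)^k.
    Compare with the flat 1/n that an unweighted moving average of length n applies."""
    return [alpha * (1 - alpha) ** k for k in range(n)]


def percentage_growth(forecast, last_actual):
    """Forecast growth of next month over the last actual month, in percent."""
    return (forecast - last_actual) / last_actual * 100


if __name__ == "__main__":
    ma = moving_average_forecast(MONTHLY_SALES, window=12)
    ses = exponential_smoothing_forecast(MONTHLY_SALES, alpha=0.3)
    last = MONTHLY_SALES[-1]
    print(f"12-month moving average forecast: {ma:.1f} ({percentage_growth(ma, last):+.1f}%)")
    print(f"exponential smoothing forecast:   {ses:.1f} ({percentage_growth(ses, last):+.1f}%)")
    for k, w in enumerate(smoothing_weights(0.3, 12)):
        print(f"weight on month t-{k}: {w:.4f} vs moving-average weight {1/12:.4f}")
```

The smoothing forecast lands close to the new level of 130 because only 0.7^9, about 4 percent, of its weight still rests on months before the change, whereas the 12-month average still counts three pre-change months at full weight and lags behind at 122.5. The smoothing_weights helper shows why: the weight on the k-th most recent month is alpha(1 - alpha)^k, declining geometrically, versus a flat 1/12 for the moving average.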

Question 50 of 250

The manager of the assembly department of a manufacturing company would like to estimate the
fixed and variable components of the department's cost. To do so, the manager has collected
information on total cost and output for the past 24 months. To estimate the fixed and variable
components of total cost, the manager should use which of the following?

a) Regression analysis
b) Game theory
c) Sensitivity analysis
d) Queuing theory

Answer A is Correct.

Regression analysis is a statistical technique for measuring the relationship between variables. It
estimates the component of the dependent variable that varies with changes in the independent
variable and the component that does not vary (fixed) with changes in the independent variable.
Regression analysis separates the total cost into fixed cost and variable cost components.

B . Game theory is a mathematical approach to decision making in which each decision maker
considers the courses of action of competitors. Game theory does not separate the total cost into
fixed cost and variable cost components.
C . Sensitivity analysis is a method for studying how changes in one or more variables affect the
optimal solution in a linear programming model. Sensitivity analysis does not separate the total cost
into fixed cost and variable cost components.

D . Queuing theory consists of waiting-line models, which can be used to determine the operating
characteristics for a waiting line. Queuing theory does not separate the total cost into fixed cost and
variable cost components.

Question 51 of 250

The internal auditor of a bank has developed a multiple regression model that has been used for a
number of years to estimate the amount of interest income from commercial loans. During the
current year, the auditor applies the model and discovers that the R² value (i.e., the coefficient of
determination) has decreased dramatically; otherwise, the model seemed to be working okay. Which of
the following conclusions is justified by the change?

a) Changing to a cross-sectional regression analysis should cause the R² to increase.
b) Regression analysis is no longer an appropriate technique to estimate interest income.
c) Some new factors, not included in the model, are causing interest income to change.
d) A linear regression analysis would increase the model's reliability.

Answer C is Correct.

The R² explains the amount of variation in the dependent variable (interest income) that is explained
by the independent variables. In this case, less of the change in interest income is explained by the
model; thus, some other factor must be causing the interest income variable to change. This would
merit audit investigation.

A . Cross-sectional regression analysis would not be appropriate because the auditor is trying to
estimate changes in a single account balance over time.

B . Regression analysis may still be the most appropriate methodology to estimate interest income,
but the auditor should first understand the factors that may be causing R² to decrease. The
decrease may be caused by a systematic error in the account balance.

D . Linear regression models are simpler models than the multiple regression models. The problem is
that the auditor should be looking for either a systematic error in the account balance or a more
complex model.

Question 52 of 250

In regression analysis, which of the following correlation coefficients represents the strongest
relationships between the independent and dependent variables?

a) 1.03
b) −0.02
c) −0.89
d) 0.75

Answer C is Correct.

This answer is only 0.11 from the limit of −1.0. The negative sign indicates the direction of the
relationship (i.e., inverse) between the independent and dependent variables; the strength of the
relationship is judged by the absolute value. This choice shows the strongest relationship.

A . The range for the correlation coefficient is between −1.0 and +1.0, inclusive. Thus, this answer is
not possible even though it is the largest value among the four alternative answers.

B . This is the weakest correlation coefficient among the four alternative answers. This answer is so
close to 0.00 that practically no linear relationship exists between the independent and dependent
variables.

D . This answer is 0.25 from the limit of +1.0, whereas −0.89 is only 0.11 from −1.0 and therefore
indicates the stronger relationship.

Question 53 of 250

A division uses a regression analysis in which monthly advertising expenditures are used to predict
monthly product sales (both in millions of dollars). The results show a regression coefficient for the
independent variable equal to 0.8. This coefficient value indicates that:

a) The average monthly advertising expenditure in the sample is $800,000.
b) When monthly advertising is at its average level, product sales will be $800,000.
c) On average, for every additional dollar in advertising, you get $0.80 in additional sales.
d) Advertising is not a good predictor of sales because the coefficient is so small.

Answer C is Correct.

A regression coefficient represents the change in the dependent variable for a unit change in the
independent variable. It is true that, on average, for every additional dollar in advertising, you get
$0.80 in additional sales.

A . A regression coefficient tells you nothing about the means of the variables.

B . In order to predict a specific value of sales, you must multiply the independent variable value by
the coefficient and add the intercept value.

D . The absolute size of the coefficient bears no necessary relationship to the importance of the
variable.
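Questions 50 through 53 turn on what a least-squares line delivers: the intercept and slope as fixed and variable cost (Question 50), R² as the share of variation explained (Question 51), the correlation coefficient bounded by −1.0 and +1.0 (Question 52), and the slope as the change in the dependent variable per unit change in the independent variable (Question 53). The following Python script is an added example, not part of the original question bank: it fits a simple linear regression to a constructed 24-month set of output and total-cost figures, reports the fit statistics, and includes the range check that rules out a coefficient such as 1.03. The data and the helper names are assumptions made for the illustration.

```python
"""Least-squares line separating fixed and variable cost, with R-squared and r.

Added example for a CIA review topic; the data below are constructed, not a real department.
"""
from math import sqrt
from typing import NamedTuple

# Constructed 24-month assembly-department data (assumption): output in units and total cost
# in dollars, built as cost = 5000 + 12 * units plus a +/-50 disturbance pattern. The true
# fixed cost is therefore $5,000 and the true variable cost $12 per unit.
UNITS = [100 + 10 * i for i in range(24)]
_DISTURBANCE = [50, -50, -50, 50] * 6
TOTAL_COST = [5000 + 12 * u + e for u, e in zip(UNITS, _DISTURBANCE)]


class Fit(NamedTuple):
    intercept: float   # estimated fixed cost (cost at zero output)
    slope: float       # estimated variable cost per unit of output
    r_squared: float   # coefficient of determination: share of cost variation explained
    r: float           # correlation coefficient; sign gives direction, |r| gives strength


def least_squares(x, y):
    """Fit y = intercept + slope * x by ordinary least squares and report R-squared and r."""
    n = len(x)
    if n != len(y) or n < 3:
        raise ValueError("need at least three paired observations")
    x_bar, y_bar = sum(x) / n, sum(y) / n
    sxx = sum((xi - x_bar) ** 2 for xi in x)
    syy = sum((yi - y_bar) ** 2 for yi in y)
    sxy = sum((xi - x_bar) * (yi - y_bar) for xi, yi in zip(x, y))
    if sxx == 0:
        raise ValueError("the independent variable never varies, so the slope is undefined")
    slope = sxy / sxx
    intercept = y_bar - slope * x_bar
    sse = sum((yi - (intercept + slope * xi)) ** 2 for xi, yi in zip(x, y))
    r_squared = 1 - sse / syy if syy else 1.0
    r = sxy / sqrt(sxx * syy) if syy else 0.0
    return Fit(intercept, slope, r_squared, r)


def predict(fit, x):
    """Point prediction: intercept plus slope times the independent variable (Question 53, B)."""
    return fit.intercept + fit.slope * x


def is_valid_correlation(r):
    """A correlation coefficient must lie in [-1, +1]; anything outside is a reporting error."""
    return -1.0 <= r <= 1.0


def strongest_correlation(values):
    """Among valid coefficients, the strongest relationship has the largest absolute value."""
    valid = [v for v in values if is_valid_correlation(v)]
    if not valid:
        raise ValueError("no valid correlation coefficients supplied")
    return max(valid, key=abs)


if __name__ == "__main__":
    fit = least_squares(UNITS, TOTAL_COST)
    print(f"fixed cost ${fit.intercept:,.2f}, variable cost ${fit.slope:.2f}/unit")
    print(f"R-squared {fit.r_squared:.4f}, r {fit.r:.4f}")
    print(f"predicted cost at 200 units: ${predict(fit, 200):,.2f}")
    print("strongest of [1.03, -0.02, -0.89, 0.75]:",
          strongest_correlation([1.03, -0.02, -0.89, 0.75]))
```

On the constructed data the fit recovers a fixed cost of $5,000 and a variable cost of $12 per unit, with R² just under 1 because of the built-in disturbance. The is_valid_correlation check is the sanity test an auditor should apply to any reported coefficient before judging its strength; strongest_correlation then ranks the valid candidates by absolute value, which is why −0.89 beats 0.75.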

Question 54 of 250

An audit manager has just returned from an executive training program and has suggested that the
audit department develop a mathematical model to help identify factors that may be causing changes
in the cost of production. According to the manager, the model should recognize that the company
currently has three separate production (cost) centers. Which of the following approaches would best
provide the analysis suggested by the audit manager?

a) Develop a classical variables sampling estimate of cost of production per department, with the
sample stratified by the dollar value of each product produced.
b) Develop a three-year ratio analysis of costs of production compared to costs of raw inventory
across the three departments.
c) Develop a multiple regression analysis of production costs including such variables as raw material
inventory costs, number of employees in the department, and overtime pay.
d) Develop a linear regression analysis relating cost of production to cost of goods sold.

Answer C is Correct.

A multiple regression analysis would help the auditor identify which factors appear to be driving the
changes in the company's cost structure.

A . The classical variables sampling procedure does not help quantify the reasons for changes in
production costs. It only helps estimate production costs, and that data should be readily available in
the client's records.

B . The three-year ratio analysis method only identifies one possible cause.

D . The linear regression addresses only one factor and would not be as useful as multiple regression.

Question 55 of 250

A chain retailer has outlets in 40 nonoverlapping though similar local markets. Recently the retailer
conducted its largest promotional campaign ever. Each outlet was unrestricted in allocating its
promotional budget between local print, radio, or television advertising or in underspending the
budget. The internal auditor wishes to evaluate the effectiveness of these tactics. In this case:

a) Time-series analysis should be used since the promotion occurred over time.
b) Multiple regression analysis may be an effective tool for modeling the relationship
between sales and promotional tactics.
c) Discriminant analysis would be the best tool for discriminating between effective
and ineffective promotional tactics.
d) Since the relationships between promotional expenditures and sales are probably
nonlinear, regression analysis should not be used.

Answer B is Correct.

Multiple regression analysis is the most effective tool because we are trying to determine the relative
effect of four different variables.

A . The data are cross-sectional, meaning that the data represent a specific point in time.

C . Discriminant analysis is an identification procedure. It studies the differences between two or
more groups and a set of discriminant variables. Here, the dependent variable, sales, is continuous.

D . The linearity of the relationships cannot be assessed before the data is analyzed.

Question 56 of 250

Which of the following can be used to create a data classification?

a) Cluster analysis
b) Discriminant analysis
c) Canonical analysis
d) Link analysis

Answer A is Correct.

Cluster analysis can be used to create a data classification. It involves clustering together things that
go together by using single or multiple dimensions. It involves coding things and identifying patterns
in data.

B . Discriminant analysis is an identification procedure. This technique can be applied to a wide variety
of research and predictive problems and interpretation and classification of data. It studies the
differences between two or more groups and a set of discriminant variables. It does not create a data
classification.

C . Canonical analysis considers possible interrelationships among independent variables and
dependent variables. Canonical analysis extends the basic relationship to an entire set of dependent
variables. It depends on an understanding of factor analysis. It does not create a data classification.

D . Link analysis connects relevant data segments with each other, forming categories, clusters, or
networks of information. It does not create a data classification.

Question 57 of 250

Qualitative data should be linked with quantitative data to:

I. Enable confirmation of each other via triangulation.
II. Enable corroboration of each other via triangulation.
III. Elaborate analysis, providing better, richer detail.
IV. Develop analysis, providing better, richer detail.

a) I only
b) III only
c) II and IV
d) I, II, III, and IV

Answer D is Correct.

Qualitative data should be linked with quantitative data to (1) enable confirmation or corroboration
of each other via triangulation; (2) elaborate or develop analysis, providing better, richer detail; and
(3) initiate new lines of thinking through attention to surprises or paradoxes, turning ideas around,
providing fresh insight.

A . This is a partial answer.

B . This is a partial answer.

C . This is a partial answer.

Question 58 of 250

The primary criteria for determining the adequacy of working papers can be found in the:

a) IIA Standards.
b) IIA's Code of Ethics.
c) Core Principles.
d) Foreign Corrupt Practices Act.

Answer A is Correct.

IIA Standard 2330 – Documenting Information addresses this aspect of working paper content.

B . The Code of Ethics does not address working papers.

C . The Core Principles do not address working papers; instead, they provide high-level concepts for
conducting internal audit activities.

D . The Foreign Corrupt Practices Act does not deal with working paper content.

Question 59 of 250

An internal auditor fails to discover an employee fraud during an audit. The nondiscovery is most
likely to suggest a violation of the IIA Standards if it was the result of a:

a) Failure to perform a detailed audit of all transactions in the area.
b) Determination that any possible fraud in the area would not involve a material amount.
c) Determination that the cost of extending audit procedures in the area would exceed the potential
benefits.
d) Presumption that the internal controls in the area were adequate and effective.

Answer D is Correct.

Although IIA Standard 2320 – Analysis and Evaluation states that "the internal auditor should
consider . . . the adequacy of internal control system," the Standards make clear that this
consideration must be based on an analysis and evaluation, not just an assumption.

A . The Standards state that "Due Professional Care . . . does not require detailed audits of all
transactions."

B . The Standards state that "the relative materiality . . . of matters to which audit procedures are
applied" is a legitimate consideration.

C . The Standards state that "the internal auditor should consider . . . the cost of auditing in relation to
potential benefits."

Question 60 of 250

The IIA Standards define relevant evidence as:

a) Factual, adequate, and convincing.
b) Reliable and the best attainable through the use of appropriate audit techniques.
c) Consistent with the audit objectives and supports audit observations and recommendations.
d) Information that helps the organization meet its goals.

Answer C is Correct.

This defines relevant information per IIA Standard 2310 – Identifying Information.

A . This defines sufficient information.

B . This defines competent information.

D . This defines useful information.

Question 61 of 250

The IIA Standards require that, in most cases, an internal auditing department have documented
policies and procedures to ensure the consistency and quality of audit work. The exception to this
requirement is directly related to:

a) Departmentalization.
b) Division of labor.
c) Span of control.
d) Authority.

Answer C is Correct.

With a small audit department, substantial direct supervision can be provided by the chief audit
executive (IIA Standard 2340 – Engagement Supervision).

A . Departmentalization can improve communications among team members, but sufficient direct
supervision may be lacking if spans of control are large.

B . Division of labor produces highly specialized individuals, but formalized guidance is necessary for
newer employees if the department is large.

D . The chief audit executive is the ultimate authority for the internal auditing department, but direct
supervision by this individual will be lacking in a large department. Formal policies are needed.

Question 62 of 250

An audit manager responsible for the supervision and review of other auditors needs the necessary
skills and knowledge. Which of the following does not describe a skill or knowledge necessary to
supervise a particular audit assignment?

a) The ability to review and analyze an audit program to determine if the proposed
audit procedures will result in evidence relevant to the audit's objectives.
b) Assuring that an audit report is supported and accurate relative to the evidence
documented in the working papers of the audit.
c) Use risk assessment and other judgmental processes to develop an audit plan and
schedule for the department and present the plan to the audit committee.
d) Determine that staff auditors have completed the audit procedures and that audit
objectives have been met.

Answer C is Correct.

This is a requirement of the chief audit executive, not an audit manager (IIA Standard 2340 –
Engagement Supervision).

A . This is a listed skill of an audit manager.

B . This is a listed skill of an audit manager.

D . This is a listed skill of an audit manager.

Question 63 of 250

IIA Standards require the director of internal auditing to establish and maintain a quality assurance
program to evaluate the operations of the internal audit department. Which of the following relates
most directly to the objective of maintaining high quality in all audits?

a) Required supervisory review of all audit programs, working papers, and draft audit
reports.
b) Required coordination with external auditors.
c) Required compliance with the Code of Ethics of the Institute of Internal Auditors.
d) Required educational standards for all members of the professional audit staff.

Answer A is Correct.

The purpose of supervisory review is to assure quality (IIA Standard 2340 – Engagement Supervision).

B . This relates to efficiency more than quality.

C . This relates only indirectly to the quality of audits.

D . This relates directly to the quality of audits but is not as effective a control as supervisory review.

Question 64 of 250

An audit supervisor would challenge whether audit evidence is sufficient to support the conclusion
that journal entries are properly prepared and approved if the working papers included:

a) A note stating the controller's assurance that journal entries are always looked at
by the accounting supervisor before entry into the computer system.
b) A copy of a handwritten schedule of standard and appended nonstandard journal
entries for the most recent month showing the initials of the preparer for each entry
and the summary approval of the controller at the top.
c) A copy of a computer-generated list of automated and nonstandard journal entries
initialed by the controller showing the auditor's references to system reports and
monthly reconciliations.
d) A cross-reference to another section of the working papers containing sufficient
evidence for this conclusion.

Answer A is Correct.

This evidence suggests that the auditor did not confirm this information or follow up with testing (IIA
Standard 2340 – Engagement Supervision).

B . This evidence shows the source and approval of journal entry information.

C . This evidence shows testing based on computer-based reports and manual reconciliations.

D . This evidence demonstrates efficiency by referencing work already done in another section of the
working papers.

Question 65 of 250

An internal auditor observes that a receivables clerk has physical access to and control of cash
receipts. The auditor worked with the clerk several years before and has a high level of trust in the
individual. Accordingly, the auditor notes in the working papers that controls over receipts are
adequate. Is the auditor in compliance with the Standards?

a) Yes, reasonable care has been taken.
b) No, irregularities were not noted.
c) No, alertness to conditions where irregularities are most likely was not shown.
d) Yes, the working papers were annotated.

Answer C is Correct.

IIA Standard 2320 – Analysis and Evaluation requires alertness for irregularities and knowledge of
high-risk areas.

A . The Standard also calls for alertness.

B . There is no indication that irregularities should occur.

D . Following instructions by rote is unacceptable. Professional judgment and alertness must be used.

Question 66 of 250

According to the IIA Standards, supervision of an audit assignment should include:

a) Determining that audit working papers adequately support the audit observations.
b) Assigning staff members to the particular engagement.
c) Determining the scope of the audit.
d) Appraising each auditor's performance on at least an annual basis.

Answer A is Correct.

IIA Standard 2340 – Engagement Supervision specifies that supervision includes determining that
working papers adequately support audit observations.

B . Staffing engagements is not a supervisory function; it is a planning function.

C . Determining audit scope is not a supervisory function; it is a planning function.

D . Appraising performance on an annual basis is not a supervisory function of a specific assignment; it
is part of the management of the internal auditing department.

Question 67 of 250

The IIA Standards define “competent information” as:

a) Supporting the audit observations and being consistent with the audit objectives.
b) Assisting the organization in meeting prescribed goals.
c) Factual, adequate, and convincing so that a prudent person would reach the same
conclusion as the auditor.
d) Reliable and the best available through the use of appropriate audit techniques.

Answer D is Correct.

Competent information is reliable and the best available through the use of appropriate audit
techniques (IIA Standard 2310 – Identifying Information).

A . Relevant information supports audit observations and is consistent with audit objectives.

B . Useful information assists the organization in meeting goals.

C . Sufficient information is factual, adequate, and convincing to a prudent person.

Question 68 of 250

According to the IIA Standards concerning due professional care, an internal auditor should:

a) Consider the relative materiality or significance of matters to which audit
procedures are applied.
b) Emphasize the potential benefits of an audit without regard to the cost.
c) Consider whether established operating standards are being met and not whether
those standards are acceptable.
d) Select procedures that are likely to provide absolute assurance that irregularities
do not exist.

Answer A is Correct.

The exercise of due professional care includes consideration of materiality (IIA Standard 1220 – Due
Professional Care).

B . The auditor should consider the cost/benefit ratio before beginning an audit.

C . The auditor should evaluate the acceptability of standards as well as whether they are being met.

D . Due care does not require absolute assurance.

Question 69 of 250

The IIA Standards require that the internal auditing department provide assurance that internal audits
are properly supervised in order to:

a) Produce professional audits of consistently high quality.
b) Assure high productivity of audit reporting.
c) Provide for the efficient training of the audit staff.
d) Determine that the audit program is followed without deviation.

Answer A is Correct.

The supervisor is the keystone to this effort (IIA Standard 2340 – Engagement Supervision).

B . There must also be an assurance of quality.

C . Training is a part of the supervision but is not the overall objective.

D . In some cases the audit program should be deviated from. This also is only a part of the
supervisory responsibility.

Question 70 of 250

Which of the following does not describe one of the primary functions of audit working papers?

a) Facilitates third-party reviews.
b) Aids in the planning, performance, and review of engagement.
c) Provides the principal support for the engagement results.
d) Aids in the professional development of the audit staff.

Answer D is Correct.

While audit working papers may aid in the professional development of audit staff, that is not a
primary function (IIA Standard 2330 – Documenting Information).

A . This describes primary functions of audit working papers.

B . This describes primary functions of audit working papers.

C . This describes primary functions of audit working papers.

Question 71 of 250

Which of the following is the major purpose of performing analytical procedures in internal audits?

a) To perform additional audit procedures.
b) To plan the audit engagement.
c) To obtain audit evidence.
d) To study relationships among elements of information.

Answer C is Correct.

Analytical procedures often provide the internal auditor with an efficient and effective means of
obtaining audit evidence. The assessment results from comparing information with expectations
identified or developed by the internal auditor.

A . This is part of obtaining audit evidence (IIA Standard 2320 – Analysis and Evaluation; Practice
Advisory 2320-1).

B . This is part of obtaining audit evidence (IIA Standard 2320 – Analysis and Evaluation; Practice
Advisory 2320-1).

D . This is part of obtaining audit evidence (IIA Standard 2320 – Analysis and Evaluation; Practice
Advisory 2320-1).

Question 72 of 250

During testing of the effectiveness of inventory controls, the auditor makes a note in the working
papers that most of the cycle count adjustments for the facility involved transactions of the machining
department. The machining department also had generated an extraordinary number of cycle count
adjustments in comparison to other departments last year. The auditor should:

a) Interview management and apply other audit techniques to determine whether
transaction controls and procedures within the machining department are
adequate.
b) Do no further work because the concern was not identified by the analytical
procedures designed in the audit program.
c) Notify internal audit management that fraud is suspected.
d) Place a note in the working papers to review this matter in detail during the next
review.

Answer A is Correct.

The IIA Standard 2320 – Analysis and Evaluation calls for follow-up when analytical procedures
identify unexpected results.

B . The audit program is a guide, but it does not restrict the auditor from pursuing information
unknown at the time that the program was written.

C . The facts belie an indication of fraud.

D . The risk of a material error caused by the machining department's activity is not addressed by
delaying appropriate audit procedures.

Question 73 of 250

An inexperienced internal auditor notified the senior auditor of a significant variance from the
auditee's budget. The senior told the new auditor not to worry as the senior had heard that there had
been an unauthorized work stoppage that probably accounted for the difference. Which of the
following statements is most appropriate?

a) The new auditor should have investigated the matter fully and not bothered the
senior.
b) The senior used proper judgment in curtailing what could have been a wasteful
investigation.
c) The senior should have halted the audit until the variance was fully explained.
d) The senior should have aided the new auditor in formulating a plan for accumulating
appropriate evidence.

Answer D is Correct.

IIA Standard 2320 – Analysis and Evaluation provides that unexpected results from applying analytical
auditing procedures should be investigated since unexplained results could indicate a potential error
or irregularity. The variance was not adequately investigated or explained.

A . IIA Standard 2320 – Analysis and Evaluation provides that the extent of supervision should vary
with the proficiency of the auditor. It is not inappropriate for an inexperienced auditor to refer this to
the senior.

B . IIA Standard 2320 – Analysis and Evaluation provides that the extent of supervision should vary
with the proficiency of the auditor. It is not inappropriate for an inexperienced auditor to refer this to
the senior.

C . While the variance does need explanation, the rest of the audit can continue.

Question 74 of 250

A significant part of the auditor's working papers will be the conclusions reached by the auditor
regarding the audit area. In some situations, the supervisor might not agree with the conclusions and
will ask the staff auditor to perform more work. Assume that after subsequent work is performed, the
staff auditor and the supervisor continue to disagree on the conclusions documented in the working
paper developed by the staff auditor. Which of the following audit department responses would not
be appropriate?

a) Both the staff auditor and the supervisor document their reasons for reaching
different conclusions. Retain the rationale of both parties in the working papers.
b) Note the disagreement and retain the notice of disagreement and follow-up work in
the audit working papers.
c) Present both conclusions to the chief audit executive (CAE) for resolution. The CAE
may resolve the matter.
d) Present both conclusions in the audit report and let management and the auditee
react to both.

Answer D is Correct.

This would not be an appropriate response per IIA Standard 2330 – Documenting Information. The
CAE should determine the most reasonable conclusion and present that to the auditee and
management. The issue of disagreements on the working papers should not necessarily affect the
reporting to management unless the CAE believes that both conclusions are equally appropriate and
that management's understanding would be enhanced if it were presented with both.

A . This would be an appropriate response.

B . This would be an appropriate response.

C . This is an appropriate response since the CAE is ultimately responsible for the supervision of the
audit staff as well as the quality of the working papers.

Question 75 of 250

The IIA Standards specify that supervision of the work of internal auditors be “carried out
continuously.” Which of the following statements regarding supervision is correct?

I. “Continuously” indicates that supervision should be performed throughout the
planning, examination, evaluation, report, and follow-up stages of the audit.
II. Supervision should also be extended to training, time reporting, and expense control as
well as similar administrative matters.
III. The extent and nature of supervision needs to be documented, preferably in the
appropriate working papers.

a) I only.
b) I and III.
c) II only.
d) I, II, and III.

Answer D is Correct.

All of the statements are correct according to IIA Standard 2340 – Engagement Supervision.

A . This is a partial answer.

B . These are partial answers.

C . This is a partial answer.

Question 76 of 250

A new staff auditor was told to perform an audit in an area with which the auditor was not familiar.
Because of time constraints, there was no supervision of the audit. The auditor was given the
assignment because it represented a good learning experience, but the area was clearly beyond the
auditor's competence. Nonetheless, the auditor prepared comprehensive working papers and
reported the results to management. In this situation:

a) The audit department violated the IIA Standards by hiring an auditor without
proficiency in the area.
b) The audit department violated the IIA Standards by not providing adequate
supervision.
c) The chief audit executive has not violated the Code of Ethics since the Code does not
address supervision.
d) The IIA Standards and the Code of Ethics were followed by the audit department.

Answer B is Correct.

IIA Standard 2340 – Engagement Supervision requires the chief audit executive to ensure that audit
work conforms to the Standards. These Standards require the department to provide adequate
supervision depending on the proficiency of the auditor.

A . Standards do not require all auditors to be proficient in all areas. The department should have an
appropriate mix of skills.

C . Although the Code does not address supervision directly, it does require the director to follow the
Standards.

D . IIA Standard 2340 – Engagement Supervision requires the chief audit executive to ensure that
audit work conforms to the Standards. Although the Code does not address supervision directly, it
does require the director to follow the Standards.

Question 77 of 250

A new staff auditor has been assigned to an audit of the cash management operations of the
organization. The staff auditor has no background in cash management, and this is the auditor's first
audit. Under which of the following conditions would the internal auditing department be in
compliance with the Standards regarding knowledge and skills?

I. The senior auditor is skilled in the area and closely supervises the staff auditor.
II. The staff auditor performs the work and prepares a report that is reviewed in detail by
the director of audit.
III. Not enough information is given.
IV. None of the above.
a) I.
b) II.
c) III.
d) IV.

Answer A is Correct.

The internal audit department would, in composite, have the requisite skills to perform the audit. The
other key element is that the staff auditor is carefully supervised such that significant deviations from
good business practices would be noted. This would be consistent with IIA Standard 2340 –
Engagement Supervision.

B . The audit would not be conducted in accordance with the Standards because the staff auditor
might not have noted significant deviations to include in the audit report. The review by the director
at the time the report is generated would be too late.

C . This is not true.

D . This is not true.

Question 78 of 250

Management of a property and casualty insurance company is concerned about the efficiency and
effectiveness of the claims processing activities. It has two major concerns: (1) Some claims are being
paid that should not be paid or are being paid in amounts in excess of the policy; and (2) many
claimants are not being paid on a timely basis. In preparing for an audit of the area, the internal
auditor decides to perform a preliminary survey to gather more information about the nature of
processing and potential problems.

Which of the following procedures would be the least effective in gathering information about the
nature of the processing and potential problems?

a) Interview supervisors in the claims department to find out more about the
procedures used and the rationale for the procedures, and obtain their observations
about the nature and efficiency of processing.
b) Send an electronic mail message to all clerical personnel detailing the alleged
problems and request them to respond.
c) Interview selected clerical employees in the claims department to find out more
about the procedures used and the rationale for the procedures, and obtain their
observations about the nature and efficiency of processing.
d) Distribute a questionnaire to gain a greater understanding of the responsibilities for
claims processing and the control procedures utilized.

Answer B is Correct.

This is the least effective communication and information-gathering technique of the four responses
because it is impersonal and alleges inefficiencies before there is evidence that the problems are due
to processing inefficiencies. The impersonal method may have been applicable if the auditor wished
open responses, but not enough guidance is given here to lead to that kind of response.

A . This would be a good method to learn more about the nature of processing and to solicit input
from employees as to the potential cause of the situation being investigated.

C . This would supplement the supervisor's perceptions with those from individuals intimately
involved with the processing of transactions. This would be an effective communication technique.

D . This is not as good a procedure as the correct answer but would represent an efficient method
of gathering preliminary information that would be useful in structuring the interviews.

Question 79 of 250

An audit team has been assigned to review the customer satisfaction measurement system that the
industrial products division implemented two years ago. This system consists of the division's
customer service office conducting an annual mail survey. A survey is sent to 100 purchasing
departments randomly selected from all customers who made purchases in the prior 12 months. The
survey is three pages long, and its 30 questions use a mixture of response modes (e.g., some
questions are open ended, some multiple choice, and others use a response scale). The customer
service office mails the survey in September and tabulates the results for questionnaires returned by
October 15. Only one mailing is sent. If the customer does not return the questionnaire, no follow-up
is conducted. When the survey was last conducted, 45 of the questionnaires were not returned.

Which of the following is not an advantage of face-to-face interviews over mail surveys?

a) The response rate is typically higher.
b) Interviewers can increase a respondent's comprehension of questions.
c) Survey designers can use a wider variety of types of questions.
d) They are less expensive since mailing costs are avoided.

Answer D is Correct.

One of the principal advantages of mail surveys is their cost efficiency because mailing costs are less
than interview labor costs.

A . Mail surveys often have notoriously low response rates.

B . The interviewer's flexibility to interpret responses and re-phrase questions increases response
quality.

C . Audio-visual aids, complex sequences, and other varieties of questions are made possible by the
interactive nature of interviews.

Question 80 of 250

A sample from a population of over 10,000 bills of lading is needed to estimate an error rate. Since a
sample size of 250 will satisfy precision and confidence level needs, a sampling interval of 40 is chosen.
For ease of implementation, the auditor randomly selects a number between 1 and 40, and then
selects each succeeding fortieth item. Which of the following is true?

a) The sample lacks randomness and will not be correct.
b) Interval sampling is not an acceptable statistical method.
c) If the population lacks bias, the sample is statistically valid.
d) Interval sampling eliminates the use of auditor judgment.

Answer C is Correct.

If the population contains no systematic bias, interval sampling with a random start is valid.

A . The sample has a random start.

B . Interval sampling, with a random start, is statistically valid.

D . Auditor judgment is required when using statistical methods.

Question 81 of 250

An inventory listing consisting of approximately 2,050 unnumbered items is arranged by category,
with 10 items in each category. Within each category, the most expensive (per unit) items are listed
first. An auditor wishes to use an interval-sampling plan to select a representative sample of at least
100 items from this population. The best technique is to:

a) Select a random number from 1 to 20 as the starting point and then select every
twentieth item, moving through the entire population.
b) Select a random number from 1 to 15 as the starting point and then select every
fifteenth item until the auditor has 100 items.
c) Select seven random digits from 1 to 135 as the starting points and then select every
135th item per pass, moving through the entire population seven times.
d) Select the 50 largest items (i.e., extensions with the highest dollar amounts); then,
excluding the 50 largest items already selected, select a random number from 1 to
37 as the starting point and select every thirty-seventh item, moving through the
entire population.

Answer C is Correct.

The seven different starting points, plus the fact that the sampling interval (135) is not an exact
multiple of the population pattern interval (10), should result in a representative sample.

A . Due to the pattern of this population, this technique could result in a sample consisting almost
entirely of high-value items (starting numbers = 1, 2, 11, or 12) or low-value items (starting numbers =
8, 9, 18, or 19).

B . The sample will be complete after the auditor has moved through three-quarters of the population,
so items in the last one-quarter of the population will have zero chance of being selected.

D . The sample will be complete after the auditor has moved through three-quarters of the population,
so items in the last one-quarter of the population will have zero chance of being selected.

Question 82 of 250

You are to audit the timeliness of the payment of vendor invoices based on a representative sample
of checks written. The sample population consists of a total of 967 consecutively numbered checks
that have been issued for accounts payable. The most appropriate method for drawing a sample of
checks is:

a) Cluster sampling.
b) Interval sampling.
c) Simple random sampling.
d) Stratified sampling.

Answer C is Correct.

It is easy to do since checks are numbered consecutively.

A . It may be misleading.

B . There may be a pattern in the way the checks were written.

D . There is no reason to stratify.

Question 83 of 250

You are to audit the timeliness of the payment of vendor invoices based on a representative sample
of checks written. The sample population consists of a total of 967 consecutively numbered checks
that have been issued for accounts payable. If you know that 40% of the checks were issued to a
single vendor who offered unusually large cash discounts, the most appropriate method of sampling
would be:

a) Cluster sampling.
b) Interval sampling.
c) Simple random sampling.
d) Stratified sampling.

Answer D is Correct.

Two strata could be used, the single vendor and all others.

A . There is no basis for this.

B . This would not subdivide the population.

C . This would not subdivide the population.

Question 84 of 250

An auditor using statistical sampling wishes to select a sample from an aged trial balance of 750
accounts receivable. There are no account numbers; the accounts are listed in alphabetical order by
customer name. Account balances range from $50 to $10,000. Which of the following selection
schemes is most likely to produce a random sample of 75 items?

a) Select all accounts in which the fourth digit to the left of the decimal point in the
account balance (i.e., the thousands digit) is a 3 (assume that the digit 3 was
appropriately chosen from a random number table).
b) Select the 3rd account, then the 13th, 23rd, and so on, on through the 743rd
(assume that the digit 3 was appropriately chosen from a random number table).
c) Select the 75 accounts with the largest total balances.
d) Select the 50 accounts with the largest total balances plus the 25 accounts (other
than those included in the first 50) with the largest past due balances.

Answer B is Correct.

Since there appears to be no pattern in the sequencing of this population, use of interval sampling
with a random start gives each account an equal chance of being selected and should provide an
unbiased sample.

A . This would provide only accounts with balances in the $3,000 to $3,999 range and thus would not
be representative of the population.

C . While this scheme will provide the maximum dollar coverage, it is not random because large
accounts have a greater chance of being selected than small accounts.

D . This scheme may lead to the selection of accounts most likely to be in error or to invoice collection
problems. However, it is not random because all accounts do not have an equal chance of being
selected.

Question 85 of 250

To use stratified variables sampling to evaluate a large, heterogeneous inventory, an appropriate
criterion for classifying inventory items into strata is:

a) Dollar values.
b) Number of items.
c) Turnover volume.
d) Storage locations.

Answer A is Correct.

In variables sampling, the objective is to estimate the dollar value of the inventory. Strata based on
dollar values are the usual population characteristic.

B . Dollar values are the usual characteristic to create strata in variables sampling, not number of
items.

C . Turnover volume could be a characteristic of interest in attribute sampling but not in variables
sampling.

D . Storage location is not a relevant characteristic when creating strata for variables sampling.

Question 86 of 250

Which of the following would not be appropriate if the auditor expects a built-in pattern in the
population?

a) Dollar-unit sampling
b) Systematic sampling with multiple random starts
c) Cluster sampling
d) Stratifying the population in anticipation of the pattern

Answer C is Correct.

Cluster sampling is a selection method resulting in contiguous sampling units and does not overcome
patterns.

A . Dollar-unit sampling includes a random start and a selection based on dollar value sampling
increments.

B . Multiple random starts overcome the existence of a pattern by using a number of different starting
points.

D . Stratified sampling is dividing the population into two or more strata using the variability of values;
recognizing a pattern in advance permits appropriate sampling techniques.

Question 87 of 250

An auditor designed an attribute sample to test the effectiveness of a control procedure. The auditor
designed the sample to achieve an upper precision limit of 4% at a confidence level of 95% with a 1%
expected error rate. Based on those factors, the auditor selected 156 items and found three errors.
The auditor can conclude that there is:

a) At least a 95% chance that the error rate in the population exceeds 4%.
b) At least a 95% chance that the error rate in the population is less than 4%.
c) Less than a 95% chance that the error rate in the population is less than 4%.
d) More than a 95% chance that the error rate in the population exceeds 1%.

Answer C is Correct.

The auditor knows this because the error rate in the sample was more than 1%. If the error rate was
equal to 1%, the auditor would know that the probability was 95% that the error rate in the
population was no higher than 4%.

A . The error rate may exceed 4%, but the probability that it does is less than 95%.

B . The error rate may be less than 4%, but that probability is less than 95%.

D . The error rate may be higher than 1%, but that probability is less than 95%.

Question 88 of 250

Which of the following must be known to evaluate the results of an attributes sample?

a) Estimated dollar value of the population.
b) Standard deviation of the sample values.
c) Actual size of the sample selected.
d) Finite population correction factor.

Answer C is Correct.

Sample size is used to evaluate the actual occurrence rate.

A . Dollar values are irrelevant to attributes sampling.

B . Standard deviation is irrelevant to attributes sampling.

D . The finite population correction factor is used to adjust an initial computed sample size.

Question 89 of 250

In evaluating an attribute sample, the range within which the estimate of the population
characteristic is expected to fall is called the:

a) Confidence level.
b) Precision.
c) Upper error limit.
d) Expected error rate.

Answer B is Correct.

This is the definition of precision.

A . Confidence level is a measure of how reliable the auditor wants the sample results to be.

C . The upper error limit is not relevant here.

D . The expected error rate is a measure of how frequently the auditor expects the characteristic of
interest to exist in the population prior to selecting and evaluating the sample.

Question 90 of 250

An audit team has been assigned to review the customer satisfaction measurement system that the
industrial products division implemented two years ago. This system consists of the division's
customer service office conducting an annual mail survey. A survey is sent to 100 purchasing
departments randomly selected from all customers who made purchases in the prior 12 months. The
survey is three pages long, and its 30 questions use a mixture of response modes (e.g., some
questions are open ended, some multiple choice, and others use a response scale). The customer
service office mails the survey in September and tabulates the results for questionnaires returned by
October 15. Only one mailing is sent. If the customer does not return the questionnaire, no follow-up
is conducted. When the survey was last conducted, 45 of the questionnaires were not returned.

Many questionnaires are made up of a series of different questions that use the same response
categories (e.g., strongly agree, agree, neither, disagree, strongly disagree). Some designs will have
different groups of respondents answer alternative versions of the questionnaire that present the
questions in different order and reverse the orientation of the endpoints of the scale (e.g., agree on
the right and disagree on the left or vice versa). The purpose of such questionnaire variations is to:

a) Eliminate intentional misrepresentations.
b) Reduce the effects of pattern response tendencies.
c) Test whether respondents are reading the questionnaire.
d) Make it possible to get information about more than one population parameter
using the same questions.

Answer B is Correct.

There are many known effects of the sequence and format of questions. One method for dealing with
these is to use questionnaire variations that cause these biases to average out across the sample.

A . Refer to the correct answer.

C . Refer to the correct answer.

D . Refer to the correct answer.

Question 91 of 250

An auditor wishes to determine if the error rate on travel reimbursement claims is within the 5%
tolerance level set by management. What sampling plan should the auditor use?

a) Variable sampling.
b) Attributes sampling.
c) Judgmental sampling.
d) Dollar-unit sampling.

Answer B is Correct.

Attribute sampling is used to estimate how many, such as the rate of erroneous claims.

A . Variable sampling is used to estimate how much, such as total dollar amount or total weight.

C . Judgmental sampling is not appropriate if inferences are to be made about a population.

D . Dollar-unit sampling, like variable sampling, is used to estimate how much an account balance is in
error.

Question 92 of 250

A bank internal auditor wishes to determine if loans that were not funded were rejected using criteria
consistent with that contained in bank policies. A lending officer initially processes all loan requests.
Those that the officer deems appropriate to be funded are forwarded to the lending committee for its
approval. The most efficient audit procedure to address this objective would be to:

a) Select an attribute sample of loans not funded, and review the loan applications and
the reasons for rejecting them.
b) Select an attribute sample of loans that were funded, review the loan applications,
and determine if the funded loans complied with bank policies.
c) Take a sample of all loan applications, review the applications, and trace them to
either a funded or rejected loan to determine if all actions taken were consistent
with bank policies.
d) Take a sample of loans presented to the lending committee for approval, and
determine if committee actions taken were consistent with bank policies.

Answer A is correct.

This would be the most appropriate audit procedure because the audit objective only asks for a
determination that rejected loans have been rejected for proper reasons. It is not concerned with
approval of loans that should not have been made.

B . This only provides information on loans that were funded. The concern is with loans that may have
been inappropriately rejected.

C . This is an excellent procedure to determine whether all the loans (both funded and unfunded) are
being handled consistent with the stated policies and procedures. However, the audit objective only
dealt with loans that were not funded; therefore, this procedure would cause the auditors to review
more loans and would not be efficient.
D . This uses a sample of loans that were presented to the lending committee. It does not include
loans that would have already been rejected by an individual lending officer.

Question 93 of 250

An auditor has taken an attribute sample of a bank's existing loan portfolio. Out of a sample of 60
loans, the auditor finds:

- Four that were not properly collateralized,
- Five that are not in compliance with bank policies (other than lack of
collateralization), and
- Four that were part of a related-party group, but were set up as separate loan
entities.

Of the 60 loans selected in the sample, these errors were noted on a total of ten loans. Several loans
had multiple problems. Which of the following conclusions can the auditor reach from these findings?

I. There is sufficient evidence that fraudulent activity is taking place by one or more of the
bank's lending officers.
II. The financial statements will be misstated as a result of these actions.
III. There are significant noncompliance audit findings that should be reported.
a) I and II
b) I and III
c) II and III
d) III only

Answer D is Correct.

These are significant audit findings (item III). Item I is incorrect. Although these findings are significant
audit findings, there is not sufficient evidence to conclude fraudulent activity on the part of the bank's
lending officers. There must be intent to deceive for some personal gain to infer fraud. Item II is
incorrect. The financial statements will not necessarily be incorrect as long as the bank can determine
that the loans receivable are properly classified as to term and are carried at their net realizable
value.

A . Item I is not supported by sufficient evidence, and item II does not follow: the financial
statements are not necessarily misstated.

B . Item I is not supported by sufficient evidence.

C . Item II does not follow: the financial statements are not necessarily misstated.

Question 94 of 250

In selecting a sample of items for attributes testing, an auditor must consider the confidence level
factor, the desired precision, and the:

a) Recorded dollar value of the population.
b) Sampling interval.
c) Expected occurrence rate.
d) Standard deviation in the population.

Answer C is Correct.
The expected occurrence rate is one necessary factor in selecting samples for attributes sampling.

A . The dollar value of the population relates to a variable often involved in sample selection when
testing for variables.

B . The sampling interval is used in monetary-unit sampling to select items based on monetary-unit
value distributions.

D . The standard deviation is not a variable having relevance when selecting samples for attributes
sampling.

Question 95 of 250

An auditor is planning to use attributes sampling to test the effectiveness of a specific internal control
related to approvals for cash disbursements. In attributes sampling, decreasing the estimated
occurrence rate from 5% to 4% while keeping all other sample size planning factors exactly the same
would result in a revised sample size which would be:

a) Larger.
b) Smaller.
c) Unchanged.
d) Indeterminate.

Answer B is Correct.

A smaller estimated occurrence rate results in a smaller sample size when all other factors are the
same.

A . This is not true.

C . This is not true.

D . This is not true.

Question 96 of 250

If all other sample size planning factors were exactly the same in attributes sampling, changing the
confidence level from 95% to 90% and changing the desired precision from 2% to 5% would result in a
revised sample size that would be:

a) Larger.
b) Smaller.
c) Unchanged.
d) Indeterminate.

Answer B is Correct.

A lower confidence level and a less rigorous precision allow a smaller sample with other factors
constant.

A . This is not true.

C . This is not true.

D . This is not true.

Question 97 of 250

Which of the following must be known to evaluate the results of an attribute sample?

a) Estimated dollar value of the population.
b) Standard deviation of the sample values.
c) Actual size of the sample selected.
d) Finite population correction factor.

Answer C is Correct.

Sample size is used to evaluate the actual occurrence rate.

A . Dollar values are irrelevant to attribute sampling.

B . Standard deviation is irrelevant to attribute sampling.

D . The finite population correction factor is used to adjust an initial computed sample size.

Question 98 of 250

An auditor has to make a number of decisions when using attribute sampling. The term “efficiency” is
used to describe anything that affects sample size. The term “effectiveness” is used to describe the
likelihood that the statistical sample result will be a more accurate estimate of the true population
error rate. Assume an auditor expects a control procedure failure rate of 0.5%. The auditor is making
a decision on whether to use a 90% or a 95% confidence level and whether to set the tolerable
control failure rate at 3% or 4%. Which of the following statements regarding efficiency and
effectiveness of an attribute sample is true?

a) Decreasing the confidence level to 90% and decreasing the tolerable control failure
rate to 3% will result in both increased efficiency and effectiveness
b) Decreasing the tolerable failure rate from 4% to 3% will increase audit efficiency
c) Increasing the confidence level to 95% and decreasing the tolerable control failure
rate to 3% will increase audit effectiveness
d) Increasing the confidence level to 95% will increase audit efficiency

Answer C is Correct.

Increasing the confidence level and decreasing the tolerable failure rate will result in a much larger
sample size and will give the auditor a more precise estimate of the population parameters.

A . Decreasing the confidence level results in a decrease in effectiveness, while decreasing the
tolerable failure rate results in a decrease in efficiency.

B . Decreasing the tolerable failure rate will result in a larger sample size, resulting in a decrease in
efficiency as defined in the problem.

D . Increasing the confidence level results in a larger sample size, which decreases audit efficiency.

Question 99 of 250
An auditor is testing on a company’s large, normally distributed accounts receivable file. The
objectives of the audit are to test end-of-period dollar balances and accounts receivable posting
exception (error) rates. The expected population exception rate is 3% for the accounts receivable
posting processes. If the auditor has established a 5% tolerable rate, the auditor would use which
sampling plan for testing the actual exception rate?

a) Difference or mean per unit estimation.
b) Discovery.
c) Stratified.
d) Attribute.

Answer D is Correct.

Attribute sampling is used to reach conclusions about exception occurrence rates in populations.

A . Difference or mean estimation is used when sampling for dollar values.

B . Discovery is only used when exception rates are expected to be very low.

C . Stratified sampling arranges populations for more efficient sampling.

Question 100 of 250

An auditor is testing on a company’s large, normally distributed accounts receivable file. The
objectives of the audit are to test end-of-period dollar balances and accounts receivable posting
exception (error) rates. To test the accounts receivable file to compute an estimated dollar total, the
auditor could use any one of the following sampling techniques except:

a) Difference or ratio estimation.
b) Unstratified mean-per-unit estimation.
c) Probability proportional to size.
d) Attribute.

Answer D is Correct.

Attribute sampling does not involve dollar-balance estimation.

A . Difference or ratio estimation can be used to estimate population dollar values.

B . Mean-per-unit estimation can be used to estimate population dollar values.

C . Probability-proportional-to-size (PPS) can be used for estimating population dollar values.

Question 101 of 250

An audit team has been assigned to review the customer satisfaction measurement system that the
industrial products division implemented two years ago. This system consists of the division's
customer service office conducting an annual mail survey. A survey is sent to 100 purchasing
departments randomly selected from all customers who made purchases in the prior 12 months. The
survey is three pages long, and its 30 questions use a mixture of response modes (e.g., some
questions are open ended, some multiple choice, and others use a response scale). The customer
service office mails the survey in September and tabulates the results for questionnaires returned by
October 15. Only one mailing is sent. If the customer does not return the questionnaire, no follow-up
is conducted. When the survey was last conducted, 45 of the questionnaires were not returned.

Several of the audit team members are concerned about the low response rate, the poor quality of
the questionnaire design, and the potentially biased wording of some of the questions. They suggest
that the customer service office might want to supplement the survey with some unobtrusive data
collection, such as observing customer interactions in the office or collecting audiotapes of phone
conversations with customers. Which of the following is not a potential advantage of unobtrusive
data collection compared to surveys or interviews?

a) Interactions with customers can be observed as they occur in their natural setting.
b) It is easier to make precise measurements of the variables under study.
c) Unexpected or unusual events are more likely to be observed.
d) People are less likely to alter their behavior because they are being studied.

Answer B is Correct.

Lack of experimental control and lack of measurement precision are the chief weaknesses of
unobtrusive measures.

A . Observing the phenomenon in its natural setting is a principal advantage of unobtrusive measures.

C . Unobtrusive measures are useful for exploratory investigations for this reason.

D . Since people are going about their normal business, they are less likely to do what they think the
researcher wants, censor their comments, and so on.

Question 102 of 250

An auditor is testing on a company’s large, normally distributed accounts receivable file. The
objectives of the audit are to test end-of-period dollar balances and accounts receivable posting
exception (error) rates. The accounts receivable file contains a large number of small-dollar balances
and a small number of large- dollar balances, and the auditor expects to find numerous errors in the
account balances. The most appropriate sampling technique to estimate the dollar amount of errors
would be:

a) Difference or ratio estimation.
b) Unstratified mean per unit.
c) Probability proportional to size.
d) Attribute.

Answer A is Correct.

Difference or ratio estimation is used when estimating dollar amounts of errors for normally
distributed populations.

B . Mean-per-unit estimation is used to project a total dollar value for a population but would be
inappropriate since there are a large number of small-balance account errors.
C . Probability proportional to size (PPS) is used for estimating dollar values of errors when the
expected error frequency is low.

D . Attribute sampling does not involve dollar-balance estimation.

Question 103 of 250

An internal auditor planning an attribute sample from a large number of invoices must estimate the
tolerable error. Which factor below is the most important for the auditor to consider?

a) Audit objective.
b) Population size.
c) Desired confidence level.
d) Population variance.

Answer A is Correct.

Tolerable error is the specified precision or the maximum sampling error that will still permit the
results to be useful. Since the precision is under the control of the auditor, the audit objective is the
most important factor to be considered.

B . Knowing the population is large is sufficient.

C . This factor is independent of precision.

D . It is a consideration but not the most important one.

Question 104 of 250

To use stratified sampling to evaluate a large, heterogeneous inventory, which of the following would
least likely be used as criteria to classify inventory items into strata?

a) Dollar values.
b) Number of items.
c) Turnover volume.
d) Storage locations.

Answer B is Correct.

The number of items is not generally associated with the risk of misstatement.

A . The extent of risk of misstatement is associated with the dollar values of inventory items.

C . Turnover volume could be associated with the risk of misstatement of the items.

D . Storage location may be associated with the risk of misstatement of the items.

Question 105 of 250

Using company policies to establish when approval is needed, an auditor has sampled accounts
receivable balances exceeding $1,000 to determine whether the credit department is requiring a
credit check for credit sales when appropriate. This is an example of:

a) Dollar-unit sampling.
b) Mean-per-unit sampling
c) Attributes sampling.
d) Variables sampling.

Answer C is Correct.

Attributes sampling typically involves tests of the effectiveness of controls, such as whether a
required credit check was performed.

A . Dollar-unit sampling is used to estimate dollar amounts.

B . Mean-per-unit sampling is used to estimate dollar amounts.

D . Variables sampling describes methods used to estimate dollar amounts.

Question 106 of 250

An audit of accounts payable was made to determine if the error rate was within the stated policy of
0.5%. One hundred of the 10,000 accounts payable transactions were randomly selected using a 95%
confidence level. No errors were found. With 95% certainty, one can conclude that the sample
results:

a) Indicate another sample is needed.
b) Prove there are no errors in accounts payable.
c) Indicate the null hypothesis is false.
d) Fail to prove the error rate is above 0.5%.

Answer D is Correct.

A sample of 100 with no errors cannot reject the null hypothesis that the error rate is at or below
0.5%; at a 95% confidence level, that is all the result supports. It does not prove the rate is below
0.5% either: the 95% upper error limit for zero errors in 100 items is roughly 3%.

A . The sample is adequate for the stated test.

B . No sample could prove this.

C . The null hypothesis is that the error rate is <= 0.5%, and the sample gives no grounds to reject it.
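The binomial arithmetic behind the attribute-sampling questions above (the 156-item sample planned for a 4% upper precision limit with a 1% expected error rate, the sample-size effects of changing the confidence level or the tolerable rate, and the 100-item accounts payable sample with no errors) can be reproduced directly rather than read from a table. The following Python is an added example written for this page, not code from the Wiley question bank. It uses the exact binomial distribution, taking the expected number of deviations as n times the expected rate rounded up, which is how the published attribute-sampling tables are built; the function names are this example's own.

```python
"""Attribute sampling: planned sample size and achieved upper error limit.

Added example, not from the original question bank. Uses the exact binomial
distribution so results agree with the standard attribute tables.
"""
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable: float, expected: float, confidence: float) -> int:
    """Smallest n such that, if the sample shows only the expected number of
    deviations (n * expected, rounded up), the chance of seeing that few when
    the true rate equals the tolerable rate is at most 1 - confidence.
    The expected rate must be below the tolerable rate or no n will do."""
    if not 0 <= expected < tolerable < 1:
        raise ValueError("need 0 <= expected < tolerable < 1")
    risk = 1 - confidence
    n = 1
    while True:
        k = ceil(n * expected)
        if binom_cdf(k, n, tolerable) <= risk:
            return n
        n += 1


def upper_error_limit(n: int, deviations: int, confidence: float) -> float:
    """One-sided upper limit on the population deviation rate: the rate p at
    which observing `deviations` or fewer in n items has probability
    1 - confidence. Found by bisection; the binomial CDF falls as p rises."""
    if deviations >= n:
        return 1.0
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def within_tolerable(n: int, deviations: int, confidence: float, tolerable: float) -> bool:
    """True when the achieved upper limit does not exceed the tolerable rate,
    i.e. the control can be relied upon at the planned level."""
    return upper_error_limit(n, deviations, confidence) <= tolerable


if __name__ == "__main__":
    n = attribute_sample_size(tolerable=0.04, expected=0.01, confidence=0.95)
    print(f"planned sample size at 95%: {n}")  # 156, as in the question
    print(f"planned sample size at 90%: "
          f"{attribute_sample_size(0.04, 0.01, 0.90)}")  # smaller
    for found in (2, 3):
        print(f"{found} deviations in {n}: upper limit "
              f"{upper_error_limit(n, found, 0.95):.2%}, "
              f"within 4%: {within_tolerable(n, found, 0.95, 0.04)}")
    print(f"0 errors in 100 at 95%: upper limit "
          f"{upper_error_limit(100, 0, 0.95):.2%}")
```

With two deviations the 156-item sample achieves an upper limit just under the planned 4%; with three it lands between 4% and 5%, so the auditor cannot claim 95% confidence that the population rate is below 4%, which is the point of the question. Lowering the confidence level to 90% or raising the tolerable rate shrinks the planned sample, and the zero-error sample of 100 still carries an upper limit near 3%, which is why it neither proves the rate is below 0.5% nor shows it is above it.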

Question 107 of 250

What is the chief advantage of stop-or-go sampling?

a) The error rate in the population can be projected to within certain precision limits.
b) It may reduce the size of the sample that needs to be taken from a population, thus
reducing sampling costs.
c) It allows sampling analysis to be performed on populations that are not
homogeneous.
d) It allows the sampler to increase the confidence limits of analysis without sacrificing
precision.

Answer B is Correct.

Stop-or-go sampling helps prevent oversampling for attributes by permitting the sampler to halt an
audit test at the earliest possible moment.
A . Only upper precision limits and statements are made.

C . The populations must be homogeneous in all attribute-sampling plans.

D . An increase in the confidence level will result in a loss of precision (assuming a constant sample size).

Question 108 of 250

A statistical sampling technique that will minimize sample size whenever a low rate of noncompliance
is expected is called:

a) Ratio-estimation sampling.
b) Difference-estimation sampling.
c) Stratified mean-per-unit sampling.
d) Stop-or-go sampling.

Answer D is Correct.

The stop-or-go sampling technique will yield a smaller sample size if the error rate is low. It is also the
only technique listed that is applicable to estimates of rate of compliance (attributes sampling).

A . Rate of noncompliance is not applicable to ratio-estimation sampling (a variables-sampling
technique).

B . Difference-estimation sampling is used when we want to obtain a “corrected” estimate of a
previously stated book value (a variables-sampling technique).

C . Stratified mean-per-unit sampling is used in substantive testing (a variables-sampling technique).

Question 109 of 250

In order to estimate the value of 2,500 accounts receivable outstanding, the best sampling method
would be:

a) Variables estimation.
b) Stop-and-go sampling.
c) Cluster sampling.
d) Attributes estimation.

Answer A is Correct.

Variables sampling method is good for estimating the dollar value.

B . Stop-and-go sampling is an attributes plan; it estimates an occurrence rate, not a dollar value.

C . Cluster sampling is a method of selecting items, not a method of estimating a dollar value.

D . It is for estimating discrete characteristics, not values.

Question 110 of 250

In selecting a sample of items for variables testing, an auditor must consider the desired precision, the
standard deviation, and the:
a) Recorded dollar value of the population.
b) Acceptable risk level.
c) Expected occurrence rate.
d) Sampling interval.

Answer B is Correct.

Risk level is a necessary criterion to include in the sample selection process for variables.

A . The recorded dollar value is not needed for variables testing.

C . The expected occurrence rate is not a criterion in sample selection for variables.

D . The sampling (skip) interval is the monetary-unit interval when selecting samples using monetary-
unit sampling.

Question 111 of 250

In a variable sampling application, if the achieved dollar precision range of the statistical sample at a
given confidence level is greater than the desired dollar precision range, this is an indication that the:

a) Occurrence rate was smaller than expected.
b) Occurrence rate was greater than expected.
c) Standard deviation was less than expected.
d) Standard deviation was greater than expected.

Answer D is Correct.

Standard deviation (variability) directly affects the computed precision.

A . Occurrence rate is irrelevant for computing achieved precision.

B . Occurrence rate is irrelevant for computing achieved precision.

C . A lower actual variability would result in achieved precision being lower than desired precision.

Question 112 of 250

An audit team developed a preliminary questionnaire with the following response choices:

I. Probably not a problem
II. Possibly a problem
III. Probably a problem

The questionnaire illustrates the use of

a) Trend analysis.
b) Ratio analysis.
c) Unobtrusive measures or observations.
d) Rating scales.

Answer D is Correct.

The three response choices form an ordered rating scale on which the auditors score each area of the organization audited.
A . Trend analysis is a specialized form of analytical review procedure, used primarily to analyze the
changes in account balances over time.

B . Ratio analysis is a subset of trend analysis used in analytical review. It is unrelated to the subject.

C . “Observing means seeing, noticing, not passing over. It implies a careful, knowledgeable look at
people and things. It means a visual examination with a purpose, a mental comparison with standards,
an evaluative sighting.” Use of rating scales requires the participant to actively participate; it is not
unobtrusive.

Question 113 of 250

In a variables-sampling application, which of the following factors will vary directly with a change in
confidence level from 90% to 95%?

a) Standard error of the mean.
b) Nonsampling error.
c) Achieved precision.
d) Point estimate of the arithmetic mean.

Answer C is Correct.

Achieved precision (sampling error) is equal to the confidence level factor times the standard error of
the mean.

A . The standard error of the mean is dependent on only the standard deviation and sample size.

B . Nonsampling error does not vary with the sampling criteria; it results from factors such as
misclassifying items or misapplying audit procedures.

D . The point estimate of the sample mean does not include a confidence interval.

Question 114 of 250

In determining the sample size for variables sampling, the internal auditor requires some knowledge
of the variability of the population. In obtaining this preliminary information, the internal auditor:

a) Can seldom rely on the results of prior years’ sample results since they pertain only
to the prior years’ populations.
b) Frequently takes a convenience pilot sample of 30 to 50 items and uses this to
estimate the variability of the population.
c) Frequently takes a random pilot sample of 30 to 50 items, applies audit tests to
these items, and uses the variability in these items to estimate the variability in the
population of audit values. The pilot sample is then discarded, and the real sample is
taken from the remaining population.
d) Frequently takes a random pilot sample of 30 to 50 items, computes the range in
this sample, and uses this range as an estimate of the population variability for
purposes of computing sample size.

Answer B is Correct.

Pilot samples are often used to estimate variability.

A . This is a common practice.

C . It would be inefficient to disregard the audit evidence found in the pilot sample.

D . The sample range is not the correct measure of variability for this purpose.

Question 115 of 250

An internal auditor wishes to estimate the number of units in a certain class of inventory without
counting each one. Which of the following sample plans would be appropriate?

a) Attributes.
b) Discovery.
c) Stop or go.
d) Variables.

Answer D is Correct.

Variables sampling is used for substantive testing. It allows the verification of values whose range lies
between positive and negative infinity.

A . Attribute sampling is for compliance testing. It calls for yes-or-no, right-or-wrong answers. The
range of values is limited to 0 through 1.

B . Discovery sampling is used when the internal auditor suspects a gross error or fraud. The plan
seeks to select a sample just large enough to include one example of the error or irregularity a
specified percentage of the time.

C . Stop-or-go sampling is an attribute-sampling plan.

Question 116 of 250

Ratio estimation sampling would be inappropriate to use to project the dollar error in a population if:

a) The recorded book values and audited values are approximately proportional.
b) A number of observed differences exist between book values and audited values.
c) Observed differences between book values and audited values are proportional to
book values.
d) Subsidiary ledger book balances for some inventory items are unknown.

Answer D is Correct.

Individual item amounts must be known to use ratio estimation.

A . Proportional relationships tend to support the use of ratio estimation.

B . A minimum number of differences must be present to validly use ratio estimation.

C . Ratio estimation is supported by proportional differences.

Question 117 of 250

The auditor wishes to sample the perpetual inventory records to develop an estimate of the dollar
amount of misstatement, if any, in the account balance. The account balance is made up of a large
number of small-value items and a small number of large-value items. The auditor has decided to
audit all items over $50,000 plus a random selection of others. This audit decision is made because
the auditor expects to find a large amount of errors in the perpetual inventory records but is not sure
that it will be enough to justify taking a complete physical inventory. The auditor expects the errors to
vary directly with the value recorded in the perpetual records. The most efficient sampling procedure
to accomplish the auditor’s objectives would be:

a) Dollar-unit sampling.
b) Ratio estimation.
c) Attribute sampling.
d) Stratified mean-per-unit sampling.

Answer B is Correct.

Ratio estimation is the most efficient sampling methodology because the auditor expects a large
number of errors and expects the errors to vary directly with size of the account balance on the
perpetual record.

A . Dollar-unit sampling becomes less accurate when a large number of errors are expected.

C . Attribute sampling is not used to estimate a dollar amount.

D . Stratified mean-per-unit sampling could be used, but it is not as efficient as ratio estimation when
a large number of errors are expected in the account balance.

Question 118 of 250

Difference estimation sampling would be appropriate to use to project the dollar error in a population
if:

a) Subsidiary ledger book balances for some individual inventory items are unknown.
b) Virtually no differences between the individual book values and the audited values
exist.
c) A number of nonproportional differences between book values and audited values
exist.
d) Observed differences between book values and audited values are proportional to
book values.

Answer C is Correct.

There must be a sufficient number of nonproportional errors to generate a reliable sample estimate.

A . Individual item amounts must be known to use difference estimation.

B . There must be sufficient errors in the population to generate a reliable sample estimate.

D . Ratio estimation is supported by proportional differences.

Question 119 of 250

An internal auditor is interested in the processing accuracy of a sales invoice preparation system. The
monetary amount of individual invoices is highly variable. The internal auditor has sound reasons for
believing that the error rate in invoice processing is between 3% and 10% but has no idea of the
monetary magnitude of the errors. In evaluating which specific approach to variables sampling to
employ, the internal auditor should be aware that:

a) Since the error magnitude is uncertain, a stratified mean per unit estimator will
perform poorly in this case.
b) With error rates in this range, there is little advantage to stratifying the population.
c) Either a difference estimator or a ratio estimator will be more efficient than an
unstratified mean-per-unit estimator in this case.
d) Neither a difference nor a ratio estimator is practical in this case unless an audit
value and a book value exist for each item in the population.

Answer C is Correct.

Ratio or difference estimates would be more efficient in this situation.

A . The stratified mean per unit would work here. The error magnitude is unimportant.

B . The advantage of stratification is not dependent on error rates.

D . These estimators do not require an audit value for every item in the population. If such values
were available, there would be no need to sample at all.

Question 120 of 250

An auditor randomly selects 100 items of finished goods perpetual inventory, physically counts them,
and computes an audited value for each (calculated as quantity times unit cost per production
reports). The internal auditor then compares the audited value with the book value (inventory cost
per perpetual inventory records) and uses difference estimation to estimate the correct total for the
finished goods inventory. Results of the 100-item sample are:

The total book value of the entire finished goods inventory (1,100 items) is $6,988,000. On the basis
of difference estimation, the auditor's best guess (point estimate) as to the correct total is:

a) $6,655,000.
b) $6,713,000.
c) $6,963,000.
d) $7,263,000.

Answer B is Correct.

The average overstatement error in the sample is $250 per item (($630,000 – $605,000) / 100 items).
Thus, the projected overstatement is $275,000 (1,100 items × $250), and the estimated total is
$6,988,000 – $275,000 = $6,713,000.
A . This answer (1,100 items × the average audited value of $6,050 per item) is based on
mean-per-unit estimation, not difference estimation.

C . This response was obtained by subtracting the $25,000 total sample overstatement from the book
value. As explained, it is the projected overstatement that must be subtracted.

D . This is the book value plus the projected overstatement. Since the difference is an overstatement,
it must be subtracted from, not added to, the book value.
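Difference estimation as used in the question above, the mean-per-unit and ratio estimators the neighbouring questions contrast it with, and the confidence interval (point estimate plus or minus z times the standard error) that turns a point estimate into an achieved precision, worked in code. This Python is an added example written for this page, not code from the Wiley question bank. The four-item sample, the population size of 1,000 and the book total of $260,000 are constructed so that the three estimators give visibly different answers; the 100-item aggregates from the question are fed through the same projection.

```python
"""Variables-sampling estimators for an audited population total.

Added example written for this page, not code from the Wiley question bank.
The item-level sample, population size and book total below are constructed.
"""
from math import sqrt
from statistics import NormalDist, stdev

# Constructed sample: recorded (book) value and audited value for each item.
SAMPLE_BOOK = [100.0, 200.0, 300.0, 400.0]
SAMPLE_AUDITED = [90.0, 200.0, 280.0, 400.0]
POPULATION_SIZE = 1_000            # N, assumed
POPULATION_BOOK_TOTAL = 260_000.0  # recorded total of all N items, assumed


def mean_per_unit(audited, population_size):
    """N times the mean audited value; ignores book values entirely."""
    return population_size * sum(audited) / len(audited)


def difference_estimate(book, audited, population_size, book_total):
    """Book total less the projected overstatement (N times the mean per-item
    difference). Needs a book value for every sampled item."""
    mean_diff = sum(b - a for b, a in zip(book, audited)) / len(book)
    return book_total - population_size * mean_diff


def difference_estimate_from_totals(sample_book, sample_audited, n,
                                    population_size, book_total):
    """Same projection when only sample totals are known, as in the 100-item
    question: ($630,000 - $605,000) / 100 = $250 overstatement per item."""
    return book_total - population_size * (sample_book - sample_audited) / n


def ratio_estimate(book, audited, book_total):
    """Book total scaled by the sample's audited-to-book ratio; efficient when
    misstatements are roughly proportional to book value."""
    return book_total * sum(audited) / sum(book)


def achieved_precision(values, population_size, confidence):
    """z * standard error of the projected total, with the finite-population
    correction. `values` are the per-item quantities the estimator averages:
    audited values for mean-per-unit, book-minus-audited differences for
    difference estimation."""
    n = len(values)
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)  # two-sided
    fpc = sqrt((population_size - n) / (population_size - 1))
    return z * population_size * stdev(values) / sqrt(n) * fpc


def difference_interval(book, audited, population_size, book_total,
                        confidence=0.95):
    """(lower, upper) bounds of the difference estimate at the given confidence."""
    point = difference_estimate(book, audited, population_size, book_total)
    diffs = [b - a for b, a in zip(book, audited)]
    half_width = achieved_precision(diffs, population_size, confidence)
    return point - half_width, point + half_width


if __name__ == "__main__":
    args = (SAMPLE_BOOK, SAMPLE_AUDITED, POPULATION_SIZE, POPULATION_BOOK_TOTAL)
    print(f"mean-per-unit: {mean_per_unit(SAMPLE_AUDITED, POPULATION_SIZE):,.0f}")
    print(f"difference:    {difference_estimate(*args):,.0f}")
    print(f"ratio:         {ratio_estimate(SAMPLE_BOOK, SAMPLE_AUDITED, POPULATION_BOOK_TOTAL):,.0f}")
    for conf in (0.90, 0.95, 0.99):
        lo, hi = difference_interval(*args, confidence=conf)
        print(f"{conf:.0%} interval: {lo:,.0f} to {hi:,.0f}")
    print(f"question's 100-item sample: "
          f"{difference_estimate_from_totals(630_000, 605_000, 100, 1_100, 6_988_000):,.0f}")
```

For the question's figures the projection gives $6,713,000; subtracting only the raw $25,000 sample overstatement, or multiplying N by the mean audited value, are the two distractors. Raising the confidence level raises z and widens the interval at a fixed sample size, which is the trade-off the confidence-interval questions turn on; only a larger sample or a less variable population narrows it at the same confidence.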

121.Using mean-per-unit sampling to estimate the value of inventory, an auditor had the
following results:

The recorded value of inventory was $3,075,000.

Which of the following is a logical conclusion from the sample?

A.There is a 95% chance that the misstatement of inventory is less than $100,000.

B.There is a 5% chance that the inventory amount is misstated by $200,000 or more.

C.Inventory is materially misstated.

D.There is a 2.5% chance that the inventory amount is greater than $3,200,000.

The Answer D is Correct

This is a valid statement about the confidence interval. There is also a 2.5% chance that inventory is
less than $2,800,000. There is a 95% chance that the true inventory value falls between $2,800,000 and
$3,200,000.

A.Incorrect. This conclusion is not supported by the facts given. There is, however, a 95% chance that
the true value of inventory is more than $2,800,000 and less than $3,200,000.

B.Incorrect. This conclusion is also not supported by the facts given in the problem. Instead, there is a
5% chance that the true value of inventory is more than $3,200,000 or less than $2,800,000.

C.Incorrect. It is not possible to conclude from the information given that inventory is materially
misstated.

122.Using mean-per-unit sampling to estimate the value of inventory, an auditor had the
following results:
The recorded value of inventory was $3,075,000.

Which of the following changes would result in a narrower confidence interval?

A.An increase in the confidence level from 95 to 99%

B.A decrease in the confidence level from 95 to 90%

C.A decrease in the allowable risk of incorrect acceptance

D.An increase in the precision

The Answer B is Correct

The confidence interval = Mean ± Z value × Standard error. Decreasing the confidence level would
decrease the Z value, and that would result in a smaller confidence interval.

A.Incorrect. Increasing the confidence level would result in a wider confidence interval.

C.Incorrect. Decreasing the allowable risk of incorrect acceptance would increase the confidence level,
which would result in a wider confidence interval.

D.Incorrect. Increasing the precision would make the confidence interval wider.

123.An audit of the quality control department is being planned. Which of the following would be
least likely to be used in the preparation of a preliminary survey questionnaire?

A.An analysis of quality control documents

B.The permanent audit file

C.The prior audit report

D.Management's charter for the quality control department


The Answer A is Correct

Such analysis is a part of fieldwork, which comes after the preliminary survey.

B.Incorrect. This file probably contains information, such as questions used in prior audits and
problems detected in prior years that will help in the development of appropriate questions to ask this
year.

C.Incorrect. The report will identify prior findings and recommendations that should be followed up on
this year.

D.Incorrect. Knowing what the department is supposed to do will help the auditor develop
knowledgeable questions.

124.Using mean-per-unit sampling to estimate the value of inventory, an auditor had the
following results:

The recorded value of inventory was $3,075,000.

The standard error of $100,000 reflects:

A.The projected population error based on errors in the sample.

B.The average rate of error in the sample.

C.The degree of variation in the dollar amount of sample items.

D.The error in the population that the auditor can accept.

The Answer C is Correct

The standard error is a function of the standard deviation, which is a measurement of the average
variation from the mean of the sample. The standard error is used to compute precision and the
confidence interval. The larger the standard error, the wider the interval.

A.Incorrect. The standard error is not a projection of error in the population.


B.Incorrect. The standard error is not a measurement of the errors in the sample.

D.Incorrect. The amount of error that the auditor would be willing to accept (the tolerable error) is the
auditor's decision; it is not the result of a statistical calculation. The amount of tolerable error has no
effect on the standard error.

125.Using mean-per-unit sampling to estimate the value of inventory, an auditor had the
following results:

The recorded value of inventory was $3,075,000.

If the auditor had used nonstatistical sampling instead of statistical sampling, which of the
following would be true?

A.The confidence level could not be quantified.

B.The precision would be larger.

C.The projected value of inventory would be less reliable.

D.The risk of incorrect acceptance would be higher.

The Answer A is Correct

Statistical sampling enables an auditor to quantify the confidence level or the sampling risk.
Nonstatistical sampling does not.

B.Incorrect. Unless the auditor uses statistical sampling, the auditor would not be able to quantify
precision.

C.Incorrect. The value of inventory could not be projected when nonstatistical sampling is used.

D.Incorrect. The risk of incorrect acceptance could not be quantified when nonstatistical sampling is
used.
126.The auditor is performing a test to determine whether the gas and electric appliance
company should move its service center from one location to another. The service center houses
the service trucks that are used to drive to the customers’ locations to service their appliances.
The auditor wants to determine the reduction in average miles driven as a result of moving to the
other location. Which of the following statistical sampling methods would be most appropriate
for this test?

A.Attribute sampling.

B.Discovery sampling.

C.Probability proportional to size (dollar‐unit) sampling.

D.Mean‐per‐unit sampling.

The Answer D is Correct

This is the only statistical sampling method designed to estimate a variable for which there are no
available individual book values making up the value of a population.

A.Incorrect. Attribute sampling will not produce a quantitative value.

B.Incorrect. Discovery sampling is used to uncover an attribute that exists in the population with a low
rate of occurrence, not to estimate a variable.

C.Incorrect. Individual book values adding up to a total book value is required for this method to be
used.

127.An auditor is designing stratified, mean-per-unit variables sampling plan. To which one of
the following strata should the auditor allocate the largest proportion of the overall sample size?

A.A

B.B

C.C

D.D
The Answer A is Correct

This stratum has the largest expected standard deviation. Allocating more selections to strata with
larger standard deviations decreases the standard error of the mean, which results in a smaller
confidence interval. The objective of stratifying a sample is to reduce variation in order to be able to
use a smaller sample than would be required without stratification.

B.Incorrect. Although this stratum has the largest mean, it has a smaller standard deviation than stratum
defined in the correct answer.

C.Incorrect. Although this stratum has the largest number of items, it has the smallest standard
deviation.

D.Incorrect. The total dollar value is directly related to the mean and number of items in a stratum. As
explained above, neither of these factors is a normal consideration in allocating sample size to strata.

128.An internal auditor has obtained the following data by selecting a random sample from an
inventory population.

The estimate of the population dollar value using mean-per-unit sampling would be:

A.$5,000,000.

B.$5,420,000.

C.$5,500,000.

D.$5,720,000.

The Answer C is Correct

Mean per unit = $220,000 / 200 = $1,100 per item; $1,100 × 5,000 items = $5,500,000.

A.Incorrect. This calculation uses the means of the book value of the sample rather than the mean of
the audit sample: $200,000/200 = $1,000; 1,000 × 5,000 = $5,000,000.
B.Incorrect. This calculation added the audit value of the sample to the book value of the population:
$220,000 + 5,200,000 = $5,420,000.

D.Incorrect. Ratio estimation = $220,000/$200,000 = 1.1 and 1.1 ($5,200,000) = $5,720,000.

129.An internal auditor has obtained the following data by selecting a random sample from an
inventory population.

The estimate of the population dollar value using difference estimation sampling would be:

A.$4,700,000.

B.$5,500,000.

C.$5,680,000.

D.$5,700,000.

The Answer D is Correct

Difference estimation: $220,000 – $200,000 = $20,000; $20,000 / 200 = $100 per item; $100 × 5,000 items =
$500,000; $500,000 + $5,200,000 = $5,700,000.

A.Incorrect. Estimated difference of $500,000 should be added to $5,200,000, not deducted from
$5,200,000.

B.Incorrect. Mean per unit = $220,000 / 200 = $1,100 per item; $1,100 × 5,000 items = $5,500,000.

C.Incorrect. This is an incorrect calculation using the difference in units between the population and
sample and then adding this incorrect amount to the book value as follows: [(220,000 – 200,000)/200]
× (5,000 – 200) = 480,000 and $5,200,000 + 480,000 = $5,680,000.

130.An internal auditor has obtained the following data by selecting a random sample from an
inventory population.
The estimate of the population dollar value using ratio estimation would be:

A.$4,727,273.

B.$5,500,000.

C.$5,700,000.

D.$5,720,000.

The Answer D is Correct

Ratio estimation: $220,000 / $200,000 = 1.1; 1.1 × $5,200,000 = $5,720,000.

A.Incorrect. This calculation reverses the correct ratio estimation as: Ratio estimation =
$200,000/$220,000 = .90909091 and .90909091 ($5,200,000) = $4,727,273.

B.Incorrect. Mean per unit = $220,000 / 200 = $1,100 per item; $1,100 × 5,000 items = $5,500,000.

C.Incorrect. Difference estimation: $220,000 – $200,000 = $20,000; $20,000 / 200 = $100 per item;
$100 × 5,000 items = $500,000; $500,000 + $5,200,000 = $5,700,000.
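The three estimators in questions 120 and 128 to 130 are easy to get wrong by hand, and the distractors show the usual slips (averaging book instead of audited values, subtracting instead of adding a difference, inverting the ratio). The following is an added worked example in Python; it is not part of the Wiley question bank. It computes the mean-per-unit, difference and ratio estimates from sample totals and reproduces the figures above. The class, field and function names are this example's own.

```python
# Added example: classical variables-sampling estimators (mean-per-unit,
# difference, ratio) computed from sample totals. Not part of the question
# bank; names are this example's own.
from dataclasses import dataclass


@dataclass(frozen=True)
class VariablesSample:
    population_items: int    # N: number of items in the population
    population_book: float   # total book (recorded) value of the population
    sample_items: int        # n: number of items sampled
    sample_book: float       # total book value of the sampled items
    sample_audit: float      # total audited value of the sampled items


def mean_per_unit(s: VariablesSample) -> float:
    """N x (average audited value per sampled item). Book values are not used."""
    return s.population_items * (s.sample_audit / s.sample_items)


def difference_estimate(s: VariablesSample) -> float:
    """Book value plus N x (average audit-minus-book difference per item).
    An overstatement (audit < book) gives a negative average difference,
    so the projected amount is subtracted from the book value."""
    avg_diff = (s.sample_audit - s.sample_book) / s.sample_items
    return s.population_book + s.population_items * avg_diff


def ratio_estimate(s: VariablesSample) -> float:
    """Book value scaled by the sample's audit-to-book ratio."""
    return s.population_book * (s.sample_audit / s.sample_book)


def projected_misstatement(s: VariablesSample, estimator=difference_estimate) -> float:
    """Estimated total minus book value (negative means the book is overstated)."""
    return estimator(s) - s.population_book


def all_estimates(s: VariablesSample) -> dict:
    return {
        "mean_per_unit": mean_per_unit(s),
        "difference": difference_estimate(s),
        "ratio": ratio_estimate(s),
    }


# Data from questions 128-130: 200 items sampled from 5,000; sample book
# $200,000, sample audit $220,000; population book $5,200,000.
Q128_SAMPLE = VariablesSample(5_000, 5_200_000, 200, 200_000, 220_000)

# Data from question 120: 100 items sampled from 1,100; sample book $630,000,
# sample audit $605,000; population book $6,988,000.
Q120_SAMPLE = VariablesSample(1_100, 6_988_000, 100, 630_000, 605_000)


if __name__ == "__main__":
    for label, s in (("Q128-130", Q128_SAMPLE), ("Q120", Q120_SAMPLE)):
        for name, value in all_estimates(s).items():
            print(f"{label} {name:14s} ${value:,.0f}")
        print(f"{label} projected misstatement ${projected_misstatement(s):,.0f}")
```

Both the difference and the ratio estimator need a book value for every sampled item; mean-per-unit does not, which is why it is the only usable choice when no individual book values exist (question 126).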

131.The internal auditor for an insurance company is conducting an audit of claims processing
and wants to assess the average length of time that it takes to process automobile claims to
determine whether processing is being completed within standards set by company policy.

The auditor plans to take a sample of claims made during the year and perform the needed
analysis. The most appropriate sampling method would be:

A.Mean-per-unit variables sampling.

B.Probability proportion to size.

C.Attribute sampling.

D.Discovery sampling.

The Answer A is Correct


Mean-per-unit variables sampling is the most appropriate sampling procedure because it allows the
auditor to calculate a mean of the processing time and build confidence levels around the mean. The
normal sampling distribution will allow the auditor to also estimate the percentage of claims that are
not processed within the time limit contained in the company's policy.

B.Incorrect. Probability proportion to size is not appropriate in this situation.

C.Incorrect. Attribute sampling would not lead to an estimate of the average length of time to process
the claims. It could, however, be used to estimate the probability that a claim is not processed within
the company's defined standard.

D.Incorrect. Discovery sampling is used to determine if an isolated event is occurring in the population.
It would be used here only if exceeding the policy for claims processing was expected to be extremely
rare and extremely important.

132.What effect does an increase in the standard deviation have on the required sample size of
mean-per-unit estimation and probability proportional to size (PPS) sampling? Assume no
change in any of the other characteristics of the population and no change in desired precision
and confidence.

A.A

B.B

C.C.

D.D.

133.By statistically projecting the population value based on the average value of sampled
subsidiary accounts, the auditor has estimated the value of the total equipment account to be
$2,800,000. This is an example of:

A.Dollar‐unit sampling.

B.Mean‐per‐unit sampling.

C.Attributes sampling.
D.Statistical difference estimation.

The Answer B is Correct

Mean‐per‐unit sampling uses subsidiary account balances or records as a basis for projecting total
account balances.

A.Incorrect. Dollar‐unit sampling uses individual dollars instead of account balances as the sampling
units.

C.Incorrect. Attributes sampling estimates the presence of a qualitative characteristic, such as internal
control errors.

D.Incorrect. Difference estimation uses differences between audit and book values to project
population values.

134.In advance of a preliminary survey, an audit director sends a memorandum and
questionnaire to the supervisors of the department to be audited. What is the most likely result of
that procedure?

A.It creates apprehension about the audit.

B.It involves the auditee’s supervisory personnel in the audit.

C.It is an uneconomical approach to obtaining information.

D.It is useful only for audits of distant locations.

The Answer B is Correct

This helps involve the supervisors of the auditee’s department and encourages a more collegial
approach to the audit.

A.Incorrect. Greater knowledge of the upcoming audit is more likely to remove some of the
apprehension about it.

C.Incorrect. It will normally be more economical since the legwork will be done by those most
competent to do it rapidly.

D.Incorrect. Even though it is very useful for audits of distant locations, it can also be advantageous in
other circumstances.
135.An audit of a wholesale company's inventory was conducted to estimate its value. The
inventory contained 20,000 items with a book value of $1 million. The audit plan was to estimate
inventory value with a precision of ± 2% at a 90% confidence level. The sample results were:

Sample size: 300

Sample mean per unit: $52

Sample standard deviation per unit: $10.80

Sample precision per unit: $1.03

Based on the sample results, the estimated inventory value is between:

A.$784,000 and $1,216,000.

B.$844,000 and $1,256,000.

C.$1,019,400 and $1,060,600.

D.$979,400 and $1,020,600.

The Answer C is Correct

Lower limit: 20,000 × (52.00 − 1.03) = 20,000 × 50.97 = $1,019,400.

Upper limit: 20,000 × (52.00 + 1.03) = 20,000 × 53.03 = $1,060,600.

Both limits are 20,000 × ($52.00 ± $1.03) around the point estimate of 20,000 × $52.00 = $1,040,000.

Based on the data given, the achieved precision is 1.03 / 52 = 1.98% of the sample mean, which is within the
plan goal of ± 2%.

A.Incorrect. It is centered on the book value ($1,000,000) and uses 20,000 × the sample standard
deviation (20,000 × $10.80 = $216,000) as the half-width, rather than the sample mean and precision:
$1,000,000 ± $216,000 = $784,000 to $1,216,000.

B.Incorrect. It uses the standard deviation instead of the precision to compute the confidence interval:

20,000 × 41.2 = $824,000, where 41.2 = 52.0 − 10.8, and then incorrectly adds $20,000 to reach
$844,000

20,000 × 62.8 = $1,256,000, where 62.8 = 52.0 + 10.8

D.Incorrect. It is centered on the book value ($1,000,000) rather than on the sample point estimate
($1,040,000): $1,000,000 ± 20,000 × $1.03 = $979,400 to $1,020,600.


136.An auditor is using the mean‐per‐unit method of variables sampling to estimate the correct
total value of a group of inventory items. Based on the sample, the auditor estimates, with a
precision of ± 4% and confidence of 90%, that the correct total is $800,000. This means that:

A.There is a 4% chance that the actual correct total is less than $720,000 or more than $880,000.

B.There is a 10% chance that the actual correct total is less than $768,000 or more than $832,000.

C.The probability that the inventory is not significantly overstated is between 6% and 14%.

D.The inventory is not likely to be overstated by more than 4.4% ($35,200) or understated by more
than 3.6% ($28,800).

The Answer B is Correct

A 90% confidence level implies that 10% of the time the true population total will be outside the
computed range. Precision of ± 4% gives the boundaries of the computed range: 4% × $800,000 =
$32,000. $800,000 ± $32,000 provides a range of $768,000 to $832,000.

A.Incorrect. The computation underlying this response transposes the correct definitions of “precision”
and “confidence.”

C.Incorrect. This response improperly uses precision to modify confidence and fails to specify a dollar
amount for the range within which the correct total is apt to lie.

D.Incorrect. This response improperly uses confidence to modify precision, and the phrase “not likely”
is ambiguous.
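Questions 121, 122, 124, 135 and 136 all turn on one relationship: confidence interval = point estimate ± Z × standard error, with precision being the Z × standard error half-width. The following is an added Python example, not from the question bank, that computes it. The Z value is taken from the standard normal distribution rather than from a table, the per-unit precision is rounded to cents as the question 135 answer does, and no finite-population correction is applied because the question 135 figures do not use one. One caveat for question 121: its 2.5% tails come from rounding Z to 2; the exact normal tail two standard errors from the mean is about 2.3%, which the last function shows.

```python
# Added example: mean-per-unit confidence interval, precision check, and
# tail probability. Not from the question bank; names are this example's own.
from math import sqrt
from statistics import NormalDist
from typing import NamedTuple, Tuple


class Interval(NamedTuple):
    lower: float
    point: float
    upper: float
    precision_per_unit: float   # Z x standard error, per sampling unit


def z_for_confidence(confidence: float) -> float:
    """Two-sided Z value: 0.90 -> 1.645, 0.95 -> 1.960, 0.99 -> 2.576."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def mpu_interval(population_items: int, sample_mean: float, sample_sd: float,
                 sample_size: int, confidence: float) -> Interval:
    """Confidence interval for a population total under mean-per-unit sampling.
    Standard error = sd / sqrt(n); precision = Z x standard error (rounded to
    cents, as the question 135 answer does); interval = N x (mean +/- precision)."""
    standard_error = sample_sd / sqrt(sample_size)
    precision = round(z_for_confidence(confidence) * standard_error, 2)
    point = population_items * sample_mean
    half_width = population_items * precision
    return Interval(point - half_width, point, point + half_width, precision)


def meets_planned_precision(iv: Interval, sample_mean: float, planned: float) -> bool:
    """Is the achieved relative precision (e.g. 1.03 / 52 = 1.98%) within the plan (e.g. 2%)?"""
    return iv.precision_per_unit / sample_mean <= planned


def interval_from_relative_precision(point: float, precision: float) -> Tuple[float, float]:
    """Question 136 form: point estimate +/- a stated percentage of itself."""
    return point - point * precision, point + point * precision


def probability_above(point: float, standard_error_total: float, threshold: float) -> float:
    """P(true total > threshold) for a normal sampling distribution centred on the
    point estimate with the given standard error (question 121/124 data)."""
    return 1 - NormalDist(point, standard_error_total).cdf(threshold)


# Question 135 data: 20,000 items, sample of 300, mean $52, sd $10.80, 90% confidence.
Q135 = mpu_interval(20_000, 52.00, 10.80, 300, 0.90)


if __name__ == "__main__":
    print(f"Q135: ${Q135.lower:,.0f} to ${Q135.upper:,.0f}, precision per unit "
          f"${Q135.precision_per_unit:.2f}, plan met: {meets_planned_precision(Q135, 52.00, 0.02)}")
    for c in (0.90, 0.95, 0.99):     # question 122: higher confidence, wider interval
        iv = mpu_interval(20_000, 52.00, 10.80, 300, c)
        print(f"  {c:.0%} confidence: interval width ${iv.upper - iv.lower:,.0f}")
    print(f"Q136: {interval_from_relative_precision(800_000, 0.04)}")
    # Question 121: point $3,000,000, standard error $100,000 -> P(total > $3,200,000)
    print(f"Q121: {probability_above(3_000_000, 100_000, 3_200_000):.2%}")
```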

137.What effect does an increase in the standard deviation have on the required sample size of
mean-per-unit estimation and dollar-unit sampling? Assume no change in any of the other
characteristics of the population and no change in desired precision and confidence.
A. A

B. B

C. C

D. D

The Answer C is Correct

In mean-per-unit estimation, an increase in the standard deviation increases the required sample size,
because the variability of the audited values drives the precision of the estimate of the unknown
population value (e.g., inventory). In dollar-unit sampling, the sampling units are individual dollars,
so the standard deviation of the item values does not enter the sample-size computation and an increase
has no effect.

A.Incorrect. An increase in the standard deviation represents an increase in the variability of the
population and therefore requires increasing, not decreasing, the sample size.

B.Incorrect. A change in the standard deviation has no effect on the required sample size when
dollar-unit sampling is used, since the sampling units are homogeneous—the individual dollars.

D.Incorrect. Refer to the correct answer.

138.An auditor applied dollar-unit sampling to select a sample of costs charged by a contractor.
The sample design and results were:

Which of the following is true about this sample?

A.The probability of selecting any particular invoice is 15% (300/2000).

B.There is a 1% chance that the contract invoices contain significant errors.

C.The sampling risk is acceptable if errors do not exceed $33,333.

D.There is a 95% chance that the costs are not overstated more than $100,000 (1% of $10,000,000).
The Answer D is Correct

No errors were detected in the sample. Therefore, the desired confidence level and precision were
achieved.

A.Incorrect. The probability of selecting any particular invoice is proportional to the dollar amount of
the invoice.

B.Incorrect. The chance is 5% that errors are more than 1% of $10,000,000.

C.Incorrect. The acceptable level of sampling risk is 5%, which is 100% less 95%. Sampling risk is the
complement of the confidence level.

139.In which of the following situations would monetary-unit sampling be more effective and
efficient than ratio estimation?

A.The population contains a large number of differences between the recorded amount and the actual
amount.

B.The population is expected to contain few differences between the recorded amount and the actual
amount.

C.The population has a high degree of variability in dollar amount.

D.The population has a low degree of variability in dollar amount.

The Answer B is Correct

Monetary-unit sampling is especially efficient and effective when there are a small number of
differences. Ratio estimation, however, requires a large number of differences to be effective.

A.Incorrect. Monetary-unit sampling is generally inefficient and less effective than variables sampling
when there are a larger number of differences. The ratio approach, however, tends to be especially
efficient in such circumstances.

C.Incorrect. A high degree of variability in the dollar amount within the population makes both of these
methods efficient relative to alternative statistical methods. A high degree of variability in the dollar
amount of the population generally has no effect on the effectiveness of these two methods relative to
each other.

D.Incorrect. A low degree of variability among the items in the population reduces the relative
efficiency of both of these methods compared to alternative statistical sampling methods. A low degree
of variability does not affect the effectiveness of these methods.
140.An auditor is using dollar-unit sampling with a fixed interval to test an account with a
balance of $750,000. Sample size is 50. The auditor started the selection process with a random
start of 04719. Which of the following items would be the third sample item selected?

A. A

B. B

C. C

D. D

The Answer B is Correct

The selection interval is $750,000 / 50 = $15,000. With a random start of $4,719, the third selection is
the item containing the 34,719th cumulative dollar ($4,719 + $15,000 + $15,000). Item B's cumulative
amounts run from $31,375 through $35,482 and therefore include $34,719.

A.Incorrect. The cumulative amount is less than $34,719.

C.Incorrect. This item would not be selected because it does not contain the 34,719th dollar.

D.Incorrect. This item would not be selected because it does not contain the 34,719th dollar.

141.Monetary‐unit sampling is most useful when the internal auditor:

A.Is testing the accounts payable balance.

B.Cannot cumulatively arrange the population items.

C.Expects to find several material errors in the sample.

D.Is concerned with overstatements.

The Answer D is Correct

Overstated items have a greater chance of being included in the sample. Additionally, samples under
this procedure include more of the “higher‐dollar” accounts because of the way the sample is
conducted. Errors in these accounts are more likely to result in material misstatements and are thus
more critical to the internal auditor.

A.Incorrect. Monetary‐unit sampling is “generally not appropriate for testing understatement of
liabilities since the more a balance is understated, the less its chance of being included in the sample.”

B.Incorrect. This is one of the requirements for using monetary‐unit sampling.

C.Incorrect. Again, one of the assumptions for using monetary‐unit sampling is that the error rate in the
population should be small (e.g., less than 10%). The internal auditor should not use this procedure if
material errors are expected.

142.The book value of a 3,000-item inventory is $3,000,000. An auditor specifies a maximum
tolerable error of $60,000 and a 95% confidence level (reliability factor = 3.0). Assuming that no
individual item in the population exceeds the monetary value of the interval, the expected sample
size for monetary‐unit sampling would be:

A.Less than 70.

B.From 70 to 140.

C.From 140 to 160.

D.Greater than 160.

The Answer C is Correct

(3) ($3,000,000/$60,000) = 150, which represents the correct sample size.

A.Incorrect. Refer to the correct answer.

B.Incorrect. Refer to the correct answer.

D.Incorrect. Refer to the correct answer.

143.An auditor is planning to use monetary-unit sampling for testing the dollar value of a large
accounts receivable population. The advantages of using monetary-unit sampling include all of
the following except:

A.It is an efficient model for establishing that a low error rate population is not materially misstated.

B.It does not require the normal distribution approximation required by variable sampling.

C.It can be applied to a group of accounts, since the sampling units are homogenous.
D.It results in a smaller sample size than that required when using classical sampling, as errors
increase.

The Answer D is Correct

Monetary unit sampling would result in a larger sample size, and this is not an advantage.

A.Incorrect. Monetary unit sampling is an efficient model; this is an advantage.

B.Incorrect. Monetary unit sampling does not assume normally distributed populations; this is an
advantage.

C.Incorrect. Monetary unit sampling uses dollar units as the homogenous units; this is an advantage.

144.Which of the following factors would most likely preclude the auditor from using monetary
unit sampling?

A.The auditor expects to find a limited number of understatements of individual account balances.

B.The auditor expects to find that a large percentage of items sampled have misstatements.

C.Individual accounts are not assigned a number but are listed only alphabetically.

D.The auditor expects to find more errors in the larger dollar value items than in the smaller dollar
value items.

The Answer B is Correct

Monetary unit sampling is not as effective in calculating an upper error estimate when a very large
number of errors are expected.

A.Incorrect. Monetary unit sampling can effectively handle a small number of understatement errors.

C.Incorrect. Account numbers do not have to be assigned to use monetary unit sampling.

D.Incorrect. This would not preclude the use of monetary unit sampling because: (1) most large‐dollar‐
value items are selected and a census of that data is performed; and (2) the probability of any item
being selected is proportional to its size. Thus, monetary unit sampling works especially well in the
situation described here.

145.Management answered “yes” to every question when filling out an internal control
questionnaire and stated that all listed requirements and control activities were part of its
procedures. An internal auditor retrieved this questionnaire from management during the
preliminary survey visit but did not review the responses with management while on site. The
auditor’s supervisor should be critical of the above procedure based on the fact that:

A.Audit information must be corroborated in some way.

B.Internal control questionnaires cannot be relied on.

C.The auditors were not present while the questionnaire was being filled out.

D.The questionnaire was not designed to address accounting operations and controls.

The Answer A is Correct

Self‐audit questionnaires provide indirect evidence, which must be confirmed.

B.Incorrect. The ability to adapt general‐purpose internal control questionnaires (ICQs) to different
organizational units, personnel, and functional units is one of the strengths of these audit tools.

C.Incorrect. ICQs can be designed so that the auditee can answer the questions without the auditor
being present.

D.Incorrect. An ICQ does not need to address accounting information to ensure integrity.

146.Many firms are beginning to use statistical process control techniques as part of their
total quality management approach. Which of the following would not constitute a part of
statistical process control techniques?

A.Acceptance sampling.

B.Dollar-unit sampling.

C.Quality control charts.

D.Continuous monitoring and feedback.

The Answer B is Correct

Dollar-unit sampling is a technique developed for and applied to auditing. It is not used in
statistical process control.

A.Incorrect. Acceptance sampling is a standard statistical process control technique.

C.Incorrect. Quality control charts are an integral part of total quality management approaches.
D.Incorrect. Continuous monitoring and frequent feedbacks are two of the important elements of
statistical quality control.

147.Dollar-unit sampling is not efficient if:

A.Computerized account balances are being audited.

B.Statistical inferences are to be made.

C.The audit objective is oriented to understatements.

D.The account contains a large number of transactions.

The Answer C is Correct

Dollar-unit sampling, because it samples individual dollars, automatically stratifies. If the audit
objective is to identify understatements, dollar-unit sampling is not appropriate because the larger the
understatement, the less likely the item is to be selected.

A.Incorrect. The issue of manual or computerized accounts would not have any impact on sampling
efficiency.

B.Incorrect. Dollar-unit sampling is an accepted method of estimating the dollar error of an account
balance.

D.Incorrect. The number of transactions is not the issue, the number of dollars is.

148.An internal auditor is considering the use of dollar‐unit (probability proportional to size,
PPS) sampling. This technique is likely to be especially beneficial if:

A.The auditor is interested in testing the proper valuation of accounts payable.

B.The auditor believes that the items to be tested are just as likely to be overstated as understated.

C.The auditor is interested in testing the accuracy and valuation of accounts receivable.

D.The error rate in the population is believed to be quite large.

The Answer C is Correct

Dollar‐unit sampling is often used for these purposes.


A.Incorrect. The technique is ineffective at detecting understatements, which are of significant concern
for accounts payable.

B.Incorrect. The technique is ineffective at detecting understatements, so it is not especially beneficial
when items are as likely to be understated as overstated.

D.Incorrect. Dollar‐unit sampling performs relatively poorly with very large error rates.

149.A sampling plan is needed to test for overstatement of a $3 million accounts payable book
balance. The auditor determines that a $100,000 error is material and a 95% confidence level is
appropriate. Based on these determinations, the sample of size 90 is needed. The sampling plan
most likely used is:

A.Stop and go.

B.Cluster sampling.

C.Dollar-unit sampling.

D.Attributes sampling.

The Answer C is Correct

Dollar-unit sampling is the only quantitative method listed.

A.Incorrect. A quantitative materiality amount cannot apply to stop or go, a form of attributes
sampling.

B.Incorrect. It requires a definition of a cluster.

D.Incorrect. This question involves a variable and cannot apply to attributes sampling.

150.An internal auditor is preparing to sample accounts receivable for overstatement. A
statistical sampling method that automatically provides stratification when using systematic
selection is:

A.Attributes sampling.

B.Ratio‐estimation sampling.

C.Dollar‐unit sampling.

D.Mean‐per‐unit sampling.

The Answer C is Correct


It stratifies, in that each dollar is a sampling unit and the larger the account balance, the greater the
chance of selection.

A.Incorrect. It does not automatically stratify.

B.Incorrect. It does not automatically stratify.

D.Incorrect. It does not automatically stratify.

151.An auditor wishes to select a dollar-unit sample of 100 sales invoices that are included in
receivables. Total receivables consist of 1,600 invoices, beginning with invoices number 1781,
ranging in value from $25 to $3,000 and totaling $700,000. A partial list is:

Assuming the four-digit random number 1461 is selected as a starting point, the first two invoice
numbers to be included in the sample are:

A.1790 and 1795.

B.1790 and 1805.

C.1795 and 1804.

D.1795 and 1805.

The Answer B is Correct

Invoice number 1790 includes cumulative amount $1,461, and invoice number 1805 includes
cumulative amount $8,461.

A.Incorrect. The sampling interval is $7,000 (population total of $700,000 / sample size of 100). Thus,
the first two dollar amounts to be selected are cumulative amounts $1,461 (the starting point) and
$8,461 ($1,461 + $7,000). Invoice number 1795 is obtained by adding 1461 to the initial selection and
does not reflect the $7,000 interval.
C.Incorrect. Invoice number 1795 includes cumulative amounts $1,476 through $2,975 and thus does
not include the starting point of $1,461; and, invoice number 1804 does not include the second
cumulative amount of $8,461.

D.Incorrect. Refer to the correct answer.
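Questions 138, 140, 142 and 151 share one mechanism: the sampling interval is book value divided by sample size (equivalently, tolerable error divided by the reliability factor), and the sample is the set of items that contain the cumulative dollars random start, start + interval, start + 2 × interval, and so on. The following is an added Python example, not from the question bank, that implements it. The invoice list is constructed for this example, since the page's tables are not reproduced; it is built so that the item containing the 34,719th dollar spans cumulative $31,375 through $35,482, as in the question 140 answer. The function names are this example's own.

```python
# Added example: monetary-unit (dollar-unit / PPS) sampling - sample size,
# interval, fixed-interval selection over a cumulative dollar total, and
# per-item selection probability. Not from the question bank; the invoice
# population below is constructed for this example.
from math import ceil
from typing import List, Tuple

Item = Tuple[str, float]            # (identifier, recorded amount)


def mus_sample_size(book_value: float, tolerable_error: float,
                    reliability_factor: float) -> Tuple[int, float]:
    """n = RF x BV / TE (question 142: 3.0 x 3,000,000 / 60,000 = 150).
    Returns (sample size, sampling interval = BV / n = TE / RF)."""
    n = ceil(reliability_factor * book_value / tolerable_error)
    return n, book_value / n


def zero_error_upper_limit(book_value: float, sample_size: int,
                           reliability_factor: float) -> float:
    """Upper misstatement limit when the sample contains no errors: RF x interval
    (question 138: 3.0 x 10,000,000 / 300 = 100,000 at 95% confidence)."""
    return reliability_factor * book_value / sample_size


def selection_targets(random_start: float, interval: float, book_value: float) -> List[float]:
    """Cumulative dollars to be hit: start, start + interval, ... up to BV
    (question 151: start 1,461, interval 700,000 / 100 = 7,000 -> 1,461, 8,461, ...)."""
    targets, t = [], random_start
    while t <= book_value:
        targets.append(t)
        t += interval
    return targets


def mus_select(items: List[Item], interval: float, random_start: float) -> List[Tuple[str, float]]:
    """Fixed-interval selection. Walk the population keeping a running cumulative
    total; an item is selected when its cumulative range contains the next target
    dollar. Items at least one interval long are hit more than once (a census of
    large items, as noted in the question 144 answer)."""
    selected, cumulative, target = [], 0.0, random_start
    for ident, amount in items:
        cumulative += amount
        while target <= cumulative:          # target dollar lies inside this item
            selected.append((ident, target))
            target += interval
    return selected


def selection_probability(amount: float, interval: float) -> float:
    """Probability that an item is selected at least once. Proportional to the
    recorded amount, so an understated item has a smaller chance (questions 141, 147)."""
    return min(amount / interval, 1.0)


# Constructed population for the question 140 set-up: interval $15,000,
# random start $4,719. Item 1004 occupies cumulative $31,375 through $35,482.
POPULATION: List[Item] = [
    ("1001", 9_874), ("1002", 12_500), ("1003", 9_000), ("1004", 4_108),
    ("1005", 20_000), ("1006", 7_000),
]


if __name__ == "__main__":
    n, interval = mus_sample_size(3_000_000, 60_000, 3.0)
    print(f"Q142: n = {n}, interval = ${interval:,.0f}")
    print(f"Q138: zero-error upper limit = ${zero_error_upper_limit(10_000_000, 300, 3.0):,.0f}")
    print(f"Q151: first targets = {selection_targets(1_461, 7_000, 700_000)[:2]}")
    for ident, hit in mus_select(POPULATION, 15_000, 4_719):
        print(f"Q140: selected item {ident} at cumulative dollar {hit:,.0f}")
```

In the constructed population the selections fall on items 1001, 1002, 1004 and 1005 (item 1005 is certain to be selected because it is larger than the interval), so the third selection is item 1004, matching the reasoning in the question 140 answer.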

152.An auditor becomes concerned that fraud in the form of payments to bogus companies may
exist. Buyers, who are responsible for all purchases for specific product lines, are able to approve
expenditures up to $50,000 without any other approval. Which of the following audit procedures
would be most effective in addressing the auditor's concerns?

A.Use generalized audit software to list all purchases over $50,000 to determine whether they were
properly approved.

B.Develop a snapshot technique to trace all transactions by suspected buyers.

C.Use generalized audit software to take a random sample of all expenditures under $50,000 to
determine whether they were properly approved.

D.Use generalized audit software to list all major vendors by product line; select a sample of paid
invoices to new vendors and examine evidence showing that services or goods were received.

The Answer D is Correct

This is the most comprehensive procedure because it identifies major vendors, concentrates on new
vendors, and searches for underlying support that goods or services were provided by the vendor.

A.Incorrect. This would provide evidence only on purchases above $50,000, which must be approved
by someone other than the buyer.

B.Incorrect. This would provide information only on whether the transactions that were authorized by
the buyer were properly processed. It does not provide evidence on whether the transaction should have
been processed.

C.Incorrect. This would provide information on whether transactions under $50,000 contained the
buyer's authorization. That is not the question here; the question is whether there is support for the
expenditure. Further, this procedure is limited because it is not directed to the specific indicators that a
fraud might exist.

153.An auditor wishes to determine the extent to which invalid data could be contained in a
human resources computer system. Examples would be an invalid job classification, age in excess
of retirement age, or an invalid ethnic classification. The best approach to determine the extent of
the potential problem would be to:

A.Submit test data to test the effectiveness of edit controls over the input of data.

B.Review and test access controls to ensure that access is limited to authorized individuals.

C.Use generalized audit software to develop a detailed report of all data outside specified parameters.

D.Use generalized audit software to select a sample of employees. Use the sample to determine the
validity of data items and project the result to the population as a whole.

The Answer C is Correct

This is both the most effective and the most efficient procedure as it provides a comprehensive analysis
of the extent that obviously incorrect data is included in the database.

A.Incorrect. Test data would provide evidence on whether the edit controls are currently working. The
concern, however, is that data may have entered the system earlier and may be corrupted.

B.Incorrect. Access controls are important, but they do not address the auditor's major concern, which
is to determine the extent of the potential problem as a precursor for planning the extent to which
additional audit work is necessary.

D.Incorrect. This is a valid procedure, but given the auditor's more limited objective, the correct choice
provides more comprehensive and efficient evidence.

154.A bank internal auditor wishes to determine whether all loans are backed by sufficient
collateral, properly aged as to current payments, and properly categorized as current or
noncurrent. The best audit procedure to accomplish this objective would be to:

A.Use generalized audit software to read the total loan file, age the file by last payment due, and take a
statistical sample stratified by the current and aged population. Examine each loan selected for proper
collateralization and aging.

B.Take a block sample of all loans in excess of a specified dollar limit and determine if they are current
and properly categorized. For each loan approved, verify aging and categorization.

C.Take a discovery sample of all loan applications to determine whether each application contains a
statement of collateral.

D.Take a sample of payments made on the loan portfolio and trace them to loans to see that the
payments are properly applied. For each loan identified, examine the loan application to determine that
the loan has proper collateralization.

The Answer A is Correct

This is the best procedure because it takes a sample from the total loan file and tests to determine that
the loan is properly categorized as well as properly collateralized.

B.Incorrect. This sample deals only with large-dollar items and does not test for proper
collateralization.

C.Incorrect. This is an inefficient audit procedure because it samples from loan applications, not loans
approved.

D.Incorrect. This would be an ineffective procedure because it is based only on loans in which
payments are currently being made—it does not include loans that should have been categorized
differently because payments are not being made.

155.A retail company uses electronic data interchange (EDI) to order all of its merchandise. The
goods are received at a central warehouse, where they are electronically scanned into the
computer to determine that a purchase order had been issued and to record the goods. The goods
are price-marked at the warehouse and shipped to individual stores within 24 to 48 hours.
Inventory and accounts payable are updated when the goods are received. The company receives
an invoice electronically from the vendor. A computer program matches the invoice with the
applicable purchase order and receiving information. If the items match, the invoice is scheduled
for payment and a report is made to the treasurer. If the invoice does not match the other items
within predefined ranges, a report is generated and sent to accounts payable for further
investigation. All the applicable documents are electronically marked, cross-referenced, and
retained in open files.

The auditor wants to determine whether the computer program is appropriately matching the
purchase receipts and vendor invoices throughout the year. Which one of the following
computerized audit techniques would be most efficient and effective in accomplishing this
objective?

A.Use the test data method during the last quarter.

B.Use an integrated test facility throughout the year.

C.Use the parallel simulation technique and apply on a monthly basis.

D.Use the SCARF (systems control audit review file) on a daily basis.

The Answer B is Correct

The integrated test facility would allow the auditor to submit data periodically during the year to
determine how well the program worked throughout the year.

A.Incorrect. The test data method is limited to a point in time in which the testing is accomplished.
Using it only during the last quarter of the year would not be effective unless there was also a test of
program changes.

C.Incorrect. Parallel simulation would not be an efficient technique because it would cause the auditor
to develop a massive parallel system.

D.Incorrect. The SCARF method is used to identify outliers (transactions with unusual characteristics
or transactions that are processed when they do not pass normal edit controls). It simply writes these
transactions out to a file for further audit investigation. It would not be a good technique for addressing
the audit objective.

156.Management answered “yes” to every question when filling out an internal control
questionnaire and stated that all listed requirements and control activities were part of its
procedures. An internal auditor retrieved this questionnaire from management during the
preliminary survey visit but did not review the responses with management while on site.

The auditor's supervisor is writing the performance assessment for the auditor on this
preliminary survey assignment. The supervisor cites the need to review management's responses
on the control questionnaire. The auditor should have interviewed management for additional
information because the interview technique:

A.Provides the opportunity to insert questions to probe promising areas.

B.Is the most efficient way to upgrade the information to the level of objective evidence.

C.Is the least costly audit technique when a large amount of information is involved.

D.Is the only audit procedure that does not require confirmation and walk-through of the information
that is obtained.

The Answer A is Correct

During face-to-face contact, a skilled interviewer can react to potential problems and expand
questioning of more relevant subjects.

B.Incorrect. Interviews do not produce objective evidence unless the information corroborates facts
already in evidence.

C.Incorrect. Interviews tend to be more costly in relation to the amount of information that must be
included because of the preparation and discussion time involved.

D.Incorrect. Critical information obtained during an interview must be followed up and confirmed.

157.A retail company uses electronic data interchange (EDI) to order all of its merchandise. The
goods are received at a central warehouse, where they are electronically scanned into the
computer to determine that a purchase order had been issued and to record the goods. The goods
are price-marked at the warehouse and shipped to individual stores within 24 to 48 hours.
Inventory and accounts payable are updated when the goods are received. The company receives
an invoice electronically from the vendor. A computer program matches the invoice with the
applicable purchase order and receiving information. If the items match, the invoice is scheduled
for payment and a report is made to the treasurer. If the invoice does not match the other items
within predefined ranges, a report is generated and sent to accounts payable for further
investigation. All the applicable documents are electronically marked, cross-referenced, and
retained in open files.

The auditor wants to determine the extent to which items are not matched at year-end and
investigate the potential cause of the nonmatching items. Which one of the following audit
procedures would be most effective in determining the items to investigate?

A.Submit test data to identify attributes of nonmatching items. Follow up by investigating the attributes
identified.

B.Use generalized audit software to read the purchase order file for the year. Select a statistical sample
of purchase orders and trace to applicable receiving and vendor invoice files.

C.Use the SCARF (systems control audit review file) to identify unusual items. Take an attribute
sample and trace to the underlying paper documents.

D.Use generalized audit software to read the electronically marked unmatched items.

The Answer D is Correct

This would be the best method because it would sample from a population that has been explicitly
identified as nonmatching. It allows the auditor to analyze the potential problems before investigating
further.

A.Incorrect. The test data method would only tell us whether the computer program is working
correctly at one point in time. It would not identify all the problems encountered during the year.

B.Incorrect. Generalized audit software is a good tool, but it would not be used efficiently here since it
is reading the purchase order file only. Many of the items selected may have been appropriately
matched and some may not have been filled.

C.Incorrect. SCARF would not be an effective audit tool because the auditor wishes to identify
nonmatched items.

158.Governmental auditors have been increasingly called on to perform audits to determine
whether individuals are getting extra social welfare payments. One common type of welfare
fraud is individuals receiving more than one social welfare payment. This is often accomplished
by filing multiple claims under multiple names but using the same address. Which of the
following computer audit tools and techniques would be most helpful in identifying the existence
of this type of fraud?

A.Tagging and tracing.

B.Generalized audit software.

C.Integrated test facility (ITF).

D.Spreadsheet analysis.

The Answer B is Correct

Generalized audit software could be used to develop a list of multiple recipients at one address. The list
could then be investigated further to determine the possibility of fraud.

A.Incorrect. Tagging and tracing is most effective to determine that items properly submitted are
processed correctly.

C.Incorrect. The ITF is most effective to determine that items properly submitted are processed
correctly.

D.Incorrect. This would not be the most effective technique.

159.The auditor determines that a major user application is implemented on a spreadsheet. The
spreadsheet takes input regarding projected freight deliveries from the mainframe computer and
develops an optimal freight-dispatching plan. When first used two years ago, the spreadsheet
helped reduce costs dramatically. However, freight costs have been increasing, and no one, other
than the developer, has reviewed the spreadsheet. The freight-dispatching algorithm is
complicated, but the auditor has researched the area and understands the algorithm and its
correct computation.

The auditor wishes to gain assurance on whether the spreadsheet has properly implemented the
freight-dispatching algorithm. Which of the following audit procedures would accomplish the
task?

I. Develop an independent spreadsheet and run test data through it and through the user's
spreadsheet. Compare the results.

II. Use a product to print out the logic of the user spreadsheet. Examine the logic to determine
if it has been correctly incorporated into the spreadsheet.

III. Develop a set of test data and manually calculate the expected results. Run the test data
through the user application.

A.II only.

B.I and III.

C.I, II, and III.

D.I only.

The Answer C is Correct

All three audit approaches would work. If we were to rank order the effectiveness, it would be I, III,
then II. However, if properly implemented, procedure II would work.

A.Incorrect. All three of the procedures would work.

B.Incorrect. All three of the procedures would work.

D.Incorrect. All three of the procedures would work.

160.The auditor determines that a major user application is implemented on a spreadsheet. The
spreadsheet takes input regarding projected freight deliveries from the mainframe computer and
develops an optimal freight-dispatching plan. When first used two years ago, the spreadsheet
helped reduce costs dramatically. However, freight costs have been increasing, and no one, other
than the developer, has reviewed the spreadsheet. The freight-dispatching algorithm is
complicated, but the auditor has researched the area and understands the algorithm and its
correct computation.

Assume the audit testing indicates that the spreadsheet has correctly implemented the
freight-dispatching algorithm. Which of the following conclusions is(are) justified from the audit
evidence?

I. The spreadsheet must be obtaining incorrect data when it is downloaded from the mainframe.

II. Although the algorithm is correctly implemented, it is not the most efficient algorithm.

III. The increased freight costs must be due to some other cause than the spreadsheet calculation.

A.III only.

B.I, II, and III.

C.I and II.

D.II only.

The Answer A is Correct

The only justifiable conclusion that can be reached based on the audit tests is that something other than
the calculation is causing the increase in freight costs.

B.Incorrect. Although hypotheses I and II may be potential explanations, they would need to be tested.
They represent hypotheses, not conclusions.

C.Incorrect. Although hypotheses I and II may be potential explanations, they would need to be tested.
They represent hypotheses, not conclusions.

D.Incorrect. The auditor has researched the potential algorithms and did not conclude that the one
implemented is not sufficient. There is not enough evidence to justify this conclusion.

161.The auditor wishes to test controls over computer program changes. The specific objective to
be addressed in the following audit step is that only authorized changes have been made to
computer programs (i.e., there are no unauthorized program changes). The organization uses an
automated program library system, and the auditor obtains copies of the table of contents of the
program library system at various periods of time. The table of contents indicates the date a
change was last made to the program, the version number of the program, and the length of the
program. Which of the following audit procedures would best address the stated objective?

A.Use generalized audit software to randomly select a sample of current applications. Trace those
selected to program change authorization forms.

B.Take a sample of all program change requests. Trace the requests to proper authorization and to
changes in the program library.

C.Use generalized audit software to compare the table of contents of the program library currently with
an auditor copy made previously. Compare and identify differences. Select a sample of the differences
for further investigation.

D.Obtain a list of programming projects implemented by the data processing manager during the last
six months. Take a sample from the list and trace to program change authorization forms.

The Answer C is Correct

This would be the best procedure. Since the auditor is looking for unauthorized changes, the auditor
must first identify all changes that have taken place. The auditor then investigates the changes to see if
they had been authorized.

A.Incorrect. This would be an inefficient procedure. Many programs will not have changes made to
them during the applicable time period. Thus, there will not be program change request forms for many
items selected.

B.Incorrect. Sampling from authorized changes will tell the auditor only that authorized changes had
been made. The auditor is searching for unauthorized changes.

D.Incorrect. Similar to response (B), the population only identifies those projects that have been
authorized. The auditor is concerned with unauthorized changes.
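The comparison the correct answer describes, as an added example that is not from the book: two snapshots of the library's table of contents are diffed, and every difference is reconciled against the authorized change log so that only unexplained changes remain. The snapshots, record layout and change request id are constructed.

```python
"""Compare two snapshots of a program library's table of contents and reconcile
every difference against the authorized change log.

Added example, not from the book. The snapshots, the change log (including the
request id) and the record layout are all constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Optional


class Entry(NamedTuple):
    program: str
    last_changed: str   # date of last change, as recorded by the library system
    version: int
    length: int         # program length as recorded (lines, records or bytes)


def load_toc(text: str) -> Dict[str, Entry]:
    """Parse a 'program,last_changed,version,length' listing into {program: Entry}."""
    toc: Dict[str, Entry] = {}
    for line in text.strip().splitlines()[1:]:          # first line is the header
        program, date, version, length = (f.strip() for f in line.split(","))
        toc[program] = Entry(program, date, int(version), int(length))
    return toc


def toc_differences(before: Dict[str, Entry], after: Dict[str, Entry]) -> List[dict]:
    """Every program added, removed or altered between the auditor's earlier copy
    (before) and the current table of contents (after), in program-name order."""
    diffs: List[dict] = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            diffs.append({"program": name, "kind": "added", "before": None, "after": new})
        elif new is None:
            diffs.append({"program": name, "kind": "removed", "before": old, "after": None})
        elif old != new:
            diffs.append({"program": name, "kind": "changed", "before": old, "after": new})
    return diffs


def unauthorized_changes(diffs: List[dict], authorized: List[dict]) -> List[dict]:
    """Differences with no covering change request.

    A request covers a difference only when it names the same program and the
    version now in the library (version None for an authorized removal). A
    program whose date or length changed without a version bump is always
    flagged: the library was altered outside the change process.
    """
    covered = {(a["program"], a["version"]) for a in authorized}
    flagged: List[dict] = []
    for d in diffs:
        before, after = d["before"], d["after"]
        if d["kind"] == "changed" and before.version == after.version:
            flagged.append(d)
            continue
        new_version: Optional[int] = after.version if after else None
        if (d["program"], new_version) not in covered:
            flagged.append(d)
    return flagged


# Constructed snapshots: the auditor's earlier copy and the current listing.
TOC_BEFORE = """program,last_changed,version,length
PAYROLL,2023-01-10,12,4410
GL_POST,2023-02-02,7,2210
AP_MATCH,2022-11-30,3,1890
INV_AGE,2023-01-21,5,960
"""
TOC_AFTER = """program,last_changed,version,length
PAYROLL,2023-04-14,13,4475
GL_POST,2023-02-02,7,2260
AP_MATCH,2022-11-30,3,1890
FX_RATE,2023-03-03,1,310
"""
# Constructed change log: only PAYROLL version 13 has an approved request.
AUTHORIZED_CHANGES = [{"program": "PAYROLL", "version": 13, "request": "CR-1042"}]

if __name__ == "__main__":
    diffs = toc_differences(load_toc(TOC_BEFORE), load_toc(TOC_AFTER))
    for d in unauthorized_changes(diffs, AUTHORIZED_CHANGES):
        print(f"{d['program']:<9} {d['kind']:<8} before={d['before']} after={d['after']}")
```

GL_POST is flagged even though its version number did not move, because its recorded length changed; that in-place edit is exactly the kind of change a sample drawn from approved requests (options B and D) would never surface.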

162.Auditors have learned that increased computerization has created more opportunities for
computer fraud but has also led to the development of computer audit techniques to detect
frauds. A type of fraud that has occurred in the banking industry is a programming fraud where
the programmer designs a program to calculate daily interest on savings accounts to four
decimal places. The programmer then truncates the last two digits and adds it to his or her
account balance. Which of the following computer audit techniques would be most effective in
detecting this type of fraud?

A.Parallel simulation.

B.Generalized audit software that selects account balances for confirmation with the depositor.

C.Snapshot.

D.SCARF (systems control and audit review file).

The Answer A is Correct

This method would work best because the amounts credited to each account would be compared to that
calculated by the auditor's parallel program.

B.Incorrect. It is doubtful that confirmation of an account balance would detect errors of less than 1
cent made on a daily basis.

C.Incorrect. Snapshot is a technique for tracing the processing of transactions through a system. It
would not be applicable here.

D.Incorrect. SCARF is an audit technique that captures unusual transactions (or transactions in excess
of edit checks) that have been submitted for processing. The auditor can evaluate the items later. It is
not applicable here.
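Parallel simulation against the interest posting described in this question, as an added example that is not from the book: the auditor's program recomputes each account's daily interest independently and lists every account whose posted credit differs. The accounts, balances, rate and posted amounts are constructed, and the sample data imitates the residual-shifting pattern only so the comparison has something to find.

```python
"""Parallel simulation of daily savings interest: recompute each account's
credit independently and compare it with what the system actually posted.

Added example, not from the book. Account numbers, balances, the annual rate and
the posted amounts are constructed. The rounding policy is an assumption; use
the bank's documented policy in a real engagement.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, Iterable, NamedTuple

CENT = Decimal("0.01")


class Posting(NamedTuple):
    account: str
    balance: Decimal
    annual_rate: Decimal   # e.g. Decimal("0.0365") gives a daily rate of exactly 0.0001
    credited: Decimal      # interest the production program posted for the day


def expected_daily_interest(balance: Decimal, annual_rate: Decimal) -> Decimal:
    """Auditor's independent calculation: balance * rate / 365, rounded to the cent.
    Assumption: the stated policy rounds half up rather than truncating."""
    return (balance * annual_rate / Decimal(365)).quantize(CENT, rounding=ROUND_HALF_UP)


def compare_postings(postings: Iterable[Posting]) -> Dict[str, Decimal]:
    """{account: posted - expected} for every account whose credit differs."""
    differences: Dict[str, Decimal] = {}
    for p in postings:
        expected = expected_daily_interest(p.balance, p.annual_rate)
        if p.credited != expected:
            differences[p.account] = p.credited - expected
    return differences


def net_drift(differences: Dict[str, Decimal]) -> Decimal:
    """Sum of all differences. Honest truncation leaves a negative total; a
    scheme that moves the dropped fractions to one account nets to zero while
    that account shows the only positive difference."""
    return sum(differences.values(), Decimal(0))


# Constructed day of postings. At 3.65% the daily interest is balance / 10,000,
# so the fraction below one cent is easy to see. SAV-9001 receives the fractions
# the other three accounts lost.
SAMPLE_POSTINGS = [
    Posting("SAV-1001", Decimal("1234.56"), Decimal("0.0365"), Decimal("0.12")),  # 0.123456 -> 0.12 either way
    Posting("SAV-1002", Decimal("5678.90"), Decimal("0.0365"), Decimal("0.56")),  # 0.567890 -> should be 0.57
    Posting("SAV-1003", Decimal("9999.99"), Decimal("0.0365"), Decimal("0.99")),  # 0.999999 -> should be 1.00
    Posting("SAV-1004", Decimal("250.00"), Decimal("0.0365"), Decimal("0.02")),   # 0.025    -> should be 0.03
    Posting("SAV-9001", Decimal("100.00"), Decimal("0.0365"), Decimal("0.04")),   # 0.01 expected, 0.03 extra
]

if __name__ == "__main__":
    diffs = compare_postings(SAMPLE_POSTINGS)
    for account, diff in sorted(diffs.items()):
        print(f"{account}: posted - expected = {diff:+}")
    print(f"net drift across accounts: {net_drift(diffs)}")
```

A confirmation sent to the depositor of SAV-1002 (option B) would ask them to agree a balance that is one cent low for the day, which is why the book dismisses it; the recomputation finds the cent on every account at once.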

163.While performing analytical procedures related to an audit of a social services agency of a
government entity, the auditor noted that there was an unusually large increase in payments to
individual recipients who are under the direction of a particular social worker in the agency.

Which of the following audit procedures would be the best procedure to investigate this
observation?

A.Use generalized audit software to sort payments to recipients by social worker. Then sort the
payments by common addresses and names.

B.Implement an integrated test facility and monitor transactions throughout the year to identify unusual
items.

C.Implement the snapshot approach and tag transactions that are related to the social worker identified
with the unusually large increases.

D.Use generalized audit software to take a random sample of recipients, and investigate by sending
confirmations to each recipient to determine if proper payments had been received.

The Answer A is Correct

This would be the best procedure because it would be an efficient manner to determine if any easily
seen fraudulent pattern was associated with the payments under the control of the social worker.

B.Incorrect. The integrated test facility is designed to test the correctness of processing, not whether
only valid recipients are receiving payment.

C.Incorrect. This is a future-oriented approach and would not provide much information about the
possibility of fraudulent items currently contained in the file. Like the integrated test facility (ITF),
snapshot concentrates on the processing of data, not the addition of new recipients to the files.

D.Incorrect. Sending confirmations to the recipients listed on the file would not be the first approach
that is being used for two reasons: (1) the correct choice would better establish whether there is a
defined pattern of potential fraud; (2) if the recipients are indeed fraudulent, the social worker will
receive the confirmation (all sent to a common address) and will be able to respond positively.
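The generalized-audit-software step that the correct answers to questions 158 and 163 describe (list recipients sharing one address, here grouped per social worker), as an added example that is not from the book. The payment records and the address normalization rules are constructed; real case-management data needs a far more careful address-matching step.

```python
"""Find addresses shared by more than one recipient, grouped by social worker.

Added example, not from the book. The payment records and the normalization
rules are constructed for illustration. A hit is an item to investigate, not
proof of fraud: shared housing and family members at one address are common.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Payment(NamedTuple):
    social_worker: str
    recipient: str
    address: str
    amount: float


def normalize_address(addr: str) -> str:
    """Collapse case, punctuation, spacing and a few common abbreviations so
    trivially varied spellings of one address compare equal."""
    addr = addr.lower()
    addr = re.sub(r"[^\w\s]", " ", addr)                    # drop punctuation
    addr = re.sub(r"\b(apartment|apt|unit)\b", "apt", addr)  # unify unit markers
    addr = re.sub(r"\bstreet\b", "st", addr)                 # constructed rule set; extend as needed
    return re.sub(r"\s+", " ", addr).strip()


def shared_addresses(payments: Iterable[Payment], min_recipients: int = 2) -> Dict[str, Dict[str, List[str]]]:
    """{social_worker: {normalized_address: [distinct recipient names]}} for every
    address that carries at least `min_recipients` distinct names. A recipient
    paid several times at one address counts once, so repeat payments to one
    person do not produce a hit."""
    by_worker: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for p in payments:
        name = " ".join(p.recipient.split()).title()
        by_worker[p.social_worker][normalize_address(p.address)].add(name)
    report: Dict[str, Dict[str, List[str]]] = {}
    for worker, addresses in by_worker.items():
        hits = {a: sorted(names) for a, names in addresses.items() if len(names) >= min_recipients}
        if hits:
            report[worker] = hits
    return report


# Constructed payment file: one address under SW-07 spelled three ways.
PAYMENTS = [
    Payment("SW-07", "J. Ortiz", "12 Elm Street, Apt 4", 410.0),
    Payment("SW-07", "M. Ortiz", "12 ELM ST APT 4", 410.0),
    Payment("SW-07", "P. Quinn", "12 elm street apartment 4", 395.0),
    Payment("SW-07", "A. Lee", "8 Oak Ave", 380.0),
    Payment("SW-03", "R. Chen", "55 Pine Rd", 400.0),
    Payment("SW-03", "R. Chen", "55 Pine Rd", 400.0),   # same person twice: not a shared address
    Payment("SW-03", "S. Patel", "9 Birch Ln", 390.0),
]

if __name__ == "__main__":
    for worker, hits in shared_addresses(PAYMENTS).items():
        for address, names in hits.items():
            print(f"{worker}: {address!r} -> {', '.join(names)}")
```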

164.While performing analytical procedures related to an audit of a social services agency of a
government entity, the auditor noted that there was an unusually large increase in payments to
individual recipients who are under the direction of a particular social worker in the agency.

The auditor is considering making a recommendation on appropriate controls to address a
potential problem of fictitious recipients. The auditor has identified the following control
procedures as potential items to include in the recommendation.

I. Require that all additions to the recipient file be independently investigated and approved
by a supervisor of the social workers.

II. Require the use of self-checking digits on the account numbers of all recipients so that any
duplicates will be immediately noted by the system.

III. Incorporate a code into the computer program to search for duplicate names and addresses.
Develop an exception report that will go to the section supervisor whenever duplicates are
noted.

IV. Require social workers to be rotated among recipients.

Which of the following control combinations would effectively address the auditor's concerns and
improve control over valid recipients?

A.I, II, III, and IV.

B.I, II, and III.

C.I and IV.

D.I, III, and IV.

The Answer D is Correct

All three of these responses would be effective in dealing with the audit and control concern identified
by the auditor: Item I segregates duties, item III incorporates an important computer check, and item IV
rotates duties so that a new worker will find that some recipients are not valid.

A.Incorrect. Item II would not add to the control.

B.Incorrect. The self-checking digit would not improve the control procedure. Each recipient set up in
the system would have a unique self-checking digit. The concern is over the process of setting up valid
recipients.

C.Incorrect. Item III would also contribute.

165.Many public utility companies operate complex customer service systems (CSSs) to manage
their customer service function. CSSs operate in an online, real‐time environment, which allows
customer service data to be directly entered online from customer telephone calls. Which of the
following information technology auditing techniques provides the auditor with the capability to
continuously monitor customer service data that are collected from telephone calls in CSSs?

A.Generalized audit software.

B.Control flowcharting.

C.Embedded audit data collection.

D.Integrated test facility (ITF).

The Answer C is Correct

Embedded audit data collection provides the auditor with the capability to continuously monitor the
operation of an application.

A.Incorrect. Generalized audit software can be used for data collection but operates
independently—and thus not continuously—from an application.

B.Incorrect. Control flowcharting is developed to document and/or review the controls in an
application system.

D.Incorrect. ITF is used to test programs, not to collect data.

166.Which of the following information systems auditing techniques processes real transaction
data (or a copy of the real data) through auditor‐developed test programs?

A.Integrated test facility (ITF).

B.Tracing.

C.Parallel simulation.

D.Mapping.

The Answer C is Correct

Parallel simulation processes real transaction data through auditor‐developed test programs.

A.Incorrect. The ITF involves the use of test data and also the creation of fictitious entities (e.g.,
vendors and employees) on master files.

B.Incorrect. Tracing provides a detailed listing of the sequence of program statement execution.

D.Incorrect. Mapping is a procedure for reporting code usage within a program.

167.An auditor is considering developing a questionnaire to research employee attitude toward
control procedures. Which of the following represents criteria that should not be considered in
designing the questionnaire?

A.Questions must be worded to ensure a valid interpretation by the respondents.

B.Questions must be reliably worded so that they measure what was intended to be measured.

C.The questionnaire should be short to increase the response rate.

D.Questions should be worded such that a “no” answer indicates a problem.

The Answer D is Correct

Questions can be multiple choice, fill in the blank, essay, Likert scales, and so on.

A.Incorrect. Validity and reliability of each question are extremely important.

B.Incorrect. Validity and reliability of each question are extremely important.

C.Incorrect. When questionnaires are too long, people tend not to fill them out.

168.To determine if there have been any unauthorized program changes since the last authorized
program update, the best information technology audit technique is for the auditor to conduct
a(n):

A.Code comparison.

B.Code review.

C.Test data run.

D.Analytical review.

The Answer A is Correct

Code comparison is the process of comparing two versions of the same program to determine whether
the two correspond. It is an efficient technique because it is performed by software.

B.Incorrect. Code review is the process of reading program source code listings to determine whether
the code contains potential errors or inefficient statements. Code review can be used as a means of code
comparison but is inefficient.

C.Incorrect. Test data runs permit the auditor to verify the processing of preselected transactions. They
give no evidence about unexercised portions of the program.

D.Incorrect. Analytical review is the process of creating and evaluating ratios between numbers, often
in the context of financial statements.

169.In auditing an online perpetual inventory system, an auditor selected certain file‐updating
transactions for detailed testing. The audit technique that will provide a computer trail of all
relevant processing steps applied to a specific transaction is described as:

A.Simulation.

B.Snapshot.

C.Code comparison.

D.Tagging and tracing.

The Answer D is Correct

Tagging is an audit technique to obtain a computer trail of processing steps relevant to a given
transaction.

A.Incorrect. Simulation permits comparisons of live data processing but does not produce a trail of
processing steps.

B.Incorrect. Snapshot is a technique for taking a picture of computer memory to aid in verifying a
decision process.

C.Incorrect. Code comparison verifies that program changes and maintenance are correctly followed.

170.Which of the following statements is not true concerning the tasks that generalized audit
software is able to perform?

A.Provides totals of unusual items.

B.Checks for duplications, missing information, or ranges of values.

C.Specifies which data elements will be tested and the criteria to be used.

D.Verifies calculation totals and analyses produced.

The Answer C is Correct

This is a manual function that must be performed by the auditor.

A.Incorrect. This is an example of functions that generalized audit software is able to perform.

B.Incorrect. This is an example of functions that generalized audit software is able to perform.

D.Incorrect. This is an example of functions that generalized audit software is able to perform.

171.Generalized audit software can be used to:

A.Examine the existence and consistency of data maintained on files.

B.Perform concurrent auditing of data files.

C.Verify processing logic of operating systems software.

D.Access complex data structures without using host language extensions.

The Answer A is Correct

The software compares two files for data consistency.

B.Incorrect. Generalized audit software only permits ex‐post (after the fact) auditing.

C.Incorrect. Generalized audit software cannot verify operating system logic.

D.Incorrect. Using a host language extension, an auditor can gain direct access to the database.

172.A primary reason auditors are reluctant to use integrated test facility (ITF) is that it requires
them to:

A.Reserve specific master file records and process them at regular intervals.

B.Collect transaction and master file records in a separate file.

C.Notify user personnel so they can make manual adjustments to output.

D.Identify and reverse the fictitious entries to avoid contamination of the master file.

The Answer D is Correct

This is the major reason for not using ITF.

A.Incorrect. Reserving specific master file records and processing them at regular intervals pertains to
base case system evaluation instead of ITF.

B.Incorrect. Collecting transaction and master file records in a separate file is a feature of embedded
audit data collection, not ITF.

C.Incorrect. Making manual adjustments to output does not reverse the fictitious entries in the master
file.

173.Embedded audit modules:

A.Identify unexecuted computer code.

B.Aid in debugging application systems.

C.Analyze the efficiency of programming.

D.Enable continuous monitoring of transaction processing.

The Answer D is Correct

They can be continuously monitored or specifically activated.

A.Incorrect. It is a characteristic of snapshot.

B.Incorrect. It is a characteristic of tracing.

C.Incorrect. It is a characteristic of mapping.

174.An internal auditing department implemented an integrated test facility (ITF) to test its
payroll processing.

The auditing department identified the key controls and processing steps built into the computer
program and developed test data based on the key controls and processing steps in order to test
them. The department submitted test transactions throughout the year. Assuming that the
auditors did not find any differences in their test results, the auditors can conclude that:

A.The system is properly capturing the hours worked by employees during the year, and the hours have
been properly submitted to payroll and processed correctly.

B.All employees were correctly paid during the year, and their pay was correctly computed.

C.The computer application and its control procedures were processing payroll transactions correctly
during the past year.

D.All of the above.

The Answer C is Correct

The auditor's inference can be only to the operation of computerized controls and the correctness of
computer processing during the year because the ITF tests only the computerized portion of the
application, not that all data have been entered correctly.

A.Incorrect. The ITF only provides audit evidence on the correctness of processing of data that has
been submitted to the computer application. Thus, it does not provide evidence that all hours worked
have been entered into the system for processing.

B.Incorrect. The auditor cannot conclude that all employees were paid correctly and that their pay was
correctly recorded; to do so, the auditor would need evidence that all employees were correctly
classified as to pay rate and that all their time was correctly submitted to the computer program.

D.Incorrect. Refer to the correct answer.

175.The greatest impact information technology has had on the audit process is:

A.Its use to track personnel performance and development of audit staff.

B.Its use in the audit reporting process, such as automated working paper packages.

C.Its use to conduct audits utilizing various computer‐assisted techniques.

D.Its use as a strategic tool to develop the audit plan.

The Answer C is Correct

Computer‐assisted techniques have had the greatest impact on the audit process. They have changed
the audit scope and test procedures, and so on.

A.Incorrect. This task can be performed manually without the use of information technology.

B.Incorrect. While it has changed audit documentation, it has not impacted the audit scope or test
procedures.

D.Incorrect. Whether using information technology or not, the audit risk is the same.

176.Generalized audit software is designed to allow auditors to:

A.Monitor the execution of application programs.

B.Process test data against master files that contain real and fictitious entities.

C.Select sample data from files and check computations.

D.Insert special audit routines into regular application programs.

The Answer C is Correct

This is a function of generalized audit software.

A.Incorrect. This is a function of mapping.

B.Incorrect. This is a function of an integrated test facility.

D.Incorrect. This is a function of an embedded audit routine.

177.An internal auditor was assigned to confirm whether operating personnel had corrected
several errors in transaction files that were discovered during a recent audit. Which of the
following automated tools is the auditor most likely to use?

A.Online inquiry.

B.Parallel simulation.

C.Mapping.

D.Tracing.

The Answer A is Correct

Online inquiry is an interactive procedure that allows an auditor or other authorized personnel to select
and view individual records or transactions.

B.Incorrect. Parallel simulation processes real data through audit programs so simulated output and
regular output can be compared.

C.Incorrect. Mapping monitors the execution of a program.

D.Incorrect. Tracing provides an audit trail of the instructions that are executed when a program is run.

178.Which of the following statements describes an internal control questionnaire? It:

A.Provides detailed evidence regarding the substance of the control system.

B.Takes less of the auditee’s time to complete than other control evaluation devices.

C.Requires that the auditor be in attendance to properly administer it.

D.Provides indirect audit evidence that might need corroboration.

The Answer D is Correct

The evidence provided is indirect and therefore could require corroboration in some way.

A.Incorrect. “Yes” and “no” answers may be very general and not specific as to degree.

B.Incorrect. They are tiring for auditees to complete due to their length.

C.Incorrect. The structured questionnaire asks for specific “yes” or “no” answers plus brief
explanations.

179.An audit test to substantiate that a company is complying with software copyright
requirements is to:

A.Review the corporate policy on copyrights.

B.Compare the software on a sample of microcomputers with the purchase documentation.

C.Inventory all the software that is being run on microcomputers.

D.Review the minutes of the management information system steering committee or similar body.

The Answer B is Correct

Comparing a sample of software being run on personal computers with purchase documentation will
establish a basis for determining compliance.

A.Incorrect. Reviewing the policy will not determine compliance with copyright limitations.

C.Incorrect. An inventory of software alone cannot determine compliance without comparing it to
supporting purchase documentation.

D.Incorrect. Reviewing the minutes may determine the intent to comply with copyright laws but cannot
establish compliance.

180.A principal disadvantage of auditing around rather than through the computer is:

A.The time involved in testing controls for simulation programs is extensive.

B.The costs involved in testing controls over computer processing are high.

C.The integrity of the audit trail through the computer is not tested.

D.The technical expertise to compensate for auditing around the computer is extensive.

The Answer C is Correct

Auditing around the computer does not involve testing the transaction (audit) trail.

A.Incorrect. Simulation programs involve computer applications and require auditing through the
computer.

B.Incorrect. High costs are not involved with testing controls when auditing around the computer.

D.Incorrect. A high level of technical expertise is a disadvantage of auditing through the computer, not
around the computer.

181.An accounting clerk developed a scheme to input fraudulent invoices for nonexistent vendors.
All the payments were sent to the same address. The auditor suspects a possible fraud.

The most effective computer audit technique to investigate the fraud would be to:

A.Use test data for multiple vendors and investigate unexpected results.

B.Perform a complete audit of computer program changes.

C.Use generalized audit software to compare addresses across multiple files and print out duplicates for
investigation.

D.Test application controls through an integrated test facility and investigate unexpected results.

The Answer C is Correct

This software could check the mailing addresses of vendors and detect common address, or other
commonalities of the billings.

A.Incorrect. Test data would check the processing of information, not the validity of the input
information.

B.Incorrect. The fraud did not involve a program change.

D.Incorrect. This test is not designed to test for the processing of invalid information.

182.An accounting clerk developed a scheme to input fraudulent invoices for nonexistent vendors.
All the payments were sent to the same address. The auditor suspects a possible fraud. The
auditor would test all of the vendor information rather than a sample of the vendor transactions
because:

A.Although nonsampling error is reduced, sampling error is larger when computers are used to draw
the sample.

B.The audit procedures used to compare vendor information require the reading of all records.

C.Audit standards prohibit the use of sampling if fraud is expected.

D.The only effective procedures require auditing through the computer.

The Answer B is Correct

The audit procedure to be applied in this case requires a matching of all records to identify vendor
addresses that are the same.

A.Incorrect. Sampling error is not larger when computers are used to draw the sample.

C.Incorrect. Standards do not prohibit the use of sampling.

D.Incorrect. This is not an example of auditing through the computer. The test uses audit software to
extract and compare data.

183.To achieve cost‐effective audits of computer‐based systems where similar audit tasks are
required to meet a variety of objectives, the auditor should use:

A.Comparison programs.

B.Custom audit software.

C.Query functions and report writers.

D.Generalized audit software.

The Answer D is Correct

Generalized audit software allows many different audits to be done where similar audit tasks are
required. It is cost effective.

A.Incorrect. Comparison programs compare source versions of operational programs with authorized
copies and identify only changes or deviations in logic.

B.Incorrect. Custom audit software is written for a specific audit and cannot be used on different
systems.

C.Incorrect. Query functions and report writers require the auditor to learn the rules of each environment, and they are usually limited to data retrieval.

184.Which of the following is an appropriate audit procedure that can be used to test the
adequacy of application controls over computer‐based accounts payable?

A.Observing the computer library and operations area to obtain evidence to support an opinion about
the security of accounts payable data files.

B.Manually comparing vendor invoice numbers with those listed on computer‐generated lists of
accounts payable to assess the effectiveness of computer‐based sequence checks.

C.Testing purchase transactions using a test‐data approach.

D.Using a computer‐generated questionnaire to obtain reliable information about the accuracy and
completeness of input and update of accounts payable data from the organization's computer
management personnel.

The Answer C is Correct

The use of test data is a useful audit procedure to test application controls.

A.Incorrect. Data file security is a general control concern. The question deals with application controls.

B.Incorrect. Computer‐based sequence checks are application controls. It is appropriate for an internal auditor to
seek to determine whether the checks are working. However, this question involves document numbers
on vendor invoices. Since vendors generate these document numbers, the purchasing firm has no
access to a sequencing of such invoices.

D.Incorrect. It is never acceptable for an internal auditor to rely on the representations of an auditee.

185.The internal auditing department has begun an audit of an automated payroll system. Audit
staff members have been trained in the use of an audit software package and have a working
knowledge of the database employed for this system but do not have programming experience. In
the system being audited, employees report their hours on time sheets, which are keyed each
week by an assigned individual in each department.

The transaction file of payroll hours is maintained by the system as a primary source of payroll
input. After the department manager reviews the gross hours, the information is released to the
online payroll system. The payroll is then processed, and pay stubs are printed and distributed to
the employees. All payments are through direct deposit. In order to preserve the confidentiality
of the payroll information of employees, detailed reports that reconcile payroll expenses charged
to the department are not generated. Management wants to know whether the payroll program is
reliable. Given the skill level of the assigned staff, which of the following methods will most likely
be applied to test the accuracy of the payroll calculation?

A.Parallel simulation.

B.Integrated test facility.

C.Tagging and tracing.

D.Mapping and program analysis.

The Answer A is Correct

Use of audit software to perform parallel simulation is an acceptable audit application.

B.Incorrect. Use of an integrated facility usually requires advance planning before a system is
implemented. Installing an integrated test facility after the fact can be quite costly and time consuming.

C.Incorrect. Tagging and tracing is more difficult to employ than parallel simulation.

D.Incorrect. Mapping and program analysis requires a strong programming background, which is not
available with this audit team.
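The parallel simulation approach chosen in the answer above, as an added example that is not from the question bank or from any audit software product: the auditor's own program recomputes gross pay from the released hours file and the employee master using the documented pay rule, then compares every result with the production system's output and lists the exceptions. The pay rule (time-and-a-half above 40 hours for eligible employees), the record layouts, the sample data and the function names are constructed assumptions.

```python
"""Parallel simulation of a payroll gross-pay calculation.

Added example: an independent re-implementation of the documented pay rule is
run against the same input the production payroll system used, and the two sets
of results are compared record by record. All records and rules are constructed.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

# Constructed employee master: employee id -> (hourly rate, overtime eligible).
EMPLOYEE_MASTER: Dict[str, Tuple[Decimal, bool]] = {
    "E001": (Decimal("20.00"), True),
    "E002": (Decimal("35.50"), True),
    "E003": (Decimal("50.00"), False),   # no overtime premium for this employee
}

# Constructed transaction file of weekly hours released by department managers.
HOURS_FILE: List[Tuple[str, Decimal]] = [
    ("E001", Decimal("40")),
    ("E002", Decimal("45")),
    ("E003", Decimal("44")),
]

# Constructed output of the production payroll run: employee id -> gross pay.
SYSTEM_OUTPUT: Dict[str, Decimal] = {
    "E001": Decimal("800.00"),
    "E002": Decimal("1686.25"),   # 40 * 35.50 + 5 * 35.50 * 1.5
    "E003": Decimal("2000.00"),   # 44 * 50.00 should be 2200.00: a difference to report
    "E999": Decimal("500.00"),    # paid by the system although no hours were released
}

CENT = Decimal("0.01")
OVERTIME_THRESHOLD = Decimal("40")     # assumed documented pay rule
OVERTIME_MULTIPLIER = Decimal("1.5")


def simulate_gross_pay(hours: Decimal, rate: Decimal, overtime_eligible: bool) -> Decimal:
    """Auditor's independent implementation of the documented pay rule."""
    if overtime_eligible and hours > OVERTIME_THRESHOLD:
        regular = OVERTIME_THRESHOLD * rate
        overtime = (hours - OVERTIME_THRESHOLD) * rate * OVERTIME_MULTIPLIER
        gross = regular + overtime
    else:
        gross = hours * rate
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def run_parallel_simulation(hours_file, master, system_output, tolerance=Decimal("0.00")):
    """Recompute every released record, compare with the system's output and
    return a list of exception dictionaries (empty list means no differences)."""
    exceptions = []
    seen = set()
    for emp_id, hours in hours_file:
        seen.add(emp_id)
        if emp_id not in master:
            exceptions.append({"employee": emp_id, "issue": "not on employee master"})
            continue
        rate, overtime_eligible = master[emp_id]
        expected = simulate_gross_pay(hours, rate, overtime_eligible)
        actual = system_output.get(emp_id)
        if actual is None:
            exceptions.append({"employee": emp_id, "issue": "no system output",
                               "expected": expected})
        elif abs(actual - expected) > tolerance:
            exceptions.append({"employee": emp_id, "issue": "amount differs",
                               "expected": expected, "actual": actual})
    # The comparison also surfaces payments the system made with no released hours.
    for emp_id, actual in system_output.items():
        if emp_id not in seen:
            exceptions.append({"employee": emp_id, "issue": "paid without hours record",
                               "actual": actual})
    return exceptions


if __name__ == "__main__":
    for exc in run_parallel_simulation(HOURS_FILE, EMPLOYEE_MASTER, SYSTEM_OUTPUT):
        print(exc)
```

The simulation only needs the audit software's ability to read the transaction and master files and to apply arithmetic, which fits the staff profile in the question; it says nothing about why the production program produced a different figure, so each exception still has to be followed up with the application owner.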

186.To identify lost or incomplete sales accounting record updates using the computer, the most
appropriate approach is:

A.Test data.

B.Parallel simulation.

C.Controlled reprocessing.

D.Integrated test facility.

The Answer C is Correct

Controlled reprocessing allows update inputs to be inexpensively reprocessed and compared to original
update results.

A.Incorrect. Test data checks specific controls but would not allow identification of lost or incomplete
updates.

B.Incorrect. Parallel simulation is quite expensive and is inappropriate for a one-time identification of
lost or incomplete updates.

D.Incorrect. An integrated test facility tests the system on a continuous basis but may contaminate
actual transaction data.

187.You have been assigned to review the propriety of the duplicate payments edit control in the
accounts payable system of a public agency. The agency purchases spare parts from
approximately 2,000 vendors. In addition, the agency is building a heavy rail system and makes
payments to contractors and subcontractors for this $2 billion project. You have been told that
vendors recently have reported several duplicate payments.

Management believes that some unreported duplicate payments may exist for which the agency
should seek refunds. The director of management information systems stated that the duplicate
payments were isolated instances that would eventually have been discovered by controls outside
of the computer system. All payments are matched against a 60-day payment history file.
Whenever there is a match on amount, invoice number, and vendor number, a duplicate
payments warning is sent to the accounts payable clerk. Only the manager of accounts payable is
capable of overriding this edit. Which of the following is the best computer-assisted audit
technique or tool to use in this situation?

A.Statistical sampling.

B.Source code desk checking.

C.Integrated test facility.

D.Generalized audit software.

The Answer D is Correct

Generalized audit software can be utilized to review 100% of the file for duplicate payments using any
matching requirements and thus help identify potential duplicate payments claims.

A.Incorrect. Statistical sampling is most useful in estimating the size of a population (variables
sampling) or the degree of error (attribute sampling). Specific identification of duplicate payments is
the problem here.

B.Incorrect. While desk checking the source code might detect a program error, it is not the solution to
the problem at hand.

C.Incorrect. An integrated test facility is useful for passing test data through a production system, but it
does not address the duplicate payments problem.
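The two generalized audit software tests described in questions 181, 182 and 187 (matching vendor addresses across files to surface a remittance address shared by several vendor numbers, and matching payments on vendor number, invoice number and amount within a 60-day window), as one added example that is not from the question bank or from any audit software product. It reads every record rather than a sample, which is the point made in question 182. The file layouts, sample records and address-normalization rules are constructed assumptions.

```python
"""Full-population matching tests in the style of generalized audit software.

Added example with constructed data:
  1. Duplicate-payment test: same vendor number, invoice number and amount paid
     within a 60-day window (the edit rule described in the scenario).
  2. Common-address test: different vendor numbers whose remittance addresses
     normalize to the same string.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed payment history file.
PAYMENTS = [
    {"pay_id": 1, "vendor": "V100", "invoice": "INV-555", "amount": 1250.00, "paid": date(2023, 3, 1)},
    {"pay_id": 2, "vendor": "V100", "invoice": "INV-555", "amount": 1250.00, "paid": date(2023, 3, 20)},  # within 60 days of pay_id 1
    {"pay_id": 3, "vendor": "V100", "invoice": "INV-555", "amount": 1250.00, "paid": date(2023, 7, 15)},  # same key, outside the window
    {"pay_id": 4, "vendor": "V200", "invoice": "7781", "amount": 980.50, "paid": date(2023, 4, 2)},
    {"pay_id": 5, "vendor": "V200", "invoice": "7781", "amount": 980.55, "paid": date(2023, 4, 3)},  # amount differs, no match
    {"pay_id": 6, "vendor": "V300", "invoice": "A1", "amount": 410.00, "paid": date(2023, 5, 9)},
]

# Constructed vendor master file.
VENDORS = [
    {"vendor": "V100", "name": "Acme Supply", "address": "12 Main St., Suite 4, Springfield"},
    {"vendor": "V200", "name": "Beta Parts", "address": "400 Oak Ave, Capital City"},
    {"vendor": "V300", "name": "Gamma Tools", "address": "12 MAIN STREET SUITE 4 SPRINGFIELD"},  # same place as V100
    {"vendor": "V400", "name": "Delta Co", "address": "9 Elm Rd, Shelbyville"},
]

WINDOW_DAYS = 60


def find_duplicate_payments(payments, window_days=WINDOW_DAYS):
    """Return (earlier_pay_id, later_pay_id) pairs that agree on vendor number,
    invoice number and amount and were paid within window_days of each other."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["vendor"], p["invoice"].strip().upper(), round(p["amount"], 2))
        groups[key].append(p)
    pairs = []
    for recs in groups.values():
        recs.sort(key=lambda r: r["paid"])
        for i, earlier in enumerate(recs):
            for later in recs[i + 1:]:
                if (later["paid"] - earlier["paid"]).days <= window_days:
                    pairs.append((earlier["pay_id"], later["pay_id"]))
    return pairs


# Assumed abbreviation table so that "Street" and "St." compare equal.
_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "SUITE": "STE"}


def normalize_address(addr):
    """Upper-case, drop punctuation, collapse whitespace and standardize abbreviations."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def find_shared_addresses(vendors):
    """Return {normalized_address: [vendor numbers]} for every address that more
    than one vendor number resolves to."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[normalize_address(v["address"])].append(v["vendor"])
    return {addr: ids for addr, ids in by_addr.items() if len(ids) > 1}


if __name__ == "__main__":
    print("possible duplicate payments:", find_duplicate_payments(PAYMENTS))
    print("addresses shared by several vendors:", find_shared_addresses(VENDORS))
```

Both tests produce leads, not conclusions: a pair of payments that match on all three fields still has to be traced to the invoice and receiving documents, and a shared address may have an innocent explanation (two subsidiaries at one site), so the output is a list for investigation rather than a finding.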

188.When concerned with the validity of certain recurring transactions, which of the following
computer‐assisted audit techniques would allow the auditor to select predefined transactions for
audit during normal processing?

A.Extended records

B.Tracing

C.Mapping

D.Embedded audit data collection

The Answer D is Correct

Embedded audit data collection requires that screening routines be inserted within production runs and thus
allows identification and selection of transactions meeting predefined criteria.

A.Incorrect. Extended records combine elements from different files into a single record.

B.Incorrect. Tracing is used to identify the execution and sequence of computer instructions.

C.Incorrect. Mapping is used to determine if any unexecuted code exists.

189.Management of a property and casualty insurance company is concerned about the efficiency
and effectiveness of the claims processing activities. It has two major concerns: (1) Some claims
are being paid that should not be paid or are being paid in amounts in excess of the policy; and (2)
many claimants are not being paid on a timely basis. In preparing for an audit of the area, the
internal auditor decides to perform a preliminary survey to gather more information about the
nature of processing and potential problems.

The auditor used a questionnaire during interviews to gather information about the nature of
claims processing. Unfortunately, the questionnaire did not cover a number of pieces of
information offered by the person being interviewed. Consequently, the auditor did not
document the potential problems for further audit investigation. The primary deficiency with
this process is that:

A.The auditor failed to consider the importance of the information offered.

B.The use of a questionnaire in a situation where a structured interview should have been used.

C.Questionnaires do not allow for opportunities to document other information.

D.All of the above.

The Answer A is Correct

The major problem is that the auditor was too oriented to the questionnaire and failed to appropriately
consider the other information that was offered. Questionnaires may be limited, but the auditor needs to
be flexible enough to gather other information when it is offered.

B.Incorrect. This is not an inappropriate use of a questionnaire. The problem was the auditor did not
listen well enough to expand the information-gathering process.

C.Incorrect. Questionnaires are limited, but the problem is with its application, not necessarily the
nature of the questionnaires.

D.Incorrect. Refer to the correct answer.

190.Which of the following best describes the major disadvantage of using a questionnaire rather
than a flowchart to evaluate internal controls?

A.Questionnaires usually take more time to complete and are more cumbersome.

B.Responses do not efficiently flag potential internal control weaknesses.

C.It is difficult for auditors to develop or obtain questionnaires that are appropriate for most internal
control systems.

D.Auditors may complete questionnaires without really understanding overall operations of internal
control systems.

The Answer D is Correct

This is the major disadvantage of using questionnaires. Developing or reviewing flowcharts is an
extremely effective way to gain an overall understanding of the system and pinpoint control points and
the lack of controls.

A.Incorrect. The opposite is true.

B.Incorrect. This is an advantage of questionnaires.

C.Incorrect. Questionnaires are readily obtained or developed.

191.To test that all inventory shipments are billed to customers, an auditor would compare
computer‐generated:

A.Receivables ledger updates with detailed sales invoices.

B.Shipping records with detailed sales invoices.

C.Shipping records with original customer orders.

D.Shipping records with customer credit limits.

The Answer B is Correct

Comparing shipping records with sales invoices would disclose any shipments that were not billed.

A.Incorrect. Comparing entries in the receivable ledger with sales invoices demonstrates only that the
prepared invoices were posted.

C.Incorrect. Comparing shipping records with original customer orders demonstrates only that
shipments were made to customers, not that those customers were billed.

D.Incorrect. Comparing shipping records with credit limits demonstrates only that credit limits might
not have been exceeded.

192.Which of the following best describes the operation of an integrated test facility (ITF)?

A.Establishing a dummy entity against which test data are processed and stored.

B.Developing a simulation program to compare actual data and test data.

C.Using specially coded inputs to trace test data through the transaction trail.

D.Translating business transactions into a format that the operating system processes.

The Answer A is Correct

An ITF uses a fictitious or dummy entity against which data are processed and stored.

B.Incorrect. Simulation programs are techniques using separate programs to process actual data and
then compare results.

C.Incorrect. Snapshot is a technique using specially coded inputs to trace the transaction trail.

D.Incorrect. Data conversion is the process of translating transactions into a form compatible with an
operating system.

193.An internal auditor identifies a situation where there is doubt whether all overhead is
completely allocated to cost centers by the computer program. The best procedure to test the
completeness of the allocation by the program is:

A.Use of control flowcharting.

B.Inquiry of the systems programmers.

C.Use of extended records and mapping.

D.The test‐data approach.

The Answer D is Correct

The test‐data approach inputs data into the application and allows output to be compared to
predetermined results, thus identifying the degree of completeness of the allocation.

A.Incorrect. Control flowcharting is generally at the systems level rather than the program level.

B.Incorrect. Inquiry of the systems programmer would be of little help in relation to specific program
logic problems.

C.Incorrect. Extended records are used to capture an audit trail through a system.

194.Modern computer technology makes it possible to perform paperless audits. For example, in
an audit of computer‐processed customer accounts receivable balances, an auditor might utilize a
microcomputer to directly access the accounts receivable files and copy selected customer
records into the microcomputer for audit analysis. Which of the following is an advantage of this
type of paperless audit of accounts receivable balances?

A.It reduces the amount of substantive testing required.

B.It allows immediate processing of audit data on a spreadsheet working paper.

C.It increases the amount of technical skill required of the auditor.

D.It allows direct confirmation of customer account balances.

The Answer B is Correct

A major advantage of this type of auditing is the ability to immediately process data using
microcomputer software without first having to manually enter the data into the microcomputer.

A.Incorrect. Audit technology has no direct effect on the amount of substantive testing required.

C.Incorrect. While this is true, it is not an advantage.

D.Incorrect. Processing computer files does not in itself provide confirmation of customer account
balances.

195.To ensure that goods received are the same as those shown on the purchase invoice, a
computerized system should:

A.Match selected fields of the purchase invoice to goods received.

B.Maintain control totals of inventory value.

C.Calculate batch totals for each input.

D.Use check digits in account numbers.

The Answer A is Correct

Computer matching of fields such as goods received number, product code, supplier code, and quantity
ensures agreement between goods received and goods invoiced.

B.Incorrect. Control totals do not identify specific item‐by‐item differences.

C.Incorrect. Batch totals only provide a total value for a field and do not allow for detail matching.

D.Incorrect. Check digits only provide for validation of predefined account numbers.

196.Which of the following is a disadvantage of using an integrated test facility (ITF) when
auditing a computer application?

A.The ITF may be useful in verifying the correctness of account balances but not in determining the
presence of processing controls.

B.The test transactions could enter the live data environment.

C.The ITF technique cannot be used with simulated master file records during application testing.

D.The test data must be processed by information technology staff with substantial technical skills.

The Answer B is Correct

An acknowledged risk of using the ITF is the contamination of live master files.

A.Incorrect. The ITF is utilized to test programs in operation, including the presence of processing
controls.

C.Incorrect. The ITF technique can be used for both system development and application testing.

D.Incorrect. Minimal technical skill is required to process test data when using an ITF.

197.Which of the following is one purpose of an embedded audit module?

A.Enable continuous monitoring of transaction processing

B.Identify program code that may have been inserted for unauthorized purposes

C.Verify the correctness of account balances on a master file

D.Review the contents of a specific portion of computer memory

The Answer A is Correct

An embedded audit module enables continuous monitoring and analysis of transaction processing,
including the functioning of processing controls.

B.Incorrect. Mapping is a technique for determining whether a computer program contains any
unexecuted code that should be examined.

C.Incorrect. Retrieval and analysis programs, such as generalized audit software, offer the features and
flexibility suitable for verifying the correctness of information on a computer file.

D.Incorrect. The snapshot method is a technique utilized to capture and print all data pertinent to the
analysis of a specific moment in the processing cycle.

198.Management has requested an audit of promotional expenses. The sales department has been
giving away expensive items in conjunction with new product sales to stimulate demand. The
promotion seems successful, but management believes the cost may be too high. Which of the
following audit procedures would be the least useful to determine the effectiveness of the
promotion?

A.A comparison of product sales during the promotion period with sales during a similar nonpromotion
period.

B.A comparison of the unit cost of the products sold before and during the promotion period.

C.An analysis of marginal revenue and marginal cost for the promotion period compared to the period
before the promotion.

D.A review of the sales department's reasons for believing that the promotion has been successful.

The Answer B is Correct

There is no indication that cost of the products sold has changed. The challenge is to address the
effectiveness of the promotion.

A.Incorrect. This comparison would help highlight the effectiveness of the promotion in increasing
sales.

C.Incorrect. This is the key analysis, as it would show the extent of additional revenue versus cost.

D.Incorrect. This would be helpful because the sales department may have useful information on new
customers and repeat purchases.

199.An internal auditor plans to use an analytical review to verify the correctness of various
operating expenses in a division. The use of an analytical review as a verification technique would
not be a preferred approach if:

A.The auditor notes strong indicators of a specific fraud involving this account.

B.The company has relatively stable operations that have not changed much over the past year.

C.The auditor would like to identify large, unusual, or nonrecurring transactions during the year.

D.The operating expenses vary in relation to other operating expenses but not in relation to revenue.

The Answer A is Correct

If the auditor already suspects fraud, a more directed audit approach would be appropriate.

B.Incorrect. Relatively stable operating data are a good scenario for using analytical review.

C.Incorrect. Analytical review would be useful in identifying whether large, nonrecurring, or unusual
transactions occurred.

D.Incorrect. Analytical review only needs to have accounts related to other accounts or other
independent data. It does not require that they be related to revenue.

200.During an audit, the internal auditor should consider the following factor(s) in determining
the extent to which analytical procedures should be used:

A.Adequacy of the system of internal control

B.Significance of the area being examined

C.Precision with which the results of analytical audit procedures can be predicted

D.All of the above

The Answer D is Correct

All of the above factors would be considered in determining the extent of analytical audit procedures to
be used.

A.Incorrect. Adequacy of the system of internal control would be used to determine the extent of
analytical audit procedures to be completed.

B.Incorrect. The significance of the area being examined would be a factor in determining the extent of
the analytical audit procedures to be used.

C.Incorrect. The precision of the prediction of the internal audit results would be a factor in
determining the extent of analytical audit procedures to be used.

201.Which of the following is the primary advantage of using an internal control questionnaire?

A.It provides a clear picture of the interrelationships that exist between the various controls.

B.It reduces the risk of overlooking important aspects of the system.

C.It forces an auditor to acquire a full understanding of the system.

D.The negative responses indicate the only areas needing further audit work.

The Answer B is Correct

It can be prepared in advance and functions very much like a checklist.

A.Incorrect. This is an advantage of a flowchart.

C.Incorrect. This is an advantage of a flowchart.

D.Incorrect. Positive responses must also be tested to determine compliance.

202.A restaurant food chain has over 680 restaurants. All food orders for each restaurant are
required to be input into an electronic device that records all orders by food servers and
transmits the order to the kitchen for preparation. All food servers are responsible for collecting
cash for all their orders and must turn in cash at the end of their shift equal to the sales value of
food ordered for their ID number. The manager then reconciles the cash received for the day
with the computerized record of food orders generated. All differences are investigated
immediately by the restaurant.

Corporate headquarters has established monitoring controls to determine when an individual
restaurant might not be recording all its revenue and transmitting the applicable cash to the
corporate headquarters. Which one of the following would be the best example of a monitoring
control?

A.The restaurant manager reconciles the cash received with the food orders recorded on the computer.

B.All food orders must be entered on the computer, and there is segregation of duties between the food
servers and the cooks.

C.Management prepares a detailed analysis of gross margin per store and investigates any store that
shows a significantly lower gross margin.

D.Cash is transmitted to corporate headquarters on a daily basis.

The Answer C is Correct

Monitoring is a process that assesses the quality of the internal control structure's performance over
time. It involves appropriate personnel assessing the design and operation of controls on a timely basis
and taking necessary actions. Monitoring can be done through ongoing activities or separate
evaluations. Ongoing monitoring procedures are built into the normal recurring activities of an entity
and include regular management and supervisory activities.

A.Incorrect. This is an example of a reconciliation control applied at the store level. Monitoring refers
to an overall control, which will tell management whether its other controls are operating effectively.

B.Incorrect. These are operational and segregation controls.

D.Incorrect. This is a daily operational control.

203.The auditor of a construction company that builds foundations for bridges and large
buildings performed a review of the expense accounts for equipment (augers) used to drill holes
in rocks to set the foundation for the buildings. During the review, the auditor noted that the
expenses related to some of the auger accounts had increased dramatically during the year. The
auditor spoke to the construction manager, who explained that the augers last two to three years
and are expensed when purchased. Thus, the auditor should see a decrease in the expense
accounts for these augers in the next year but would expect an increase in the expenses of other
augers. The auditor also found out that the construction manager is responsible for the
inventorying and receiving of augers and is a part owner of a company that supplies augers to the
company. To improve the quality of equipment, the president of the company approved the
supplier.

Which of the following procedures would be the least appropriate audit procedure to address
these analytical findings?

A.Note the explanation in the working papers for investigation during the next audit and perform no
further work at this time.

B.Develop a comparative analysis of auger expense over the past few years to determine if the
relationship held in previous years.

C.Take a sample of debits to the auger expense account, and trace to independent shipping documents
and to invoices for the augers.

D.Arrange to take an inventory of augers to determine if the augers purchased this year were on hand
and would be available for use in the next two years.

The Answer A is Correct

This is the least appropriate audit procedure because it just defers the investigation to the following
year. If a fraud was being conducted, it would not be appropriate to defer investigative action to the
following year.

B.Incorrect. This would be an effective procedure to establish the face validity of the manager's
explanation. If the relationship is valid, it should also hold for the previous years.

C.Incorrect. This would be an appropriate attempt to establish some independent evidence as to
whether the goods were received, because the construction manager has a conflict of interest. The
auditor should look for the existence of receiving reports signed by someone other than the
construction manager and should verify that the individuals signing the reports exist.

D.Incorrect. This would be a good procedure to determine if the augers exist since they are supposed to
be used over a two- to three-year period.

204.The auditor of a construction company that builds foundations for bridges and large
buildings performed a review of the expense accounts for equipment (augers) used to drill holes
in rocks to set the foundation for the buildings. During the review, the auditor noted that the
expenses related to some of the auger accounts had increased dramatically during the year. The
auditor spoke to the construction manager, who explained that the augers last two to three years
and are expensed when purchased. Thus, the auditor should see a decrease in the expense
accounts for these augers in the next year but would expect an increase in the expenses of other
augers. The auditor also found out that the construction manager is responsible for the
inventorying and receiving of augers and is a part owner of a company that supplies augers to the
company. To improve the quality of equipment, the president of the company approved the
supplier.

Assume the auditor did not find a satisfactory explanation for the results of the analytical
procedures performed and has conducted the appropriate follow-up procedures. The audit of the
area is otherwise complete. Which of the following would be the most appropriate action to take?

A.Note the actions and follow-up next year. Defer the reporting to management until a satisfactory
explanation can be obtained.

B.Expand audit procedures by observing the receipt of all augers during a reasonable period of time,
and trace the receipts to the appropriate accounts. Determine causes of any discrepancies.

C.Report the findings, as they are, to management, and recommend an investigation for possible
irregularities.

D.Report the findings to the construction manager and insist that appropriate internal controls, such as
independent receiving reports, be implemented. Follow up to see if the controls are properly
implemented.

The Answer C is Correct

The IIA Standards state: “Results, or relationships from applying analytical auditing procedures that
are not sufficiently explained should be communicated to the appropriate levels of management.”

A.Incorrect. This would only delay the reporting of an important finding.

B.Incorrect. The results should be reported to management. The suggested audit procedure is
incomplete and likely would not answer the question on the causes of the problem.

D.Incorrect. The results should be reported to other levels of management because the auditor has
already noted that the construction manager has a conflict of interest. Further, the auditor cannot insist
that controls be implemented; the auditor can only recommend.

205.An auditor performs an analytical review by comparing the gross margins of various
divisional operations with those of other divisions and with the individual division's performance
in previous years. The auditor notes a significant increase in the gross margin at one division.
The auditor does some preliminary investigation and also notes that there were no changes in
products, production methods, or divisional management during the year. Based on the above
information, the most likely cause of the increase in gross margin would be:

A.An increase in the number of competitors selling similar products.

B.A decrease in the number of suppliers of the material used in manufacturing the product.

C.An overstatement of year-end inventory.

D.An understatement of year-end accounts receivable.

The Answer C is Correct

An overstatement of year-end inventory would result in an increase in the gross margin.

A.Incorrect. An increase in the number of competitors would result in price competition and a likely
decrease in gross margin.

B.Incorrect. A decrease in the number of suppliers would cause less price competition on the incoming
side and, all else being equal, would result in a decreased gross margin.

D.Incorrect. A decrease in accounts receivable would be very unlikely to signal an increase in the gross
margin.

206.During an operational audit, an auditor compares the inventory turnover rate of a subsidiary
with established industry standards in order to:

A.Evaluate the accuracy of the subsidiary’s internal financial reports.

B.Test the subsidiary’s controls designed to safeguard assets.

C.Determine if the subsidiary is complying with corporate procedures regarding inventory levels.

D.Assess the performance of the subsidiary and indicate where additional audit work may be needed.

The Answer D is Correct

Such an analytical procedure will provide an indication of the efficiency and effectiveness of the
subsidiary’s management of the inventory.

A.Incorrect. Comparison with industry standards will not test the accuracy of internal reporting.

B.Incorrect. Comparison with industry standards will not test the controls designed to safeguard the
inventory.

C.Incorrect. Comparison with industry standards will not test compliance.

207.During an audit of a smaller division, the auditor notes the following regarding the
purchasing function:

• There are three purchasing agents. Agent 1 is responsible for ordering all large component parts,
Agent 2 is responsible for electric motors, and Agent 3 is responsible for smaller parts, such as
fasteners.

• There are separate accounts payable and receiving departments.

• In order to hold vendors more responsible, all invoices are sent to the purchasing agent placing the
order. The purchasing agent matches the vendor invoice, receiving slip, and purchase order. If all
match, the purchasing agent sends the documents forward to the accounts payable department.
The purchasing agent investigates differences.

• Only the accounts payable department has the ability to authorize an item for payment.

• All recorded receipts are immediately recorded into a perpetual inventory record by the
department to which the goods are transferred after receipt.

The auditor interviewed both management and the purchasing agents. Both groups were very satisfied
with the current system because it helped maintain vendor accountability and provided sufficient
segregation of duties since only the accounts payable department can authorize an item for payment.

Which of the following audit procedures would be most effective in determining whether material
fraud was taking place?

A.Take a random sample of cash disbursements and trace to approved purchase orders and receiving
slips.

B.Reconcile the perpetual inventory to the general ledger and investigate any differences.

C.Take a random sample of purchase orders. Trace each purchase order to a receiving slip, vendor
invoice, and approval by the accounts payable department.

D.Perform an analytical review of inventory by product line to determine whether a particular product
line has increased. Inquire of the purchasing agent as to the reason for the inventory increase.

The Answer B is Correct

A fraud would result in an overstatement of inventory in the ledger, but the perpetual inventory would
reflect actual purchases.

A.Incorrect. This would not be an effective procedure because, by definition, all cash disbursements
would be accompanied by approved documents.

C.Incorrect. This procedure would only verify that purchase orders were processed. It would not
indicate the existence of fictitious purchase orders.

D.Incorrect. This procedure would provide limited evidence of the possibility of fraud but would not be
as complete as the correct choice.

208.During an audit of a smaller division, the auditor notes the following regarding the
purchasing function:

• There are three purchasing agents. Agent 1 is responsible for ordering all large component
parts, Agent 2 is responsible for electric motors, and Agent 3 is responsible for smaller parts,
such as fasteners.

• There are separate accounts payable and receiving departments.

• In order to hold vendors more responsible, all invoices are sent to the purchasing agent
placing the order. The purchasing agent matches the vendor invoice, receiving slip, and
purchase order. If all match, the purchasing agent sends the documents forward to the
accounts payable department. The purchasing agent investigates differences.

• Only the accounts payable department has the ability to authorize an item for payment.

• All recorded receipts are immediately recorded into a perpetual inventory record by the
department to which the goods are transferred after receipt.

The auditor interviewed both management and the purchasing agents. Both groups were very
satisfied with the current system because it helped maintain vendor accountability and provided
sufficient segregation of duties since only the accounts payable department can authorize an item
for payment.

The auditor is responsible for evaluating the control structure to determine if the structure
would allow for undetected fraud. Based on the above scenario, what is the most likely
undetected fraud, if any?

A.The purchasing agents could be purchasing the majority of products from a favorite vendor since
rotation among purchasing agents is not mandatory.

B.The purchasing agents could be sending fake purchase orders to a dummy vendor, inserting a
receiving slip, and having payments made to the dummy vendor.

C.The receiving department could be diverting receipts to different locations and failing to create
receiving reports.

D.The production department could be deflating the price of products purchased and thereby increasing
the reported gross margin of sales.

The Answer B is Correct

This type of fraud would not be detected by the control system since the purchasing agent could insert
the fictitious receiving slip.

A.Incorrect. There may be good reason to purchase most goods from a particular vendor. Nothing in
the scenario suggests fraudulent activities.

C.Incorrect. This possible fraud would be detected because no receiving report would be available to
support the vendor's invoice.

D.Incorrect. This response is unrelated to the purchasing environment.

209.During an audit of a smaller division, the auditor notes the following regarding the
purchasing function:

• There are three purchasing agents. Agent 1 is responsible for ordering all large component
parts, Agent 2 is responsible for electric motors, and Agent 3 is responsible for smaller parts,
such as fasteners.

• There are separate accounts payable and receiving departments.

• In order to hold vendors more responsible, all invoices are sent to the purchasing agent
placing the order. The purchasing agent matches the vendor invoice, receiving slip, and
purchase order. If all match, the purchasing agent sends the documents forward to the
accounts payable department. The purchasing agent investigates differences.

• Only the accounts payable department has the ability to authorize an item for payment.

• All recorded receipts are immediately recorded into a perpetual inventory record by the
department to which the goods are transferred after receipt.

The auditor interviewed both management and the purchasing agents. Both groups were very
satisfied with the current system because it helped maintain vendor accountability and provided
sufficient segregation of duties since only the accounts payable department can authorize an item
for payment.

Which of the following control procedures, if properly implemented, would best decrease the
likelihood of fraud in the environment described above?

A.Require periodic rotation of purchases among different vendors.

B.Require rotation of duties among the three purchasing agents.

C.Require receiving reports be sent directly to accounts payable.

D.Require that the receiving department make the updates to the perpetual inventory record.

The Answer C is Correct

This change in procedures would make it difficult for the purchasing agent to insert a fictitious
receiving report. An even better procedure would be to have both receiving reports and vendor invoices
be sent to accounts payable.

A.Incorrect. This might partially deal with the problem, but the purchasing agent could just develop
new dummy vendors. Further, this would be a trend away from establishing long-term relationships
with key vendors as part of many total quality management programs.

B.Incorrect. Rotation of duties would not affect the type of fraud that could take place in this
environment. The purchasing agent could just develop another dummy vendor for the new product line.

D.Incorrect. This would just create an additional opportunity for fraud by the receiving department.
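
The weakness discussed in questions 207 to 209 is that one purchasing agent controls both the purchase order and the receiving evidence that reaches accounts payable. The Python below is an added illustration, not part of the question bank: it applies control C of question 209 as a detective test (every receiving slip must exist in the receiving department's own log) and the perpetual-inventory reconciliation of answer B in question 207, over constructed, hypothetical purchase data; the reconciliation is done in units rather than dollars for simplicity.

```python
"""Detective checks for the purchasing control weakness in questions 207-209.

Added illustration, not part of the original question bank. All vendors, purchase
orders, slip numbers and quantities below are constructed, hypothetical data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentPacket:
    """Documents a purchasing agent forwards to accounts payable after matching."""
    po_id: str
    agent: str
    vendor: str
    item: str
    qty: int
    amount: float
    slip_id: str  # receiving slip number attached by the purchasing agent


# Constructed sample: three genuine purchases and one fictitious one. In PO-1004 the
# agent created a dummy vendor and attached a receiving slip the receiving department
# never issued (the fraud pattern from question 208).
PACKETS = [
    PaymentPacket("PO-1001", "agent1", "Acme Castings", "housing", 40, 8000.0, "RS-501"),
    PaymentPacket("PO-1002", "agent2", "Volt Motors", "motor", 10, 5000.0, "RS-502"),
    PaymentPacket("PO-1003", "agent3", "FastenCo", "bolt", 5000, 500.0, "RS-503"),
    PaymentPacket("PO-1004", "agent1", "AC Supply LLC", "housing", 20, 4000.0, "RS-9001"),
]

# The receiving department's own log: slip -> (purchase order, quantity received).
# This is the independent record that control C in question 209 routes to accounts payable.
RECEIVING_LOG = {
    "RS-501": ("PO-1001", 40),
    "RS-502": ("PO-1002", 10),
    "RS-503": ("PO-1003", 5000),
}

# Perpetual inventory postings made by the departments that actually took the goods.
PERPETUAL_QTY = {"housing": 40, "motor": 10, "bolt": 5000}


def packets_without_independent_receipt(packets, receiving_log):
    """Question 209, control C, applied as a detective test.

    Every receiving slip in a payment packet must appear in the receiving
    department's log and agree with the packet on purchase order and quantity.
    Returns the purchase orders whose receiving evidence is not independent.
    """
    flagged = []
    for packet in packets:
        logged = receiving_log.get(packet.slip_id)
        if logged != (packet.po_id, packet.qty):
            flagged.append(packet.po_id)
    return flagged


def reconcile_perpetual_to_ledger(packets, perpetual_qty):
    """Question 207, answer B: quantities paid for (from the packets) versus the
    perpetual record. A fictitious purchase inflates the ledger but never reaches
    the perpetual record, so it surfaces as a difference.

    Returns item -> (ledger_qty, perpetual_qty) for every item that does not agree.
    """
    ledger_qty = defaultdict(int)
    for packet in packets:
        ledger_qty[packet.item] += packet.qty
    differences = {}
    for item in set(ledger_qty) | set(perpetual_qty):
        lgr, perp = ledger_qty.get(item, 0), perpetual_qty.get(item, 0)
        if lgr != perp:
            differences[item] = (lgr, perp)
    return differences


def vendor_concentration(packets):
    """Largest share of each agent's spend going to a single vendor. High
    concentration is a lead for inquiry, not evidence of fraud (question 208, A)."""
    spend = defaultdict(lambda: defaultdict(float))
    for packet in packets:
        spend[packet.agent][packet.vendor] += packet.amount
    return {
        agent: max(by_vendor.values()) / sum(by_vendor.values())
        for agent, by_vendor in spend.items()
    }


if __name__ == "__main__":
    print("No independent receipt:", packets_without_independent_receipt(PACKETS, RECEIVING_LOG))
    print("Ledger vs perpetual differences:", reconcile_perpetual_to_ledger(PACKETS, PERPETUAL_QTY))
    print("Vendor concentration by agent:", vendor_concentration(PACKETS))
```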

210.Analytical procedures:

A.Are considered direct evidence of the assertion being evaluated.

B.Are compelling evidence when they involve recomputation.

C.May provide the best available evidence for the completeness assertion.

D.Are not sufficient by themselves for management assertions but should be used for fraud.

The Answer C is Correct

Analytical relationships provide evidence that related transactions have been recorded.

A.Incorrect. Although relevant, analytical evidence is not direct.

B.Incorrect. Analytical procedures are not recomputations, and they are not compelling evidence.

D.Incorrect. For assertions and accounts of low materiality, analytical evidence is often considered
sufficient.

211.A company makes a practice of investing excess short‐term cash in marketable equity
securities. A reliable test of the valuation of those securities would be a:

A.Comparison of cost data with current market quotations.

B.Confirmation of securities held by the broker.

C.Recalculation of investment carrying value using the equity method.

D.Calculation of premium or discount amortization.

The Answer A is Correct

This procedure would provide the most competent evidence about the value of the marketable equity
securities.

B.Incorrect. This procedure would not provide evidence about value.

C.Incorrect. Marketable equity investments held for the short term are not subject to the equity method
of accounting.

D.Incorrect. There is no amortization of premium or discount on equity investments, only on bonds and
other debt investments held for long‐term purposes.

212.An audit manager is conducting the annual meeting with manufacturing division
management to discuss proposed audit plans and activities for the next year. After some
discussion about the past year’s audit activity at 12 plants in the division, the divisional vice
president agrees that all significant recommendations made by the audit staff refer to key
controls and related operating activities that are correctly described for local management within
the volume of standard operating procedures for the division. The vice president proposes to
transcribe key control activities from the division’s extensive written procedures to a self‐audit
standard operating procedure (SOP) questionnaire. What significance should the audit manager
attach to such SOP questionnaires in relation to the proposed audit schedule for the next year?

A.The SOP questionnaires should improve control adequacy, but the auditors need to verify that
controls are working as documented in the SOP.

B.Adding this control should eliminate significant audit recommendations in the coming year, so the
scope of audit activities can be reduced accordingly.

C.Audit activity can be reduced if the vice president agrees to require internal auditing department
approval on all divisional SOPs.

D.SOP questionnaires must be mailed and controlled by the internal auditing department to be
considered in relation to the proposed audit schedule.

The Answer A is Correct

A specific advantage of an SOP questionnaire is that it can be used by local management to periodically
ensure that employee practices remain current with relevant, valid, and up‐to‐date standard operating
procedures; this improves the overall level of control and the control environment when follow‐up is
included to ensure performance.

B.Incorrect. These SOP questionnaires have no impact on inherent risk, and there is no evidence that
such a control would be effective; there is no basis in fact for reducing the proposed scope.

C.Incorrect. Standard operating procedures, as described, are providing directive controls, which
appear to be adequate; adding internal auditing department approval does not impact the effectiveness
of these controls.

D.Incorrect. Control of SOP questionnaires by the internal auditing department would not affect the
level of evidence obtained in this manner; information obtained via questionnaires must be verified to
be considered objective.

213.Analytical procedures in which current financial statements are compared with budgets or
previous statements are intended primarily to determine:

A.Adequacy of financial statement disclosure.

B.Existence of specific errors or omissions.

C.Overall reasonableness of statement contents.

D.Use of an erroneous cutoff date.

The Answer C is Correct

A determination of overall reasonableness can be made based on analytical procedures.

A.Incorrect. Analytical procedures do not generally provide evidence regarding the adequacy of
disclosure.

B.Incorrect. Analytical procedures do not disclose specific errors or omissions.

D.Incorrect. Analytical procedures will not disclose specific errors of cutoff.

214.Which of the following is true of a horizontal flowchart as compared to a vertical flowchart?

A.It provides more room for written descriptions that parallel the symbols.

B.It brings into sharper focus the assignment of duties and independent checks on performance.

C.It is usually longer.

D.It does not provide as broad a picture at a glance.

The Answer B is Correct

By emphasizing the flow of processing between departments and/or people, a horizontal flowchart
more clearly shows any inappropriate separation of duties and lack of independent checks on
performance.

A.Incorrect. A vertical flowchart is usually designed to provide for written descriptions.

C.Incorrect. It is usually shorter because space for written descriptions is not provided.

D.Incorrect. More of the flow of processing can be depicted on one page than in a vertical flowchart
with written descriptions.

215.Of the following, which is the most efficient source for an auditor to use to evaluate a
company's overall control system?

A.Control flowcharts.

B.Copies of standard operating procedures.

C.A narrative describing departmental history, activities, and forms usage.

D.Copies of industry operating standards.

The Answer A is Correct

Control flowcharting provides an efficient and comprehensive method of describing relatively complex
activities, especially those involving several departments.

B.Incorrect. Copies of procedures and related forms do not provide an efficient method of reviewing
the processing activities.

C.Incorrect. A narrative review covering the history and form usage of the department is not as
efficient or comprehensive as flowcharting for communicating relevant information about controls.

D.Incorrect. Industry standards do not provide a picture of existing practice for subsequent audit
activity.

216.Which of the following tools would best give a graphical representation of a sequence of
activities and decisions?

A.Flowchart.

B.Control chart.

C.Histogram.

D.Run chart.

The Answer A is Correct

The definition of a flowchart is that it is a graphical representation of a sequence of activities and
decisions.

B.Incorrect. A control chart is used to monitor actual versus desired quality measurements during
repetitive operations.

C.Incorrect. A histogram is a bar chart showing conformance to a standard bell curve.

D.Incorrect. A run chart tracks the frequency or amount of a given variable over time.

217.Of the techniques available to an auditor, which is the most valuable in providing a summary
outline and overall description of the process of transactions in an information system?

A.Flowcharts.

B.Transaction retrievals.

C.Test decks.

D.Software code comparisons.

The Answer A is Correct

A flowchart is most valuable in providing a summary outline and description of transaction flows.

B.Incorrect. Transaction retrievals are used to select items for testing and review.

C.Incorrect. Test decks are used to verify processing accuracy.

D.Incorrect. Software code comparisons are used to validate that programs in production correspond to
an authorized copy of the software.

218.An auditor reviews and adapts a systems flowchart to understand the flow of information in
the processing of cash receipts. Which of the following statements is true regarding the use of
such flowcharts? The flowcharts:

A.Show specific control procedures used, such as edit tests that are implemented and batch control
reconciliations.

B.Are good guides to potential segregation of duties.

C.Are generally kept up to date for systems changes.

D.Show only computer processing, not manual processing.

The Answer B is Correct

Systems flowcharts show segregation of duties and the transfer of data between different segments in
the organization.

A.Incorrect. The systems flowchart shows the overall flow but would not identify the specific edit tests
implemented. Those would be found in a programming flowchart.

C.Incorrect. Flowcharts generally are not kept up to date for changes. Therefore, the auditor will have
to interview key personnel to determine changes in processing since the flowchart was developed.

D.Incorrect. A systems flowchart should show both manual processing and computer processing.

219.In documenting the procedures used by several interacting departments, the internal auditor
will most likely use:

A.A horizontal (or systems) flowchart.

B.A vertical flowchart.

C.A Gantt chart.

D.An internal control questionnaire.

The Answer A is Correct

A horizontal flowchart highlights the interaction between departments.

B.Incorrect. This does not highlight the interaction of departments.

C.Incorrect. A Gantt chart is not a procedure-oriented documentation tool.

D.Incorrect. This does not highlight the interaction of departments.

220.Which method of evaluating internal controls during the preliminary review provides the
auditor with the best visual grasp of a system and a means for analyzing complex operations?

A.A flowcharting approach.

B.A questionnaire approach.

C.A matrix approach.

D.A detailed narrative approach.

The Answer A is Correct

A flowchart provides a visual grasp of the system and a means of analysis that cannot be achieved by
other methods.

B.Incorrect. A questionnaire approach provides only an agenda for evaluation.

C.Incorrect. A matrix approach does not provide the visual grasp of the system that a flowchart does.

D.Incorrect. A detailed narrative does not provide the means of evaluating complex operations that a
flowchart does.

221.An operational audit is being performed to evaluate the productivity of telephone sales
representatives relative to last year. The organization sells two similar products, one of which is
priced 20% higher than the other. Prices did not change during the two years subject to the audit,
and the gross profit percentage is the same for both products. The sales representatives are paid
a base salary plus a commission. Which one of the following items represents the best evidence
that the organization's sales representatives are more productive this year than last year?

A.The revenue per representative is higher this year than last year.

B.The number of sales calls is higher this year than last year.

C.The ratio of the number of new customers to the number of prospects contacted is higher this year
than last year.

D.Unit sales increased at a higher rate this year than last year.

The Answer A is Correct

Revenue per representative measures productivity because it relates an output to input.

B.Incorrect. The number of sales calls does not measure output.

C.Incorrect. The higher ratio could be achieved even if unit sales, revenue, and gross profit declined
and the number of sales representatives increased.

D.Incorrect. The unit sales increase could be achieved by an uneconomic addition of sales
representatives and would not necessarily result in higher revenue.

222.Data gathered in support of an audit conclusion can be rated on a continuum of reliability.
The most reliable form of evidence would be an:

A.Internal document obtained from the auditee.

B.External document obtained directly from an outside source.

C.Internal document subject to rigorous internal review procedures.

D.Internal document that has been circulated through an outside party.

The Answer B is Correct

The auditee cannot alter an external document obtained directly from its source.

A.Incorrect. The auditee may alter internal documents.

C.Incorrect. The auditee may alter internal documents, even if internal control procedures are followed.

D.Incorrect. Circulation through an outside party does not mean the document is correct, unless it is
received directly by the auditor.

223.Checklists used to assess audit risk have been criticized for all of the following reasons
except:

A.Providing a false sense of security that all relevant factors are addressed.

B.Inappropriately implying equal weight to each item on the checklist.

C.Decreasing the uniformity of data acquisition.

D.Being incapable of translating the experience or sound reasoning intended to be captured by each
item on the checklist.

The Answer C is Correct

Checklists increase the uniformity of data acquisition.

A.Incorrect. This is a criticism of checklists.

B.Incorrect. This is a criticism of checklists.

D.Incorrect. This is a criticism of checklists.

224.The purchasing manager of a manufacturing company was concerned with the rising prices
of some direct materials provided by a supplier. The purchasing manager told the supplier either
to maintain the current prices or withdraw as a supplier for the company’s direct materials. The
supplier devised a plan to circumvent the purchasing manager’s intent without actually violating
the purchasing manager’s mandate. Which one of the following is the probable action taken by
the supplier?

A.The supplier maintained prices in the short run but later returned to a pattern of increasing prices.

B.The supplier decided to stop providing the direct materials to the manufacturing company, since
holding the line on prices would have a negative impact.

C.The supplier maintained prices but substituted a lower grade of direct materials.

D.The supplier worked through the president of the manufacturing company to force the purchasing
manager to cancel the mandate.

The Answer C is Correct

This would permit the supplier to increase profit without actually raising the price.

A.Incorrect. This is a violation of the purchasing manager’s mandate.

B.Incorrect. This is not a way to circumvent the purchasing manager’s mandate. It follows the choices
enumerated by the purchasing manager.

D.Incorrect. This action does not provide enough information to determine if the supplier violated the
purchasing manager’s mandate.

225.The internal auditing department has just completed an audit of loan processing and
commercial loan account balances for a financial institution. Following are a few excerpts from
their working papers indicating potential audit findings:

A. We took a statistical sample of 100 loan applications and determined that only 85 loans were
granted.

B. Of the 85 loans granted, we noted that four loans should have been reviewed and approved
by the loan committee but were not. Company policy states that the committee, prior to
funding, must approve all loans. The vice president, however, approved each of the four
loans. The matter was discussed with the vice president, who indicated it was a competitive
loan situation to a new customer and in the best interests of the financial institution to
expedite the loan and establish a firm relationship with a growing customer. The loan
committee formally approved all of the other loans.

C. Of the 81 loans approved by the loan committee, we found seven where the actual amount
loaned exceeded the approved amount.

D. We noted three instances in which loans were made to related groups of companies without
an analysis of the total amount of loans made to the controlling entity. There may be
statutory limitations on the amount of loans that can be made to any individual controlling
organization.

E. Of the 81 loans approved by the loan committee, we found that 14 either contained
insufficient documentation or were not received by the committee in a timely fashion in
advance of its meeting.

The statistical sample was taken with a 95% confidence level using attribute sampling with a
tolerable error limit of 4%. You may assume that the sampling plan was implemented correctly.

Regarding item A only, which of the following audit conclusions is justified?

I. There is a 15% deviation rate in total loans processed.

II. There is a problem in processing that should be followed up by the auditor to determine
why 15 of the loans may have been lost.

III. The loans that have been made comply with company procedures while the loans that were
not made do not.

IV. None of the above.

A.I.

B.II.

C.III.

D.IV.

The Answer D is Correct

From the information given, none of the conclusions above is correct.

A.Incorrect. The deviation rate applies to errors that were noted in the sample. The 15 items on which
loans were not made are not necessarily errors.

B.Incorrect. There is no evidence that there is a problem with the processing.

C.Incorrect. There is no evidence that the loans made (or not made) comply with company procedures.

226.The internal auditing department has just completed an audit of loan processing and
commercial loan account balances for a financial institution. Following are a few excerpts from
their working papers indicating potential audit findings:

A. We took a statistical sample of 100 loan applications and determined that only 85 loans were
granted.

B. Of the 85 loans granted, we noted that four loans should have been reviewed and approved
by the loan committee but were not. Company policy states that the committee, prior to
funding, must approve all loans. The vice president, however, approved each of the four
loans. The matter was discussed with the vice president, who indicated it was a competitive
loan situation to a new customer and in the best interests of the financial institution to
expedite the loan and establish a firm relationship with a growing customer. The loan
committee formally approved all of the other loans.

C. Of the 81 loans approved by the loan committee, we found seven where the actual amount
loaned exceeded the approved amount.

D. We noted three instances in which loans were made to related groups of companies without
an analysis of the total amount of loans made to the controlling entity. There may be
statutory limitations on the amount of loans that can be made to any individual controlling
organization.

E. Of the 81 loans approved by the loan committee, we found that 14 either contained
insufficient documentation or were not received by the committee in a timely fashion in
advance of its meeting.

The statistical sample was taken with a 95% confidence level using attribute sampling with a
tolerable error limit of 4%. You may assume that the sampling plan was implemented correctly.

Regarding item 2, which of the following would be correct?

I. The sample deviation rate exceeds 4%.

II. The auditor should examine the nature of the loans approved by the vice president to see if
there is a pattern.

III. The audit finding should be included in the auditor's report with a suggestion that the loan
committee review the loans.

A.II only.

B.II and III only.

C.III only.

D.I, II, and III.

The Answer D is Correct

This is the most comprehensive answer. All of the actions are appropriate.

A.Incorrect. The deviation rate is greater than 4% (4/85).

B.Incorrect. The auditor should examine the nature of the loans.

C.Incorrect. The item should be reported in the auditor's report.
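
The explanation above rests on the sample deviation rate for item B (4 of 85, which exceeds the 4% tolerable rate). The Python below is an added illustration, not part of the question bank, and goes one step beyond the page: besides the sample rate it computes the achieved upper deviation limit at the stated 95% confidence from the exact binomial distribution rather than from a published attribute-sampling table, so the reader can see how far the population rate could plausibly lie above 4/85.

```python
"""Attribute-sampling evaluation for the loan-approval findings in questions 225-227.

Added illustration, not part of the original question bank. The page compares the
sample deviation rate (4/85) with the 4% tolerable rate; the upper deviation limit
below is computed from the binomial distribution instead of read from a table.
"""
from math import comb


def sample_deviation_rate(deviations, sample_size):
    """Observed deviation rate in the sample (item B: 4 of 85 funded loans)."""
    return deviations / sample_size


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), summed term by term."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(deviations, sample_size, confidence=0.95, tol=1e-7):
    """Achieved upper deviation limit: the smallest population deviation rate p at
    which observing no more than `deviations` in `sample_size` items is at most
    (1 - confidence) likely. P(X <= k) falls as p rises, so bisection on p works."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if binomial_cdf(deviations, sample_size, mid) > alpha:
            lo = mid  # this few deviations is still too likely: the limit lies above mid
        else:
            hi = mid
    return hi


def evaluate_attribute_sample(deviations, sample_size, tolerable_rate, confidence=0.95):
    """Summarise an attribute sample the way an auditor would record the result."""
    rate = sample_deviation_rate(deviations, sample_size)
    udl = upper_deviation_limit(deviations, sample_size, confidence)
    return {
        "sample_rate": rate,
        "upper_limit": udl,
        "exceeds_tolerable": rate > tolerable_rate,
        # The control is supported only when even the upper limit stays within tolerance.
        "control_supported": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    # Item B: 4 of the 85 funded loans bypassed the loan committee.
    print("Item B:", evaluate_attribute_sample(4, 85, 0.04))
    # Item C: 7 of the 81 committee-approved loans exceeded the approved amount.
    print("Item C:", evaluate_attribute_sample(7, 81, 0.04))
    # With zero deviations the upper limit for 85 items falls below 4%, so a sample
    # of that size can in principle support the control at 95% confidence.
    print("Zero deviations in 85:", upper_deviation_limit(0, 85))
```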

227.The internal auditing department has just completed an audit of loan processing and
commercial loan account balances for a financial institution. Following are a few excerpts from
their working papers indicating potential audit findings:

A. We took a statistical sample of 100 loan applications and determined that only 85 loans were
granted.

B. Of the 85 loans granted, we noted that four loans should have been reviewed and approved
by the loan committee but were not. Company policy states that the committee, prior to
funding, must approve all loans. The vice president, however, approved each of the four
loans. The matter was discussed with the vice president, who indicated it was a competitive
loan situation to a new customer and in the best interests of the financial institution to
expedite the loan and establish a firm relationship with a growing customer. The loan
committee formally approved all of the other loans.

C. Of the 81 loans approved by the loan committee, we found seven where the actual amount
loaned exceeded the approved amount.

D. We noted three instances in which loans were made to related groups of companies without
an analysis of the total amount of loans made to the controlling entity. There may be
statutory limitations on the amount of loans that can be made to any individual controlling
organization.

E. Of the 81 loans approved by the loan committee, we found that 14 either contained
insufficient documentation or were not received by the committee in a timely fashion in
advance of its meeting.

The statistical sample was taken with a 95% confidence level using attribute sampling with a
tolerable error limit of 4%. You may assume that the sampling plan was implemented correctly.

Assume that, with regard to item B, the vice president asks the loan committee to review the
loans on an after-the-fact basis. Assume further that, upon this subsequent review, the loan
committee approves the loans on the after-the-fact basis. Which of the following conclusions
would be correct regarding the reporting of the audit finding in the auditor's report?

I. The sample deviation rate would drop to 0%.

II. The item should still be reported in the audit report because it was not approved in a timely
manner in accordance with company policies.

III. The item should be reported as a nondeviation because subsequent action validated the vice
president's approach.

A.I only.

B.II only.

C.III only.

D.I, II, and III.

The Answer B is Correct

The loans were not approved in a timely fashion prior to funding according to company policies and
procedures. Therefore, the item should be reported as a deviation, and the auditor should note that the
loan committee subsequently reviewed the loans.

A.Incorrect. The loan was not approved in accordance with company policies; therefore, the four items
are still deviations, and the rate would not drop to zero.

C.Incorrect. The loans were not processed in accordance with company policy and therefore represent
deviations.

D.Incorrect. Refer to the correct answer.

228.The internal auditing department has just completed an audit of loan processing and
commercial loan account balances for a financial institution. Following are a few excerpts from
their working papers indicating potential audit findings:

A. We took a statistical sample of 100 loan applications and determined that only 85 loans were
granted.

B. Of the 85 loans granted, we noted that four loans should have been reviewed and approved
by the loan committee but were not. Company policy states that the committee, prior to
funding, must approve all loans. The vice president, however, approved each of the four
loans. The matter was discussed with the vice president, who indicated it was a competitive
loan situation to a new customer and in the best interests of the financial institution to
expedite the loan and establish a firm relationship with a growing customer. The loan
committee formally approved all of the other loans.

C. Of the 81 loans approved by the loan committee, we found seven where the actual amount
loaned exceeded the approved amount.

D. We noted three instances in which loans were made to related groups of companies without
an analysis of the total amount of loans made to the controlling entity. There may be
statutory limitations on the amount of loans that can be made to any individual controlling
organization.

E. Of the 81 loans approved by the loan committee, we found that 14 either contained
insufficient documentation or were not received by the committee in a timely fashion in
advance of its meeting.

The statistical sample was taken with a 95% confidence level using attribute sampling with a
tolerable error limit of 4%. You may assume that the sampling plan was implemented correctly.

Regarding item C, which of the following actions would be inappropriate on the part of the
auditor?

A.Examine the loans to determine if there is a pattern of the loans to companies. Summarize amounts
and include in the audit report.

B.Report the amounts to the loan committee, and leave it up to the committee to correct. Take no
further follow-up action at this time, and do not include the items in the audit report.

C.Follow up with the vice president and include the vice president's acknowledgment of the situation in
the audit report.

D.Determine amount of differences and make an assessment as to whether the dollar differences are
material. If the amounts are not material, not in violation of government regulations, and can be
rationally explained, omit the finding from the audit report.

The Answer B is Correct

This is the least appropriate response per the IIA Standards.

A.Incorrect. This is an appropriate follow-up action. The auditor should attempt to determine the
causes of audit findings and, where appropriate, include them in the audit report.

C.Incorrect. This is an appropriate follow-up step to determine the cause of the audit finding.

D.Incorrect. The action is appropriate as long as the auditor has concluded that the amounts are clearly
not material and not in violation of governmental regulations and that a rationale for the deviations
exists.

229.The internal auditing department has just completed an audit of loan processing and
commercial loan account balances for a financial institution. Following are a few excerpts from
their working papers indicating potential audit findings:

A. We took a statistical sample of 100 loan applications and determined that only 85 loans were
granted.

B. Of the 85 loans granted, we noted that four loans should have been reviewed and approved
by the loan committee but were not. Company policy states that the committee, prior to
funding, must approve all loans. The vice president, however, approved each of the four
loans. The matter was discussed with the vice president, who indicated it was a competitive
loan situation to a new customer and in the best interests of the financial institution to
expedite the loan and establish a firm relationship with a growing customer. The loan
committee formally approved all of the other loans.

C. Of the 81 loans approved by the loan committee, we found seven where the actual amount
loaned exceeded the approved amount.

D. We noted three instances in which loans were made to related groups of companies without
an analysis of the total amount of loans made to the controlling entity. There may be
statutory limitations on the amount of loans that can be made to any individual controlling
organization.

E. Of the 81 loans approved by the loan committee, we found that 14 either contained
insufficient documentation or were not received by the committee in a timely fashion in
advance of its meeting.

The statistical sample was taken with a 95% confidence level using attribute sampling with a
tolerable error limit of 4%. You may assume that the sampling plan was implemented correctly.

Regarding item D, which of the following would be correct?

I. The deviation rate is under 4%; therefore, the finding need not be reported to management and the
audit committee.

II. The auditor should review appropriate regulations and possibly get legal counsel opinion on the
finding prior to including the finding in the final audit report.

III. The auditor should report the finding to the vice president who approved the loans and ask for a
follow-up report during the audit scheduled next year. No further action need be taken at this
time.

IV. The auditor should review a plan by the loan committee to prevent such occurrences in the future,
and include a summary and analysis of the plan in the final audit report.

A.I only.

B.III only.

C.II and IV.

D.II only.

The Answer C is Correct

Both II and IV are appropriate. The auditor should independently determine the significance of the
finding and should consult outside legal services if deemed appropriate. It would also be appropriate to
review plans taken by the loan committee and include that analysis in the audit report.

A.Incorrect. Item D represents a violation of good business practice and, statistics notwithstanding,
therefore should be reported. The need to include an item in an audit report is based on the significance
of the finding, not just the tolerable error rate. Further, the upper error rate (although not computed here)
would be higher than the tolerable error rate.

B.Incorrect. This would not be appropriate because it may represent significant violations of both
federal regulations and company policy. Waiting a full year for follow-up action without reaching a
conclusion on the seriousness of the problem would not be appropriate.

D.Incorrect. Item IV is also an appropriate response.

230.The internal auditing department has just completed an audit of loan processing and
commercial loan account balances for a financial institution. Following are a few excerpts from
their working papers indicating potential audit findings:

A. We took a statistical sample of 100 loan applications and determined that only 85 loans were
granted.

B. Of the 85 loans granted, we noted that four loans should have been reviewed and approved by
the loan committee but were not. Company policy states that the committee, prior to funding,
must approve all loans. The vice president, however, approved each of the four loans. The matter
was discussed with the vice president, who indicated it was a competitive loan situation to a new
customer and in the best interests of the financial institution to expedite the loan and establish a
firm relationship with a growing customer. The loan committee formally approved all of the
other loans.

C. Of the 81 loans approved by the loan committee, we found seven where the actual amount
loaned exceeded the approved amount.

D. We noted three instances in which loans were made to related groups of companies without an
analysis of the total amount of loans made to the controlling entity. There may be statutory
limitations on the amount of loans that can be made to any individual controlling organization.

E. Of the 81 loans approved by the loan committee, we found that 14 either contained insufficient
documentation or were not received by the committee in a timely fashion in advance of its
meeting.

The statistical sample was taken with a 95% confidence level using attribute sampling with a
tolerable error limit of 4%. You may assume that the sampling plan was implemented correctly.

Regarding item E, which of the following conclusions/audit actions is appropriate?

I. There is no audit finding since the loan committee approved all of the loans.

II. Before issuing a final audit report, the auditor should investigate to determine the reasons
for the lack of documentation and timely submittal to the loan committee and include that
analysis in the report.

III. The auditor should include the audit findings in the report only if the auditor is able to
determine the cause of the findings.

IV. All of the above

A.I.

B.II.

C.III.

D.IV.

The Answer B is Correct

The auditor should attempt to determine the cause of the deficiencies and include constructive
suggestions in the audit report. See Section 430 of the IIA Standards.

A.Incorrect. Even though the loan committee approved the loans, the procedure was not conducted in
accordance with company policies.

C.Incorrect. The findings should be included in an audit report with a recommendation that
management perform follow-up to determine the causes of the deviations and take corrective action.

D.Incorrect. Refer to the correct answer.

231.Which of the following documents would provide the best evidence that a purchase
transaction actually has occurred?

A.Canceled check issued in payment of the procured goods

B.Ordering department’s original requisition for the goods

C.Receiving memorandum documenting the receipt of the goods

D.Supplier’s invoice for the procured goods

The Answer C is Correct

The receiving memorandum indicates that the goods were received; therefore, a purchase transaction
has occurred.

A.Incorrect. The canceled check indicates that the goods have been paid for, not received.

B.Incorrect. The requisition, with the supervisor’s signature, indicates that the ordering of the goods was
authorized, not that the goods were received.

D.Incorrect. The invoice indicates the goods have been billed but provides no evidence as to their
receipt.

232.The internal auditor of a financial institution is performing an audit of the real estate loans
portfolio. The auditor wants to test the basic assertions on the existence and valuation of the
loans and to determine that the loans do not exceed the bank's policy that loans to any single
entity do not exceed 8% of the total loan portfolio. The auditor wants to be 95% confident in the
test results. Consequently, the auditor took a judgment sample of 100, which included the 20
largest account balances and selected others. The auditor was aware that some of the account
balances were controlled by common holding corporations but did not feel the need to combine
the accounts since they were all listed as separate accounts in the bank's computer files and
represented different real estate developments with separate legal entities. The auditor sent
confirmations to the 100 entities and received the following results:

82 of the 100 returned the positive confirmations and reported no exceptions; 53 did so in
response to a first inquiry; 25 responded to a second request; and the remaining four responded
after management called the customer and asked them to respond.

Of the remaining 18 accounts, the auditor found the following:

A. For seven accounts, customers returned confirmations showing differences in either the
terms of the loan or a disagreement on the amount outstanding. Most were minor, but one
customer reported that the account had a zero balance. Upon subsequent investigation, it
was found the cash payment had been recorded to a commercial account with the same
company. The bank agreed to adjust the loan balances to the amounts confirmed; therefore,
the auditor concluded there were no differences on the account balances.

B. For five accounts, the auditor traced the loan balance to a signed loan contract, a check
disbursing the funds, and examined a payment subsequent to year-end.

C. For two accounts, the auditor examined payments made on the account in the subsequent
period and verified it was for the correct balance.

D. For the remaining four accounts, there were no payments, but the auditor examined the
bank's internal file, which showed a signed contract and a loan application signed by the
customer.

The auditor was satisfied that all 100 account balances had been accounted for and, with the
possible exception of the last four, was confident in the correct balances. The auditor reasoned
that there was positive assurance that 96 out of 100 were correct and some assurance that the
other four were correct because of a valid loan application and contract. The auditor concluded
that the 95% confidence level had been achieved. The auditor also noted that none of the 100
account balances exceeded 8% of the real estate loan portfolio.

Which of the following would constitute an error on the part of the auditor in interpreting the
data and drawing a conclusion?

I. Concluding that the 95% confidence level had been achieved

II. Concluding there were no significant differences in the account balances because most of the
differences on the returned items were minor and the bank agreed to change them

III. Concluding that the five account balances described in item B represented valid account
balances and were appropriately recorded

A.I and II.

B.I and III.

C.II and III.

D.I, II, and III.

The Answer A is Correct

The conclusion about 95% confidence level is unjustified because the statistical parameters of the
account balance are not known. Further, it is incorrect to assume that no material differences exist in
the account balance just because the bank agreed to adjust the account balances to the errors found.
Note that the question is asking for errors in drawing conclusions.

B.Incorrect. It mixes both valid conclusion (item III) and invalid conclusion (item I).

C.Incorrect. It mixes both valid conclusion (item III) and invalid conclusion (item II). The
auditor has examined both internal and external documentation to reach this conclusion.

D.Incorrect. It mixes both valid conclusion (item III) and invalid conclusions (items I and II).

233.The internal auditor of a financial institution is performing an audit of the real estate loans
portfolio. The auditor wants to test the basic assertions on the existence and valuation of the
loans and to determine that the loans do not exceed the bank's policy that loans to any single
entity do not exceed 8% of the total loan portfolio. The auditor wants to be 95% confident in the
test results. Consequently, the auditor took a judgment sample of 100, which included the 20
largest account balances and selected others. The auditor was aware that some of the account
balances were controlled by common holding corporations but did not feel the need to combine
the accounts since they were all listed as separate accounts in the bank's computer files and
represented different real estate developments with separate legal entities. The auditor sent
confirmations to the 100 entities and received the following results:

82 of the 100 returned the positive confirmations and reported no exceptions; 53 did so in
response to a first inquiry; 25 responded to a second request; and the remaining four
responded after management called the customer and asked them to respond.

Of the remaining 18 accounts, the auditor found the following:

A. For seven accounts, customers returned confirmations showing differences in either the
terms of the loan or a disagreement on the amount outstanding. Most were minor, but one
customer reported that the account had a zero balance. Upon subsequent investigation, it
was found the cash payment had been recorded to a commercial account with the same
company. The bank agreed to adjust the loan balances to the amounts confirmed; therefore,
the auditor concluded there were no differences on the account balances.

B. For five accounts, the auditor traced the loan balance to a signed loan contract, a check
disbursing the funds, and examined a payment subsequent to year-end.

C. For two accounts, the auditor examined payments made on the account in the subsequent
period and verified it was for the correct balance.

D. For the remaining four accounts, there were no payments, but the auditor examined the
bank's internal file, which showed a signed contract and a loan application signed by the
customer.

The auditor was satisfied that all 100 account balances had been accounted for and, with the
possible exception of the last four, was confident in the correct balances. The auditor reasoned
that there was positive assurance that 96 out of 100 were correct and some assurance that the
other four were correct because of a valid loan application and contract. The auditor concluded that
the 95% confidence level had been achieved. The auditor also noted that none of the 100 account
balances exceeded 8% of the real estate loan portfolio.

The auditor often has to evaluate the reliability of data to reach audit conclusions. Consider the
following four sources of audit evidence gathered by the auditor and rank from the most
persuasive to least persuasive:

I. The 25 positive responses received in connection with the second request

II. The four positive responses received in response to a call by management

III. The five accounts tested by alternative means in item B

IV. The seven responses in item A that showed account balance differences

A.III, II, IV, I.

B.I, II, III, IV.

C.II, IV, I, III.

D.I, IV, III, II.

The Answer D is Correct

Items I and IV represent external evidence received directly by the auditor, and both have a high degree
of reliability. Item IV merits further investigation because customers sometimes make mistakes. Item
III is ranked third because it contains a combination of internal evidence (loan contract, payments, etc.)
and external evidence (a current payment for the correct amount on the account balance). Item II is the
least reliable because, although it comes from an outside party, it was derived in direct response to
pressure from management.

A.Incorrect. This is not the right sequence.

B.Incorrect. This is not the right sequence.

C.Incorrect. This is not the right sequence.

234.When an internal auditor is interviewing to gain information, the auditor will not be able to
remember everything that was said in the interview. The most effective way to record interview
information for later use is to:

A.Write notes quickly, trying to write down everything in detail, as it is said; then highlight
important points after the meeting.

B.Tape-record the interview to capture everything that everyone says; then type everything said into
a computer for documentation.

C.Hire a professional secretary to take notes, allowing complete concentration on the interview; then
delete unimportant points after the meeting.

D.Organize notes around topics on the interview plan and note responses in the appropriate area,
reviewing the notes after the meeting to make additions.

The Answer D is Correct

Organizing note taking ahead of time helps you have time during the interview to listen and evaluate
the responses and the reactions of your respondent.

A.Incorrect. Extensive note taking may interfere with your communication with your respondent, since
you cannot maintain eye contact or notice nonverbal cues as well when you are occupied with your
own notes.

B.Incorrect. Tape recording might be used for controversial material but generally will not elicit
positive feelings from your respondent. For most organizational purposes, you will not need exact
quotes, the major benefit of a recording.

C.Incorrect. Aside from cost, this option would not work because of confidentiality and negative
reaction from respondents. This interview is your job, not someone else’s.

235.The internal auditor of a financial institution is performing an audit of the real estate loans
portfolio. The auditor wants to test the basic assertions on the existence and valuation of the
loans and to determine that the loans do not exceed the bank's policy that loans to any single
entity do not exceed 8% of the total loan portfolio. The auditor wants to be 95% confident in the
test results. Consequently, the auditor took a judgment sample of 100, which included the 20
largest account balances and selected others. The auditor was aware that some of the account
balances were controlled by common holding corporations but did not feel the need to combine
the accounts since they were all listed as separate accounts in the bank's computer files and
represented different real estate developments with separate legal entities. The auditor sent
confirmations to the 100 entities and received the following results:

82 of the 100 returned the positive confirmations and reported no exceptions; 53 did so in
response to a first inquiry; 25 responded to a second request; and the remaining four
responded after management called the customer and asked them to respond.

Of the remaining 18 accounts, the auditor found the following:

A. For seven accounts, customers returned confirmations showing differences in either the
terms of the loan or a disagreement on the amount outstanding. Most were minor, but one
customer reported that the account had a zero balance. Upon subsequent investigation, it
was found the cash payment had been recorded to a commercial account with the same
company. The bank agreed to adjust the loan balances to the amounts confirmed; therefore,
the auditor concluded there were no differences on the account balances.

B. For five accounts, the auditor traced the loan balance to a signed loan contract, a check
disbursing the funds, and examined a payment subsequent to year-end.

C. For two accounts, the auditor examined payments made on the account in the subsequent
period and verified it was for the correct balance.

D. For the remaining four accounts, there were no payments, but the auditor examined the
bank's internal file, which showed a signed contract and a loan application signed by the
customer.

The auditor was satisfied that all 100 account balances had been accounted for and, with the
possible exception of the last four, was confident in the correct balances. The auditor reasoned
that there was positive assurance that 96 out of 100 were correct and some assurance that the
other four were correct because of a valid loan application and contract. The auditor concluded
that the 95% confidence level had been achieved. The auditor also noted that none of the 100
account balances exceeded 8% of the real estate loan portfolio.

Assuming the responses obtained from the customers are accurate, which of the following
auditor conclusions is (are) justified by the data?

I. There is no violation of the bank's policy on the total loan balance for a single entity.

II. The portfolio account balance as recorded exists.

III. The portfolio account balance as recorded is properly valued.

A.I only.

B.I and II.

C.II only.

D.I, II, and III.

The Answer C is Correct

Only item II is a justifiable conclusion. The auditor can conclude that the recorded account balance
does exist per the IIA Standard.

A.Incorrect. Item I is not justified because the auditor is aware that a number of loans are made to
holding companies, all controlled by one entity. Until the auditor examines the nature of the holding
companies, no conclusion can be made regarding this assertion.

B.Incorrect. Item I is not justified because the auditor is aware that a number of loans are made to
holding companies, all controlled by one entity. Until the auditor examines the nature of the holding
companies, no conclusion can be made regarding this assertion.

D.Incorrect. Items I and III are not justified. The loans should be valued at net realizable value. The
auditor has gathered information only on the gross amount of the loans receivable.

236.The internal auditor of a financial institution is performing an audit of the real estate loans
portfolio. The auditor wants to test the basic assertions on the existence and valuation of the
loans and to determine that the loans do not exceed the bank's policy that loans to any single
entity do not exceed 8% of the total loan portfolio. The auditor wants to be 95% confident in the
test results. Consequently, the auditor took a judgment sample of 100, which included the 20
largest account balances and selected others. The auditor was aware that some of the account
balances were controlled by common holding corporations but did not feel the need to combine
the accounts since they were all listed as separate accounts in the bank's computer files and
represented different real estate developments with separate legal entities. The auditor sent
confirmations to the 100 entities and received the following results:

82 of the 100 returned the positive confirmations and reported no exceptions; 53 did so in
response to a first inquiry; 25 responded to a second request; and the remaining four
responded after management called the customer and asked them to respond.

Of the remaining 18 accounts, the auditor found the following:

A. For seven accounts, customers returned confirmations showing differences in either the
terms of the loan or a disagreement on the amount outstanding. Most were minor, but one
customer reported that the account had a zero balance. Upon subsequent investigation, it
was found the cash payment had been recorded to a commercial account with the same
company. The bank agreed to adjust the loan balances to the amounts confirmed; therefore,
the auditor concluded there were no differences on the account balances.

B. For five accounts, the auditor traced the loan balance to a signed loan contract, a check
disbursing the funds, and examined a payment subsequent to year-end.

C. For two accounts, the auditor examined payments made on the account in the subsequent
period and verified it was for the correct balance.

D. For the remaining four accounts, there were no payments, but the auditor examined the
bank's internal file, which showed a signed contract and a loan application signed by the
customer.

The auditor was satisfied that all 100 account balances had been accounted for and, with the
possible exception of the last four, was confident in the correct balances. The auditor reasoned
that there was positive assurance that 96 out of 100 were correct and some assurance that the
other four were correct because of a valid loan application and contract. The auditor concluded
that the 95% confidence level had been achieved. The auditor also noted that none of the 100
account balances exceeded 8% of the real estate loan portfolio.

If the auditor had decided to utilize an integrated test facility instead of using confirmations to
test the account balance, the auditor would have gathered evidence to test which of the following
assertions?

I. Existence

II. Valuation

III. The computer program properly accrues interest income

IV. Payments entered into the system are properly matched to account balances by the
computer program

A.III and IV only.

B.I and II only.

C.I and III only.

D.I, II, III, and IV.

The Answer A is Correct

An integrated test facility (ITF) provides assurance about the correctness of processing of the computer
portion of the application only. It does not provide evidence on existence and valuation. To do so, there
must be complementary audit procedures to see that all loans are initially entered into the computer
application.

B.Incorrect. The ITF does not provide evidence on existence and valuation. To do so, there must be
complementary audit procedures to see that all loans are initially entered into the computer application.

C.Incorrect. Item IV is addressed but not item I.

D.Incorrect. Items I and II are not addressed.

237.The internal auditor of a financial institution is performing an audit of the real estate loans
portfolio. The auditor wants to test the basic assertions on the existence and valuation of the
loans and to determine that the loans do not exceed the bank's policy that loans to any single
entity do not exceed 8% of the total loan portfolio. The auditor wants to be 95% confident in the
test results. Consequently, the auditor took a judgment sample of 100, which included the 20
largest account balances and selected others. The auditor was aware that some of the account
balances were controlled by common holding corporations but did not feel the need to combine
the accounts since they were all listed as separate accounts in the bank's computer files and
represented different real estate developments with separate legal entities. The auditor sent
confirmations to the 100 entities and received the following results:

82 of the 100 returned the positive confirmations and reported no exceptions; 53 did so in
response to a first inquiry; 25 responded to a second request; and the remaining four
responded after management called the customer and asked them to respond.

Of the remaining 18 accounts, the auditor found the following:

E. For seven accounts, customers returned confirmations showing differences in either the
terms of the loan or a disagreement on the amount outstanding. Most were minor, but one
customer reported that the account had a zero balance. Upon subsequent investigation, it
was found the cash payment had been recorded to a commercial account with the same
company. The bank agreed to adjust the loan balances to the amounts confirmed; therefore,
the auditor concluded there were no differences on the account balances.

F. For five accounts, the auditor traced the loan balance to a signed loan contract, a check
disbursing the funds, and examined a payment subsequent to year-end.

G. For two accounts, the auditor examined payments made on the account in the subsequent
period and verified it was for the correct balance.

H. For the remaining four accounts, there were no payments, but the auditor examined the
bank's internal file, which showed a signed contract and a loan application signed by the
customer.

The auditor was satisfied that all 100 account balances had been accounted for and, with the
possible exception of the last four, was confident in the correct balances. The auditor reasoned
that there was positive assurance that 96 out of 100 were correct and some assurance that the
other four were correct because of a valid loan application and contract. The auditor concluded
that the 95% confidence level had been achieved. The auditor also noted that none of the 100
account balances exceeded 8% of the real estate loan portfolio.

The auditor decides to expand the audit tests to gather more information about the collectibility
and cash realization of the account balances. As a first step, the auditor wants to understand
more about the procedures used by the organization to deal with collectibility and the ultimate
cash realization of the account balances. Which of the following techniques would be the least
effective in gathering the information?

A.Develop a questionnaire and administer to appropriate personnel.

B.Obtain a systems flowchart describing the processing of normal loan transactions.

C.Make inquiries of the credit department on criteria used and evidence gathered to support loan
write-offs. Document it in a narrative.

D.Interview the credit department and develop a flowchart of the key decisions made regarding
collectibility of account balances.

The Answer B is Correct

This would be the least effective audit procedure. There are two problems with it: (1) It deals with
normal processing of account transactions, not with potential write-off or extra collection efforts on the
accounts; and (2) there is always the danger that the flowcharts may be out of date per the IIA
Standards.

A.Incorrect. The auditor can custom design a questionnaire to gather key information on the processes
used in evaluating collectibility and the individuals responsible for actions.

C.Incorrect. Inquiries would be an effective procedure and could easily be documented in a narrative.

D.Incorrect. A flowchart of key decisions and flow of information regarding collectibility might be
useful. Flowcharts need not be limited to the ordinary processing of transactions.

238.The auditor wants to understand the actual flow of data regarding cash processing. The most
convincing evidence would be obtained by:

A.Reviewing the systems flowchart.

B.Performing a walk‐through of the processing and obtaining copies of all documents used.

C.Reviewing the programming flowchart for evidence of control procedures placed into the computer
programs.

D.Interviewing the treasurer.

The Answer B is Correct

This is the most persuasive evidence because the auditor reviews actual documents and finds out what
personnel actually do with the documents.

A.Incorrect. This is less persuasive because the systems flowchart might not indicate how processing
may have evolved over time.

C.Incorrect. The program flowchart shows only the computer program portion of the application.

D.Incorrect. The manager may not know how the specific clerical processing may have changed.
Further, the manager may be biased in presenting a picture of processing that might not reflect actual
processing.

239.The following are potential sources of evidence regarding the effectiveness of the division's
total quality management (TQM) program. Assume that all comparisons are for similar time
periods and duration and that current items are compared with similar items before the
implementation of the TQM program. The least persuasive evidence would be a comparison of:

A.Employee morale over the two time periods.

B.Scrap and rework costs over the two time periods.

C.Customer returns over the two time periods.

D.Manufacturing and distribution costs per unit over the two time periods.

The Answer A is Correct

Employee morale is important and often is a side benefit of TQM programs. However, employee
morale is not a sufficient reason to implement TQM; there should be some evidence of greater
customer satisfaction or reduced costs.

B.Incorrect. Reduction in scrap should be one of the outcomes as TQM is implemented.

C.Incorrect. TQM should lead to product quality improvements resulting in a lower level of customer
returns.

D.Incorrect. TQM is supposed to reduce costs.

240.The auditor is concerned with the overall valuation of inventory. Rank the following sources
of audit evidence from most persuasive to least persuasive in addressing the assertion as to the
valuation of inventory.

I. Calculate inventory turnover by individual product.

II. Assess the net realizability of all inventory items with a turnover ratio of 2.0 or less by
interviewing the marketing manager as to the marketability of the product.

III. Calculate the net realizable value (NRV) of all inventory products (using audit software to
calculate NRV based on the last selling price) and compare NRV with cost.

IV. Take a statistical sample of inventory and examine the latest purchase documents (invoices
and receiving slips) to calculate inventory cost.

A.I, II, III, IV.

B.I, IV, II, III.

C.IV, I, III, II.

D.II, III, IV, I.

The Answer C is Correct

Item IV is the most persuasive because it uses an external source. Inventory should be valued at
the lower of cost or market, so it is important to begin by establishing cost. Item I, a change in
inventory turnover or a very low level of inventory turnover, indicates potential obsolescence of
inventory; the auditor should investigate further, for example, by looking at subsequent sales to
determine whether inventory should be written down. Item III, calculation of net realizable value, is
a good indication of a lower of cost or market problem. The only difficulty with this procedure is
that the auditor needs to make sure that the sales prices used in the calculation are for sufficient
amounts to support the conclusion about existing inventory quantities. Item II is useful, but it is a
form of testimonial evidence from an individual who may have a biased, or vested, interest in
persuading the auditor that the goods will be sold at their normal prices in the normal course of
business. In addition, the arbitrary cutoff value of 2.0 may not be justified; the cutoff should be
based on the nature of the client's inventory.

A.Incorrect. This is not the right sequence.

B.Incorrect. This is not the right sequence.

D.Incorrect. This is not the right sequence.

241.The auditor wishes to test the assertion that all claims paid by a medical insurance company
contain proper authorization and documentation, including but not limited to the validity of the
claim from an approved physician and an indication that the claim complies with the claimant’s
policy. The most appropriate audit procedure would be to:

A.Select a random statistical sample of all policyholders and examine all claims for the sampled items
during the year to determine if they were handled properly.

B.Select a sample of claims filed and trace to documentary evidence of authorization and other
supporting documentation.

C.Select a sample of claims denied and determine that all claims denied were appropriate. The claims
denied file is much smaller, and the auditor can obtain greater coverage with the sample size.

D.Select a sample of paid claims from the claims (cash) disbursement file and trace to documentary
evidence of authorization and other supporting documentation.

The Answer D is Correct

The auditor is interested in whether the actual claims paid are properly supported. The most appropriate
population from which to sample is the claims‐paid file.

A.Incorrect. Sampling from a population of policyholders would be very inefficient for the audit
assertion, as many policyholders may not have any activity during the year.

B.Incorrect. A sample of claims filed does provide evidence on the overall processing of claims and
thus provides some evidence related to the assertion. However, given the assertion, this is not as
efficient as it does not deal with paid claims.

C.Incorrect. The claims-denied file provides evidence on the claims denied, but the auditor cannot
conclude that all claims that were not denied should have been paid.

242.An auditor of a public company has the following information available to write a
memorandum on the progress of developing new audit software for accounts receivable: The
programmers who were to start on the sampling software last week will not be able to start until
next week. The programmers want to spend $5,000 for a commercially available software
package. The $5,000 for the software is not in the budget. By using the software, the
programmers expect to complete their work on schedule. Programming costs will be reduced by
$12,500 if the programmers can use the purchased software. The programming of the sampling
techniques is expected to be completed one week early. The overall project is expected to be
completed on time. Except for the software package and the programming costs, the project is on
budget.

The most important message for the auditor to convey to senior management is:

A.The development of the new audit software is behind schedule.

B.The programmers want to buy new software that costs $5,000.

C.The project is expected to be completed on time and within budget.

D.The programming of the sampling techniques will be completed one week early.

The Answer C is Correct

The reader, given this information, may not need to know any of the other details.

A.Incorrect. Although the reader needs to know this negative information, emphasizing it will make the
reader unduly concerned about the progress of the project.

B.Incorrect. This news, which may require approval of the reader, is otherwise relatively unimportant.

D.Incorrect. The information is relatively unimportant.

243.An auditor of a public company has the following information available to write a
memorandum on the progress of developing new audit software for accounts receivable: The
programmers who were to start on the sampling software last week will not be able to start until
next week. The programmers want to spend $5,000 for a commercially available software
package. The $5,000 for the software is not in the budget. By using the software, the
programmers expect to complete their work on schedule. Programming costs will be reduced by
$12,500 if the programmers can use the purchased software. The programming of the sampling
techniques is expected to be completed one week early. The overall project is expected to be
completed on time. Except for the software package and the programming costs, the project is on
budget.

To emphasize information in a memorandum, it is best to place the information:

A.In the middle of the memorandum and use passive voice.

B.In the middle of the memorandum and use active voice.

C.At the beginning of the memorandum and use passive voice.

D.At the beginning of the memorandum and use active voice.

The Answer D is Correct

Both initial placement and active voice are strong ways to emphasize information.

A.Incorrect. Both middle placement and passive voice subordinate information.

B.Incorrect. Middle placement subordinates information.

C.Incorrect. Passive voice subordinates information.

244.An auditor of a public company has the following information available to write a
memorandum on the progress of developing new audit software for accounts receivable: The
programmers who were to start on the sampling software last week will not be able to start until
next week. The programmers want to spend $5,000 for a commercially available software
package. The $5,000 for the software is not in the budget. By using the software, the
programmers expect to complete their work on schedule. Programming costs will be reduced by
$12,500 if the programmers can use the purchased software. The programming of the sampling
techniques is expected to be completed one week early. The overall project is expected to be
completed on time. Except for the software package and the programming costs, the project is on
budget.

Regarding the unbudgeted $5,000 for the purchase of a software package, the auditor should:

A.Disclose it with the $12,500 reduction in programming costs to show the complete picture.

B.Leave it out of the report because it is irrelevant.

C.Emphasize it because it is outside the budget.

D.Leave it out of the report to avoid criticism.

The Answer A is Correct

This gives the reader a context in which to understand both the magnitude of the request and the reason
for it.

B.Incorrect. An unbudgeted expenditure is relevant.

C.Incorrect. The expenditure is not important enough, by itself, to emphasize.

D.Incorrect. Omitting negative information from a report will not avoid criticism when the reader finds
out that the writer is hiding things.

245.As part of the test of the effectiveness of a disaster recovery plan, the auditor plans to
interview five employees from each of five different departments (25 employees in all). After the
first few interviews, what would be the best way for the auditor to remain attentive during the
remaining interviews?

A.Make up completely different questions to stay interested.

B.Ask the questions in a slightly different format and in a different sequence.

C.Have the rest of the employees write down their responses.

D.Interview the remaining employees in groups of four or five.

The Answer B is Correct

Changing the wording of the questions and the sequence in which they are asked may eliminate some
of the tedium associated with a series of interviews and may also allow the auditor to refine the
technique during the process.

A.Incorrect. The results of the auditor’s test depend on comparing responses to the same questions.

C.Incorrect. Written responses to questions are often very different from verbal responses, and the
interviewer does not have the option of immediately pursuing a particular answer.

D.Incorrect. Employees are less likely to be forthcoming in a group, particularly when their responses
may be critical of management.

246.In evaluating the validity of different types of audit evidence, which one of the following
conclusions is incorrect?

A.Recomputation, although highly valid, is limited in usefulness due to its limited scope.

B.The validity of documentary evidence is independent of the effectiveness of the control system in
which it was created.

C.Internally created documentary evidence is considered less valid than externally created
documentary evidence.

D.The validity of confirmations varies directly with the independence of the party receiving the
confirmation.

The Answer B is Correct

The validity of documentary evidence depends on the internal control system.

A.Incorrect. This is a true statement.

C.Incorrect. This is a true statement.

D.Incorrect. This is a true statement.

247.Which of the following is generally not true when evaluating the persuasiveness of evidence?

The evidence is considered more persuasive if:

A.Verified by internally maintained documents rather than by written inquiry of third party.

B.Obtained under conditions of strong controls rather than weak controls.

C.Known by an auditor's personal knowledge rather than from a third-party confirmation.

D.Obtained from an external source rather than from an internal source.

The Answer A is Correct

Written inquiry/confirmation obtained from outside third parties is more persuasive than internal
company documents.

B.Incorrect. Evidence obtained under conditions of strong control is always more persuasive than if
controls had been weak.

C.Incorrect. Personal knowledge is generally more persuasive than knowledge obtained from other
parties.

D.Incorrect. Generally evidence from outside the organization is more persuasive than evidence
obtained from organizational sources.

248.Listed below are four examples of common types of audit evidence. Use the evidence types to
answer the three questions.
I. Inquiry of management

II. Observation of auditee's procedures

III. Physical examination

IV. Documentation prepared externally

The most persuasive evidence to test the existence of newly acquired computers for the sales
department would be:

A.Inquiry of management.

B.Observation of auditee's procedures.

C.Physical examinations.

D.Documentation prepared externally.

The Answer C is Correct

Examination of the asset is generally considered one of the most persuasive types of evidence for the
“existence” assertion, if not the most persuasive type.

A.Incorrect. Unsubstantiated inquiry of management is generally considered the least persuasive
evidence.

B.Incorrect. Unsubstantiated inquiry of management is generally considered the least persuasive
evidence.

D.Incorrect. Documentation is less relevant for existence than is physical examination of the asset.

249.Listed below are four examples of common types of audit evidence. Use the evidence types to
answer the three questions.

I. Inquiry of management

II. Observation of auditee's procedures

III. Physical examination

IV. Documentation prepared externally

The most persuasive evidence regarding the asset value of the acquired computers would be:

A.Inquiry of management.

B.Observation of auditee's procedures.

C.Physical examinations.

D.Documentation prepared externally.

The Answer D is Correct

Documentation of the purchase provides very persuasive evidence regarding the cost of the asset.

A.Incorrect. Unsubstantiated inquiry of management is generally considered the least persuasive
evidence.

B.Incorrect. Observation of procedures for acquisition would not be as persuasive as documents
showing the cost of the asset.

C.Incorrect. Physical examination of the asset reveals only limited information as to the asset's value.

250.Listed below are four examples of common types of audit evidence. Use the evidence types to
answer the three questions.

I. Inquiry of management

II. Observation of auditee's procedures

III. Physical examination

IV. Documentation prepared externally

Which of the following represents the general order of persuasiveness, from most to least, for the
evidence types listed above?

A.III, IV, II, I.

B.IV, I, II, III.

C.II, IV, I, III.

D.IV, III, I, II.

The Answer A is Correct

Evidence is arranged in general order of persuasiveness.

B.Incorrect. Inquiry of management is considered one of the least persuasive evidence types,
particularly in regard to physical examination.

C.Incorrect. Inquiry of management is considered one of the least persuasive evidence types,
particularly in regard to physical examination.

D.Incorrect. Inquiry of management is considered one of the least persuasive evidence types,
particularly in regard to physical examination.

WILEY PART-2 DOMAIN 4

1.When presenting audit results to audit clients, internal auditors can use which of the following
in an effective manner?

A.Data normalization tools
B.Data visualization tools
C.Data counting tools
D.Data synchronization tools

The Answer B is Correct

Data visualization tools are data presentation tools that can make a reader of audit results fully engaged
and interested in understanding the results. Examples of these tools include graphs, exhibits, charts,
tables, and dashboards.

A.Incorrect. Data normalization tools convert clean data into a standardized format and label them
consistently. They have nothing to do with presenting the audit results.
C.Incorrect. Data counting tools deal with labeling data as nominal, ordinal, ratio, and interval data.
They have nothing to do with presenting the audit results.
D.Incorrect. Data synchronization tools deal with placing date stamps and time stamps on datasets or
data elements for data location, data discovery, and data consistency. They have nothing to do with
presenting the audit results.

2.Regarding internal audit activity, a reaudit is usually performed:

A.Before the audit report is issued.
B.After supervisory review.
C.After workpaper review.
D.During follow-up.

The Answer D is Correct

A reaudit during follow-up and monitoring is usually performed after written responses are received
from audit clients based on auditor recommendations and after auditor review of such responses with
corrective actions from audit clients. The goal of a reaudit is to ensure that these corrective actions are
complete and fully address auditor recommendations.

A.Incorrect. Performing a reaudit before the audit report is issued is too early and a waste of audit
resources; it is an indication that the original audit work was not done completely and properly.
B.Incorrect. Performing a reaudit after supervisory review is too early and a waste of audit resources. It
is an indication that the original audit work was not done completely and properly.
C.Incorrect. Performing a reaudit after workpaper review is too early and a waste of audit resources. It
is an indication that the original audit work was not done completely and properly.

3.When hiring entry-level internal audit staff, which of the following will most likely predict the
applicant's success as an auditor?

A.Grade point average on college accounting courses
B.Ability to fit well socially into a group
C.Ability to organize and express thoughts well
D.Level of detailed knowledge of the company

The Answer C is Correct

No characteristic gets to the heart of an internal auditor's job more than the ability to gather, analyze,
and draw conclusions from facts. The internal auditor's success in implementing well-founded
recommendations is most closely tied to his or her ability to communicate (i.e., possessing
communication skills).

A.Incorrect. Accounting educational performance is undoubtedly one criterion that must be examined.
Reviewing performance in only one subject area is much too limited a criterion when the broad scope
of internal auditing work is considered.
B.Incorrect. The ability to get along well socially is a benefit to any internal auditor but cannot be
considered the most important characteristic of a good candidate.
D.Incorrect. Entry-level internal auditors typically have relatively little detailed knowledge of the
company. It is desirable for applicants to demonstrate a general knowledge of the company, but this is
not the most reliable predictor of successful performance as an internal auditor.

4.Which of the following provides assurance as the first line of defense over risks and exposures
facing an organization?

A.Internal auditors
B.Senior managers
C.Risk managers
D.Operations managers

Answer D is Correct

Managers and employees working in operations departments or functions are responsible for providing
assurance as the first line of defense over risks and exposures. They work in a line function or frontline
operation.

A Incorrect. Internal auditors act as risk evaluators and provide the third line of defense.
B Incorrect. Senior managers act as executives and provide the second line of defense.
C Incorrect. Risk managers act as a staff function and provide the second line of defense.

5.Residual risk means:

A.Risk mitigation.
B.Risk transfer.
C.Risk avoidance.
D.Risk acceptance.

Answer D is Correct.
Residual risk means risk acceptance or risk retention. It is a deliberate action taken by
management—senior or functional (operational) management—to accept the remaining risk (i.e.,
residual risk). Whether to accept the residual risk really depends on its potential impact to the delivery
of critical services to customers or clients.

A Incorrect. Organizations may choose to handle risk in different ways, for example, mitigating the
risk with controls.
B Incorrect. Organizations may choose to handle risk in different ways, for example, transferring the
risk with an insurance policy
C Incorrect. Organizations may choose to handle risk in different ways, for example, avoiding the risk
with controls or with risk-lessening methods.

6.Residual risks are not:

A.Mitigated risks.
B.Unmanaged risks.
C.Net risks.
D.Unaddressed risks.

Answer A is Correct.

Residual risks are not mitigated risks.

B Incorrect. Residual risks are unmanaged risks.
C Incorrect. Residual risks are net risks.
D Incorrect. Residual risks are unaddressed risks.

7.Which of the following statements is not true about residual risks?

A.Residual risks are unidentified risks.
B.Residual risks are unmanaged risks.
C.Residual risks are unaddressed risks.
D.Residual risks are uncontrolled risks.

Answer A is Correct.
This is not a true statement. Residual risks are identified and ignored risks that management does not
want to manage, address, or control.

B Incorrect. This is a true statement.
C Incorrect. This is a true statement.
D Incorrect. This is a true statement.

8.Residual risks are not:

A.Uncovered risks.
B.Untreated risks.
C.Uncommitted risks.
D.Unknown risks.

Answer D is Correct.
Residual risks are known risks to both auditors and managers.

A Incorrect. Residual risks are uncovered risks.
B Incorrect. Residual risks are untreated risks.
C Incorrect. Residual risks are uncommitted risks.

9.Which of the following are the most risky situations?

I. Residual value
II. Residual interests
III. Residual risk
IV. Residual data

A.I and II
B.III only
C.II and IV
D.III and IV

Answer D is Correct.
Residual risk and residual data are the most risky situations. Residual risk is leftover, unmanaged, or
unaddressed risk that still remains after all controls and mitigations are applied. It can be most risky if
it is big in size. Residual data is the leftover data remaining on a storage media after it is erased. Since
the residual data can be recovered by hackers, additional disposal techniques should be applied to
protect the sensitive electronic data in storage. Until then, residual data can be most risky.

A Incorrect. This choice is not relevant. Residual value is the estimated value of leased equipment at the
end of a lease term. There is little or no risk in residual value. Residual interests are financial
assets of an individual person or beneficiaries in a company, which were created by a transfer that
qualifies as a sale of financial assets. There is little or no risk in residual interests.

B Incorrect. This is a partial answer.

C Incorrect. This is a partial answer.

10.Which of the following is a legal form of derisking?

A.Risk sharing
B.Incorporation
C.Risk transfer
D.Risk reduction

Answer B is Correct.
Incorporation is a legal term in use when an individual wants to register a business in a state to conduct
business. Organizations can also incorporate to do their business. This is a legal form of derisking.

A Incorrect. Risk sharing involves spreading risks with other divisions of the same organization. This is
not a legal form.

C Incorrect. Risk transfer means pushing a potential risk from one party to another party. This is not a
legal form.

D Incorrect. Risk reduction is achieved through installing appropriate and timely controls that are
effective and efficient in operation. This is not a legal form.

11.Which of the following is not a legal form of derisking?

A.Hold-harmless agreements
B.New contracts
C.Recontracting
D.Risk shifting

Answer D is Correct.

Risk shifting is risk transferring from one party to another, but the risk still remains. This is not a legal
form of derisking.

A Incorrect. Hold-harmless agreements mean risk is lessened (de-risked) due to a previous agreement.
This is a legal form of derisking.

B Incorrect. New contracts can be drawn to reduce risks. This is a legal form of derisking.

C Incorrect. An existing contract can be canceled, and it can be recontracted with modifications. This is
a legal form of derisking.

12.Essentially, derisking means

A.Downsizing risks.
B.Postponing risks.
C.Ignoring risks.
D.Eliminating risks.

Answer A is Correct.

Derisking means downsizing risks to bring down risk severity levels.

B Incorrect. Postponing risks does not decrease risks. Risks stay the same or increase.

C Incorrect. Ignoring risks does not decrease risks. Risks stay the same or increase.

D Incorrect. Risks cannot be eliminated, only decreased or increased.

13.Which of the following has the highest form of risk dealing with derisking?

A.Proprietorship
B.Partnership
C.Public corporation
D.Private corporation

Answer A is Correct.

A proprietorship poses a high risk because the single owner is legally responsible for all the risks.

B Incorrect. A partnership poses a low risk because partners share all the risks.

C Incorrect. A public corporation poses a low risk because a government shares all the risks.

D Incorrect. A private corporation poses a low risk because its shareholders share all the risks.

14.Derisking does not mean:

A.Risk volatility.
B.Risk securitization.
C.Risk diversification.
D.Risk modification.

Answer A is Correct.

Risk volatility increases risks with unexpected variations in risk outcomes. It is not a good method of
derisking.

B Incorrect. Risk securitization decreases risks and is a good method of derisking.

C Incorrect. Risk diversification decreases risks and is a good method of derisking.

D Incorrect. Risk modification decreases risks and is a good method of derisking.

15.A solution to derisking that is related to an organization's structure is:

A.Legal structure.
B.Capital structure.
C.Tall structure.
D.Flat structure.

Answer A is Correct.

A legal structure, such as incorporation, provides derisking opportunities aligned with an organization's
structure. For example, a public corporation is less risky than a private corporation.

B Incorrect. Capital structure refers to the amount of debt and equity in a corporation's balance sheet.

C Incorrect. Tall structure refers to how many management levels exist in an organization (i.e., several
levels exist).

D Incorrect. Flat structure refers to how many management levels exist in an organization (i.e., fewer
levels exist).

16.Regarding risk management, derisking does not mean:

A.Risk elimination.
B.Risk mitigation.
C.Risk management.
D.Risk-return balancing.

Answer A is Correct.
Derisking means risk lessening, not risk elimination, because risks cannot be eliminated completely.
There will always be some residual risks or leftover risks in life and business.

B Incorrect. Risk mitigation facilitates derisking.

C Incorrect. Risk management facilitates derisking.

D Incorrect. Risk-return balancing facilitates derisking.

17.Which of the following is the key performance indicator for an internal audit activity?

A.Number of audit clients satisfied
B.Number of audit recommendations made
C.Number of audit recommendations accepted
D.Number of audit recommendations implemented

Answer A is Correct.

As with any other business function or activity, customer satisfaction is the key performance
indicator, and the internal audit activity is no different. Audit clients are the customers of the internal
audit activity. The more audit clients are satisfied, the better it is for the internal audit activity.

B Incorrect. Audit recommendations may or may not be useful to audit clients.

C Incorrect. Audit recommendations may or may not be accepted by audit clients.

D Incorrect. Audit recommendations may or may not be implemented by audit clients.

18.Which of the following provides assurance as the first line of defense over risks and exposures
facing an organization?

A.Internal auditors
B.Senior managers
C.Risk managers
D.Operations managers

Answer D is Correct.

Managers and employees working in operations departments or functions are responsible for providing
assurance as the first line of defense over the risks and exposures. They work in a line function or
frontline operation.

A Incorrect. Internal auditors act as risk evaluators and provide the third line of defense.

B Incorrect. Senior managers act as executives and provide the second line of defense.

C Incorrect. Risk managers act as a staff function and provide the second line of defense.

19.A major drawback of an internal audit metric “Percentage of the internal audit plan
completed” is that it addresses:

A.Past risks.
B.Current risks.
C.Future risks.
D.Unique risks.

Answer A is Correct.
This internal audit metric addresses past risks and does not address current, future, and unique risks.
Past risks focus on looking backward. Management cannot plan or react based on past risks, which
become historical risks and are used for reference and review purposes only.

B Incorrect. Current, future, and unique risks focus on looking forward while past risks focus on
looking backward. Unique risks are one-of-a-kind risks facing a specific business or an industry, such
as floods, fires, or volcanoes for an insurance company.

C Incorrect. Future, current, and unique risks focus on looking forward while past risks focus on
looking backward. Unique risks are one-of-a-kind risks facing a specific business or an industry, such
as floods, fires, or volcanoes for an insurance company.

D Incorrect. Unique, current, and future risks focus on looking forward while past risks focus on
looking backward. Unique risks are one-of-a-kind risks facing a specific business or an industry, such
as floods, fires, or volcanoes for an insurance company.

20.Which of the following is not a contributing factor leading to internal audit failures?

A.Management gap
B.Data gap
C.Competency gap
D.Communication gap

Answer B is Correct.

A gap is the difference between expected and actual outcomes. Data gaps identify problems in
data-quality attributes, such as accuracy, completeness, availability, timeliness, and usefulness of data.
As such, data gaps cannot contribute to internal audit failures.

A Incorrect. A gap is the difference between expected and actual outcomes. Management gaps
contribute to management's inability to plan, organize, direct (lead), or control business functions and
resources. The internal audit management gap certainly contributes to internal audit failures.

C Incorrect. A gap is the difference between expected and actual outcomes. Competency gaps are the
differences between the expected competencies in terms of knowledge, skills, and abilities (KSAs) and
actual KSAs. While management gaps can be traced to audit management only, competency gaps can
be traced equally to audit staff and audit management. Competency gaps can certainly lead to internal
audit failures.

D Incorrect. A gap is the difference between expected and actual outcomes. Communication gaps result
when the required communication is not delivered to the right parties at the right time. Communication
gaps can also occur when an internal audit activity's role, purpose, and scope is not clearly
communicated to company management. When combined with other gaps, communication gaps can
lead to internal audit failures.

21.Which of the following is not a contributing factor to a false assurance coming from an
internal audit to others?

A.Measurement gap
B.Communication gap
C.Expectation gap
D.Competency gap

Answer A is Correct.

False assurance is a level of confidence or assurance based on perceptions or assumptions rather than
facts. False assurance has nothing to do with the measurement gap, where the measurement identifies
problems in measuring something of importance (e.g., production counts, inventory counts, and claims
counts).

B Incorrect. A communication gap is one of the gaps contributing to false assurance and occurs when
an internal audit activity's role, purpose, and scope are not clearly communicated to company
management. Communication gaps also result when the required communication is not delivered in the
right time.

C Incorrect. An expectation gap is one of the gaps contributing to false assurance and occurs when
company management has an incorrect expectation of the internal audit function related to audit work
results.

D Incorrect. A competency gap is one of the gaps contributing to false assurance and occurs when the
auditor's actual competency level is different from what the auditee's management requires or expects.
Competency gaps are the differences between the expected competencies in terms of knowledge, skills,
and abilities (KSAs) and actual KSAs.

22.Which of the following is the common item causing overall risks to the internal audit
function?

A.Management gap
B.Competency gap
C.Compliance gap
D.Expectation gap

Answer B is Correct.

A gap is the difference between what is expected and what is real. The competency gap is the common
item causing audit failures, audit false assurances, and audit losses of reputation—the three broad
categories of overall risks to the internal audit function. The competency gap is the difference between
the expected competencies in terms of knowledge, skills, and abilities (KSAs) and actual KSAs. The
audit director needs to reduce the competency gap in the audit staff, audit supervisors, and audit
managers, including him- or herself, through acquiring the needed KSAs.

A Incorrect. A gap is the difference between what is expected and what is real. When combined with
the competency gap and communication gap, the audit management gap can lead to the risk of audit
failures, which is a category of overall risks to the internal audit function. Availability of day-to-day
guidance from internal audit management combined with compliance to professional audit standards
could reduce the risk of audit failures.

C Incorrect. A gap is the difference between what is expected and what is real. When combined with
the competency gap and audit brand gap, the compliance gap can lead to audit reputation risk, which is
a category of overall risks to the internal audit function. Availability of day-to-day guidance from
internal audit management combined with compliance to professional audit standards could reduce the
risk of loss of reputation.

D Incorrect. A gap is the difference between what is expected and what is real. When combined with
the competency gap and communication gap, the expectation gap can lead to the risk of audit false
assurance, which is a category of overall risks to the internal audit function. Availability of day-to-day
guidance from internal audit management combined with compliance to professional audit standards
could reduce the risk of audit false assurance.

23.Which of the following is not a leading practice to protect the reputation risk of an internal
audit function?

A.Performing a risk assessment exercise
B.Implementing a quality assurance program
C.Protecting the internal audit brand
D.Establishing management review of audit findings

Answer D is Correct.
Establishing an effective management review of audit findings is a leading practice in mitigating the risk
of audit failures and does not, by itself, protect against reputation risk. This leading practice should make
company management review, accept, and own the audit findings.

A Incorrect. Performing a risk assessment exercise is a part of leading practice to protect the reputation
risk of an internal audit function.

B Incorrect. Implementing a quality assurance program is a part of leading practice to protect the
reputation risk of an internal audit function.

C Incorrect. Protecting the internal audit brand is a part of leading practice to protect the reputation risk
of an internal audit function.

24.Which of the following will not help in identifying the overall risks to the internal audit
function?

A.Barrier analysis
B.Root-cause analysis
C.Assurance maps
D.Risk maps

Answer A is Correct.

Barrier analysis, as it relates to the business activity of organizational change, identifies key
determinants (barriers) of human behavioral change in employees to help focus on their behaviors that
have not changed, despite management's repeated efforts to have them change. The four key
determinants of human behavior are self-efficacy, social norms, positive consequences, and negative
consequences. Hence, barrier analysis will not help in identifying the overall risks to the internal audit
function.

B Incorrect. Root-cause analysis identifies the real reasons and specific situations leading to overall
risks to the internal audit function. Based on this analysis, changes can be made either in the internal
audit process or in the control environment of the organization or both. Hence, root-cause analysis will
help in identifying the overall risks to the internal audit function.

C Incorrect. Assurance maps are organization-wide, coordinated exercises involving mapping
assurance coverage provided by multiple parties against the key risks facing the organization so that
duplicate efforts, missed risks, and potential gaps can be identified and monitored. Hence, assurance
maps will help in identifying overall risks to the internal audit function.

D Incorrect. Risk maps involve profiling risk events to their sources (i.e., threats and vulnerabilities),
determining their impact levels (i.e., low, medium, or high), and evaluating the presence or lack of
effective controls to mitigate risks. Hence, risk maps will help in identifying overall risks to the internal
audit function.

25.Which of the following can increase residual risk?

i. Risk pursuance
ii. Risk acceptance
iii. Risk sharing
iv. Risk transferring

A.I only
B.II only
C.I and II
D.III and IV

Answer C is Correct.
Risk pursuance and risk acceptance increase residual risk. Risk pursuance seeks increased performance;
when that performance does not materialize, residual risk increases. By definition, risk acceptance
means retaining the residual risk, so the two move in the same direction.

A Incorrect. This is a partial answer.

B Incorrect. This is a partial answer.

D Incorrect. Risk sharing and risk transferring reduce residual risk. Sharing the risk with others and
transferring the risk to others reduces the residual risk.

26.Given the acceptance of the cost savings audits and the scarcity of internal audit resources, the
audit manager also decided that follow-up action was not needed. The manager reasoned that
cost savings should be sufficient to motivate the auditee to implement the auditor's
recommendations. Therefore, follow-up was not scheduled as a regular part of the audit plan.
Does the audit manager's decision violate the Standards?

A.No. The Standards do not specify whether follow-up is needed.
B.Yes. The Standards require the auditors to determine whether the auditee has appropriately
implemented all of the auditor's recommendations.
C.Yes. Scarcity of resources is not a sufficient reason to omit follow-up action.
D.No. When there is evidence of sufficient motivation by the auditee, there is no need for follow-up
action.

Answer C is Correct.

IIA Standard 2500 – Monitoring Progress and IIA Standard 2030 – Resource Management require
follow-up action. Lack of resources is not a sufficient reason.

A Incorrect. Follow-up is required.

B Incorrect. Follow-up is to see that actions are taken, not just that the auditor's recommendations have
been implemented.

D Incorrect. Follow-up is required.

27.Auditors realize that at times corrective action is not taken even when agreed to by the
appropriate parties. This should lead an internal auditor to:

A.Decide the extent of necessary follow-up work.
B.Allow management to decide when to follow-up, since it is management's ultimate responsibility.
C.Decide to conduct follow-up work only if management requests the auditor's assistance.
D.Write a follow-up audit report with all findings and their significance to the operations.

Answer A is Correct.

IIA Standard 2500 – Monitoring Progress states that the chief audit executive should determine the
nature, timing, and extent of follow-up.

B Incorrect. The Standards state that follow-up work is not management's responsibility.

C Incorrect. The Standards state that follow-up work is not management's responsibility.

D Incorrect. The auditor has to provide an opinion as to the decision made with regard to lack of action.

28.Management has requested the audit department to conduct an audit of the implementation of
its recently developed company code of conduct. In preparing for the audit, the auditor reviews
the newly developed code and compares it with several others for comparable companies and
concludes that the newly developed code has severe deficiencies. Based on this conclusion, the
auditor should:

A.Plan an audit for the implementation of management's code of conduct and also for compliance with
the “best practices” from the other codes since this represents the best available criteria.
B.Report the nature of the deficiencies in a formal report to management.
C.Inform management of the problems with the existing code and report that it would be inappropriate
to conduct an audit until the code is revised to incorporate the "best practices" from industry.
D.Conduct the audit as requested by management, reporting only noncompliance with the code.

Answer B is Correct.

This would be the best solution. The auditor is responsible for reporting deficiencies in criteria to
management (IIA Standard 2400 – Communicating Results).

A Incorrect. It is not appropriate to conduct an audit for compliance with criteria that have never been
communicated to auditees.

C Incorrect. It is acceptable to inform management and discuss whether it is the best time to conduct
the audit now. But it is not inappropriate to conduct the audit if management wants feedback on the
implementation of its code.

D Incorrect. The auditor needs to communicate deficiencies in criteria to management. Just reporting
on the implementation of the current code would be deficient.

29.PARAGRAPH 1: The production department has the newest production equipment available
because of a fire that required the replacement of all equipment.
PARAGRAPH 2: The members of the production department have become completely
comfortable with the state-of-the-art technology over the past year and a half. As a result, the
production department has become an industry leader in production efficiency and effectiveness.
PARAGRAPH 3: The production department produces an average of 25 units per worker per
shift. The defect rate is 1%.
PARAGRAPH 4: The industry average productivity is 20 units per worker per shift. The
industry defect rate is 3%.
Which paragraph would be characterized as the attribute described in the IIA Standards as
“Criteria”?

A.1.
B.2.
C.3.
D.4.

Answer D is Correct.

Paragraph 4 describes the standard by which the production department is measured. This is the
"Criteria," and it is the standards, measures, or expectations used in making an evaluation and/or
verification (what should exist) as per IIA Standard 2410 – Criteria for Communicating.

A Incorrect. Paragraph 1 explains the reason that the firm's productivity is greater than the industry
average. This is the attribute called "Cause," and it is the reason for the difference between the
expected and actual conditions (why the difference exists).

B Incorrect. Paragraph 2 describes the result of the firm's access to state-of-the-art technology. This
attribute is called "Effect," and it is the risk or exposure the auditee organization and/or others
encounter because the condition is not the same as the criteria (the impact of the difference). In this
case the effect is positive rather than negative.

C Incorrect. Paragraph 3 describes the actual productivity extant within the firm. This attribute is called
"Condition," and it is the factual evidence which the internal auditor found in the course of the
examination (what does exist).

30.PARAGRAPH 1: The production department has the newest production equipment available
because of a fire that required the replacement of all equipment.
PARAGRAPH 2: The members of the production department have become completely
comfortable with the state-of-the-art technology over the past year and a half. As a result, the
production department has become an industry leader in production efficiency and effectiveness.
PARAGRAPH 3: The production department produces an average of 25 units per worker per
shift. The defect rate is 1%.
PARAGRAPH 4: The industry average productivity is 20 units per worker per shift. The
industry defect rate is 3%.
Which paragraph would be characterized as the attribute described in the IIA Standards as
“Condition”?

A.1.
B.2.
C.3.
D.4.

Answer C is Correct.

Paragraph 3 is the statement of "Condition” as per IIA Standard 2410 – Criteria for Communicating.

A Incorrect. Paragraph 1 is the statement of "Cause."

B Incorrect. Paragraph 2 is the statement of "Effect."

D Incorrect. Paragraph 4 is the statement of "Criteria."

31.A relatively new internal auditor is completing an audit report. The final report should most
appropriately be signed by:

A.The auditor because of a greater level of detail knowledge of the report.
B.The auditor and the person in charge of the area being audited to indicate review of the report.
C.The chief audit executive.
D.The chairman of the audit committee of the board of directors.

Answer C is Correct.

The chief audit executive has ultimate responsibility for the quality of reports issued by the internal
auditing group and should signify formal approval of the report by his or her signature. The chief audit
executive determines which internal auditor is authorized to sign the audit report as per IIA Standard
2410 – Criteria for Communicating.

A Incorrect. Although the internal auditor performing the audit has much detail knowledge, the final
audit report should be signed by the chief audit executive who has performed an objective review of the
findings and recommendations.

B Incorrect. The person in charge of the area being reviewed will indicate review of the report through
a written reply.

D Incorrect. The chairman of the audit committee is responsible for reviewing the ongoing activities of
the internal auditing group and should not be directly involved in the preparation and review of the
audit report.

32.According to the IIA Standards, which of the following best describes the nature of opinions
that are appropriate for internal audit reports?

A.Opinions are generally the auditor's subjective judgments concerning why deficiencies exist.
B.Opinions are the auditor's evaluations of the effects of the observations and recommendations on the
activities reviewed.
C.Opinions are conclusions that the auditor has reached concerning the appropriateness of the auditee's
objectives.
D.Opinions should involve only the fairness of the auditee's financial statements.

Answer B is Correct.

This is the nature of opinions per IIA Standard 2410 – Criteria for Communicating.

A Incorrect. Not the best answer. Opinions should be solidly based and involve more than is given
here.

C Incorrect. Not the best answer. Auditors usually take the auditee's objectives as given.

D Incorrect. Opinions in internal audit reports are not limited to the fairness of financial statements.

33.During an audit of purchasing, internal auditors found several violations of company policy
concerning competitive bidding. The same condition had been reported in an audit report last
year and corrective action had not been taken. Which of the following best describes the
appropriate action concerning this repeat finding?

A.The audit report should note that this same condition had been reported in the prior audit.
B.During the exit interview, management should be made aware that a finding from the prior report
had not been corrected.
C.The chief audit executive should determine whether management or the board has assumed the risk
of not taking corrective action.
D.The chief audit executive should determine whether this condition should be reported to the
independent auditor and any regulatory agency.

Answer C is Correct.

This action meets the requirements of IIA Standard 2500 – Monitoring Progress.

A Incorrect. These actions are insufficient.

B Incorrect. These actions are insufficient.

D Incorrect. This action would be inappropriate.

34.Which of the following combination of participants would be most appropriate to attend an
exit conference?

A.The responsible internal auditor and representatives from management who are knowledgeable of
detailed operations and those who can authorize implementation of corrective action.
B.The chief audit executive and the executive in charge of the activity or function audited.
C.Staff auditors who conducted the fieldwork and operating personnel in charge of the daily
performance of the activity or function audited.
D.Staff auditors who conducted the fieldwork and the executive in charge of the activity or function
audited.

Answer A is Correct.

This is the option most in line with what is suggested by IIA Standard 2440 – Disseminating Results.

B Incorrect. These executives may not be knowledgeable enough about details.

C Incorrect. These persons might not have the necessary perspectives and/or authority.

D Incorrect. The staff auditor might lack the proper perspective and may be "overmatched."

35.An internal audit of sales contracts revealed that a bribe had been paid to secure a major
contract. It was considered quite possible that a senior executive had authorized the bribe. Which
of the following best describes the proper distribution of the completed audit report?

A.The report should be distributed to the chief executive officer and the appropriate regulatory agency.
B.The report should be distributed to the board of directors, the chief executive officer, and the
independent auditor.
C.The chief audit executive should provide the board of directors a copy of the report and decide
whether further distribution is appropriate.
D.The report should be distributed to the board of directors, the appropriate law enforcement agency,
and the appropriate regulatory agency.

Answer C is Correct.

This is basically what IIA Standard 2440 – Disseminating Results requires.

A Incorrect. Outside distribution is probably not appropriate.

B Incorrect. Outside distribution is probably not appropriate.

D Incorrect. Outside distribution is probably not appropriate.

36.Which is the lowest organizational level to which the internal auditing department should
address the final report of the operational audit of the production department?

A.Audit committee of the board of directors.
B.Chief executive officer.
C.Vice president of production.
D.First-line supervisor.

Answer D is Correct.

The stem identifies the first-line position (foremen) as the lowest-level persons "who are in a position
to take corrective action or insure that corrective action is taken." In any case, the foremen are in a
position "to insure that audit results are given due consideration." As a result, the foremen should each
receive a full final audit report. Since the foreman's position is the lowest report receiving
organizational level, this response is correct (IIA Standard 2440 – Disseminating Results).

A Incorrect. Audit committees usually do not require the full audit report to be submitted to them.
Instead, they ordinarily ask for a summary of the audit report. This summary is sometimes nothing
more than the summary referred to in the Standard. The audit committee may ask for the full audit
report. If it does, however, it is the highest organizational level to receive it. Three lower levels, which
may or must receive the full final audit report, are identified in the other responses.

B Incorrect. The chief executive officer (CEO) qualifies as one of those "higher-level members in the
organization" that "may receive only a summary report." Like the audit committee, the CEO can
request the full audit report. If the CEO does receive the full report, however, this represents a high
organizational level. Two of the other three responses identify lower organizational levels that receive
the full final audit report.

C Incorrect. The vice president of production is the head of the audited unit. As such, he or she should
receive the complete final audit report. There are organizational levels lower than the unit head that
"are in a position to take corrective action or insure that corrective action is taken." One such
organizational level is identified among the other three responses.

37.Which of the following audit committee activities would be of the greatest benefit to the
internal auditing department?

A.Review and approval of audit programs.
B.Assurance that the external auditor will rely on the work of the internal auditing department
whenever possible.
C.Review and endorsement of all internal audit reports prior to their release.
D.Support for appropriate follow-up of recommendations made by the internal auditing department.

Answer D is Correct.

The audit committee can lend considerable weight to the recommendations of internal auditing (IIA
Standard 2500 – Monitoring Progress).

A Incorrect. Review and approval of audit programs is the responsibility of internal audit supervision.

B Incorrect. External audit's reliance on the work of internal auditing is the subject of a pronouncement
by the American Institute of Certified Public Accountants.

C Incorrect. Review and approval of internal audit reports is the responsibility of the chief audit
executive or designee.

38.Which of the following combination of participants would be most appropriate to attend an
exit conference?

A.The responsible internal auditor and representatives from management who are knowledgeable of
detailed operations and those who can authorize implementation of corrective action.
B.The chief audit executive and the executive in charge of the activity or function audited.
C.Staff auditors who conducted the fieldwork and operating personnel in charge of the daily
performance of the activity or function audited.
D.Staff auditors who conducted the fieldwork and the executive in charge of the activity or function
audited.

Answer A is Correct.

This is the option most in line with what is suggested by IIA Standard 2440 – Disseminating Results.

B Incorrect. These executives may not be knowledgeable enough about details.

C Incorrect. These persons might not have the necessary perspectives and/or authority.

D Incorrect. The staff auditor might lack the proper perspective and may be overmatched.

39.Auditing Standards state that the internal auditor may communicate recommendations for
improvements. Which of the following would be a valid justification for omitting
recommendations in an audit report? The auditor:

A.May not always understand the true cause of the finding being reported.
B.Does not have sufficient time to formulate a recommendation due to audit budget pressures.
C.Can avoid the confrontation by letting management solve its own problems.
D.May lose independence by being perceived as making operational decisions.

Answer A is Correct.

The true cause of a finding may require additional expertise and may only be determinable through
additional management study (IIA Standard 2410 – Criteria for Communicating).

B Incorrect. If the finding is significant enough to report, time must be found to determine what action
would solve the deficiency.

C Incorrect. Avoiding honest difference of opinion is not an acceptable reason for deleting a
recommendation.

D Incorrect. Recommendations do not impair an auditor's independence. Management is responsible
for decision making and implementing suggestions or formulating new solutions.

40.Audit policy requires that final reports will not be issued without a management response. An
audit with significant findings is complete except for management's response. Evaluate the
following courses of action and select the best alternative.

A.Issue an interim report regarding the important issues noted.
B.Modify audit policy to allow a specific time period for the management response.
C.Wait for management response and issue audit report.
D.Discuss situation with the external auditors.

Answer A is Correct.

Interim reports should be issued regarding the significant issues noted (IIA Standard 2410 – Criteria for
Communicating).

B Incorrect. Significant audit findings should be timely communicated.

C Incorrect. Significant audit findings should be timely communicated.

D Incorrect. Significant audit findings should be timely communicated to audit committee.

41.Audit findings often emerge by a process of comparing what should be with what is. Findings
are based on the attributes of criteria, condition, and cause and effect. From the following
descriptions, which one most appropriately describes the effect of the audit finding?

A.Reason for the difference between the expected and actual conditions.
B.Factual evidence found during the course of the examination.
C.Risk or exposure encountered because of the condition.
D.Standards, measures, or expectations used in making the evaluation.

Answer C is Correct.

The risk or exposure encountered represents the effect of the audit finding (IIA Standard 2410 –
Criteria for Communicating).

A Incorrect. Reason for the difference between expected and actual conditions represents the cause of
the finding.

B Incorrect. Factual evidence represents the condition.

D Incorrect. Standards, measures, or expectations represent the criteria for the audit findings.

42.two years on which financial statements have already been issued. The chief audit executive
should immediately inform:

A.The external audit firm responsible for the financial statements affected by the discovery.
B.The appropriate governmental or regulatory agency.
C.Appropriate management and the audit committee of the board of directors.
D.The internal accounting function ultimately responsible for making corrective journal entries.

Answer C is Correct.

IIA Standard 2440 – Disseminating Results requires this path for reporting; it is management's decision
to make further disclosure.

A Incorrect. The Standards do not require such reporting.

B Incorrect. The Standards do not require such reporting.

D Incorrect. The Standards do not require such reporting.

43.An internal auditor has uncovered illegal acts that were committed by a member of senior
management. According to the IIA Standards, such information:

A.Should be excluded from the internal auditor's report and discussed orally with the senior manager.
B.Must be immediately reported to the appropriate government authorities.
C.May be disclosed in a separate report and distributed to all senior management.
D.May be disclosed in a separate report and distributed to the company's audit committee of the board
of directors.

Answer D is Correct.

Improper or illegal acts that are committed by senior management may be disclosed in a separate report
and distributed to the audit committee of the board of directors or to a similar high-level entity within
the organization (IIA Standard 2410 – Criteria for Communicating).

A Incorrect. Although improper or illegal acts may be disclosed in a separate report, the internal
auditor should not discuss such information with those individuals who have committed such acts.

B Incorrect. In general, internal auditors are responsible to their organization's management rather than
outside agencies. In the case of fraud, statutory filings with regulatory agencies may be required.

C Incorrect. Since it is a member of senior management who has committed the illegal acts, it would
not be appropriate for the internal auditor to disclose this information to them. Instead, such
information should be communicated to individuals of the organization to whom senior management
report.

44.The internal auditing department for a chain of retail stores recently concluded an audit of
sales adjustments in all stores in the southeast region. The audit revealed that several stores are
costing the company an estimated $85,000 per quarter in duplicate credits to customers' charge
accounts.
The audit report, published eight weeks after the audit was concluded, included the internal
auditors' recommendations to store management that should prevent duplicate credits to
customers' accounts.
Which of the following Standards for reporting has been disregarded in the above case?

A.The follow-up actions were not adequate.
B.The auditors should have implemented appropriate corrective action as soon as the duplicate credits
were discovered.
C.Auditor recommendations should not be included in the report.
D.The report was not timely.

Answer D is Correct.

The audit report, which was not published until eight weeks after the audit was concluded, was not
issued in a timely fashion, given the significance of the findings and the need for prompt, effective
action (IIA Standard 2420 – Quality of Communications).

A Incorrect. There is not enough information to evaluate the effectiveness of follow-up.

B Incorrect. Auditors may properly make recommendations for potential improvements but should not
implement corrective action.

C Incorrect. Auditor recommendations are one of the recommended elements of an audit finding.

45.According to the IIA Standards, which of the following is the correct listing of information
that must be included in a fraud report?

A.Purpose, scope, results, and, where appropriate, an expression of the auditor's opinion.
B.Criteria, condition, cause and effect.
C.Background, findings, and recommendations.
D.Findings, conclusions, recommendations, and corrective action.

Answer D is Correct.

A written report should be issued at the conclusion of the investigation phase. It should include all
findings, conclusions, recommendations, and corrective action taken. This is the list provided by IIA
Standard 2410 – Criteria for Communicating.

A Incorrect. This is the list of information to include in a final written report at the conclusion of an
audit examination, which may not include fraud. Since this definition does not include "corrective
action," it is incomplete.

B Incorrect. This is a correct listing of the elements comprising "Findings." A fraud report includes
more than findings, so this answer is incomplete.

C Incorrect. The inclusion of background is recommended but not required for inclusion in a final audit
report. There is no mention of it in a fraud report. This list leaves out "conclusions" and "corrective
action," so it is incomplete.

46.An internal auditor reported a suspected fraud to the chief audit executive (CAE). The CAE
turned the entire case over to the security department. Security failed to investigate or report the
case to management. The perpetrator continued to defraud the organization until being
accidentally discovered by a line manager two years later. Select the most appropriate action for
the CAE.

A.The CAE's actions were correct.
B.The CAE should have periodically checked the status of the case with security.
C.The CAE should have conducted the investigation.
D.The CAE should have discharged the perpetrator.

Answer B is Correct.

The CAE should have periodically checked the status of the case with security. Follow-up is specified
by IIA Standard 2500 – Monitoring Progress.

A Incorrect. According to IIA Standards, the CAE should have ensured that the internal auditing
department's responsibilities were met.

C Incorrect. A security department generally would have more expertise in the investigation of a fraud.

D Incorrect. The fraud was only suspected when reported to the CAE. Immediate discharge would have
violated the suspect's rights. In addition, the CAE would not normally have the authority to discharge
an employee in an audited area.

47.An internal auditor has just completed an audit of a division and is in the process of preparing
the audit report. According to the IIA Standards, the observations in the audit report should
include:

A.Statements of opinion about the cause of an observation.
B.Pertinent factual statements concerning the control weaknesses that were uncovered during the
course of the audit.
C.Statements of both fact and opinion developed during the course of the audit.
D.Statements which may deal with potential future events that may be helpful to the audited division.

Answer B is Correct.

IIA Standard 2410 – Criteria for Communicating states that observations are pertinent statements of
fact. Audit observations must be factual evidence regarding control strengths and weaknesses that the
auditor has found during the course of his or her examination.

A Incorrect. Audit observations must be statements of fact rather than statements representing an
auditor's opinion. Opinions represent the auditor's evaluations of the effects of audit observations on
the activities reviewed.

C Incorrect. Audit observations cannot be both facts and opinions. They must describe only facts or
conditions that exist.

D Incorrect. Audit observations deal with present, not future, factual conditions or events.

48.Internal audit reports should contain the purpose, scope, and results. The audit results should
contain the criteria, condition, effect, and cause of the finding. The cause can best be described
as:

A.Factual evidence that the internal auditor found.
B.Reason for the difference between the expected and actual conditions.
C.The risk or exposure because of the condition found.
D.Resultant evaluations of the effects of the findings.

Answer B is Correct.

“Cause” is the reason for the difference between the expected and actual conditions (IIA Standard 2410
– Criteria for Communicating).

A Incorrect. Factual evidence represents the condition.

C Incorrect. Risk or exposure is the effect.

D Incorrect. Resultant evaluations are the conclusions.

49.According to the IIA Standards, internal auditing reports should be distributed to those
members of the organization who are able to ensure that audit results are given due
consideration. For higher-level members of the organization, that requirement usually can be
satisfied with:

A.Interim reports.
B.Summary reports.
C.Oral reports.
D.Final written reports only.

Answer B is Correct.

Summary reports that highlight audit results are appropriate for higher-level management (IIA
Standard 2410 – Criteria for Communicating).

A Incorrect. Interim reports are used to communicate urgent information, changes in audit scope, and
audit progress.

C Incorrect. Only interim reports may be oral. The final report must be written.

D Incorrect. Higher-level management is often too busy to read an entire report.

50.If an internal auditor finds that no corrective action has been taken on a prior audit finding
that is still valid, the IIA Standards state that the internal auditor should:

A.Restate the prior finding along with the findings of the current audit.
B.Determine whether management or the board has assumed the risk of not taking corrective action.
C.Seek the board's approval to initiate corrective action.
D.Schedule a future audit of the specific area involved.

Answer B is Correct.

It is the correct answer as per IIA Standard 2500 – Monitoring Progress.

A Incorrect. Refer to the correct answer.

C Incorrect. Refer to the correct answer.

D Incorrect. Refer to the correct answer.

51.After completing an investigation, internal auditing has concluded that an employee has stolen
a material amount of cash receipts. A draft of the proposed report on this finding should be
reviewed by:

A.Legal counsel.
B.The audit committee of the board of directors.
C.The president of the organization.
D.The external auditor.

Answer A is Correct.

Review by legal counsel reduces the possibility of inclusion (and dissemination) of a statement for
which the accused employee could sue the organization (IIA Standard 2410 – Criteria for
Communicating).

B Incorrect. The audit committee should receive a final draft of the report only after it has been
reviewed and approved by legal counsel.

C Incorrect. If appropriate, the president may receive a final draft of the report after it has been
reviewed and approved by legal counsel.

D Incorrect. If it is customary to send the outside auditors copies of all internal audit reports, it should
be a final report that has been reviewed and approved by legal counsel.

52.The IIA Standards specify that final audit reports should be reviewed and approved by the:

A.Auditee or the person to whom the auditee reports.
B.Auditor in charge.
C.Chief audit executive or designee.
D.Chief financial officer.

Answer C is Correct.

IIA Standard 2410 – Criteria for Communicating states that audit reports should be reviewed and
approved by the chief audit executive or designee.

A Incorrect. The Standards state that final reports should be reviewed by the chief audit executive or
designee.

B Incorrect. The auditor in charge would not be correct unless designated by the chief audit executive.

D Incorrect. Audit reports should be reviewed by the chief audit executive or designee prior to
distribution.

53.According to the IIA Standards, a report issued by an internal auditor should contain an
expression of opinion when:

A.The area of the audit is the financial statements.
B.The internal auditors' work is to be used by external auditors.
C.A full-scope audit has been conducted in an area.
D.An opinion will improve communications with the reader of the report.

Answer D is Correct.

According to IIA Standard 2410 – Criteria for Communicating, a report should contain an opinion
where appropriate. The criterion of appropriateness is improvement in communications.

A Incorrect. The area of the audit is irrelevant for decisions about whether an overall opinion is
appropriate.

B Incorrect. Whether the internal auditors' work is to be used by external auditors is irrelevant,
particularly since external auditors cannot depend on an overall opinion but must examine the detail
and form their own opinion.

C Incorrect. An overall opinion is not a mandatory requirement.

54.As an internal auditor for a multinational chemical company, you have been assigned to
perform an operational audit at a local plant. This plant is similar in age, sizing, and construction
to two other company plants that have been recently cited for discharge of hazardous wastes. In
addition, you are aware that chemicals manufactured at the plant release toxic by‑products.
Assume that you have evidence that the plant is discharging hazardous wastes. As a Certified
Internal Auditor, what are the appropriate reporting requirements in this situation?

A.Send a copy of your audit report to the appropriate regulatory agency.
B.Ignore the issue; the regulatory inspectors are better qualified to assess the danger.
C.Issue an interim report to the appropriate levels of management.
D.Note the issue in your working papers but do not report it.

Answer C is Correct.

Suspected wrongdoing should be reported to the appropriate levels of management (IIA Standard 2410
– Criteria for Communicating).

A Incorrect. Internal auditors are not responsible for notifying outside authorities of suspected
wrongdoing.

B Incorrect. The Standards require internal auditors to determine whether the organization is
complying with applicable laws.

D Incorrect. The Standards on due professional care require the reporting of violations of laws or
regulations, that is, wrongdoing.

55.The person responsible for audit report distribution should be:

A.The chief audit executive or designee.
B.The audit committee of the board of directors.
C.The vice president responsible for the area being audited.
D.The audit supervisor of the audit being performed.

Answer A is Correct.

The chief audit executive is the most appropriate individual to make the decision as to report
distribution (IIA Standard 2440 – Disseminating Results).

B Incorrect. This committee is a recipient of the reports.

C Incorrect. This individual would not be knowledgeable about potential recipients.

D Incorrect. This individual is an audit technician, engaged in the performance of the audit, not audit
administration.

56.An exit conference helps ensure that:

A.The objectives of the audit and the scope of the audit work are known by the auditee.
B.The auditee understands the audit program.
C.There have been no misunderstandings or misinterpretations of fact.
D.The list of persons who are to receive the final report is identified.

Answer C is Correct.

The clarification of matters of fact is one of the reasons for an exit interview with the auditee (IIA
Standard 2440 – Disseminating Results).

A Incorrect. Both audit objectives and the scope of audit work are properly covered with the auditee
during the preliminary survey.

B Incorrect. It is not important that the auditee understand the audit program.

D Incorrect. The identification of persons who are to receive the final report occurs much earlier than
the exit conference. With rare exceptions, the list is determined during the preliminary survey.

57.Which of the following is the most appropriate method of reporting disagreement between the
auditor and the auditee concerning audit findings and recommendations?

A.State the auditor's position because the report is designed to provide the auditor's independent view.
B.State the auditee's position because management is ultimately responsible for the activities reported.
C.State both positions and identify the reasons for the disagreement.
D.State neither position. If the disagreement ultimately is resolved, there will be no reason to report the
previous disagreement. If the disagreement is never resolved, the disagreement should not be reported,
because there is no mechanism to resolve it.

Answer C is Correct.

Both positions should be reported, and the reasons for the disagreement should be identified (IIA
Standard 2410 – Criteria for Communicating).

A Incorrect. Both positions should be reported, and the reasons for the disagreement should be
identified.

B Incorrect. Both positions should be reported, and the reasons for the disagreement should be
identified.

D Incorrect. Both positions should be reported, and the reasons for the disagreement should be
identified.

58.Which of the following best defines an audit opinion?

A.A summary of the significant audit findings.
B.The auditor's professional judgment of the situation that was reviewed.
C.Conclusions that must be included in the audit report.
D.Recommendations for corrective action.

Answer B is Correct.

The audit opinion is the auditor's professional judgment of the situation under review. It is based on the
audit findings (IIA Standard 2410 – Criteria for Communicating).

A Incorrect. While significant audit findings are summarized in the audit report, this choice does not
constitute an audit opinion. An audit opinion is the auditor's professional judgment of the situation
under review.

C Incorrect. The Standards do not require that audit reports include opinions. However, the opinion is a
desirable component of the audit report.

D Incorrect. Recommendations for corrective action are separate from the audit opinion, since the
opinion is the auditor's professional judgment of the situation.

59.The act of disclosing adverse information to someone within the organization but outside the
internal auditor's normal chain of command is called:

A.Internal whistleblowing.
B.External whistleblowing.
C.Public officials or ombudsman.
D.Special-purpose report.

Answer A is Correct.

In some situations, an internal auditor may face the dilemma of considering whether to communicate
the information to persons outside the normal chain of command or even outside the organization. This
communication is commonly referred to as whistleblowing. The act of disclosing adverse information
to someone within the organization but outside the internal auditor's normal chain of command is
considered internal whistleblowing (IIA Standard 2440 – Disseminating Results).

B Incorrect. Refer to the correct answer.

C Incorrect. Refer to the correct answer.

D Incorrect. Refer to the correct answer.

60.The act of disclosing adverse information to a government agency or other authority outside the
organization is called:

A.Internal whistleblowing.
B.External whistleblowing.
C.Public officials or ombudsman.
D.Special-purpose report.

Answer B is Correct.

In some situations, an internal auditor may face the dilemma of considering whether to communicate
the information to persons outside the normal chain of command or even outside the organization. This
communication is commonly referred to as whistleblowing. The act of disclosing adverse information
to a government agency or other authority outside the organization is considered external
whistleblowing (IIA Standard 2440 – Disseminating Results).

A Incorrect. Refer to the correct answer.

C Incorrect. Refer to the correct answer.

D Incorrect. Refer to the correct answer.

61.When public servants or citizens possess knowledge of illegal or unethical acts, appropriate
laws or regulations require them to do which of the following?

A.Consider internal whistleblowing.


B.Consider external whistleblowing.
C.Inform public officials or ombudsman.
D.Issue a special-purpose report.

Answer C is Correct.

Many jurisdictions have laws or regulations requiring public servants with knowledge of illegal or
unethical acts to inform an inspector general, other public official, or ombudsman. Some laws
pertaining to whistleblowing actions protect citizens if they come forward to disclose specific types of
improper activities (IIA Standard 2440 – Disseminating Results).

A Incorrect. Refer to the correct answer.

B Incorrect. Refer to the correct answer.

D Incorrect. Refer to the correct answer.

62.The chief audit executive may do which of the following based on an existing report or
information to make the report suitable for dissemination outside the organization?

A.Consider internal whistleblowing.
B.Consider external whistleblowing.
C.Inform public officials or ombudsman.
D.Issue a special-purpose report.

Answer D is Correct.

The internal audit activity's charter, the board's charter, organizational policies, or the engagement
agreement may contain guidance related to reporting information outside the organization. In certain
situations, it may be possible to create a special-purpose report based on an existing report or
information to make the report suitable for dissemination outside the organization (IIA Standard 2440 –
Disseminating Results).

A Incorrect. Refer to the correct answer.

B Incorrect. Refer to the correct answer.

C Incorrect. Refer to the correct answer.

63.An internal audit team recently completed an audit of the company's compliance with its lease
versus purchase policy concerning company automobiles. The audit report noted that the basis
for several decisions to lease rather than purchase automobiles had not been documented and
was not auditable. The report contained a recommendation that operating management ensure
that such lease agreements not be executed without proper documentation of the basis for the
decision to lease rather than buy. The internal auditors are about to perform follow-up work on
this audit report.
The primary purpose for performing a follow-up review is to:

A.Ensure timely consideration of the internal auditors' recommendations.
B.Ascertain that appropriate action was taken on reported findings.
C.Allow the internal auditors to evaluate the effectiveness of their recommendations.
D.Document what management is doing in response to the audit report, and close the audit file in a
timely manner.

Answer B is Correct.

This is what IIA Standard 2500 – Monitoring Progress requires.

A Incorrect. It is not the best answer. It implies that the auditor's recommendations, not the findings,
are the most important elements of the report.

C Incorrect. It is not the best choice. This implies that the auditor's recommendations, not findings, are
primary.

D Incorrect. This implies that processes in the internal auditing activity are primary.

64.An internal audit team recently completed an audit of the company's compliance with its lease
versus purchase policy concerning company automobiles. The audit report noted that the basis
for several decisions to lease rather than purchase automobiles had not been documented and
was not auditable. The report contained a recommendation that operating management ensure
that such lease agreements not be executed without proper documentation of the basis for the
decision to lease rather than buy. The internal auditors are about to perform follow-up work on
this audit report.
Assume that senior management has decided to accept the risk involved in failure to document
the basis for lease versus purchase decisions involving company automobiles. In such a case, what
would be the auditors' reporting obligation?

A.The auditors have no further reporting responsibility.
B.Management's decision and the auditors' concern should be reported to the company's board of
directors.
C.The auditors should issue a follow-up report to management clearly stating the rationale for the
recommendation that the basis for lease versus purchase decisions be properly documented.
D.The auditors should inform the external auditor and any responsible regulatory agency that no action
has been taken on the finding in question.

Answer A is Correct.

When senior management has assumed such risk, reporting to the board is required only for significant
findings (IIA Standard 2500 – Monitoring Progress). There is no indication that the failure to document
several decisions is significant enough to report to the board.

B Incorrect. There is no need to document management's decisions and auditors' concerns.

C Incorrect. Senior management has already indicated that it understands and has accepted the related
risk.

D Incorrect. Reporting to anyone outside the organization is not required or appropriate.

65.Auditors realize that at times corrective action is not taken even when agreed to by the
appropriate parties. This should lead an internal auditor to:

A.Decide the extent of necessary follow-up work.
B.Allow management to decide when to follow up, since it is management's ultimate responsibility.
C.Decide to conduct follow-up work only if management requests the auditor's assistance.
D.Write a follow-up audit report with all findings and their significance to the operations.

Answer A is Correct.

IIA Standard 2500 – Monitoring Progress states that the nature, timing, and extent of follow-up
should be determined by the director of internal auditing.

B Incorrect. IIA Standard 2500 – Monitoring Progress states that follow-up work is not management's
responsibility.

C Incorrect. IIA Standard 2500 – Monitoring Progress states that follow-up work is not
management's responsibility.

D Incorrect. The auditor has to provide an opinion as to the decision made with regard to lack of action.

66.Developing an audit finding involves comparing the condition to the relevant standard or
criterion. Which of the following choices best represents an appropriate standard or criterion to
support a finding?
I. A quality standard operating procedure (number and date) for the department.
II. An internal accounting control principle, cited and copied from a public accounting reference.
III. A sound business practice, based on the internal auditor's knowledge and experience obtained
during many audit assignments within the company.
IV. All of the above.

A.I.
B.II.
C.III.
D.IV.

Answer D is Correct.

Provided that the auditee agrees with the standard or criterion, any of the above choices is appropriate
(IIA Standard 2410 – Criteria for Communicating).

A Incorrect. Standard operating procedures are an appropriate source.

B Incorrect. Textbook references are appropriate authority for standards and criteria.

C Incorrect. Sound business practice is valid as a criterion as long as the auditee agrees.

67.Which of the following techniques is best for emphasizing a point in a written communication?

A.Place the point in the middle rather than at the beginning or end of the paragraph.
B.Use passive rather than active voice.
C.Highlight the point through the use of nonparallel structure.
D.Use a short sentence with one idea rather than a longer sentence with several ideas.

Answer D is Correct.

Long sentences with several ideas will create information overload and disguise the important point
(IIA Standard 2410—Criteria for Communicating).

A Incorrect. Placing it at the beginning or end of the paragraph best emphasizes the point.

B Incorrect. Use of the active voice best emphasizes the point.

C Incorrect. Parallel structure will emphasize the point better. Nonparallel structure usually will detract
from the point.

68.Which of the following statements conveys negative information in such a way that a favorable
response from the auditee may still be achieved?

A.Your bookkeeper has failed to reconcile the bank statement each month.
B.The bank statements have not been reconciled each month.
C.Unfortunately, your bookkeeper has not taken the time to reconcile the bank statement each month.
D.You have apparently failed to inform your bookkeeper that the bank statements should be reconciled
on a timely basis.

Answer B is Correct.

Using the passive version without placing blame or making the statement personal is more likely to
make the reader react positively (IIA Standard 2431—Engagement Disclosure of Nonconformance).

A Incorrect. Placing the blame and using words such as “failed” will make the individual react
negatively.

C Incorrect. Placing the blame in a manner that seems mean-spirited and using words such as
“unfortunately” will make the reader react negatively.

D Incorrect. Placing the blame on the reader and using words such as “failed” will make the reader
react negatively.

69.Although encouraged by IIA Standards, which of the following is not usually found in the
final internal audit reports?

A.Auditee's advanced responses whether valid or not.
B.Auditee's noteworthy accomplishments.
C.Auditee's corrective action plans.
D.Auditee's final comments prior to issuing the final audit report.

Answer B is Correct.

Noteworthy accomplishments are significant auditee accomplishments, identified during the audit and
within its scope, that should be included in the audit report along with deficiencies. Such
information is necessary to fairly present the situation the auditors found and to provide appropriate
balance to the report. In addition, inclusion of such accomplishments may lead to improved
performance by other department heads or managers who read the report. In practice, these
accomplishments are usually not found in final audit reports because their inclusion depends on the
auditor-in-charge, audit supervisor, or audit management (IIA Standard 2440 – Disseminating Results).

A Incorrect. When the auditee's advanced responses oppose the audit report's findings, conclusions, or
recommendations, and are not, in the auditors' opinion, valid, the auditors may choose to state their
reasons for rejecting them. Conversely, the auditors should modify their report if they find the
comments valid.

C Incorrect. The auditee's promise or plan for corrective action should be noted, but should not be
accepted as justification for dropping a significant finding or a related recommendation.

D Incorrect. The auditee's final comments should be objectively evaluated and recognized, as
appropriate, prior to issuing the final audit report.

70.The following information is to be included in a finding of an inventory control audit of a tent
and awning manufacturer. The issue relates to overstocked rope.
I. The quantity on hand at the time of the audit represented a 10-year supply based on normal
usage.
II. The company had held an open house of its new factory two months prior to the audit and
had used the rope to provide safety corridors through the plant for visitors. This was not
considered when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a one-month supply and is based on
usage during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next six
months.
V. The purchasing department should review inventory usage and inquire about any unusual
fluctuations before placing an order.
VI. A public warehouse, costing $500 per month, was required to store the rope.
vii. The purchasing agent receives an annual salary of $59,000.

Which of these statements should be in the criteria section of the finding?

A.II only.
B.III only.
C.III and IV only.
D.V only.

Answer C is Correct.

Both statements should be in the criteria section (IIA Standard 2410 – Criteria for Communicating).

A Incorrect. This should be reported in the cause section of the report.

B Incorrect. This is only one of two statements that should be reported in the criteria section.

D Incorrect. This should be in the recommendation section of the report.

71.The following information is to be included in a finding of an inventory control audit of a tent
and awning manufacturer. The issue relates to overstocked rope.
I. The quantity on hand at the time of the audit represented a 10-year supply based on normal
usage.
II. The company had held an open house of its new factory two months prior to the audit and
had used the rope to provide safety corridors through the plant for visitors. This was not
considered when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a one-month supply and is based on
usage during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next six
months.
V. The purchasing department should review inventory usage and inquire about any unusual
fluctuations before placing an order.
VI. A public warehouse, costing $500 per month, was required to store the rope.
VII. The purchasing agent receives an annual salary of $59,000.

Which of these statements should be in the condition section of the finding?

A.I only.
B.IV only.
C.VI only.
D.VII only.

Answer A is Correct.

This belongs in the condition section (IIA Standard 2410—Criteria for Communicating).

B Incorrect. This should be in the criteria section.

C Incorrect. This should be in the effect section.

D Incorrect. This should not be included in the report.

72.The following information is to be included in a finding of an inventory control audit of a tent
and awning manufacturer. The issue relates to overstocked rope.
I. The quantity on hand at the time of the audit represented a 10-year supply based on normal
usage.
II. The company had held an open house of its new factory two months prior to the audit and
had used the rope to provide safety corridors through the plant for visitors. This was not
considered when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a one-month supply and is based on
usage during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next six
months.
V. The purchasing department should review inventory usage and inquire about any unusual
fluctuations before placing an order.
VI. A public warehouse, costing $500 per month, was required to store the rope.
VII. The purchasing agent receives an annual salary of $59,000.

Which of these statements should be in the cause section of the finding?

A.I only.
B.II only.
C.VI only.
D.VII only.

Answer B is Correct.

This belongs in the cause section (IIA Standard 2410—Criteria for Communicating).

A Incorrect. This belongs in the condition section.

C Incorrect. This belongs in the effect section.

D Incorrect. This should not be included in the report.

73.The following information is to be included in a finding of an inventory control audit of a tent
and awning manufacturer. The issue relates to overstocked rope.
I. The quantity on hand at the time of the audit represented a 10-year supply based on normal
usage.
II. The company had held an open house of its new factory two months prior to the audit and had
used the rope to provide safety corridors through the plant for visitors. This was not considered
when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a one-month supply and is based on usage
during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next six months.
V. The purchasing department should review inventory usage and inquire about any unusual
fluctuations before placing an order.
VI. A public warehouse, costing $500 per month, was required to store the rope.
VII. The purchasing agent receives an annual salary of $59,000.

Which of these statements should be in the effect section of the finding?

A.II only.
B.III only.
C.V only.
D.VI only.

Answer D is Correct.

This belongs in the effect section (IIA Standard 2410—Criteria for Communicating).

A Incorrect. This belongs in the cause section.

B Incorrect. This belongs in the criteria section.

C Incorrect. This belongs in the recommendations section.

74.The following information is to be included in a finding of an inventory control audit of a tent
and awning manufacturer. The issue relates to overstocked rope.
I. The quantity on hand at the time of the audit represented a 10-year supply based on normal
usage.
II. The company had held an open house of its new factory two months prior to the audit and
had used the rope to provide safety corridors through the plant for visitors. This was not
considered when placing the last purchase order.
III. Rope is reordered when the inventory level reaches a one-month supply and is based on
usage during the previous 12 months.
IV. The quantity to be ordered should be adequate to cover expected usage for the next six
months.
V. The purchasing department should review inventory usage and inquire about any unusual
fluctuations before placing an order.
VI. A public warehouse, costing $500 per month, was required to store the rope.
VII. The purchasing agent receives an annual salary of $59,000.

Which of these statements should be in the recommendation section of the finding?

A.III only.
B.III and IV only.
C.V only.
D.VI only.

Answer C is Correct.

This belongs in the recommendation section (IIA Standard 2410—Criteria for Communicating).

A Incorrect. This belongs in the criteria section.

B Incorrect. These belong in the criteria section.

D Incorrect. This belongs in the effect section.

75.The internal audit department of a major financial institution completed an audit of the
company's derivatives trading operations in its foreign branch. The audit report was critical of
the lack of controls in the trading process and the lack of effective monitoring of successful
traders by the home office. The auditor suspected, but did not state, that the reason the home
office tolerated the behavior of the foreign branch trading unit was that the branch, and in
particular one individual trader, had been very successful. The success created enormous profits
and thereby influenced the bonuses of all members of senior management. After receiving the
audit report, senior management indicated that corrective action was under way. Based on the
imminent corrective action, the auditor did not report the finding to the audit committee.
Which of the following statements is (are) correct regarding the company's compensation system
and related bonuses?
I. The bonus system should be considered part of the control environment of the organization and
should be considered in formulating a report on internal control.
II. Compensation systems are not part of an organization's control system and should not be reported
as part of an organization's control system.
III. An audit of the compensation system should be performed independently of an audit of the
control system over the company's derivatives trading activities and should not be considered an
integral part of the derivatives audit.

A.I only.
B.II only.
C.III only.
D.II and III.

Answer A is Correct.

Compensation systems influence behavior and should be considered an integral part of an
organization's control structure. Thus, they should be considered an important part of the control
structure over derivatives trading (IIA Standard 2410—Criteria for Communicating).

B Incorrect. Although compensation or payroll audits are often conducted independently of the control
structure over related activities, the compensation system should be considered whenever the control
structure is evaluated.

C Incorrect. Although compensation or payroll audits are often conducted independently of the control
structure over related activities, the compensation system should be considered whenever the control
structure is evaluated.

D Incorrect. Both statements II and III are incorrect.


76.The internal audit department of a major financial institution completed an audit of the
company's derivatives trading operations in its foreign branch. The audit report was critical of
the lack of controls in the trading process and the lack of effective monitoring of successful
traders by the home office. The auditor suspected, but did not state, that the reason the home
office tolerated the behavior of the foreign branch trading unit was that the branch, and in
particular one individual trader, had been very successful. The success created enormous profits
and thereby influenced the bonuses of all members of senior management. After receiving the
audit report, senior management indicated that corrective action was under way. Based on the
imminent corrective action, the auditor did not report the finding to the audit committee.
Which of the following statements, if true, could have justified the auditor's decision not to report
the control concerns to the audit committee?

A.Management plans to initiate corrective action.
B.The board of directors has a separate committee to make recommendations on compensation.
C.The amounts of trading and the potential risks associated with the foreign branch are not material to
the overall organization.
D.Derivatives are complex, and the auditor should rely on management's analysis of the extent of the
problem.

Answer C is Correct.

The only justification for not reporting the items to the audit committee is the auditor's judgment that
the deficiency and the risks associated with it cannot be considered material (IIA Standard
2400—Communicating Results).

A Incorrect. Significant deficiencies in control should be reported to the audit committee even if
corrective action is planned.

B Incorrect. The compensation system influences employee behavior and is part of the control
environment. The auditor's reservations about its effect on the organization's control structure should be
communicated to the audit committee.

D Incorrect. Auditors should ensure they have adequate expertise to conduct an audit. Thus, the
complexity of the audit should have no bearing on the auditor's responsibilities.

77.An internal auditor has completed an audit of an organization's activities and is ready to issue
a report. However, the auditee disagrees with the internal auditor's conclusions. The auditor
should:

A.Withhold the issuance of the audit report until agreement on the issues is obtained.
B.Perform more work, with the auditee's concurrence, to resolve areas of disagreement. Delay the
issuance of the report until agreement is reached.
C.Issue the audit report and indicate that the auditee has provided a scope limitation that has led to a
difference as to the conclusions.
D.Issue the audit report and state both the auditor and auditee positions and the reasons for the
disagreement.

Answer D is Correct.

This would be consistent with IIA Standard 2400—Communicating Results.

A Incorrect. As long as the auditor is satisfied that the audit is completed, it would be inappropriate to
delay the issuance of the audit report. Further, agreement may never be obtained.

B Incorrect. The auditor is satisfied with the audit conclusions. There would be little justification for
expanding the audit work.

C Incorrect. The disagreement is not caused by a scope limitation.


78.According to the IIA Standards, reported audit findings emerge by a process of comparing
“what should be” with “what is.” In determining “what should be” during an audit of a
company's treasury function, which of the following would be the least desirable criteria against
which to judge current operations?

A.The operations of the treasury function as documented during the last audit.
B.Company policies and procedures delegating authority and assigning responsibilities.
C.Finance textbook illustrations of generally accepted good treasury function practices.
D.Codification of best practices of the treasury function in relevant industries.

Answer A is Correct.

Past practices may or may not have been at the level of best practices or may not have been in
compliance with company procedures. This would not be an appropriate criterion (IIA Standard
2400—Communicating Results).

B Incorrect. Company policies and procedures specify what should be a part of the treasury function's
operations.

C Incorrect. Generally accepted good practices usually can be found in leading textbooks describing
the field. The auditor should look to the finance discipline for a description of good practices.

D Incorrect. Industry identification of best practices can serve as relevant criteria for both the auditor
and the organization.

79.Which of the following is not a major purpose of an audit report?

A.Inform.
B.Get results.
C.Assign responsibility.
D.Persuade.

Answer C is Correct.

Assigning responsibility is a function of management (IIA Standard 2400—Communicating Results).

A Incorrect. This is a major purpose as per IIA Standard 2400—Communicating Results.

B Incorrect. This is a major purpose as per IIA Standard 2400—Communicating Results.

D Incorrect. This is a major purpose as per IIA Standard 2400—Communicating Results.

80.Which of the following would not be included in the statement of scope in an audit report?

A.Period covered by the audit.
B.Audit objectives.
C.Activities not audited.
D.Nature and extent of the auditing performed.

Answer B is Correct.

This should be included in the purpose section (IIA Standard 2400—Communicating Results).

A Incorrect. This should be included in the scope section (IIA Standard 2400—Communicating
Results).

C Incorrect. This should be included in the scope section (IIA Standard 2400—Communicating
Results).

D Incorrect. This should be included in the scope section (IIA Standard 2400—Communicating
Results).

81.Providing useful and timely information and promoting improvements in operations are goals
of internal auditors. To accomplish this in their reports, auditors should:

A.Provide top management with reports that emphasize the operational details of defective conditions.
B.Provide operating management with reports that emphasize general concerns and risks.
C.Provide information in written form before it is discussed with the auditee.
D.Provide reports that meet the expectations and perceptions of both operational and top management.

Answer D is Correct.

The audit report needs to address the expectations and perceptions of both top management and
operating management. As a result, it needs general concepts as well as details of operations (IIA
Standard 2400—Communicating Results).

A Incorrect. Top management can best perceive general concepts.

B Incorrect. Operating management can best perceive details of operations.

C Incorrect. Do not surprise auditees; discuss matters with them before they are reported.

82.An auditor has submitted a first draft of an audit report to an auditee in preparation for an
exit interview. The following is an excerpt from that report:
The audit was performed to accomplish several objectives:
• Verify the existence of unused machinery being stored in the warehouse.
• Determine whether machinery had been damaged during storage.
• Review the handling procedures being performed by personnel at the warehouse.
• Determine whether proper accounting procedures are being followed for machinery kept in
the warehouse.
• Calculate the current fair market value of warehouse inventories.
• Compare the total value of the machinery to company accounting records.

It was confirmed that, of the 30 machines selected from purchasing records for the sample, 13
were present on the warehouse floor and another 5 were on the loading dock ready for
conveyance to the production facility. Twelve others had been sent to the production facility at a
previous time. An examination of the accounting procedures used at the warehouse revealed the
failure by the warehouse accounting clerk to reconcile inventory records monthly, as required by
policy. A sample of 25 machines was examined for possible damage, and all but one was in good
condition. It was confirmed by the auditors that handling procedures outlined in the warehouse
policy manual appear to be adequate, and warehouse personnel apparently were following those
procedures, except for the examination of items being received for inventory.
When communicating with auditees, there exist both situational factors and message
characteristics that can damage the communication process. An auditor has only limited control
over situational factors but has substantial control over message characteristics.
Which of the following would seem to be a message characteristic that the auditor who prepared
the above report overlooked?

A.Sequence of message.
B.Nature of the audience.
C.Noise.
D.Prior encounters with the auditee.

Answer A is Correct.

Complex messages are more understandable if they follow a logical sequence. Thus, the sequence or
organization of the message is a characteristic that is within the control of the sender (IIA Standard
2400—Communicating Results).

B Incorrect. The nature of an audience is a situational factor that is outside the control of the auditor.

C Incorrect. Noise is a situational factor that interferes with the effective communication of intended
messages.

D Incorrect. The history of previous encounters is a situational factor that is outside the control of the
auditor.

83.A primary purpose of the closing conference is to:

A.Implement audit findings.
B.Gather audit evidence.
C.Resolve remaining issues.
D.Determine the scope of the audit.

Answer C is Correct.

A major purpose of the closing conference is to resolve remaining issues (IIA Standard
2230—Communicating Results).

A Incorrect. Audit findings are not implemented. Audit recommendations are implemented.

B Incorrect. Audit evidence is gathered prior to the closing conference.

D Incorrect. The engagement scope is determined prior to the closing conference.

84.An auditor has submitted a first draft of an audit report to an auditee in preparation for an
exit interview. The following is an excerpt from that report:
The audit was performed to accomplish several objectives.
• Verify the existence of unused machinery being stored in the warehouse.
• Determine whether machinery had been damaged during storage.
• Review the handling procedures being performed by personnel at the warehouse.
• Determine whether proper accounting procedures are being followed for machinery kept in
the warehouse.
• Calculate the current fair market value of warehouse inventories.
• Compare the total value of the machinery to company accounting records.

It was confirmed that, of the 30 machines selected from purchasing records for the sample, 13
were present on the warehouse floor and another 5 were on the loading dock ready for
conveyance to the production facility. Twelve others had already been sent to the production
facility at a previous time. An examination of the accounting procedures used at the warehouse
revealed the failure by the warehouse accounting clerk to reconcile inventory records monthly, as
required by policy. A sample of 25 machines was examined for possible damage, and all but one
was in good condition. It was confirmed by the auditors that handling procedures outlined in the
warehouse policy manual appear to be adequate, and warehouse personnel apparently were
following those procedures, except for the examination of items being received for inventory.
When communicating with auditees, there exist both situational factors and message
characteristics that can damage the communication process. An auditor has only limited control
over situational factors but has substantial control over message characteristics.
The following elements are usually included in final audit reports: purpose, scope, results,
conclusions, and recommendations. Which of the following describes all of the elements missing
from the above report?
A.Scope, conclusion, recommendation.
B.Purpose, result, recommendation.
C.Result, conclusion, recommendation.
D.Purpose, scope, recommendation.

Answer A is Correct.

While a portion of the scope is discussed (30 machines selected), the reader cannot recognize the
significance or insignificance of this number without knowing the total number of machines that could
have been selected. The value of the machinery is not given. Also, the conclusion or auditor's opinion
of the operation is not given, and the report does not make any recommendations (IIA Standard
2400—Communicating Results).

B Incorrect. The purpose or objective of the audit was clearly stated. Results of the audit were also
given.

C Incorrect. The purpose or objective of the audit was clearly stated. Results of the audit were also
given.

D Incorrect. The purpose or objective of the audit was clearly stated. Results of the audit were also
given.

85.Successful communication between the auditor and the auditee partially depends on achieving
appropriate emphasis so both parties are aware of the most important points in their discussion.
Which of the following approaches would provide the most emphasis in an audit report?

A.Graphics, repetition, and itemization.
B.Solid paragraphs and detailed appendices.
C.Calm discussion in a conversational tone.
D.Key points embedded in discussion.

Answer A is Correct.

Graphic illustrations, oral and written repetition such as summaries, and itemized lists (bulleted or
numbered) are good ways of emphasizing information in a report (IIA Standard 2440—Disseminating
Results).

B Incorrect. Long paragraphs may bury important information, and appendices hide it because readers
may not use them.

C Incorrect. Vocal emphasis comes from raising or lowering the projection of the voice to attract
attention to the idea being stated, not from keeping the voice even.

D Incorrect. Embedding ideas subordinates them rather than emphasizes them.

86.An internal auditor in a retail company reports to the corporate director of internal audit.
The auditor is assigned to audit a regional division. The audit reports are to be sent both to the
corporate office and the division controller in the region. The auditor has been on location for six
months and has submitted monthly reports, each month auditing a part of the operation as
assigned by corporate internal auditing. This month, for the first time, the auditor has audited
the inventory controls, following procedures established by the corporate internal auditing staff.

After seeing the audit report on inventory control, the divisional controller called and requested
a meeting with the auditor. At the meeting, the divisional controller loudly and abusively
criticized the accuracy of the auditor's work, the soundness of the auditor's methods, and the
results presented in the reports. In the past, while not always agreeing with the auditor's
conclusions, the divisional controller always had rational discussions and developed appropriate
follow-up steps to correct the problems the auditor found.

Despite never having said so, the divisional controller had always thought the auditor's work was
substandard. The divisional controller could have handled the situation better by:

A.Providing training on auditing of inventory controls so the auditor would do a better job the next
time.
B.Documenting shortcomings regularly and reporting them to the director of internal auditing.
C.Discussing the auditor's work with other internal auditors to compare the auditor's methods with
others used in the company.
D.Calling the corporate director of internal audit and insisting that the auditor be replaced.

Answer B is Correct.

Since the auditor does not report to the divisional controller, the divisional controller can help alleviate
the problem by making the director of internal audit aware of the perceived shortcomings (IIA Standard
2431—Engagement Disclosure of Nonconformance).

A Incorrect. Training on only one part of the job will not improve the rest of the internal audit reports.

C Incorrect. Good management involves dealing directly with problems, not gossiping about
employees within the company.

D Incorrect. Without awareness of previous problems, the director of internal audit will not fire the
auditor and may consider the controller's demand an unreasonable encroachment on corporate audit's
responsibilities.

87.An internal auditor in a retail company reports to the corporate director of internal audit.
The auditor is assigned to audit a regional division. The audit reports are to be sent both to the
corporate office and the division controller in the region. The auditor has been on location for six
months and has submitted monthly reports, each month auditing a part of the operation as
assigned by corporate internal auditing. This month, for the first time, the auditor has audited
the inventory controls, following procedures established by the corporate internal auditing staff.

After seeing the audit report on inventory control, the divisional controller called and requested
a meeting with the auditor. At the meeting, the divisional controller loudly and abusively
criticized the accuracy of the auditor's work, the soundness of the auditor's methods, and the
results presented in the reports. In the past, while not always agreeing with the auditor's
conclusions, the divisional controller always had rational discussions and developed appropriate
follow-up steps to correct the problems the auditor found.

The divisional controller could have handled the situation better by:

A.Accepting the report because the auditor has consistently done good work, and this one report is not
that important.
B.Accepting the report but informing the director of internal auditing that the report was unsatisfactory.
C.Changing the methods used by corporate audit.
D.Discussing the objections to the inventory report with the auditor to get agreement on changes and
appropriate additional work.

Answer D is Correct.

The divisional controller should not let anger create more problems. The controller should identify and
solve the actual work problems and retain good relations with the auditor (IIA Standard
2431—Engagement Disclosure of Nonconformance).

A Incorrect. If the auditor's work is not acceptable in this case, the auditor needs to know about it and
help to find the solution in order to learn from the process.

B Incorrect. The divisional controller should not go behind the auditor's back by bringing in someone
else. The auditor has done good work so far; the controller should deal directly with the problem.

C Incorrect. This is a usurpation of authority, and the divisional controller cannot implement such a
change.

88.An internal auditor in a retail company reports to the corporate director of internal audit.
The auditor is assigned to audit a regional division. The audit reports are to be sent both to the
corporate office and the division controller in the region. The auditor has been on location for six
months and has submitted monthly reports, each month auditing a part of the operation as
assigned by corporate internal auditing. This month, for the first time, the auditor has audited
the inventory controls, following procedures established by the corporate internal auditing staff.
After seeing the audit report on inventory control, the divisional controller called and requested
a meeting with the auditor. At the meeting, the divisional controller loudly and abusively
criticized the accuracy of the auditor's work, the soundness of the auditor's methods, and the
results presented in the reports. In the past, while not always agreeing with the auditor's
conclusions, the divisional controller always had rational discussions and developed appropriate
follow-up steps to correct the problems the auditor found.
If the internal auditor believes the criticism is completely unjustified, the auditor should:

A.Ask the divisional controller to identify specific areas of disagreement and document them in the
management response section of the audit report.
B.Confront the divisional controller just as loudly to communicate that the auditor can be just as
aggressive and can survive in the corporate environment.
C.Offer to personally rewrite the report and develop the follow-up steps to correct the inventory
problems to show the accuracy of the work.
D.Ignore the divisional controller's response.

Answer A is Correct.

Specific comments will both help revise the report and defuse the potentially explosive interpersonal
situation (IIA Standard 2431—Engagement Disclosure of Nonconformance).

B Incorrect. Confrontation will not solve the internal audit problem. The auditor's personality is not an
issue here, but the auditor's work apparently is; the auditor, therefore, should focus on finding out
specifically what is wrong.

C Incorrect. This response will weaken the auditor's ability to continue doing audits, because the
auditee has intimidated the auditor.

D Incorrect. Unless the auditor finds out what specifically the divisional controller thinks is wrong, the
auditor will not be able to decide whether the controller's objections are justified.

89.An internal auditor in a retail company reports to the corporate director of internal audit.
The auditor is assigned to audit a regional division. The audit reports are to be sent both to the
corporate office and the division controller in the region. The auditor has been on location for six
months and has submitted monthly reports, each month auditing a part of the operation as
assigned by corporate internal auditing. This month, for the first time, the auditor has audited
the inventory controls, following procedures established by the corporate internal auditing staff.
After seeing the audit report on inventory control, the divisional controller called and requested
a meeting with the auditor. At the meeting, the divisional controller loudly and abusively
criticized the accuracy of the auditor's work, the soundness of the auditor's methods, and the
results presented in the reports. In the past, while not always agreeing with the auditor's
conclusions, the divisional controller always had rational discussions and developed appropriate
follow-up steps to correct the problems the auditor found.
This particular audit was not the auditor's best work, and the auditor realizes this. The auditor
should:

A.Defend the work now and try to improve it in the future.
B.Ask the divisional controller to identify specific areas in which the report is deficient, and, if the
objections are justified, revise the report.
C.Explain the personal problems that kept the auditor from working as hard on this report as could be
expected.
D.Ask for time off for training in the weak areas.

Answer B is Correct.

Asking for specific objections will improve both the auditor's work and the working relationship with
the divisional controller by defusing this situation (IIA Standard 2431—Engagement Disclosure of
Nonconformance).

A Incorrect. If the auditor really needs to make changes to the report, eventually they will have to be
made, and the divisional controller may ask someone else to make them if the auditor refuses to admit
any mistakes.

C Incorrect. The issue here is work, not personal problems.

D Incorrect. Again, the issue here is work and getting it done. The auditor should find out what specific
areas need work, revise the report, and apply for related training when it is next available.

90.The following information is extracted from a draft of an audit report prepared on the
completion of an audit of the inventory warehousing procedures for a division.
Findings
[#5]
We performed extensive tests of inventory record keeping and quantities on hand. Based on our
tests, we have concluded that the division carries a large quantity of excess inventory,
particularly in the area of component parts. We expect this to be due to the conservatism of local
management that does not want to risk shutting down production if the goods are not on hand.
However, as noted earlier in this report, the excess inventory has led to a higher-than-average
level of obsolete inventory write-downs at this division. We recommend that production forecasts
be established, along with lead times for various products, and used in conjunction with
economic order quantity concepts to order and maintain appropriate inventory levels.
[#6]
We observed that receiving reports were not filled out when the receiving department became
busy. Instead, the receiving manager would fill out the reports after work and forward them to
accounts payable. There is a risk that all items received might not be recorded or that failing to
initially record might result in some items being diverted to other places. During our tests, we
noted many instances in which accounts payable had to call to receiving to obtain a receiving
report. We recommend that receiving reports be prepared.
[#7]
Inventory is messy. We recommend that management communicate the importance of orderly
inventory management techniques to warehouse personnel to avoid the problems noted earlier
about (1) locating inventory when needed for production and (2) incurring unusually large
amounts of inventory write-offs because of obsolescence.
[#8]
We appreciate the cooperation of divisional management. We intend to discuss our findings with
them and follow up by communicating your reaction to those recommendations included within
this report. Given additional time for analysis, we feel there are substantial opportunities
available for significant cost savings and we are proud to be a part of the process.
A major deficiency in paragraph #5 related to the completeness of the audit report is:

A.There is no indication of the potential cause of the problem.
B.The report does not contain criteria by which the concept of excessive inventory is judged.
C.The report does not adequately describe the potential effect of the conditions noted.
D.The recommendations are not required and are not appropriate, given the nature of the problem
identified.

Answer B is Correct.

An audit report dealing with findings should discuss the criteria, the conditions found, the cause, and
the effect of the findings. Recommendations may also be included, where appropriate. Paragraph #5 is
silent on the criteria the auditor used in determining that the division had excessive levels of inventory
(IIA Standard 2410—Criteria for Communicating).

A Incorrect. There is a brief discussion of the cause of the problem as being due to divisional
management's conservative nature in avoiding risks of shutdowns.

C Incorrect. The report discusses the effect as one leading to unusually large levels of inventory
write-downs because of obsolescence.
D Incorrect. The recommendations are logically derived from the findings and represent an approach
that should be considered by management. Recommendations may be included, where appropriate, in
audit reports.

91.The following information is extracted from a draft of an audit report prepared on the
completion of an audit of the inventory warehousing procedures for a division.
Findings
[#5]
We performed extensive tests of inventory record keeping and quantities on hand. Based on our
tests, we have concluded that the division carries a large quantity of excess inventory,
particularly in the area of component parts. We expect this to be due to the conservatism of local
management that does not want to risk shutting down production if the goods are not on hand.
However, as noted earlier in this report, the excess inventory has led to a higher-than-average
level of obsolete inventory write-downs at this division. We recommend that production forecasts
be established, along with lead times for various products, and used in conjunction with
economic order quantity concepts to order and maintain appropriate inventory levels.
[#6]
We observed that receiving reports were not filled out when the receiving department became
busy. Instead, the receiving manager would fill out the reports after work and forward them to
accounts payable. There is a risk that all items received might not be recorded or that failing to
initially record might result in some items being diverted to other places. During our tests, we
noted many instances in which accounts payable had to call to receiving to obtain a receiving
report. We recommend that receiving reports be prepared.
[#7]
Inventory is messy. We recommend that management communicate the importance of orderly
inventory management techniques to warehouse personnel to avoid the problems noted earlier
about (1) locating inventory when needed for production and (2) incurring unusually large
amounts of inventory write-offs because of obsolescence.
[#8]
We appreciate the cooperation of divisional management. We intend to discuss our findings with
them and follow up by communicating your reaction to those recommendations included within
this report. Given additional time for analysis, we feel there are substantial opportunities
available for significant cost savings and we are proud to be a part of the process.
A major writing problem in paragraph #5 is:

A.The use of potentially emotional words, such as “conservatism” of local management.
B.The presentation of findings before recommendations. The report would have more impact if
recommendations were made before the findings are discussed.
C.The specific identification of “component parts” may be offensive to the personnel responsible for
those parts and may reflect negatively on them.
D.The reference to other parts of the audit report citing excessive inventory write-downs for
obsolescence is not appropriate. If there is a problem, it should all be discussed within the context of
the specific audit finding.

Answer A is Correct.

The auditor should avoid using emotionally charged words since doing so might create an unexpected,
and negative, reaction from the auditee. The types of actions and attitudes of divisional management
could have been adequately described as a cause without the use of the emotionally charged word (IIA
Standard 2410—Criteria for Communicating).

B Incorrect. The excerpt is from the findings part of the audit report, not the management executive
summary. Thus, it is appropriate to present the findings, and the basis for the findings, before
presenting the auditor's recommendations.

C Incorrect. Given that the auditor has a basis for making the observation about component parts, it is
appropriate to do so, since it presents specifics on which both senior management and divisional
management can focus action.
D Incorrect. The problem of excessive inventory has been noted in relationship to this finding. As long
as the dollar amounts of excessive write-downs have been noted earlier in the report, it is appropriate to
refer to that section for more detail.

92.The following information is extracted from a draft of an audit report prepared on the
completion of an audit of the inventory warehousing procedures for a division.
Findings
[#5]
We performed extensive tests of inventory record keeping and quantities on hand. Based on our
tests, we have concluded that the division carries a large quantity of excess inventory,
particularly in the area of component parts. We expect this to be due to the conservatism of local
management that does not want to risk shutting down production if the goods are not on hand.
However, as noted earlier in this report, the excess inventory has led to a higher-than-average
level of obsolete inventory write-downs at this division. We recommend that production forecasts
be established, along with lead times for various products, and used in conjunction with
economic order quantity concepts to order and maintain appropriate inventory levels.
[#6]
We observed that receiving reports were not filled out when the receiving department became
busy. Instead, the receiving manager would fill out the reports after work and forward them to
accounts payable. There is a risk that all items received might not be recorded or that failing to
initially record might result in some items being diverted to other places. During our tests, we
noted many instances in which accounts payable had to call to receiving to obtain a receiving
report. We recommend that receiving reports be prepared.
[#7]
Inventory is messy. We recommend that management communicate the importance of orderly
inventory management techniques to warehouse personnel to avoid the problems noted earlier
about (1) locating inventory when needed for production and (2) incurring unusually large
amounts of inventory write-offs because of obsolescence.
[#8]
We appreciate the cooperation of divisional management. We intend to discuss our findings with
them and follow up by communicating your reaction to those recommendations included within
this report. Given additional time for analysis, we feel there are substantial opportunities
available for significant cost savings and we are proud to be a part of the process.
A major deficiency in paragraph #6 related to the completeness of the audit report is:

A.The factual evidence for the audit finding is not given.
B.The cause of the problem is not defined.
C.The risk is presented in an overdramatic fashion.
D.The recommendation is incomplete.

Answer D is Correct.

The recommendation given is not complete. Receiving reports are being prepared, but they are not
being prepared on a timely basis, or concurrently with the receipt of the goods. The recommendation
needs to be more detailed (IIA Standard 2410—Criteria for Communicating).

A Incorrect. The factual evidence comes from observation.

B Incorrect. The cause of the problem (or at least the excuse given by the receiving department) is
noted. The receiving department does not prepare concurrent receiving reports when it is busy.

C Incorrect. This is a well-known risk, and the auditor is not overdramatic in factually detailing the
result that might occur if the control deficiency is not adequately addressed.

93.The following information is extracted from a draft of an audit report prepared on the
completion of an audit of the inventory warehousing procedures for a division.
Findings
[#5]
We performed extensive tests of inventory record keeping and quantities on hand. Based on our
tests, we have concluded that the division carries a large quantity of excess inventory,
particularly in the area of component parts. We expect this to be due to the conservatism of local
management that does not want to risk shutting down production if the goods are not on hand.
However, as noted earlier in this report, the excess inventory has led to a higher-than-average
level of obsolete inventory write-downs at this division. We recommend that production forecasts
be established, along with lead times for various products, and used in conjunction with
economic order quantity concepts to order and maintain appropriate inventory levels.
[#6]
We observed that receiving reports were not filled out when the receiving department became
busy. Instead, the receiving manager would fill out the reports after work and forward them to
accounts payable. There is a risk that all items received might not be recorded or that failing to
initially record might result in some items being diverted to other places. During our tests, we
noted many instances in which accounts payable had to call to receiving to obtain a receiving
report. We recommend that receiving reports be prepared.
[#7]
Inventory is messy. We recommend that management communicate the importance of orderly
inventory management techniques to warehouse personnel to avoid the problems noted earlier
about (1) locating inventory when needed for production and (2) incurring unusually large
amounts of inventory write-offs because of obsolescence.
[#8]
We appreciate the cooperation of divisional management. We intend to discuss our findings with
them and follow up by communicating your reaction to those recommendations included within
this report. Given additional time for analysis, we feel there are substantial opportunities
available for significant cost savings and we are proud to be a part of the process.
A major deficiency in paragraph #7 related to the completeness of the audit report is:

A.There is not a separate section adequately discussing the risks associated with the audit finding.
B.The recommendation does not follow from the findings. The recommendation could have been
reached without any audit findings.
C.The condition for the audit finding is not clearly explained.
D.The reference to other parts of the audit report citing excessive inventory write-downs for
obsolescence is not appropriate. If there is a problem, it should all be discussed within the context of
the specific audit finding.

Answer C is Correct.

The description used is that inventory is “messy,” but “messy” is a word that does not clearly convey
the condition (IIA Standard 2410—Criteria for Communicating).

A Incorrect. The risks are pointed out, in some detail, to management.

B Incorrect. The recommendation is logically presented. The problem is that the author has mixed a
finding and a cause.

D Incorrect. The problem of excessive inventory has been noted in relationship to this finding. As long
as the dollar amounts of excessive write-downs have been noted earlier in the report, it is appropriate to
refer to that section for more detail.

94.The following information is extracted from a draft of an audit report prepared on the
completion of an audit of the inventory warehousing procedures for a division.
Findings
[#5]
We performed extensive tests of inventory record keeping and quantities on hand. Based on our
tests, we have concluded that the division carries a large quantity of excess inventory,
particularly in the area of component parts. We expect this to be due to the conservatism of local
management that does not want to risk shutting down production if the goods are not on hand.
However, as noted earlier in this report, the excess inventory has led to a higher-than-average
level of obsolete inventory write-downs at this division. We recommend that production forecasts
be established, along with lead times for various products, and used in conjunction with
economic order quantity concepts to order and maintain appropriate inventory levels.
[#6]
We observed that receiving reports were not filled out when the receiving department became
busy. Instead, the receiving manager would fill out the reports after work and forward them to
accounts payable. There is a risk that all items received might not be recorded or that failing to
initially record might result in some items being diverted to other places. During our tests, we
noted many instances in which accounts payable had to call to receiving to obtain a receiving
report. We recommend that receiving reports be prepared.
[#7]
Inventory is messy. We recommend that management communicate the importance of orderly
inventory management techniques to warehouse personnel to avoid the problems noted earlier
about (1) locating inventory when needed for production and (2) incurring unusually large
amounts of inventory write-offs because of obsolescence.
[#8]
We appreciate the cooperation of divisional management. We intend to discuss our findings with
them and follow up by communicating your reaction to those recommendations included within
this report. Given additional time for analysis, we feel there are substantial opportunities
available for significant cost savings and we are proud to be a part of the process.
A major deficiency in paragraph #8 is:
I. The nature of the follow-up action is inappropriate.
II. The findings have not been discussed with division management before they are presented
to upper management.
III. The cost savings mentioned are not supported in the report.
A.I only.
B.II only.
C.III only.
D.I, II, and III.

Answer D is Correct.

All of the items are problems (deficiencies) with the paragraph as it is currently written (IIA Standard
2410—Criteria for Communicating).

A Incorrect. This is a partial answer. It is a major deficiency.

B Incorrect. This is a partial answer. It is a major deficiency.

C Incorrect. This is a partial answer. It is a major deficiency.

95.The auditor completed work on a segment of the audit program. It was clear that a problem
existed that would require a modification of the organization's distribution procedures. The
auditee agreed and has implemented revised procedures. The internal auditor should:

A.Research the problem and recommend in the audit report measures that should be taken.
B.Jointly develop and report an appropriate recommendation.
C.Report the problem and assume that management will take appropriate action.
D.Indicate in the audit report that the auditee determined and implemented corrective action.

Answer D is Correct.

The other choices are possible actions. However, this choice will appeal to the auditee's esteem needs
by crediting the auditee in the audit report with the determination and implementation of the corrective
action (IIA Standard 2400—Communicating Results).

A Incorrect. Refer to the correct answer.

B Incorrect. While this is part of the solution, the crediting in the report of the auditee's action responds
to the auditee's needs.

C Incorrect. Refer to the correct answer.


96.An audit report relating to an audit of a bank categorizes findings into “deficiency findings”
for major problems and “other areas for improvement” for less serious problems. Which of the
following excerpts would properly be included under “other areas for improvement”?

A.Many secured loans did not contain hazard insurance coverage for tangible property collateral.
B.Loan officers also prepare the cashier's checks for disbursement of the loan proceeds.
C.The bank is incurring unnecessary postage cost by not combining certain special mailings to
checking account customers with the monthly mailing of their statements.
D.At one branch a large amount of cash was placed on a portable table behind the teller lines.

Answer C is Correct.

This appears to be more a matter of operating efficiency than an internal control weakness or violation
of bank policy (IIA Standard 2400—Communicating Results).

A Incorrect. This appears to be a serious violation of a standard bank policy. Destruction of uninsured
collateral by fire or other catastrophe could easily result in significant uncollectible loan losses.

B Incorrect. This is a violation of the fundamental internal control concept of separation of duties and
could result in major employee defalcations.

D Incorrect. This is a violation of the fundamental internal control concepts relating to access to assets
and accountability and could result in cash shortages that would be impossible to pin down.

97.The following is the complete text of a deficiency finding included in the internal audit report
for a bank: The late charges were waived on an excessive number of delinquent installment loan
payments at the Spring Street Branch. We were informed that an officer does not approve late
charge waivers. Approximately $5,000 per year in revenues is being lost. In order to provide a
better control over late charges waived and loss of income, we recommend that a lending officer
be responsible for waiving late charges and that this approval be in writing.
Which of the following elements of a deficiency finding is not properly addressed?
A.Criteria or standards.
B.Condition.
C.Cause.
D.Effect.

Answer A is Correct.

“Excessive” is a subjective term. The finding would be more complete if it indicated the percentage of
late payments on which late charges were waived at the Spring Street Branch compared to a standard
percentage or the average percentage at other locations (IIA Standard 2410—Criteria for
Communicating).

B Incorrect. The condition is the fact that an excessive number of late charges are being waived.

C Incorrect. The cause is the fact that approval by an officer is not required.

D Incorrect. The effect is the annual loss of $5,000 of revenues.

98.An auditor for a bank noted a significant deficiency relating to access to cash in the bank's
vault at one of the branch banks. Which of the following is the most satisfactory means of
addressing this deficiency? The auditor should:

A.Discuss the deficiency with the branch manager before drafting the written audit report. If the auditor
and branch manager agree on corrective action and the action is initiated before the report is published,
the deficiency need not be included in the report.
B.Discuss the deficiency with the branch manager before drafting the written audit report. If the auditor
and branch manager agree on corrective action, include both the deficiency and corrective action in the
audit report.
C.Discuss the deficiency with the branch manager only after the audit report is published.
D.Not discuss the deficiency with the branch manager before or after the audit report is published;
discussion may dilute the impact of the written report.

Answer B is Correct.

This approach takes nothing away from the auditor, and it builds a problem-solving partnership
between the auditor and the branch manager (IIA Standard 2400—Communicating Results).

A Incorrect. Top management should be made aware of significant deficiencies that have existed, even
though they may have been corrected by the time the audit report is issued.

C Incorrect. Discussion prior to issuing the report helps ensure that there have been no
misunderstandings or misinterpretations of fact and provides the branch manager the opportunity to
clarify specific items.

D Incorrect. Discussion prior to issuing the report helps ensure that there have been no
misunderstandings or misinterpretations of fact and provides the branch manager the opportunity to
clarify specific items.

99.Several levels of management are interested in the results of the marketing department audit.
What is the best method of communicating the results of the audit?

A.Write detailed reports for each level of management.
B.Write a report to the marketing management and give summary reports to other management levels.
C.Discuss results with marketing management and issue a summary report to top management.
D.Discuss results with all levels of management.

Answer B is Correct.

A written report should be issued after completion of an audit. The report should be addressed to the
level of management capable of agreeing to and correcting deficiencies noted in the report. Top
management should be aware of internal audit's activities and any major deficiencies noted. This could
be accomplished in a discussion or in a summary report (IIA Standard 2400—Communicating Results).

A Incorrect. A written report should be issued after completion of an audit. However, writing detailed
reports for each level of management is not an efficient use of an auditor's time. A summary report for
top management could be issued along with a detailed report for the appropriate operational level of
management.

C Incorrect. Conclusions and recommendations should be discussed with the appropriate levels of
management, but an audit report should still be issued.

D Incorrect. Conclusions and recommendations should be discussed with the appropriate levels of
management, but an audit report should still be issued.

100.An auditor has submitted a first draft of an audit report to an auditee in preparation for an
exit interview. The following is an excerpt from that report: The audit was performed to
accomplish several objectives: verify the existence of unused machinery being stored in the
warehouse, determine whether machinery had been damaged during storage, review the
handling procedures being performed by personnel at the warehouse, determine whether proper
accounting procedures are being followed for machinery kept in the warehouse, calculate the
current fair market value of warehouse inventories, and compare the total value of the
machinery to company accounting records. It was confirmed that of the 30 machines selected
from purchasing records for the sample, 10 were present on the warehouse floor and another 5
were on the loading dock ready for conveyance to the production facility. Twelve others had
already been sent to the production facility at a previous time. An examination of the accounting
procedures used at the warehouse revealed the failure by the warehouse accounting clerk to
reconcile inventory records monthly, as required by policy. A sample of 25 machines was
examined for possible damage, and all but one was in good condition. It was confirmed by the
auditors that handling procedures outlined in the warehouse policy manual appear to be
adequate, and warehouse personnel apparently were following those procedures, except for the
examination of items being received for inventory.
When communicating with auditees, both situational factors and message characteristics can
damage the communication process. An auditor has only limited control over situational factors
but has substantial control over message characteristics.
Which of the following would seem to be a message characteristic that the auditor who prepared
the above report overlooked?

A.Sequence of message.
B.Nature of the audience.
C.Noise.
D.History of prior events leading to the current encounter.

Answer A is Correct.

Complex messages are more understandable if they follow a logical sequence. Thus, the sequence or
organization of the message is a characteristic that is within the control of the sender (IIA Standard
2400—Communicating Results).

B Incorrect. The nature of an audience is a situational factor that is outside the control of the auditor.

C Incorrect. Noise is a situational factor that interferes with the effective communication of intended
messages.

D Incorrect. The history of previous encounters is a situational factor that is outside the control of the
auditor.

101.An auditor has submitted a first draft of an audit report to an auditee in
preparation for an exit interview. The following is an excerpt from that report:
The audit was performed to accomplish several objectives: verify the existence of
unused machinery being stored in the warehouse, determine whether machinery
had been damaged during storage, review the handling procedures being
performed by personnel at the warehouse, determine whether proper accounting
procedures are being followed for machinery kept in the warehouse, calculate
the current fair market value of warehouse inventories, and compare the total
value of the machinery to company accounting records. It was confirmed that of
the 30 machines selected from purchasing records for the sample, 10 were
present on the warehouse floor and another 5 were on the loading dock ready for
conveyance to the production facility. Twelve others had already been sent to the
production facility at a previous time. An examination of the accounting
procedures used at the warehouse revealed the failure by the warehouse
accounting clerk to reconcile inventory records monthly, as required by policy. A
sample of 25 machines was examined for possible damage, and all but one was in
good condition. It was confirmed by the auditors that handling procedures
outlined in the warehouse policy manual appear to be adequate, and warehouse
personnel apparently were following those procedures, except for the
examination of items being received for inventory.
When communicating with auditees, both situational factors and message
characteristics can damage the communication process. An auditor has only
limited control over situational factors but has substantial control over message
characteristics.
The objectives of an audit report are to inform and to influence. Whether these
objectives are met depends on the clarity of the writing. Which of the following
principles of report clarity was violated in the above audit report?
A.Appropriately organize the report.
B.Keep most sentences short and simple.
C.Use active voice verbs.
D.All of the answer options.

The Answer D Is Correct


All of the listed principles of report clarity were violated in the audit report (IIA
Standard 2400—Communicating Results).

A.Incorrect. The report is not organized in a clear and concise manner.
B.Incorrect. The opening sentence is 73 words, while the next sentence is 37 words.
C.Incorrect. There are at least two passive sentences.

102.An auditor has submitted a first draft of an audit report to an auditee in
preparation for an exit interview. The following is an excerpt from that report:
The audit was performed to accomplish several objectives: verify the existence of
unused machinery being stored in the warehouse, determine whether machinery
had been damaged during storage, review the handling procedures being
performed by personnel at the warehouse, determine whether proper accounting
procedures are being followed for machinery kept in the warehouse, calculate
the current fair market value of warehouse inventories, and compare the total
value of the machinery to company accounting records. It was confirmed that of
the 30 machines selected from purchasing records for the sample, 10 were
present on the warehouse floor and another 5 were on the loading dock ready for
conveyance to the production facility. Twelve others had already been sent to the
production facility at a previous time. An examination of the accounting
procedures used at the warehouse revealed the failure by the warehouse
accounting clerk to reconcile inventory records monthly, as required by policy. A
sample of 25 machines was examined for possible damage, and all but one was in
good condition. It was confirmed by the auditors that handling procedures
outlined in the warehouse policy manual appear to be adequate, and warehouse
personnel apparently were following those procedures, except for the
examination of items being received for inventory.
When communicating with auditees, both situational factors and message
characteristics can damage the communication process. An auditor has only
limited control over situational factors but has substantial control over message
characteristics.
The following elements are usually included in final audit reports: purpose,
scope, results, conclusions, and recommendations. Which of the following
describes all of the elements missing from the above report?

A.Scope, conclusion, recommendation.
B.Purpose, result, recommendation.
C.Result, conclusion, recommendation.
D.Purpose, scope, recommendation.

The Answer A Is Correct


While a portion of the scope is discussed (30 machines selected), the reader cannot
recognize the significance or insignificance of this sample without knowing the total
number of machines that could have been selected. The value of the machinery is not
given. Also, the conclusion or auditor's opinion of the operation is not given, and the
report does not make any recommendations (IIA Standard 2400—Communicating
Results).
B.Incorrect. The purpose or objective of the audit was clearly stated. Results of the
audit were also given.
C.Incorrect. Results of the audit were also given.
D.Incorrect. The purpose or objective of the audit was clearly stated.

103.An auditor has submitted a first draft of an audit report to an auditee in
preparation for an exit interview. The following is an excerpt from that report:
The audit was performed to accomplish several objectives: verify the existence of
unused machinery being stored in the warehouse, determine whether machinery
had been damaged during storage, review the handling procedures being
performed by personnel at the warehouse, determine whether proper accounting
procedures are being followed for machinery kept in the warehouse, calculate
the current fair market value of warehouse inventories, and compare the total
value of the machinery to company accounting records. It was confirmed that of
the 30 machines selected from purchasing records for the sample, 10 were
present on the warehouse floor and another 5 were on the loading dock ready for
conveyance to the production facility. Twelve others had already been sent to the
production facility at a previous time. An examination of the accounting
procedures used at the warehouse revealed the failure by the warehouse
accounting clerk to reconcile inventory records monthly, as required by policy. A
sample of 25 machines was examined for possible damage, and all but one was in
good condition. It was confirmed by the auditors that handling procedures
outlined in the warehouse policy manual appear to be adequate, and warehouse
personnel apparently were following those procedures, except for the
examination of items being received for inventory.
When communicating with auditees, both situational factors and message
characteristics can damage the communication process. An auditor has only
limited control over situational factors but has substantial control over message
characteristics.
The behavioral science literature identifies diffusion as an effective approach to
resolving conflict. An auditor effectively using diffusion in working with a
confrontational auditee would:

A.Set aside critical issues temporarily and try to reach agreement on less controversial
issues first.
B.Emphasize differences between the parties.
C.Avoid the conflict situation.
D.Identify the sources of conflict and address them directly.

The Answer A Is Correct


Diffusion involves setting aside the conflict situation and concentrating on less
controversial issues (IIA Standard 2400—Communicating Results).

B.Incorrect. Under diffusion, differences are downplayed.


C.Incorrect. Avoiding the conflict situation would be an example of an avoidance
approach, not a diffusion approach.
D.Incorrect. Directly addressing the sources of conflict would be an example of a
confrontation approach, not a diffusion approach.

104.An internal audit director has noticed that staff auditors are presenting
more oral reports to supplement written reports. The best reason for the
increased use of oral reports by the auditors is that they:

A.Reduce the amount of testing required to support audit findings.
B.Can be delivered in an informal manner without preparation.
C.Can be prepared using a flexible format, thereby increasing overall audit efficiency.
D.Permit auditors to counter arguments and provide additional information that the
audience may require.

The Answer D Is Correct

Oral reports permit auditors to counter arguments and provide additional information
that the audience may require. Since oral reports evoke face-to-face responses, the
auditors can provide an immediate response to any auditee objections or provide
additional information as appropriate (IIA Standard 2400—Communicating Results).

A.Incorrect. The amount of testing required to support audit findings is unrelated to
the use of oral reports. Whether findings are reported through oral or written reports,
they still must be adequately supported.
B.Incorrect. Even though audit reports are delivered orally, they still should be
prepared carefully. Poorly planned and delivered oral reports will be difficult for the
audience to follow and may create unnecessary misunderstandings.
C.Incorrect. The format of the report will depend on the audience. Factors to consider
in delivering reports, both written and oral, may include the background and
expectations of the audience as well as the time available. Since oral reports do not
eliminate the need for a final report, overall audit efficiency is not affected.

105.When making a presentation to management, the auditor wants to report
findings and to stimulate action. These objectives are best accomplished by:

A.Delivering a lecture on the findings.
B.Showing a series of slides or overheads that graphically depict the findings; limit
verbal commentary.
C.Using slides/overheads to support a discussion of major points.
D.Handing out copies of the report, asking participants to read the report, and asking
for questions.

The Answer C Is Correct

This method of “show and tell” results in the most retention of information: 85% of
the information is remembered after three hours and 65% is remembered after three
days (IIA Standard 2440—Disseminating Results).

A.Incorrect. According to research, observers will remember only 70% of the
information after three hours and 10% after three days.
B.Incorrect. Research indicates that observers will remember only 72% of information
after three hours and 20% after three days.
D.Incorrect. This is the equivalent of a “show” without the “tell.” Observers can be
expected to remember 72% of the information after three hours and 20% after three
days.

106.In which section of the final report should the internal auditor describe the
audit objectives?

A.Purpose.
B.Scope.
C.Criteria.
D.Condition.

The Answer A Is Correct

“Purpose statements should describe the audit objectives” per IIA Standard
2410—Criteria for Communicating.

B.Incorrect. “Scope statements should identify the audited activities and include,
where appropriate, supportive information such as time period audited. Related
activities not audited should be identified if necessary to delineate the boundaries of
the audit. The nature and extent of auditing performed also should be described.” This
requirement does not include a statement of audit objectives.
C.Incorrect. “Criteria: The standards, measures or expectations used in making an
evaluation and/or verification (what should exist).” This requirement does not include
a statement of audit objectives.
D.Incorrect. “Condition: The factual evidence, which the internal auditor found in the
course of the examination (what does exist).” This requirement does not include a
statement of audit objectives.

107.An internal auditor can use oral reports to:

A.Give immediate information to management and more accurately exchange
thoughts with a face-to-face discussion.
B.Report interim findings more efficiently by eliminating the preparation time for a
written report.
C.Eliminate the need for a lengthy final report by reaching verbal agreement on the
handling of significant findings with the auditee.
D.Impress the auditee with a polished presentation using graphics to enhance the
credibility of audit findings.

The Answer A Is Correct

Oral reports give immediate response to management and are a more accurate form of
communication since they provide visual feedback of the auditee's responses and
questions and make immediate two-way communication possible (IIA Standard
2400—Communicating Results).

B.Incorrect. Oral reports must be presented with the same preparation and care as
written reports if the auditor is to have credibility with the auditee.
C.Incorrect. Agreements on significant audit findings should be formalized in the
final report.
D.Incorrect. In an oral report, the auditor should focus on the ideas being presented,
not on a flashy presentation, which would be excessive for the audience or the subject
matter.

108.Summary written audit reports are generally intended for:

A.Local operating management.
B.Review by other auditors only.
C.High-level management and/or the audit committee.
D.Midlevel staff management.

The Answer C Is Correct

Summary written reports are generally intended for audit committees of boards of
directors and/or higher-level management (IIA Standard 2400—Communicating
Results).

A.Incorrect. Summary written reports contain insufficient detail for local operating
management.
B.Incorrect. No document classified as an audit report is restricted to auditors only.
D.Incorrect. Summary written reports contain insufficient detail for midlevel staff
management.

109.An oral audit report may be most appropriate when:

A.A permanent record of the report is needed.
B.Emergency action is needed.
C.Higher-level management needs a summary of individual audits.
D.It is used only for internal reporting within the internal auditing department.

The Answer B Is Correct

Oral reports allow a response to emergency action needs (IIA Standard
2400—Communicating Results).

A.Incorrect. Oral reports do not provide a permanent record of the report.
C.Incorrect. A summary of individual audits is best presented in a summary written
report.
D.Incorrect. Questionnaire-type reports are normally used for internal reporting
within the internal auditing department.

110.An audit report recommendation should address what attribute of an audit
finding?

A.Cause.
B.Statement of condition.
C.Criteria.
D.Effect.

The Answer A Is Correct

Cause provides the answer to the question “Why?” and should be the basis for
corrective action (IIA Standard 2410—Criteria for Communicating).

B.Incorrect. A statement of condition simply describes “what is” to serve as a basis
for comparison with a given criteria.
C.Incorrect. Criteria describe “what should be” and are compared to the statement of
condition.
D.Incorrect. Effect addresses the importance of a finding.

111.Which of the following is a proper element in an audit results section of a
report?

A.Status of findings from prior reports.
B.Personnel used.
C.Significance of deficiencies.
D.Engagement plan.

The Answer C Is Correct

The significance of deficiencies from prescribed procedures is an audit finding and
belongs in the audit findings section of the report (IIA Standard
2400—Communicating Results).

A.Incorrect. This is not part of audit findings but comes later in the report.
B.Incorrect. This is not an audit finding.
D.Incorrect. The engagement plan precedes the audit findings report.

112.After an audit report with adverse findings has been communicated to
appropriate auditee personnel, proper action is to:

A.Schedule a follow-up review.
B.Implement corrective action indicated by the findings.
C.Examine further the data supporting the findings.
D.Assemble new data to support the findings.

The Answer A Is Correct

This is appropriate action, so that lack of follow-up action, if any, can be noted on the
next audit report (IIA Standard 2400—Communicating Results).

B.Incorrect. It is not ordinarily the responsibility of the auditor to implement
corrective action.
C.Incorrect. Data have already been examined.
D.Incorrect. Data have already been assembled.

113.The scope statement of an audit report should:

A.Describe the audit objectives and tell the reader why the audit was conducted.
B.Identify the audited activities and describe the nature and extent of auditing
performed.
C.Define the standards, measures, or expectations used in evaluating audit findings.
D.Communicate the internal auditor's evaluation of the effect of the findings on the
activities reviewed.

The Answer B Is Correct

Audited activities, time period audited, related activities not audited, and the nature
and extent of auditing performed may all be appropriately included in the scope
statement (IIA Standard 2400—Communicating Results).

A.Incorrect. Audit objectives and the reason for conducting the audit are described in
the purpose statement.
C.Incorrect. The standards, measures, or expectations used in evaluating audit
findings are attributes of findings that emerge during the review of the activities
identified in the scope statement.
D.Incorrect. The internal auditor's evaluation of the effect of the findings on the
activities reviewed is properly presented in the conclusion or results section of the
audit report.

114.In beginning an audit, an internal auditor reviews written procedures that
detail segregation of duties adopted by management to strengthen internal
controls. These written procedures should be viewed as the following attribute of
a finding:

A.Criteria.
B.Condition.
C.Cause.
D.Effect.

The Answer A Is Correct

The written procedures represent the standard against which an audit finding
concerning segregation of responsibility would be measured. This standard is the
condition that should exist (IIA Standard 2410—Criteria for Communicating).

B.Incorrect. Condition is the factual evidence that the internal audit gathers in the
course of the audit work. It represents what does exist.
C.Incorrect. Cause is the reason why the condition observed is different from the
criteria established.
D.Incorrect. Effect measures the impact on the organization of the condition being
different from the criteria.

115.Interim reports are issued during an audit to:

A.Explain the purpose of the audit.
B.Eliminate the need for a final report.
C.Communicate information requiring immediate attention.
D.Define the scope of the audit so the final report can be brief.

The Answer C Is Correct

Interim reports can be used to report to management significant findings that require
immediate attention (IIA Standard 2400—Communicating Results).

A.Incorrect. The purpose of the audit is formally defined in the final report and is
discussed with the auditee's management prior to beginning the audit.
B.Incorrect. The issuance of interim reports does not diminish or eliminate the need
for a final report.
D.Incorrect. The scope of the audit cannot be formally defined until the final report
since interim findings may alter the scope during the audit.

116.A senior member of management who is several organizational levels above
the head of the operational area being audited has asked for a report of the
findings of the audit. The most appropriate means of communicating audit
findings to this senior member of management is by:

A.Sending a copy of the final audit report.
B.Orally communicating the findings.
C.Sending copies of interim reports.
D.Sending the summary section of the report.

The Answer D Is Correct

The summary report will serve as a useful tool for the senior management member.
This tool will allow him or her to review quickly the major findings of the audit and
to delve into more detail on those parts that are of interest (IIA Standard
2440—Disseminating Results).

A.Incorrect. Senior members of management have enormous demands on their time.
The final report will almost certainly have more detailed information than a senior
management member will want to review.
B.Incorrect. Oral communications will not give a senior manager a written record to
use as a basis for further action.
C.Incorrect. Interim reports typically address specific segments of the audit and will
not present the overview needed by a senior manager.

117.Recommendations in audit reports may or may not actually be implemented.
Which of the following best describes internal auditing's role in follow-up on
audit recommendations? Internal auditing:

A.Has no role; follow-up is management's responsibility.
B.Should be charged with the responsibility for implementing audit
recommendations.
C.Should follow up to ascertain that appropriate action is taken on audit
recommendations.
D.Should request that independent auditors follow up on audit recommendations.

The Answer C Is Correct

This is what IIA Standard 2500—Monitoring Progress requires.

A.Incorrect. Internal auditing has some follow-up responsibility.
B.Incorrect. This would make internal auditing part of management and cause loss of
independence.
D.Incorrect. This responsibility cannot be passed to the independent auditor.

118.An internal auditor found that employees in the maintenance department
were not signing their time cards. This situation also existed during the last audit.
The auditor should:

A.Include this finding in the current audit report.
B.Ask the manager of the maintenance department to assume the resulting risk.
C.Withhold conclusions about payroll internal control in the maintenance department.
D.Instruct the employees to sign their time cards.

The Answer A Is Correct

This situation needs corrective action, and management should be made aware that it
still exists (IIA Standard 2500—Monitoring Progress).

B.Incorrect. This is not within the internal auditor's authority, and it would not
remedy the situation. The auditor would ascertain whether higher-level management
has decided to assume the resulting risk, however.
C.Incorrect. The audit report must contain conclusions regarding payroll internal
control in the maintenance department.
D.Incorrect. This would place the internal auditor in the position of supervising
maintenance department employees.

119.Which one of the following elements of an audit report is not always
required?

A.A statement that describes the audit objectives.
B.A statement that identifies the audited activities.
C.Pertinent statements of fact.
D.An evaluation of the impact of the findings on the activities reviewed.

The Answer D Is Correct

The evaluation of the impact of audit findings on audited activities is the statement of
conclusions (opinions). A statement of conclusions (opinions) is required only where
appropriate (IIA Standard 2450—Overall Opinions).

A.Incorrect. The description of the audit objectives is the statement of purpose. A
statement of purpose is always required.
B.Incorrect. The identification of audited activities is the statement of scope. A
statement of scope is always required.
C.Incorrect. The listing of pertinent facts is the statement of findings. A statement of
findings is always required.

120.An internal auditing department is conducting an audit of the payroll and
accounts receivable departments. Significant problems related to the approval of
overtime have been noted. While the audit is still in process, which of the
following audit reports is appropriate?

A.A summary report.
B.A written report.
C.A questionnaire-type report.
D.An oral report.

The Answer D Is Correct

An oral report is appropriate as an interim audit report when significant problems are
discovered (IIA Standard 2400—Communicating Results).

A.Incorrect. A summary report is an abbreviated explanation of major audit findings.
It is generally submitted to top management and the audit committee of the board of
directors.
B.Incorrect. A written report is required for each audit, but it is not used to get
immediate action.
C.Incorrect. A questionnaire-type report is normally used within the internal auditing
department. It has a limited range of value.

121.During an audit of sales representatives' travel expenses, it was discovered
that 152 of 200 travel advances issued to sales representatives in the past year
exceeded the prescribed maximum amount allowed. Which of the following
statements is a justifiable audit opinion?

A.The majority of travel advances in the organization exceed the prescribed
maximum.
B.Travel advances are not controlled in accordance with existing policy.
C.The prescribed maximum travel advance is too low.
D.76% of all travel advances exceed the management-prescribed maximum.

The Answer B Is Correct

This statement puts the findings in perspective based on the overall implications. It
provides a capsule comment on the conditions found (IIA Standard 2450—Overall
Opinions).

A.Incorrect. The statement is not consistent with an overall opinion. It is a statement
of condition.
C.Incorrect. This is a possible cause or explanation for the problem and not
legitimately part of the auditor's opinion.
D.Incorrect. This is information used to prove a point or finding. It is a statement of
condition and is not appropriate for an audit opinion.

122.The following data were gathered during an internal auditor's investigation
of the reason for a material increase in bad debts expenses. In preparing a report
of the finding, each of the items might be classified as criteria, cause, condition,
effect, or background information.

1. Very large orders require management's approval of credit.
2. Audit tests showed that sales personnel regularly disregard credit guidelines when
dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the accounting
department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could increase
by 5% for the current year.
6. The bad debts loss increased by $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of
bad-debt write-offs, the loss of commissions due to written-off accounts has
increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new
accounts.
9. Current payment records are to be reviewed before extending additional credit to
open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several
occasions.
11. Since several staff positions in the credit department were eliminated to reduce
costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit policy
is not necessary.

Criteria are best illustrated by items numbered:

A.1, 8, and 9.
B.2, 10, and 11.
C.3, 4, and 12.
D.5, 6, and 7.

The Answer A Is Correct

These items are the standards, what the credit department is supposed to do (IIA
Standard 2410—Criteria for Communicating).

B.Incorrect. These items are not the standards.
C.Incorrect. These items are not the standards.
D.Incorrect. These items are not the standards.

123.The following data were gathered during an internal auditor's investigation
of the reason for a material increase in bad debts expenses. In preparing a report
of the finding, each of the items might be classified as criteria, cause, condition,
effect, or background information.

1. Very large orders require management's approval of credit.
2. Audit tests showed that sales personnel regularly disregard credit guidelines
when dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the accounting
department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could
increase by 5% for the current year.
6. The bad debts loss increased by $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of
bad-debt write-offs, the loss of commissions due to written-off accounts has
increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new
accounts.
9. Current payment records are to be reviewed before extending additional credit
to open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several
occasions.
11. Since several staff positions in the credit department were eliminated to reduce
costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit
policy is not necessary.

Cause is best illustrated by items numbered:

A.2, 10, and 11.
B.3, 4, and 12.
C.5, 6, and 7.
D.1, 8, and 9.

The Answer B Is Correct

These items best explain why the deviation from the standards occurred (IIA Standard
2410—Criteria for Communicating).

A.Incorrect. These items are not the standards.
C.Incorrect. These items are not the standards.
D.Incorrect. These items are not the standards.

124.The following data were gathered during an internal auditor's investigation
of the reason for a material increase in bad debts expenses. In preparing a report
of the finding, each of the items might be classified as criteria, cause, condition,
effect, or background information.

1. Very large orders require management's approval of credit.
2. Audit tests showed that sales personnel regularly disregard credit guidelines
when dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the
accounting department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could
increase by 5% for the current year.
6. The bad debts loss increased by $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of
bad-debt write-offs, the loss of commissions due to written-off accounts has
increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new
accounts.
9. Current payment records are to be reviewed before extending additional
credit to open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several
occasions.
11. Since several staff positions in the credit department were eliminated to
reduce costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit
policy is not necessary.

Condition is best illustrated by items numbered:

A.5, 6, and 7.
B.1, 8, and 9.
C.2, 10, and 11.
D.3, 4, and 12.

The Answer C Is Correct

These items show what is occurring and result from the observations, analysis, or
verification of the internal auditor (IIA Standard 2410—Criteria for Communicating).

A.Incorrect. These items do not show what is occurring.
B.Incorrect. These items do not show what is occurring.
D.Incorrect. These items do not show what is occurring.

125.The following data were gathered during an internal auditor's investigation
of the reason for a material increase in bad debts expenses. In preparing a report
of the finding, each of the items might be classified as criteria, cause, condition,
effect, or background information.

1. Very large orders require management's approval of credit.
2. Audit tests showed that sales personnel regularly disregard credit guidelines
when dealing with established customers.
3. A monthly report of write-offs is prepared but distributed only to the
accounting department.
4. Credit reports are used only on new accounts.
5. Accounting department records suggest that uncollectible accounts could
increase by 5% for the current year.
6. The bad debts loss increased by $100,000 during the last fiscal year.
7. Even though procedures and criteria were changed to reduce the amount of
bad-debt write-offs, the loss of commissions due to written-off accounts has
increased for some sales personnel.
8. Credit department policy requires the review of credit references for all new
accounts.
9. Current payment records are to be reviewed before extending additional
credit to open accounts.
10. To reduce costs, the use of outside credit reports was suspended on several
occasions.
11. Since several staff positions in the credit department were eliminated to
reduce costs, some new accounts have received only cursory review.
12. According to the new credit manager, strict adherence to established credit
policy is not necessary.

Effect is best illustrated by items numbered:

A.3, 4, and 12.
B.5, 6, and 7.
C.1, 8, and 9.
D.2, 10, and 11.

The Answer B Is Correct

These items describe the real or potential impact (effect) according to the standards
(IIA Standard 2410—Criteria for Communicating).

A.Incorrect. These items do not comply with the standards.
C.Incorrect. These items do not comply with the standards.
D.Incorrect. These items do not comply with the standards.

126.Audit fieldwork has identified a number of significant findings. Additional
audit tests from the original audit program still have to be performed; however,
data are not readily available. Evaluate the following and select the best
alternative.

A.Do not issue the audit report until all testing has been completed.
B.Issue an interim report to management regarding the negative findings noted.
C.Identify other alternative tests to complete prior to reporting the audit findings.
D.Perform audit tests when the final data is available.

The Answer B Is Correct

An interim report should be submitted to management (IIA Standard
2400—Communicating Results).

A.Incorrect. Significant audit findings should be communicated to management.
C.Incorrect. Significant audit findings should be communicated to management with
mention of other tests to be performed.
D.Incorrect. Significant audit findings should be reported without delay for final audit
testing.

127.Upon reviewing the results of the audit report with the audit committee,
executive management agreed to accept the risk of not implementing corrective
action on certain audit findings. Evaluate the following and select the best
alternative for the internal auditing director.

A.Notify regulatory authorities of management's decision.
B.Perform additional audit steps to further identify the policy violations.
C.Conduct a follow-up audit to determine whether corrective action was taken.
D.Internal audit responsibility has been discharged, and no further audit action is
required.

The Answer D Is Correct

Audit responsibility has been fulfilled (IIA Standard 2600—Communicating the
Acceptance of Risks).

A.Incorrect. Regulatory authorities do not need to be notified since management has
agreed to accept responsibility and no regulatory violations were mentioned.
B.Incorrect. No further audit action is required.
C.Incorrect. No further audit action is required.

128.The internal auditing department for a chain of retail stores recently
concluded an audit of sales adjustments in all stores in the southeast region. The
audit revealed that several stores are costing the company an estimated $85,000
per quarter in duplicate credits to customers' charge accounts.
The audit report, published eight weeks after the audit was concluded, included
the internal auditors' recommendations to store management that should
prevent duplicate credits to customers' accounts. Which of the following
standards for reporting has been disregarded in the above case?

A.The follow-up actions were not adequate.
B.The auditors should have implemented appropriate corrective action as soon as the
duplicate credits were discovered.
C.Auditor recommendations should not be included in the report.
D.The report was not timely.

The Answer D Is Correct

The report, which was not published until eight weeks after the audit was concluded,
was not issued in a timely fashion, given the significance of the findings and the need
for prompt, effective action (IIA Standard 2420—Quality of Communications).

A.Incorrect. There is not enough information to evaluate the effectiveness of
follow-up.
B.Incorrect. Auditors may properly make recommendations for potential
improvements but should not implement corrective action.
C.Incorrect. Auditor recommendations are one of the recommended elements of an
audit finding.

129.An audit finding is worded as follows: The capital budget includes funds to
purchase 11 new vehicles. Review of usage records showed that 10 vehicles in the
fleet of 70 had been driven less than 2,500 miles during the past year. Vehicles
have been assigned to different groups whose usage rates have varied greatly.
There was no policy requiring rotation of vehicles between high- and low-usage
groups. Lack of criteria for assigning vehicles and a system for monitoring their
usage could lead to purchasing unneeded vehicles.
Based on the facts presented in this finding, it would be appropriate to
recommend that management:

A.Establish a minimum of 2,500 miles per quarter as criteria for assigning vehicles to
user groups.
B.Establish a system to rotate vehicles among users periodically.
C.Delay the proposed vehicle purchases until the apparent excess capacity is
adequately explained or absorbed.
D.Withhold approval of the capital budget until other projects can be reviewed by
internal auditing.

The Answer C Is Correct

This would be an appropriate recommendation (IIA Standard 2400—Communicating
Results).

A.Incorrect. Specific criteria would not be an appropriate recommendation.
B.Incorrect. This would not be an appropriate recommendation; it would require
further analysis.
D.Incorrect. This would be excessive, given the results of the audit just completed.

130.An audit of a company's payroll department has revealed various control
weaknesses. These weaknesses along with recommendations for corrective
actions were addressed in the internal audit report. This report should be most
useful to the company's:

A.Treasurer.
B.Audit committee of the board of directors.
C.Payroll manager.
D.President.

The Answer C Is Correct

Control weaknesses over the payroll function should be most useful to the payroll
manager because this is the individual who is directly responsible for this department
(IIA Standard 2400—Communicating Results).

A.Incorrect. Control weaknesses in a company's payroll department would not be
most useful to the treasurer because he or she is not responsible for taking corrective
action for weaknesses in that department.
B.Incorrect. The audit committee of the board of directors would not have a direct
interest in a report dealing with weaknesses over the payroll function, and thus, such a
report would not be most useful to such individuals.
D.Incorrect. A company's president is responsible for the overall operations of the
company. Accordingly, control weaknesses over payroll would not be most useful to
such an individual.

131.The IIA Standards require that the director of internal auditing or designee
decide to whom the final audit report will be distributed. Findings concerning
significant internal control weakness are included in an audit report on the
accounts payable system of a company whose securities are publicly traded. The
director of internal auditing has chosen to send copies of this audit report to the
audit committee and the external auditor. Which of the following is the most
likely reason for distributing copies to the audit committee and the external
auditor?

A.The audit committee and external auditor are normally sent copies of all internal
audit reports as a courtesy.
B.The audit committee and external auditor will need to take corrective action on the
deficiency findings.
C.The activities of the audit committee and external auditor may be affected because
of the potential for misstated financial statements.
D.A regulatory agency's guidelines require such distribution.

The Answer C Is Correct

This is in accordance with the IIA Standards, which state: “Reports may also be
distributed to other interested or affected parties such as external auditors or the audit
committee.” The potential for misstated financial statements created by the internal
control deficiencies should be of interest to the audit committee and the external
auditors (IIA Standard 2440—Disseminating Results).

A.Incorrect. Normal distribution is to department heads of units audited and others in
a position to take corrective action or ensure that corrective action is taken.
B.Incorrect. Operating management takes corrective action.
D.Incorrect. There is no such requirement.

132.An operational audit report that deals with the scrap disposal function in a
manufacturing company should address:

A.The efficiency and effectiveness of the scrap disposal function and include any
findings requiring corrective action.
B.Whether the scrap material inventory is reported as a current asset.
C.Whether the physical inventory count of the scrap material agrees with the recorded
amount.
D.Whether the scrap material inventory is valued at the lower of cost or market.

The Answer A Is Correct

An operational audit report should inform management about the efficiency and
effectiveness of the given operations and should discuss findings requiring corrective
action (IIA Standard 2400—Communicating Results).

B.Incorrect. An operational audit report should address the propriety of the function
being audited rather than the valuation of the item being audited.
C.Incorrect. An operational audit report should address the propriety of the function
being audited rather than agreement between the records and the items being audited.
D.Incorrect. An operational audit report of the scrap disposal function would not
address the valuation of the scrap material inventory at the lower of its cost or market.

133.The internal auditing unit has recently completed an operational audit of its
company's accounts payable function. The audit director decided to issue a
summary report in conjunction with the final report. Who would be the most
likely recipient(s) of just the summary audit report?

A.Accounts payable manager.
B.External auditor.
C.Controller.
D.Audit committee of the board of directors.

The Answer D Is Correct

According to the IIA Standards, “Summary reports highlighting audit results may be
appropriate for levels of management above the head of the audited unit.” (IIA
Standard 2440—Disseminating Results.)

A.Incorrect. The accounts payable manager would be best served by receiving a copy
of the full final audit report.
B.Incorrect. The external auditor would receive a copy of the full final audit report.
C.Incorrect. The controller, like the accounts payable manager, would need a copy of
the full final report so that details of deficiencies are known and so audit
recommendations may be implemented.

134.Which of the following is not an advantage of issuing an interim report?

A.Final report-writing time can be minimized.
B.An interim report allows information requiring immediate attention to be
communicated.
C.An interim report can be conducted on an informal basis and may be communicated
only verbally.
D.A formal, written interim report may negate the need for a final report in certain
circumstances.

The Answer D Is Correct

According to the IIA Standards, the use of interim reports does not diminish or
eliminate the need for a final report (IIA Standard 2400—Communicating Results).

A.Incorrect. The interim report can minimize report-writing time.
B.Incorrect. Improved communication is an advantage.
C.Incorrect. Per the IIA Standards, interim reports may be written or oral and may be
transmitted formally or informally.

135.During the course of an audit of cash handling, the auditor notices that
considerable cash is stored overnight in a work area that has ready access from a
busy street. Furthermore, there is no security system or any armed guard in the
vicinity. When discussed with the appropriate manager, the auditor is informed,
“We have never experienced a robbery or loss of cash from this fund; why
should we spend unnecessary amounts to improve security?” The auditor
should:

A.Make a verbal interim report. In the final report, concentrate on the corrective
measures to be taken.
B.Explain all the facts but allow management the opportunity to tell its story so that
corrective action is more likely to be adopted.
C.Since the company has never suffered any losses from the cash-handling procedures,
there is no need to report the finding.
D.Widely distribute the report; this is a big problem that everyone in the company
needs to know about.

The Answer A Is Correct

Since this is very confidential information that could be detrimental to the welfare of
the employer, it is not advisable to include these details in the formal audit report. The
final report should concentrate on corrective actions needed and avoid unnecessary
details that could expose employees to a robbery. A verbal interim report could
effectively sell the danger and importance of immediate action in this matter (IIA
Standard 2400—Communicating Results).

B.Incorrect. While this is a good approach on most findings, it is not satisfactory here
because of the high exposure to theft and danger to employees. Therefore, immediate
corrective action and a low profile are dictated.
C.Incorrect. It shows a lack of good judgment bordering on incompetence. The lack of
loss is the product of pure luck and not any internal control system.
D.Incorrect. This is unacceptable because it does not react quickly enough to a
dangerous situation, and a full disclosure of this weakness could represent real danger
to company employees and heighten the chances that a theft would occur.

136.Certain information may not be appropriate for disclosure to all report
recipients because it is privileged, proprietary, or related to improper or illegal
acts. If conditions being reported involve improper acts of a senior manager, the
report should be distributed to:

A.The external auditor.
B.The board of directors.
C.The stockholders.
D.Senior management.

The Answer B Is Correct

The board of directors should receive the report (IIA Standard 2440—Disseminating
Results).

A.Incorrect. The report should not go to the external auditor and bypass the chain of
command.
C.Incorrect. The report should not go to stockholders.
D.Incorrect. The report should not go to senior management since they may be
involved.

137.Which of the following individuals would normally not receive an internal
auditing report related to a review of the purchasing cycle?

A.The director of purchasing.
B.The independent external auditor.
C.The general auditor.
D.The chairman of the board of directors.

The Answer D Is Correct

The board chairman would not normally receive a copy (IIA Standard
2440—Disseminating Results).

A.Incorrect. The director of purchasing should receive a copy.
B.Incorrect. The external auditor should receive a copy.
C.Incorrect. The general auditor should receive a copy.

138.An excerpt from an audit finding indicates that travel advances exceeded
prescribed maximum amounts. Company policy provides travel funds to
authorized employees for travel. Advances are not to exceed 45 days of
anticipated expenses. Company procedures do not require justification for large
travel advances. Employees can and do accumulate large, unneeded advances.
The cause of the above audit finding is:

A.Company advance procedures do not require specific justification.
B.Company policy provides travel funds to authorized employees.
C.Employees accumulate large travel advances.
D.Travel advances have not been cleared in a timely manner.

The Answer A Is Correct

The cause of the finding is that advance procedures do not require specific
justification (IIA Standard 2410—Criteria for Communicating).

B.Incorrect. Policy provides for advances only to authorized employees.
C.Incorrect. Accumulating large travel advances is the effect of the audit finding.
D.Incorrect. Not clearing travel advances in a timely manner is the effect of the audit
finding.

139.An excerpt from an audit finding indicates that travel advances exceeded
prescribed maximum amounts. Company policy provides travel funds to
authorized employees for travel. Advances are not to exceed 45 days of
anticipated expenses. Company procedures do not require justification for large
travel advances. Employees can and do accumulate large, unneeded advances.
In the above audit finding, the element of an audit finding known as condition is:

A.Advances are not to exceed estimated expenses for 45 days.
B.Employees accumulate large unneeded advances.
C.Procedures do not require justification for large advances.
D.Travel advances exceeded prescribed maximum amounts.

The Answer D Is Correct

“Travel advances exceeded prescribed maximum amounts” is the condition (IIA
Standard 2410—Criteria for Communicating).

A.Incorrect. “Advances are not to exceed estimated expenses for 45 days” represents
a criterion.
B.Incorrect. “Employees accumulate large advances” is the effect.
C.Incorrect. The cause of the finding is that procedures do not require specific
justification.

140.An internal auditor observed that assembly line personnel without protective
clothing were being exposed to dangerous chemicals. The auditor should
immediately notify management through the use of a(n):

A.Summary written report.
B.Formal written report.
C.Follow-up report.
D.Oral report.

The Answer D Is Correct

An oral report is appropriate for a situation that requires emergency action. Of course,
a written report should follow (IIA Standard 2400—Communicating Results).

A.Incorrect. A summary written report summarizes various written reports filed in a
specific period.
B.Incorrect. A formal written report is issued at the completion of the audit. This
hazardous situation requires immediate action.
C.Incorrect. The auditor should file a follow-up report on this situation later. However,
management must be alerted about the situation now.

141.An audit report with routine findings in the accounts payable department is
being issued. Distribution should include the accounts payable supervisor,
manager, and unit general manager. It may also be sent to the:

A.External auditors and the corporate controller.
B.Unit purchasing manager and the operations director.
C.Unit receiving manager, the purchasing manager, and the operations director.
D.External auditors, the corporate controller, and the chairman of the board of
directors.

The Answer A Is Correct

The report may be distributed to other interested or affected parties (IIA Standard
2440—Disseminating Results).

B.Incorrect. The purchasing manager and operations director would not be interested
or affected by a report with only routine findings in another department.
C.Incorrect. The purchasing manager and operations director would not be interested
or affected by a report with only routine findings in another department.
D.Incorrect. A report with routine findings does not warrant being sent to the
chairman of the board of directors.

142.An internal audit team recently completed an audit of the company's
compliance with its lease-versus-purchase policy concerning company
automobiles. The audit report noted that the basis for several decisions to lease
rather than purchase automobiles had not been documented and was not
auditable. The report contained a recommendation that operating management
ensure that such lease agreements not be executed without proper
documentation of the basis for the decision to lease rather than buy. The internal
auditors are about to perform follow-up work on this audit report.
The primary purpose for performing a follow-up review is to:

A.Ensure timely consideration of the internal auditors' recommendations.
B.Ascertain that appropriate action was taken on reported findings.
C.Allow the internal auditors to evaluate the effectiveness of their recommendations.
D.Document what management is doing in response to the audit report and close the
audit file in a timely manner.

The Answer B Is Correct

This is what IIA Standard 2500—Monitoring Progress requires.

A.Incorrect. This is not the best answer. It implies that the auditor's recommendations,
not the findings, are the most important elements of the report.
C.Incorrect. This is not the best choice. This implies that the auditor's
recommendations, not findings, are primary.
D.Incorrect. This implies that processes in the internal auditing activity are primary.

143.An internal audit team recently completed an audit of the company's
compliance with its lease-versus-purchase policy concerning company
automobiles. The audit report noted that the basis for several decisions to lease
rather than purchase automobiles had not been documented and was not
auditable. The report contained a recommendation that operating management
ensure that such lease agreements not be executed without proper
documentation of the basis for the decision to lease rather than buy. The internal
auditors are about to perform follow-up work on this audit report.
Assume that senior management has decided to accept the risk involved in
failure to document the basis for lease-versus-purchase decisions involving
company automobiles. In such a case, what would be the auditors' reporting
obligation?

A.The auditors have no further reporting responsibility.
B.Management's decision and the auditors' concern should be reported to the
company's board of directors.
C.The auditors should issue a follow-up report to management clearly stating the
rationale for the recommendation that the basis for lease-versus-purchase decisions be
properly documented.
D.The auditors should inform the external auditor and any responsible regulatory
agency that no action has been taken on the finding in question.

The Answer A Is Correct

When senior management has assumed such risk, reporting to the board is required
only for significant findings. There is no indication that the failure to document
several decisions is significant enough to report to the board (IIA Standard
2600—Communicating the Acceptance of Risks).

B.Incorrect. When senior management has assumed such risk, reporting to the board
is required only for significant findings. There is no indication that the failure to
document several decisions is significant enough to report to the board.
C.Incorrect. Senior management has already indicated that it understands and has
accepted the related risk.
D.Incorrect. Reporting to anyone outside the organization is not required or
appropriate.

144.Auditors realize that at times corrective action is not taken even when
agreed to by the appropriate parties. This should lead an internal auditor to:

A.Decide the extent of necessary follow-up work.
B.Allow management to decide when to follow up, since it is management's ultimate
responsibility.
C.Decide to conduct follow-up work only if management requests the auditor's
assistance.
D.Write a follow-up audit report with all findings and their significance to the
operations.

The Answer A Is Correct

IIA Standard 2500—Monitoring Progress states that the director of internal auditing
should determine the nature, timing, and extent of follow-up.

B.Incorrect. IIA Standard 2500 states that follow-up work is not management's
responsibility.
C.Incorrect. IIA Standard 2500 states that follow-up work is not management's
responsibility.
D.Incorrect. The auditor has to provide an opinion as to the decision made with regard
to lack of action.

145.Given the acceptance of the cost savings audits and the scarcity of internal
audit resources, the audit manager also decided that follow-up action was not
needed. The manager reasoned that cost savings should be sufficient to motivate
the auditee to implement the auditor's recommendations. Therefore, follow-up
was not scheduled as a regular part of the audit plan. Does the audit manager's
decision violate the IIA Standards?

A.No. The IIA Standards do not specify whether follow-up is needed.
B.Yes. The IIA Standards require the auditors to determine whether the auditee has
appropriately implemented all of the auditor's recommendations.
C.Yes. Scarcity of resources is not a sufficient reason to omit follow-up action.
D.No. When there is evidence of sufficient motivation by the auditee, there is no need
for follow-up action.

The Answer C Is Correct

IIA Standard 2500—Monitoring Progress requires follow-up action. Lack of
resources is not a sufficient reason.

A.Incorrect. Follow-up is required.
B.Incorrect. Follow-up is to see that actions are taken, not just that the auditor's
recommendations have been implemented.
D.Incorrect. Follow-up is required.

146.During an audit of purchasing, internal auditors found several violations of
company policy concerning competitive bidding. The same condition had been
reported in an audit report last year, and corrective action had not been taken.
Which of the following best describes the appropriate action concerning this
repeat finding?

A.The audit report should note that this same condition had been reported in the prior
audit.
B.During the exit interview, management should be made aware that a finding from
the prior report had not been corrected.
C.The director of internal auditing should determine whether management or the
board has assumed the risk of not taking corrective action.
D.The director of internal auditing should determine whether this condition should be
reported to the independent auditor and any regulatory agency.

The Answer C Is Correct

This action meets the requirements of IIA Standard 2600—Communicating the
Acceptance of Risks.

A.Incorrect. This action is insufficient.
B.Incorrect. This action is insufficient.
D.Incorrect. This action would be inappropriate.

147.Which of the following audit committee activities would be of the greatest
benefit to the internal auditing department?

A.Review and approval of audit programs.
B.Assurance that the external auditor will rely on the work of the internal auditing
department whenever possible.
C.Review and endorsement of all internal audit reports prior to their release.
D.Support for appropriate follow-up of recommendations made by the internal
auditing department.

The Answer D Is Correct

The audit committee can lend considerable weight to the recommendations of internal
auditing (IIA Standard 2500—Monitoring Progress).

A.Incorrect. Review and approval of audit programs is the responsibility of internal
audit supervision.
B.Incorrect. External audit's reliance on the work of internal auditing is the subject of
an AICPA pronouncement.
C.Incorrect. Review and approval of internal audit reports is the responsibility of the
director of internal auditing or designee.

148.An internal auditor reported a suspected fraud to the director of internal
auditing. The director turned the entire case over to the security department.
Security failed to investigate or report the case to management. The perpetrator
continued to defraud the organization until being accidentally discovered by a
line manager two years later. Select the most appropriate action for the audit
director.

A.The director's actions were correct.
B.The director should have periodically checked the status of the case with security.
C.The director should have conducted the investigation.
D.The director should have discharged the perpetrator.

The Answer B Is Correct

Follow-up is specified by IIA Standard 2500—Monitoring Progress.

A.Incorrect. According to Standard 2500, the director should have ensured that the
internal auditing department's responsibilities were met.
C.Incorrect. A security department would generally have more expertise in the
investigation of a fraud.
D.Incorrect. The fraud was only suspected when reported to the director. Immediate
discharge would have violated the suspect's rights. In addition, the director would not
normally have the authority to discharge an employee in an audited area.

149.If an internal auditor finds that no corrective action has been taken on a
prior audit finding that is still valid, the IIA Standards state that the internal
auditor should:

A.Restate the prior finding along with the findings of the current audit.
B.Determine whether management or the board has assumed the risk of not taking
corrective action.
C.Seek the board's approval to initiate corrective action.
D.Schedule a future audit of the specific area involved.

The Answer B Is Correct

This is correct, as per IIA Standard 2600—Communicating the Acceptance of Risks.
Therefore, by definition, the other choices will be incorrect.

A.Incorrect. This choice is not relevant.
C.Incorrect. This choice is not relevant.
D.Incorrect. This choice is not relevant.

150.Why should organizations require auditees to promptly reply and outline the
corrective action that has been implemented on reported deficiencies?

A.To close the open audit issues as soon as possible.
B.To realize value as early as possible.
C.To indicate concurrence with the audit findings.
D.To ensure that the auditor performance is evaluated.

The Answer B Is Correct

The objective of the audit is to realize value resulting from the auditee's corrective
action as early as possible so that the organization will benefit from the action taken
(IIA Standard 2400—Communicating Results).

A.Incorrect. This is a mechanical aspect of the audit reporting process.
C.Incorrect. The auditee may not concur with the audit finding all the time.
D.Incorrect. This is an administrative function of the audit department.

151.Exit conferences serve to ensure the accuracy of the information used by an
internal auditor. A secondary purpose of an exit conference is to:

A.Get immediate action on a recommendation.
B.Improve relations with auditees.
C.Agree to the appropriate distribution of the final report.
D.Brief senior management on the results of the audit.

The Answer B Is Correct

The exit conference can be used to allow operating management to air its views and to
present any operational objections to specific recommendations (IIA Standard
2400—Communicating Results).

A.Incorrect. An interim report would have been used to accomplish this.
C.Incorrect. The distribution of reports is not a secondary purpose of an exit
conference.
D.Incorrect. Senior management should be given a greatly condensed view of the
results of an audit.

152.Why should organizations require auditees to promptly reply and outline the
corrective action that has been implemented on reported deficiencies?

A.To remove items from the pending list as soon as possible.
B.To institute compliance as early as possible.
C.To indicate concurrence with the audit findings.
D.To ensure that the audit schedule is kept up to date.

The Answer B Is Correct

The objective of the audit is to institute compliance with the auditee's corrective
action as early as possible so that the organization will benefit from the action taken
(IIA Standard 2500—Monitoring Progress).

A.Incorrect. This is an immaterial aspect of the audit reporting process.
C.Incorrect. The auditee may not concur with the audit finding at all times.
D.Incorrect. This is an administrative function of the audit department.

153.The internal auditing department for a large corporation recently concluded
an audit of sales department travel expenses. Which of the following groups
should receive a copy of the audit report?

A.Sales director and vice president for marketing.
B.Chairman of the board, chief operating officer, and vice president for marketing.
C.Chairman of the board, controller, and sales director.
D.Chief financial officer, sales director, and chief executive officer.

The Answer A Is Correct

Audit reports should be distributed to those members of the organization who are able
to ensure that audit results are given due consideration. In this case, the sales director
and vice president of marketing would be sufficient (IIA Standard
2440—Disseminating Results).

B.Incorrect. The chairman of the board and chief operating officer need not be
involved unless significant problems were revealed.
C.Incorrect. The chairman of the board and controller need not be involved unless
significant problems were revealed.
D.Incorrect. Chief financial officer and chief executive officer involvement would not
be needed.

154.Which of the following would not be considered an objective of the audit
closing or exit conference?

A.To resolve conflicts.
B.To discuss the findings.
C.To identify concerns for future audits.
D.To identify management's actions and responses to the findings.

The Answer C Is Correct

Identifying concerns for future audits is not a primary objective of the exit conference
(IIA Standard 2230—Communicating Results).

A.Incorrect. Resolving conflicts is an objective of the exit conference.
B.Incorrect. Reaching an agreement on the facts is an objective of the exit conference.
D.Incorrect. Determining management's action plan and responses is an objective of
the exit conference.

155.During an exit conference, an auditor and an auditee disagreed about a
well-documented audit finding. Which of the following would describe an
appropriate manner to handle the situation, assuming that it cannot be resolved
prior to issuing the audit report?

A.Present the finding giving all of the facts and conclusions resulting from the testing.
B.Present both the audit finding and auditee's position on the finding.
C.Defer reporting the item and plan to perform more detailed work during the next
audit.
D.Change the finding to agree with the auditee's position.

The Answer B Is Correct

This is a requirement per IIA Standard 2230—Communicating Results.

A.Incorrect. However, it is assumed that in compliance with IIA Standards, the
auditor discussed the matter with the auditee and that there were no problems.
C.Incorrect. The report should present the findings (results) of the audit. Deferral of
reporting would be unprofessional per the IIA Standards.
D.Incorrect. This could be correct if the auditor was in error. However, it evades the
question and implies agreement with the auditee.

156.An audit of an automated accounts receivable function for a single-plant
furniture manufacturing company has just been completed. Significant findings
include late posting of customers' payments, late mailing of monthly invoices,
and erratic follow-up on past-due accounts. Which of the following managers
should attend the exit conference for this audit?

A.Director of internal auditing, chief operating officer, and controller.
B.Head of the audit team, controller, and vice president of information systems.
C.Head of the audit team, manager of the accounts receivable department, and
manager of the data processing department.
D.Director of internal auditing, chief financial officer, chief executive officer, and
vice president of information systems.

The Answer C Is Correct

The managers of the accounts receivable and data processing departments should be
informed of the findings by the head of the audit team and given an opportunity to
clarify any misunderstandings that might arise. Those managers are in the best
positions to resolve the problems that were noted, and their corrective action should
be mentioned in the final report (IIA Standard 2230—Communicating Results).

A.Incorrect. It is neither necessary nor appropriate for these executives to be involved
at this phase of the audit.
B.Incorrect. The controller and vice president of information systems need not be
involved at this phase of the audit.
D.Incorrect. These executives should not be involved in an exit conference. The exit
conference should discuss audit findings with those who are directly responsible for
problems and who are best positioned to take corrective action.

157.The IIA Standards require that internal auditors discuss conclusions and
recommendations at appropriate levels of management before issuing final
written reports. Which of the following is the primary reason that a closing
conference should be documented by the auditor?

A.The information may be needed if a dispute arises.
B.The IIA Standards require that closing conferences be documented.
C.The information may be needed to revise future audit programs.
D.Closing conference documentation becomes a basis for future audits.

The Answer A Is Correct

Notes taken during the course of a closing conference can be valuable in resolving
disputes (IIA Standard 2230—Communicating Results).

B.Incorrect. Documentation of closing conferences is not specifically required by the
IIA Standards.
C.Incorrect. Notes taken during the closing conference may lead to a revised audit
program, but that is not the primary use.
D.Incorrect. Information obtained during the closing conference may provide the
impetus for future audits, but this is not the primary reason for documenting the
closing conference.

158.The major purpose of an exit conference is:

A.Communication with all affected parties.
B.Correction of deficiencies found.
C.Assessment of audit staff's performance.
D.Presentation of the final audit report.

The Answer A Is Correct

The major purpose of an exit conference is to discuss problems, conclusions, and
recommendations. This communication ensures that there have been no
misunderstandings or misinterpretation of facts. It is not the time to correct
deficiencies, which comes later. The audit staff's performance should not be brought
up at this point since it would divert attention from the audit findings. The final report
is presented after incorporating the auditee's viewpoints expressed during the exit
conference (IIA Standard 2400—Communicating Results).

B.Incorrect. Refer to the correct answer.
C.Incorrect. Refer to the correct answer.
D.Incorrect. Refer to the correct answer.

159.An internal auditor suspects fraud in the purchasing department. To whom
should the auditor communicate this first?

A.The board of directors.
B.The audit committee.
C.The vice president of purchasing.
D.Audit management.

The Answer D Is Correct

In situations of suspected fraud, the auditor should handle the matter very carefully so
as not to antagonize other members of the organization. First, the auditor should talk
to audit management to see if audit management knows something more about the
situation. Audit management should move the case forward. The auditor should never
contact the other parties directly (IIA Standard 2400—Communicating Results).

A.Incorrect. It is too early to contact the board of directors.
B.Incorrect. It is not appropriate to contact the audit committee. Contact should be
done only after the fraud is investigated and found true.
C.Incorrect. The auditor only suspects fraud; it has not yet been proved, and the
auditor should not contact the vice president of purchasing. Early and inappropriate
notification could backfire on the auditor.

160.The IIA Standards require auditors to discuss conclusions and
recommendations at appropriate levels of management before issuing final
written reports. Auditors usually accomplish this by conducting exit conferences.
Which of the following best describes the purpose of exit conferences?

A.To allow auditees to get started implementing recommendations as soon as
possible.
B.To allow auditors to explain complicated findings before a written report is issued.
C.To allow auditors to sell findings and recommendations to management.
D.To ensure that there have been no misunderstandings or misinterpretations of facts.

The Answer D Is Correct

This is the primary purpose of exit conferences (IIA Standard 2400—Communicating
Results).

A.Incorrect. This is a secondary benefit of exit conferences.
B.Incorrect. Complicated findings must be explained thoroughly in written reports.
C.Incorrect. This is a secondary benefit of exit conferences.
