IIA-CIA-Part1 Exam Questions

Total 566 Questions

Last Updated Exam : 27-Dec-2024

Topic 1: Volume A

The chief audit executive should periodically report the internal audit activity's
purpose, authority, responsibility, and performance, as well as significant risk exposures and
control issues, to which of the following?
I. Board of directors.
II. Senior management.
III. Shareholders.
IV. External auditors.

A. II only
B. I and II only
C. I, II, and III only
D. I, III, and IV only

B. I and II only



A code of business conduct provides?


A. A fraud avoidance plan that does not explicitly describe punishments for violations.
B. A passive method of fraud deterrence.
C. A program to anonymously report irregularities to authorities.
D. An alternative to "tone at the top" programs.

B. A passive method of fraud deterrence.



Which of the following best describes how the increased use of computerization may
impact an auditor's assessment of the risk of fraud?


A. Access to assets may be available to information systems personnel as well as to computer users.
B. Computer controls are generally less effective than human review.
C. Overrides of key controls may require less collaboration.
D. Audit trails are less effective.

A. Access to assets may be available to information systems personnel as well as to computer users.



If earnings on financial statements for internal use only have been manipulated in the
past, an internal auditor is likely to focus on which of the following?

A. The proper accrual of payables at the end of the interim period.
B. The timing of revenue recognition and the valuation of inventories.
C. Whether accounting estimates are reasonable given past actual results.
D. Whether there have been changes in accounting principles that materially affect the financial statements.

B. The timing of revenue recognition and the valuation of inventories.



Which of the following is not an appropriate role for internal auditors after a disaster occurs?


A. Monitor the effectiveness of the recovery and control of operations.
B. Correct deficiencies of the entity's business continuity plan.
C. Recommend future improvements to the entity's business continuity plan.
D. Assist in the identification of lessons learned from the disaster and the recovery operations.

B. Correct deficiencies of the entity's business continuity plan.



Organizations that use a highly structured command-and-control management approach
are at greater risk of:


A. Delayed response due to the inability to reach consensus among decision makers.
B. Negative consequences that result from lower-level staff's unwillingness to confront errors by superiors.
C. Erosion of staff morale due to perceptions of ineffective leadership.
D. Waste and abuse of organizational resources resulting from management override of controls.

B. Negative consequences that result from lower-level staff's unwillingness to confront errors by superiors.



Which of the following would be the best source of information for a chief audit executive to
use in planning future audit staff requirements?


A. Discussions of audit needs with executive management and the audit committee.
B. Review of audit staff education and training records.
C. Review of audit staff size and composition of similar-sized companies in the same industry.
D. Interviews with existing audit staff.

A. Discussions of audit needs with executive management and the audit committee.



Which of the following best describes the most important criteria when assigning
responsibility for specific tasks required in an audit engagement?


A. Auditors must be given assignments based primarily upon their years of experience.
B. All auditors assigned an audit task must have the knowledge and skills necessary to
complete the task satisfactorily.
C. Tasks must be assigned to the audit team member who is most qualified to perform them.
D. All audit team members must have the skills necessary to satisfactorily complete any
task that will be required in the audit engagement.

B. All auditors assigned an audit task must have the knowledge and skills necessary to
complete the task satisfactorily.



An internal auditor is assigned to conduct an audit of security for a local area network
(LAN) in the finance department of the organization. Investment decisions, including the use
of hedging strategies and financial derivatives, use data and financial models which run on
the LAN. The LAN is also used to download data from the mainframe to assist in decisions.
Which of the following should be considered outside the scope of this security audit engagement?

A. Investigation of the physical security over access to the components of the LAN.
B. The ability of the LAN application to identify data items at the field or record level and
implement user access security at that level.
C. Interviews with users to determine their assessment of the level of security in the system
and the vulnerability of the system to compromise.
D. The level of security of other LANs in the company which also utilize sensitive data.

D. The level of security of other LANs in the company which also utilize sensitive data.



Which is the least effective form of risk management?


A. Systems-based preventive control.
B. People-based preventive control.
C. Systems-based detective control.
D. People-based detective control.

D. People-based detective control.



