Which of the following would not be an appropriate step for an internal auditor to perform during an
assessment of compliance with an organization's privacy policy?

A.

Determine who can access databases containing confidential information.

B.

Evaluate the organization's privacy policy to determine if appropriate information is covered.

C.

Analyze access to permanent files and reports containing confidential information.

D.

Evaluate the government's security measures related to confidential information received from
the organization.

An internal auditor for a financial institution has just completed an audit of loan processing. Of the
81 loans approved by the loan committee, the auditor found seven loans which exceeded the
approved amount. Which of the following actions would be inappropriate on the part of the
auditor?

A.

Examine the seven loans to determine if there is a pattern. Summarize amounts and include in
the engagement final communication.

B.

Report the amounts to the loan committee and leave it up to them to correct. Take no further
follow-up action at this time and do not include the items in the engagement final communication.

C.

Follow up with the appropriate vice president and include the vice president's acknowledgment
of the situation in the engagement final communication.

D.

Determine the amount of the differences and make an assessment as to whether the dollar
differences are material. If the amounts are not material, not in violation of government
regulations, and can be rationally explained, omit the observation from the engagement final
communication.

During a systems development audit, software developers indicated that all programs were moved from the development environment to the production environment and then tested in the
production environment. What should the auditor recommend?
I. Implement a test environment to ensure that testing is not performed in the production
environment.
II. Require developers to move modified programs from the development environment to the test
environment and from the test environment to the production environment.
III. Eliminate access by developers to the production environment.

A.

 I only

B.

 III only

C.

I and II only

D.

I and III only

A post-audit questionnaire sent to audit clients is an effective mechanism for:

A.

Substantiating audit observations.

B.

Promoting the internal audit activity.

C.

 Improving future audit engagements.

D.

Validating process flow.

As part of an operational audit, an auditor compared records of current inventory with usage
during the prior two-year period and determined that the spare parts inventory was excessive.
What step should the auditor perform first?

A.

Determine the effects of a stock-out on the organization's profitability.

B.

Determine whether a clear policy exists for setting inventory limits.

C.

Determine who approved the purchase orders for the spare parts.

D.

Determine whether purchases were properly recorded

A performance audit engagement typically involves:

A.

Review of financial statement information, including the appropriateness of various accounting
treatments.

B.

Tests of compliance with policies, procedures, laws, and regulations.

C.

Appraisal of the environment and comparison against established criteria.

D.

Evaluation of organizational and departmental structures, including assessments of process
flows.

An audit identified a number of weaknesses in the configuration of a critical client/server system.
Although some of the weaknesses were corrected prior to the issuance of the audit report,
correction of the rest will require between six and 18 months for completion. Consequently,
management has developed a detailed action plan, with anticipated completion dates, for
addressing the weaknesses. Which of the following is the most appropriate course of action for the
chief audit executive to take?

A.

Assess the adequacy of the action plan and monitor key dates and deliverables.

B.

Schedule a follow-up audit engagement to assess the status of corrective action.

C.

Reassign information systems auditors to assist the information technology department in
correcting the weaknesses.

D.

Evaluate statistics related to unplanned system outages, unauthorized access attempts, and
denials of service to assess the effectiveness of corrections.

QUESTION NO: 149
An internal auditor found that the cost of some material installed on capital projects had been
transferred to the inventory account because the capital budget had been exceeded. Which of the
following would be an appropriate technique for the auditor to use to determine the extent of the
problem?

A.

Identify variances between amounts capitalized each month and the capital budget.

B.

Analyze a sample of capital transactions each quarter to detect instances in which installed
material was transferred to inventory.

C.

 Review all journal entries that transferred costs from capital to inventory accounts.

D.

Compare inventory receipts with debits to the inventory account and investigate discrepancies.

When conducting audit follow-up of a finding related to cash management routines, an internal
auditor would expect to find that all of the following changes have occurred except:

A.

The steps being taken are resolving the condition disclosed by the finding.

B.

Inherent risk has been eliminated as a result of resolution of the condition.

C.

Controls have been implemented to deter or detect a recurrence of the finding.

D.

Benefits have accrued to the entity as a result of resolving the condition.

Which of the following represents appropriate evidence of supervisory review of engagement
workpapers?
I. A supervisor's initials on each workpaper.
II. An engagement workpaper review checklist.
III. A memorandum specifying the nature, extent, and results of the supervisory review of
workpapers.
IV. Performance appraisals that assess the quality of workpapers prepared by auditors.

A.

II and IV only

B.

I, II, and III only

C.

I, III, and IV only

D.

 I, II, III, and IV.