Topic 2, Volume B
The internal audit activity can be involved with systems development continuously, immediately
prior to implementation, after implementation, or not at all. An advantage of continuous internal
audit involvement compared to the other types of involvement is that:
A. The cost of audit involvement can be minimized.
B. There are clearly defined points at which to issue audit comments.
C. Redesign costs can be minimized.
D. The threat of lack of audit independence can be minimized.
Redesign costs can be minimized.
In a review of an electronic data interchange application using a third-party service provider, the
auditor should:
I. Ensure encryption keys meet International Organization for Standardization (ISO) standards.
II. Determine whether an independent review of the service provider's operation has been
conducted.
III. Verify that only public-switched data networks are used by the service provider.
IV. Verify that the service provider's contracts include necessary clauses, such as the right to
audit.
A. I and II only
B. I and IV only
C. II and III only
D. II and IV only
II and IV only
Once an audit report is drafted, the auditor's supervisor should review it primarily to ensure that all:
A. Statements are supported and can be authenticated.
B. Recommendations for corrective action are clear.
C. Processes within the audited area were reviewed.
D. Sample sizes appear appropriate for any issues found.
Statements are supported and can be authenticated.
In preparing to facilitate a control self-assessment session, an auditor would be least likely to
ensure that:
A. Key stakeholders are represented in the group.
B. An independent content expert is available to help settle disagreements.
C. Background research is completed to familiarize the auditor with relevant issues.
D. Management is consulted on the issues and priorities
An independent content expert is available to help settle disagreements.
What decision-making approach should a facilitator initiate if a group addresses an unfamiliar
situation during a control self-assessment session?
A. Spontaneous agreement.
B. Consensus building.
C. Majority voting.
D. Compromise.
Consensus building.
If participants in a control self-assessment workshop begin breaking their agreed-upon ground
rules, the facilitator should:
A. Ignore the behavior and continue the workshop.
B. Allow them to continue briefly and then remind them of the ground rules.
C. Have the participants modify the ground rules.
D. Strictly enforce the ground rules.
Allow them to continue briefly and then remind them of the ground rules.
Which of the following is the first step in the process where auditors and clients work together to
evaluate the clients' system of internal control?
A. Assess risks.
B. Develop questionnaires.
C. Identify and assess controls.
D. Identify objectives
Identify objectives
An internal auditor has a recommendation to change operations which could potentially increase
profits by $50,000. The best way to sell this recommendation to management is to:
A. Carefully work out the details of implementation before presenting it to department management.
B. Discuss it with operating supervisors who are directly affected by the change, and then with department management.
C. Bring it to the audit manager, who should bring it immediately to senior management's attention.
D. Wait until the exit conference to discuss it in order to ensure all affected parties are present.
Discuss it with operating supervisors who are directly affected by the change, and then with
department management.
A chief audit executive agrees to conduct an engagement that will focus on customers'
perceptions of the quality of the organization's products and services. Which of the following
issues should be addressed first?
A. Cost-effectiveness.
B. Quality control.
C. Customer complaints.
D. Supplier deliveries.
Customer complaints.
During an information security audit, an auditor discovers that the current disaster recovery plan
was developed three years ago but never tested. There have been significant changes to
information systems since the plan was developed. The auditor should:
A. Ask management to test the recovery plan immediately.
B. Recommend that management and users update and test the recovery plan.
C. Update the recovery plan for management as part of the review.
D. Review the recovery plan and report weaknesses to management
Recommend that management and users update and test the recovery plan.