Chapter 3 Answers Multiple Choice (Questions 1-51)

Internal Audit Activitys Role in Organizational Governance

1. Choice (c) is the correct answer. A private conversation signals to the employee that the CAE is
interested in what he or she has to say, and will not be measuring his or her words against those of
another. However, the CAE must establish a position and show support for the supervisor. There
may be more than one valid viewpoint, but that does not necessarily mean that the employee's is
valid (IIA Standard 2030 Resource Management). Choice (a) is incorrect. The supervisor, as
author of a critical performance review, will only add to the element of management intimidation.
Choice (b) is incorrect. Again, the presence of a third party would inhibit the CAEs listening
effectiveness. Unless the CAE thinks the auditor's concerns are so serious that the human resources
department must be informed, it is preferable to meet with the employee privately. Choice (d) is
incorrect. It is never appropriate to mislead an employee in order to obtain information or to
determine the employees view on a matter.
2. Choice (c) is the correct answer. The annual plan should be comprised of both an audit
schedule and a budget and, as such, should include all of these issues (IIA Standard 2010
Planning). Choice (a) is incorrect. The charter outlines the purpose, authority, and responsibilities
of the department, not the details related to staffing and such. Choice (b) is incorrect. The
policies and procedures manual spells out how audits should be conducted. It does not cover
areas such as staffing levels. Choice (d) is incorrect. Job descriptions do not reflect staffing level
requirements.
3. Choice (a) is the correct answer. The development of audit programs occurs during the
planning phase of an individual audit. It is not included within the scope of developing the audit
schedule (IIA Standard 2010 Planning). Choices (b), (c), and (d) are incorrect because each
choice is considered to determine the audit schedule.
4. Choice (a) is the correct answer. In addition to language skills, local customs must be
considered. For example, gender and ethnic compatibility may be important in some Middle
Eastern countries because religious restrictions and incompatibilities are relevant. As always,
experience levels are relevant in making audit assignments (IIA Standard 2010 Planning).
Choice (b) is incorrect. The Monetary Exchange Rate would not be a factor in determining the
needed traits of the team members. Choice (c) is incorrect because it includes appropriate factors,
but does not identify all the acceptable choices. Choice (d) is incorrect because it includes
incomplete answer.
5. Choice (c) is the correct answer. The purpose of a quality assurance program is to evaluate the
operations of the internal audit department. The IIA Standard 1300 Quality Assurance and
Improvement Program notes that a program should include supervision, internal reviews, and

external reviews. Choices (a), (b), and (d) are incorrect because proper training is an important
component of maintaining a current staff, but does not provide feedback.
6. Choice (d) is the correct answer. The key point is independence and objectivity. A specialist
from the department currently being audited would not be independent due to his natural bias
towards that department (IIA Standard 1210 Proficiency and IIA Standard 2030 Resource
Management). Choices (a) and (b) are incorrect because they include acceptable consultants, but
do not identify all the acceptable choices. Choice (c) is incorrect. A specialist from the same
department is unacceptable since the person would not be either independent or objective.
7. Choice (d) is the correct answer because it is the primary reason. The alternatives may be
desirable, but they are not the basis for the rotation preference (IIA Standard 1120 Individual
Objectivity and IIA Standard 2030 Resource Management). Choice (a) is incorrect. It is a
secondary reason. For example, auditor burnout can be reduced with less travel. Choice (b) is
incorrect. It is a secondary reason. Professional development can be obtained in other ways such
as attending conferences, seminars, and taking the CIA exam. Choice (c) is incorrect. It is a
secondary reason. This approach establishes a precedent or standard for others to follow.
8. Choice (a) is the correct answer because it is a planning task (IIA Standard 2340
Engagement Supervision). Choices (b), (c), and (d) are incorrect because each choice is a
supervisory task.
9. Choice (b) is the correct answer because it is a task most likely performed by the audit staff
(IIA Standard 2230 Engagement Resource Allocation and IIA Standard 2340 Engagement
Supervision). Choices (a), (c), and (d) are incorrect because each choice is a common team
leader task.
10. Choice (d) is the correct answer because it is a task most likely performed by the team leader
(IIA Standard 2230 Engagement Resource Allocation and IIA Standard 2340 Engagement
Supervision). Choices (a), (b), and (c) are incorrect because each choice is a common CAEs
task.
11. Choice (c) is the correct answer. The auditor must have access to all audit evidence in order
to fulfill his obligations and responsibilities (IIA Standard 1000 Purpose, Authority, and
Responsibility). Choice (a) is incorrect. The internal audit department should not specifically
identify what activities will be audited. Choice (b) is incorrect. The auditor is obligated to make
all needed disclosures to the audit committee. Choice (d) is incorrect. Access to the external
auditor's working papers cannot be guaranteed in the charter.
12. Choice (c) is the correct answer. Selection of individuals with the attributes and education
needed for internal auditing is essential if the staff is to develop properly. This is true in any
organization whether it is audit or non-audit function that a well-developed set of selection criteria
is important (IIA Standard 2030 Resource Management). Choice (a) is incorrect. The success of

any training program will be heavily dependent on the attributes of those being trained. Choice (b)
is incorrect. While compensation is an important factor in attracting and retaining staff, it is
probably not the most important in staff development. Choice (d) is incorrect. Not the best answer
because such a program should be fair and equitable to all staff members.
13. Choice (c) is the correct answer. Selection of individuals with the attributes and education
needed for internal auditing is essential if the staff is to develop properly. This is true in any
organization whether it is audit or non-audit function that a well-developed set of selection criteria
is important (IIA Standard 2030 Resource Management). Choice (a) is incorrect. The success of
any training program will be heavily dependent on the attributes of those being trained. Choice (b)
is incorrect. While compensation is an important factor in attracting and retaining staff, it is
probably not the most important in staff development. Choice (d) is incorrect. Not the best answer
because such a program should be fair and equitable to all staff members.
14. Choice (a) is the correct answer because it is a good source of information concerning staff
size or skill requirements (IIA Standard 2010 Planning and IIA Standard 2030 Resource
Management. Choices (b) and (d) are incorrect because there are not obvious link with scheduled
work. Choice (c) is incorrect because that would not account for the unique needs of a particular
organization.
15. Choice (d) is the correct answer. Comprehensive policies and procedures provided by the
chief audit executive guide the audit staff on a daily basis to ensure compliance with
department's standards of performance (IIA Standard 2040 Policies and Procedures). Choice
(a) is incorrect. Quality control reviews would evaluate compliance and not serve as a daily
guide to the audit staff. Choice (b) is incorrect. Position descriptions provide the purpose
description and responsibilities of individual positions but are not effective in the day-to-day
management of the function. Choice (c) is incorrect. Performance evaluations are a periodic
function and will not be effective on a day-to-day basis.
16. Choice (d) is the correct answer. Having a collective mix of knowledge and skills is an
integral part of the IIAs Standards. No internal audit department can have a credible program
without this mix (IIA Standard 1210 Proficiency and IIA Standard 2030 Resource
Management). Choice (a) is incorrect. The scope of internal auditing is so broad it is not possible
for one individual to have the requisite expertise in all areas. Choice (b) is incorrect. It is
desirable to have various skill levels to match auditors appropriately with varying assignment
complexities. It is also necessary to have experienced auditors available to train and supervise
less experienced staff members. Choice (c) is incorrect. Many skills are needed in internal
auditing. Computer skills are widely needed in companies, which perform IT audits. Many
industries find it necessary to have the skills of engineers and other disciplines available on a
regular basis.

17. Choice (d) is the correct answer. The IIA Standard 1000 Purpose, Authority, and
Responsibility states that the charter should include the internal auditors' access to those records,
personnel and physical properties, which are relevant to their work. Having limitations on such
access would impact the operational effectiveness of the internal audit department because the
internal auditor would not be able to conduct the audit in the proper approach that he designed it.
Choice (a) is incorrect. The Standards state that "the charter should (1) establish the department's
position within the organization; (2) authorize access to records, personnel, and physical properties
relevant to the performance of audits; and (3) define the scope of internal auditing activities."
Accordingly, not only is the frequency of audits not included in the charter, but also such
information is not related to the operational effectiveness of the internal audit department. Choice
(b) is incorrect. The manner of reporting audit findings (e.g., how it is reported and to whom it will
be reported) is not included in the charter and is not related to operational effectiveness of the
internal audit department. Choice (c) is incorrect. The procedures to be employed by internal
auditors in investigating and reporting fraud are not included in the charter.
18. Choice (d) is the correct answer. This is the most realistic way to address the department's
staffing needs (IIA Standard 1210 Proficiency and IIA Standard 2030 Resource
Management). Choice (a) is incorrect. The IIA Standards states the general subjects that staff
should possess knowledge of but clearly states that every auditor need not possess knowledge of
all of them. Choice (b) is incorrect. The department's needs may be for additional expertise in
economics or computer science. Choice (c) is incorrect. This may be good advice, but it does not
adequately address the department's present needs.
19. Choice (a) is the correct answer. The long-range program gives evidence of coverage of key
functions at planned intervals (IIA Standard 2010 Planning). Choice (b) is incorrect. The audit
program is limited in scope to a particular project. Choice (c) is incorrect. The department budget
may be used to justify head count, but it is not used to ensure adequate audit coverage over time.
Choice (d) is incorrect. The department charter is not an audit planning tool.
20. Choice (b) is the correct answer. Internal auditing standards are required to be known by the
department collectively. Individual internal auditing staff members may, however, bring special
skills to the department instead of specific knowledge of internal auditing standards (IIA
Standard 1210 Proficiency and IIA Standard 2030 Resource Management). Choice (a) is
incorrect. Each new employee of an internal auditing department is not required to have
knowledge of internal auditing standards. It is required that the department collectively has this
knowledge. Choice (c) is incorrect. Each individual internal auditor is not required to have
knowledge of accounting or taxes. Choice (d) is incorrect. What knowledge that was acquired by
observing is irrelevant to the skills necessary for internal auditing.
21. Choice (a) is the correct answer. Time budgets should be appraised for revision after the
preliminary survey and preparation of the audit program (IIA Standard 2200 Engagement
Planning). Choice (b) is incorrect. When a deficiency has been substantiated, no further audit

work is required. Choice (c) is incorrect. The assignment of inexperienced staff should have no
effect on the time budget. Choice (d) is incorrect. Expanded tests should have no effect on the
time budget; the budget would have already been expanded as necessary.
22. Choice (d) is the correct answer. The chief audit executive (CAE) is responsible for
supervision, including determining that audit objectives are being met (IIA Standard 2340
Engagement Supervision). Choices (a), (b), and (c) are incorrect because according to the
Standards, the CAE is responsible for supervision.
23. Choice (c) is the correct answer. External reviews should be conducted at least once every
five years (IIA Standard 1312 External Assessments). Choice (a) is incorrect. Supervision
should be carried out continually, not just on a periodic test basis. Choice (b) is incorrect.
Internal reviews should be conducted by internal auditors and should focus on specific audit
projects. Choice (d) is incorrect. Periodic rotation of audit managers is not required.
24. Choice (c) is the correct answer because this is a requirement of the IIA Standard 2010
Planning. Choices (a) and (b) are incorrect because prioritizing audits would consider these
factors. Choice (d) is incorrect because staffing for each audit would include this consideration.
25. Choice (b) is the correct answer. Properly formulated job descriptions provide a basis for the
identifying job qualifications, including training and experience (IIA Standard 2030 Resource
Management). Choice (a) is incorrect. Employee background checks help assure that statements
made by prospective employees are accurate. However, they are not the primary requisite.
Choice (c) is incorrect. Continuing education occurs after the proper people are hired. Choice (d)
is incorrect. A thorough orientation helps the new employee become productive more rapidly.
However, it will not overcome hiring the wrong person.
26. Choice (c) is the correct answer. Formal staff meetings provide the best opportunity for
ensuring that issues are addressed timely and efficiently (IIA Standard 2030 Resource
Management and IIA Standard 2040 Policies and Procedures). Choice (a) is incorrect. Informal
communication is not the most appropriate forum. Choice (b) is incorrect. Memoranda are
generally impersonal and do not afford a good opportunity for maximum exchange of ideas.
Choice (d) is incorrect. The employee evaluation conference is not a timely place to discuss
problems and receive updates.
27. Choice (d) is the correct answer. External review process will provide independent evaluation
for management and the audit committee (IIA Standard 1312 External Assessments). Choice
(a) is incorrect. Internal peer review process will identify things that can be done better. Choice
(b) is incorrect. Internal review process will assess if audit activities meet professional standards.
Choice (c) is incorrect. Internal review process will set forth recommendations for improvement.
28. Choice (b) is the correct answer. The exit conference can be used to allow operating
management to air their views and to present any operational objections to specific

recommendations (IIA Standard 2440 Disseminating Results). Choice (a) is incorrect. An

interim report would have been used to accomplish this. Choice (c) is incorrect. The distribution
of reports is not a secondary purpose of an exit conference. Choice (d) is incorrect. Senior
management should be given a greatly condensed view of the results of an audit.
29. Choice (b) is the correct answer because it is an advantage of field office (IIA Standard 2010
Planning, Practice Advisory 2010-2, and IIA Standard 2200 Engagement Planning). Choice
(a) is incorrect. Objectivity of field office personnel decreases. Choice (c) is incorrect.
Disadvantage-decreases ease of maintaining standards. Choice (d) is incorrect. Senior audit
personnel are expected to be at corporate level.
30. Choice (b) is the correct answer. Audit needs, not auditor skill availability, should drive audit
schedules (IIA Standard 2010 Planning). Choices (a), (c) and (d) are incorrect because each
one is an important factor according to the Standards.
31. Choice (d) is the correct answer. This information is a status report to be provided to the audit
oversight authority (IIA Standard 2060 Reporting to Senior Management and the Board and
IIA Standard 2410 Criteria for Communicating). Choices (a), (b), and (c) are incorrect because
each one of them is not an activity report as defined by the Standards.
32. Choice (b) is the correct answer. Comparison of the plan to actual activity will reveal if the
planned breadth was achieved (IIA Standard 2010 Planning and IIA Standard 2410 Criteria
for Communicating). Choice (a) is incorrect. The number of audit findings is not an indicator of
audit breadth or quality. Choice (c) is incorrect. Management satisfaction does not directly relate
to the expressed goal (broader audit coverage). Choice (d) is incorrect. Implementation of a
quality assurance program has no bearing on the stated goal.
33. Choice (b) is the correct answer. This is the objective of the audit as per the IIA Standard
2440 Disseminating Results. Choice (a) is incorrect. This is a mechanical immaterial aspect of
the report process. Choice (c) is incorrect. The auditee may not concur with the finding. This
may or may not be considered in closing the audit. Choice (d) is incorrect. This is an
administrative function of the audit organization.
34. Choice (a) is the correct answer. As specified in the IIA Standard 2030 Resource
Management, audit work schedules determine both staffing plans and financial budgets. Choice
(b) is incorrect. Activity reports compare actual performance with goals and schedules and
compare actual expenditures with financial budgets. Choice (c) is incorrect. While past
performance is an indicator of the value of internal auditing, it will not impact the funds
committed to current operations. Choice (d) is incorrect. The charter for an internal auditing
department defines the purpose, authority, and responsibility of the department.
35. Choice (d) is the correct answer. This is an instructive solution and explains the defect in the
actions of the internal auditor (IIAs Code of Ethics and IIA Standard 2431 Engagement

Disclosure of Nonconformance). Choice (a) is incorrect. There was no intent to do wrong. The
sanction is probably too severe. Also, the staff may lose a good auditor. Choice (b) is incorrect.
The single occurrence described does not warrant this action. Choice (c) is incorrect. This is
partly correct but it has no instructive value.
36. Choice (a) is the correct answer. Audit reports should be distributed to those members of the
organization who are able to ensure that audit results are given due consideration, in this case,
the sales director and vice-president of marketing would be sufficient (IIA Standard 2400
Communicating Results). Choice (b) is incorrect. The chairman of the board and chief operating
officer need not be involved unless significant problems were revealed. Choice (c) is incorrect.
The chairman of the board and controller need not be involved unless significant problems were
revealed. Choice (d) is incorrect. The chief financial officer and chief executive officer
involvement would not be needed.
37. Choice (c) is the correct answer. The cost benefit of internal auditing is neither easily
quantifiable nor the subject of an external review (IIA Standard 1312 External Assessments).
Choices (a), (b), and (d) are incorrect because they are included in the evaluation of the
performance of an internal auditing department per the IIA Standard.
38. Choice (b) is the correct answer. High achievers thrive when the job provides for personal
responsibility, feedback, and moderate risks (IIA Standard 2120 Risk Management). Choices
(a), (c), and (d) are incorrect because high achievers prefer moderate risks. They perform best
with moderate risks.
39. Choice (d) is the correct answer. The problem of lack of feedback indicates the CAE has
problems in planning and allocating, audit resources to address communicating this need, and
communicating this need to the audit staff (IIA Standard 2030 Resource Management). Choice
(a) is incorrect. No indication that there is staffing problems (i.e., insufficient audit personnel or
that audit personnel lacking necessary skills to provide feedback on automated support systems.
Choice (b) is incorrect. No indication that staffing or decision making are problems. Choice (c) is
incorrect. No indication that organizing is a problem.
40. Choice (b) is the correct answer. In this type of situation, management is highly averse to
analysis or possible criticism of their actions and will not grant the internal auditors an adequate
charter (IIA Standard 1000 Purpose, Authority, and Responsibility). Choice (a) is incorrect. An
operating budget variance report is a control device used to monitor actual performance versus
budget. Management foot-dragging could cause unfavorable variances, but favorable variances
could also occur if many audits were cut short due to scope impairments. Choice (c) is incorrect.
An unbiased evaluation of audit staff would not be affected by lack of cooperation on the part of
non-audit management. Choice (d) is incorrect. Policies and procedures of the internal audit
function are developed by the internal audit department and should not be affected by non-audit
management.

41. Choice (c) is the correct answer. Both management and auditors should be involved in
improving the image of internal audit in the organization (IIA Standard 2410 Criteria for
Communicating). Choice (a) is incorrect. The auditors also need to know the feedback so they
can improve relations with auditees for the next audit. Choice (b) is incorrect. Management
should also know if communication is poor because of some auditor behavior. Choice (d) is
incorrect. Involving the auditees should reduce conflict and defensiveness and make the audit
more participative.
42. Choice (b) is the correct answer. The operational risk is related to the organizations internal
systems, products, services, processes, technology, and people (IIA Glossary, IIA Standard 2010
Planning, and IIA Standard 2120 Risk Management). Choice (a) is incorrect. The strategic
risks include risks related to strategy, political, economic, regulatory, and global market
conditions. It also includes reputation risks, leadership risks, brand management risks, and
customer risks. Choice (c) is incorrect. The financial risk includes risks from volatility in foreign
currencies, interest rates, and commodities. It also includes credit risk, liquidity risk, and market
risk. Choice (d) is incorrect. The hazard risk includes risks that are insurable such as natural
disasters, various insurable liabilities, impairment of physical assets and property, and terrorism.
The ERM includes both upside and downside risks.
43. Choice (a) is the correct answer. The ERM approach is more than just integrating risks,
where risks are a part of uncertainty. The goal of an ERM initiative is to create, protect, and
enhance shareholder value by managing the uncertainties that could influence in achieving the
organizations objectives (IIA Standard 2010 Planning and IIA Standard 2120 Risk
Management).
44. Choice (a) is the correct answer. According to the IIA Research Foundation, ERM defines
risk as any event or action that could adversely influence an organizations ability to achieve its
objectives. ERM encompasses the more traditional view of potential hazards (threats) as well as
opportunities. Management must consider de-risking the opportunities when creating and
evaluating new opportunities. Risks and opportunities move together and the key is to determine
if the potential of a given opportunity exceed the risks (IIA Standard 2010 Planning and IIA
Standard 2120 Risk Management). Items III and IV are part of the strength, weaknesses,
opportunity, and threat (SWOT) analysis used in strategic management. When companies fail to
manage risks, opportunities are missed, and shareholder value can be lost, which creates great
pressure on management to improve corporate governance.
45. Choice (a) is the correct answer. According to the IIA Research Foundation, the chief audit
executives (CAEs) of the study companies understand the value-added potential of ERM, which
made them very effective ERM champions. ERM adds value because it is both inward-looking
and forward-thinking (IIA Standard 2010 Planning and IIA Standard 2120 Risk
Management).The other three choices are part of the value-added potential.

46. Choice (c) is the correct answer. Traditionally, the internal audits role has been to provide
reliable, overall assessment of risks and internal control effectiveness. In light of ERM
implementation in improving corporate governance, internal auditors now (1) take a more
business-oriented approach to audit companys operations, (2) change their audit approach to
focus on business risk, (3) perform more effective follow-up on open ERM scorecards and
metrics to increase management accountability, and (4) review formal action plans developed by
management as part of the ERM implementation. Scorecards, metrics, and formal action plans
are key part of the ERM infrastructure (IIA Standard 2010 Planning and IIA Standard 2120
Risk Management).
47. Choice (a) is the correct answer. In order to meet the ERM implementation challenge, the
internal auditor should (1) use a risk-based audit approach and not a control-based approach, (2)
be a consultant to the ERM implementation team and not as a policeman, (3) focus on future
events and not on past events), and (4) acquire competent skills to become an ERM facilitator
and not use traditional accounting and auditing tools and skills (IIA Standard 2010 Planning
and IIA Standard 2120 Risk Management).
48. Choice (d) is the correct answer. Corporate governance refers to the methods by which a firm
is being governed, directed, administered, or controlled and to the goals for which it is being
governed. Corporate governance is concerned with the relative roles, rights, and accountability
of such stakeholder groups as owners, boards of directors, managers, employees, and others who
assert to be stakeholders (IIA Standard 2110 Governance).
49. Choice (c) is the correct answer. The major condition embedded in the structure of modern
corporations that has contributed to the corporate governance problem has been the separation of
ownership from control (IIA Standard 2110 Governance).
50. Choice (b) is the correct answer. The method, by which a firm is being governed, directed,
administered, or controlled and to the goals for which it is being governed is based on the
corporate charter (IIA Standard 2110 Governance).
51. Choice (c) is the correct answer. The board of directors provides governance, guidance, and
oversight. They are not guarantors for shareholders (IIA Standard 2110 Governance).