IIA-ACCA ACCA CIA Challenge Exam Questions and Answers

Awareness of prior incidents of fraud.

Contractor non-disclosure agreements.

Verification of currency exchange rates.

Receipts for employee expenses.

1 and 2

1 and 4

2 and 3

3 and 4

Customers, innovation, growth, and internal processes.

Business objectives, critical success factors, innovation, and growth.

Customers, support, critical success factors, and learning.

Financial measures, learning and growth, customers, and internal processes.

1 and 3

1 and 4

2 and 3

2 and 4

1 and 3

1 and 4

2 and 3

2 and 4

Disclose the deficiency, and request that the investigation be reassigned to the first line of defense.

Proceed with the investigation, as internal auditors are not required to have fraud expertise.

Outsource the sensitive investigation to a third-party consultant with fraud expertise.

Select a member of the accounting department who is not involved in the fraud to join the investigation team in a consulting capacity.

Proceed with the audit engagement, but do not include the relative's information.

Have the chief audit executive and management determine whether the auditor should continue with the audit engagement.

Disclose in the engagement final communication that the relative is a customer.

Immediately withdraw from the audit engagement.

Requiring employees to attend ethics training.

Performing background checks on employees.

Implementing a control self-assessment.

Performing a surprise audit.

Suggesting alternatives to decision makers.

Improving the integrity of information.

Determining the scope of internal audit services.

Achieving engagement objectives.

3 only

1 and 2 only

2 and 3 only

1, 2, and 3

The need and availability of automated support.

The potential impact of key risks.

The expected outcomes and deliverables.

The operational and geographic boundaries.

Audit client management only

Executive management only

Audit client management, executive management, and others approved by the chief audit executive.

Audit client management, executive management, and any those who request a copy.

1 and 2

1 and 4

2 and 3

3 and 4

Senior management is charged with overseeing the establishment risk management and control processes.

The chief audit executive is responsible for overseeing the evaluation risk management and control processes.

Operating managers are responsible for assessing risks and controls in their departments.

Internal auditors provide assurance about risk management and control process effectiveness.

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

To gain access to a wider variety of skills, competencies and best practices.

To complement existing expertise with a required skill and competency for a particular audit engagement.

To focus on and strengthen core audit competencies.

To provide the organization with appropriate contingency planning for the internal audit function.

The CAE can release prior internal audit reports with the approval of the board and senior management.

The CAE can employ judgment and release prior audit results as they deem appropriate and necessary.

The CAE can only release prior information outside the organization when mandated by legal or statutory requirements.

The CAE can release prior information provided it is as originally published and distributed within the organization.

Recommend additional segregation-of-duty reviews.

Recommend appropriate awareness training for all finance department staff.

Recommend rotating finance staff in this area.

Recommend that management address these concerns immediately.

A review of password policy compliance found that employees frequently use the same password more than once during a year. The IAA recommends that the access control software reject any password used more than once during a 12-month period.

A review of internal service-level agreement compliance in financial services found that requests for information frequently are fulfilled up to two weeks late. The IAA recommends that the financial services unit be eliminated for its ineffectiveness.

A vacation policy compliance review found that employees frequently leave on vacation before their leave applications are signed by their manager. The IAA recommends that the manager attend to the leave applications in a more timely fashion.

A review of customer service-level agreements found that orders to several customers are frequently delivered late. The IAA recommends that the organization extend the expected delivery time advertised on its website.

The number, experience, and availability of audit staff as well as the nature, complexity, and time constraints of the engagement.

The appropriateness and sufficiency of resources and the ability to coordinate with external auditors.

The number, proficiency, experience, and availability of audit staff as well as the ability to coordinate with external auditors.

The appropriateness and sufficiency of resources as well as the nature, complexity, and time constraints of the engagement.

Testing controls where operating procedures vary.

Testing controls in decentralized offices.

Testing controls in high risk areas.

Testing controls in areas with high control failure rates.

Escalate the unresolved issues to the board, because they could pose significant risk exposures to the organization.

Confirm the decision with management and document this decision in the audit file.

Document the issue in the audit file and follow up until the issues are resolved.

Initiate an assurance engagement on the unresolved issues.

The auditor must not perform the training, because any task to improve the business process could impact audit independence.

The auditor must create a new, separate consulting engagement with the business process owner prior to performing the improvement task.

The auditor should get permission to extend the current engagement, and with the process owner's approval, perform the improvement task.

The auditor may proceed with the improvement task without obtaining formal approval, because the task is voluntary and not time-intensive.

1,2, and 3.

1.2, and 4.

1.3, and 4.

2, 3, and 4.

The auditor performs thorough reviews and provides absolute assurance of regulatory compliance.

The auditor is alert to the possibility of fraud and activities where irregularities are most likely to occur.

The auditor recommends improvements for all of the organization's procedures and practices.

The auditor is cognizant of reducing travel expenses by combining a personal vacation with a business trip.

If an organization does not have a mature privacy framework, the internal audit activity should assist in developing and implementing an appropriate privacy framework.

Because the audit committee is ultimately responsible for ensuring that appropriate control processes are in place to mitigate risks associated with personal information, the internal audit activity is C. required to conduct privacy assessments.

The internal audit activity may delegate to nonaudit IT specialists the responsibility of determining whether personal information has been secured adequately and data protection controls are sufficient.

The internal audit activity should have appropriate knowledge and competence to conduct an asses .......framework.

Control environment.

Control activities.

Information and communication.

Monitoring activities.

Automatic shut-off valve.

Auto-correct software functionality.

Confirmation with suppliers and vendors.

Safety instructions.

An internal auditor assessed the effectiveness of controls over payroll software, which he had helped implement with a previous employer.

An internal auditor participated in an audit of controls around absenteeism, despite providing some consultation on controls in this area earlier in the year.

An internal auditor performed an assurance engagement for the effectiveness of accounts payable access controls, one of which he previously helped to design.

An internal auditor, previously employed in the quality assurance operations area, performed a consulting engagement for the operations manager.

Segregation of duties.

Exception reports.

Incentive compensation plans.

Automated reconciliations.

1 only

2 only

1 and 3.

2 and 4.

The core competencies outlined in the framework are not expected of a person undertaking an entry-level position as an internal auditor.

The framework is designed to be used primarily by chief audit executives that are developing indicators to measure the performance of the internal audit activity for which they are responsible.

The framework lists the core competencies internal auditors should possess before attempting to attain The IIA's Certified Internal Auditor certification.

The framework describes competencies needed for individual internal auditors, but not those necessary at the chief audit executive level.

A budget.

A risk assessment.

The board of directors.

The control environment.

The CAE would need to procure external services to deliver the internal audit assurance program.

There is no expertise within the internal audit team for detecting and investigating fraud.

There is no expertise within the internal audit team for auditing an IT engagement.

There is no available expertise on the internal audit team to perform a consulting engagement.

Analytical reviews of high-risk areas.

Detective controls built into the daily processes.

Unannounced audits or reviews of programs or departments.

Tips received from employees or citizens.

The scope and frequency of internal and external assessments as well as the qualifications and independence of the assessor.

The scope and cost of the QAIP. frequency of internal and external assessments, and conclusions of the assessor.

The scope, findings, risks, recommendations, and agreed-upon improvement actions.

The number and types of people involved in the assessment, costs, and duration of the QAIP

To help the internal audit activity complete its annual assurance plan.

To identify inefficiencies within the internal audit team.

To help improve the overall quality of the internal audit activity's work.

To identify key risks and areas of concern within the organization.

Internal control checklist.

Procurement employee survey.

Cross-functional flow chart.

Segregation of duties matrix.

Delegate final approval of the risk-based internal audit plan to the chief audit executive (CAE).

Approve the annual budget and resource plan for the internal audit activity.

Assist the CAE with hiring objective and competent internal audit staff.

Encourage the CAE to communicate and coordinate with the external auditor.

During facilitated workshops, people more openly say things to internal auditors than during private interviews.

Internal auditors do not need other sources of information, as the data gathered during facilitated workshops is sufficient.

Facilitated workshops create a synergy of discussion that can bring multiple perspectives to the same issue.

The testimonial evidence obtained during facilitated workshops is generally considered more reliable.

Variability tolerance.

Ratio estimation.

Stratification.

Acceptance sampling.

Definition of Internal Auditing.

MA Standards.

Internal audit charter.

The IIA's Code of Ethics.

Observation of the facility during operations.

Questioning of facility management, including the facility safety officer.

Analysis of facility operating reports, focusing on instances when breakdowns occurred.

Review of records involving safety violations, filed by facility production employees.

1 and 2

2 and 4

1, 2, and 3

2, 3, and 4

Improper segregation of duties.

Incentives and bonus programs.

An employee's reported concerns.

Lack of an ethics policy.

Were audit findings relevant and useful to management?

Does the audit report format present issues clearly and concisely?

Does the IAA work with a high degree of professionalism and objectivity?

Were the findings reported in a timely manner?

The accounts payable supervisor, accounts payable manager, and controller.

The accounts payable manager, purchasing manager, and receiving manager.

The accounts payable supervisor, controller, and treasurer.

The accounts payable manager, chief financial officer, and audit committee.

Require the approval of additions and changes to the vendor master listing, where the inherent risk of false vendors is high.

Monitor amounts paid each period and compare them to the budget to identify potential issues.

Compare employee addresses to vendor addresses to identify potential employee fraud.

Monitor customer quality complaints compared to the prior period to identify vendor issues.

1 and 2

1 and 3

2 and 4

3 and 4

Verify that approvals of purchasing documents comply with the authority matrix.

Observe whether the purchase orders are sequentially numbered.

Examine whether the sales department supervisor approves invoices for payment.

Determine whether the accounts payable department reconciles all purchasing documents prior to payment.

1 and 2 only

1 and 4 only

2 and 3 only

3 and 4 only

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Outline the schedule of future audits.

Define the scope of internal audit activities.

Establish the size of the internal audit activity.

Communicate the internal audit activity's goals.

Authority and responsibility to resolve issues.

Framework to plan, execute and monitor activities.

Integrated responses to multiple risks.

Knowledge and skills needed to perform activities.

The sample to be representative of the population.

The sample to be selected haphazardly.

A smaller sample size than if selected using statistical sampling.

Projecting the results to the population.

Fraudulent statements.

Bribery.

Misappropriation of assets.

Corruption.

1 only.

4 only.

2 and 4.

3 and 4.

A sense of achievement.

Promotion.

Recognition.

An incremental increase in salary.

All personal information, by definition is considered to be sensitive, requiring specialized controls.

Information is not considered personal if it can only be linked to or used to identify an individual indirectly.

Individuals who provide personal information to organizations share in the risk of inappropriate disclosure.

Good protection controls remove any restrictions on the quantity of personal information that can be collected

To improve the chain of command.

To strengthen corporate headquarters.

To focus better on a single market.

To increase lateral communication.

1 and 2 only

3 and 4 only

1, 2, and 4 only

2, 3, and 4 only

Company A owns Company B; Company B sells goods to Company A.

Company A does not own Company B. Company A charges Company B a fee to sell Company B's goods without taking ownership of the goods.

Company A owns both Company B and Company C; all three companies sell goods to the public.

Company A moves goods internally from one location to another.

The framework categorizes an organization's objectives to distinct, non overlapping objectives.

Control environment is one of the framework's eight components.

The framework facilitates effective risk management, even if objectives have not been established.

The framework integrates with, but is not dependent upon, the corresponding internal control framework.

Businesses must pay a tax only if they make a profit.

The consumer ultimately bears the cost of the tax through higher prices.

Consumer savings are discouraged.

The amount of value added is the difference between an organization's sales and its cost of goods sold.

Internal strengths and weaknesses.

Break-even points.

External trends and events.

Internal risk factors.

Conduct periodic reviews of the privacy policy to ensure that the existing policy meets current legislation requirements in both regions.

Include a "right to audit" clause in the contract and impose detailed security obligations on the outsourced vendor

Implement mandatory privacy training for management to help with identifying privacy risks when outsourcing services

Develop an incident monitoring and response plan to track breaches from internal and external sources

Cash discounts.

Quantity discounts.

Functional discounts.

Seasonal discounts.

The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.

The highest risk assessment should always be assigned to the area with the largest potential loss.

The highest risk assessment should always be assigned to the area with the highest probability of occurrence.

Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.

Develop a bargaining zone that lies between $50 million and $70 million and create sets of outcomes between $50 million and $70 million.

Adopt an added-value negotiating strategy, develop a bargaining zone between $50 million and $70 million, and create sets of outcomes between $50 million and $70 million.

Involve a mediator as a neutral party who can work with the textile company's management to determine a bargaining zone.

Develop a bargaining zone that lies between $55 million and $60 million and create sets of outcomes between $55 million and $60 million.

Each nation's total imports approximately equal its total exports.

Each good is produced by the nation that has the lowest opportunity cost for that good.

Goods that contribute to a nation's balance-of-payments deficit are no longer imported.

International trade is unrestricted and tariffs are not imposed.

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

Times interest earned, return on assets, and inventory turnover.

Accounts receivable turnover, inventory turnover in days, and the current ratio.

Accounts receivable turnover, return on assets, and the current ratio.

Inventory turnover in days, the current ratio, and return on equity.

It is expected that there will be slow retaliation from incumbents.

The acquiring organization has information that the selling organization is weak.

The number of bidders to acquire the organization for sale is low.

The condition of the economy is poor.

Input controls.

Output controls

Processing controls

Integrity controls

1 only

1 and 3 only

2 and 4 only

1, 3, and 4 only

Does not require testing for user acceptance.

Allows applications to be portable across multiple system platforms.

Is less expensive since it is self-documenting.

Better involves users in the design process.

Decrease by about 17 percent.

Decrease by about 7 percent.

Increase by about 7 percent.

Increase by about 17 percent.

Troubleshoot end user problems

Provide production support.

Provide physical security of databases

Maintain database integrity

Standardization.

Global marketing.

Limited exporting.

Domestic marketing.

Implementation and transition phase.

Monitoring and reporting phase

Decision-making and business-case phase.

Tendering and contracting phase.

Key processes across the entity which impact quality must be identified and included.

The quality management system must be documented in the articles of incorporation, quality manual, procedures, work instructions, and records.

Management must review the quality policy, analyze data about quality management system performance, and assess opportunities for improvement and the need for change.

The entity must have processes for inspections, testing, measurement, analysis, and improvement.

System software that acts as an interface between a user and a computer.

A standardized set of guidelines that facilitates communication between computers on different networks.

System software that translates hypertext markup language to allow users to view a remote webpage.

A network of servers used to control a variety of mission-critical operations.

Access is approved by the supervising manager.

User accounts specify expiration dates and are based on services provided.

Administrator access is provided for a limited period.

User accounts are deleted when the work is completed.

Internally encrypted passwords

System access privileges.

Logon passwords

Protocol controls.

Application input controls

Firewall controls.

Transmission encryption controls

Change management controls

PKI uses an independent administrator to manage the public key.

The public key is authenticated against reliable third-party identification.

PKI's public accessibility allows it to be used readily for e-commerce.

The private key uniquely authenticates each party to a transaction.

Specializing in proven manufacturing techniques that have made the organization profitable in the past.

Substituting its own production technology with advanced techniques used by its competitors.

Forgoing profits over a period of time to gain market share from its competitors.

Using the same branding to sell its products through new sales channels to target new markets.