IIA-ACCA ACCA CIA Challenge Exam Questions and Answers

Submit batches of test transactions through the current system and verify with expected results.

Use a test program to simulate the normal data entering process.

Select a sample of records from the database and ensure it matches supporting documentation.

Evaluate compliance with the organization's change management process.

The CAE would need to procure external services to deliver the internal audit assurance program.

There is no expertise within the internal audit team for detecting and investigating fraud.

There is no expertise within the internal audit team for auditing an IT engagement.

There is no available expertise on the internal audit team to perform a consulting engagement.

Internal audits.

Whistleblower hotline.

Key controls.

External audits.

Borrowers may not sign all required mortgage loan documentation.

Fees paid by the borrower at the time of the loan may not be deposited in a timely manner.

The bank's loan documentation may not meet the government's disclosure requirements.

Loan officers may override the lending criteria established by senior management.

1 only

1 and 2 only

1, 2, and 3

1, 2, and 4

The financial interest the service provider may have in the organization.

The relationship the service provider may have had with the organization or the activities being reviewed.

Compensation or other incentives that may be applicable to the service provider.

The service provider's experience in the type of work being considered.

Inform the audit supervisor.

Investigate the potential conflict of interest.

Inform the external auditors of the potential conflict of interest.

Disregard the potential conflict, because it is outside the scope of the audit assignment.

The strategy is favored when unit costs fall with the increase in units produced.

The strategy is favored when buyers are relatively insensitive to price increases.

The strategy is favored when there is insufficient market capacity and competitors cannot increase market capacity.

The strategy is favored when high price is perceived as high quality.

1 and 2 only

1 and 3 only

2 and 3 only

1, 2, and 3

The core competencies outlined in the framework are not expected of a person undertaking an entry-level position as an internal auditor.

The framework is designed to be used primarily by chief audit executives that are developing indicators to measure the performance of the internal audit activity for which they are responsible.

The framework lists the core competencies internal auditors should possess before attempting to attain The IIA's Certified Internal Auditor certification.

The framework describes competencies needed for individual internal auditors, but not those necessary at the chief audit executive level.

It cannot be used to test the completeness assertion.

It cannot be used to test the existence assertion.

It cannot be used to test the occurrence assertion.

It cannot be relied upon because the evidence is not persuasive.

Due professional care.

Individual independence.

Individual objectivity.

Organizational independence.

Soft skills in communication, negotiation, and collaboration.

Technical skills in the area under review.

Professional qualifications and certification in internal auditing.

Confidentiality and independence.

Human rights and the environment.

Organizational governance and financial reporting.

Fair operating practices and government regulation.

Consumer issues and return on investment.

Objectivity.

Proficiency.

Independence.

Due professional care.

Internal auditors shall continually improve their proficiency and effectiveness and quality of their services.

Internal auditors shall respect and contribute to legitimate and ethical objectives of the organization.

Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.

Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.

Preparing the financial statements for the company's defined contribution plan.

Performing a pre-implementation review of the company's payroll application.

Providing the COBIT framework as a possible IT management tool.

Reviewing the company's policy for foreign currency translation adjustments for compliance with accounting standards.

Planning an engagement of the area in which fraud is suspected.

Employing audit tests to detect fraud.

Interrogating a suspected fraudster.

Completing a process review to improve controls to prevent fraud.

Improper segregation of duties.

Incentives and bonus programs.

An employee's reported concerns.

Lack of an ethics policy.

Having no active role or involvement in the risk management process.

Auditing the risk management process for reasonableness.

Coordinating and managing the risk management process.

Participating with management in identifying and evaluating risks.

Option A

Option B

Option C

Option D

The scope and frequency of internal and external assessments as well as the qualifications and independence of the assessor.

The scope and cost of the QAIP. frequency of internal and external assessments, and conclusions of the assessor.

The scope, findings, risks, recommendations, and agreed-upon improvement actions.

The number and types of people involved in the assessment, costs, and duration of the QAIP

Suggesting alternatives to decision makers.

Improving the integrity of information.

Determining the scope of internal audit services.

Achieving engagement objectives.

Established strategy of players.

Low number of new firms.

High unit costs.

Technical expertise.

Escalate the unresolved issues to the board, because they could pose significant risk exposures to the organization.

Confirm the decision with management and document this decision in the audit file.

Document the issue in the audit file and follow up until the issues are resolved.

Initiate an assurance engagement on the unresolved issues.

The CAE should send the final report to operational and senior management and the audit committee.

The CAE should send the final report to operational management only, as there is no need to communicate this information to higher levels.

The CAE should notify operational and senior management that the audit engagement was completed with no significant findings to report.

The CAE should send the final report to operational management and notify senior management and the audit committee that no significant findings were identified.

Identifying the processes at the activity level.

Analyzing the organization's strategic plan where the business processes are defined.

Analyzing the organization's objectives and identifying the processes needed to achieve the objectives.

Identifying the risks affecting the organization, the objectives, and then the processes concerned.

Management sells the product division to a competitor.

Management outsources the product division to a third party.

Management allows the product division to remain unchanged.

Management modifies the product division to minimize errors.

Ethics should vary with local customs in the organization's foreign operations.

Whistleblowing should be discouraged because it can cause distrust among employees.

Ethical behavior should be incorporated into performance evaluations.

Senior management should be granted specific exemptions to the code of ethics.

Segregation of duties.

Exception reports.

Incentive compensation plans.

Automated reconciliations.

Independently evaluate the skills and experience of potential chief information officer candidates to assess the best fit based on the organization's risk appetite.

Evaluate the organization's governance standards and assess IT-related activities to identify gaps and develop policies, ensuring alignment with the organization's risk appetite.

Assist management in interpreting complex IT-related privacy and security risk exposures and evaluating potential mitigation strategies.

Assess whether governance activities are aligned with the organization's risk appetite and take into consideration emerging risks.

Preventive controls.

Detective controls.

Soft controls.

Directive controls.

The internal audit activity has to ensure team members' objectivity is not impaired.

Auditors cannot participate in an assurance engagement of a function for which they previously performed a consulting engagement.

The scope and objective of the engagement is agreed upon based on the engagement client's needs.

The internal audit activity must ensure management actions have been implemented effectively or risk accepted.

Promote closer linkage between organizational strategy and information.

Provide users with greater online access to information systems.

Enhance the functionality of application systems.

Expand the use of automated controls.

Key processes across the entity which impact quality must be identified and included.

The quality management system must be documented in the articles of incorporation, quality manual, procedures, work instructions, and records.

Management must review the quality policy, analyze data about quality management system performance, and assess opportunities for improvement and the need for change.

The entity must have processes for inspections, testing, measurement, analysis, and improvement.

Variability tolerance.

Ratio estimation.

Stratification.

Acceptance sampling.

Bank statements.

Customer confirmation letters.

Copies of sales invoices.

Copies of deposit slips.

An auditor is appropriately able to communicate results.

An auditor performs his work free from interference.

An auditor is unrestricted in determination of scope.

An auditor avoids conflicts of interest.

1 and 2.

1 and 4.

2 and 3.

3 and 4.

Accommodating.

Compromising.

Collaborating.

Competing.

Internal control checklist.

Procurement employee survey.

Cross-functional flow chart.

Segregation of duties matrix.

If an organization does not have a mature privacy framework, the internal audit activity should assist in developing and implementing an appropriate privacy framework.

Because the audit committee is ultimately responsible for ensuring that appropriate control processes are in place to mitigate risks associated with personal information, the internal audit activity is C. required to conduct privacy assessments.

The internal audit activity may delegate to nonaudit IT specialists the responsibility of determining whether personal information has been secured adequately and data protection controls are sufficient.

The internal audit activity should have appropriate knowledge and competence to conduct an asses .......framework.

Unauthorized overtime.

Fictitious employees.

Unearned bonuses or commissions.

Skimming.

Vendor invoice payment requests are accompanied by a purchase order and receiving report.

Purchase orders are typed by the purchasing department using prenumbered forms.

Buyers promptly update the official vendor listing as new supplier sources become known.

Department managers initiate purchase requests that must be approved by the plant superintendent.

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

Were audit findings relevant and useful to management?

Does the audit report format present issues clearly and concisely?

Does the IAA work with a high degree of professionalism and objectivity?

Were the findings reported in a timely manner?

1 only

4 only

1 and 3

2 and 4

Strategic plans reflect the organization's business objectives and overall attitude toward risk.

Strategic plans are helpful to identify major areas of activity, which may direct the allocation of internal audit activity resources.

Strategic plans are likely to show areas of weak financial controls.

The strategic plan is a relatively stable document on which to base audit planning.

Assert whether the described and reported control processes and systems exist.

Assess whether senior management adequately supports and promotes the internal control culture described in the report.

Evaluate the completeness of the report and management's responses to identified deficiencies.

Determine whether management's operating style and the philosophy described in the report reflect the effective functioning of internal controls.

Disclose the information in a separate report.

Distribute the information in a confidential report to the board only

Distribute the reports through the use of blind copies.

Exclude the results from the report and verbally report the conditions to senior management and the board.

Coach management in responding to risks.

Develop risk management strategies for board approval.

Facilitate identification and evaluation of risks.

Evaluate risk management processes.

The audit committee of the board.

The environmental, health, and safety manager.

The organization's external environmental lawyers.

The organization's insurance department.

The matter does not need to be reported, because the noncompliant findings fall within the acceptable tolerance limit.

The deviations are within the acceptable tolerance limit, so the matter only needs to be reported to the information security manager.

The incidents of noncompliance fall outside the acceptable tolerance limit and require immediate corrective action, as opposed to reporting.

The incidents of noncompliance exceed the tolerance level and should be included in the final engagement report.

1 and 2

1 and 4

2 and 3

3 and 4

Audit client management only

Executive management only

Audit client management, executive management, and others approved by the chief audit executive.

Audit client management, executive management, and any those who request a copy.

Testing controls where operating procedures vary.

Testing controls in decentralized offices.

Testing controls in high risk areas.

Testing controls in areas with high control failure rates.

Integrity.

Flexibility.

Initiative.

Curiosity.

Senior management is charged with overseeing the establishment risk management and control processes.

The chief audit executive is responsible for overseeing the evaluation risk management and control processes.

Operating managers are responsible for assessing risks and controls in their departments.

Internal auditors provide assurance about risk management and control process effectiveness.

Scheme.

Opportunity.

Rationalization.

Pressure.

CSA allows management to have input into the audit plan.

CSA allows process owners to identify, evaluate, and recommend improving control deficiencies.

CSA can improve the control environment.

CSA increases control consciousness.

Management disagrees with the report findings and conclusions in their responses.

Management has already satisfactorily completed the recommended corrective action.

Management has provided additional information that contradicts the findings.

Management believes that the finding is insignificant and unfairly included in the report.

1 and 2 only

1 and 4 only

2 and 3 only

3 and 4 only

Administrators monitoring the use, assignment and configuration of privileges on the network.

The IT department establishing^ implementing, and actively managing security configurations.

Management identifying and classifying the types of critical data in the organization's system

Senior management of the organization setting the cybersecurity policy

1 and 2 only

3 and 4 only

1, 2, and 4 only

2, 3, and 4 only

The business continuity management charter.

The business continuity risk assessment plan

The business impact analysis plan

The business case for business continuity planning

Access to read application logs is restricted to authorized users.

Account balance information is encrypted in the database.

The web server used to host the application is located in a physically secure area.

Sensitive data, such as account numbers, are submitted using encrypted communications.

1 and 4 only

2 and 3 only

1, 2, and 3 only

1, 2, 3, and 4

Information integrity risk.

Privacy risk

Access risk

Software risk

Risk acceptance.

Risk sharing.

Risk avoidance.

Risk reduction.

1 and 3 only.

1 and 4 only.

2 and 3 only

3 and 4 only.

Reversing all previous closing adjustments is a mandatory step in the accounting cycle

Reversing entries should be completed at the end of the next accounting period after recording regular transactions of the period

Reversing entries are identical to the adjusting entries made in the previous period.

Reversing entries are the exact opposite of the adjustments made in the previous period.

Both the key used to encrypt the data and the key used to decrypt the data are made public.

The key used to encrypt the data is kept private but the key used to decrypt the data is made public.

The key used to encrypt the data is made public but the key used to decrypt the data is kept private.

Both the key used to encrypt the data and the key used to decrypt the data are made private.

To keep stock price constant.

To keep shareholders' equity constant.

To increase shareholders' equity.

To enhance the stock liquidity.

To improve the chain of command.

To strengthen corporate headquarters.

To focus better on a single market.

To increase lateral communication.

A time-sensitive just-in-time purchase environment.

A large volume of custom purchases.

A variable volume sensitive to material cost.

A currently inefficient purchasing process.

Logical access controls monitor application usage and generate audit trails.

The development process is designed to prevent, detect and correct errors that may occur

A record is maintained to track the process of data from input, to output, to storage

Business users' requirements are documented, and their achievement is monitored

Self control.

Power distance.

Masculinity versus femininity.

Uncertainty avoidance.

Determining the trends that will influence key factors in the organization's environment.

Selecting the issue or decision that will impact how the organization conducts future business.

Selecting leading indicators to alert the organization of future developments.

Identifying how customers, suppliers, competitors, employees, and other stakeholders will react.

Automated password change requirements

System data backup process

User testing of system changes

Formatted data fields

Functional departmentalization.

Product departmentalization.

Matrix organization.

Divisional organization.

Conform with all other parts of The IIA's Standards and provide appropriate disclosures.

Conform with all other parts of The IIA's Standards; there is no need to provide appropriate disclosures.

Continue the engagement without conforming with the other parts of The IIA's Standards.

Withdraw from the engagement.

1 and 2

1 and 3

2 and 4

3 and 4

Buying an insurance policy to protect against loss events.

Hedging against natural gas price fluctuations.

Selling a non-strategic business unit.

Outsourcing a high risk process to a third party.

The CAE has no role to play, because the chief health and safety officer reports to a senior executive.

The CAE should coordinate with, and review the work of, the chief health and safety officer to gain an understanding of whether risks related to health and safety are managed properly.

The CAE should give periodic reports directly to the regulator regarding health and safety issues, as it is the appropriate regulatory oversight body.

The CAE should hire an independent external specialist to conduct an annual assessment and provide assurance over the effectiveness of the health and safety program and the reliability of its reports.

Acts that may endanger the health or safety of individuals.

Acts that favor one party to the detriment of another.

Acts that damage or have an adverse effect on the environment.

Acts that conceal inappropriate activities in the organization.

Authority and responsibility to resolve issues.

Framework to plan, execute and monitor activities.

Integrated responses to multiple risks.

Knowledge and skills needed to perform activities.

Refrain from indicating that the internal audit activity operates in conformance with the Standards until the chief audit executive confirms that the internal audit activity has addressed all areas of nonconformance and the audit committee has been notified.

Refrain from indicating that the internal audit activity operates in conformance with the Standards until another external assessment confirms that the significant areas of nonconformance have been addressed.

Indicate that the internal audit activity operates in partial conformance with the Standards, as the internal audit activity has a quality assurance and improvement program in place to address deficiencies and has met the requirement for conducting an external assessment.

Update and reissue previous audit reports, removing the assertion that the internal audit activity operates in conformance with the Standards, and distribute them to all parties who received the original reports.