Questions and Answers of
Internal Auditing Assurance
In governance, what are the key responsibilities of: a. The board of directors? b. Senior management? c. Risk owners?
What role does the internal audit function play in governance?
Which of the following would be considered a first line of defense in the Three Lines of Defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued
Discuss how regulations help to improve governance. Explain how some regulations may have unintended consequences regarding governance.
In addition to the internal audit function, what other internal functions may provide independent assurance to the board or senior management?
Which of the following would be considered a second line of defense in the Three Lines of Defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued
The King Code of Corporate Governance for South Africa is widely considered one of the most progressive governance codes in the world. Search the internet for the latest version (King IV), which
Companies in industries that are heavily regulated may be subject to audits by the regulator’s auditors. While not specifically covered in the Three Lines of Defense model, such auditors would most
What are the three lines of defense in the Three Lines of Defense model?
What is a combined assurance model? Why do some organizations use such models?
Which of the following is not a role of the internal audit function in best practice governance activities? a. Support the board in enterprise wide risk assessment. b. Ensure the timely implementation
What are some key U.S. regulations that have been written in response to adverse business events?
Which of the following statements regarding corporate governance is not correct? a. Corporate control mechanisms include internal and external mechanisms. b. The compensation scheme for management is
Which of the following represents the best governance structure? Operating Management a. Responsibility for risk b. Oversight role c. Responsibility for risk d. Oversight
What types of business events tend to drive new legislation and guidance? a. Economic downturns. b. Fraud or other corporate wrongdoing. c. Elections or other political changes. d. Economic growth.
Describe the difference between risk-taking philosophy, risk appetite, and acceptable variation in performance. Give examples of each.
COSO provides a variety of guidance relevant to the internal audit profession. The purpose of this case is to become more familiar with COSO and its guidance. Visit www.coso.org and answer the
How does COSO define risk? How does ISO define risk?
According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives? a. Ensuring culture is clearly articulated by the
Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success? a. Economic event. b. Natural environment event. c.
How does effective ERM help achieve strategy?
What are the five fundamental points embedded in the COSO and ISO definitions of risk?
In the United States, COSO published its Enterprise Risk Management – Aligning Risk with Strategy and Performance (COSO ERM, or ERM framework) in 2017. In 2004, COSO identified a need for a robust
Which of the following is not an example of a risk-sharing strategy? a. Outsourcing a noncore, high-risk area. b. Selling a nonstrategic business unit. c. Hedging against interest rate fluctuations. d.
Define inherent risk and residual risk. Which of the two types of risk should have a greater impact on the annual internal audit plan?
According to COSO, what are the fundamental concepts emphasized in its definition of enterprise risk management (ERM)?
An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which
The ISO 31000 risk management framework includes five components, the first of which is “mandate and commitment.” Explain what mandate and commitment means. Discuss why mandate and commitment is
How does COSO define mission, vision, and core values?
Which of the following risk management activities is out of sequence in terms of timing? a. Identify, assess, and prioritize risks. b. Develop risk responses/treatments. c. Determine key organizational
For an organization that has not implemented ERM, describe steps the internal audit function can take to initiate an ERM program without impairing the function’s independence and/or objectivity.
How does COSO define strategy and business objectives?
Who is responsible for implementing ERM? a. The chief financial officer. b. The chief audit executive. c. The chief compliance officer. d. Management throughout the organization.
Risk assessment most commonly focuses on two criteria—impact and likelihood. As an organization’s risk assessment process evolves, what other criteria might be valuable to consider and why?
Which of the following is not a potential value driver for implementing ERM? a. Financial results will improve in the short run. b. There will be fewer surprises from year to year. c. There will be
One of your classmates, I. M. Motivated, consistently carries a very heavy class load. In addition to his already heavy class load, he is contemplating applying for an internal audit internship at a
How does COSO define risk appetite?
Which of the following is the best reason for the CAE to consider the organization’s strategic plan in developing the annual internal audit plan? a. To emphasize the importance of the internal
It may be easier for some to understand ERM by thinking about five “everyday questions” that can be used to apply risk management thinking: a. What are we trying to accomplish (what are our
What is inherent risk? What is residual risk?
When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should: a. Report the unacceptable risk level immediately to the chair of the
What are COSO’s five categories of risk response?
The CAE is asked to lead the enterprise risk assessment as part of an organization’s implementation of ERM. Which of the following would not be relevant with respect to protecting the internal
In what forms might risk information be communicated?
An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function’s risk model. It is currently on
What are typical ERM responsibilities of: a. The board of directors? b. Management? c. The chief risk officer? d. Financial executives? e. The internal audit function? f. The independent outside auditors?
When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk
What are the 11 risk management principles identified in ISO 31000?
One of the challenges of ERM in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas. b.
What are the five components of the ISO 31000 risk management framework?
The function of the chief risk officer is most effective when he or she: a. Manages risk as a member of senior management. b. Shares the management of risk with line management. c. Shares the management
What five activities are included in the ISO 31000 risk management process?
In exhibit 4-3, why are some of the balls representing risks clustered together while some are not? [Exhibit 4-3: figure with labels "Governance Controls & Management-Oversight Controls" and "Process-Level"]
Enterprise risk management: a. Guarantees achievement of business objectives. b. Requires establishment of risk and control activities by internal auditors. c. Involves the identification of events with
What are some ERM assurance activities the internal audit function may perform? What are some ERM consulting activities the internal audit function may perform if appropriate safeguards are
What is a business process? What are operating processes?
In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization? a. Advertising budget. b. Production
How would an oil exploration and production company differ from a global retail company like Wal-Mart in terms of how it organizes business processes?
What is a project and how is it different from a business process?
Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to: a. Determine the ability of the
What is a business process? a. How management plans to achieve the organization’s objectives. b. The set of connected activities linked with each other for the purpose of achieving an objective or
What are five of the most important business processes and business risks for a large automobile manufacturer like Toyota?
Select a company that has undergone an initial public offering within the last five years and obtain the prospectus (these are usually available on the company’s website, EDGAR for companies listed
What are the management and support processes that are common to most organizations?
If internal audit resources are limited to conducting only one audit at a divisional location, should a high-risk process that was audited last year at this location be audited in lieu of a
CPI’s internal audit function uses the Assessment area in TeamMate+ to develop its annual risk-based internal audit plan. The planning process begins with the internal audit function’s
What is included in an organization’s business model?
If a risk appears in the bottom right of quadrant II in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative
The objectives of Sargon Products’ purchasing process are to obtain the right goods, at the right price, at the right time. What are the significant risks to achievement of these objectives?
Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, is an auditing standard for service organizations. SSAE 16 was issued in April 2010, and
What is the difference between a top-down and bottom-up approach to understanding business processes?
If a risk appears in the middle of quadrant IV in the above risk control map, it means that: a. There is an appropriate balance between risk and control. b. The controls may be excessive relative to
Think about the sales and cash receipts process of a men’s or women’s clothing store where you shop. a. What are the key objectives of this process? b. What are the key risks that threaten the
How does an organization determine the key objectives of a business process?
Which of the following circumstances would concern the internal auditor the most? a. A risk in the lower left corner of quadrant I. b. A risk in the lower right corner of quadrant II. c. A risk in the
Payswell Company, a small manufacturer, has been in business for 10 years. Senior management is thinking about outsourcing the company’s payroll process. a. What are three important objectives of a
What are two commonly used methods for documenting processes? Describe each.
Which of the following are business processes? I. Strategic planning. II. Review and write-off of delinquent loans. III. Safeguarding of assets. IV. Remittance of payroll taxes to the respective tax
What are the two common factors used when assessing risks?
Which of the following symbols in a process map will most likely contain a question? a. Rectangle. b. Diamond. c. Arrow. d. Oval.
After a risk assessment is completed, the next steps involve linking the risks to what two things?
What must the CEO and CFO of a publicly traded company do to comply with the U.S. Sarbanes-Oxley Act of 2002?
In the United States, Sarbanes-Oxley legislation put responsibility for the design, maintenance, and effective operation of internal control squarely on the shoulders of senior management,
After business risks have been identified, they should be assessed in terms of their inherent: a. Impact and likelihood. b. Likelihood and probability. c. Significance and severity. d. Significance and
What are the four responses an organization can take toward a risk?
In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have: a. A key link. b. A secondary link. c. An indirect link. d. No link at all.
What is the difference between a key link and a secondary link?
A major upgrade to an important information system would most likely represent a high: a. External risk factor. b. Internal risk factor. c. Other risk factor. d. Likelihood of future systems problems.
How can the risk factor approach be used to identify areas of high risk in an organization?
Which of the following is true regarding business process outsourcing? a. Outsourcing a core, high-risk business process reduces the overall operational risk. b. Outsourced processes should not be
What are the two basic types of factors typically used when following the risk factor approach? What other factors are commonly considered?
A company has recently outsourced its payroll process to a third party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the
What two axes are typically used in a risk control map? Explain what the two parallel dashed lines in exhibit 5-16 signify. [Exhibit 5-16: risk control map figure]
When conducting an assurance engagement, once the objectives are known, what are the three primary steps involved in determining the tests to perform to assess whether the risks threatening the
Which flowcharting symbol indicates the start or end of a process? a. Arrow. b. Diamond. c. Oval. d. Rectangle.
How does a control manage a specific risk? a. It reduces the likelihood of the event giving rise to the risk. b. It reduces the impact of the event giving rise to the risk. c. It reduces either
What practices should organizations follow to ensure effective risk management and control of outsourced business processes?
Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing governance, risk management, and control processes? a. To help determine the nature,
An audit report contains the following observations: a. A service department’s location is not well suited to allow adequate service to other units. b. Employees hired for sensitive positions are not
Controls mitigate risks that threaten objectives and thus provide reasonable assurance that objectives will be achieved. Risks encompass both threats of bad things happening and threats of good