Question
Need help with these multiple choice questions for internal audit final exam. Due in 2 hours.
QUESTION 1 RsQ_004
Without management direction and assumption of responsibility, it would be inappropriate for the internal audit function to perform which of the following:
a. Design controls for a process.
b. Develop a new whistleblower policy.
c. Design a new IT application before implementation.
d. Lead a process reengineering project.
e. None of these (a-d) are correct. None of them are inappropriate.
f. All of these (a-d) are correct. All of them are inappropriate.
1 points

QUESTION 2 RsQ_004
Choose the best answer. Make sure your answer is as complete as possible. The definition of Internal Auditing includes the words,
a. independent, objective assurance and consulting activity designed to add value and improve an organization's opera
b. independent, objective assurance activity designed to add value and improve an organization's operations
c. independent, objective assurance and consulting activity designed to add value and improve an organization's objec
d. independent, objective assurance and consulting activity and improve an organization's objectives
e. independent, objective assurance activity designed to add value and improve an organization's objectives
f. None of these (a-d) are correct.
1 points

QUESTION 3 RsQ_005
(This is not a sampling question but an evidence question.) If an internal auditor selects a sample of the most recent updates billed to customer accounts and matches them with shipping documents. This procedure most directly addresses which of the following assertions?
a. All shipments to customers are recorded as receivables.
b. All shipped items are billed to customers.
c. All recorded receivables represent goods shipped to customers.
d. All shipments to customers are billed.
e. None of these (a-d) are true
f. All of these (a-d) are true
g. Some of these (a-d) are true
1 points

QUESTION 4 RsQ_006
After an internal auditor's evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to:
a. Test whether there is proper documentation of the controls.
b. Test a compensating system of internal controls.
c. Conclude that residual risk is low.
d. Conclude that control risk is high.
e. None of these (a-d) would be the next step
f. All of these (a-d) would be the next step
g. Some of these (a-d) are true
1 points

QUESTION 5 RsQ_007
Reported internal audit observations emerge by a process of comparing "what should be" with "what is". In determining "what should be" during an audit of a company's treasury function, which of the following would be desirable criterion against which to judge current operations?
a. Best practices of the treasury function in relevant industries.
b. Established company policies and procedures delegating authority and assigning responsibilities.
c. Performance standards established by senior management.
d. The desired operations by employees according to the company's code of conduct
e. None of these (a-d) are desirable as "what should be."
f. All of these (a-d) are desirable as "what should be."
g. Only one of these (a-d) is desirable
1 points

QUESTION 6 RsQ_007
An Internal auditor has completed an assessment of internal risks. Which of the following external risks is likely to impact the accuracy of financial reporting?
a. A recent judicial court case increases the likelihood that pending litigation will result in an unfavorable outcome.
b. The standard-setting body in the organization's country issues a new financial accounting standard.
c. A change to standard industry contracts now allows for the netting of payables and receivables.
d. Pressures from the competition now allows sales contracts not to be reported with industry practices
e. None of these (a-d) are likely
f. All of these (a-d) are likely
g. Only one of these (a-d) is likely
1 points

QUESTION 7 RsQ_007
Which of the following is not a responsibility of the CAE?
a. To communicate the internal audit function's plans and resource requirements to senior management and the board f
b. To oversee the establishment, administration, and assessment of the organization's system of internal auditing
c. To follow up on whether appropriate management actions have been taken on significant issues cited in internal aud
d. To establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organiza
e. All of these (a-d) are a responsibility of the CAE
f. None of these (a-d) are a responsibility of the CAE
1 points

QUESTION 8 RsQ_008
The inventory manager of XYZ Corporation ordered excessive raw materials and had the materials delivered to a friend's business. The manager falsified receiving reports and approved the invoices for payment. Which of the following procedures would most likely detect this fraud?
a. Perform ratio and trend analysis. Compare the ratio of cost of goods sold to inventory for the past five years. We ex
b. Confirm the amounts of raw materials purchased, purchase prices, and dates of shipment with vendors.
c. Perform ratio and trend analysis. Compare the revenue of goods sold with the cost of raw materials purchased for th
d. Observe the receiving dock and count material received. Compare the counts with receiving reports completed by re
e. None of these (a-d) would most likely detect this fraud.
f. All of these (a-d) would most likely detect this fraud.
g. Some of these (a-d) are true
1 points

QUESTION 9 RsQ_008
Company policy provides funds for authorized employees to accumulate large personal office inventories. These funds are not to exceed a thousand dollars in anticipated expenses, but company procedures do not require justification for larger advances.
In this audit observation, the element of an audit finding known as "effect" or consequences will be written in the working paper as:
a. A violation of a primary control objectiv
b. Personal inventory advances exceed prescribed maximum amount.
c. Authorized employees accumulate large, unneeded advances.
d. Authorized employees are permitted unnecessary advances.
e. None of these (a-d) are true
f. All of these (a-d) are true
g. Some of these (a-d) are true
1 points

QUESTION 10 RsQ_008
Internal auditors sometimes express opinions in addition to stating observations in their reports. Due professional care requires that internal audit opinions be:
a. Based on competent and other matter.
b. Limited to the effectiveness of internal controls.
c. Based on sufficient appropriate evidence.
d. Based on experience and free from errors in judgment.
e. None of these (a-d) are true
f. All of these (a-d) are true
g. Some of these (a-d) are true
1 points

QUESTION 11 RsQ_009
Which of the following applications of generalized audit software would be most effective in addressing the auditor's concern about payments for fictitious purchases from fictitious vendors?
a. List all purchases. Take a sample to determine whether they were properly approved.
b. Take a random sample of all expenditures to determine whether they were properly approved.
c. Select a sample of purchases and examine supporting documentation for goods or services received.
d. List all major vendors by product line. Select a sample of major vendors and send negative confirmations to validate
e. None of these (a-d) would be most effective in addressing the auditor's concern about payments for fictitious purcha
f. All of these (a-d) are true
g. Some of these (a-d) would be most effective in addressing the auditor's concern about payments for fictitious purch
1 points

QUESTION 12 RsQ_009
The Internal auditor wants to correct employee training deficiencies recently observed.
Which of the following report-writing techniques is very likely to be effective?
a. Do not suggest specific practical improvements in training to address the identified employee failures
b. List the specific requirements of employee training manual.
c. List the deficiencies in training of employees found in employee training manual.
d. List changes to employee training manual
e. None of these (a-d) are very likely to be effective
f. All of these (a-d) are very likely to be effective
1 points

QUESTION 13 RsQ_009
Which of the following controls is likely to be relevant when evaluating the design adequacy of a cash collections process?
a. Calculating the amount of cash received.
b. Testing the controls over the deposits made.
c. Matching the total deposits to the amounts credited to customers' accounts receivable balances.
d. Segregating the preparation of deposit slips from the adjustment of customer account balances.
e. None of these (a-d) are relevant
f. All of these (a-d) are relevant
g. Only one of these (a-d) is relevant
1 points

QUESTION 14 RsQ_009
The internal auditor has responsibility to follow-up activities in an assurance engagement. Which of these are also true?
a. To determine if corrective action has not been taken but the controls are achieving the desired results anyway and th
b. To determine if corrective action has been taken and is achieving the desired results, or that senior management has
c. To schedule audit follow-up activities only if asked to do so by senior management or the audit committee.
d. Not to do follow-up activities if the auditee has agreed in writing to implement the internal audit function's recomme
e. None of these (a-d) are true for assurance engagement follow-up activities
f. All of these (a-d) are true for assurance engagement follow-up activities
g. Only a and b are true for assurance engagement follow-up activities
1 points

QUESTION 15 RsQ_010
An internal auditor determines that the process is not designed adequately to reduce the underlying risks to an acceptable level. Which of the following should the internal auditor do next?
a. Write the audit report, there's no reason to test the operating effectiveness of controls that are not designed adequately.
b. Test compensating controls in other (adjacent) processes to see if the impact of the design inadequacy is reduced to a
c. Test the existing key controls anyway to prove that, despite the design inadequacy, the process is still meeting the pr
d. Postpone the engagement until the design inadequacy has been rectified.
e. None of these (a-d) are true
f. All of these (a-d) are true
g. Some of these (a-d) are true
1 points

QUESTION 16 RsQ_010
An internal auditor has just issued an interim report during an internal audit. We would expect that the auditor's report to:
a. Provide management the opportunity to act on certain observations
b. Promptly inform auditee management and their supervisors of audit procedures performed to date.
c. Limit the scope of the audit
d. Provide auditee management the opportunity to wait before acting on certain observations immediately
e. None of these (a-d) are the auditor's intentions
f. All of these (a-d) are the auditor's intentions
g. Some of these (a-d) are true
1 points

QUESTION 17 RsQ_010
Internal audit assurance engagement working papers must have
a. Procedures, objectives, facts, conclusions and recommendations.
b. Objectives, procedures, and conclusions.
c. Procedures, purpose, criteria, techniques, and conclusions.
d. Procedures, subject, purpose, sampling information, and analysis
e. None of these (a-d) are "must haves"
f. All of these (a-d) are "must haves"
g. Only b and d are "must haves"
1 points

QUESTION 18 RsQ_011
Given a possible control exception is found while testing controls, which of the following may be appropriate?
a. Test additional items to determine whether the exception is an isolated occurrence or indicative of a key control defi
b. Gain an understanding of the root cause, that is, the reason the exception occurred.
c. Draft an observation for the audit report, given it meets the definition of an observation.
d. All of these (a-d) are appropriate.
e. None of these (a-d) are appropriate
f. Only some of these (a-d) are appropriate.
g. some of these (a-d) are true
1 points

QUESTION 19
If the number of error-filled accounts transacted by Medicare is expected to be high, which of the following statements is correct, if the goal is to estimate the amount of dollars in error?
a. PPS sampling should not be used to estimate this amount
b. attribute sampling should be used to estimate this amount
c. Classical variables sampling should not be used
d. a non-random sampling estimation procedure can not be used
e. a random sampling estimation procedure can not be used
f. More than one of the above answers is correct
1 points

QUESTION 20 RsQ_005
Any observation that is identified by the internal auditor as a material fraudulent act committed by senior management should be:
a. Reported to senior management
b. Reported to the independent outside auditors.
c. Reported to the audit committee.
d. Reported to major outside funding sources as defined by the laws and regulations of the country in which it operates
e. answers a & b are correct
f. answers a through c are correct
g. All the answers, a through d, are correct
1 points

QUESTION 21 RsQ_001
None, one or more than one of these answers are correct. Should any one of these events discussed occur, then an audit committee would be most likely to receive
a. a formal report that the controls over salary increases have been compromised and some unauthorized raises have be
b. an informal report that the controls over salary increases have been compromised and some unauthorized raises have
c. a formal report that the controls over salary increases have been compromised and some unauthorized raises have be
d. an informal report that the controls over salary increases have been compromised and some unauthorized raises have
e. Answers a & c are correct
f. answers a,b, c & d are correct
1 points

QUESTION 22 RsQ_002
Which of the following is an element of non sampling risk as opposed to an element of sampling risk?
a. Performing an inappropriate audit procedure.
b. Performing an incorrect calculation.
c. Failing to detect a control deviation.
d. Forgetting to perform a specific action.
e. All of these "A-D" are correct
f. None of these "A-D" are correct
1 points

QUESTION 23 RsQ_003
Which of the following is not an example of a risk-sharing strategy?
a. Outsourcing a noncore, high-risk area.
b. Partnering with another company in a foreign investment.
c. Hedging against interest rate fluctuations.
d. Buying an insurance policy to protect against adverse weather.
e. Each of these is an example of a risk-sharing strategy
f. Not one of these is an example of a risk-sharing strategy
1 points

QUESTION 24
Which of the following are "mandatory guidance" in The IIA's IPPF?
a. The Definition of Internal Auditing.
b. The IIA Standards
c. The Code of Ethics.
d. All of these are mandatory guidance
1 points

QUESTION 25
Which one of the following are true regarding the internal and external risks?
a. There is a direct relationship between the amount of risk mitigated and the cost associated with implementing
b. Controllable risk is that portion of inherent risk that management can not directly influence and reduce throu
c. Risk tolerance must not align with the risk appetite.
d. All of the statements given here are true.
1 points

QUESTION 26
Determine the sample size needed if the shipping documents are supposed to match with sales invoices for the prices of items shipped, when the expected non compliance (the deviation) rate is typically 2 Percent and the worst case, the tolerable deviation rate, is 5 Percent and you want to be right 95 percent of the time (the risk of assessing control risk as too low is 5 percent).
a. 132
b. 181
c. 1463
d. 590
1 points

QUESTION 27
Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes?
a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives.
b. To ensure that weaknesses in the internal control system are correct
c. To provide reasonable assurance that the process will enable the organization's objectives and goals to be met efficie
d. To determine whether the processes ensure that the accounting records are correct and that financial statements are f
1 points

QUESTION 28
In obtaining an understanding of the entity and its environment, including its internal control, an auditor is required to obtain knowledge about the:
a. Design of relevant internal controls pertaining to financial reporting in each of the five internal control components
b. Design of relevant internal controls pertaining to financial reporting in each of the five internal control components
c. Consistency with which the internal controls are currently being applied
d. Financial and operational controls related to each principal transaction class and account balance
1 points

QUESTION 29
The difference between vouching and tracing is that (which of these are true?)
a. Vouching involves top down analysis from income statement expense to voucher to receiving document
b. Vouching involves bottom up analysis from income statement expense to voucher to receiving document
c. Tracing involves top down analysis from income statement expense to voucher to receiving document
d. None of these statements are true
1 points

QUESTION 30
The Certified Internal Auditor (CIA) exam tests a candidate's expertise now in which of these parts?
a. The Internal Audit Activity's Role in Governance, Risk, and Control. Conducting the Internal Audit Engagement.
b. Business Practice, and Analysis
c. Business Management Skills; Info Tech.
d. All of these are parts of the Certified Internal Auditor Exam.
1 points

QUESTION 31
An organization's IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility?
a. Designing IT application-based controls
b. Aligning investments in IT with business strategies.
c. Overseeing changes to IT systems
d. Monitoring IT security procedures
1 points

QUESTION 32
According to the IIA Standards, which of the following must the internal audit manager think about when considering appropriate due care while planning an assurance engagement?
a. The cost of assurance in relationship to potential benefits.
b. The opportunity to cross train internal audit staff.
c. The potential to deliver consulting services to the auditee.
d. Job openings in the area that may be of interest to internal auditors assigned to the engagement.
1 points

QUESTION 33
The IIA's Standards require internal auditors to exercise due professional care while conducting assurance engagements. Which of the following is not something an internal auditor is required to consider in determining what constitutes the exercise of due care in an assurance engagement of treasury operations?
a. The Treasury management has instituted many new risk management policies.
b. The treasury function just completed implementation of a new real-time investment tracking system.
c. The audit committee has requested assurance on the treasury function's compliance with a new policy on use of fina
d. The outside auditors have not made any special requests requiring due care lately
1 points

QUESTION 34
An internal auditor is auditing a division in which the division's CFO is a close personal friend. The auditor learns that the friend is to be replaced after a series of critical contract negotiations with the Department of Defense. The auditor relays this information to this friend. Which principle of The IIA's Code of Ethics has been violated?
a. Integrity
b. Privacy
c. Objectivity
d. None of these answers apply
1 points

QUESTION 35
An internal auditor provides income tax services during the tax season. For which of the following activities would the auditor most likely be considered in violation of The IIA's Code of Ethics
a. Preparing, for a fee, a division manager's personal tax returns
b. Preparing, for a fee, a member of the Board of Directors' personal tax returns
c. Preparing, for a fee, any senior manager's personal tax returns
d. In all of these activities would the auditor most likely be considered in violation of The IIA's Code of Ethics
1 points

QUESTION 36
Which of the following is/are components of the IIA Standards? I. Statements. II. Interpretations. III. Glossary.
a. I only and not II or III
b. Both I and II
c. Both II and III
d. I, II, and III
1 points

QUESTION 37
A primary-purpose of the IIA Standards is to
a. Establish a basis for evaluating internal audit performance
b. Develop a consistency in internal audit practices
c. Provide a codification of existing practices
d. None of these is a primary-purpose of the IIA Standards

Internal Audit-Final Exam Study Guide

Proposed Questions on Final Exam:

1. Which of the following types of audit evidence is the most persuasive?
a. Prenumbered client purchase order forms
b. Client work sheets supporting cost allocations
c. Bank statements obtained from the client-Correct Answer
d. Client representation letter

2. While performing a test of details during an audit, an auditor determined that the sample results supported the conclusion that the recorded account balance was materially misstated. It was, in fact, not materially misstated. This situation illustrates the risk of:
a. Assessing control risk too high
b. Assessing control risk too low
c. Incorrect rejection-Correct Answer
d. Incorrect acceptance

3. Audit documentation should:
a. Not be permitted to serve as a reference source for the client
b. Not contain critical comments concerning management
c. Show that the accounting records agree or reconcile with the F/S-Correct Answer
d. Be considered the primary support for the F/S being audited

4. Which of the following is true regarding audit work paper documentation for fraud investigation?
1. All incriminating evidence should be included in workpapers
2. All important testimony reviewed to make sure it provides sufficient basis for conclusions
3. If interviewing suspect, written transcripts or statement should be in workpapers
A. 1 and 2 only
B. 1 and 3 only
C. 2 and 3 only
D. 1,2, and 3

5. Considering the differences between statistical and judgmental sampling, which statement about statistical is true?
A. No judgment is required, because everything is computed according to formula
B. Smaller sample can be used
C. More accurate results are obtained
D. Population estimates can be made with measurable reliability

6. When you redo procedures or controls to ensure they are effective and done correctly and you analyze its operating effectiveness, this is what quality?
A. Relevance
B. Reperformance
C. Confirmation
D. Reliability

7. Internal auditors obtain understanding of controls and perform tests of controls to:
A. Find material misstatements of account balances
B. Reduce control risk to acceptable low level
C. Evaluate design adequacy and operating effectiveness
D. Assess inherent risks with transaction

8. Which of the following is auditor least likely to do when aware of illegal acts?
A. Discuss with client's attorney
B. Obtain evidence of how act will affect financial statement
C. Contact local law enforcement about the act
D. See how act affects relationship with company management

9. Which of the following is least likely to be evidence of operating effectiveness of controls?
A. Cancelled Supporting Documents
B. Confirmations of Accounts Receivable
C. Records documenting Usage of Computer Programs
D. Signatures on Authorization Forms

10. An auditor's reason for executing test of controls is to give reasonable assurance that:
A. The controls are operating in an effective manner
B. Risk that auditor may fail to change the opinion on financial statements is minimized
C. Access to assets is restricted by segregation of duties and functions done according to manager's authorization
D. Recording of transactions are done to prepare financial statements according to GAAP

11. What are the 4 Risk Response Options?
A. Fear, Love, Hate, and Surprise
B. Accept, Reduce, Share and Avoid
C. Test, Reduce, Avoid, and Accept
D. Avoid, Accept, Divert, and Increase

12. How many Principles does ISO 31000 relating to Risk Management provide?
A. 9
B. 11
C. 13
D. 31

13. What are Client Acceptance, Preliminary Engagement Activities and Plan the Audit known as?
A. 3 Lines of Defense Model
B. 3 Phases of Audit related to Accepting a Client
C. 3 Phases of Audit related to Audit Planning
D. 3 Phases of Audit related to Consulting Services

14. Which one of these is not a component that IIA defines as the value proposition of Internal Auditing?
A. Assurance
B. Insight
C. Objectivity
D. Professionalism

15. Which of these elements is not "Strongly Recommended" Guidance in the IIA Professional Practices Framework?
A. Position Papers
B. Professional Standards
C. Practice Advisories
D. Practice Guides

16. Which one of the following is/are true regarding the internal and external risks:
I. There is a direct relationship between the amount of risk mitigated and the cost associated with implementing controls designed to achieve that level of mitigation.
II. Controllable risk is that portion of inherent risk that management can directly influence and reduce through day-to-day business activities.
III. Risk tolerance must align with the risk appetite.
a) I and II;
b) I and III;
c) I, II, III;
d) None of them.

17. In obtaining an understanding of the entity and its environment, including its internal control, an auditor is required to obtain knowledge about the:
a. Design of relevant internal controls pertaining to financial reporting in each of the five internal control components
b. Effectiveness of the internal controls that have been placed in operation
c. Consistency with which the internal controls are currently being applied
d. Controls related to each principal transaction class and account balance

18. Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes?
A. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives.
B. To ensure that weaknesses in the internal control system are corrected.
C. To provide reasonable assurance that the process will enable the organization's objectives and goals to be met efficiently and economically.
D. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.

19. An organization's IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility?
A. Aligning investments in IT with business strategies
B. Overseeing changes to IT systems
C. Monitoring IT security procedures
D. Designing IT application-based controls

Old Exam Questions

Exam One

Which of the following is not an example of a risk-sharing strategy?
a. Outsourcing a noncore, high risk area
b. Partnering with another company in a foreign investment
c. Hedging against interest rate fluctuations
d. Buying an insurance policy to protect against adverse weather
e. Each of these is an example of a risk-sharing strategy
f. Not one of these is an example of a risk-sharing strategy

What is the best reason for the internal auditor to consider a company's strategic plan when developing the company's annual internal audit plan?
a. To serve as an independent assurance and consulting activity designed to add value and improve the company's operations
b. To ensure that the audit plan supports the company's overall business objectives
c. To review the integrity of financial and operating information and the methods used to accumulate and report information
d. To determine whether the company's system of internal controls provides reasonable assurance that information is effectively and efficiently communicated to management
e. None of the above answers are correct

A manufacturing company has identified the following risk: "Failure of management to file the proper financial statements." To which type of objective does this risk most directly relate?
a. Employee
b. Reporting
c. Strategic
d. Compliance
e. None of the above answers are correct

The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and objectivity of its internal auditors?
a. Risk owners are assigned responsibility for each key risk
b. Risk owners are assigned responsibility for their risk increase
c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile
d. A cross-section of management is involved in assessing the impact and likelihood of each risk
e. None of the above answers are correct. All are relevant. None are irrelevant
f. All of the above answers are correct. All are irrelevant. None are relevant

Which of the following activities are in proper sequence in terms of timing?
a. Activities and sequence: 1-determine the key organizational objectives, 2-identify and assess and then prioritize the risks, 3- develop risk response/treatments, 4-Monitor the effectiveness of risk/ response/ treatments
b. Activities and sequence: 1-determine the key organizational objectives, 2-identify and assess and then prioritize the risks, 3- develop risk response/treatments
c. Activities and sequence: 1-identify and assess and then prioritize the risks, 2-determine the key organizational objectives, 3- develop risk response/treatments, 4-Monitor the effectiveness of risk/ response/ treatments
d. None of these (a-c) are out of sequence
e. All of these (a-c) are out of sequence
f. Only answers a and b have activities in proper sequence

Exam 2

What is residual risk?
a. Risk that occurs after given inherent risk, the entity controls, and maybe additional controls are applied
b. Risk that is under control.
c. Risk that is managed
d. Underlying risk
e. All of these answers (a-d) apply
f. None of these answers (a-d) apply

Which of the following best illustrates the use of EDI?
a. Computerized placement of a purchase order from a supplier to its customer.
b. Computerized placement of a purchase order from a vendor to its customer.
c. Computerized placement of a purchase order from a customer to the vendor from whom the purchase is made.
d. Computerized placement of any data
e. All of these answers (a-d) apply
f. None of these answers (a-d) apply

Internal auditors often prepare process maps and reference portions of these maps to narrative description of certain activities. This is an appropriate procedure to
a. Obtain the understanding necessary before auditing the process
b. Obtain the understanding necessary but not to test the process.
c. Obtain the understanding necessary for the process before internal audit standards can be applied.
d. Obtain the understanding necessary to test the process
e. All of these answers (a-d) apply
f. None of these answers (a-d) apply

Microsoft Word is an example of
a. Application software
b. Utility software
c. Operating system software
d. Database management system software.
e. All of these answers (a-d) apply
f. None of these answers (a-d) apply

There is a term in the text referred to as an ability. It is called a predication, a technical term that refers to:
a. The ability of a fraud examiner to begin an investigation given fraud evidence exists.
b. The ability of a fraud examiner to commence an investigation if a form of evidence exists that fraud has not occurred.
c. The ability of a fraud examiner to commence an investigation if a form of evidence exists unrelated to the possibility of a fraud
d. The ability of a fraud examiner to commence an investigation if a form of evidence exists that management is unrelated to the fraud.
e. All of these answers (a-d) apply
f. None of these answers (a-d) apply

Exam 3A

The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would be relevant with respect to protecting the internal audit function's independence and objectivity of its internal auditors?
a. The internal audit function obtains the level of tolerable risk from the joint decision of the board and management
b. Risk owners are assigned responsibility for each key risk
c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile
d. A cross-section of management is involved in assessing the impact and likelihood of each risk
e. All of these answers (a-d) apply
f. None of these answers (a-d) apply

Which of the following statements regarding an internal audit function's continuous auditing responsibility is/are true?
I. The internal audit function is responsible for assessing the effectiveness of management's continuous monitoring activities.
II. In areas of the organization in which management has implemented effective monitoring activities, the internal audit function can conduct less stringent continuous assessments of risks and controls.
III. In areas of the organization in which management has implemented ineffective monitoring activities, the internal audit function may conduct more stringent continuous assessments of risks and controls, depending on risk.
a. Only statement I is true
b. Only statement II is true
c. Only statements I and II are true
d. Neither statement I nor statement II is true
e. All statements (I, II, and II) are true
f. No statements (I, II, and II) are true

The purpose of logical security controls is to:
a. Restrict processing results.
b. Require access to hardware
c. Enable complete and accurate processing of data
d. Restrict of access to data
e. All of these "A-D" are correct
f. None of these "A-D" are correct

From an organization's standpoint, because internal auditors are seen to be "internal control experts," they also are:
a. Fraud risk management process owners, and hence, the first and most important line of defense against fraudulent financial reporting or asset misappropriation
b. The best resources for audit committees, management, and others to consult in-house when setting up anti-fraud programs and controls, because they are also risk managers
c. The best candidates to manage risk
d. The secondary decision makers for risk appetites
e. All of these answers (a-d) are correct
f. None of these answers (a-d) are correct

Which of the following symbols in a process map will most likely contain a terminator?
a. Oval
b. Diamond
c. Arrow
d. Circle
e. All of these "A-D" are correct
f. None of these "A-D" are correct

When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:
a. Not resign his or her position in the organization, but also not take further action
b. Not report the unacceptable risk level immediately to the chair of the audit committee and the independent outside firm partner, but also not take further action
c. Discuss the matter with knowledgeable members of the senior management and, if not resolved, take it to the audit committee of the Board of Directors
d. Accept senior management's position because it establishes the risk appetite for the organization
e. All of these (a-d) are true
f. None of these (a-d) are true

An adequate system of internal controls is most likely to detect a fraud perpetrated by a:
a. Group of employees in collusion.
b. the collusion of employees
c. Group of managers in collusion
d. Single manager
e. All of these "A-D" are correct
f. In none of these "A-D" will the internal controls likely detect a fraud

An inappropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that:
a. The individual who initiates wire transfers does reconcile the bank statement.
b. The branch manager must receive all wire transfers
c. Foreign currency rates must be based on one person's opinion
d. Corporate management approves the hiring of employees in this department
e. All of these "A-D" are inappropriate
f. None of these "A-D" are inappropriate

The control that would most likely ensure that payroll checks are written only for authorized amounts is to:
a. Periodically witness the distribution of payroll checks
b. Conduct periodic floor verification of employees on the payroll
c. Require the return of undelivered checks to the cashier
d. Require supervisory approval of employee time cards
e. All of these "A-D" are correct
f.
None of these "A-D" are correct Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? a. To help to determine the nature, timing and extent of tests necessary to achieve engagement objectives b. To ensure that weakness in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated e. All of these "A-D" are correct f. None of these "A-D" are correct The internal audit function's responsibilities with respect to fraud are limited to: a. Being aware of fraud indicators, including those relating to financial reporting fraud, and also possessing the expertise of a fraud infestation specialist b. Monitoring any calls received through the organization's whistleblower hotline, but not necessarily conducting a follow-up investigation c. The organization's operational and compliance activities only, because financial reporting matters are the responsibility of the independent outside auditor d. Ensuring that all employees have received adequate fraud awareness training e. All of these "A-D" are correct f. None of these "A-D" are correct An organization's IT governance committee has several important responsibilities. Which of the following is normally such a responsibility? a. Aligning investments in IT with business strategies b. Overseeing changes to IT systems c. Monitoring IT security procedures d. agreeing to risk levels set by management e. All of these "A-D" are correct f. None of these "A-D" are correct An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. 
It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement? a. Certain components of the process are outsourced b. Changes to the computer system were implemented during the year (from year 1 to year 2), changing how all transactions are now processed. c. The area being audited involves the processing of a high volume of transactions d. The total dollars processed in this area are material e. All of these "A -D" are correct f. None of these "A -D" are correct A manufacturing company has identified the following risk: "Failure to meet our lowest sales price advantage will result in loss of sales" To which type of objective does this risk most directly relate? a. Strategic b. Operations c. Reporting d. Compliance e. All of these answers (a-d) are correct f. None of these answers (a-d) are correct An organization that manufactures and sells computers is trying to boost sales between now and the end of the year. It decides to offer its sales representatives a bonus based on the number of units they deliver to customers before the end of the year. The price of all computers is determined by the vice president of sales, and cannot be changed by sales representatives. Which of the following presents the greatest reason a sales representative may commit fraud with this incentive program? a. Sales representative may sell units that have a lower margin than other units b. The customers may not pay for the computer timely c. The units delivered may be defective d. Customers have the right to return a laptop for up to 90 days after purchase. In this way a sale can be recorded, and the sales person rewarded unfairly e. All of these "A-D" are correct f. None of these "A-D" are correct Which of the following is not true regarding business process outsourcing? a. Outsourcing a core, high-risk business process reduces the overall operational risk b. 
Outsourced processes should not be included in the internal audit universe. c. The independent outside auditor is required to audit all significant outsourced business processes d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should not be tested by the internal audit function. e. All of these "A-D" are correct answers...In short, none of them are true f. None of these "A-D" are correct answers ...In short, all of them are true A new computer system does not guarantee data integrity and therefore increases what type of basic business risk? a. Strategic b. Operations c. Reporting d. Compliance e. All of these answers (a-d) are correct f. None of these answers (a-d) are correct Internal audit engagement programs should: a. Audit every business area within the organization b. Be generalized to fit all situations without regard to department lines. c. Be generalized so as to be usable at various international locations of an organization d. Reduce costly duplication of effort by ensuring that every aspect of an operation is examined e. All of these "A-D" are correct f. None of these "A-D" are correct An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would likely be required as part of such as engagement? a. Determine whether policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may invest. b. Determine the extent of management oversight over investments in sophisticated instruments c. Determine whether there are policies on whether the investment committee may take on the types of instruments in which the committee may invest d. Determine the nature of monitoring activities related to the investment portfolio e. All of these "A-D" are correct f. 
None of these "A-D" are correct After certain items that could be identified as business risks, they should be assessed in terms of their inherent: a. Impact only b. Likelihood and probability only c. Significance and severity only d. Significance and control effectiveness only e. Each one of these "A-D" are correct f. None of these "A-D" are correct Exam 4: For which of the following would an internal auditor most likely use attribute sampling? a. Determining whether the sales invoices have the required supporting documentation b. Determining the degree that controls over time cards are working c. Determining whether the vendor's invoices have the required supporting documentation d. Inspecting employee timecards for proper approval e. All of these "A-D" are correct f. None of these "A-D" are correct Which of the following is an element of non sampling risk as supposed to an element of sampling risk? a. Performing an inappropriate audit procedure b. Performing an incorrect calculation c. Failing to detect a control deviation d. Forgetting to perform a specific action. e. All of these "A-D" are correct f. None of these "A-D" are correct Which of the following examples of documentary evidence generally is considered the most reliable? a. A vendor's invoice obtained from the sales department. b. A credit memorandum prepared by the credit manager c. A receiving report obtained from the receiving department d. A vendor's invoice obtained from the accounts payable department e. All of these "A-D" are correct f. None of these "A-D" are correct If all other factors specified in an attribute sampling plan remain constant, changing the expected population deviation rate from 3% to 2% and changing the tolerable deviation rate from 7% to 8% [ see page 11-9, Exhibit 11-1] would cause the required sample size to: a. can not be determine as increasing or decreasing with this information b. Change by 2% c. Increase d. 
Decrease The Board of Directors requests that the Chief Audit Executive to perform an operational review of the telephone marketing operations of a major division and to recommend procedures and policies for improving management control over the operation. The Chief Audit Executive should: a. Not accept the engagement because recommending controls would impair future objectivity of the department regarding this client b. Not accept the engagement, and indicate to management that recommending controls would impair audit independence so that management knows that future audits of the area would be impaired c. Not accept the engagement because internal audit functions are presumed to have expertise on accounting controls, not marketing controls d. Accept the audit engagement because independence would not be impaired e. All of these "A-D" are correct f. None of these "A-D" are correct Exam 5 Once an uncorrectable material observation is identified by the internal auditor, in the final analysis should be: a. Documented in the working papers. b. Reported to the independent outside auditors. c. Scheduled for follow-up d. all of these (a-c) are correct e. none of these (a-c) are correct Which of the following are part of the minimum requirements for an engagement final communication, according to the International Professional Practices Framewok? I. Background information. II. Purpose of the engagement. III. Engagement scope. IV. Results of the engagement. V. Summaries a. I, II, and III b. I, III, and V c. II, III, and IV d. II, IV, and V e. none of these (a-d) are correct Among the following objectives, which may be an assurance engagement objective? a. Evaluate the design adequacy of the payroll input process. b. Evaluate the accuracy of recorded inventory balances c. Assess compliance with health and safety laws and regulations d. Evaluate the operating effectiveness of fixed asset controls. e. 
All of these are assurance engagement objectives In final audit communications, recommendations should be included to: a. Provide management with options for addressing audit observations b. Ensure that problems are resolved in the manner suggested by the auditor. c. Minimize the amount of time required to correct audit observations d. Guarantee that audit observations are addressed, regardless of cost The internal auditor will, during any assurance engagement: a. Develop an attitude of professional skepticism concerning management's assertions b. Make constructive suggestions to management regarding internal control improvements c. Evaluate whether misstatements in the auditee's performance reports should be communicated to senior management and the audit committee d. Develop an understanding of the auditee's objectives, risks, and controls e. All of these "a-d" are what the internal auditor will do Exam 6 Two confidential reports were found available to the public press after controls over confidentiality were found to be working as planned with compensating controls. These events revealed information that would not result in a significant loss to the company singularly or as combined. Therefore this event of two reports should be: a. Not even considered an observation b. Considered an observation and reported to the independent outside auditors c. Reported to senior management d. Reported to the audit committee e. answers b, c and d are correct f. Only answers b through c are correct g. None of the answers, a through d, are correct Audit committees are most likely to receive, should any one of these events occur: a. a formal report that the controls over salary increases have been compromised and some unauthorized raises have been paid in amounts that are not considered trivial b. an informal report that the controls over salary increases have been compromised and some unauthorized raises have been paid in amounts that are not considered trivial c. 
a formal report that the controls over salary increases have been compromised and some unauthorized raises have been paid in amounts that are considered material to the financial statements d. an informal report that the controls over salary increases have been compromised and some unauthorized raises have been paid in amounts that are considered material to the financial statements e. Answers a & c are correct f. answers a, b, c & d are correct Once an insignificant observation is identified by the internal auditor, where it is revealed that although the dollar loss could be insignificant, there was evidence that the key control was compromised even though there were compensating controls. Therefore this observation should be: a. Documented in the working papers b. Reported to the independent outside auditors c. In a formal report to senior management d. all of these (a-c) apply e. None of these (a-c) apply Please choose the best answer. Once a significant observation is identified by the internal auditor, it should be: a. Documented in the working papers. b. Reported to the independent outside auditors c. Scheduled for follow-up on management's response d. Included in the final audit report e. answers a & b are correct f. answers a through c are correct g. All the answers, a through d, are correct Please choose the best answer. Once an observation is identified by the internal auditor as a fraudulent act committed by senior management it should be: a. Reported to senior management b. Reported to the independent outside auditors c. Reported to the audit committee d. Reported to major outside funding sources as defined by the laws and regulations of the country in which it operates e. answers a & b are correct f. answers a through c are correct g. 
All the answers, a through d, are correct Slides: Chat One: -Your Job as the Internal Auditor: See Assignment 2 notes+ Course Resources Page 3 of The Miami Herald, June 29, 2011 \"Financial watchdog shown the door\" -His third four-year contract expired in April, and on Monday, Victor Igwe, Miami's auditor general since 1999- Why do you think this internal auditor was fired? 1-1 WorldCom and Cynthia Cooper (Internal Auditor) blows the whistle on management (CFO, Sullivan, and CEO, Ebbers) to the audit committee of the BOD -Compare CPAs and CIAs from your undergrad auditing course: CPAs have the three general standards 1 adequate training and proficiency as an auditor-same for CIAs 2 Independence in mental attitude (independent of clients)- same for CIAs but now \"independent of what you audit\" (independent of management decisions) 3 Due professional care -follow the SASs by the CPAs; follow the international standards- CIAs -The CIA serves the Board of Directors and management (an obvious potential conflict): The CPA gives an audit opinion to the public, is given a license to be a public auditor by the public, but is paid by the client (an obvious potential conflict). -Exhibit 2-3 Shows the IIA standards are coded-the CIA must be alert to risks (due care) but this does not guarantee that all the risks will be identified, just like those risks of the CPA auditor. Exhibit 2-4 To be effective, the Chief Audit Executive, CAE (for example, Cynthia Cooper of WorldCom) must be independent of what she audits, proficient, and one of due care (know the standards and get the evidence) page 2-11. See Course Resources-WorldCom Case- Cynthia Cooper went to the Board of Directors in the audit But she can be a consultant over things she does not audit, page 2-11 and Chapter 15, Consulting Corporate Governance and the CIA: Where is the CIA under this umbrella? [Not as a risk manager but as an audit risk reducer.] Internal auditors audit corporate governance. 
We are on the right side, your right side as you look at this umbrella. That is the point of chapter 4. Management sets up controls to reduce risk of loss. We measure the risk of the control.
-Risk is more than chance - it is both the loss of dollars and the chance that you will lose them. For example, what is the chance that NSU will lose students who are attending and doing well? Risk of losing a large asset like one of their police cars?

Chapter 4: Risk Management:

-Enterprise Risk Measurement applies to you - WorldCom had earnings risk, operations risk (booked overhead expenses as capital expenditures, not recognized in earnings). Other examples from other companies? At NSU the risks are in the quality, conduct and safety of the students and the quality, conduct and safety of their loans, expenses and the University's future liabilities and other funding streams.
-Keep Examples in Mind and CIA and CPA Exams:
1-What is risk? Both chance and magnitude of loss. For NSU one risk - there is always chance that we will both process a student who is not qualified and this will result in a loss of the loan, loss to the University; the chance that a student will be attacked by another student and sue the University; the chance that the University will buy an asset and then lose it resulting in a loss to the University - see more in chapter 5
-1-What is risk? The chance and magnitude of loss
2-What risk did Cynthia Cooper and Mr. Victor Igwe of Miami face (besides losing their jobs)?
a. Strategic risk - is company going in right direction? - will City of Miami lose its bond ratings? (Actually happened)
b. Operational risk - can things go wrong the way we operate? (In both cases management wanted to hide things)
c. Financial risk - what dollars are at stake? From reporting and compliance risk.
-Auditing (Not managing) The Risk: Risk - the chance (and loss) of not meeting objectives - [See WorldCom - Posted in Course Resources] - where the earnings objectives were fraudulently met -- expenses ignored.
We are stuck with the leftover (Residual) risk, which is huge if the Governance Controls are not in place and are not tested. Even if we have Controls in place and they are tested we may still be subjected to a smaller risk. Both are residual risk. Our job is to test that risk. Management may be happy with it but we may have to go to the Board if we think it is too great.
-The four COSO categories of risk response are:
Avoidance (firewalls; avoid goals) - avoid some risky students
Reduction (with controls) - insurance
Sharing (partnering for example) - NSU Library
Acceptance (if the chance or amount is small) - the chance and loss that an employee will take home NSU property
-What are the steps here? 1-determine the key organizational objectives, 2-identify and assess and then prioritize the risks of not meeting those objectives, 3-develop risk response/treatments, 4-monitor the effectiveness of risk response/treatments
-How to link IIA audit plan to risk: Review Question ANS. The internal audit function's audit plan should be designed based on an assessment of risk and exposures that may affect the organization. Key audit objectives provide management with information to mitigate the negative consequences associated with accomplishing the organization's objectives, as well as an assessment (test) of the effectiveness of risk management activities (controls).
-Senior management accepts the level of residual (remaining) risk that the auditor believes is unacceptable - for example sales personnel get Hawaiian vacations for reaching sales goals when the sales are not verified - what should the CAE (the CIA) do? (I have seen this happen - sales people get their relatives to buy and then return merchandise) Answer C - discuss this first with the managers and then if not satisfied take it to the audit committee of the Board of Directors
-Which event impacts a government defense contractor? C - Political event
Question 6 - Which is not a driver for ERM? A - future earnings will improve over short term
Page 4-4 Enterprise Risk Management is a process... designed to identify potential events... and to manage risk appetite, to provide reasonable assurance... of entity's objectives.
-Which is not an example of risk sharing?
A Outsourcing a risk
B Selling a risk
C Hedging a risk
D Buying insurance against risk
E Partnering with another firm in a foreign investment
So, now ready to go over Exam 1?

Chat 2:

Chapter 5: Business Processes and Risks:

-STRATEGIC RISK? Example - NOT MEETING REVENUE OBJECTIVES (SALES TOTALS, REV BY A CERTAIN DATE, COMPETITIVE ADVANTAGE FAILED)
-OPERATIONS RISK FOLLOWS STRATEGIC RISK
OPERATIONS RISK? THINGS DO NOT RUN WELL, OBJECTIVES NOT MET.
FIN STATEMENTS RISK? STATEMENTS MATERIALLY INCORRECT, NOT GAAP, NOT TRUE, RESULTS IN LOSSES BECAUSE OBJECTIVES FAILED (NOT MEETING EARNINGS FORECAST, FOR EXAMPLE).
COMPLIANCE RISK? GAAP OR LAWS BROKEN, EMPLOYEES SUFFER, INSURANCE RISKS - THIS IS THE SAME FOR CPA (EXTERNAL AUDITING) AND CIA (INTERNAL AUDITING)
-What is the Risk of Things Going Wrong? For the processes what can go wrong in the company's strategy, operations, product, service, employees, vendors, customers, and compliance with laws, rules, and natural events? (See the Pizza Case (chapter 5) and the MVF lawn mower company (chapter 7)?) Fraud (Ch 8) includes intended things going wrong - Opportunities, motives, excuses, chapter 8? Incentives? Sales people make personal bargains, employees cut corners, and other criminal acts?
-We have the Responsibility to Assess Risk: The CIA like the CPA measures and helps to reduce risk, but does not manage risk. Chapter 8, rev question 10 (page 8-35): to assess fraud risk (same as non-fraud risk chapter 6), we must:
1) Identify inherent risks (ask questions).
2) Assess impact and likelihood of the identified risks.
3) Develop responses (controls) to those risks (high impact and likelihood). Do they result in a potential outcome beyond management's tolerance? (See also monitoring, later.)
4) After assessing risk we must then ask if no. 3 is working (remember the 4 steps?)
Understanding Risks: What can go wrong?
-Quiz question: Internal auditors often prepare process maps and reference portions of these maps to narrative description of certain activities. This is an appropriate procedure to obtain the understanding necessary to test the process (Same as for CPAs - but be careful of the word, "reviewing.") This is question 2 on page 5-32

-Chapter 6: Understanding (Reviewing) Internal Controls:

-Management's Job is to Control, We Audit Controls:
Environment - Board, Ethical values, Structure (who does the CAE report to?), HR (help employees)
Risk Assessment - Do we have earnings goals, fraud? Does management assess things that can happen, monthly?
Control Activities - Segregation of duties, controls over running computer systems (See Pizza case), safeguarding, independent verification, documentation? AAIDSS, IT controls, p 6-12
Information and Communication - controls over changing computer systems, fin info and reporting with computers, controls over company information inside and outside company
Monitoring - Internal & external auditing, budgeting, deficiencies reported on timely manner (see Risk Assess)
For exams you must have examples of these!
-Notice the similarity and difference of the AICPA & IIA (CPA v CIA) standards, why understand controls?
CPA - to BEGIN to assess the Risk of Misstatement
CIA - "to provide reasonable assurance that processes... will enable goals to be met" MC question 1, page 6-29
Note the Difference! The CPA understands and the CIA tests when the word "reviewing" is used
Objectives, Events, and Risk Response for larger companies that use an Enterprise Risk Management approach

Chapter 7: IT Risks and Controls: What is IT, What can go wrong, & Controls?

IT? - 6 components (rev question 1, p 7-25): computer hardware, networks, computer software, databases, information, and people.
Control Activities? - Think AAIDSS, general and application controls from your AIS courses (also Review Questions answer p. 7-25). Then apply all this to internet/cloud computing - what can go wrong, in error?
Possible risk consequences: financial and operational
a. Development/acquisition and deployment risk - unforeseen delays, cost overruns
b. Hardware/software risk - business interruptions, damage to data, and hardware/software
c. System reliability and information integrity risk - inaccurate and untimely information, adversely affects the investment/cost decisions
d. Fraud and malicious acts risk - financial losses
Possible causes of risks (natural, criminal):
a. Selection risk - unqualified decision makers
b. Availability (change) risk - hardware/software failures, unscheduled maintenance, and viruses and other malicious acts.
c. Access risk - laptops/monitors in an open floor plan designed to promote and facilitate employee interaction, and wireless networks.
d. Confidentiality and privacy risk - unimpeded access to system networks, software, and databases.
Answers to Questions 9-11 (Exhibit 7-4): See IT controls posted with Rev Question answers to 9-11, page 7-25
IT responsibilities for the CIA?
-Part of annual planning, require expertise
-ID inherent IT risks, assess IT governance
-Assign CIA with expertise
-Use technology to continuously audit IT

Chapter 8 Fraud Risks/Controls:

Examples (see text and notes) of fraud. Compare and contrast various fraud definitions. Describe the fraud triangle and why all three elements must exist for fraud to occur. Define the types of fraud and fraud risk factors. Describe fraud prevention, deterrence, and detection techniques. Describe internal auditors' fraud-related responsibilities. Understand evolving responsibilities of the internal audit function
What are the 7 Elements of AICPA Fraud? Differ from IIA?
1. A Representation
2. About a material point
3. Which is false
4. And intentionally or recklessly so
5. Which is believed
6. And Acted upon by the victim
7. To the victim's damage
Exhibit 8-5 SOX & AICPA Require: - (and therefore the CIA should also plan to)
Provide reasonable assurance for (a plan on finding) fraud.
Document & communicate asked about it.
Brainstorm all the ways fraud can occur - the audit team
Require special inventory and receivables tests
Require management override assumptions
Chapter 8 Answer to Review Question 18 - p. 8-36: A successful anti-fraud program will typically have
-Commitment by the board and senior management.
-Fraud awareness (and ethics) training activities.
-An affirmation process that requires employees to affirm periodically
-A conflict disclosure process that helps employees self-disclose conflicts of interest.
-A changing fraud risk assessment program, to identify all reasonable fraud scenarios.
-Reporting procedures and whistleblower protection rules
-An investigation process that meets Fed and State laws
-Disciplinary and/or corrective actions
-Evaluation and employee self improvement programs
-Continuous monitoring to ensure the program consistently operates as designed.

Chat 4:

Chapter 9 Review Questions Page 9-28:

-Why have the CAE as senior management? It gives the internal audit function the authority to independently evaluate management's assessment of internal controls and to manage, monitor, and mitigate these risks by management. [NOTE THE CIA DOES NOT MANAGE CLIENT RISK BUT AUDIT RISK.] Why doesn't the NSU CAE (Mr. Ron Midei) audit Blackboard? Does it have a self-auditing function?
-Independent and objective? The CAE should report to a level within the organization (like the Board) that allows the internal auditor to be independent of what he/she audits (Organizational Independence) and internal auditors should avoid conflicts of interest (Individual Objectivity - personal independence).
-Proficiency v professional care? Due (Professional) care means following the standards; Proficiency - have the necessary skills, knowledge
-Elements of a properly designed quality assurance program? (1) The organizational structure and staffing strategy, (2) Financial budget, (3) The internal audit schedule and annual internal audit plan, (4) The staffing plan, hiring practices, training and mentoring goals, (5) Career planning and professional development initiatives, and strategic sourcing and philosophies
-Three Lines of Defense: 1-management of departments, 2-other departments that serve as checks on those departments, and 3-the Internal audit Department
Who? Reporting to the board and senior management (by the CAE)
When? Has the responsibility to report "periodically."
What to report? Questions 14-15: (1) Risk Exposure, (2) Content Issues, (3) Change, (4) CPA issues, (5) Legal and Compliance issues
CAE outlines (Question 15) "the results of management's self-assessment regarding the design adequacy and operating effectiveness of the... internal controls."
Standard 1300: Quality Assurance and Improvement Program
The interpretation for this standard explains that "a quality assurance and improvement program is designed to enable an evaluation of the internal audit activity's conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics.... And assesses the efficiency and effectiveness of the internal audit activity--op