Need multiple choice answers by noon November 20th

ACCT 436 SECTION 7980 INTERNAL AUDITING EXAM 1 INSTRUCTOR: MR. STEVEN ULMER INSTRUCTIONS This is an open book exam. You can use any of the week 1-3 materials (readings, lectures, discussion postings). This is not a research paper. Any responses must be in your own words using what you have learned. You cannot do Internet research or reference other sources. You ARE NOT allowed to use discuss the exam with other students. You MUST submit your multiple-choice responses in a separate Excel document with each question number in column A and your letter answer in column B. Do not submit the exam sheet! For the three essays, please submit a Word document. MULTIPLE CHOICE (2 points each) Pick the best answer 1) In which situation does the internal auditor lack objectivity? A) The internal auditor recommends standards of performance for an outsourcing contract B) The internal auditor discusses the status of a system implementation over lunch at a vendor conference C) The internal auditor performs a review of internal controls over the treasury function eight months after being transferred from that department to internal auditing D) The internal auditor reviews audit findings with the CAE prior to issuing the final audit report E) All of the above 2) Internal auditing needs to consider risk in A) B) C) D) E) Developing the annual audit plan Conducting audit engagements Providing assurance to the board on the effectiveness of risk management processes All of the above None of the above 3) Which of the following is not cited in week 3 as a limitation of a system of internal controls? A) Cost/benefits trade-offs in establishing controls B) Management overrides C) Collusion D) The limited size of the internal auditing staffs E) Lack of training in control procedures 4) Which of the following about outsourcing is not true? A) The organization should consider the risk of performing the function internally and compare it to the risk of outsourcing B) According to COSO ERM the risk can be assumed by the service provider C) The level of risk increases when key business operations are outsourced D) Managing the relationship is more difficult because the service provider may limit the client's ability to observe and assess controls E) All of the above are true ACCT 436 SECTION 7980 INTERNAL AUDITING EXAM 1 INSTRUCTOR: MR. STEVEN ULMER 5) Which of the following is false? A) An auditor who lacks business knowledge can still produce some good audit findings B) Auditors can build relationships with the business without violating the principle of objectivity C) Auditors who lack business knowledge will have a more difficult time establishing credibility D) Internal auditing typically knows more about the function being audited than the audit client E) All of the above are false 6) Which of the following is not part of the definition of internal auditing? A) B) C) D) E) Risk management Governance Consulting Implement internal controls Add value 7) Which of the following is a change to the updated COSO Internal Control Framework from the 1992 version? A) The definition of internal controls B) The three categories of control objectives C) The 17 principles D) The five integrated components E) The importance of management judgment 8) In the Three Lines of Defense Model, the primary responsibility for maintaining effective internal controls belongs to: A) B) C) D) E) Operational management The CEO Internal auditing The risk management function The audit committee 9) According to the IPPF, an internal auditor assigned to an audit engagement: A) B) C) D) E) Must be an expert in the area being audited Is responsible for detecting fraud Cannot have a relative working anywhere in the company Must be a Certified Internal Auditor Must be proficient and exercise due professional care 10) Which of the following is true about ERM? A) COSO ERM Framework is part of the COSO Internal Controls Framework B) An effective ERM process will not guarantee the enterprise will achieve its business objectives C) The COSO ERM Framework is the only approved ERM framework in the U.S. D) More than 50% of all corporations have fully implemented ERM E) None of the above is true ACCT 436 SECTION 7980 INTERNAL AUDITING EXAM 1 INSTRUCTOR: MR. STEVEN ULMER 11) Which of the following components of the IPPF is not considered to be mandatory? A) The Code of Ethics B) Definition of Internal Auditing C) Implementation Guidance D) Mission of Internal Auditing E) Standards 12) Which of the following is not a legitimate role for internal auditing in cloud computing? A) Reviewing personnel transition and end-user training plans B) Providing assurance on IT general controls C) Reviewing service level agreements D) Ongoing monitoring of vendor performance E) Implementing the cloud computing strategy 13) In the Three Lines of Defense Model, the CEO is part of the A) 1st Line B) 2nd Line C) 3rd Line D) All lines E) None of the above 14) Which of the following is not a category of objectives of internal control per the COSO Internal Control Framework? A) Reliability of financial reporting B) Effectiveness and efficiency of operations C) Compliance with laws and regulations D) Achievement of strategic objectives E) All of the above are categories of objectives of internal control 15) The internal audit activity's role in the risk management process of an organization may not encompass: A) Auditing the risk management process as part of the internal audit plan. B) Facilitating identification of risks C) Accountability for risk management D) Participation on oversight committees, monitoring activities, and status reporting. E) None of the above ACCT 436 SECTION 7980 INTERNAL AUDITING EXAM 1 INSTRUCTOR: MR. STEVEN ULMER 16) Which area can risk management and internal auditing not collaborate? A) B) C) D) E) Sharing available resources Being jointly accountable for risk management Assessing and monitoring risks Sharing work products Cross-leveraging expertise 17) Without effective general computing controls, reliance on IT systems may not be possible? A) True B) False 18) Which of the following best describes internal auditing's primary purpose in reviewing the organization's existing governance, risk management and controls processes? A) To ensure all weaknesses in the internal control system are corrected B) To develop the audit plan C) To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met D) To offer an opinion as to whether the financial statements are fairly stated E) To comply with the IPPF Code of Ethics 19) Which of the following is true about internal vs. external auditing? A) External auditors cannot rely on any of the work done by internal auditing B) Both have the same definition of the term \"independence.\" C) Internal auditing reports to the external auditors D) Internal auditing is more focused on financial reporting than external auditing E) Many of the tool and techniques in auditing are common to both internal and external auditing 20) Which of the following is true about GRC? A) B) C) D) E) It should be implemented as a technology solution Internal auditing has primary responsibility for ensuring the organization has implemented GRC Each component of GRC must be at the same level of maturity Integrating GRC is a gradual process All of the above are true 21) Based on the IPPF Standards which of the following does internal auditing not have responsibility for in the area of governance? A) Assessing how will the organization promotes ethical values B) Assessing information technology governance C) Being a key sponsor of GRC D) Making recommendations to ensure effective organizational performance management E) All of the above are responsibilities of internal auditing ACCT 436 SECTION 7980 INTERNAL AUDITING EXAM 1 INSTRUCTOR: MR. STEVEN ULMER 22) Which of the following is true about the IPPF? A) B) C) D) E) Interpretations are not considered to be mandatory guidance The Code of Ethics is part of the Standards Independence as defined in the IPPF is a concept dealing with an unbiased mental attitude By law in the U.S. internal auditing departments must comply with all the IIA Standards None of the above items are true 23) Differences in internal reporting structures with the third-party outsourcer is an example of what type of risk? A) Key processes B) Security and confidentiality C) Strategy D) Reputational E) Organizational 24) The time it takes a risk event to manifest itself is an example of what assessment criteria? A) Velocity B) Impact C) Likelihood D) Vulnerability E) Uncertainty 25) Which of the following about how internal auditing adds value is not true? A) How internal auditing can best add value changes over time B) What is considered value add in one organization may not be considered value add in another organization C) Internal auditing is limited by resources, staff size and expertise in where and how they can add value D) For any organization consulting is considered to be higher value add than assurance services E) Different levels in the organization have different opinions as to how internal auditing can best add value ACCT 436 SECTION 7980 INTERNAL AUDITING EXAM 1 INSTRUCTOR: MR. STEVEN ULMER 26) Essay 1 (25 points) You can do either A) or B) A) Recently, several states have outsourced some of the services traditionally provided by government employees. In one state, the Department of Health and Human Services (Department) is close to finalizing an agreement to outsource its electronic benefit transfer services to eFunds Inc. Under the contract, eFunds Inc. will be responsible for the electronic distribution of food stamp programs, including transaction processing, reporting, contract management, contract settlement, operations support, help desk services, and project management. For cost reasons, eFunds Inc. will send the work to five offshore service centers it owns in India and can also contract with other companies as necessary. a) Describe the four most significant risks this offshore outsourcing arrangement introduces to the state's Department of Health and Human Services. I want risks specific to the facts of this case. b) What are the key controls you would recommend to mitigate the risks cited in part a. c) What role should the Department's internal audit function take to assist the Department in dealing with these risk and control issues before and after the contract is finalized? Be specific. Let's assume it will not be practical to send internal auditors to India. B) You are the technology auditor for a medium size online retailer. With the growth, it has been very difficult for the Information Technology (IT) group to keep up with the hardware requirements and new software for all the various smartphone applications. Although there would be reduction of most of the IT staff the CIO has done a complete analysis of moving to a Cloud Computing solution with Amazon Web Services. With this change, all IT functions for the primary application of customer order processing and fulfillment would be handled through Amazon. The reduction in ongoing costs would be almost fifty percent along with major capital expenditures for upgrades if they were to keep processing in-house. Much of the in-house technology is outdated from a web application and regulatory standpoint. Amazon Web Services is the largest provider of integrated Cloud Computing Services and offers a complete set of infrastructure and application services. Many organizations have lowered costs, including your competitors allowing them to lower costs and gain market share. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale as the business grows. You have been asked by senior management to assist with the Amazon project and the evaluation of the controls. a. Describe the five most significant areas of controls concern that you would like to express to the senior management in the transition to Amazon? Make sure your control concerns are consistent with the facts of the case. b. How would you propose the organization get comfortable with the controls at Amazon prior to signing the contract? Be specific. ACCT 436 SECTION 7980 INTERNAL AUDITING EXAM 1 INSTRUCTOR: MR. STEVEN ULMER 27) Essay 2 (15 points) a) What does \"limitations of internal control\" mean? Provide two of your own examples. b) Discuss how regulations help to improve governance. Explain how some regulations may have unintended consequences regarding governance. 28) Essay 3 (10 points) Richard Feynman is one of the most brilliant physicists of all time. He was a member of the commission investigating the Challenger space shuttle disaster. What are three lessons for internal auditors regarding management of risk that you can learn from reading his appendix to the main report? http://history.nasa.gov/rogersrep/v2appf.htm. Be specific. I want lessons that can be applied more broadly than just the space shuttle project. Do not copy from any of the week 2 discussion postings