CIA Exam Part 1 - Practice Exam
A chief audit executive (CAE) of a small department with two auditors wants to have an
external quality assurance review performed to ensure conformance with the
International Professional Practices Framework as part of a quality assurance and
improvement program. The department does not have any resources to fund the review,
nor is it likely that it would be able to obtain such funds. What should the CAE do?
A) Request that the company's top external auditor perform the review.
B) Document the limitation of funds and the likely consequences of not performing such
a review.
C) Have a quality assurance function within the company perform the review.
D) Perform an internal assessment that is validated by an independent internal auditor. -
ANS-D) Perform an internal assessment that is validated by an independent internal
auditor.
- Performing an internal assessment that is validated by an independent internal auditor
requires fewer resources and enables the department to comply.
A chief audit executive (CAE) suspects that several employees have used desktop
computers for personal gain. In conducting an investigation, the primary reason that the
CAE chooses to engage a forensic information systems auditor rather than using the
organization's information systems auditor is that a forensic auditor would possess
A) superior analytical skills that would facilitate the identification of computer abuse.
B) superior documentation and organizational skills that would facilitate in the
presentation of findings to senior management and the board
C) knowledge of what constitutes evidence acceptable in a court of law.
D) knowledge of the computing system that would enable a more comprehensive
assessment of the computer use and abuse - ANS-C) knowledge of what constitutes
evidence acceptable in a court of law.
- The distinguishing characteristic of forensic auditing is the knowledge needed to testify
as an expert witness in a court of law. Although a forensic auditor may possess the
other attributes listed, the organization's information systems auditor may also possess
these skills or knowledge elements
,A chief audit executive (CAE) would most likely use risk assessment for audit planning
because it provides
A) a list of potential effects on the organization.
B) a list of auditable activities in the organization.
C) the probability that an event or action may affect the organization.
D) a systematic process for assessing and integrating professional judgment about
probable conditions. - ANS-D) a systematic process for assessing and integrating
professional judgment about probable conditions.
- Risk assessment is a systematic process for assessing and integrating professional
judgment about probable conditions that is used for audit planning. A list of potential
effects on the organization might convince the CAE of the need for risk assessment but
is not provided by the process. A list of auditable activities in the organization is used in
the risk assessment process but is not the rationale for using risk assessment. The
probability that an event or action may affect the organization is one definition of risk,
not a rationale for performing a risk assessment.
A consumer appliance manufacturer realizes that a specific part made by a supply chain
partner may be faulty on a popular appliance. It decides that it will provide the
replacement part for free to just those customers who report that the appliance is
malfunctioning in a particular way. Doing just this will keep the organization in full
compliance with the laws and regulations of the countries in which it sells the item, since
this is not a life-threatening situation. This decision can affect corporate social
responsibility (CSR) primarily as it relates to what type of risk?
A) reporting risk
B) compliance risk
C) operational risk
D) supply chain partner risk - ANS-C) operational risk
A mineral extraction organization is subject to heavy government regulation. Which of
the following is primarily an internal audit activity that should provide timely periodic
validation of compliance with applicable laws, regulations, and government or industry
standards?
A) External assessments
B) Internal assessments
C) Compliance monitoring
,D) Balanced scorecard for internal auditing - ANS-B) Internal assessments
- Internal assessments, as part of a quality assurance and improvement program,
should include periodic validations of compliance with applicable laws, regulations, and
government or industry standards. External assessments generally focus on other
things than laws, regulations, and standards, and even if they do address these things,
they would not be timely, since they are done only every five years or so. Compliance
monitoring is usually conducted by compliance officers outside of internal auditing.
A quality assurance and improvement program (QAIP) rating of "Generally conforms" is
one of the results possible from the ___________________ rating scale.
A) DIIR (IIA-Germany) Guideline for Conducting a Quality Assessment
B) IIA's Assessment
C) IIA's Capability Model for the Public Sector
D) IIA's Quality Assessment Manual - ANS-D) IIA's Quality Assessment Manual
- A QAIP should include a rating scale to assess the level of conformance of the internal
audit activity with the Standards. Different options are available when deciding which
assessment scale better suits particular needs. An example is the scale in The IIA's
Quality Assessment Manual.
A quality assurance and improvement program (QAIP) requires ongoing and periodic
assessments of the entire spectrum of audit and consulting work performed by the
internal audit activity. These assessments are validations of ________ the Definition of
Internal Auditing, the Code of Ethics, and the Standards.
A) compliance with
B) adherence to
C) conformance with
D) observance of - ANS-C) conformance with
A realistic outcome of a privacy framework evaluation is
A) assurance of compliance with specific laws and/or standards.
B) prioritization of enterprise-level privacy initiatives.
C) assessment of organizational privacy business strategies.
D) customer acceptance of privacy policies. - ANS-A) assurance of compliance with
specific laws and/or standards.
, - In conducting an evaluation of the privacy framework, Practice Advisory 2130.A1-2
recommends that the internal auditor consider the "laws, regulations, and policies
relating to privacy in the jurisdictions where the organization operates."
A receiving department receives copies of purchase orders for use in identifying and
recording inventory receipts. The purchase orders list the name of the vendor and the
quantities of the materials ordered. A possible error that this system could allow is
A) payment to unauthorized vendors
B) payment to unauthorized purchases
C) delay in recording purchases
D) overpayment for partial deliveries - ANS-D) overpayment for partial deliveries
- The risk of telling the receiving department the quantities ordered is that the receiving
department may fail to make an accurate count of the materials received. The receiving
department needs to know quantities, but the receiving clerk counting materials
received does not.
A records management system is an example of what type of control?
A) Preventive
B) Corrective
C) Directive
D) Detective - ANS-A) Preventive
According to COSO, what should be done during the Fraud Control Activity stage of a
comprehensive fraud risk management process?
A) Preplan investigation and corrective action processes.
B) Gather information from external regulatory bodies.
C) Identify potential fraud events or scenarios.
D) Develop training and communication designed to stop fraud from occurring. - ANS-D)
Develop training and communication designed to stop fraud from occurring.
- Prevention controls such as training and communication designed to stop fraud from
occurring are developed during the Fraud Control Activity stage of the fraud risk
management process. Gathering information from external regulatory bodies and
identifying potential fraud events or scenarios takes place during the Fraud Risk
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller modockochieng06. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $7.99. You're not tied to anything after your purchase.