IIA-ACCA Exam Dumps - ACCA CIA Challenge Exam

To enable Triple Bottom Line reporting capability.

To facilitate the conduct of risk assessment.

To achieve and maintain sustainable development.

To fulfill regulatory and compliance requirements.

An internal auditor should express an opinion only when consensus with top management has been achieved.

An internal auditor's opinion should be based on experience and free of all bias.

An internal auditor's opinion should be based on factual evidence.

An internal auditor's opinion should be limited to the effectiveness of internal controls.

Vendor invoice payment requests are accompanied by a purchase order and receiving report.

Purchase orders are typed by the purchasing department using prenumbered forms.

Buyers promptly update the official vendor listing as new supplier sources become known.

Department managers initiate purchase requests that must be approved by the plant superintendent.

When an internal auditor releases required information to a regulator, resulting in a significant loss through fines and penalties for the organization, he fails to add value.

When an internal auditor limits the scope of the audit engagement after learning that management is hiding relevant information, he demonstrates integrity.

When an internal auditor disagrees with the treatment received by workers in the organization's foreign subsidiary and alters the audit program to highlight the issue, he fails to demonstrate objectivity.

When an internal auditor continues with an audit engagement, despite the audit client's claims that the work performed is unnecessary and redundant he fails to demonstrate competency.

Risks are discussed with audit client.

All available information from the risk-based plan is used.

Client efforts to affect risk management are considered.

Prior risk assessments are considered.

The number, experience, and availability of audit staff as well as the nature, complexity, and time constraints of the engagement.

The appropriateness and sufficiency of resources and the ability to coordinate with external auditors.

The number, proficiency, experience, and availability of audit staff as well as the ability to coordinate with external auditors.

The appropriateness and sufficiency of resources as well as the nature, complexity, and time constraints of the engagement.

Allow the audit manager to hire the contractor and state that the individual is free to perform IT audits, including security.

Not allow the audit manager to hire the contractor, as it would be a conflict of interest.

Allow the audit manager to hire the contractor, but state that the individual is not allowed to work on IT security audits for one year.

Not allow the audit manager to hire the contractor and ask the individual to apply again in one year.

She may participate, but only after she has completed one year with the IAA.

She may participate, because she did not previously work in the Human Resources Department.

She may participate, but she must be supervised by the auditor in charge.

She may participate for training purposes, to build her knowledge of the IAA.

Appoint the CAE as a member of the board.

Move the CAE's functional reporting to an executive who is not on the board.

Obtain full board approval of the internal audit activity's annual audit plan.

Move the CAE's functional reporting to the audit committee.

1 and 2.

1 and 3.

2 and 3.

3 and 4.

1 and 3.

1 and 4.

2 and 3.

2 and 4.

The need and availability of automated support.

The potential impact of key risks.

The expected outcomes and deliverables.

The operational and geographic boundaries.

It is best to determine planning activities on a case-by-case basis because they can vary widely from engagement to engagement.

If the engagement subject matter is not unique, it is not necessary to outline specific testing procedures during the planning phase.

The engagement plan includes the expected distribution of the audit results, which should be kept confidential until the audit report is final.

Engagement planning activities include setting engagement objectives that align with audit client's business objectives.

They assist in the implementation of recommendations.

They provide support for communication to third parties.

They demonstrate compliance with auditing standards.

They contribute to development of the internal audit staff.

Align organizational activities to internal audit activities and measure according to the approved IAA performance measures.

Establish a periodic review of monitoring and reporting processes to help ensure relevant IAA reporting.

Use the results of IAA engagement and advisory reporting to guide current and future internal audit activities.

Establish a format and frequency for IAA reporting that is appropriate and aligns with the organization's governance structure.

1 and 2 only

1 and 4 only

2 and 3 only

3 and 4 only

Customers, innovation, growth, and internal processes.

Business objectives, critical success factors, innovation, and growth.

Customers, support, critical success factors, and learning.

Financial measures, learning and growth, customers, and internal processes.

Having no active role or involvement in the risk management process.

Auditing the risk management process for reasonableness.

Coordinating and managing the risk management process.

Participating with management in identifying and evaluating risks.

1 and 2

1 and 3 only

2 and 4

1, 3, and 4

1 only

4 only

1 and 3

2 and 4

When planning assurance and consulting engagements, internal auditors must consider the strategies and objectives of the activity being reviewed.

Internal auditors determine the engagement objectives, scope, and work program for both assurance and consulting services.

Internal auditors must not provide assurance or consulting services for an activity for which they had responsibility within the previous year.

Both assurance and consulting services generally involve the internal auditor, the area under review, senior management, and the board.

Determine the organization's overall risk appetite.

Establish a governance committee.

Delegate authority to members of senior management.

Identify key stakeholders and their expectations.

Due professional care.

Individual independence.

Individual objectivity.

Organizational independence.

1 and 2 only

1 and 3 only

2 and 3 only

1, 2, and 3

Strategic plans reflect the organization's business objectives and overall attitude toward risk.

Strategic plans are helpful to identify major areas of activity, which may direct the allocation of internal audit activity resources.

Strategic plans are likely to show areas of weak financial controls.

The strategic plan is a relatively stable document on which to base audit planning.

Independently evaluating conflicts of interests.

Assessing contracts for relevant terms and conditions.

Performing statistical analysis for data anomalies.

Preparing evidentiary documentation.

Observe corrective measures.

Seek a management assurance declaration.

Follow up during the next scheduled audit.

Conduct appropriate testing to verify management responses.

Automatic shut-off valve.

Auto-correct software functionality.

Confirmation with suppliers and vendors.

Safety instructions.

1 and 3

1 and 4

2 and 3

2 and 4

To assess the efficiency and effectiveness of the accounting department.

To evaluate organizational and departmental structures, including assessments of process flows related to financial matters.

To provide a review of routine financial reports, including analyses of selected accounts for compliance with generally accepted accounting principles.

To provide an analysis of business process controls in the accounting department, including tests of compliance with internal policies and procedures.

1 and 2

2 and 4

1, 2, and 3

2, 3, and 4

The auditor must not perform the training, because any task to improve the business process could impact audit independence.

The auditor must create a new, separate consulting engagement with the business process owner prior to performing the improvement task.

The auditor should get permission to extend the current engagement, and with the process owner's approval, perform the improvement task.

The auditor may proceed with the improvement task without obtaining formal approval, because the task is voluntary and not time-intensive.

Operational management, because they are responsible for the day-to-day management of the operational risks.

The CRO, because he is responsible for coordinating and project managing risk activities based on his specialized skills and knowledge.

The chief audit executive, although he is not accountable for risk management in the organization.

The CEO, because he has ultimate responsibility for ensuring that risks are managed within the agreed tolerance limits set by the board.

Delegate final approval of the risk-based internal audit plan to the chief audit executive (CAE).

Approve the annual budget and resource plan for the internal audit activity.

Assist the CAE with hiring objective and competent internal audit staff.

Encourage the CAE to communicate and coordinate with the external auditor.

The amount of risk that an organization is willing to seek or accept.

The extent and degree of interdependency for identified key risks.

The boundaries established to manage the amount of risk taken.

The exposure to risks following management's risk responses.

The practice of surprise audits and the implementation of an employee support program.

Hiring an employee with a prior fraud conviction and yearly management review.

Occasional accounting department overrides and discontinuation of the anonymous fraud hotline due to infrequent use.

A veteran employee in upper management experiencing financial difficulties and recently implemented enhanced controls.

3 only

1 and 2 only

2 and 3 only

1, 2, and 3

The internal audit risk assessment and audit plan for the next fiscal year.

The internal audit budget and resource plan for the coming fiscal year.

A request for an increase of the CAE's salary for the next fiscal year.

The evaluation and compensation of the internal audit team.

Improper segregation of duties.

Incentives and bonus programs.

An employee's reported concerns.

Lack of an ethics policy.

Maintaining custody of inventory records.

Collecting payments on accounts.

Approving changes to employee records.

Preparing customer statements.

Hedging against exchange rate variations.

Limiting access to an organization's data center.

Selling a nonstrategic business unit.

Outsourcing a high-risk activity.

Requiring employees to attend ethics training.

Performing background checks on employees.

Implementing a control self-assessment.

Performing a surprise audit.

Planning an engagement of the area in which fraud is suspected.

Employing audit tests to detect fraud.

Interrogating a suspected fraudster.

Completing a process review to improve controls to prevent fraud.

The chief audit executive (CAE) reports functionally to the board and administratively to the chief financial officer.

The board seeks senior management's recommendation before approving the annual salary adjustment of the CAE.

The CAE confirms to the board, at least once every five years, the organizational independence of the internal audit activity.

The CAE updates the internal audit charter and presents it to the board for approval periodically, not on a specific timeline.

Consumers.

Activists.

Suppliers.

Investors.

Has the longest duration in time.

Costs the most money.

Requires the largest amount of labor

Is deemed most important to the project.

Invest in marketing.

Invest in research and development.

Control costs.

Shift toward mass production.

Internal strengths and weaknesses.

Break-even points.

External trends and events.

Internal risk factors.

Each nation's total imports approximately equal its total exports.

Each good is produced by the nation that has the lowest opportunity cost for that good.

Goods that contribute to a nation's balance-of-payments deficit are no longer imported.

International trade is unrestricted and tariffs are not imposed.

Relatively fast market entry.

Improved cash flow of the acquiring organization.

Increased diversity of corporate culture.

Opportunity to influence local government policy.

Forming stage.

Performing stage.

Norming stage.

Storming stage.

Database management systems handle data manipulation inside the tables, rather than it being done by the operating system itself in files.

The database management system acts as a layer between the application software and the operating system.

Applications pass on the instructions for data manipulation which are then executed by the database management system.

The data within the database management system can only be manipulated directly by the database management system administrator.

Giving assurance that risks are evaluated correctly.

Developing the risk management strategy for the board's approval.

Facilitating the identification and evaluation of risks.

Coaching management in responding to risk.

Chain.

All-channel.

Circle.

Wheel.

Conform with all other parts of The IIA's Standards and provide appropriate disclosures.

Conform with all other parts of The IIA's Standards; there is no need to provide appropriate disclosures.

Continue the engagement without conforming with the other parts of The IIA's Standards.

Withdraw from the engagement.

Lost sales, lost customers, and backorder.

Lost sales, safety stock, and backorder.

Lost customers, safety stock, and backorder.

Lost sales, lost customers, and safety stock.

Increasing complexity over time.

Interface with corporate systems.

Ability to meet user needs.

Hidden data columns or worksheets.

Market price.

Negotiation-based.

Full absorption cost

Variable cost

1 only

2 and 4 only

1, 3, and 4 only

1, 2, 3, and 4

Review the list of people with access badges to the room containing the workstation and a log of those who accessed the room.

Review the password length, frequency of change, and list of users for the workstation's login process.

Review the list of people who attempted to access the workstation and failed, as well as error messages.

Review the passwords of those who attempted unsuccessfully to access the workstation and the log of their activity.

Zone that separates an organization's servers from outside forces.

Area in which messages are scrutinized to determine if they are authorized.

Area where communication and transactions occur between trusted parties.

Zone where data is encrypted, users are authenticated, and user traffic is filtered.

Risk acceptance.

Risk sharing.

Risk avoidance.

Risk reduction.

Block unauthorized traffic.

Encrypt data.

Review disaster recovery test results.

Provide independent assessment of IT security.

Electronic funds transfer.

Knowledge-based systems.

Biometrics.

Standardized graphical user interface.

It calculates the overall value of a project

It ignores the time value of money

It calculates the time a project takes to break even.

It begins at time zero for the project.

The auditor should focus on the audit client as a person and understand him, rather than just concentrating on the problem.

The auditor should make recommendations based on objective criteria, rather than based on a subjective assessment.

The auditor should explore alternative solutions to address the audit problem, so the audit client has options.

The auditor should take a flexible position on the recommendations and focus on resolving the issue by addressing the interests of the people concerned.

Formulas and static data are locked or protected.

The spreadsheet is stored on a network server that is backed up daily.

The purpose and use of the spreadsheet are documented.

Check-in and check-out software is used to control versions.

Limit the use of the employee devices for personal use to mitigate the risk of exposure to organizational data.

Ensure that relevant access to key applications is strictly controlled through an approval and review process

Institute detection and authentication controls for all devices used for network connectivity and data storage

Use management software to scan and then prompt patch reminders when devices connect to the network

Input controls.

Output controls

Processing controls

Integrity controls

Marketing.

Finance.

Production.

Diversification.

Evaluate the proposed external auditor fee.

Recommend criteria to be used in the selection process.

Develop appropriate performance metrics.

Monitor the work of the external auditors.

Management will be able to reduce inherent risk because they will have a better understanding of risk.

Internal auditors will be able to reduce their sample sizes because controls will be more consistent.

Stakeholders will have more assurance that the risks are assessed consistently.

Decision makers will understand that the likelihood of missing or ineffective controls will be reduced.

Informal, soft controls are omitted, and greater focus is placed on hard controls.

The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

Internal auditors become involved in and knowledgeable about the self-assessment process.

Nonaudit employees become experienced in assessing controls and associating control processes with managing risks.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Require the approval of additions and changes to the vendor master listing, where the inherent risk of false vendors is high.

Monitor amounts paid each period and compare them to the budget to identify potential issues.

Compare employee addresses to vendor addresses to identify potential employee fraud.

Monitor customer quality complaints compared to the prior period to identify vendor issues.

Report follow-up activities to senior management.

Implement follow-up procedures to evaluate residual risk.

Determine the costs of implementing the recommendations.

Evaluate the extent of improvements.

Recommend additional segregation-of-duty reviews.

Recommend appropriate awareness training for all finance department staff.

Recommend rotating finance staff in this area.

Recommend that management address these concerns immediately.

Disclose the information in a separate report.

Distribute the information in a confidential report to the board only

Distribute the reports through the use of blind copies.

Exclude the results from the report and verbally report the conditions to senior management and the board.

The matter does not need to be reported, because the noncompliant findings fall within the acceptable tolerance limit.

The deviations are within the acceptable tolerance limit, so the matter only needs to be reported to the information security manager.

The incidents of noncompliance fall outside the acceptable tolerance limit and require immediate corrective action, as opposed to reporting.

The incidents of noncompliance exceed the tolerance level and should be included in the final engagement report.

Assert whether the described and reported control processes and systems exist.

Assess whether senior management adequately supports and promotes the internal control culture described in the report.

Evaluate the completeness of the report and management's responses to identified deficiencies.

Determine whether management's operating style and the philosophy described in the report reflect the effective functioning of internal controls.

Express an opinion on the participants' inputs and conclusions as the assessment progresses.

Provide appropriate techniques and guidelines on how the exercise should be undertaken.

Evaluate and report on all issues that may be uncovered during the exercise.

Screen and vet participants so that the most appropriate candidates are selected to participate in the exercise.

Suspension of user IDs after a user's repeated attempts to sign on with an invalid password.

Encryption of passwords prior to their transmission or storage.

Forced change of passwords after a designated number of days.

Automatic logoff of inactive users after a specified time period of inactivity.

Access is approved by the supervising manager.

User accounts specify expiration dates and are based on services provided.

Administrator access is provided for a limited period.

User accounts are deleted when the work is completed.

A budget.

A risk assessment.

The board of directors.

The control environment.

Bank statements.

Customer confirmation letters.

Copies of sales invoices.

Copies of deposit slips.

Develop and test the organization's disaster recovery plan.

Install and test fire detection and suppression equipment.

Restrict access to tangible IT resources.

Ensure that at least one developer has access to both systems and operations.

The underlying causes of the risk.

The impact of the risk on the organization's objectives.

The risk levels of current and future events.

The potential for eliminating risk factors.