Practice Questions and Answers
Domain 1: Government Auditing Standards (GAGAS) & IIA Standards
Q1. An auditor is planning a performance audit of a NYC social services agency.
According to Government Auditing Standards (GAGAS), which of the following must
be documented in the audit plan regarding the assessment of fraud risk?
A) The exact dollar amount of fraud expected to be found based on historical data.
B) The auditor's assessment of the risk of material misstatement due to fraud and
the specific audit responses designed to address that risk.
C) The names of all employees who have been accused of fraud in the past five
years.
D) The specific data analytics software used to detect anomalies in the payroll
system.
Answer: B
Rationale: GAGAS requires auditors to assess the risk of fraud and design the audit
to provide reasonable assurance of detecting material misstatements resulting from
fraud. The audit plan must document this risk assessment and the auditor's
response to it.
Q2. A management auditor for the NYC Comptroller’s office is assigned to audit a
program where the auditor's spouse is a mid-level manager. Under GAGAS
independence requirements, what is the most appropriate action?
A) The auditor should proceed but disclose the relationship in the audit report.
B) The auditor should recuse themselves from the engagement because the
relationship impairs independence in appearance and fact.
C) The auditor should proceed but restrict their testing to areas not directly
supervised by their spouse.
D) The auditor should obtain written permission from the agency being audited to
proceed.
Answer: B
Rationale: GAGAS strictly prohibits auditors from participating in an audit if they or
their immediate family members have a direct financial interest or a close
managerial relationship with the audited entity that impairs independence.
Page 1 of 99
Q3. During an IT audit of the NYC Department of Education's student database, the
auditor discovers that the agency lacks a formal disaster recovery plan. According to
the IIA Standards, how should the auditor report this finding?
A) As a minor observation, since the database has never experienced downtime.
B) As a significant deficiency or material weakness in internal control, highlighting
the risk to data integrity and availability.
C) Only if the agency's management specifically requests a review of disaster
recovery.
D) As a compliance violation of the NYC Charter.
Answer: B
Rationale: The absence of a disaster recovery plan for a critical database represents
a significant deficiency in IT general controls, posing a high risk to data availability
and integrity, which must be reported according to IIA Standards.
Q4. An auditor is conducting a financial audit of a NYC public benefit corporation.
The agency provides a written representation letter stating that all liabilities have
been recorded. However, subsequent fieldwork reveals a $5 million unrecorded
pension obligation. What is the auditor's primary responsibility regarding the
representation letter?
A) The representation letter absolves the auditor of responsibility for detecting the
unrecorded liability.
B) The auditor must ignore the representation letter since it is internally generated.
C) The representation letter does not relieve the auditor of the responsibility to
obtain sufficient, appropriate audit evidence to detect material misstatements.
D) The auditor must immediately resign from the engagement.
Answer: C
Rationale: Management representation letters are audit evidence but do not replace
the need for the auditor to perform substantive testing and obtain independent,
sufficient, and appropriate audit evidence.
Q5. In a performance audit of NYC's affordable housing initiatives, the auditor needs
to determine the criteria for evaluating program effectiveness. According to GAGAS,
what is the best source for establishing these criteria?
A) The auditor's personal opinion on what constitutes effective housing policy.
B) Statutory requirements, agency strategic plans, and industry best practices.
C) Interviews with a random sample of city residents.
D) The budget allocations approved by the City Council.
Answer: B
Rationale: GAGAS requires that criteria used in performance audits be objective,
understandable, relevant, and measurable. Statutory mandates, agency goals, and
recognized
Domain 2: Internal Controls & The COSO Framework
Q6. The NYC Comptroller’s audit team is evaluating the internal controls of the
Department of Transportation. They find that the same employee who approves
vendor invoices also has the system access to add new vendors to the procurement
database. Which COSO component is primarily compromised?
A) Control Environment
B) Risk Assessment
C) Control Activities (Segregation of Duties)
D) Monitoring Activities
Answer: C
Rationale: The Control Activities component includes segregation of duties.
Allowing one individual to both approve invoices and create vendors creates a
severe conflict of interest and the risk of fictitious vendor fraud.
Q7. During a review of the NYC Health and Hospitals Corporation (HHC), the auditor
notes that the agency has established a whistleblower hotline but has not
communicated its existence to frontline staff. Which of the 17 principles of the
COSO 2013 Internal Control Framework is most directly violated?
A) Principle 1: The organization demonstrates a commitment to integrity and ethical
values.
B) Principle 7: The organization identifies and analyzes risks to the achievement of
objectives.
C) Principle 14: The organization internally communicates information necessary to
support internal control.
D) Principle 16: The organization evaluates and communicates internal control
deficiencies.
Answer: C
Rationale: Principle 14 requires that relevant information is communicated internally
so that staff can fulfill their control responsibilities, including the use of
whistleblower mechanisms to report suspected wrongdoing.
Q8. An auditor is testing the automated controls of the NYC Financial Management
System (FMS). Which of the following represents an application control rather than
an IT general control?
A) Password complexity requirements for user logins.
B) The system automatically calculates interest penalties on late vendor payments
based on the invoice date and payment date.
C) Daily automated backups of the FMS database to an offsite server.
D) Restricting physical access to the server room via biometric scanners.
Answer: B
Rationale: Application controls are specific to the processing of data within a
specific application (e.g., automated calculations, edit checks). Options A, C, and D
are IT General Controls (ITGCs) that apply to the overall IT environment.
Q9. The auditor is assessing the "Control Environment" of a NYC agency. Which of
the following findings would indicate a strong control environment?
A) The agency's organizational structure is highly centralized, with all decisions
made by the Commissioner.