CIA Exam Part 1: Study Unit 3 Questions
& Answers with Rationales
Which of the following statements is not accurate with regard to soft controls?
A. Control self-assessment is not an approach to audit soft controls.
B. Soft controls have become more necessary as technology advances have
empowered employees.
C. The COSO and CoCo models emphasize soft controls.
D. The communication of ethical values and the fostering of mutual trust are soft
controls in the CoCo model. - Answer (A) is correct.
One approach to auditing soft controls is control self-assessment, which is the
involvement of management and staff in the assessment of internal controls within their
work group.
Internal auditors should review the means of physically safeguarding assets from losses
arising from
A. Underusage of physical facilities.
B. Procedures that are not cost justified.
C. Misapplication of accounting principles.
D. Exposure to the elements. - Answer (D) is correct.
The internal audit activity must evaluate risk exposures relating to governance,
operations, and information systems regarding the safeguarding of assets (Impl. Std.
2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire,
improper or illegal activities, and exposure to the elements.
Management considers risk appetite for all of the following reasons except
A. Increasing the net present value of investments.
B. Setting objectives.
C. Developing risk management techniques.
D. Evaluating strategic options. - Answer (A) is correct.
As described in the COSO ERM framework, risk appetite should be considered in
Evaluating strategies,
Setting related objectives, and
Developing risk management methods.
Increasing the net present value of investments is an operational objective. It would be
determined after consideration of the entity's risk appetite and other strategic factors.
A key feature that distinguishes fraud from other types of crime or impropriety is that
fraud always involves the
A. Deceitful wrongdoing of management-level personnel.
B. Unlawful conversion of property that is lawfully in the custody of the perpetrator.
C. Violent or forceful taking of property.
D. False representation or concealment of a material fact. - Answer (D) is correct.
,Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit,
concealment, or violation of trust. These acts are not dependent upon the threat of
violence or physical force."
Which of the following is a true statement about the COSO report on internal control?
A. Control frameworks should be well defined and inflexible.
B. Internal control is not management's responsibility.
C. Internal control is not limited to accounting controls.
D. Internal control is restricted to financial reporting. - Answer (C) is correct.
The Internal Control -- Integrated Framework, also known as COSO Framework, report
by COSO made the following declarations:
Internal control is defined broadly. It is not limited to accounting controls or financial
reporting.
While accounting and financial reports are important issues, there are other important
aspects of the business, such as resources protection; operational efficiency and
effectiveness; and compliance with rules, regulations, and organization policies. These
factors affect financial reporting.
Internal control is management's responsibility. The participation of all persons within an
organization is required if it is to be effective.
The control framework is tied to the business objectives and is flexible enough to be
adaptable.
The COSO model for internal control lists five specific areas encompassed by the
control environment component. Which of the following are elements of the control
environment?
A. Integrity and ethical values.
B. Organizational structure.
C. All of the answers are correct.
D. Assignment of authority and responsibility. - Answer (C) is correct.
The five principles that relate to the control environment are
The organization demonstrates a commitment to integrity and ethical values;
The board demonstrates independence from management and exercises oversight for
internal control;
Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities;
The organization demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives; and
The organization holds individuals accountable for their internal control responsibilities
in pursuit of objectives.
Which of the following members of an organization has ultimate ownership responsibility
of the enterprise risk management, provides leadership and direction to senior
managers, and monitors the entity's overall risk activities in relation to its risk appetite?
A. Chief financial officer.
B. Chief executive officer.
C. Chief risk officer.
,D. Internal auditors. - Answer (B) is correct.
The chief executive officer (CEO) sets the tone at the top of the organization and has
ultimate responsibility for ownership of the ERM. The CEO will influence the
composition and conduct of the board, provide leadership and direction to senior
managers, and monitor the entity's overall risk activities in relation to its risk appetite. If
any problems arise with the organization's risk appetite, the CEO will also take any
measures to adjust the alignment to better suit the organization.
The internal auditors' responsibility regarding fraud includes all of the following except
A. Ensuring that fraud will not occur.
B. Being aware of activities in which fraud is likely to occur.
C. Evaluating the effectiveness of control activities.
D. Determining whether the control environment sets the appropriate tone at top. -
Answer (A) is correct.
Control is the principal means of preventing fraud, and management is responsible for
establishing and maintaining internal control. Thus, internal auditors cannot give
absolute assurance that noncompliance or fraud does not exist.
Fact Pattern: An international nonprofit organization finances medical research. The
majority of its revenue and support comes from fundraising activities, investments, and
specific grants from an initial sponsoring corporation. The organization has been in
operation over 15 years and has a small internal audit department. The organization
has just finished a major fundraising drive that raised US $500 million for the current
fiscal period.
The following are selected data from recent financial statements (US dollar figures in
millions):
Current Year (1)
Past Year (2)
Revenue
US $500 (1)
US $425 (2)
Investments (average balances)
210 (1)
185 (2)
Medical research grants made
418 (1)
325 (2)
Investment income
16 (1)
20 (2)
Administrative expense
, 10 (1)
6 (2)
Auditors must always be alert for the possibility of fraud. Assume the controls over each
risk listed below are marginal. Which of the following possible frauds or misuses of
organization assets should be considered the area of greatest risk?
A. The payroll clerk has added ghost employees.
B. Purchases of supplies are made from fictitious vendors.
C. Grants are made to organizations that might be associated with the president or are
not for purposes dictated in the organization's charter.
D. The president is using company travel and entertainment funds for activities that
might be considered questionable. - Answer (C) is correct.
Grants represent 83.6% (US $418 ÷ $500) of current revenue. Consequently, fraudulent
grants constitute a much greater risk exposure than any of the other items listed.
Limitations of enterprise risk management (ERM) may arise from
A. Faulty human judgment.
B. Collusion.
C. Cost-benefit considerations.
D. All of the answers are correct. - Answer (D) is correct.
The limitations of ERM are the same as those for control in general. They arise from the
possibility of (1) faulty human judgment, (2) cost-benefit considerations, (3) simple
errors or mistakes, (4) collusion, and (5) management override.
Internal auditors have been advised to consider red flags to determine whether
management is involved in a fraud. Which of the following does not represent a difficulty
in using the red flags as fraud indicators?
A. Red flag information is not gathered as a normal part of an engagement.
B. Many common red flags are also associated with situations in which no fraud exists.
C. The red flags literature is not well enough established to have a positive impact on
internal auditing.
D. Some red flags are difficult to quantify or to evaluate. - Answer (C) is correct.
The state of red flags literature is an aid, not a difficulty, in internal auditing. It is well
established and will be refined in the future as research is done.
An unexpected decrease in which of the following ratios could indicate that fictitious
inventory has been recorded?
A. Price-earnings.
B. Current.
C. Total asset turnover.
D. Average collection period. - Answer (C) is correct.
The total asset turnover ratio equals sales divided by total assets. An increase in
reported inventory will increase total assets and decrease the ratio.
& Answers with Rationales
Which of the following statements is not accurate with regard to soft controls?
A. Control self-assessment is not an approach to audit soft controls.
B. Soft controls have become more necessary as technology advances have
empowered employees.
C. The COSO and CoCo models emphasize soft controls.
D. The communication of ethical values and the fostering of mutual trust are soft
controls in the CoCo model. - Answer (A) is correct.
One approach to auditing soft controls is control self-assessment, which is the
involvement of management and staff in the assessment of internal controls within their
work group.
Internal auditors should review the means of physically safeguarding assets from losses
arising from
A. Underusage of physical facilities.
B. Procedures that are not cost justified.
C. Misapplication of accounting principles.
D. Exposure to the elements. - Answer (D) is correct.
The internal audit activity must evaluate risk exposures relating to governance,
operations, and information systems regarding the safeguarding of assets (Impl. Std.
2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire,
improper or illegal activities, and exposure to the elements.
Management considers risk appetite for all of the following reasons except
A. Increasing the net present value of investments.
B. Setting objectives.
C. Developing risk management techniques.
D. Evaluating strategic options. - Answer (A) is correct.
As described in the COSO ERM framework, risk appetite should be considered in
Evaluating strategies,
Setting related objectives, and
Developing risk management methods.
Increasing the net present value of investments is an operational objective. It would be
determined after consideration of the entity's risk appetite and other strategic factors.
A key feature that distinguishes fraud from other types of crime or impropriety is that
fraud always involves the
A. Deceitful wrongdoing of management-level personnel.
B. Unlawful conversion of property that is lawfully in the custody of the perpetrator.
C. Violent or forceful taking of property.
D. False representation or concealment of a material fact. - Answer (D) is correct.
,Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit,
concealment, or violation of trust. These acts are not dependent upon the threat of
violence or physical force."
Which of the following is a true statement about the COSO report on internal control?
A. Control frameworks should be well defined and inflexible.
B. Internal control is not management's responsibility.
C. Internal control is not limited to accounting controls.
D. Internal control is restricted to financial reporting. - Answer (C) is correct.
The Internal Control -- Integrated Framework, also known as COSO Framework, report
by COSO made the following declarations:
Internal control is defined broadly. It is not limited to accounting controls or financial
reporting.
While accounting and financial reports are important issues, there are other important
aspects of the business, such as resources protection; operational efficiency and
effectiveness; and compliance with rules, regulations, and organization policies. These
factors affect financial reporting.
Internal control is management's responsibility. The participation of all persons within an
organization is required if it is to be effective.
The control framework is tied to the business objectives and is flexible enough to be
adaptable.
The COSO model for internal control lists five specific areas encompassed by the
control environment component. Which of the following are elements of the control
environment?
A. Integrity and ethical values.
B. Organizational structure.
C. All of the answers are correct.
D. Assignment of authority and responsibility. - Answer (C) is correct.
The five principles that relate to the control environment are
The organization demonstrates a commitment to integrity and ethical values;
The board demonstrates independence from management and exercises oversight for
internal control;
Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities;
The organization demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives; and
The organization holds individuals accountable for their internal control responsibilities
in pursuit of objectives.
Which of the following members of an organization has ultimate ownership responsibility
of the enterprise risk management, provides leadership and direction to senior
managers, and monitors the entity's overall risk activities in relation to its risk appetite?
A. Chief financial officer.
B. Chief executive officer.
C. Chief risk officer.
,D. Internal auditors. - Answer (B) is correct.
The chief executive officer (CEO) sets the tone at the top of the organization and has
ultimate responsibility for ownership of the ERM. The CEO will influence the
composition and conduct of the board, provide leadership and direction to senior
managers, and monitor the entity's overall risk activities in relation to its risk appetite. If
any problems arise with the organization's risk appetite, the CEO will also take any
measures to adjust the alignment to better suit the organization.
The internal auditors' responsibility regarding fraud includes all of the following except
A. Ensuring that fraud will not occur.
B. Being aware of activities in which fraud is likely to occur.
C. Evaluating the effectiveness of control activities.
D. Determining whether the control environment sets the appropriate tone at top. -
Answer (A) is correct.
Control is the principal means of preventing fraud, and management is responsible for
establishing and maintaining internal control. Thus, internal auditors cannot give
absolute assurance that noncompliance or fraud does not exist.
Fact Pattern: An international nonprofit organization finances medical research. The
majority of its revenue and support comes from fundraising activities, investments, and
specific grants from an initial sponsoring corporation. The organization has been in
operation over 15 years and has a small internal audit department. The organization
has just finished a major fundraising drive that raised US $500 million for the current
fiscal period.
The following are selected data from recent financial statements (US dollar figures in
millions):
Current Year (1)
Past Year (2)
Revenue
US $500 (1)
US $425 (2)
Investments (average balances)
210 (1)
185 (2)
Medical research grants made
418 (1)
325 (2)
Investment income
16 (1)
20 (2)
Administrative expense
, 10 (1)
6 (2)
Auditors must always be alert for the possibility of fraud. Assume the controls over each
risk listed below are marginal. Which of the following possible frauds or misuses of
organization assets should be considered the area of greatest risk?
A. The payroll clerk has added ghost employees.
B. Purchases of supplies are made from fictitious vendors.
C. Grants are made to organizations that might be associated with the president or are
not for purposes dictated in the organization's charter.
D. The president is using company travel and entertainment funds for activities that
might be considered questionable. - Answer (C) is correct.
Grants represent 83.6% (US $418 ÷ $500) of current revenue. Consequently, fraudulent
grants constitute a much greater risk exposure than any of the other items listed.
Limitations of enterprise risk management (ERM) may arise from
A. Faulty human judgment.
B. Collusion.
C. Cost-benefit considerations.
D. All of the answers are correct. - Answer (D) is correct.
The limitations of ERM are the same as those for control in general. They arise from the
possibility of (1) faulty human judgment, (2) cost-benefit considerations, (3) simple
errors or mistakes, (4) collusion, and (5) management override.
Internal auditors have been advised to consider red flags to determine whether
management is involved in a fraud. Which of the following does not represent a difficulty
in using the red flags as fraud indicators?
A. Red flag information is not gathered as a normal part of an engagement.
B. Many common red flags are also associated with situations in which no fraud exists.
C. The red flags literature is not well enough established to have a positive impact on
internal auditing.
D. Some red flags are difficult to quantify or to evaluate. - Answer (C) is correct.
The state of red flags literature is an aid, not a difficulty, in internal auditing. It is well
established and will be refined in the future as research is done.
An unexpected decrease in which of the following ratios could indicate that fictitious
inventory has been recorded?
A. Price-earnings.
B. Current.
C. Total asset turnover.
D. Average collection period. - Answer (C) is correct.
The total asset turnover ratio equals sales divided by total assets. An increase in
reported inventory will increase total assets and decrease the ratio.
