IIA-CRMA-ADV Certification in Risk Management Assurance Questions and Answers

The scope of store operations audits should exclude compliance.

Store operations audits can be fully executed with appropriate disclosure to the board.

Store operations audits should be performed by an external service provider.

A store operations compliance audit should be performed by a staff internal auditor under the direction of the CAE.

Accepting the money would be prohibited only if it were non-customary.

Accepting the money would violate the IIA Code of Ethics.

Because the CIA is not acting as an internal auditor, accepting the money would be governed only by the organization's code of conduct.

Because the contract was signed before the money was offered, accepting the money would not violate the IIA Code of Ethics.

Other internal auditors possess sufficient knowledge of accounting principles and techniques.

The candidate's information systems knowledge and real-world experience in internal auditing.

Accounting skills can be learned over time with appropriate training.

An entry level position does not require expertise in any particular area.

Evaluating risk management processes.

Recommending accountability for risk management.

Providing assurance that risks are evaluated correctly.

Supporting managers to identify ways to mitigate risks.

1 and 3.

1 and 4.

2 and 3.

2 and 4.

The chief audit executive (CAE) approves the annual internal audit plan.

The CAE administratively reports to the board.

The audit committee approves the CAE's annual salary increase.

The chief executive officer approves the internal audit charter.

Performing a chemical analysis of the water, prior to discharge, for components specified in the permit.

Posting signs that tell employees which substances may be disposed of via sinks and floor drains within the facility.

Diluting pollutants by flushing sinks and floor drains daily with large volumes of clean water.

Establishing a preventive maintenance program for the pretreatment system.

An internal auditor evaluates the significant risks arising from a consulting engagement.

An internal auditor declares that he would have a conflict of interest in providing planned audit support.

An internal auditor has been given sufficient authority to access documents needed to make an appraisal of an issue.

An internal auditor uses technology-based audit techniques to ensure that all significant risks are identified.

Outsource the audit engagement to a qualified external auditing firm without burdening the audit committee with the decision.

Determine the requisite knowledge needed, and obtain the proper training for auditors, even if the training will significantly push back the project's timeframe as outlined by the audit committee.

Notify the audit committee of the problem, and assign the most competent auditors on staff to perform the audit engagement.

Employ the skills of a financial derivatives expert to consult on the project, and supplement the consulting with a local seminar on financial derivatives.

Because preventive controls promote doing the right thing in the first place, and lessen the need for corrective action.

Because preventive controls are more sensitive and identify more exceptions than detective controls.

Because preventive controls include output procedures, which cover the full range of possible reviews, reconciliations and analysis.

Because preventive controls identify exceptions after-the-fact, allowing them to be used after the entire review is complete and therefore finding exceptions that detective controls may have missed.

Who?

How?

Why?

When?

Corrective control.

Preventive control.

Detective control.

Directive control.

Plan employee sessions and team building strategies for the organization to improve awareness of fraud among employees.

Review the investigation and implement any improvements to the process.

Conduct lessons learned sessions to ascertain how the fraud occurred and which controls failed.

Determine why The fraud was not detected earlier and design controls to strengthen early detection.

Assurance services for outside clients are not covered under the internal audit charter.

Assurance services for outside clients must be approved on a case-by-case basis by the board of directors.

The nature of assurance services for outside clients should be defined in the internal audit charter.

The nature of assurance services for outside clients is the same as for internal clients.

1 and 3.

1 and 4.

2 and 3.

2 and 4.

Several recent, large expenditures to a new vendor have not been documented.

A manager has bragged about multiple extravagant vacations taken within the last year, which are excessive relative to the manager's salary.

A weak control environment has been accepted by management to encourage creativity.

New employees occasionally fail to meet established project deadlines due to staffing shortages.

A physical security control over a data center.

A system development life cycle control.

A program change management control.

An input control over data integrity.

Terminate the audit engagement in full because an operational audit will not be productive without the client's cooperation.

Terminate only the specific action or process with which the client disagrees and work to determine a substitute function that will not impede further IAA or the client-audit relationship.

Refer the client to the IAA's charter and the approved yearly audit plan, which includes the areas designated for audit in the current time period.

Seek the approval of senior management or the board in mediation, allowing an overseer to clarify the scope of the audit engagement for the client.

1 and 3 only

1 and 4 only

2 and 3 only

2 and 4 only

Have a proficient internal audit staff member perform the assessment and disclose the impairment in the audit report and to the board.

Have a regulatory compliance staff member perform a self-assessment, to be reviewed by a proficient internal auditor.

Have a proficient internal audit staff member perform the audit and report the results of the assessment directly to senior management and the board.

Contract with a third-party entity or external auditor to complete the assessment and report the results to senior management and the board.

The audit engagements to be performed during the upcoming year.

The internal audit activity's position within the organization.

The scope of internal audit activities.

Management and the board of directors' agreement regarding the roles and responsibilities of the internal audit activity.

Impose risk management processes.

Coordinate risk management activities.

Implement risk responses on management's behalf.

Review the management of key risks.

Management principles.

Computerized information systems.

Internal audit standards, procedures, and techniques.

Fundamentals of accounting, economics, and finance.

Diversifying the risk that network access will not be available to legitimate, authorized users.

Accepting the risk that there may be attempts at unauthorized access to the network.

Avoiding the risk of having a direct network connection to un-trusted networks.

Sharing the risk that either firewall could be compromised by hackers.

The CFO determines the scope of internal audit work in the accounting department.

The CFO manages the accounting of the budget for the internal audit function.

The CFO administers the annual evaluation process for the internal auditors.

The CFO provides feedback on the CAE's audit reports.

The same employee who receives cash from customers prepares a prelisting of cash receipts.

The same employee who records cash receipts in the accounts receivable subsidiary ledger ensures that the ledger automatically updates the information.

The same employee who restrictively endorses checks received from customers prepares the bank's check deposit slips.

The same employee who makes deposits at the bank prepares the monthly bank reconciliation.

Higher inventory turnover.

Higher operating margin.

Lower obsolete stock disposal.

Lower sales volume.

Objective setting.

Control activities.

Information and communication.

Event identification.

Competence.

Flexibility.

Objectivity.

Independence.

Report the deviations immediately to the audit committee.

Gather additional information to determine the cause of the deviations.

Conclude that the budget was unreasonably set and accept the deviations.

Perform alternative forms of analytical procedures which provide no deviations.

The CAE should agree with the audit committee and implement only those standards appropriate to the size of the IAA.

The CAE should request the audit committee to review the Standards to identify specifically which are creating the greatest concern.

The CAE should seek sufficient funding to increase audit resources to meet the minimum requirements of the Standards.

The CAE should explain that conformance with the Standards is essential and not dependent upon the size of the IAA.

Continue with the engagement in order to meet the regulatory deadline, but highlight areas in the final report that might need to be revised in the future.

Ask that a senior member of the organization's IT department with the required systems expertise join the audit team to assist in completing the engagement.

Delay the engagement and inform the board of the situation, asking them to provide acceptable alternatives for completing the engagement.

Remove the planned engagement from the audit plan and explain to senior management the problems with moving forward without an auditor with the necessary expertise.

Three months.

Six months.

One year.

Two years.

An internal auditor should express an opinion only when consensus with top management has been achieved.

An internal auditor's opinion should be based on experience and free of all bias.

An internal auditor's opinion should be based on factual evidence.

An internal auditor's opinion should be limited to the effectiveness of internal controls.

A library control log.

A review of exception reports.

A password lock on a server.

A software scan of financial records for irregularities.

Vendor invoice payment requests are accompanied by a purchase order and receiving report.

Purchase orders are typed by the purchasing department using prenumbered forms.

Buyers promptly update the official vendor listing as new supplier sources become known.

Department managers initiate purchase requests that must be approved by the plant superintendent.

Because management requires the review to measure effectiveness of the internal audit activity.

So that the individual objectivity of the internal audit staff can be more clearly established.

So that there is assurance of the internal audit staff's proficiency to complete audit activities.

Because changes in the organization may impair the internal audit activity's ability to meet its objectives.

Recommend management seek a consulting firm to advise on outsourcing.

Highlight matters that require management's attention.

Implement solutions for specific organizational problems.

Accumulate data, obtain varying views, and report information to senior management.

Strategic objectives.

Operational objectives.

Reporting objectives.

Compliance objectives.

Consult with an immediate supervisor and notify the organization's audit committee.

Consult with an immediate supervisor and review the organization's ethics policy.

Give the prize to a friend or family member and notitfy the organization's audit committee.

Give the prize to a friend or family member and review the organization's ethics policy.

1 and 2.

1 and 3.

2 and 3.

3 and 4.

A budget.

A risk assessment.

The board of directors.

The control environment.

Quality assessments and cultural biases of the internal audit activity.

Rotational assignments and familiarity of the internal audit activity.

Employee incentives and self review of the internal audit activity.

Organizational positioning and scope control of the internal audit activity.

Authority and responsibility to resolve issues.

Framework to plan, execute and monitor activities.

Integrated responses to multiple risks.

Knowledge and skills needed to perform activities.

Disclose the deficiency, and request that the investigation be reassigned to the first line of defense.

Proceed with the investigation, as internal auditors are not required to have fraud expertise.

Outsource the sensitive investigation to a third-party consultant with fraud expertise.

Select a member of the accounting department who is not involved in the fraud to join the investigation team in a consulting capacity.

Usage of IT system policy.

Risk management framework.

Acceptance of gifts policy.

Personal responsibility policy.

The CAE would need to procure external services to deliver the internal audit assurance program.

There is no expertise within the internal audit team for detecting and investigating fraud.

There is no expertise within the internal audit team for auditing an IT engagement.

There is no available expertise on the internal audit team to perform a consulting engagement.

Control environment.

Control activities.

Risk assessment.

Monitoring.

The audit committee and senior management.

The audit committee and the external auditors.

Senior management and management of the audited area.

Senior management and the external auditors.

The training courses necessary to enhance the internal auditor's knowledge, skills, and other competencies.

The appropriateness of assurance procedures necessary to ensure all significant risks will be identified.

The use of innovative technology and data analysis techniques.

The extent of work needed to achieve the engagement’s objectives.

Internal auditors should take a leading role in investigating all fraud-related cases.

Internal auditors must have sufficient knowledge to evaluate the risk of fraud.

Internal auditors should report all fraud cases to law enforcement agents, in accordance with the Code of Ethics.

Internal auditors are responsible for ensuring that fraud does not occur.

Perform ongoing surveys of the employees, customers, and partners of the organization to assess the organization's ethical climate. ^Evaluate the effectiveness of the organization's strategies and B. processes for achieving the desired level of legal and ethical compliance.

Maintain a whistleblower hotline to identify inappropriate or illegal activity within the organization.

Perform background checks of potential new employees before they are hired by the organization.

Objectivity.

Proficiency.

Independence.

Due professional care.

Continuously monitor the organization's overall risk activities in relation to its risk appetite.

Evaluate the adequacy and effectiveness of the organization's governance activities.

Oversee the establishment and administration of an effective risk management program.

Assist management in implementing recommended control improvements.

4 only

1 and 3 only

1 and 4 only

2, 3, and 4 only

The bottom of the pyramid responsibility.

Innovative responsibility.

Ethical responsibility.

Discretionary responsibility.

Establish and provide continuing assurance on an anti-money laundering program for new hires.

Survey employees for their understanding of anti-money laundering practices.

Provide assurance for the effectiveness of anti-money laundering training.

Assess the risk of being fined for ineffective anti-money laundering practices.

1 and 2.

1 and 3.

2 and 3.

2 and 4.

Independently evaluate the skills and experience of potential chief information officer candidates to assess the best fit based on the organization's risk appetite.

Evaluate the organization's governance standards and assess IT-related activities to identify gaps and develop policies, ensuring alignment with the organization's risk appetite.

Assist management in interpreting complex IT-related privacy and security risk exposures and evaluating potential mitigation strategies.

Assess whether governance activities are aligned with the organization's risk appetite and take into consideration emerging risks.

$11, 250

$25, 000

$33, 750

$45, 000

Having an occupational health officer on the engagement team.

Determining that the claims have been classified properly.

Placing reliance on medical reports from the injured worker's doctor.

Reviewing claims to ensure all accidents actually occurred in the workplace.

Delegate final approval of the risk-based internal audit plan to the chief audit executive (CAE).

Approve the annual budget and resource plan for the internal audit activity.

Assist the CAE with hiring objective and competent internal audit staff.

Encourage the CAE to communicate and coordinate with the external auditor.

The practice of surprise audits and the implementation of an employee support program.

Hiring an employee with a prior fraud conviction and yearly management review.

Occasional accounting department overrides and discontinuation of the anonymous fraud hotline due to infrequent use.

A veteran employee in upper management experiencing financial difficulties and recently implemented enhanced controls.

Their understanding of auditing standards.

Previous experience working with the internal audit activity.

Their reporting line within the organization.

The nature of their regular duties and responsibilities.

The assigned internal auditor must determine the objectives, scope, and techniques of the engagement.

The CAE must personally obtain the needed skills, knowledge, or other competencies if the internal auditor does not have them.

The assigned internal auditor must not assume management responsibilities while performing the engagement.

The assigned internal auditor must maintain objectivity while performing the engagement.

Requiring employees to attend ethics training.

Performing background checks on employees.

Implementing a control self-assessment.

Performing a surprise audit.

The CAE initials and dates every working paper after it has been reviewed.

The CAE completes an engagement working paper checklist.

The CAE prepares a memorandum discussing the results of the working paper review.

The CAE utilizes an external third party to make an objective recommendation after each working paper review.

1 only

2 only

3 only

1 and 2 only

A Bedford analysis of orders filled to average delivery times.

Decision trees rating actual performance against requirements.

Queuing theory to assess potential bottlenecks in the process.

A program evaluation and review technique chart.

Resource management.

Coordination.

Due professional care.

Engagement supervision.

The board.

The chief audit executive.

Senior management.

The external auditors.

Restrict data-table access from management and line supervisors who have the authority to determine pay rates.

Require a supervisor in the department, who has the ability to change the table, to compare the changes to a signed management authorization.

Ensure that adequate edit and reasonableness checks are built into the automated system.

Require a manager, who is independent of the system and who cannot change the table, to authorize and sign-off on any employee pay changes.

Hire a risk consultant.

Implement a hedging strategy.

Maintain a large foreign currency balance.

Insist that customers only pay in a stable currency.

Monthly bank reconciliations are performed by the clerk on a timely basis.

Total cash deposits for the month are reconciled to the cash receipts journal.

Names, amounts, and dates on remittance advices are reconciled with the names, amounts, and dates recorded in the cash receipts journal.

Total cash deposits are compared with the bank reconciliation.

The amount of risk that an organization is willing to seek or accept.

The extent and degree of interdependency for identified key risks.

The boundaries established to manage the amount of risk taken.

The exposure to risks following management's risk responses.

1.2, and 3.

1,2, and 4.

1.3, and 4.

2. 3, and 4.

Hedging against exchange rate variations.

Limiting access to an organization's data center.

Selling a nonstrategic business unit.

Outsourcing a high-risk activity.

External auditors.

Chief risk officer.

Operations management.

Board of directors.

Adequate signs are in place to assist in locating safety equipment.

Servers are secured individually to their racks by locks.

Foam fire extinguishers are operable to protect against electrical fires.

Swipe card access is required to gain access to the server room.

Act as an adviser to the committee responsible for reviewing violations of the code.

Review and adjudicate all violations of the code of conduct.

Lead the committee responsible for the oversight of the code.

Implement a system of procedures to inform all employees of the code.

1,2, and 3.

1.2, and 4.

1.3, and 4.

2, 3, and 4.