1) Which of the following would not be part of a corporate risk assessment audit:

A) Evaluate whether there is a clearly defined risk management policy

B) Test the internal controls relating to computer security

C) Evaluate whether risk management is integrated with the business planning process

D) Evaluate whether the risk management policy is understood

E) All of the above would be part of a risk assessment

2) Which are the following is not a similarity between the COSO Enterprise Risk Management Integrated Framework and the COSO Internal Control-Integrated Framework

a) Both have a component on risk assessment

b) Both have a component on control activities

c) Both have component on monitoring

d) Both have a component on risk response

e) None of the above

3) Which of the following is not true about corporate governance

A) It involves stakeholders others than shareholders

B)  It provides incentives for management to pursue objectives in the interest of the company

C)  There are multiple models of corporate governance

D) Its sole objective is to maximize the value of the company in the short-term. 

E) It involves monitoring of performance

4) Which of the following best describes internal auditing's purpose in reviewing the organization's existing governance, risk management and controls processes?

A)  To help determine the nature, timing and extent of tests necessary to achieve engagement objectives

B)  To ensure that weaknesses in the internal control system are corrected

C)  To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically

D)  To determine whether the processes ensure that the accounting records are correct and that financials statements are fairly stated

E)   To comply with the IPPF Code of Ethics

5)  Which of the following is an area where it would not be appropriate for the risk management and internal auditing functions to collaborate:

A)  Sharing work products

B)  Leveraging the other's expertise

C)  Having internal auditing assume some of the accountability for risk management

D)  Monitoring risks

E)   Assessing risks

6) What is the primary benefit of having an internal auditor with expertise and experience in their business

A)  It is impossible to evaluate internal controls without this knowledge

B)  An individual cannot be hired into an internal auditing department without this knowledge

C)  The auditor will have difficulty establishing credibility with management without this knowledge

D)  The IPPF prohibits an auditor working on an assignment who is not an expert

E)   The internal auditor can be used to implement any recommendations. 

7) Which of the following is not within the scope of an internal auditing review of IT governance

A) Alignment between the business and IT

B) Adequacy and reporting of IT metrics

C) How adaptable IT is to changes in the business

D) Segregation of duties in the accounts payable department

E) All of the above would be covered in a review of IT governance

8) According to the IIA, the Code of Ethics prohibits a CAE from receiving stock options.

A) True

B) False

9) The internal audit activity's role in the risk management process of an organization may not encompass:      

A) No role

B) Auditing the risk management process as part of the internal audit plan.

C) Facilitating identification of risks

D) Accountability for risk management

E) Participation on oversight committees, monitoring activities, and status reporting.

10) Which of the following is not part of the definition of internal auditing?

A)  Risk management

B)  Governance

C)  Consulting

D)  Add value

E)  Implement internal controls

11) Which of the following is true about the IPPF

A)  By law in the U.S. internal auditing departments must comply with all the IIA Standards. 

B)  Interpretations are not considered to be mandatory guidance

C)  The Code of Ethics is part of the Standards

D)  Independence as defined in the IPPF is a concept dealing with an unbiased mental attitude

E)  All of the above are not true

12) According to the IPPF, an internal auditor assigned to an audit engagement:

A)  Must be an expert in the area being audited

B)  Must be proficient and exercise due professional care

C)  Can not have a relative working anywhere in the company

D)  Must be a Certified Internal Auditor

E)  Is responsible for detecting fraud

13) Which of the following is a change to the updated COSO Internal Control Framework from the 1992 version:

A) The definition of internal controls

B) The 17 principles

C) The three categories of control objectives

D) The five integrated components

E) The importance of management judgment

14) Which is of the following is considered to be the foundation of an internal control structure

A) Control Activities

B) Control Environment

C) Risk Assessment

D) Monitoring

E) Communication and Information

15) Which of the following is true about internal vs. external auditing?

A) Internal auditing reports to the external auditors

B) Internal auditing is more focused on financial reporting than external auditing

C) Many of the tool and techniques in auditing are common to both internal and external auditing

D) External auditors cannot rely on any of the work done by internal auditing

E) Both have the same definition of the term "independence."

16)  Which of the following is not cited in week 3 as a limitation of a system of internal controls

A) Cost/benefits trade-offs in establishing controls

B) Average age of senior management

C) Management overrides

D) Collusion

E) Lack of training in control procedures

17) Which of the following is not a problem faced by internal auditors in documenting internal controls

A) Too much detail

B) Not enough detail

C) Missing significant transactions

D) Not identifying the control

E) None of the above

18) Analysis of risk is limited to estimating the impact and assessing the likelihood of a risk event. 

A) True

B) False

19) According to the IPPF which of the following is not true about objectivity.

A) It deals with where internal auditing reports in the organization

B) Auditors cannot subordinate their judgment on audit matters to others

C) It requires impartiality

D) Conflict of interests can exist even if there is no unethical result

E) An internal auditor can never provide assurance services for an activity which he previously had responsibility

20) Which of the following is not a section of  the Performance Standards

A) Objectivity

B) Risk management

C) Engagement scope

D) Disseminating results

E) None of the above

21)Which of the following is true about ERM

A) The COSO ERM Framework is the only approved ERM framework in the U.S.

B) 90% of all corporations have implemented the entire COSO ERM Framework

C) The COSO ERM Framework is part of the COSO Internal Controls Framework

D) An effective ERM process will guarantee the enterprise will achieve its business objectives

E) None of the above are true

22) Which of the following is an example of a "soft" control

A) Bank reconciliations

B) Segregation of duties

C) Approvals on purchase orders

D) Integrity and ethical values

E) None of the above

23) Which of the following is not true about a risk assessment process:

A) It is about measuring and prioritizing risks

B) It requires analysis of interaction among risks

C) All risks require continual monitoring

D) Risk assessment should be done before developing risk responses

E) All of the above are true

24) Which are the following would not likely be a recommendation resulting from a risk management audit

A) There is insufficient integration of risk management into the business

B) The internal auditing department is not following the IPPF

C) Strategic planning activities do not apply risk assessment properly

D) Risk management does not lead to more effective internal controls

E) Risk ownership is not properly defined 

25) In determining the adequacy of IT controls, which of the following is not applicable

A)  Complexity of the IT infrastructure

B)  The organization's risk appetite

C)  The benefits provided by the controls versus the costs

D)  Whether the system is connected to the Internet

E)  All are applicable

26) What is residual risk?

A)  Impact of risk

B)  Risk that is under control

C)  Risk that is not managed

D)  The inherent risk in the environment

E)  None of the above

27) Which of the following is not an example of an IT general control

A) IT governance

B) System development process

C) Backup and recovery

D) Edit checks in the accounts payable application

E) Program change management

28) What is a way management can gain assurance over controls when an activity is outsourced to a third party

A) Obtain a report by an independent party on controls at the outsourcer

B) Have terms in the contract governing the nature of services and performance measures

C) Have an audit rights clause in the contract

D) Determine if the outsourcer has any relevant certifications

E) All of the above

29) According to Mike Jacka, the new COSO Internal Control Framework is revolutionary, not evolutionary

A) True

B) False

30) According to Mike Jacka when implementing the new COSO internal controls framework, internal auditors tend to overlook

A) Controls over financial reporting

B) The control environment

C) Monitoring the entire controls framework

D) Control activities

E) B & C

31) You are the technology auditor for a medium size online retailer.   With the growth it has been very difficult for the Information Technology (IT) group to keep up with the hardware requirements and new software for all the various smartphone applications.  Although there would be reduction of most of the IT staff the CIO has done a complete analysis of moving to a Cloud Computing solution with Amazon Webservices.  With this change, all IT functions for the primary application of order processing and fulfillment would be handled through Amazon.   The reduction in ongoing costs would be almost fifty percent along with major capital expenditures for upgrades if they were to keep processing in-house.   Much of the in-house technology is outdated from a web application and regulatory standpoint.

Amazon Web Services is the largest provider of integrated Cloud Computing Services and offers a complete set of infrastructure and application services.  Many organizations have lowered costs, including your competitors allowing them to lower costs and gain market share.  One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale as the business grows.

You have been asked by senior management to assist with the Amazon project and the evaluation of the controls.

a. Describe the five most significant areas of controls concern that you would like to express to the senior management in the transition to Amazon?

b. How would you propose the organization gets comfortable with the controls at Amazon?

c. The CIO has also asked you to review the staffing as he had plans to get rid of the entire IT staff after a transition period and wants audit concurrence with that.  Do you agree or disagree?  Explain the reasons for your conclusion.  

32) A) What does "limitations of internal control" mean?  Provide some examples.

B) Discuss how regulations help to improve governance.  Explain how some regulations may have unintended consequences regarding governance.