IIA-CIA-Part1 Exam Questions

Total 566 Questions

Last Updated Exam : 7-Jul-2025

Topic 2, Volume B

During a review of data center physical security and environmental controls, an auditor
should ensure that:
I. Visitors are accompanied by authorized personnel at all times.
II. Only developers and operators have access to the data center.
III. Fire suppression equipment is tested periodically.
IV. Fire and water detectors have been installed.


A.

I and III only


B.

II and IV only


C.

I, III, and IV only


D.

II, III, and IV only





C.
  

I, III, and IV only



A quantitative risk assessment model has all of the following advantages except:


A.

Accommodating a large number of risk factors in the assessment.


B.

Providing documentation for the chief audit executive, who must defend the long-range
audit plan.


C.

Providing a systematic method of applying weightings to risks and priorities.


D.

Removing the need for judgment on the part of the chief audit executive.





D.
  

Removing the need for judgment on the part of the chief audit executive.



The main reason to establish internal controls in an organization is to:


A.

Encourage compliance with policies and procedures.


B.

Safeguard the resources of the organization.


C.

Ensure the accuracy, reliability, and timeliness of information.


D.

Provide reasonable assurance on the achievement of objectives.





D.
  

Provide reasonable assurance on the achievement of objectives.



When using a risk assessment model to develop audit plans, it is essential that the chief
audit executive take into account the:


A.

Results of the last audit.


B.

Planned visits by the external auditors during the upcoming year.


C.

Recent or expected changes in management direction and objectives.


D.

Dates of future board meetings.





C.
  

Recent or expected changes in management direction and objectives.



The chief audit executive for an organization has just completed a risk assessment
process, identified the areas with the highest risk, and assigned an audit priority to each.
Which of the following statements is true and consistent with the International Professional
Practices Framework?
I. Items should be ranked in the order of quantifiable dollar exposure to the organization.
II. The audit priorities should be in order of major control deficiencies.
III. The risk assessment, though quantified, is the result of professional judgments about both
exposures and probability of occurrences.


A.

I only


B.

III only


C.

II and III only


D.

I, II, and III.





B.
  

III only



Which of the following factors related to an organization's performance management
system would not contribute to the organization's success?


A.

Performance management is linked to competence and knowledge management.


B.

Subordinates and superiors have shared responsibility for the performance management process.


C.

Staff members own the performance management process, thereby ensuring implementation and accountability.


D.

Performance management is integrated into other organizational processes and human
resource processes.





C.
  

Staff members own the performance management process, thereby ensuring implementation and accountability.



Which statement most accurately describes how criteria are established for use by internal
auditors in determining whether goals and objectives have been accomplished?


A.

Management is responsible for establishing the criteria.


B.

Internal auditors should use professional standards or government regulations to establish the criteria.


C.

The industry in which a company operates establishes criteria for each member
company through benchmarks and best practices for that industry.


D.

Appropriate accounting or auditing standards, including international standards, should be
used as the criteria.





A.
  

Management is responsible for establishing the criteria.



An organization receives the most value from an internal audit activity's enterprise-wide risk
assessment when the auditor:


A.

Focuses primarily on enterprise-level risks.


B.

Considers activities at all levels of the organization.


C.

Reviews special projects and new initiatives.


D.

Validates supporting financial and operational data.





B.
  

Considers activities at all levels of the organization.



The audit process used by the internal audit activity of a large wholesale clothing company
does not include an engagement letter or project approval document. The most serious
consequence of this deficiency in the process is that the:


A.

Audit schedule may not be optimal from the engagement client's perspective.


B.

Audit objectives may not be understood by management of the area being audited.


C.

Audit resources may not be sufficient.


D.

Audit plan priority may have changed.





B.
  

Audit objectives may not be understood by management of the area being audited.



The chairperson of an organization's audit committee has obtained a risk management
report that identifies significant industry concerns that impact the organization. The
chairperson has asked the chief audit executive (CAE) to review these concerns and
advise if they are relevant to the organization. How should the CAE respond?


A.

Accept the engagement but communicate only with the audit committee to protect the
confidentiality of the request.


B.

Decline the engagement because it is outside of the scope of the internal audit charter.


C.

Decline the engagement because it impairs the internal audit activity's independence.


D.

Accept the engagement but inform senior management of the request.





D.
  

Accept the engagement but inform senior management of the request.



