Chapter 2 Multiple Choice Answers (1-32)

Establish a Risk-Based Plan

1. Choice (d) is the correct answer. Audits should be planned and conducted according to the risk
level; that is, high-risk auditable areas should be reviewed first, followed by medium-risk areas,
which are followed by low-risk areas. The medium- and low-risk auditable areas should be
reviewed only when audit resources are available (IIA Standard 2010 Planning and IIA
Standard 2120 Risk Management). The other three choices do not consider risk explicitly.
2. Choice (c) is the correct answer. Audit risk is the risk that the auditor may unknowingly fail to
appropriately modify his/her opinion on financial statements that are materially misstated. It is
the product of other three risks: it is equal to inherent risk multiplied by control risk, which is
multiplied by detection risk. Audit risk is an all-inclusive term here (IIA Glossary and IIA
Standard 2010 Planning and IIA Standard 2120 Risk Management). Inherent risk is the
susceptibility of a management assertion to a material misstatement, assuming that there are no
related internal control structure policies or procedures. Detection risk is the risk that the auditor
will not detect a material misstatement present in a management assertion. Control risk is the risk
that a material misstatement in a management assertion will not be prevented or detected on a
timely basis by the entity's internal control structure policies or procedures.
3. Choice (c) is the correct answer. Auditor skills become a consideration during audit
scheduling. Risk analysis is done prior to the start of an audit, where factors such as system
complexity, system changes, and results of prior audit are very important to consider. These
factors determine whether an auditable area is high risk, medium risk, or low risk (IIA Standard
2010 Planning and IIA Standard 2120 Risk Management).
4. Choice (c) is the correct answer. The audit resources should be allocated to those areas where
the risk level is the highest (IIA Standard 2010 Planning and IIA Standard 2120 Risk
Management). Print software is low-risk compared to the other three types of software to be
reviewed by an auditor.
5. Choice (c) is the correct answer. This is the basic definition of risk given in the IIA Standard
2010 Planning, IIA Glossary, and IIA Standard 2120 Risk Management (Item III). Choice (a)
is incorrect. Requests from management and the audit committee should both be considered by
the internal audit department. Although an audit committee request is important, it is not always
more important, nor does it always imply higher risk (item I). Choice (b) is incorrect. Risk is
measured by the potential exposure to the organization. The size of the departmental budget is an
important determinant, but is not a sufficient determinant (item II). Choice (d) is incorrect since
it contains both correct and incorrect answers.

6. Choice (a) is the correct answer. The results of a financial audit would be the least relevant
factor in prioritizing the auditors tasks because the financial audit will not resolve the question
asked by management. Also, the financial audit was prior to the recent problems. Choice (b) is
incorrect. Fraud is one of the major factors to be considered in analyzing risk and identifying
audit activities. Choice (c) is incorrect. The increase in expenditures provides a benchmark for
potential exposure or loss to the organization. Choice (d) is incorrect. Fines imposed by
regulatory agencies could represent a significant risk (IIA Standard 2010 Planning and IIA
Standard 2120 Risk Management).
7. Choice (b) is the correct answer. The IIA Standard 2010 Planning and IIA Standard 2120
Risk Management states that objective reports are factual. Lawrence Sawyer states, "Every
categorical statement, every figure, every reference must be based on hard evidence." The size of
the audit unit is a fact, and not affected by the auditor's impressions and feelings. Choice (a) is
incorrect. Assessment of prior audit findings is dependent on the auditor's impressions and
feelings. Choice (c) is incorrect. Comfort with operating management is dependent on the
auditor's impressions and feelings. Choice (d) is incorrect. Assessment of changes in staff
systems or the environment is dependent on the auditor's impressions and feelings.
8. Choice (c) is the correct answer. There is a great risk when cash payments can be made with
no authorization. Several possible types of fraud could be occurring (IIA Standard 2010
Planning and IIA Standard 2120 Risk Management). Choice (a) is incorrect. This is an
important item, but most important items include whether cash disbursements are properly
controlled and payment will not be made without verification of receipt. The receipts could have
been voided and destroyed. Choice (b) is incorrect. Some types of purchases do not require
purchases requisitions, such as routine inventory acquisition. There is some risk in this, but it is
not the greatest risk posed in the problem. Choice (d) is incorrect. Unless other controls are
missing, the largest risk would be the loss of a day's receipts. This is a risk, but not the greatest
risk.
9. Choice (a) is the correct answer. A department causing production bottlenecks would seem to
have problems with efficiency and effectiveness, and would thus warrant an operational audit
(IIA Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice (b) is
incorrect. There is no information given that would indicate that Production C was particularly
inefficient or ineffective. Choice (c) is incorrect. There is nothing to indicate that Purchasing has
been particularly inefficient or ineffective. Choice (d) is incorrect. There is nothing to indicate
that Marketing has been particularly inefficient or ineffective.
10. Choice (a) is the correct answer. Risk is a combination of the amount of assets exposed to
risk, times the probability of a loss occurring (IIA Standard 2010 Planning and IIA Standard
2120 Risk Management). Choice (b) is incorrect. Annual cost is not a sufficient reason to
conduct an audit. The amount of costs at risk times the probability of loss would be a better risk
measure. Choice (c) is incorrect. The probability of loss is not sufficient reason to conduct an

audit. If only a few assets are involved (such as a petty cash fund), then audit resources can best
be utilized elsewhere. Choice (d) is incorrect. Quantity of assets is not a sufficient reason to
conduct an audit. The amount of assets at risk times the probability of loss would be a better risk
measure.
11. Choice (c) is the correct answer. Developing a financial/behavioral profile may corroborate
illegal income and provide a basis for tracing illegal payments (IIA Standard 2010 Planning
and IIA Standard 2120 Risk Management). Choice (a) is incorrect. The issue is not unrecorded
liabilities but direct financial kickbacks, which will not be determined by this action. Choice (b)
is incorrect. Although helpful in identifying possible sources of kickbacks, this action would not
corroborate the allegation. Choice (d) is incorrect. Past charge-off of receivables have no relation
to kickbacks from a media outlet to a marketing manager.
12. Choice (a) is the correct answer. Informing the wrongdoer of legal rights is the responsibility
of legal authorities (IIA Standard 2010 Planning and IIA Standard 2120 Risk Management).
Choices (b), (c), and (d) are incorrect because they are a part of the auditor's responsibility with
respect to the discovery of fraud.
13. Choice (b) is the correct answer. Of all the four choices, the purchasing function typically
represents significant risk for a manufacturing operation. In a merger of two manufacturers'
purchasing functions, that auditable area can be a source of even more significant risk (IIA
Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice (a) is incorrect.
The usual size of imprest funds will not likely result in a risk that matches with the purchasing
operation. Choice (c) is incorrect. Legal functions typically do not represent the magnitude of
risk that a purchasing operation has. Choice (d) is incorrect. Marketing functions may have
identifiable risks but typically not as much as purchasing operations.
14. Choice (b) is the correct answer. The IIA Standards specifically define risk as the probability
that an event or action may adversely affect the activity under audit (IIA Glossary, Standard 2010
Planning, and IIA Standard 2120 Risk Management). Choice (a) is incorrect. This is the
American Institute of Certified Public Accountants (AICPA's) definition of inherent risk for
financial statement audit purposes. Choices (c) and (d) are incorrect because they are listed in
the Standards as a type of adverse action that can result from unmitigated risk.
15. Choice (a) is the correct answer. This is the least risky area because the number of analysts
and programmers may be more of a reflection of operating philosophy (buying new applications
vs. developing them). This philosophy is unlikely to affect the probability of the event adversely
affecting the operations (IIA Standard 2010 Planning and IIA Standard 2120 Risk
Management). Choice (b) is incorrect. This is a risk area because (1) one of the companies has
little experience with dealing with EDI, and (2) the complexity of computer communications in
an EDI environment creates risk for those companies that have not yet established strong
communication controls. Choice (c) is incorrect. This is a high-risk factor because the two

different systems must be made compatible to achieve the economy of objectives and strategic
plans of a merged organization. The conversion from one systems or database structure to
another is risky because data or applications may be lost or modified. Employees will have to be
re-trained on the surviving system. There is always increased risk of error when people are not
familiar with a computer system. Choice (d) is incorrect. This is a heavy risk factor for all the
reasons discussed in choice (c) above.
16. Choice (a) is the correct answer. Materiality is defined by the potential impact of an item on
the organization and is not limited to items that can be assessed only in quantitative terms (IIA
Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice (b) is incorrect.
There may be some control failures of a minor nature that would not be considered material.
Choice (c) is incorrect. Sampling approaches may be used to comprehensively cover the control
structure of an organization. Choice (d) is incorrect because responses II and III are not correct.
See choices (b) and (c) above.
17. Choice (b) is the correct answer. This could be very consistent with management's
philosophy and would be considered part of the overall control environment. Detailed internal
audit review can be an integral part of an organization's control structure (IIA Standard 2010
Planning and IIA Standard 2120 Risk Management). Choice (a) is incorrect. It is difficult to
ever justify an audit approach or reporting style based on tradition. It may indicate the audit
director is not in touch with management or that management may not be adopting its control
philosophy to substantive changes in the environment. Choice (c) is incorrect. There is a "user"
component of materiality, but it would be difficult to consider every situation or deviation as
material. Choice (d) is incorrect because it contains correct and incorrect answers.
18. Choice (b) is the correct answer. A formalized corporate code of ethics presents objective
criteria by which actions can be evaluated and would thus serve as criteria against which
activities could be evaluated (IIA Standard 2010 Planning and IIA Standard 2120 Risk
Management). Choice (a) is incorrect. Response I is not correct. The existence of a corporate
code of ethics, by itself, does not ensure higher standards of ethical behavior. It must be
complemented by follow-up policies and monitoring activities to ensure adherence to the Code.
Choice (c) is incorrect. Standards of ethical behavior, which would influence individual actions,
can occur in other places than the Corporate Code of Ethics. For example, there may be defined
policies regarding purchasing activities that may serve the same purpose as a code of ethics.
These policies also serve as criteria against which activities may be evaluated. Choice (d) is
incorrect because it contains both correct and incorrect answers.
19. Choice (b) is the correct answer. The CAEs preliminary findings should be immediately
reported to the audit committee, rather than management, because the audit committee is
considered an organization one level above where the alleged fraud is taking place (IIAs Code of
Ethics, IIA Standard 2010 Planning, and IIA Standard 2120 Risk Management). Choice (a)
is incorrect. This response would not be appropriate because the internal auditors are not in a

position to engage external legal counsel. Further, the findings should not be reported to
management since they might be involved. Choice (c) is incorrect. Standards clearly indicate that
the auditors report the suspected fraud to the appropriate levels of the organization to determine
whether an investigation is undertaken. The auditors may not be in the best position to determine
whether the trading is fraudulent and certainly are not in a position to report the information to
government officials. Choice (d) is incorrect. This would not be acceptable because the IIA's
Code of Ethics clearly indicates that auditors cannot be associated with any illegal or
inappropriate behavior. Ignoring their findings would violate that ethical standard.
20. Choice (d) is the correct answer. This is the one explanation that could be supported by all
the data elements and would thus form a hypothesis for subsequent audit testing (IIA Standard
2010 Planning and IIA Standard 2120 Risk Management). Choice (a) is incorrect. This might
be a potential explanation for one store but unlikely to occur at all three stores. Choice (b) is
incorrect. Although this might be a problem, the data tend to contradict it. Sales are increasing
which would indicate customer satisfaction. Choice (c) is incorrect. There is not enough evidence
to indicate that fraud might be present. In order for this hypothesis to hold true, there would have
to be significant amounts of inventory shrinkage. This does not explain higher sales and bonuses.
21. Choice (c) is the correct answer. If this type of fraud were occurring, it would result in
inventory shrinkage. The surprise inventory count would be an effective audit technique (IIA
Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice (a) is incorrect.
The ITF only provides evidence on the correctness of computer processing. It would not be
relevant to the hypothesized rationale for the operating data. Choice (b) is incorrect. Interviews
provide a weak form of evidence and would be better if the auditor first has substantive
documentary evidence. Choice (d) is incorrect. The problem is with inventory shrinkage, not
whether or not items are appropriately keyed in or scanned in at the cash register.
22. Choice (a) is the correct answer. The audit committee's agenda for an audit committee
meeting would not be an auditable activity, but may contain audit activities conducted by the
audit function (IIA Standard 2010 Planning and IIA Standard 2120 Risk Management).
Choices (b), (c), and (d) are incorrect because these are auditable activities specifically identified
in the IIA Standards.
23. Choice (b) is the correct answer. This is the essence of the risk process as per the IIA
Standards (IIA Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice
(a) is incorrect. Risk represents the probability that an event or action may adversely affect the
organization. Although it may be most convenient to quantify those risks into dollars for ranking
purposes, it is not required that they be quantified. Choice (c) is incorrect. The risk priorities do
not necessarily mean there are major control deficiencies in the area. The auditor may use the
exposures as a basis to evaluate controls, but the controls may be in place. Choice (d) is incorrect
because items I and II are incorrect as noted in choices (a) and (c) above.

24. Choice (b) is the correct answer. The annual audit plan should integrate the risk analysis with
requests from management and the audit committee (IIA Standard 2010 Planning and IIA
Standard 2120 Risk Management). Choice (a) is incorrect. The Standards incorporate the
concept of coordinating work with the external auditor. There may be a number of factors that
affect the choice of which work will be performed by the external auditors. However, there is no
prohibition regarding high risk or low risk items. Choice (c) is incorrect. The risk analysis should
be updated for changes as they occur during the year. Choice (d) is incorrect because items I and
III are not correct as noted in choice (a) and (c) above.
25. Choice (a) is the correct answer. According to the Standards, the auditor could appropriately
consider the extent of management judgments and accounting estimates as a risk factor (IIA
Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice (b) is incorrect.
Risk analysis should consider both the potential loss (or damages) and the probability of
occurrence. An area with the largest potential loss may have a very low expected loss. Choice (c)
is incorrect. An area with a high probability of occurrence may have a very small risk of
potential loss associated with it. Choice (d) is incorrect. Although it may be preferable in many
circumstances to reduce items to quantitative terms, the concept of risk analysis is not limited to
quantitative measures.
26. Choice (d) is the correct answer. Audit managers have the experience to make such
judgments. Group consensus tends to eliminate the extreme judgments that might occur with a
single evaluator and would be an acceptable method (IIA Standard 2010 Planning and IIA
Standard 2120 Risk Management). Choice (a) is incorrect. Risk analysis should consider all
appropriate factors and need not be limited to quantitative or expected value calculations. Choice
(b) is incorrect. High, medium, and low may be the most precise measures available for the audit
department and would therefore be acceptable assessments for the risk analysis process. Choice
(c) is incorrect. Subjective analysis is acceptable. It would be difficult to use multiple regression
analysis to obtain a weighted average for the risk weighting model because no criterion value
exists to determine the weightings.
27. Choice (c) is the correct answer. This would be the preferred response and should enable the
auditor to develop an optimum plan to cover the maximum amount of risk with the more limited
resources (IIA Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice (a)
is incorrect. Cutting all jobs by 10% does not necessarily mean that the risks addressed will drop
by 10%. The auditor should re-prioritize the audit schedule to ensure the optimum coverage of
risk with the more limited resources. Choice (b) is incorrect. A uniform 10% reduction in audit
procedures or audit scope may result in gathering insufficient evidence across a number of audit
areas. The managers should consider cutting the scope of each audit to better address the major
risks in the auditable unit. Choice (d) is incorrect because only choice (c) is correct.
28. Choice (d) is the correct answer. In assessing the magnitude of risk associated with any factor
in a risk model, informed judgment by the auditor is required (IIA Standard 2010 Planning and

IIA Standard 2120 Risk Management). Choice (a) is incorrect. The informed judgment of the
internal auditor is still required to assess the magnitude of risk posed by previous audit results.
Choice (b) is incorrect. To assess the risk posed by management concerns, informed judgment
of the internal auditor is required. Choice (c) is incorrect. Standards do not specify the basic
input risk analyses.
29. Choice (b) is the correct answer. This does not involve risk associated with potential auditees
(IIA Standard 2010 Planning and IIA Standard 2120 Risk Management). Choice (a) is
incorrect because these are the factors that should definitely be considered. Choices (c) and (d)
are incorrect because they should be considered.
30. Choice (c) is the correct answer. Factors 1, 5, and 6 can all be quantified into values, which
can be measured into materiality (IIA Standard 2010 Planning and IIA Standard 2120 Risk
Management). Choice (a) is incorrect. Although all items are used to define audit risk, not all
factors are used to define materiality of audit risk. Choice (b) is incorrect. Factors 2 and 4 cannot
be quantified into materiality. Choice (d) is incorrect. Factors 3 and 4 cannot be quantified into
materiality.
31. Choice (c) is the correct answer. This invariably involves high risk (IIA Standard 2010
Planning and IIA Standard 2120 Risk Management). Choice (a) is incorrect because it is a
normal procedure; purchasing only reviews the specifications. Choice (b) is incorrect because it
is a normal procedure for high use items. Choice (d) is incorrect. An approved vendor list is often
maintained as a control factor to help ensure that purchases are made only from reliable vendors.
However, rotation is not usually appropriate.
32. Choice (a) is the correct answer. Claims analysis is an appropriate inclusion since it enables
identification of the importance of the two key factors (equipment in use and time spent by
employees at such equipment) in leading to claims (IIA Standard 2010 Planning and IIA
Standard 2120 Risk Management). Choice (b) is incorrect. This procedure fails to identify
exposure to risks; it only supports claims paid by the carrier under the workmen's compensation
policies. Choice (c) is incorrect. Documentation supporting purchases of personal computers
cannot customarily be expected to address risk assessments. Choice (d) is incorrect. This data
fails to indicate the risks associated with extent of usage and with type of equipment.