Chapter 1

1.Which of the following are components of the definition of internal auditing?

d. All of the above.

 2.Assurance, Insight, and Objectivity comprise:

d. The value proposition.

 3.Independent outside auditors provide financial reporting assurance services primarily for:
a. The benefit of third parties.

 4.AVF Company’s new CFO has asked the company’s CAE to meet with him to discuss the
role of the internal audit function. The CAE should inform the CFO that the overall
responsibility of internal audit is to:
a. Serve as an independent assurance and consulting activity designed to add value and improve
the company’s operations.

 5.Which of the following statements is not true about business objectives?

d. Business objectives are management’s means of employing resources and assigning
responsibilities.

 6.Within the context of internal auditing, assurance services are best defined as:
a. Objective examinations of evidence for the purpose of providing independent assessments.

 7.Which of the following is mandatory guidance within the IPPF?

d. The core principles.

 8.Which of the following is recommended guidance within the IPPF?

c. Supplemental guidance.

 9.The Internal Audit Foundation exists to help audit leaders, practitioners, students, and
academics experience continuous growth in their careers to propel them to become:
b. Trusted advisors.

10. Which of the following is one of the 5 Cs essential to success as an internal auditor?
a. Courage.

11. Which of the following is a framework that can help individual internal auditors and
internal audit functions assess their current competency levels and identify areas for
improvement?
c. The Global Internal Auditor Competency Framework.

12. Internal auditors must have competent interpersonal skills. Which of the following does
not represent an attribute of interpersonal skills?
c. Project management.
13. While planning an internal audit, the internal auditor obtains knowledge about the
auditee to, among other things:
b. Develop an understanding of the auditee’s objectives and risks.

14. Which of the following is the premier certification sponsored by The IIA?
b. Certified Internal Auditor.

15. Which of the following is the ultimate position of a career internal auditor?
d. CAE.

Chapter 3
 1.Which of the following is not an appropriate governance role for an organization’s board
of directors?
c. Providing assurance directly to third parties that the organization’s governance processes are
effective.

 2.Which of the following are typically governance responsibilities of senior management?

I.   Delegating its tolerance levels to risk managers.
II.  Monitoring day-to-day performance of specific risk management activities.
III. Establishing a governance committee of the board.
IV. Ensuring that sufficient information is gathered to support reporting to the board.
a. I and IV.
 3.ABC utility company sells electricity to residential customers and is a member of an
industry association that provides guidance to electric utilities, lobbies on behalf of the
industry, and facilitates sharing among its members. From ABC’s perspective, what type of
stakeholder is this industry association?
c. Influences the company.

 4.Who is responsible for establishing the strategic objectives of an organization?

b. Senior management.

 5.Who is ultimately responsible for identifying new or emerging key risk areas that should
be covered by the organization’s governance process?
b. Senior management.

 6.The internal audit function should not:

c. Oversee the organization’s governance and risk management processes.

 7.Which of the following would not be considered a first line of defense in the Three Lines
of Defense model?
a. A divisional controller conducts a peer review of compliance with financial control standards.

 8.Which of the following would be considered a first line of defense in the Three Lines of
Defense model?
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued
by the required payment date.

 9.Which of the following would be considered a second line of defense in the Three Lines of
Defense model?
b. A divisional compliance and ethics officer conducting a review of employee training records to
ensure that all marketing and sales staff have completed the required FCPA training.

10. Companies in industries that are heavily regulated may be subject to audits by the
regulator’s auditors. While not specifically covered in the Three Lines of Defense model, such
auditors would most likely be considered:
c. Part of the third line of defense.
11. Which of the following is not a role of the internal audit function in best practice
governance activities?
b. Ensure the timely implementation of audit recommendations.

12. Which of the following statements regarding corporate governance is not correct?
d. The internal audit function of a company has more responsibility than the board for the
company’s corporate governance.

13. What types of business events tend to drive new legislation and guidance?
b. Fraud or other corporate wrongdoing.

14. Which of the following represents the best governance structure?

Operating Management Executive Management Internal Auditing
a. Responsibility for risk Oversight role Advisory role

Chapter 4
 1.According to COSO ERM, which of the following is not an inherent challenge that arises as
part of establishing strategy and business objectives?
a. Ensuring culture is clearly articulated by the board.

 2.Which of the following external events will most likely impact a defense contractor that
relies on large government contracts for its success?
c. Political event.

 3.Which of the following is not an example of a risk-sharing strategy?

b. Selling a nonstrategic business unit.

 4.An organization tracks a website hosting anonymous blogs about its industry. Recently,
anonymous posts have focused on potential legislation that could have a dramatic effect on
this industry. Which of the following may create the greatest risk if this organization makes
business decisions based on the information contained on this website?
d. Accuracy and reliability of the information.
 5.Which of the following risk management activities is out of sequence in terms of timing?
c. Determine key organizational objectives.

 6.Who is responsible for implementing ERM?

d. Management throughout the organization.

 7.Which of the following is not a potential value driver for implementing ERM?
a. Financial results will improve in the short run.

 8.Which of the following is the best reason for the CAE to consider the organization’s
strategic plan in developing the annual internal audit plan?
d. To ensure that the internal audit plan supports the overall business objectives.

 9.When senior management accepts a level of residual risk that the CAE believes is
unacceptable to the organization, the CAE should:
c. Discuss the matter with knowledgeable members of senior management and, if not resolved,
take it to the audit committee.

10. The CAE is asked to lead the enterprise risk assessment as part of an organization’s
implementation of ERM. Which of the following would not be relevant with respect to
protecting the internal audit function’s independence and the objectivity of its internal
auditors?
d. The internal audit function obtains assistance from an outside consultant in the conduct of the
formal risk assessment session.

11. An internal audit engagement was included in the approved internal audit plan. This is
considered a moderately high-risk audit based on the internal audit function’s risk model. It
is currently on a two-year audit cycle. Which of the following will likely have the greatest
impact on the scope and approach of the internal audit engagement?
c. A new system was implemented during the year, which changed how the transactions are
processed.

12. When assessing the risk associated with an activity, an internal auditor should:
b. Provide assurance on the management of the risk.
13. One of the challenges of ERM in an organization that has a centralized structure is that:
a. It may be difficult to raise awareness of the impact of work actions on other employees or
work areas.

14. The function of the chief risk officer is most effective when he or she:
d. Monitors risk as part of the ERM team.

15. Enterprise risk management:

c. Involves the identification of events with negative impacts on business objectives.
 Chapter 6

 1.Which of the following best describes an internal auditor’s purpose in reviewing the
organization’s existing governance, risk management, and control processes?
c. To provide reasonable assurance that the processes will enable the organization’s objectives
and goals to be met efficiently and economically.

 2.What is residual risk?

c. Risk that is not managed.

 3.The requirement that purchases be made from suppliers on an approved vendor list is an
example of a:
a. Preventive control.

 4.An effective system of internal controls is most likely to detect a fraud perpetrated by a:
b. Single employee.

 5.The control that would most likely ensure that payroll checks are written only for
authorized amounts is to:
c. Require supervisory approval of employee time cards.

 6.An internal auditor plans to conduct an audit of the adequacy of controls over
investments in new financial instruments. Which of the following would not be required as
part of such an engagement?
c. Determine whether the treasurer is getting higher or lower rates of return on investments than
treasurers in comparable organizations.

 7.Appropriate internal control for a multinational corporation’s branch office that has a
department responsible for the transfer of money requires that:
a. The individual who initiates wire transfers does not reconcile the bank statement.

 8.Who has primary responsibility for the monitoring component of internal control?
c. The organization’s management.

 9.Reasonable assurance, as it pertains to internal control, means that:

c. Inherent limitations of internal control preclude a system of internal control from providing
absolute assurance that objectives will be achieved.

10.Which of the following best exemplifies a control activity referred to as independent

verification?
a. Reconciliation of bank accounts by someone who does not handle cash or record cash
transactions.

11.The risk assessment component of internal control involves the:

c. Organization’s identification and analysis of the risks that threaten the achievement of its
objectives.

12.COSO’s Internal Control Framework consists of five internal control components and 17
principles for achieving effective internal control. Which of the following is/are (a)
principle(s)?

I.   The organization demonstrates a commitment to integrity and ethical values.

II.  Monitoring activities.
III. A level of assurance that is supported by generally accepted auditing procedures and
judgments.
IV. A body of guiding principles that form a template against which organizations can evaluate a
multitude of business practices.
V.  The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.

b. I and V only.

 13.When assessing the risk associated with an activity, an internal auditor should:
b. Provide assurance on the management of the risk.

 14.Determining that engagement objectives have been met is ultimately the responsibility
of the:
d. CAE.

 15.An adequate system of internal controls is most likely to detect an irregularity

perpetrated by a:
b. Single employee.

Chapter 8
1.Predication is a technical term that refers to:
b. The ability of a fraud examiner to commence an investigation if a form of evidence exists that
fraud has occurred.

 2.What fraud schemes were reported to be most common in the ACFE’s 2016 Report to the
Nations?
c. Misappropriation of assets by employees.

 3.Which of the following is not a typical “rationalization” of a fraud perpetrator?

d. I’m smarter than the rest of them.

 4.Which of the following is not something all levels of employees should do?
d. Investigate suspicious activities that they believe may be fraudulent.

 5.An organization that manufactures and sells computers is trying to boost sales between
now and the end of the year. It decides to offer its sales representatives a bonus based on
the number of units they deliver to customers before the end of the year. The price of all
computers is determined by the vice president of sales and cannot be changed by sales
representatives. Which of the following presents the greatest reason a sales representative
may commit fraud with this incentive program?
b. Customers have the right to return a laptop for up to 90 days after purchase.

 6.How should an organization handle an anonymous accusation from an employee that a

supervisor in the organization has manipulated time reports?
c. Assess the facts provided by the anonymous party against pre-established criteria to determine
whether a formal investigation is warranted.

 7.Which of the following is an example of misappropriation of assets?

a. A small amount of petty cash is stolen.

 8.Which of the following is not an example of a fraud prevention program element?

b. Exit interviews of departing employees.

 9.Which of the following types of companies would most likely need the strongest anti-
fraud controls?
c. A bank.

10.A payroll clerk increased the hourly pay rate of a friend and shared the resulting
overpayment with the friend. Which of the following controls would have best served to
prevent this fraud?
b. Limiting the ability to make changes in payroll system personnel information to authorized HR
department supervisors.

11. The internal audit function’s responsibilities with respect to fraud are limited to:
c. Being aware of fraud indicators, including those relating to financial reporting fraud, but not
necessarily possessing the expertise of a fraud investigation specialist.

12. From an organization’s standpoint, because internal auditors are seen to be “internal
control experts,” they also are:
b. The best resource for audit committees, management, and others to consult in-house when
setting up anti-fraud programs and controls, even if they may not have any fraud investigation
experience.

13. According to research in personality psychology, the three “dark triad personalities” do
not mention:
a. Sociopaths.

14. The 17 principles in the updated COSO 2013 Internal Control – Integrated Framework
include one devoted specifically to addressing fraud risk:
a. True.

15. The Cressey Fraud Triangle does not include, as one of its vertices:
d. Fraudster personality.

Chapter 10
1.Professional skepticism means that internal auditors beginning an assurance engagement
should:
c. Neither assume client personnel are honest nor assume they are dishonest.

 2.Which of the following statements regarding audit evidence would be the least
appropriate for an internal auditor to make?
b. “I do not perform procedures that provide persuasive evidence because I must obtain
convincing evidence.”

 3.Audit evidence is generally considered sufficient when:

b. There is enough of it to support well-founded conclusions.

 4.Documentary evidence is one of the principal types of corroborating information used by

an internal auditor. Which one of the following examples of documentary evidence generally
is considered the most reliable?
a. A vendor’s invoice obtained from the accounts payable department.

 5.An internal auditor must weigh the cost of an audit procedure against the persuasiveness
of the evidence to be gathered. Observation is one audit procedure that involves cost-
benefit tradeoffs. Which of the following statements regarding observation as an audit
procedure is/are correct?
I.Observation is limited because individuals may react differently when being watched.
II.Observation is more effective for testing completeness than it is for testing existence.
III. Observation provides evidence about whether certain controls are operating as designed.
c. I and III.

 6.Your audit objective is to determine that purchases of office supplies have been properly
authorized. If purchases of office supplies are made through the purchasing department,
which of the following procedures is most appropriate?
c. Inspect purchase requisitions for proper approval.

 7.A production manager of MSM Company ordered excessive raw materials and had them
delivered to a side business he operated. The manager falsified receiving reports and
approved the invoices for payment. Which of the following procedures would most likely
detect this fraud?
c. Perform ratio and trend analysis. Compare the cost of raw materials purchased with the cost of
goods produced.

 8.An internal auditor is concerned that fraud, in the form of payments to fictitious vendors,
may exist. Company purchasers, responsible for purchases of specific product lines, have
been granted the authority to approve expenditures up to $10,000. Which of the following
applications of generalized audit software would be most effective in addressing the
auditor’s concern?
c. List all major vendors by product line. Select a sample of major vendors and examine
supporting documentation for goods or services received.

 9.Which of the following most completely describes the appropriate content of internal
audit assurance engagement working papers?
c. Objectives, procedures, facts, conclusions, and recommendations.

10. Internal audit engagement teams prepare working papers primarily for the benefit of
the:
c. Board and senior management.

11. Which of the following represents the most competent evidence that trade receivables
actually exist?
b. Sales invoices.

12. Competent evidence is best defined as evidence that:

a. Is reasonably free from error and bias and faithfully represents that which it purports to
represent.

13. Workpaper summaries, if prepared, can be used to:

a. Promote efficient workpaper review by internal audit supervisors.

14. When using a rational decision-making process, the next step after defining the problem
is:
a. Developing alternative solutions.

15. An internal auditor gathered the following accounts receivable trend and ratio analysis
information:
Which of the following is the least reasonable explanation for the changes observed by the
auditor?
b. The effectiveness of credit and collection procedures deteriorated over the three-year period.

An organization's management perceives the need to make significant changes. Which of the
following factors is management least likely to be able to change?
C. The organization's environment
Lack of skills, threats to job status or security, and fear of failure all have been identified as
reasons that employees often
D. Resist organizational change

Organizational change must be considered in the light of potential employee resistance.

Resistance
A. May occur even though employees will benefit from the change

Audit committees have been identified as a major factor in promoting the independence of both
internal and external auditors. Which of the following is the most important limitation on the
effectiveness of audit committees?
A. Audit committees may be composed of independent directors. However, those directors
may have close personal and professional friendships with management

The audit committee strengthens the control processes of an organization by

C. Following up on recommendations made by the chief audit executive

An audit committee should be designed to enhance the independence of both the internal and
external auditing functions and to insulate these functions from undue management pressures.
Using the criterion, audit committees should be composed of
D. Only external members of the board of directors or its equivalent

An accounting associations established a code of ethics for all members. What is one of the
association's primary purposes of establishing the code of ethics?
A. To outline criteria for professional behavior to maintain standards of integrity and objectivity

The best reason for establishing a code of conduct within an organization is that such codes
B. Express standards of individual behavior for members of the organization

The code of ethics of a professional organization sets forth

A. Broad standards of conduct for the members of the organization

The purpose of the internal audit activity's evaluation of the effectiveness of existing risk
management processes is to determine that
B. Management directs processes so as to provide reasonable assurance of achieving objectives

Control by management is the result of

A. Planning, organizing, and directing of organizational activities

What is the most accurate term for the procedures used by the board to oversee activities
performed to achieve organizational objectives?
A. Governance
Who has primary responsibility for providing information to the board on the professional and
organizational benefits or coordinating internal audit activities with those of other providers of
similar services?
B. The chief audit executive

To improve their efficiency, internal auditors may rely upon the work of external auditors if it is
C. Coordinated with internal auditing work

Coordination of internal and external auditing can reduce the overall costs. Who is responsible for
actual coordination of internal and external auditing efforts?
A. The chief audit executive

The basic principle of governance is

A. Assessment of the governance process by an independent internal audit activity

The internal audit activity has a role in an organization's governance process. The internal audit
activity most directly contributes to this process by
D. Evaluating the design of ethics-related activities

Which of the following is most essential for guiding the internal audit staff?
D. Policies and procedures

Policies and procedures must be established to guide the internal audit activity. Which of the
following statements is false with respect to this requirement?
B. All internal audit activities must have a detailed policies and procedures manual

Written policies and procedures relative to managing the internal audit activity should
B. Give consideration to its structure and the complexity of the work performed

The purpose of the internal audit activity's evaluation of the effectiveness of existing risk
management processes is to determine that
B. Management directs processes so as to provide reasonable assurance of achieving objectives

Internal auditors should review the means of physically safeguarding assets from losses arising
from
C. Exposure to the elements

If an organization has no formal risk management processes, the chief audit executive should
D. Formally discuss with the directors their obligations for risk management processes

The most important reason for the chief audit executive to ensure that the internal audit
department has adequate and sufficient resources is to
B. Demonstrate sufficient capability to meet the audit plan requirements

The key factor in the success of an internal audit activity's human resources program is
C. A well-developed set of selection criteria
Directors, management, external auditors, and internal auditors all play important roles in creating
proper control processes. Senior management is primarily responsible for
A. Establishing and maintaining an organizational culture

A basic principle of governance is

A. Assessment of the governance process by an independent internal audit activity

The chief audit executive should develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity and continuously monitors its
effectiveness. All of the following are included in a quality program except
A. Annual appraisals of individual internal auditors' performance

As a part of a quality program, internal assessment teams most likely will examine which of the
following to evaluate the quality of engagement planning and documentation for individual
engagements?
A. Written engagement work programs

An external assessment of an internal audit activity contains an expressed opinion. The opinion
applies
D. To the entire spectrum of assurance and consulting work

The term "risk" is best defined as the possibility that

B. An event could occur affecting the achievement of objectives

Which of the following factors is least likely to be considered in determining the audit work
schedule?
A. Engagement work programs

A chief audit executive may use risk analysis in preparing work schedules. Which of the following
is not considered in performing a risk analysis?
B. Skills available on the internal audit staff

Risk modeling or risk analysis is often used in conjunction with development of long-range
engagement work schedules. The key input in the evaluation of risk is
D. Judgement of the internal auditors

Risk assessment is a systematic process for assessing and integrating professional judgments
about probable adverse conditions or events. Which of the following statements reflects the
appropriate action for the chief audit executive to take?
A. The CAE should generally assign engagement priorities to activities with higher risks

The chief audit executive for a retail merchandise sales organization is considering engagement
assignments for inclusion in the work schedule for the upcoming year. The following areas have
not been evaluated recently, and there are no known reasons that they should be given
immediate attention. If resources are scarce, which project should be given priority?
B. Cash management and credit policy

The chief audit executive of a manufacturer is updating the long-range engagement work
schedule. There are several possible assignments that can fill a given time spot. Information on
potential monetary exposure and key internal controls has been gathered. Based on perceived
risk, select the assignment of greatest merit.
A. Precious metals inventory -- carrying amount, US $1,000,000; separately stores, but access not
restricted

Which of the following audit risk components may be assessed in nonquantitative terms?
A. Control Risk Detection Risk Inherent Risk
Yes Yes Yes
On the basis of audit evidence gathered and evaluated, an auditor decides to increase the
assessed level of control risk from that originally planned. To achieve an overall audit risk level
that is substantially the same as the planned audit risk level, the auditor would
D. Decrease detection risk

Which of the following is the best source of a chief audit executive's information for planning
staffing requirements?
A. Discussions of internal audit needs with senior management and the board

The capabilities of individual staff members are key features in the effectiveness of an internal
audit activity. What is the primary consideration used when staffing an internal audit activity?
B. Job descriptions

By comparing job descriptions with the qualifications and duties of the individuals currently
holding those jobs, a manager can
B. Determine whether the organization is appropriately staffed

Which of the following items would not be an appropriate staffing issue?

B. Providing a competitive selection of employee benefits

When determining the number and experience level of an internal audit staff to be assigned to
an engagement, the chief audit executive should consider all of the following except the
D. Lapsed time since the last engagement

The requirements for staffing level, education and training, and research should be included in
C. The annual plan for the internal audit activity

In most organizations, the rapidly expanding scope of internal auditing responsibilities requires
continual training. What is the main purpose of such a training program?
D. To achieve both individual and organizational goal
In selecting an instructional strategy for developing internal audit staff, a chief audit executive
begins by reviewing
A. Organizational objectives

Which of the following is a necessary part of a program for selecting and developing internal
audit activity staff?
B. Developing a written job description for each level of the staff

Although all the current members of an internal audit activity have good records of performance,
the manager is not sure if any of the members are ready to assume a management role. Which
of the following is an advantage of bringing in an outsider rather than promoting from within?
A. Management training costs are reduced when a qualified outsider is hired

A chief audit executive's performance report should

D. Compare engagements completed with engagements planned

An annual summary report of completed engagement work submitted to senior management and
the board by the chief audit executive should
C. Describe the extent to which the internal audit activity has completed it approved audit plan

Which internal audit planning tool is general in nature and is used to ensure adequate
engagement coverage over time?
A. The audit plan

Which of the following is an appropriate responsibility of the board?

B. Reviewing the internal audit activity's engagement work schedule submitted by the chief audit
executive

Who reviews and approves a summary of the internal audit plan?

A. Senior management and the board

As the chief audit executive, you have determined that the acquisition of some expensive, state-
of-the-art software for paperless working paper files will be useful. Identify the preferred method
for presenting your request to senior management.
A. The effect of not obtaining the software

Internal auditing is an assurance and consulting activity. An example of an assurance service is a

Compliance engagement

What is the most accurate term for the procedure used by the board to oversee activities
performed to achieve organizational objectives?
Governance
Which of the following potentially are subject to the internal auditors evaluations?
The human resource function
The purchasing process
The manufacturing and production database system

A basic principle of governance is

Assessment of the governance process by an independent internal audit activity

Which of the following is most essential for guiding the internal audit staff?
Policies and procedures

The key factor in the success of an internal audit activity's human resources program is
A well-developed set of selection criteria

Written policies and procedures relative to managing the internal audit activity should
Give consideration to its structure and the complexity of the work performed

The audit committee straightens the control processes of an organization by

Following up on recommendations made by the chief audit executive

An audit committee should be designed to enhance the independence of both the internal and
external auditing functions and to insulate these functions from undue managements pressures.
Using this criterion, audit committees should be composed of
Only external members of the board of directors or its equivalent

Audit committees have been identified as a major factor in promoting independence of both
internal and external auditors. Which of the following is the most important limitation on the
effectiveness of audit committees?
Audit committees may be composed of independent directors. However, those director may have
close personal and professional friendships with management

Johnny Hagert, CAE, is determining the sufficiency of his resource allocation. Mr. Hagert must
consider all the following except
The audit universe

Gator financial service is considering outsourcing its internal audit activity. Gator financial service..

Can outsource the services as long as Gator continues to have the responsibility for maintaining
an effective internal audit activity

When determining the number and experience level of an internal audit staff to be assigned to
an engagement, the CAE should consider which of the following
Complexity and the engagement
Available internal audit activity resources

Which of the following parties is primarily responsible for resource management in an internal
audit engagement?
The CAE

Internal audit resources should be appropriate, sufficient, and effectively deployed. Consequently,
The chief audit executive should perform a periodic skill assessment

Exchange of engagement communications and management letters by internal and external

auditors is
Consistent with the coordination responsibilities of the chief audit executive

Coordination of internal auditing can reduce overall costs. Who is responsible for actual
coordination of internal and external auditing efforts?
The CAE

Which of the following are responsibilities of the CAE?

Coordinating activities with other providers of assurance and consulting services
Understanding the work of external auditors
Providing sufficient information to the external auditors to permit them to understand the
internal auditors work

Which of the following is responsible for coordination of internal and external audit work?
The CAE

Coordinating internal and external audit activity can increase efficiency by using which of the
following?
Similar techniques
Similar methods
Similar terminology

For which situation should the internal auditor consider communicating sensitive information
outside the organization's governance structure?

A. The internal auditor believes the corporation does not have the resources to address the
problem efficiently.
B. Action by management may take longer than the internal auditor believes is necessary to
correct the problem.
C. An outside agency may be able to help the corporation correct the problem faster than the
corporation could on its own.
D. The internal auditor believes that the problem will not be properly investigated by
management.
D. The internal auditor believes that the problem will not be properly investigated by
management.
Which of the following should not be one of the primary reasons why an internal auditor may
communicate sensitive information outside the normal chain of command?

A. The internal auditor does not agree with how the board or directors or management may
correct the problem.
B. The desire to stop the wrongful, harmful, or improper activity.
C. A professional obligation requires disclosure of the activity to an outside party.
D. Legal advice indicates that the internal auditor should disclose the sensitive information to an
outside party.
A. The internal auditor does not agree with how the board or directors or management may
correct the problem.

For which situation should the internal auditor consider communicating sensitive information
outside the organization's governance structure?

A. The internal auditor believes the corporation does not have the resources to address the
problem efficiently.
B. Action by management may take longer than the internal auditor believes is necessary to
correct the problem.
C. An outside agency may be able to help the corporation correct the problem faster than the
corporation could on its own.
D. The internal auditor believes that the problem will not be properly investigated by
management.
D. The internal auditor believes that the problem will not be properly investigated by
management.
Which of the following should not be one of the primary reasons why an internal auditor may
communicate sensitive information outside the normal chain of command?

A. The internal auditor does not agree with how the board or directors or management may
correct the problem.
B. The desire to stop the wrongful, harmful, or improper activity.
C. A professional obligation requires disclosure of the activity to an outside party.
D. Legal advice indicates that the internal auditor should disclose the sensitive information to an
outside party.
A. The internal auditor does not agree with how the board or directors or management may
correct the problem.