Part 1 Unit 3 Answer Key


PART-1 UNIT 3

1.The role of the internal audit activity in the ethical culture of an organization is to

A.Avoid active support of the ethical culture because of possible loss of independence.
B.Evaluate the effectiveness of the organization’s formal code of conduct.
C.Assume accountability for the effectiveness of the governance process.
D.Become the chief ethics officer.

Answer (B) is correct.


The internal audit activity periodically assesses the elements of the ethical climate of the organization
and its effectiveness in achieving legal and ethical compliance. Internal auditors therefore evaluate the
effectiveness of, among other things, a formal code of conduct and related statements and policies.

A.Internal auditors must be active ethics advocates. However, assuming the role of, for example, chief
ethics officer may, in some circumstances, impair individual objectivity and the internal audit activity’s
independence.
C.The organization’s board and its senior management are responsible for the effectiveness of the
governance process.
D.The internal auditor’s basic role is to be the assessor of the ethical culture. However, an internal
auditor may become chief ethics officer or a member of an ethics council, although the first role may,
in some circumstances, impair individual objectivity and the internal audit activity’s independence.

2.The internal audit activity most directly contributes to an organization’s governance process by

A.Identifying significant exposures to risk.


B.Evaluating the effectiveness of internal control over financial reporting.
C.Promoting continuous improvement of controls.
D.Evaluating the design of ethics-related activities.

Answer (D) is correct.


Performance Standard 2110 states, “The internal audit activity must assess and make appropriate
recommendations to improve the organization’s governance processes for:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Communicating risk and control information to appropriate areas of the organization.
• Coordinating the activities of, and communicating information among, the board, external and
internal auditors, other assurance providers, and management.”
Thus, in an assurance engagement, the internal audit activity must evaluate the design, implementation,
and effectiveness of the organization’s ethics-related objectives, programs, and activities.

A.Identifying significant exposures to risk most directly relates to risk management rather than to
governance.
B.Evaluating the effectiveness of internal control over financial reporting more directly relates to risk
management rather than to governance.
C.Promoting continuous improvement of controls relates to controls rather than to governance.

3.Which of the following correctly classifies the corporate governance functions as internal or
external?

  Internal                     External
A.Corporate charter            Bylaws
B.Laws                         Board of directors
C.Internal audit function      Corporate charter
D.Bylaws                       Government regulation

Answer (D) is correct.

Bylaws are an example of internal corporate governance, and laws, regulations, and the government
regulators who enforce them are examples of external governance.

A.Bylaws are an example of internal corporate governance.


B.Laws provide external corporate governance, and a board of directors provides internal corporate
governance.
C.A corporate charter is an example of internal corporate governance.

4.Which of the following is a false statement about the role of internal auditors in an organization’s
ethical culture?

A.Roles may include chief ethics officer.


B.The role of chief ethics officer sometimes conflicts with the independence of the internal audit
activity.
C.In a more mature system, the internal audit activity emphasizes compliance.
D.In a more mature governance system, the internal audit activity’s emphasis is on optimizing structure
and practices.

Answer (C) is correct.


The role of the internal audit activity depends on the maturity of the governance system. In a less
mature system, the internal audit activity emphasizes compliance with policies, procedures, laws, etc. It
also addresses the basic risks to the organization.

A.Internal auditors’ roles may include chief ethics officer.


B.In some circumstances, the role of chief ethics officer may conflict with the independence attribute
of the internal audit activity.
D.In a more mature governance system, the internal audit activity’s emphasis is on optimizing structure
and practices.

5.Senior management is primarily responsible for

A.Implementing and monitoring controls designed by the board of directors.


B.Ensuring that external auditors oversee risk management and control processes.
C.Evaluating the controls over the reliability and integrity of financial and operational information.
D.Determining who will be risk owners.

Answer (D) is correct.


Senior management determines (1) where specific risks are to be managed, (2) who will be risk owners
(managers responsible for specific day-to-day risks), and (3) how specific risks will be managed.

A.The board has oversight responsibilities but ordinarily does not become involved in the details of
operations.
B.Management ensures that sound risk management processes are in place and are adequate and
effective.
C.Internal auditors are responsible for evaluating the adequacy and effectiveness of controls, including
those relating to the reliability and integrity of financial and operational information.

6.Ensuring effective organizational performance management and accountability is most directly the
proper function of

A.Control.
B.Governance.
C.Risk management.
D.A quality assurance program.

Answer (B) is correct.


Organizational performance is measured by achieving objectives. The IIA Glossary defines governance
as the combination of processes and structures implemented by the board to inform, direct, manage,
and monitor the activities of the organization toward the achievement of its objectives. Thus, ensuring
effective organizational performance management and accountability is most directly the proper
function of governance.

A.Governance (not control) is directly responsible for ensuring effective organizational performance
management and accountability.
C.Governance (not risk management) is directly responsible for ensuring effective organizational
performance management and accountability.
D.A quality assurance program normally is implemented for an organizational unit, e.g., the internal
audit activity.

7.Which of the following is not a goal of corporate governance?

A.Complying with society’s legal and regulatory rules.


B.Providing an overall benefit to society.
C.Reporting fully and truthfully to stakeholders.
D.Maximizing executive compensation.

Answer (D) is correct.


Governance practices may use various legal forms, structures, strategies, and procedures. They ensure
that the organization (1) complies with society’s legal and regulatory rules; (2) satisfies the generally
accepted business norms, ethical principles, and social expectations of society; (3) provides overall
benefit to society and enhances the interests of the specific stakeholders in both the long- and short-
term; and (4) reports fully and truthfully to its stakeholders, including the public, to ensure
accountability for its decisions, actions, and performances. But maximizing executive compensation is
not a goal of corporate governance.

A.Ensuring compliance with society’s legal and regulatory rules is a goal of corporate governance.
B.Providing an overall benefit to society is a goal of corporate governance.
C.Reporting fully and truthfully to stakeholders is a goal of corporate governance.

8.Which of the following is most likely an internal audit role in a less structured governance process?

A.Designing specific governance processes.


B.Playing a consulting role in optimizing governance practices and structure.
C.Providing advice about basic risks to the organization.
D.Evaluating the effectiveness of specific governance processes.

Answer (C) is correct.


A less mature governance system will emphasize the requirements for compliance with policies,
procedures, plans, laws, regulations, and contracts. It will also address the basic risks to the
organization. Thus, the internal audit activity will provide advice about such matters. As the
governance process becomes more structured, the internal audit activity’s emphasis will shift to
optimizing the governance structure and practices.

A.Internal auditors impair their objectivity by designing processes. However, evaluating the design and
effectiveness of specific processes is a typical internal audit role.
B.Playing a consulting role in optimizing governance practices and structure is typical of a more
structured internal auditing governance maturity model. The emphasis shifts to considering best
practices and adapting them to the specific organization.
D.Evaluating the effectiveness of specific governance processes is typical of a more structured internal
auditing governance maturity model.

9.Which of the following is a situation in which an internal auditor’s role of chief ethics officer
conflicts with the independence attribute of the internal audit activity?

A.The chief ethics officer requests that the internal auditors assess whether the organization as a whole
is not complying with the organization’s code of conduct.
B.The chief ethics officer informs the board of recommendations made by the internal audit activity
regarding the organization’s compliance with the code of conduct.
C.The chief ethics officer proposes and implements a new whistleblower program for the organization.
D.The internal audit activity informs the chief ethics officer that the organization is in compliance with
all laws and regulations.

Answer (C) is correct.


Proposing and implementing a new whistleblower program conflicts with the independence attribute of
the internal audit activity. Implementation is a management function and is therefore inconsistent with
the organizational independence of the internal audit activity.

A.Independence is not impaired when the chief ethics officer requests that the internal auditors assess
whether the organization as a whole is not complying with the organization’s code of conduct.
B.Independence is not impaired when the chief ethics officer informs the board of recommendations
made by the internal audit activity regarding the organization’s compliance with the code of conduct.
D.Independence is not impaired when the internal audit activity informs the chief ethics officer that the
organization is in compliance with all laws and regulations.

10.The role of the internal audit activity in the ethical culture of an organization is to

A.Assess its effectiveness in achieving legal compliance.


B.Avoid involvement in the ethical culture because of loss of objectivity.
C.Become a member of an ethics council.
D.Assume responsibility for the governance process.

Answer (A) is correct.


The internal audit activity periodically assesses the elements of the ethical climate of the organization
and its effectiveness in achieving legal and ethical compliance. Internal auditors therefore evaluate the
effectiveness of, among other things, a formal code of conduct and related statements and policies.

B.Internal auditors must be active ethics advocates. However, assuming the role of, for example, chief
ethics officer may, in some circumstances, impair individual objectivity and the internal audit activity’s
independence.
C.The internal auditor’s basic role is to be the assessor of the ethical culture. However, an internal
auditor may become chief ethics officer or a member of an ethics council, although the first role may,
in some circumstances, impair individual objectivity and the internal audit activity’s independence.
D.The organization’s board and its senior management are responsible for the effectiveness of the
governance process.

11.Which of the following correctly classifies governance functions as internal or external?

  Internal                     External
A.Internal audit function      Government regulation
B.Senior management            Corporate charter
C.Privacy laws                 External auditors
D.Corporate charter            Ethical culture

Answer (A) is correct.


The internal audit function is an example of internal corporate governance, and laws, regulations, and
the government regulators who enforce them are examples of external governance.

B.A corporate charter is an example of internal corporate governance.


C.Laws provide external corporate governance, and a board of directors provides internal corporate
governance.
D.An ethical culture is an example of internal corporate governance.

12.Governance should help ensure that the objectives of an entity’s stakeholders are met. Stakeholders
include
1.Employees
2.Regulators
3.Suppliers
4.Customers
A.1 and 4 only.
B.2 and 3 only.
C.2, 3, and 4 only.
D.1, 2, 3, and 4.

Answer (D) is correct.


Stakeholders are persons or entities who are affected by the activities of the entity. Among others, these
include (1) shareholders, (2) employees, (3) suppliers, (4) customers, (5) neighbors of the entity’s
facilities, and (6) government regulators.

A.Regulators and suppliers are stakeholders.


B.Employees and customers are stakeholders.
C.Employees are stakeholders.

13.The internal and external auditors report directly to an audit committee composed of independent
directors. This practice is directly related to which of the following governance principles?
1. Effective use of internal and external auditors.
2. Effective interaction among the board, management, and assurance providers.
3. An organizational structure that supports accomplishing strategic objectives.
4. An organizational structure used to measure organizational and individual performance.

A.1 and 2 only.


B.2 and 3 only.
C.3 and 4 only.
D.1, 2, 3, and 4.

Answer (A) is correct.


Internal and external auditors should be used effectively to ensure (1) their independence, (2) the
adequacy of their resources and the scope of their activities, and (3) the effectiveness of operations.
Moreover, an entity should have an independent and objective board with sufficient expertise,
experience, authority, and resources to conduct independent inquiries.

B.An organizational structure that supports accomplishing strategic objectives is not directly related.
C.An organizational structure that supports accomplishing strategic objectives and an organizational
structure used to measure organizational and individual performance are not directly related.
D.An organizational structure that supports accomplishing strategic objectives and an organizational
structure used to measure organizational and individual performance are not directly related.

14.Which of the following should be stated in an organization’s code of conduct?


1.The organization’s values and objectives
2.The behavior expected
3.The strategies for maintaining a culture inconsistent with legal, ethical, and societal responsibilities

A.1 and 2 only.


B.1 and 3 only.
C.2 and 3 only.
D.1, 2, and 3.

Answer (A) is correct.


Codes of conduct and vision statements are issued to state
• The organization’s values and objectives;
• The behavior expected; and
• The strategies for maintaining a culture consistent with legal, ethical, and societal responsibilities.

B.The code of conduct and vision statements should state the strategies for maintaining a culture
consistent, not inconsistent, with legal, ethical, and societal responsibilities. Additionally, the behavior
expected should be stated.
C.The code of conduct and vision statements should state the strategies for maintaining a culture
consistent, not inconsistent, with legal, ethical, and societal responsibilities. Additionally, the
organization’s values and objectives should be stated.
D.The code of conduct and vision statements should state the strategies for maintaining a culture
consistent, not inconsistent, with legal, ethical, and societal responsibilities.

15.Directors, management, external auditors, and internal auditors all play important roles in creating
proper control processes. Senior management is primarily responsible for

A.Establishing and maintaining an organizational culture.


B.Reviewing the reliability and integrity of financial and operational information.
C.Ensuring that external and internal auditors oversee the administration of the system of risk
management and control processes.
D.Implementing and monitoring controls designed by the board of directors.

Answer (A) is correct.


Management plans, organizes, and directs the performance of sufficient actions to provide reasonable
assurance that goals and objectives will be achieved. Management periodically reviews its objectives
and goals and modifies its processes to accommodate changes in internal and external conditions.
Management also establishes and maintains an organizational culture, including an ethical climate that
fosters control.

B.Internal auditors are responsible for evaluating the adequacy and effectiveness of controls, including
those relating to the reliability and integrity of financial and operational information.
C.Senior management’s role is to oversee the establishment, administration, and assessment of the
system of risk management and control processes.
D.The board has oversight responsibilities but ordinarily does not become involved in the details of
operations.

16.Which of the following statements regarding corporate governance is not correct?

A.Corporate control mechanisms include internal and external mechanisms.


B.The compensation scheme for management is part of the corporate control mechanisms.
C.The dilution of shareholders’ wealth resulting from employee stock options or employee stock
bonuses is an accounting issue rather than a corporate governance issue.
D.The internal auditor of a company has more responsibility than the board for the company’s
corporate governance.

Answer (D) is correct.


Governance is the responsibility of the board. Internal audit’s responsibility is to assess governance
processes and make appropriate recommendations for improvement.

A.Corporate control mechanisms include both internal (e.g., internal auditing) and external (e.g.,
external auditing) mechanisms.
B.Management’s compensation scheme is part of the control environment, specifically, the human
resource element.
C.The dilution of shareholders’ wealth resulting from employee stock options or employee stock
bonuses is an accounting issue. Governance is “the combination of processes and structures
implemented by the board to inform, direct, manage, and monitor the activities of the organization
toward the achievement of its objectives” (The IIA Glossary).

17.Which of the following statements about organizational governance is true?

A.The internal auditor has more responsibility than the board for organizational governance.
B.Governance functions are internal but not external.
C.The compensation of management is a governance process.
D.The dilution of shareholders’ wealth from stock options or bonuses is a governance issue.

Answer (C) is correct.


Management’s compensation is part of the control environment, specifically, the human resource
element. Governance applies to all organizational activities, including risk management and control.
A.Governance is the responsibility of the board. Internal audit’s responsibility is to assess governance
processes and make appropriate recommendations for improvement.
B.Governance functions are internal (e.g., internal auditing) and external (e.g., external auditing).
D.The dilution of shareholders’ wealth resulting from stock options or bonuses is an accounting issue.
Governance is “the combination of processes and structures implemented by the board to inform,
direct, manage, and monitor the activities of the organization toward the achievement of its objectives”
(The IIA Glossary).

18.Which of the following is a function of the internal audit activity in organizational governance?

A.Carrying out board directives to achieve organizational objectives.


B.Ensuring the timely implementation of audit recommendations.
C.Monitoring compliance with the code of conduct.
D.Establishing the definition of governance.

Answer (C) is correct.


The internal audit activity should monitor compliance with the organizational code of conduct set by
the board and management.

A.Management is responsible for carrying out board directives to achieve organizational objectives.
B.Management has the responsibility of ensuring the timely implementation of the audit
recommendations. The internal audit activity is responsible for the development of a timely procedure
to monitor the disposition of the audit recommendations.
D.The internal audit activity is responsible for working with the board and senior management to
determine the definition of governance.

19.A code of conduct was developed several years ago and distributed by a large financial institution to
all its officers and employees. What is the internal auditor’s best approach to providing the board with
the highest level of comfort about the code of conduct?

A.Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the
board.
B.Fully evaluate organizational practices for compliance with the code and report to the board.
C.Review employee activities for compliance with provisions of the code and report to the board.
D.Perform tests on various employee transactions to detect potential violations of the code of conduct.

Answer (A) is correct.


When evaluating a code of conduct, it is important to consider two items: comprehensiveness and
compliance. The code should address the ethical issues that the employees are expected to encounter
and provide suitable guidance. The internal auditor also must consider the extent to which employees
are complying with the standards established.

B.Evaluating practices and reporting to the board is not the best approach.
C.Reviewing employee activities does not provide as much comfort about the code of conduct as
evaluation of comprehensiveness.
D.Performing tests on employee transactions is not the best approach.

20.In an assurance engagement, what is the internal auditor’s responsibility for evaluating ethics-
related activities?

A.Evaluate their design, implementation, and effectiveness.


B.Evaluate only the design of ethics-related activities.
C.Review employee activities for compliance with provisions of the code.
D.Perform tests on various employee transactions.

Answer (A) is correct.


The internal audit activity must evaluate the design, implementation, and effectiveness of the
organization’s ethics-related objectives, programs, and activities.

B.Internal auditors must evaluate the design, implementation, and effectiveness of ethics-related
activities, objectives, and programs.
C.Internal auditors must evaluate the design, implementation, and effectiveness of ethics-related
activities, objectives, and programs.
D.Internal auditors must evaluate the design, implementation, and effectiveness of ethics-related
activities, objectives, and programs.

21.What are the major components of governance?


1. Strategic direction
2. Oversight
3. Regulations
4. Ethics

A.1 and 2 only.


B.1, 2, and 4 only.
C.3 and 4 only.
D.2 and 4 only.

Answer (A) is correct.


Strategic direction determines (1) the business model, (2) overall objectives, (3) the risk appetite, and
(4) the limits of organizational conduct. The elements of oversight are (1) the board’s responsibilities to
stakeholders, (2) the risk management activities of senior management and the board, and (3) internal
and external assurance activities.

B.Ethics is not a major component of governance.


C.Regulations and ethics are not major components of governance.
D.Ethics is not, and strategic direction is, a major component of governance.

22.What are the elements of the oversight component of governance?


1.The business model
2.Limits of organizational conduct
3.External assurance
4.Internal auditing

A.2 and 4 only.


B.3 and 4 only.
C.1, 2, and 4 only.
D.1, 2, 3, and 4.

Answer (B) is correct.


Strategic direction determines (1) the business model, (2) overall objectives, (3) the risk appetite, and
(4) the limits of organizational conduct. The elements of oversight are (1) the risk management
activities of senior management and the board and (2) internal and external assurance activities.

A.Strategic direction determines the limits of organizational conduct.


C.Strategic direction determines the business model and limits of organizational conduct.
D.The elements of oversight are external assurance and internal auditing.

23.Which of the following is a purpose of governance practices?

A.Enhancing the interests of specific stakeholders only in the short term.


B.Satisfying ethical principles but not society’s expectations.
C.Delegating organizational oversight to the internal audit activity.
D.Reporting fully and truthfully to the public.

Answer (D) is correct.


Governance practices may use various legal forms, structures, strategies, and procedures. They ensure
that the organization (1) complies with society’s legal and regulatory rules; (2) satisfies the generally
accepted business norms, ethical principles, and social expectations of society; (3) provides overall
benefit to society and enhances the interests of the specific stakeholders in both the long- and short
term; and (4) reports fully and truthfully to its stakeholders, including the public, to ensure
accountability for its decisions, actions, and performances.

A.The interests of specific stakeholders also should be enhanced in the long term.
B.The social expectations of society should be satisfied.
C.The board is responsible for overseeing the organization’s activities and cannot delegate this
responsibility to another function.

24.A corporation’s results met the expectations of the market, but many people in the organization
noticed that they were overly optimistic. Moreover, no one suggested that the results be changed. Who,
whether officially or informally, should have been an ethics advocate regarding the results?
1.Senior management
2.Internal auditors
3.Employees in the accounting department

A.1 only.
B.1 and 2 only.
C.1 and 3 only.
D.1, 2, and 3.

Answer (D) is correct.


Because decision making in most organizations is complex and dispersed, each individual should be an
ethics advocate, whether officially or informally. Thus, it is the responsibility of senior management,
the internal auditors, and the employees in the accounting department to be ethics advocates and
suggest that the results might not be accurate.

A.The internal auditors and employees in the accounting department also should have been ethics
advocates.
B.The employees in the accounting department also should have suggested that the results might not be
accurate.
C.The internal auditors also should have suggested that the results might not be accurate.

25.Which of the following is most likely an internal audit activity’s function in a less structured
governance process?

A.Evaluating the effectiveness of specific governance processes that are distinct from control.
B.Compliance with procedures, policies, and plans.
C.Acting as a consultant in optimizing governance practices.
D.Designing processes to address basic risks.

Answer (B) is correct.


A less mature governance system emphasizes the requirements for compliance with policies,
procedures, plans, laws, regulations, and contracts. It also addresses the basic risks to the organization.
Thus, the internal audit activity provides advice about such matters. As the governance process
becomes more structured, the internal audit activity’s emphasis will shift to optimizing the governance
structure and practices.

A.Evaluating the effectiveness of specific governance processes is typical of a more structured internal
auditing governance maturity model. Moreover, governance does not exist as processes distinct from
control and risk management.
C.Playing a consulting role in optimizing governance practices and structure is typical of a more
structured internal auditing governance maturity model. The emphasis shifts to considering best
practices and adapting them to the specific organization.
D.Internal auditors impair their objectivity by designing processes. However, evaluating the design and
effectiveness of specific processes is a typical internal audit role.

26.Which of the following is a situation in which an internal auditor’s role conflicts with the
independence attribute of the internal audit activity?
A.The internal audit activity recommends a new whistleblower program for the organization.
B.The internal audit activity informs the board that it has implemented an organization-wide employee
ethics program.
C.The board requests that the internal auditors assess whether the organization is complying with the
code of conduct.
D.The CEO informs the board of recommendations made by the internal audit activity regarding the
organization’s compliance with the code of conduct.

Answer (B) is correct.


The design and implementation of governance processes are the responsibility of the board and
management.

A.Recommending a new whistleblower program does not conflict with the independence attribute of
the internal audit activity. But design and implementation are management functions inconsistent with
the organizational independence of the internal audit activity.
C.The internal audit activity may assess governance processes.
D.The internal audit activity may recommend improvements in governance processes.

27.Careful Corp. always has its internal auditors review transactions between Careful Corp. and its
subsidiary, Risky Corp., to ensure that the transactions are carried out in a fair and transparent manner.
This practice is most closely related to which of the following governance principles?

A.Oversight of related party transactions and conflicts of interest.


B.Effective interaction among the board, management, and assurance providers.
C.An organizational structure that supports accomplishing strategic objectives.
D.An organizational structure used to measure organizational and individual performance.

Answer (A) is correct.


Careful Corp. and Risky Corp. are related (a parent and its subsidiary). Accordingly, having the
internal auditors review transactions between Careful and Risky is most closely related to the
governance principle of oversight of related party transactions and conflicts of interest.

B.Although this practice would involve effective interaction among the board, management, and
assurance providers, this practice is most closely related to another governance principle.
C.This practice will not necessarily support the organization in accomplishing strategic objectives.
D.This practice will not help measure organizational and individual performance.

28.Which of the following is consistent with a governance principle?

A.Members of the audit committee are executives of the entity.


B.The internal audit activity is organizationally independent.
C.The entity engages in undisclosed related party transactions.
D.A senior executive who can influence accounting policies receives stock options if earnings targets
are met.

Answer (B) is correct.


Internal and external auditors should be used effectively to ensure (1) their independence, (2) the
adequacy of their resources and the scope of their activities, and (3) the effectiveness of operations.

A.The board should be independent and objective.


C.The entity should oversee related party transactions.
D.Compensation policies should encourage appropriate behavior consistent with the entity’s values.

29.Which of the following statements regarding oversight as a component of governance is false?

A.Risk management activities are performed by senior management and risk owners.
B.Oversight includes internal and external assurance activities.
C.Oversight is the governance component with which internal auditing is most concerned.
D.Oversight determines the overall objectives.

Answer (D) is correct.

The elements of oversight are (1) the risk management activities of senior management and the board
and (2) internal and external assurance activities. Strategic direction determines (1) the business model,
(2) overall objectives, (3) the risk appetite, and (4) the limits of organizational conduct. Strategic
direction, not oversight, determines overall objectives.

A.The performance of risk management activities by senior management and risk owners is an element
of oversight.
B.Internal and external assurance activities are elements of oversight.
C.Oversight is the governance component with which internal auditing is most concerned. It is also the
component to which risk management and control activities are most likely to be applied.

30.Strategic direction includes

A.Risk management activities performed by risk owners.


B.External assurance activities.
C.The governance component with which internal auditing is most concerned.
D.The organization’s risk appetite.

Answer (D) is correct.


Strategic direction determines (1) the business model, (2) overall objectives, (3) the risk appetite, and
(4) the limits of organizational conduct. The elements of oversight are (1) the risk management
activities of senior management and the board and (2) internal and external assurance activities.

A.The performance of risk management activities by senior management and risk owners is an element
of oversight.
B.Internal and external assurance activities are elements of oversight.
C.Oversight is the governance component with which internal auditing is most concerned. It is also the
component to which risk management and control activities are most likely to be applied.

31.Which of the following are duties of risk committees?


1.Identifying key risks
2.Connecting risks to risk management processes
3.Delegating risks to risk owners
4.Considering whether tolerance levels delegated to risk owners are consistent with the organization’s
risk appetite.

A.1 and 2 only.


B.1 only.
C.2, 3, and 4 only.
D.1, 2, 3, and 4.

Answer (D) is correct.


A risk committee may be created that
• Identifies key risks,
• Connects them to risk management processes,
• Delegates them to risk owners, and
• Considers whether tolerance levels delegated to risk owners are consistent with the organization’s
  risk appetite.

A.Risk committees also delegate risks to risk owners and consider whether tolerance levels delegated
to risk owners are consistent with the organization’s risk appetite.
B.Risk committees also connect risks to risk management processes, delegate risks to risk owners, and
consider whether tolerance levels delegated to risk owners are consistent with the organization’s risk
appetite.
C.Risk committees also identify key risks.

32.Which of the following statements about organizational culture is false?


A.The organizational culture sets the values, objectives, and strategies of the organization.
B.Governance does not largely depend on organizational culture for effectiveness.
C.Organizational culture defines roles and behaviors.
D.The culture influences compliance with corporate social responsibilities.

Answer (B) is correct.


Governance practices reflect the organization’s unique culture and largely depend on it for
effectiveness.

A.The organizational culture does set the values, objectives, and strategies of the organization.
C.The organizational culture does define roles and behaviors.
D.Organizational culture is reflected in complying with corporate social responsibilities.

33.Which of the following most likely should be stated in an entity’s vision statement?

A.Personnel policies.
B.The strategic plan.
C.The strategy for maintaining a culture consistent with legal responsibilities.
D.Principles of internal control.

Answer (C) is correct.


Codes of conduct and vision statements are issued to state
• The organization’s values and objectives;
• The behavior expected; and
• The strategies for maintaining a culture consistent with legal, ethical, and societal responsibilities.

A.Personnel policies are operating matters not appropriate for a vision statement.
B.The strategic plan is developed after a vision (mission) statement is drafted.
D.A vision statement is a broad description of an entity’s mission, not a list of control principles.

34.Which of the following is considered a potential stakeholder of an entity?

A.Shareholders.
B.Employees.
C.Suppliers.
D.All of the answers are correct.

Answer (D) is correct.


Stakeholders are persons or entities who are affected by the activities of the entity. Among others, these
include shareholders, employees, suppliers, customers, neighbors of the entity’s facilities, and
government regulators.

A.Employees and suppliers are also stakeholders.


B.Shareholders and suppliers are also stakeholders.
C.Shareholders and employees are also stakeholders.

35.Which of the following most likely are considered potential stakeholders of an entity?

A.Close competitors.
B.Tax authorities.
C.Creditors of employees.
D.Neighbors of its facilities.

Answer (D) is correct.


Stakeholders are persons or entities who are affected by the activities of the entity. Among others, they
include (1) shareholders, (2) employees, (3) suppliers, (4) customers, (5) neighbors of the entity’s
facilities, and (6) government regulators.

A.Close competitors are less likely than neighbors of an entity’s facilities to be stakeholders.
B.Tax authorities are less likely than neighbors of an entity’s facilities to be stakeholders.
C.Creditors of employees are less likely than neighbors of an entity’s facilities to be stakeholders.

36.Attentive, Inc., has three managers: Albert, Bradley, and Chris.

• Albert is in charge of the accounting department. His duties involve the daily audit and producing
  the year-end financial statements.
• Bradley is in charge of production. His duties involve ensuring that production stays on schedule
  and that waste is minimized.
• Chris is in charge of support staff. His duties include ensuring that the workplace remains clean.

This practice is most closely related to which of the following governance principles?

A.Clear, enforced lines of responsibility and accountability.


B.An independent and objective board with sufficient expertise, experience, authority, and resources to
conduct independent inquiries.
C.Reinforcement of an ethical culture, including employee feedback without fear of retaliation.
D.Clear definition and implementation of risk management policies and processes.

Answer (A) is correct.


Albert, Bradley, and Chris are responsible for different departments. This practice is therefore most
closely related to the governance principle of clear, enforced lines of responsibility.

B.This practice does not demonstrate that there is an independent and objective board with sufficient
expertise, experience, authority, and resources to conduct independent inquiries.
C.This practice does not reinforce an ethical culture, including employee feedback without fear of
retaliation.
D.This practice does not facilitate a clear definition and implementation of risk management policies
and processes.

37.<List A> applies to all organizational activities. Thus, its processes provide overall direction for
<List B> activities. <List C> activities are a key element of risk management.

  List A            List B            List C

A.Governance        Risk management   Internal control
B.Risk management   Governance        Internal control
C.Internal control  Risk management   Governance
D.Risk management   Internal control  Governance

Answer (A) is correct.


Governance applies to all organizational activities. Thus, its processes provide overall direction for risk
management activities. Internal control activities are a key element of risk management. They
implement the organization’s risk management strategies.

B.Governance, not risk management, applies to all organizational activities.


C.Governance, not internal control, applies to all organizational activities.
D.Governance, not risk management, applies to all organizational activities. Additionally, internal
control activities, not governance activities, are a key element of risk management.

38.In the governance structure, risk owners

A.Are senior managers.


B.Are responsible for day-to-day operations.
C.Identify stakeholders and unacceptable outcomes.
D.Carry out board directives.

Answer (B) is correct.


Risk owners are managers responsible for specific day-to-day operations. Senior managers determine
who will be risk owners.

A.Senior managers determine who will be risk owners.


C.Directors identify stakeholders and unacceptable outcomes.
D.Senior managers carry out board directives.

39.The board as defined by The IIA

A.Ordinarily is a supervisory group appointed by senior managers.


B.May be the head of the organization.
C.Performs day-to-day governance functions.
D.Establishes reporting requirements for risk owners.

Answer (B) is correct.


The board is defined by The IIA as the highest governing body responsible for directing or overseeing
the activities and management of the organization. It ordinarily includes an independent group of
directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a
group does not exist, the board may be the head of the organization. The term also may refer to an audit
committee to which the governing body has delegated certain functions. Thus, the board is the source
of overall direction to, and the authority of, management. It also has the ultimate responsibility for
oversight.

A.The board ordinarily includes an independent group of directors.


C.Management performs day-to-day governance functions.
D.Senior management establishes reporting requirements for risk owners related to their risk
management activities.

40. The internal audit activity periodically assesses the elements of the ethical climate of the
organization and its effectiveness in achieving legal and ethical compliance. Internal auditors therefore
evaluate the effectiveness of which of the following?

1) Regular reviews of the processes that undermine the ethical culture


2) Confidential reporting of alleged misconduct
3) Personnel practices that encourage contributions by employees

A.1 and 2 only.


B.2 and 3 only.
C.1 and 3 only.
D.1, 2, and 3.

Answer (D) is correct.


The internal audit activity periodically assesses the elements of the ethical climate of the organization
and its effectiveness in achieving legal and ethical compliance. Internal auditors therefore evaluate the
effectiveness of regular reviews of the processes that undermine the ethical culture, confidential
reporting of alleged misconduct, and personnel practices that encourage contributions by employees.

A.The internal audit staff also evaluates the effectiveness of personnel practices that encourage
contributions by employees.
B.The internal auditors also evaluate the effectiveness of regular reviews of the processes that
undermine the ethical culture.
C.The internal auditors also evaluate the effectiveness of confidential reporting of alleged misconduct.

41.The internal audit activity’s evaluation of the ethical climate of the organization extends to
1. Evaluating the effectiveness of background checks
2. Defining roles and specifying accountability
3. Evaluating the effectiveness of declarations by suppliers about the requirements of ethical
behavior

A.1 and 2 only.


B.2 and 3 only.
C.1 and 3 only.
D.1, 2, and 3.

Answer (C) is correct.

The internal audit activity periodically assesses the elements of the ethical climate of the organization
and its effectiveness in achieving legal and ethical compliance. As part of this assessment, the internal
audit activity evaluates the effectiveness of background checks and of declarations by suppliers about
the requirements of ethical behavior. However, defining roles and specifying accountability are
management functions.

A.The internal audit staff also evaluates the effectiveness of declarations by suppliers about required
behavior.
B.The internal auditors also evaluate the effectiveness of background checks.
D.The internal auditors do not have the authority to define roles and specify accountability.

42.The board of directors of a corporation is not responsible for

A.Electing or removing directors.


B.Selecting and removing officers.
C.Coordinating audit activities.
D.Setting management compensation.

Answer (A) is correct.


The board of directors is responsible for (1) selecting and removing officers; (2) making decisions
about capital structure; (3) adding, amending, or repealing bylaws; (4) initiating fundamental changes;
(5) declaring and distributing dividends; (6) setting management compensation; (7) coordinating audit
activities; and (8) evaluating and managing risk. But shareholders can elect or remove directors at the
annual meeting.

B.The board is responsible for selecting and removing officers.


C.The board is responsible for coordinating audit activities.
D.The board is responsible for setting management compensation.

43.The board of directors’ primary responsibility regarding internal control is to

A.Identify stakeholders and the outcomes that are unacceptable.


B.Review the reliability and integrity of financial and operational information.
C.Establish a system of risk management.
D.Implement and monitor controls designed.

Answer (A) is correct.


The board acts on behalf of the entity’s stakeholders. Typically, the board discusses yearly
performance and expected outcomes at an annual shareholders’ meeting.

B.Internal auditors are responsible for evaluating the adequacy and effectiveness of controls, including
those relating to the reliability and integrity of financial and operational information.
C.Senior management’s role is to oversee the establishment, administration, and assessment of the
system of risk management and control processes.
D.The board has oversight responsibilities but ordinarily does not become involved in the details of
operations.

44.An organization’s code of conduct should address

A.The organization’s values, objectives, and adherence to legal responsibilities.


B.Internal controls and proper reporting guidelines.
C.The complexity of the organization and approach to risk-taking.
D.Areas of significant risk within the organization.

Answer (A) is correct.


When evaluating a code of conduct, an internal auditor should consider (1) comprehensiveness and (2)
compliance. The code should address the ethical issues that employees are expected to encounter and
provide suitable guidance.

B.A code of conduct does not establish internal control principles and standards.
C.The governance bodies in an organization determine the overall approach to risk-taking.
D.Management identifies the key risk areas within the organization. The internal auditor reviews these
decisions to evaluate risk management within the organization.

45.An organization’s code of conduct should

A.Establish monitoring activities.


B.Address expected behavior and societal responsibilities.
C.Specify key risks.
D.Measure performance.

Answer (B) is correct.


Codes of conduct and vision statements are issued to state the organization’s values and objectives; the
behavior expected; and the strategies for maintaining a culture consistent with legal, ethical, and
societal responsibilities.

A.A code of conduct does not establish monitoring activities.


C.Management identifies the key risks within the organization. The internal auditor reviews these
decisions to evaluate risk management within the organization.
D.A code of conduct states (1) values and objectives, (2) expected behavior, and (3) strategies for
maintaining an ethical culture.

46.Which of the following is least likely to influence corporate governance?

A.Government regulators.
B.Internal audit functions.
C.External service providers.
D.Corporate charters and bylaws.

Answer (C) is correct.


Corporate governance can be influenced by internal mechanisms (e.g., corporate charters and bylaws,
boards of directors, and internal audit functions) and by external mechanisms (e.g., laws, regulations,
and the government regulators who enforce them). As defined by The IIA Glossary, an external service
provider is a person or firm outside of the organization that has special knowledge, skill, and
experience in a particular discipline. Though external, an external service provider is least likely to
influence corporate governance. Instead, they are relied upon to supplement the internal audit function
when internal audit staff lack necessary knowledge, skill, or experience.

A.Corporate governance can be influenced by internal or external mechanisms. External mechanisms
include government regulators who influence corporate governance by enforcing laws and regulations.
B.Corporate governance can be influenced by internal or external mechanisms. Internal mechanisms
include internal audit functions, which influence corporate governance by evaluating and improving the
processes and structures that enable an organization to achieve its objectives.
D.Corporate governance can be influenced by internal or external mechanisms. Internal mechanisms
include corporate charters and bylaws, which influence corporate governance by establishing structures
and policies.

47.According to the Standards, governance is

A.A process to identify, assess, manage, and control potential events or situations to provide reasonable
assurance regarding the achievement of the organization’s objectives.
B.The combination of processes and structures implemented by the board to inform, direct, manage,
and monitor the activities of the organization toward the achievement of its objectives.
C.The leadership, organizational structures, and processes that ensure that the enterprise’s information
technology supports the organization’s strategies and objectives.
D.The highest level governing body charged with the responsibility to direct and/or oversee the
organization’s activities and hold senior management accountable.

Answer (B) is correct.

Governance is defined in the Standards as the “combination of processes and structures implemented
by the board to inform, direct, manage, and monitor the activities of the organization toward the
achievement of its objectives.”

A.This statement defines risk management according to the Standards.


C.This statement defines information technology governance according to the Standards.
D.The statement defines, in part, board according to the Standards.

48.Which of the following statements is correct regarding governance?

A.Governance models are most effective when the framework is modeled after publicly traded
companies’ processes or systems.
B.Governance involves a set of relationships between an organization’s management, board,
shareholders, and other stakeholders.
C.Governance is independent of organizational culture.
D.Governance exists as a distinct process and structure separate from risk management and control.

Answer (B) is correct.


The globally accepted definition of corporate governance given by the Organization for Economic Co-
operation and Development (OECD) states, “Corporate governance involves a set of relationships
between a company’s management, its board, its shareholders, and other stakeholders. Corporate
governance also provides the structure through which the objectives of the company are set, and the
means of attaining those objectives and monitoring performance are determined.”

A.Governance requirements vary by entity type and regulatory jurisdiction. The design and practice of
effective governance vary with the size and complexity of the organizations, along with the legal and
regulatory requirements of the jurisdiction.
C.Governance practices reflect the organization’s unique culture and largely depend on it for
effectiveness.
D.Governance does not exist independently of risk management and control. Rather, governance, risk
management, and control are closely related. Effective governance considers risk when setting strategy,
and risk management relies on effective governance. Additionally, effective governance relies on
controls and communication to the board on their effectiveness. Control and risk are also related as
controls manage risks.

49.Which of the following is the least likely purpose of governance?

A.Influence government regulators.


B.Establish appropriate structures.
C.Provide direction to the organization.
D.Establish appropriate processes.

Answer (A) is correct.


Governance is concerned with optimizing organizational activities to achieve the organization’s
objectives. Thus, its primary purposes are to inform, direct, manage, and monitor “internal” activities.
Although government regulators influence governance, reciprocating such influence is not a primary
purpose of governance.

B.A purpose of governance is to establish necessary structures to achieve organizational objectives.


C.Governance informs, directs, manages, and monitors the activities of the organization toward the
achievement of its objectives.
D.A purpose of governance is to establish necessary processes to achieve organizational objectives.

50.Risk owners are responsible for which of the following?


I. Evaluating the organization’s ability to carry out risk management activities as designed.
II. Determining the expectations of stakeholders and the outcomes that are unacceptable.
III. Establishing monitoring activities.
IV. Ensuring that information to be reported is accurate, timely, and available.

A.I and II only.
B.I and III only.
C.I, III, and IV only.
D.III and IV only.

Answer (C) is correct.


Risk owners are responsible for (1) evaluating the adequacy of the design of risk management activities
and the organization’s ability to carry them out as designed; (2) determining whether risk management
activities are operating as designed; (3) establishing monitoring activities; and (4) ensuring that
information to be reported to senior management and the board is accurate, timely, and available.

A.The board determines the expectations of stakeholders and the outcomes that are unacceptable.
B.Risk owners also are responsible for ensuring that information to be reported to senior management
and the board is accurate, timely, and available.
D.Risk owners also are responsible for evaluating the adequacy of the design of risk management
activities and the organization’s ability to carry them out as designed.

51.Which group is responsible for the initiation of fundamental changes for the organization?

A.Senior management.
B.Risk committee.
C.Internal audit activity.
D.Board of directors.

Answer (D) is correct.


The board of directors is the source of overall direction to, and the authority of, management and has
the ultimate responsibility for oversight. The board has the following duties: (1) selection and removal
of officers; (2) decisions about capital structure; (3) adding, amending, or repealing bylaws; (4)
initiation of fundamental changes; (5) decisions to declare and distribute dividends; (6) setting of
management compensation; (7) coordinating audit activities; and (8) evaluating and managing risk.
Initiation of fundamental changes for the organization includes mergers and acquisitions.

A.Senior management performs day-to-day governance functions and carries out the board’s directives
to achieve the organization’s objectives. Senior management is not responsible for the initiation of
fundamental changes for the organization.
B.A risk committee may be created by the board to identify key risks and to consider whether tolerance
levels delegated to risk owners are consistent with the organization’s risk appetite.
C.The role of the internal audit activity depends on the maturity of the governance system. In a less
mature system, the internal audit activity emphasizes compliance with policies, procedures, and laws.
In a more mature governance system, the internal audit activity’s emphasis is on optimizing structure
and practices. The internal audit activity is not responsible for the initiation of fundamental changes for
the organization.

52.The responsibility of the internal audit activity in an assurance engagement for ethics-related
matters is

A.To evaluate the design and effectiveness of the organization’s ethics-related activities.
B.To promote and set the example of ethical behavior.
C.To establish and maintain sound ethics-related objectives and programs.
D.To oversee the organization’s ethical climate.

Answer (A) is correct.


Implementation Standard 2110.A1 states, “The internal audit activity must evaluate the design,
implementation, and effectiveness of the organization’s ethics-related objectives, programs, and
activities.” The internal audit activity periodically assesses the elements of the ethical climate of the
organization and its effectiveness in achieving legal and ethical compliance.

B.Senior management has ultimate responsibility for promoting and setting the example of ethical
behavior (i.e., setting the tone at the top).
C.Senior management is responsible for establishing and maintaining sound ethics-related objectives
and programs.
D.The board oversees the organization’s ethical climate.

53.According to COSO, culture is

A.The behavior expected within the organization.


B.The attitude and actions of the board and management regarding the importance of control within the
organization.
C.The combination of processes and structures within the organization.
D.A reflection of the organization’s mission and vision and consists of the attitudes, behaviors, and
understanding about risk.

Answer (D) is correct.


According to the COSO Enterprise Risk Management framework, culture consists of the attitudes,
behaviors, and understanding about risk, both positive and negative, that influence the decisions of
management and personnel and reflect the mission, vision, and core values of the organization.

A.Codes of conduct and vision statements are issued to state the behavior expected within the
organization.
B.The control environment reflects the attitude and actions of the board and management regarding the
importance of control within the organization.
C.Governance is the combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.

54.Organizational culture is reflected in which of the following?


I. Measuring performance
II. Specifying accountability
III. Complying with corporate social responsibilities

A.I only.
B.I and II only.
C.II and III only.
D.I, II, and III.

Answer (D) is correct.


Organizational culture is reflected in measuring performance, specifying accountability and complying
with corporate social responsibilities.

A.Organizational culture also is reflected in specifying accountability and complying with corporate
social responsibilities.
B.Organizational culture also is reflected in complying with corporate social responsibilities.
C.Organizational culture also is reflected in measuring performance.

55.Organizational culture that is risk averse likely has which of the following effects on the
organization’s control environment?

  Importance of control within the organization   Engagement risks are assessed high

A.High                                            More likely
B.High                                            Less likely
C.Low                                             More likely
D.Low                                             Less likely

Answer (B) is correct.


Organizational culture that is risk averse is more likely to regard the importance of control within the
organization as high. Consequently, engagement risks and controls are less likely to be assessed high.

A.Although the importance of control within the organization is likely to be high when organizational
culture is risk averse, engagement risks are less likely to be assessed high.
C.An organizational culture that is risk aggressive is more likely to regard the importance of control
within the organization as low. Consequently, engagement risks and controls are more likely to be
assessed high.
D.Although engagement risks are less likely to be assessed high when organizational culture is risk
averse, the importance of control within the organization is more likely to be high.

56.Which of the following should be defined in the internal audit plan for an assessment of
governance?

1. The nature of the work


2. The governance process
3. The nature of the assessments

A.1 and 2 only.


B.2 and 3 only.
C.1 and 3 only.
D.1, 2, and 3.

Answer (D) is correct.


The audit plan should include higher-risk governance processes. It should define (1) the nature of the
work; (2) the governance processes; and (3) the nature of the assessments, e.g., consideration of
specific risks, processes, or activities.

A.The nature of the assessments also should be defined in the audit plan.
B.The nature of the work also should be defined in the audit plan.
C.The governance process also should be defined in the audit plan.

57.A basic principle of governance is

A.Assessment of the governance process by an independent internal audit activity.


B.Holding the board, senior management, and the internal audit activity accountable for its
effectiveness.
C.Exclusive use of external auditors to provide assurance about the governance process.
D.Separation of the governance process from promoting an ethical culture in the organization.

Answer (A) is correct.


The internal audit activity must assess and make appropriate recommendations for improving the
governance process.

B.The internal audit activity is an assessor of the governance process. It is not accountable for that
process.
C.External parties and internal auditors may provide assurance about the governance process.
D.The internal audit activity must assess and make appropriate recommendations for improving the
governance process in its promotion of appropriate ethics and values within the organization.

58.In the governance process, the internal audit activity most likely should

A.Coordinate the activities of the external and internal auditors and management.
B.Communicate risk and control information.
C.Evaluate the process for performance management.
D.Promote ethics and values.

Answer (C) is correct.


The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes for
• Making strategic and operational decisions;
• Overseeing risk management and control;
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of, and communicating information among, the board, external and
  internal auditors, other assurance providers, and management (Perf. Std. 2110).

A.The internal audit activity evaluates the processes by which activities of the external and internal
auditors and management are coordinated.
B.The internal audit activity evaluates the processes by which risk and control information is
communicated.
D.The internal audit activity evaluates the processes by which ethics and values are promoted.

59.Which of the following should an internal auditor consider when assessing governance?
1) Audits of specific processes
2) Governance issues arising from audits not focused on governance
3) The results of other assurance providers’ work
4) Information such as adverse incidents indicating an opportunity to improve governance

A.1 and 3 only.
B.2 and 4 only.
C.1, 2, and 3 only.
D.1, 2, 3, and 4.

Answer (D) is correct.


Assessments of governance are likely to be based on numerous audits. The internal auditor should
consider
• Audits of specific processes,
• Governance issues arising from audits not focused on governance,
• The results of other assurance providers’ work, and
• Other information such as adverse incidents indicating an opportunity to improve governance.

A.Internal auditors should also consider governance issues arising from audits not focused on
governance and other information such as adverse incidents indicating an opportunity to improve
governance.
B.Internal auditors should also consider audits of specific processes and the results of other assurance
providers’ work.
C.Internal auditors should also consider other information such as adverse incidents indicating an
opportunity to improve governance.

60.The internal audit activity should contribute to the organization’s governance process by evaluating
the processes through which
1. Ethics and values are promoted.
2. Effective organizational performance management and accountability are ensured.
3. Risk and control information is communicated.
4. Activities of the external and internal auditors and management are coordinated.

A.1 only.
B.4 only.
C.2 and 3 only.
D.1, 2, 3, and 4.

Answer (D) is correct.


The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes for:
• Making strategic and operational decisions;
• Overseeing risk management and control;
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of, and communicating information among, the board, external and
internal auditors, other assurance providers, and management (Perf. Std. 2110).

A.The internal audit activity also evaluates the processes through which effective organizational
performance management and accountability are ensured, risk and control information is
communicated, and activities of the external and internal auditors and management are coordinated.
B.The internal audit activity also evaluates the processes through which ethics and values are
promoted, effective organizational performance management and accountability are ensured, and risk
and control information is communicated.
C.The internal audit activity also evaluates the processes through which ethics and values are promoted
and activities of the external and internal auditors and management are coordinated.

61.The design and practice of effective governance vary with
1) The size, complexity, and life-cycle maturity of the organization
2) The organization’s stakeholder structure
3) Legal and cultural requirements

A.1 and 2 only.
B.2 and 3 only.
C.1 and 3 only.
D.1, 2, and 3.

Answer (D) is correct.


The design and practice of effective governance vary with
• The size, complexity, and life-cycle maturity of the organization;
• The organization’s stakeholder structure; and
• Legal and cultural requirements.

A.The design and practice of effective governance also vary with legal and cultural requirements.
B.The design and practice of effective governance also vary with the size, complexity, and life-cycle
maturity of the organization.
C.The design and practice of effective governance also vary with its stakeholder structure.

62.Craig is the chief audit executive (CAE) of Marlin, Inc., and is in the process of planning an
assessment of governance at Marlin. Which of the following should Craig consider in planning the
assessment of governance?

A.Whether all major decisions have been authorized by senior management.
B.Whether he can rely on the assessment of internal control performed by external auditors.
C.Whether employees at all levels of the organization adhere to the code of ethics.
D.All of the answers are correct.

Answer (D) is correct.


The CAE should consider the following in planning assessments of governance:
• An audit should address controls in governance processes that are designed to prevent or detect
events that could have a negative effect on the organization;
• Controls within governance processes often are significant in managing multiple risks; and
• If other audits assess controls in governance processes, the auditor should consider relying on
their results.
Thus, Craig should consider all of the answer choices when planning the assessment of governance.

A.Craig also should determine whether he can rely on the assessment of internal control performed by
external auditors and whether employees at all levels of the organization adhere to the code of ethics.
B.Craig also should verify that all major decisions have been authorized by senior management and
determine whether employees at all levels of the organization adhere to the code of ethics.
C.Craig also should verify that all major decisions have been authorized by senior management and
determine whether he can rely on the assessment of internal control performed by external auditors.

63.Which of the following most likely should be considered in the internal audit activity’s planning for
the assessment of governance?

A.Whether all decisions have been authorized by the board.
B.Relying on the assessment of internal control in other audits.
C.The compliance of the organization with the internal audit activity’s definition of governance.
D.The ways in which control and risk are unrelated.

Answer (B) is correct.


The chief audit executive should consider the following in planning assessments of governance:
• An audit should address controls in governance processes that are designed to prevent or detect
events that could have a negative effect on the organization;
• Controls within governance processes often are significant in managing multiple risks; and
• If other audits assess controls in governance processes, the auditor should consider relying on
their results.

A.Management performs most governance functions. For example, senior management determines (1)
where risks are managed, (2) who will be risk owners, and (3) how risks will be managed.
C.The internal audit activity should agree upon the definition of governance with the board and senior
management. The IIA has defined governance. But if the organization’s definition differs, the CAE
may use that definition.
D.Controls address risks. Thus, they are related.

64.Which of the following are roles of the internal audit activity in best practice governance activities?
1) Report significant audit issues
2) Support the board in enterprise-wide risk assessment
3) Conduct follow-up and report on management’s response to external audit
4) Act as custodian of corporate assets in the pursuit of positive outcomes for stakeholders

A.1 and 3 only.
B.2 and 4 only.
C.1, 2, and 3 only.
D.1, 2, 3, and 4.

Answer (C) is correct.


The internal audit activity reports significant audit issues, supports the board in enterprise-wide risk
assessment, and conducts follow-up and reports on management’s response to external audits as part of
its best practice governance activities.

A.The internal audit activity also supports the board in enterprise-wide risk assessment.
B.The internal audit activity also reports significant audit issues and conducts follow-up and reports on
management’s response to external audits but does not act as custodian of corporate assets in pursuit of
positive outcomes for stakeholders.
D.The board and senior management, not the internal audit activity, act as custodians of corporate
assets in the pursuit of positive outcomes for stakeholders.

65.The design and implementation of governance processes are the responsibility of

    The board    Management
A.  Yes          Yes
B.  Yes          No
C.  No           Yes
D.  No           No

Answer (A) is correct.


Governance is one of the three basic processes identified in the Definition of Internal Auditing. The
design and implementation of governance processes are the responsibility of the board and
management.

B.Management is also responsible for the design and implementation of governance processes.
C.The board is also responsible for the design and implementation of governance processes.
D.Both management and the board are responsible for the design and implementation of governance
processes.

66.Which of the following statements regarding governance is false?

A.Governance has a range of definitions depending on the circumstances.
B.Governance models generally treat governance as a process or a system that is static.
C.Governance requirements vary by entity type and regulatory jurisdiction.
D.Governance does not exist as distinct processes and control structures.

Answer (B) is correct.


Governance models generally treat governance as a process or a system that is not static. The approach
in the Standards emphasizes the board and its governance activities.

A.Governance does have a range of definitions depending on the circumstances. The chief audit
executive may use a different definition when the organization uses a different model.
C.Governance requirements do vary by entity type and regulatory jurisdiction. Examples include
publicly traded companies, not-for-profits, governments, private companies, and stock exchanges.
D.Governance does not exist as distinct processes and control structures but instead as relationships
with risk management and control.

67.Which of the following statements about governance is true?

A.Governance exists as distinct processes and controls.
B.The chief audit executive is likely to use consultants to assess governance when the organization’s
process is mature.
C.Governance is essentially a static process.
D.Governance has a range of definitions depending on the circumstances.

Answer (D) is correct.


Governance has a range of definitions depending on the circumstances. The chief audit executive
should work with the board and senior management, as appropriate, to determine how governance
should be defined for internal audit purposes.

A.Governance does not exist as distinct processes and structures but as relationships with risk
management and control.
B.The chief audit executive is likely to use consultants to assess governance when (1) the organization’s
process is not mature or (2) control issues are known.
C.Governance models generally treat governance as a process or a system that is not static. The
approach in the Standards emphasizes the board and its governance activities.

68.The internal audit activity assesses the coordination of the activities of the board, management, and
auditors. This assessment most directly relates to the function of

A.Quality assurance.
B.Risk management.
C.Governance.
D.The control environment.

Answer (C) is correct.


The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes for:
• Making strategic and operational decisions;
• Overseeing risk management and control;
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of, and communicating information among, the board, external and
internal auditors, other assurance providers, and management (Perf. Std. 2110).

A.A quality assurance program normally is implemented for an organizational unit, e.g., the internal
audit activity.
B.Governance (not risk management) is directly responsible for coordinating the activities of, and
communicating information among, the board, external and internal auditors, other assurance
providers, and management.
D.Governance (not control) is directly responsible for coordinating the activities of, and
communicating information among, the board, external and internal auditors, other assurance
providers, and management.

69.Which of the following is not a role of the internal audit activity in best practice governance
activities?

A.Support the board in enterprise-wide risk assessment.
B.Ensure the timely implementation of audit recommendations.
C.Monitor compliance with the corporate code of conduct.
D.Discuss areas of significant risks.

Answer (B) is correct.


Management has the responsibility of ensuring the timely implementation of the audit
recommendations. The internal audit activity is responsible for the development of a timely procedure
to monitor the disposition of the audit recommendations. It works with senior management and the
board to ensure that audit recommendations receive appropriate attention.

A.One internal audit activity role is to support the board in enterprise-wide risk assessment. The board
and management are responsible for the identification of an appropriate risk model and methodology.
C.The internal audit activity should monitor compliance with the corporate code of conduct set by the
board and management.
D.The internal audit activity is responsible for discussing significant financial, technical, and
operational risks and exposures as well as the plans to minimize such risks.

70.The internal audit activity most directly contributes to the governance process by

A.Assessing organizational performance management.
B.Evaluating the adequacy of controls over safeguarding of assets.
C.Evaluating the effectiveness of the risk-management system.
D.Assessing whether the organization’s objectives align with its mission.

Answer (A) is correct.


The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes for:
• Making strategic and operational decisions;
• Overseeing risk management and control;
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of, and communicating information among, the board, external and
internal auditors, other assurance providers, and management (Perf. Std. 2110).

B.Evaluating the adequacy of controls over safeguarding of assets relates to controls, not governance.
C.Evaluating the effectiveness of the risk-management system relates to risk management, not
governance.
D.Assessing whether the organization’s objectives align with its mission relates to risk management,
not governance.

71.Examples of CSR include all of the following except

A.A pharmaceutical company that produces potentially addictive pain medication donates to addiction
treatment facilities.
B.A tobacco company donates money to stop-smoking initiatives as a result of the settlement of a
lawsuit.
C.A professional services firm pays its employees a bonus each year for providing services as
volunteers to local not-for-profit organizations.
D.A delivery company uses its distribution network to deliver supplies for free to areas affected by
natural disasters.

Answer (B) is correct.


The donation is not an example of CSR because it is not voluntary. Socially responsible actions that are
required in response to corporate misdeeds or in response to a lawsuit are more akin to punishment than
to CSR.

A.The donation is voluntary and intended to benefit groups other than shareholders.
C.The bonus is voluntary and benefits groups other than shareholders. CSR does not only apply to
corporate entities, despite its title.
D.The delivery is voluntary and benefits groups other than shareholders.

72.Which of the following is not a benefit of implementing ISO 14000?

A.Increased cost of waste management.
B.Savings in consumption of energy.
C.Lower distribution costs.
D.Improved corporate image.

Answer (A) is correct.


Using ISO 14000 can (1) decrease, not increase, the cost of waste management; (2) provide savings in
consumption of energy and materials; (3) lower distribution costs; and (4) improve corporate image
among regulators, customers, and the public.

B.Using ISO 14000 should result in savings in consumption of energy and materials.
C.Using ISO 14000 should lower distribution costs.
D.Using ISO 14000 should improve corporate image among regulators, customers, and the public.

73.Which of the following stakeholders have needs that must be considered when determining the
effects of a corporate social responsibility (CSR) program?
1. Shareholders
2. Employees
3. Competitors
4. Society

A.1 only.
B.4 only.
C.1 and 3 only.
D.1, 2, and 4 only.

Answer (D) is correct.


An organization has many stakeholders whose needs must be balanced when developing a CSR
program. Shareholders, employees, and society must be considered, among others. Competitors’ needs
are not a factor in a CSR decision.

A.Shareholders are not the only stakeholders that must be considered in a CSR program.
B.Society is not the only stakeholder that must be considered in a CSR program.
C.Competitors are not a stakeholder to be considered in a CSR program.

74.Although corporate social responsibility (CSR) involves the incurrence of certain costs, in what
ways can CSR also produce benefits?
1) Positive public perception on a local, national, and international level
2) Retention of workers
3) Charity as a form of advertising
4) Deductibility of charitable donations

A.1 and 3 only.
B.2 and 4 only.
C.2, 3, and 4 only.
D.1, 2, 3, and 4.

Answer (D) is correct.


CSR can be profitable. Serving the community involves certain costs; however, the benefits of CSR
may exceed the costs. Examples of the benefits are
• Positive public perception on a local, national, and international level;
• Retention of workers;
• Charity as a form of advertising (brand building); and
• Deductibility of charitable donations.

A.The benefits of CSR can also include the retention of workers and the deductibility of charitable
donations.
B.The benefits of CSR can also include positive public perception on a local, national, and
international level.
C.The benefits of CSR can also include positive public perception on a local, national, and
international level.

75.Which of the following is true regarding ISO 14000?

A.It is a set of criteria established by the International Organization for Standardization for financial
reporting.
B.It details certain requirements for environmental performance and details the punishments for failing
to meet those requirements.
C.It often results in higher costs in processes but is compensated for by an improved public image.
D.None of the answers are correct.

Answer (D) is correct.


ISO 14000 is a set of criteria established by the International Organization for Standardization for an
environmental management system. This system is not required but provides standards for
implementing and maintaining environmental management systems. Additionally, such systems
provide lower costs and improve corporate image.

A.ISO 14000 is a set of criteria established by the International Organization for Standardization for an
environmental management system.
B.ISO 14000 does not state requirements for environmental performance.
C.ISO 14000 often results in lower costs of waste management, savings in consumption of energy and
materials, and lower distribution costs. Additionally, these standards often result in improved corporate
image among regulators, customers, and the public.

76.Which of the following is true regarding ISO 14000?

A.It applies to environmental management systems.
B.It provides for investigation of violations.
C.It states requirements for environmental performance, such as efficient uses of resources and
reductions of waste.
D.It is a set of criteria established for a quality management program.

Answer (A) is correct.


ISO 14000 is a set of criteria established by the International Organization for Standardization for an
environmental management system. This system is not required but provides standards for
implementing and maintaining environmental management systems. Moreover, such systems provide
lower costs and improve corporate image.

B.ISO 14000 does not state requirements for environmental performance.
C.ISO 14000 is merely a set of criteria for certification of an environmental management system. It
states no requirements and has no enforcement process.
D.ISO 14000 is a set of criteria established by the International Organization for Standardization for an
environmental management system.

77.Business ethics scholar Archie B. Carroll has identified four responsibilities an organization must
fulfill to be called socially responsible. All of the following are among these four responsibilities except

A.Environmental responsibility in consumption of energy.
B.Philanthropic responsibility to be a good corporate citizen.
C.Economic responsibility to be profitable.
D.Ethical responsibility to be ethical in its practices.

Answer (A) is correct.


ISO 14000 standards are a set of criteria established by the International Organization for
Standardization (ISO) for certification of an environmental management system. The benefits of using
ISO 14000 can include (1) reduced cost of waste management; (2) savings in consumption of energy
and materials; (3) lower distribution costs; and (4) improved corporate image among regulators,
customers, and the public. However, compliance with an ISO 14000 criterion is not one of the four
responsibilities that an organization must fulfill to be called socially responsible as identified by Archie
B. Carroll. These four responsibilities are (1) economic responsibility, (2) legal responsibility, (3)
ethical responsibility, and (4) philanthropic responsibility.

B.Philanthropic responsibility to be a good corporate citizen, or to do what is desired by stakeholders,
can be described as engaging in corporate contributions and giving back to the communities in which
the corporations function. Philanthropic responsibility is one of the identified responsibilities an
organization must fulfill to be called socially responsible.
C.An organization has the economic responsibility to be profitable (or to do what is required by
capitalism) in order to provide an investment return to the organization’s owners and shareholders.
Economic responsibility to be profitable is one of the identified responsibilities an organization must
fulfill to be called socially responsible.
D.An organization has the ethical responsibility to be ethical in its practices, given local and global
standards. Ethical responsibility has a broad scope and includes (1) treatment of employees; (2) truthful
advertising; (3) providing a clean and safe workplace; and (4) managing waste, recycling, and
consumption. Ethical responsibility is one of the identified responsibilities an organization must fulfill
to be called socially responsible.

78.The Global Reporting Initiative (GRI) has developed a sustainability reporting framework that

A.Emphasizes how to implement and manage a CSR initiative.
B.Provides specific guidance on measuring CSR performance.
C.Manages the disclosure of CSR to stakeholders.
D.Provides a forum in which governments can work together to share experiences and to seek solutions
to common problems.

Answer (B) is correct.


The GRI has developed a sustainability reporting framework that provides specific guidance on
measuring CSR performance against predefined criteria.

A.The International Organization for Standardization (ISO) 26000 framework emphasizes how to
implement and manage a CSR initiative.
C.Organizations exercise significant discretion in deciding what to disclose about their CSR
performance. In most jurisdictions, public companies are not required to disclose their CSR
performance. However, most organizations with stated CSR objectives provide public information
about their approach and results.
D.The mission of the Organization for Economic Co-operation and Development (OECD) is to provide
a forum in which governments can work together to share experiences and to seek solutions to common
problems.

79.A company has denied for years that it bears any responsibility for damage allegedly caused by its
trucks to public roads. No further actions have been taken by the company. This is an example of
which corporate social responsibility strategy?

A.Proaction.
B.Accommodation.
C.Defense.
D.Reaction.

Answer (D) is correct.


Reaction is when the organization denies or ignores responsibility and tries to maintain the status quo.
The company has denied responsibility for years. Therefore, this is an example of a reaction strategy.

A.Proaction is when the organization takes the initiative in implementing a CSR program that serves as
an example for the industry. There is no indication the company has taken the initiative in
implementing a CSR program.
B.Accommodation is when the organization assumes additional responsibilities only when pressured.
The company has not assumed any responsibility for the damage to the roads.
C.Defense is when the organization uses legal action or public relations efforts to avoid additional
responsibilities. There is no indication the company has used public relations or initiated legal action.

80.Within the organization, who generally is responsible for establishing CSR objectives and
measuring performance?

A.Management.
B.The board.
C.All employees.
D.Internal auditors.

Answer (A) is correct.


Management generally is responsible for establishing CSR objectives, assessing and managing risks,
measuring performance, and monitoring and reporting activities.

B.The board is responsible for overseeing CSR and the effectiveness of governance, risk management,
and the internal control process related to CSR.
C.All employees are responsible for the success of CSR initiatives. However, management generally is
responsible for establishing CSR objectives and measuring performance.
D.The internal auditor is responsible for evaluating whether controls over CSR are adequate to achieve
CSR objectives.

81.Which of the following is the least likely risk of failing to implement an effective CSR program?

A.Loss of reputation.
B.Failure to comply with regulations.
C.Failure to set performance targets.
D.Loss of employees.

Answer (C) is correct.


Failing to set performance targets is not considered a risk of failing to implement an effective CSR
program. Setting objectives, performance goals, and strategies is generally considered to be a CSR
business activity. Examples of CSR performance targets include reduced safety incidents and
increased employee volunteerism.

A.The organization’s brand or reputation could be damaged if an effective CSR program is not
implemented. Organizations, by behaving in a socially responsible manner, have the opportunity to
enhance, not damage, their reputation.
B.Failing to comply with regulations or contractual obligations is a likely consequence of failing to
implement an effective CSR program.
D.Risks of failing to implement an effective CSR program include employees leaving the organization
and difficulty attracting new employees.

82.In which CSR business activity would an organization consider CSR risks before projects are
approved?

A.Integrating CSR principles and controls into the decision-making process.
B.Establishing and communicating policies and procedures.
C.External and internal reporting of results.
D.Monitoring, evaluating results, and benchmarking.

Answer (A) is correct.


CSR business activities generally include (1) establishing and communicating policies and procedures;
(2) setting objectives, performance goals, and strategies; (3) communicating and integrating CSR
principles and controls into the business decision-making processes; (4) monitoring, evaluating results,
and benchmarking; (5) engaging stakeholders; (6) auditing; and (7) external and internal reporting of
results. CSR controls are actions taken to manage CSR risks. Thus, an organization considers CSR
risks before projects are approved and communicates and integrates CSR principles and controls into
the business decision-making processes.

B.In this activity, the organization establishes and communicates policies and procedures for areas such
as corporate governance, business ethics, human resources, and stakeholder relations. However, it is
not the business activity that includes considering CSR risks before approval of projects.
C.The external and internal reporting of results occurs after projects are approved.
D.The monitoring and evaluating of results is performed after projects are approved. Although
benchmarking may be performed before projects are approved, the consideration of CSR risks before
project approval is performed in a separate activity.

83.A CSR audit procedure requires the internal auditor to determine if the organization’s code of
conduct includes provisions on anti-corruption. This procedure is most likely testing which CSR
element?

A.Working conditions.
B.Environment.
C.Governance.
D.Ethics.

Answer (D) is correct.


A CSR audit of the ethics element typically includes determining whether the organization reflects an
anti-corruption culture, as evidenced, for example, in the organization’s risk assessment, code of
conduct, or policies.

A.Tests relating to the working conditions element most likely concern fair pay and hiring practices,
among others.
B.Tests relating to the environment element most likely concern social and environmental issues (e.g.,
social and environmental impact assessments).
C.Tests relating to the governance element most likely concern the board and reporting information to
stakeholders.

84.The internal auditor is performing a CSR audit by stakeholder group. Which of the following
represent a stakeholder group?
I. Shareholders.
II. Neighboring communities.
III. Employees and their families.
IV. The environment.

A.I and III only.
B.I, II, and III only.
C.I, II, and IV only.
D.I, II, III, and IV.

Answer (D) is correct.


Typical CSR stakeholder groups are (1) customers, (2) employees and their families, (3) the
environment, (4) neighboring communities, (5) shareholders, and (6) suppliers.

A.Stakeholder groups also include neighboring communities and the environment.
B.Stakeholder groups also include the environment.
C.Stakeholder groups also include employees and their families.
