Part 1 Unit 3 Answer Key
1.The role of the internal audit activity in the ethical culture of an organization is to
A.Avoid active support of the ethical culture because of possible loss of independence.
B.Evaluate the effectiveness of the organization’s formal code of conduct.
C.Assume accountability for the effectiveness of the governance process.
D.Become the chief ethics officer.
A.Internal auditors must be active ethics advocates. However, assuming the role of, for example, chief
ethics officer may, in some circumstances, impair individual objectivity and the internal audit activity’s
independence.
C.The organization’s board and its senior management are responsible for the effectiveness of the
governance process.
D.The internal auditor’s basic role is to be the assessor of the ethical culture. However, an internal
auditor may become chief ethics officer or a member of an ethics council, although the first role may,
in some circumstances, impair individual objectivity and the internal audit activity’s independence.
2.The internal audit activity most directly contributes to an organization’s governance process by
A.Identifying significant exposures to risk most directly relates to risk management rather than to
governance.
B.Evaluating the effectiveness of internal control over financial reporting more directly relates to risk
management rather than to governance.
C.Promoting continuous improvement of controls relates to controls rather than to governance.
3.Which of the following correctly classifies the corporate governance functions as internal or
external?
  Internal                   External
A.Corporate charter          Bylaws
B.Laws                       Board of directors
C.Internal audit function    Corporate charter
D.Bylaws                     Government regulation
Answer (D) is correct.
Bylaws are an example of internal corporate governance, and laws, regulations, and the government
regulators who enforce them are examples of external governance.
4.Which of the following is a false statement about the role of internal auditors in an organization’s
ethical culture?
A.The board has oversight responsibilities but ordinarily does not become involved in the details of
operations.
B.Management ensures that sound risk management processes are in place and are adequate and
effective.
C.Internal auditors are responsible for evaluating the adequacy and effectiveness of controls, including
those relating to the reliability and integrity of financial and operational information.
6.Ensuring effective organizational performance management and accountability is most directly the
proper function of
A.Control.
B.Governance.
C.Risk management.
D.A quality assurance program.
A.Governance (not control) is directly responsible for ensuring effective organizational performance
management and accountability.
C.Governance (not risk management) is directly responsible for ensuring effective organizational
performance management and accountability.
D.A quality assurance program normally is implemented for an organizational unit, e.g., the internal
audit activity.
A.Ensuring compliance with society’s legal and regulatory rules is a goal of corporate governance.
B.Proving an overall benefit to society is a goal of corporate governance.
C.Reporting fully and truthfully to stakeholders is a goal of corporate governance.
8.Which of the following is most likely an internal audit role in a less structured governance process?
A.Internal auditors impair their objectivity by designing processes. However, evaluating the design and
effectiveness of specific processes is a typical internal audit role.
B.Playing a consulting role in optimizing governance practices and structure is typical of a more
structured internal auditing governance maturity model. The emphasis shifts to considering best
practices and adapting them to the specific organization.
D.Evaluating the effectiveness of specific governance processes is typical of a more structured internal
auditing governance maturity model.
9.Which of the following is a situation in which an internal auditor’s role of chief ethics officer
conflicts with the independence attribute of the internal audit activity?
A.The chief ethics officer requests that the internal auditors assess whether the organization as a whole
is not complying with the organization’s code of conduct.
B.The chief ethics officer informs the board of recommendations made by the internal audit activity
regarding the organization’s compliance with the code of conduct.
C.The chief ethics officer proposes and implements a new whistleblower program for the organization.
D.The internal audit activity informs the chief ethics officer that the organization is in compliance with
all laws and regulations.
A.Independence is not impaired when the chief ethics officer requests that the internal auditors assess
whether the organization as a whole is not complying with the organization’s code of conduct.
B.Independence is not impaired when the chief ethics officer informs the board of recommendations
made by the internal audit activity regarding the organization’s compliance with the code of conduct.
D.Independence is not impaired when the internal audit activity informs the chief ethics officer that the
organization is in compliance with all laws and regulations.
10.The role of the internal audit activity in the ethical culture of an organization is to
B.Internal auditors must be active ethics advocates. However, assuming the role of, for example, chief
ethics officer may, in some circumstances, impair individual objectivity and the internal audit activity’s
independence.
C.The internal auditor’s basic role is to be the assessor of the ethical culture. However, an internal
auditor may become chief ethics officer or a member of an ethics council, although the first role may,
in some circumstances, impair individual objectivity and the internal audit activity’s independence.
D.The organization’s board and its senior management are responsible for the effectiveness of the
governance process.
  Internal                   External
A.Internal audit function    Government regulation
B.Senior management          Corporate charter
C.Privacy laws               External auditors
D.Corporate charter          Ethical culture
12.Governance should help ensure that the objectives of an entity’s stakeholders are met. Stakeholders
include
1.Employees
2.Regulators
3.Suppliers
4.Customers
A.1 and 4 only.
B.2 and 3 only.
C.2, 3, and 4 only.
D.1, 2, 3, and 4.
13.The internal and external auditors report directly to an audit committee composed of independent
directors. This practice is directly related to which of the following governance principles?
1. Effective use of internal and external auditors.
2. Effective interaction among the board, management, and assurance providers.
3. An organizational structure that supports accomplishing strategic objectives.
4. An organizational structure used to measure organizational and individual performance.
B.An organizational structure that supports accomplishing strategic objectives is not directly related.
C.An organizational structure that supports accomplishing strategic objectives and an organizational
structure used to measure organizational and individual performance are not directly related.
D.An organizational structure that supports accomplishing strategic objectives and an organizational
structure used to measure organizational and individual performance are not directly related.
B.The code of conduct and vision statements should state the strategies for maintaining a culture
consistent, not inconsistent, with legal, ethical, and societal responsibilities. Additionally, the behavior
expected should be stated.
C.The code of conduct and vision statements should state the strategies for maintaining a culture
consistent, not inconsistent, with legal, ethical, and societal responsibilities. Additionally, the
organization’s values and objectives should be stated.
D.The code of conduct and vision statements should state the strategies for maintaining a culture
consistent, not inconsistent, with legal, ethical, and societal responsibilities.
15.Directors, management, external auditors, and internal auditors all play important roles in creating
proper control processes. Senior management is primarily responsible for
B.Internal auditors are responsible for evaluating the adequacy and effectiveness of controls, including
those relating to the reliability and integrity of financial and operational information.
C.Senior management’s role is to oversee the establishment, administration, and assessment of the
system of risk management and control processes.
D.The board has oversight responsibilities but ordinarily does not become involved in the details of
operations.
A.Corporate control mechanisms include both internal (e.g., internal auditing) and external (e.g.,
external auditing) mechanisms.
B.Management’s compensation scheme is part of the control environment, specifically, the human
resource element.
C.The dilution of shareholders’ wealth resulting from employee stock options or employee stock
bonuses is an accounting issue. Governance is “the combination of processes and structures
implemented by the board to inform, direct, manage, and monitor the activities of the organization
toward the achievement of its objectives” (The IIA Glossary).
A.The internal auditor has more responsibility than the board for organizational governance.
B.Governance functions are internal but not external.
C.The compensation of management is a governance process.
D.The dilution of shareholders’ wealth from stock options or bonuses is a governance issue.
18.Which of the following is a function of the internal audit activity in organizational governance?
A.Management is responsible for carrying out board directives to achieve organizational objectives.
B.Management has the responsibility of ensuring the timely implementation of the audit
recommendations. The internal audit activity is responsible for the development of a timely procedure
to monitor the disposition of the audit recommendations.
D.The internal audit activity is responsible for working with the board and senior management to
determine the definition of governance.
19.A code of conduct was developed several years ago and distributed by a large financial institution to
all its officers and employees. What is the internal auditor’s best approach to providing the board with
the highest level of comfort about the code of conduct?
A.Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the
board.
B.Fully evaluate organizational practices for compliance with the code and report to the board.
C.Review employee activities for compliance with provisions of the code and report to the board.
D.Perform tests on various employee transactions to detect potential violations of the code of conduct.
B.Evaluating practices and reporting to the board is not the best approach.
C.Reviewing employee activities does not provide as much comfort about the code of conduct as
evaluation of comprehensiveness.
D.Performing tests on employee transactions is not the best approach.
20.In an assurance engagement, what is the internal auditor’s responsibility for evaluating ethics-
related activities?
B.Internal auditors must evaluate the design, implementation, and effectiveness of ethics-related
activities, objectives, and programs.
C.Internal auditors must evaluate the design, implementation, and effectiveness of ethics-related
activities, objectives, and programs.
D.Internal auditors must evaluate the design, implementation, and effectiveness of ethics-related
activities, objectives, and programs.
A.The interests of specific stakeholders also should be enhanced in the long term.
B.The social expectations of society should be satisfied.
C.The board is responsible for overseeing the organization’s activities and cannot delegate this
responsibility to another function.
24.A corporation’s results met the expectations of the market, but many people in the organization
noticed that they were overly optimistic. Moreover, no one suggested that the results be changed. Who,
whether officially or informally, should have been an ethics advocate regarding the results?
1.Senior management
2.Internal auditors
3.Employees in the accounting department
A.1 only.
B.1 and 2 only.
C.1 and 3 only.
D.1, 2, and 3.
A.The internal auditors and employees in the accounting department also should have been ethics
advocates.
B.The employees in the accounting department also should have suggested that the results might not be
accurate.
C.The internal auditors also should have suggested that the results might not be accurate.
25.Which of the following is most likely an internal audit activity’s function in a less structured
governance process?
A.Evaluating the effectiveness of specific governance processes that are distinct from control.
B.Compliance with procedures, policies, and plans.
C.Acting as a consultant in optimizing governance practices.
D.Designing processes to address basic risks.
A.Evaluating the effectiveness of specific governance processes is typical of a more structured internal
auditing governance maturity model. Moreover, governance does not exist as processes distinct from
control and risk management.
C.Playing a consulting role in optimizing governance practices and structure is typical of a more
structured internal auditing governance maturity model. The emphasis shifts to considering best
practices and adapting them to the specific organization.
D.Internal auditors impair their objectivity by designing processes. However, evaluating the design and
effectiveness of specific processes is a typical internal audit role.
26.Which of the following is a situation in which an internal auditor’s role conflicts with the
independence attribute of the internal audit activity?
A.The internal audit activity recommends a new whistleblower program for the organization.
B.The internal audit activity informs the board that it has implemented an organization-wide employee
ethics program.
C.The board requests that the internal auditors assess whether the organization is complying with the
code of conduct.
D.The CEO informs the board of recommendations made by the internal audit activity regarding the
organization’s compliance with the code of conduct.
A.Recommending a new whistleblower program does not conflict with the independence attribute of
the internal audit activity. But design and implementation are management functions inconsistent with
the organizational independence of the internal audit activity.
C.The internal audit activity may assess governance processes.
D.The internal audit activity may recommend improvements in governance processes.
27.Careful Corp. always has its internal auditors review transactions between Careful Corp. and its
subsidiary, Risky Corp., to ensure that the transactions are carried out in a fair and transparent manner.
This practice is most closely related to which of the following governance principles?
B.Although this practice would involve effective interaction among the board, management, and
assurance providers, this practice is most closely related to another governance principle.
C.This practice will not necessarily support the organization in accomplishing strategic objectives.
D.This practice will not help measure organizational and individual performance.
A.Risk management activities are performed by senior management and risk owners.
B.Oversight includes internal and external assurance activities.
C.Oversight is the governance component with which internal auditing is most concerned.
D.Oversight determines the overall objectives.
Answer (D) is correct.
The elements of oversight are (1) the risk management activities of senior management and the board
and (2) internal and external assurance activities. Strategic direction determines (1) the business model,
(2) overall objectives, (3) the risk appetite, and (4) the limits of organizational conduct. Strategic
direction, not oversight, determines overall objectives.
A.The performance of risk management activities by senior management and risk owners is an element
of oversight.
B.Internal and external assurance activities are elements of oversight.
C.Oversight is the governance component with which internal auditing is most concerned. It is also the
component to which risk management and control activities are most likely to be applied.
A.The performance of risk management activities by senior management and risk owners is an element
of oversight.
B.Internal and external assurance activities are elements of oversight.
C.Oversight is the governance component with which internal auditing is most concerned. It is also the
component to which risk management and control activities are most likely to be applied.
A.Risk committees also delegate risks to risk owners and consider whether tolerance levels delegated
to risk owners are consistent with the organization’s risk appetite.
B.Risk committees also connect risks to risk management processes, delegate risks to risk owners, and
consider whether tolerance levels delegated to risk owners are consistent with the organization’s risk
appetite.
C.Risk committees also identify key risks.
A.The organizational culture does set the values, objectives, and strategies of the organization.
C.The organizational culture does define roles and behaviors.
D.Organizational culture is reflected in complying with corporate social responsibilities.
33.Which of the following most likely should be stated in an entity’s vision statement?
A.Personnel policies.
B.The strategic plan.
C.The strategy for maintaining a culture consistent with legal responsibilities.
D.Principles of internal control.
A.Personnel policies are operating matters not appropriate for a vision statement.
B.The strategic plan is developed after a vision (mission) statement is drafted.
D.A vision statement is a broad description of an entity’s mission, not a list of control principles.
A.Shareholders.
B.Employees.
C.Suppliers.
D.All of the answers are correct.
35.Which of the following most likely are considered potential stakeholders of an entity?
A.Close competitors.
B.Tax authorities.
C.Creditors of employees.
D.Neighbors of its facilities.
A.Close competitors are less likely than neighbors of an entity’s facilities to be stakeholders.
B.Tax authorities are less likely than neighbors of an entity’s facilities to be stakeholders.
C.Creditors of employees are less likely than neighbors of an entity’s facilities to be stakeholders.
B.This practice does not demonstrate that there is an independent and objective board with sufficient
expertise, experience, authority, and resources to conduct independent inquiries.
C.This practice does not reinforce an ethical culture, including employee feedback without fear of
retaliation.
D.This practice does not facilitate a clear definition and implementation of risk management policies
and processes.
37.<List A> applies to all organizational activities. Thus, its processes provide overall direction for
<List B> activities. <List C> activities are a key element of risk management.
40. The internal audit activity periodically assesses the elements of the ethical climate of the
organization and its effectiveness in achieving legal and ethical compliance. Internal auditors therefore
evaluate the effectiveness of which of the following?
A.The internal audit staff also evaluates the effectiveness of personnel practices that encourage
contributions by employees.
B.The internal auditors also evaluate the effectiveness of regular reviews of the processes that
undermine the ethical culture.
C.The internal auditors also evaluate the effectiveness of confidential reporting of alleged misconduct.
41.The internal audit activity’s evaluation of the ethical climate of the organization extends to
1. Evaluating the effectiveness of background checks
2. Defining roles and specifying accountability
3. Evaluating the effectiveness of declarations by suppliers about the requirements of ethical
behavior
A.The internal audit staff also evaluates the effectiveness of declarations by suppliers about required
behavior.
B.The internal auditors also evaluate the effectiveness of background checks.
D.The internal auditors do not have the authority to define roles and specify accountability.
B.Internal auditors are responsible for evaluating the adequacy and effectiveness of controls, including
those relating to the reliability and integrity of financial and operational information.
C.Senior management’s role is to oversee the establishment, administration, and assessment of the
system of risk management and control processes.
D.The board has oversight responsibilities but ordinarily does not become involved in the details of
operations.
B.A code of conduct does not establish internal control principles and standards.
C.The governance bodies in an organization determine the overall approach to risk-taking.
D.Management identifies the key risk areas within the organization. The internal auditor reviews these
decisions to evaluate risk management within the organization.
A.Government regulators.
B.Internal audit functions.
C.External service providers.
D.Corporate charters and bylaws.
A.A process to identify, assess, manage, and control potential events or situations to provide reasonable
assurance regarding the achievement of the organization’s objectives.
B.The combination of processes and structures implemented by the board to inform, direct, manage,
and monitor the activities of the organization toward the achievement of its objectives.
C.The leadership, organizational structures, and processes that ensure that the enterprise’s information
technology supports the organization’s strategies and objectives.
D.The highest level governing body charged with the responsibility to direct and/or oversee the
organization’s activities and hold senior management accountable.
Answer (B) is correct.
Governance is defined in the Standards as the “combination of processes and structures implemented
by the board to inform, direct, manage, and monitor the activities of the organization toward the
achievement of its objectives.”
A.Governance models are most effective when the framework is modeled after publicly traded
companies’ processes or systems.
B.Governance involves a set of relationships between an organization’s management, board,
shareholders, and other stakeholders.
C.Governance is independent of organizational culture.
D.Governance exists as a distinct process and structure separate from risk management and control.
A.Governance requirements vary by entity type and regulatory jurisdiction. The design and practice of
effective governance vary with the size and complexity of the organizations, along with the legal and
regulatory requirements of the jurisdiction.
C.Governance practices reflect the organization’s unique culture and largely depend on it for
effectiveness.
D.Governance does not exist independently of risk management and control. Rather, governance, risk
management, and control are closely related. Effective governance considers risk when setting strategy,
and risk management relies on effective governance. Additionally, effective governance relies on
controls and communication to the board on their effectiveness. Control and risk are also related as
controls manage risks.
A.The board determines the expectations of stakeholders and the outcomes that are unacceptable.
B.Risk owners also are responsible for ensuring that information to be reported to senior management
and the board is accurate, timely, and available.
D.Risk owners also are responsible for evaluating the adequacy of the design of risk management
activities and the organization’s ability to carry them out as designed.
51.Which group is responsible for the initiation of fundamental changes for the organization?
A.Senior management.
B.Risk committee.
C.Internal audit activity.
D.Board of directors.
A.Senior management performs day-to-day governance functions and carries out the board’s directives
to achieve the organization’s objectives. Senior management is not responsible for the initiation of
fundamental changes for the organization.
B.A risk committee may be created by the board to identify key risks and to consider whether tolerance
levels delegated to risk owners are consistent with the organization’s risk appetite.
C.The role of the internal audit activity depends on the maturity of the governance system. In a less
mature system, the internal audit activity emphasizes compliance with policies, procedures, and laws.
In a more mature governance system, the internal audit activity’s emphasis is on optimizing structure
and practices. The internal audit activity is not responsible for the initiation of fundamental changes for
the organization.
52.The responsibility of the internal audit activity in an assurance engagement for ethics-related
matters is
A.To evaluate the design and effectiveness of the organization’s ethics-related activities.
B.To promote and set the example of ethical behavior.
C.To establish and maintain sound ethics-related objectives and programs.
D.To oversee the organization’s ethical climate.
B.Senior management has ultimate responsibility for promoting and setting the example of ethical
behavior (i.e., setting the tone at the top).
C.Senior management is responsible for establishing and maintaining sound ethics-related objectives
and programs.
D.The board oversees the organization’s ethical climate.
A.Codes of conduct and vision statements are issued to state the behavior expected within the
organization.
B.The control environment reflects the attitude and actions of the board and management regarding the
importance of control within the organization.
C.Answer (C) is incorrect.
Governance is the combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.
A.I only.
B.I and II only.
C.II and III only.
D.I, II, and III.
A.Organizational culture also is reflected in specifying accountability and complying with corporate
social responsibilities.
B.Organizational culture also is reflected in complying with corporate social responsibilities.
C.Organizational culture also is reflected in measuring performance.
55.Organizational culture that is risk averse likely has which of the following effects on the
organization’s control environment?
Importance of control within the organization Engagement risks are assessed high
A.Although the importance of control within the organization is likely to be high when organizational
culture is risk averse, engagement risks are less likely to be assessed high.
C.An organizational culture that is risk aggressive is more likely to regard the importance of control
within the organization as low. Consequently, engagement risks and controls are more likely to be
assessed high.
D.Although engagement risks are less likely to be assessed high when organizational culture is risk
averse, the importance of control within the organization is more likely to be high.
56.Which of the following should be defined in the internal audit plan for an assessment of
governance?
A.The nature of the assessments also should be defined in the audit plan.
B.The nature of the work also should be defined in the audit plan.
C.The governance process also should be defined in the audit plan.
B.The internal audit activity is an assessor of the governance process. It is not accountable for that
process.
C.External parties and internal auditors may provide assurance about the governance process.
D.The internal audit activity must assess and make appropriate recommendations for improving the
governance process in its promotion of appropriate ethics and values within the organization.
58.In the governance process, the internal audit activity most likely should
A.Coordinate the activities of the external and internal auditors and management.
B.Communicate risk and control information.
C.Evaluate the process for performance management.
D.Promote ethics and values.
A.The internal audit activity evaluates the processes by which activities of the external and internal
auditors and management are coordinated.
B.The internal audit activity evaluates the processes by which risk and control information is
communicated.
D.The internal audit activity evaluates the processes by which ethics and values are promoted.
59.Which of the following should an internal auditor consider when assessing governance?
1) Audits of specific processes
2) Governance issues arising from audits not focused on governance
3) The results of other assurance providers’ work
4) Information such as adverse incidents indicating an opportunity to improve governance
A.Internal auditors should also consider governance issues arising from audits not focused on
governance and other information such as adverse incidents indicating an opportunity to improve
governance.
B.Internal auditors should also consider audits of specific processes and the results of other assurance
providers’ work.
C.Internal auditors should also consider other information such as adverse incidents indicating an
opportunity to improve governance.
60.The internal audit activity should contribute to the organization’s governance process by evaluating
the processes through which
1. Ethics and values are promoted.
2. Effective organizational performance management and accountability are ensured.
3. Risk and control information is communicated.
4. Activities of the external and internal auditors and management are coordinated.
A.1 only.
B.4 only.
C.2 and 3 only.
D.1, 2, 3, and 4.
A.The internal audit activity also evaluates the processes through which effective organizational
performance management and accountability are ensured, risk and control information is
communicated, and activities of the external and internal auditors and management are coordinated.
B.The internal audit activity also evaluates the processes through which ethics and values are
promoted, effective organizational performance management and accountability are ensured, and risk
and control information is communicated.
C.The internal audit activity also evaluates the processes through which ethics and values are promoted
and activities of the external and internal auditors and management are coordinated.
A.The design and practice of effective governance also vary with legal and cultural requirements.
B.The design and practice of effective governance also vary with the size, complexity, and life-cycle
maturity of the organization.
C.The design and practice of effective governance also vary with its stakeholder structure.
62.Craig is the chief audit executive (CAE) of Marlin, Inc., and is in the process of planning an
assessment of governance at Marlin. Which of the following should Craig consider in planning the
assessment of governance?
A.Craig also should determine whether he can rely on the assessment of internal control performed by
external auditors and whether employees at all levels of the organization adhere to the code of ethics.
B.Craig also should verify that all major decisions have been authorized by senior management and
determine whether employees at all levels of the organization adhere to the code of ethics.
C.Craig also should verify that all major decisions have been authorized by senior management and
determine whether he can rely on the assessment of internal control performed by external auditors.
63.Which of the following most likely should be considered in the internal audit activity’s planning for
the assessment of governance?
A.Management performs most governance functions. For example, senior management determines (1)
where risks are managed, (2) who will be risk owners, and (3) how risks will be managed.
C.The internal audit activity should agree upon the definition of governance with the board and senior
management. The IIA has defined governance. But if the organization’s definition differs, the CAE
may use that definition.
D.Controls address risks. Thus, they are related.
64.Which of the following are roles of the internal audit activity in best practice governance activities?
1) Report significant audit issues
2) Support the board in enterprise-wide risk assessment
3) Conduct follow-up and report on management’s response to external audit
4) Act as custodian of corporate assets in the pursuit of positive outcomes for stakeholders
A.The internal audit activity also supports the board in enterprise-wide risk assessment.
B.The internal audit activity also reports significant audit issues and conducts follow-up and reports on
management’s response to external audits but does not act as custodian of corporate assets in pursuit of
positive outcomes for stakeholders.
D.The board and senior management, not the internal audit activity, act as custodians of corporate
assets in the pursuit of positive outcomes for stakeholders.
A.Yes Yes
B.Yes No
C.No Yes
D.No No
B.Management is also responsible for the design and implementation of governance processes.
C.The board is also responsible for the design and implementation of governance processes.
D.Both management and the board are responsible for the design and implementation of governance
processes.
A.Governance does have a range of definitions depending on the circumstances. The chief audit
executive may use a different definition when the organization uses a different model.
C.Governance requirements do vary by entity type and regulatory jurisdiction. Examples include
publicly traded companies, not-for-profits, governments, private companies, and stock exchanges.
D.Governance does not exist as distinct processes and control structures but instead as relationships
with risk management and control.
A.Governance does not exist as distinct processes and structures but as relationships with risk
management and control.
B.The chief audit executive is likely to use consultants to assess governance when (1) the
organization’s process is not mature or (2) control issues are known.
C.Governance models generally treat governance as a process or a system that is not static. The
approach in the Standards emphasizes the board and its governance activities.
68.The internal audit activity assesses the coordination of the activities of the board, management, and
auditors. This assessment most directly relates to the function of
A.Quality assurance.
B.Risk management.
C.Governance.
D.The control environment.
A.A quality assurance program normally is implemented for an organizational unit, e.g., the internal
audit activity.
B.Governance (not risk management) is directly responsible for coordinating the activities of, and
communicating information among, the board, external and internal auditors, other assurance
providers, and management.
D.Governance (not control) is directly responsible for coordinating the activities of, and
communicating information among, the board, external and internal auditors, other assurance
providers, and management.
69.Which of the following is not a role of the internal audit activity in best practice governance
activities?
A.One internal audit activity role is to support the board in enterprise-wide risk assessment. The board
and management are responsible for the identification of an appropriate risk model and methodology.
C.The internal audit activity should monitor compliance with the corporate code of conduct set by the
board and management.
D.The internal audit activity is responsible for discussing significant financial, technical, and
operational risks and exposures as well as the plans to minimize such risks.
70.The internal audit activity most directly contributes to the governance process by
B.Evaluating the adequacy of controls over safeguarding of assets relates to controls, not governance.
C.Evaluating the effectiveness of the risk-management system relates to risk management, not
governance.
D.Assessing whether the organization’s objectives align with its mission relates to risk management,
not governance.
71.Examples of CSR include all of the following except
A.A pharmaceutical company that produces potentially addictive pain medication donates to addiction
treatment facilities.
B.A tobacco company donates money to stop-smoking initiatives as a result of the settlement of a
lawsuit.
C.A professional services firm pays its employees a bonus each year for providing services as
volunteers to local not-for-profit organizations.
D.A delivery company uses its distribution network to deliver supplies for free to areas affected by
natural disasters.
A.The donation is voluntary and intended to benefit groups other than shareholders.
C.The bonus is voluntary and benefits groups other than shareholders. CSR does not only apply to
corporate entities, despite its title.
D.The delivery is voluntary and benefits groups other than shareholders.
B.Using ISO 14000 should result in savings in consumption of energy and materials.
C.Using ISO 14000 should lower distribution costs.
D.Using ISO 14000 should improve corporate image among regulators, customers, and the public.
73.Which of the following stakeholders have needs that must be considered when determining the
effects of a corporate social responsibility (CSR) program?
1. Shareholders
2. Employees
3. Competitors
4. Society
A.1 only.
B.4 only.
C.1 and 3 only.
D.1, 2, and 4 only.
A.Shareholders are not the only stakeholders that must be considered in a CSR program.
B.Society is not the only stakeholder that must be considered in a CSR program.
C.Competitors are not a stakeholder to be considered in a CSR program.
74.Although corporate social responsibility (CSR) involves the incurrence of certain costs, in what
ways can CSR also produce benefits?
1) Positive public perception on a local, national, and international level
2) Retention of workers
3) Charity as a form of advertising
4) Deductibility of charitable donations
A.The benefits of CSR can also include the retention of workers and the deductibility of charitable
donations.
B.The benefits of CSR can also include positive public perception on a local, national, and
international level.
C.The benefits of CSR can also include positive public perception on a local, national, and
international level.
A.It is a set of criteria established by the International Organization for Standardization for financial
reporting.
B.It details certain requirements for environmental performance and details the punishments for failing
to meet those requirements.
C.It often results in higher costs in processes but is compensated for by an improved public image.
D.None of the answers are correct.
A.ISO 14000 is a set of criteria established by the International Organization for Standardization for an
environmental management system.
B.ISO 14000 does not state requirements for environmental performance.
C.ISO 14000 often results in lower costs of waste management, savings in consumption of energy and
materials, and lower distribution costs. Additionally, these standards often result in improved corporate
image among regulators, customers, and the public.
77.Business ethics scholar Archie B. Carroll has identified four responsibilities an organization must
fulfill to be called socially responsible. Each of the following is one of these four responsibilities except
78.The Global Reporting Initiative (GRI) has developed a sustainability reporting framework that
A.The International Organization for Standardization (ISO) 26000 framework emphasizes how to
implement and manage a CSR initiative.
C.Organizations exercise significant discretion in deciding what to disclose about their CSR
performance. In most jurisdictions, public companies are not required to disclose their CSR
performance. However, most organizations with stated CSR objectives provide public information
about their approach and results.
D.The mission of the Organization for Economic Co-operation and Development (OECD) is to provide
a forum in which governments can work together to share experiences and to seek solutions to common
problems.
79.A company has denied for years that it bears any responsibility for damage allegedly caused by its
trucks to public roads. No further actions have been taken by the company. This is an example of
which corporate social responsibility strategy?
A.Proaction.
B.Accommodation.
C.Defense.
D.Reaction.
A.Proaction is when the organization takes the initiative in implementing a CSR program that serves as
an example for the industry. There is no indication the company has taken the initiative in
implementing a CSR program.
B.Accommodation is when the organization assumes additional responsibilities only when pressured.
The company has not assumed any responsibility for the damage to the roads.
C.Defense is when the organization uses legal action or public relations efforts to avoid additional
responsibilities. There is no indication the company has used public relations or initiated legal action.
80.Within the organization, who generally is responsible for establishing CSR objectives and
measuring performance?
A.Management.
B.The board.
C.All employees.
D.Internal auditors.
B.The board is responsible for overseeing CSR and the effectiveness of governance, risk management,
and the internal control process related to CSR.
C.All employees are responsible for the success of CSR initiatives. However, management generally is
responsible for establishing CSR objectives and measuring performance.
D.The internal auditor is responsible for evaluating whether controls over CSR are adequate to achieve
CSR objectives.
81.Which of the following is the least likely risk of failing to implement an effective CSR program?
A.Loss of reputation.
B.Failure to comply with regulations.
C.Failure to set performance targets.
D.Loss of employees.
A.The organization’s brand or reputation could be damaged if an effective CSR program is not
implemented. Organizations, by behaving in a socially responsible manner, have the opportunity to
enhance, not damage, their reputation.
B.Failing to comply with regulations or contractual obligations is a likely consequence of failing to
implement an effective CSR program.
D.Risks of failing to implement an effective CSR program include employees leaving the organization
and difficulty attracting new employees.
82.In which CSR business activity would an organization consider CSR risks before projects are
approved?
B.In this activity, the organization establishes and communicates policies and procedures for areas such
as corporate governance, business ethics, human resources, and stakeholder relations. However, it is
not the business activity that includes considering CSR risks before approval of projects.
C.The external and internal reporting of results occurs after projects are approved.
D.The monitoring and evaluating of results is performed after projects are approved. Although
benchmarking may be performed before projects are approved, the consideration of CSR risks before
project approval is performed in a separate activity.
83.A CSR audit procedure requires the internal auditor to determine if the organization’s code of
conduct includes provisions on anti-corruption. This procedure is most likely testing which CSR
element?
A.Working conditions.
B.Environment.
C.Governance.
D.Ethics.
A.Tests relating to the working conditions element most likely concern fair pay and hiring practices,
among others.
B.Tests relating to the environment element most likely concern social and environmental issues (e.g.,
social and environmental impact assessments).
C.Tests relating to the governance element most likely concern the board and reporting information to
stakeholders.
84.The internal auditor is performing a CSR audit by stakeholder group. Which of the following
represent a stakeholder group?
I. Shareholders.
II. Neighboring communities.
III. Employees and their families.
IV. The environment.