Chapter 5 - Quiz English
Chapter 5 - Quiz English
Chapter 5 - Quiz English
GAMBAR
4. If a risk appears in the bottom right of quadrant II in the above risk control map, it means that:
b. The controls may be excessive relative to the risk.
Following cost/benefit principles, processes with lower risk significance should generally have
fewer resources devoted to managing those risks. Since the control effectiveness is high in this
question, the controls may be excessive relative to the risk.
5. If a risk appears in the middle of quadrant IV in the above risk control map, it means that:
a. There is an appropriate balance between risk and control.
Since the risk significance is so high, it is very important that the organization have high control
effectiveness.
6. Which of the following circumstances would concern the internal auditor the most?
c. A risk in the upper left corner of quadrant III.
This risk is highly significant but control effectiveness is low, indicating the risk is not likely to be
managed to an acceptable level.
7. Which of the following are business processes?
I. Strategic planning.
II. Review and write-off of delinquent loans.
III. Safeguarding of assets.
IV. Remittance of payroll taxes to the respective tax authorities.
c. I, II, and IV.
All of these choices could be part of an organization's business processes. Safeguarding of assets
is an important control objective, but it is not a business process.
8. Which of the following symbols in a process map will most likely contain a question?
b. Diamond.
A diamond symbol represents a decision that is made; therefore, a question is typically included
in the symbol.
9. After business risks have been identified, they should be assessed in terms of their inherent:
a. Impact and likelihood.
Inherent impact and likelihood are the common risk assessment criteria.
10. In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to
have:
b. A secondary link.
When a process manages a risk in an indirect manner, it is considered a secondary link.
11. A major upgrade to an important information system would most likely represent a high:
b. Internal risk factor.
An important information system upgrade would represent a significant change in operations,
processes, personnel, or technology, which is factor #8 in Exhibit 5-12.
12. Which of the following is true regarding business process outsourcing?
d. Management’s controls to ensure the outsourcing provider meets contractual performance
requirements should be tested by the internal audit function.
Outsourcing a business process does not allow management to abdicate responsibility for
ensuring the process operates effectively. Therefore, performance requirements should be built
into the outsourcing contract. Compliance with performance requirements is a relevant and
important internal audit activity. The internal audit function should consider outsourced
processes as part of the audit universe and take a proactive approach, reviewing risk and control
activities prior to implementation. Outsourcing the process does not remove the operational
risks. The internal auditor still needs to consider the risks to the organization and address those
risks in the risk assessment process. The independent outside auditor is not required to consider
risks that are not related to the financial statements and, thus, may not be interested in all
outsourced processes.
13. A company has recently outsourced its payroll process to a thirdparty service provider. An audit
team was scheduled to audit payroll controls in the annual audit plan prepared prior to the
outsourcing. What action should the audit team take, considering the outsourcing decision?
c. Review only the company’s controls over data sent to and received from the third-party
service provider.
Management of the company is still accountable for the risks, so controls at the third-party
processor and the user organization are both important. As the controls at the third party and
the user organization interact, both must be reviewed. Although the process is being performed
outside the organization, the third party is an extension of the organization’s payroll process. The
risk here may actually increase because an external party controls part of the control
environment.
14. Which flowcharting symbol indicates the start or end of a process?
c. Oval.
An oval is used to indicate the start or end of a flow.
15. How does a control manage a specific risk?
c. It reduces either likelihood or impact or both.
A control can reduce event likelihood, or reduce the event impact, or both. In each case, the risk
is lessened.
NOTHING IN BOOK