A bank uses a risk analysis matrix to quantify the relative risk of auditable entities. The analysis involves rating auditable entities on risk factors using a scale of 1 to 10, with 10 representing the greatest risk. A partial list of risk factors and the ratings given to three of the bank's departments is provided below:

Which of the following statements regarding risk in the department is true?

Which of the following represents appropriate evidence of supervisory review of engagement workpapers?
I. A supervisor's initials on each workpaper.
II. An engagement workpaper review checklist.
III. A memorandum specifying the nature, extent, and results of the supervisory review of workpapers.
IV. Performance appraisals that assess the quality of workpapers prepared by auditors.

Which of the following would most likely include recommendations for process improvements?
* Due diligence engagement.
* Forensic investigation.
* Internal audit engagement.
* Consulting engagement.

An audit of customer accounts receivable found that outstanding receivables as a percentage of revenue had increased significantly during the past two years. The increase was attributed to the extension of credit, at the urging of the marketing department, to a number of companies that were not credit worthy.
Which of the following would be least useful in monitoring the disposition of this finding?

An internal auditor wants to determine whether employees are complying with the information security policy, which prohibits leaving sensitive information on employee desks overnight. The auditor checked a sample of
90 desks and found eight that contained sensitive information. How should this observation be reported, if the organization tolerates 4 percent noncompliance?