IIA-CIA-Part2 IIA Internal Audit Engagement Free Practice Exam Questions (2026 Updated)

Audit workpapers are essential documents that provide evidence of the audit work performed and the conclusions reached.

Option A: While review notes can be useful, they do not need to be retained if they do not add value to the audit evidence.

Option B: Audit workpaper documentation policies are typically established by the internal audit department, not reviewed or approved by the audit committee.

Option C: Management should not review the workpapers for accuracy as this could compromise the independence of the audit.

Option D: Preparing workpapers helps auditors document their work thoroughly, facilitating learning and professional development​​.

Identify the Conflict of Interest: The internal auditor learns about a large loan made to another auditor's relative, which represents a conflict of interest.

Refer to Professional Standards: According to the Institute of Internal Auditors' (IIA) standards, an internal auditor must maintain objectivity and avoid conflicts of interest (IIA Standard 1100 – Independence and Objectivity).

Escalate the Issue: The appropriate course of action is to escalate this matter to the chief audit executive (CAE) and management, as they are responsible for determining the impact of the conflict and the appropriate response.

Decision Making: The CAE and management will assess whether the conflict of interest could impair the auditor's objectivity and decide whether the auditor should be removed from the engagement or if additional oversight is needed.

Documentation: It is important to document the conflict and the decision-making process in the audit documentation for transparency and accountability.

 Specialized Knowledge: Interrogating a suspected fraudster requires specialized knowledge and skills that go beyond the typical expertise of internal auditors. This includes understanding interrogation techniques, legal implications, and psychological aspects.

 Fraud Specialist: A fraud specialist is trained in conducting investigations, including interrogations, and can provide valuable insights and evidence in cases of suspected fraud.

 IIA Standards: According to Standard 1210.A2, internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

 Collaborative Approach:

Fraud Investigations: Engaging a fraud specialist ensures that the investigation is conducted thoroughly and professionally, adhering to legal and ethical standards.

Support to Internal Audit: The fraud specialist can provide support and guidance to the internal audit activity, enhancing the overall effectiveness of the fraud investigation.

 References:

Employing a fraud specialist to interrogate a suspected fraudster ensures that the investigation is handled with the necessary expertise and legal compliance, thereby increasing the chances of uncovering the truth and taking appropriate actions​​​​.

When the rate of deviations discovered in the sample equals the tolerable deviation rate, it means that the control is functioning at the level deemed acceptable by the auditor's predefined criteria. This does not necessarily imply that the control is flawless, but rather that its effectiveness meets the minimum standards set by the audit plan. Therefore, the internal auditor can conclude that the control is acceptably effective, but should also note the potential need for improvement.

The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2320 - Analysis and Evaluation

COSO Framework - Control Activities

The chief audit executive (CAE) should meet with the chief IT officer to discuss the incident, the investigation, and any control improvements that will be implemented (1). Additionally, developing an appropriate audit program with the IT auditor to review the organization’s Internet-based sales process and key controls (3) is a proactive approach to ensure future incidents are prevented and to enhance the organization's security posture. References: = IIA Standard 2120 - Risk Management and IIA Standard 2201 - Planning Considerations.

According to MA (Management Accounting) guidance and internal auditing standards, when assessing the likelihood of fraud risk, internal auditors should consider historical data and patterns within the organization. Past fraud allegations and actual occurrences provide valuable insights into potential vulnerabilities and areas where controls might have previously failed. This historical perspective helps in evaluating the current fraud risk environment and in identifying areas that require stronger controls or more vigilant monitoring.

IIA Practice Guide: "Assessing the Risk of Fraud"

COSO (Committee of Sponsoring Organizations of the Treadway Commission) Fraud Risk Management Guide

Introduction:

When the internal audit team lacks necessary skills for an ad-hoc assurance engagement, leveraging internal resources can be a practical solution.

Resolving Skill Gaps:

Using employees from other departments can provide the needed expertise while maintaining the engagement's integrity.

Options Analysis:

Option A: Declining the engagement may not be feasible and does not address the need.

Option B: Completing the engagement without the required skills can compromise quality.

Option C: Using employees from other departments brings in the necessary competencies and supports cross-functional collaboration.

Option D: Changing the scope may limit the effectiveness of the engagement.

Conclusion:

The acceptable resolution is to consider using employees from other departments in the organization to bring in the required skills for the engagement.

Internal Audit Standards and Practice Guides

Comprehensive and Detailed Explanation:

Software development security requires internal auditors to understand change management processes (B) — how updates, patches, and new code are introduced and controlled to prevent vulnerabilities. While IT general controls (A) are important, they are broader (e.g., access, backup, operations). Fluency in programming languages (D) and proficiency in design software (C) are too technical and unnecessary for audit. Instead, auditors need to understand how changes are authorized, tested, and implemented, ensuring that the development process follows security and governance standards. According to Standard 1210 – Proficiency, internal auditors must have or obtain sufficient knowledge to evaluate relevant risks, making change management competency most critical.

When concerned about whether a transaction is recorded in the correct period, the internal auditor should consult accounting principles, standards, and relevant guidelines to determine the appropriate timing of the entry. External auditor approval does not negate the internal auditor's responsibility to ensure that the transaction complies with established accounting standards and principles. Consulting the relevant guidelines provides an objective basis for assessing the accuracy of the transaction's recording.

The Institute of Internal Auditors (IIA) Standard 1220 – Due Professional Care: "Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor."

Generally Accepted Accounting Principles (GAAP) or International Financial Reporting Standards (IFRS) depending on the applicable framework.

When an internal auditor conducts a walk-through to evaluate the control design of a process, the techniques most likely to be used are inquiry and observation. These techniques allow the auditor to understand how the process is designed and how controls are implemented and followed in practice.

IIA Standard 2320 – Analysis and Evaluation:

This standard requires internal auditors to analyze and evaluate the information gathered during the engagement to ensure that it is sufficient, relevant, and reliable. During a walk-through, inquiry and observation are key techniques for gathering this information.

Inquiry:

Inquiry involves asking questions of personnel involved in the process to understand the control design, its purpose, and how it is intended to work. This helps the auditor gain insight into the process and identify any potential gaps or weaknesses in control design.

Observation:

Observation allows the auditor to see the process in action. By watching how the process is carried out, the auditor can verify whether the controls are being applied as designed and whether they are effective in practice.

IIA Practice Advisory 2320-1:

The advisory supports the use of inquiry and observation as primary techniques for understanding and evaluating the design and operation of controls during a walk-through.

Option A (Observation and inspection): While useful, inspection is more about examining documents or physical evidence rather than understanding process design.

Option C (Inspection and reperformance): Reperformance involves independently executing a control, which is more relevant for testing control effectiveness rather than evaluating design.

Option D (Inquiry and reperformance): Reperformance is not typically used in a walk-through focused on control design evaluation.

Detailed Explanation:Why Not Other Options?Conclusion: Option B is correct because inquiry and observation are the most appropriate techniques for conducting a walk-through to evaluate the design of a control, as they provide direct insight into how the process and controls are intended to work, in line with IIA standards.

A. Decline the audit engagement, because the Standards prohibit internal auditors from performing engagements where they lack the necessary competencies:The Standards allow for outsourcing or co-sourcing to meet competency gaps. Declining outright is not necessary.

B. Accept the audit engagement and use the engagement as an opportunity to develop the audit team’s IT expertise while performing the audit work:This approach risks compromising audit quality as the team lacks expertise.

C. Temporarily hire an experienced and knowledgeable IT analyst from the organization's IT department to lead the audit:This could create independence issues, as the IT analyst is part of the auditee’s function.

D. Outsource the audit engagement to a reputable IT audit consulting firm:Correct. Outsourcing ensures that the engagement is performed by qualified professionals, maintaining quality and adherence to the Standards.

CIA Exam Syllabus Reference:

Domain IV: Managing the Internal Audit Function – Resourcing and Competency Management.

According to the Institute of Internal Auditors (IIA) guidance, the independence and objectivity of the internal audit function are fundamental principles. Independence is compromised if the internal audit function takes on roles or responsibilities that are part of management's duties. Coordinating and managing the risk management process is a management responsibility. If internal auditors assume this role, it impairs their ability to remain independent and objective when auditing the effectiveness of the risk management process. References: IIA Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing

 Plant Assets Cost: For plant assets, which are tangible fixed assets such as buildings and machinery, the cost includes all expenditures necessary to acquire the asset and prepare it for its intended use. This includes the purchase price and additional costs such as design and construction.

This aligns with standard accounting practices where costs related to bringing an asset to its operational state are capitalized as part of the asset's cost.

 Intangible Assets Cost: The cost of intangible assets, such as patents and trademarks, typically includes the purchase price and development costs. However, option B refers to this, but the correct focus for plant assets is emphasized in option A.

 Amortization of Intangible Assets: Intangible assets with finite useful lives are subject to amortization, contradicting option C. Those with indefinite lives are not amortized but tested annually for impairment.

 Expense of Developing Plant Assets: Development costs for plant assets are capitalized, not expensed immediately, making option D incorrect.

According to IIA guidance, the primary purpose of the exit conference is to ensure timely communication of observations and findings, especially those that require immediate management action. This meeting allows auditors to discuss their findings with management, address any disagreements, and clarify the facts before the final report is issued. It does not require the attendance of both the chief audit executive and the chief executive over the activity (B), nor is it solely for reviewing anticipated results (C) or the performance of the internal auditors (D). References: IIA Standard 2440 – Disseminating Results, IIA Practice Advisory 2440-1

According to the IIA guidance, reviewing and approving payroll timesheets by the timekeeper before processing is considered least effective in managing the risk of payroll fraud. While this procedure might detect some errors or irregularities, it does not provide a robust control against fraud because the timekeeper can collude with employees or fail to review timesheets adequately. On the other hand, procedures such as comparing payroll lists to personnel records, deactivating payroll database access upon termination, and validating changes to payroll by the personnel department involve checks and balances that are more effective at preventing or detecting fraudulent activities.

IIA Practice Guide: Managing the Business Risk of Fraud: A Practical Guide

IIA Standards and Guidance: IPPF – Practice Guide

Introduction:

When duplicate payments are identified and corrected, the management’s response typically addresses the immediate impact or effect of the issue.

Types of Action Plans:

Condition-Based: Addresses the condition or the issue itself.

Cause-Based: Focuses on the underlying cause of the issue.

Root Cause-Based: Delves deeper to identify and address the fundamental reason for the issue.

Effect-Based: Focuses on addressing the consequences or the effects of the issue.

Options Analysis:

Option A: A condition-based action plan would involve identifying and rectifying the condition that led to the duplicate payments.

Option B: A cause-based action plan would address the immediate causes of the duplicate payments.

Option C: A root cause-based action plan would investigate and mitigate the fundamental reasons behind the duplicate payments.

Option D: An effect-based action plan addresses the consequences of the duplicate payments, such as recouping the funds, which is what management did in this scenario.

Conclusion:

Management’s action in recouping the duplicate payments is an effect-based action plan as it focuses on addressing the impact of the error.

Internal Audit Standards and Practice Guides .

To address the risk of fraud in the cash receipts process, it is essential to ensure that the accounts payable department reconciles all purchasing documents (purchase requisitions, purchase orders, packing slips, and invoices) before making payments. This step helps to detect discrepancies and prevent fraudulent activities, ensuring that payments are made only for legitimate and verified transactions. References:

IIA Standards - 1220: Due Professional Care

IIA Practice Guide - Auditing Accounts Payable: Reducing the Risk of Fraud

In addition to gathering information, a primary objective of a client interview during the planning stage of an audit engagement is to establish rapport with the client. Building rapport helps in fostering a cooperative relationship, ensuring that the client is open and forthcoming with information, which can significantly enhance the effectiveness of the audit.

IIA References:

IIA Standard 2201: Planning Considerations suggests that internal auditors should establish good communication and rapport with clients during the planning phase to facilitate the audit process.

The Practice Guide on Effective Interviewing Techniques emphasizes that establishing rapport during initial meetings is crucial for gaining the client’s trust and cooperation throughout the audit.

When the internal audit activity lacks the expertise to perform an audit engagement in a specialized area like IT, the most appropriate action for the CAE is to outsource the engagement to a reputable IT audit consulting firm. This ensures that the audit is conducted by professionals with the necessary skills and experience, thereby maintaining the quality and reliability of the audit.

IIA References:

IIA Standard 1210: Proficiency requires that internal auditors possess the knowledge, skills, and other competencies needed to perform their responsibilities. When the internal audit activity does not have the required expertise for a specific engagement, the CAE must obtain competent advice and assistance, either by hiring external experts or outsourcing the work.

IIA Standard 2070: External Service Provider and Organizational Responsibility for Internal Auditing advises that when the internal audit activity uses external service providers, the CAE must ensure that the provider possesses the necessary skills and knowledge.

Internal control questionnaires are used to determine whether specific control procedures are in place within an organization. They help auditors identify the existence and implementation of controls designed to mitigate risks. These questionnaires can provide a preliminary understanding of the control environment and identify areas that may require further detailed testing.

The Institute of Internal Auditors (IIA) Practice Guide: Using Internal Control Questionnaires to Assess Risk

IIA Standard 2130 - Control

Internal control questionnaires (ICQs) are used to gather information about the presence and effectiveness of controls within an organization. One of the limitations of ICQs is that the answers provided by respondents can be easily misinterpreted. This misinterpretation can occur due to unclear questions, differences in understanding terminology, or respondents not fully comprehending the context of the questions. Therefore, while ICQs are useful tools for identifying control issues, they require careful interpretation and often necessitate follow-up for clarification to ensure accurate understanding and assessment of the controls.

The Institute of Internal Auditors (IIA) Practice Guide: "Internal Control Questionnaires"

IIA Standard 2310: Identifying Information

To obtain a general understanding of the natural gas market, the market share the organization wants to win, and the competitive advantage the organization may have, the best source of information is to interview responsible managers and read strategic documents. Managers involved in the new line of business will have insights into the market dynamics, strategic goals, and competitive positioning. Strategic documents will provide detailed plans and objectives, giving a comprehensive understanding of the organization's approach and expectations.

The Institute of Internal Auditors (IIA) Practice Guide: Business Acumen for Internal Auditors

IIA Standard 2120 - Risk Management

Intervening during an audit involving ethical wrongdoing (Option 1) and negotiating a settlement of an employee claim for personal damages (Option 4) represent significant ethical risks if exhibited by an organization’s board. These actions could indicate attempts to influence or undermine the audit process and the fair handling of ethical issues, leading to potential conflicts of interest and compromising the integrity of the organization’s governance processes. Discussing periodic reports of ethical breaches (Option 2) and authorizing an investigation of an unsafe product (Option 3) are appropriate and responsible board actions that do not pose ethical risks.

IIA Standard 1110: Organizational Independence.

IIA Code of Ethics.

Comprehensive and Detailed Explanation:

To evaluate the project manager’s effectiveness at controlling costs, the auditor should verify whether payments are properly authorized, valid, and consistent with agreements. The most direct test is to track a sample of project payments (B) from accounts payable back to contracts and authorizations. This demonstrates whether project expenditures were controlled and aligned with agreements. Bank reconciliations (A) are unrelated to project-level cost control. Validating feasibility model assumptions (C) relates to project planning, not ongoing cost control. Checking budget approval timing (D) relates to compliance but not cost management effectiveness. Therefore, Option B best aligns with the engagement objective.

Project crashing is a schedule compression technique used in project management to shorten the project duration without changing the project scope. It involves adding additional resources to critical path activities to complete them faster. This method can lead to increased costs but aims to reduce the project timeline effectively. Crashing is often used when project deadlines are tight and time is more critical than budget.

Project Management Institute (PMI) defines project crashing as a technique used to shorten the schedule duration for the least incremental cost by adding resources. This is detailed in the PMBOK Guide (Project Management Body of Knowledge)​​.

A control weakness occurs when there is a deficiency in internal controls that could allow errors or fraud to occur. While the act of buyers promptly updating the vendor listing might seem efficient, it could bypass necessary oversight and approval processes. This could lead to unauthorized or inappropriate vendors being added, increasing the risk of fraud or favoritism. Effective internal control requires that such updates be reviewed and approved by an independent party to ensure accuracy and appropriateness.

Best practices in internal control recommend segregation of duties and independent review processes to prevent unauthorized changes and ensure control integrity​​​​.

To ensure that recommendations for enhancing internal controls have been effectively implemented, the internal auditor should conduct appropriate testing to verify management responses. This involves re-performing procedures, reviewing documentation, and possibly observing operations to confirm that the corrective actions have been adequately executed and are effective. Simply seeking a management assurance declaration (Option B) or observing corrective measures (Option A) may not provide sufficient evidence of proper implementation. Following up during the next scheduled audit (Option C) may delay the verification process, potentially allowing risks to persist.

IIA Standard 2500: Monitoring Progress.

IIA Practice Guide on Follow-up Processes in Internal Auditing.

The engagement scope outlines the specific boundaries, focus areas, and activities that the internal audit will examine. The analysis of wire transfers exceeding $10,000 within a specified timeframe is a clear, specific task that defines what will be reviewed during the engagement, making it a typical element of an engagement scope.

IIA References:

IIA Standard 2220: Engagement Scope states that the scope must be sufficient to satisfy the engagement's objectives and should outline specific areas and processes to be reviewed. Analyzing transactions over a certain threshold, like wire transfers exceeding $10,000, is a well-defined aspect of what the audit will cover.

When the chief audit executive (CAE) is uncertain whether the internal audit team has the necessary knowledge to conduct a specific engagement, such as reviewing testing procedures for a large information system, the most appropriate course of action is to engage an external service provider with the required expertise. This option helps to preserve the independence and objectivity of the internal audit activity.

IIA Standard 1210 – Proficiency:

This standard requires that internal auditors possess the knowledge, skills, and other competencies needed to perform their responsibilities. If the current team lacks the necessary skills, the CAE must seek external expertise.

Preserving Independence:

Engaging an external service provider helps maintain the independence of the internal audit function, as the expertise is sourced from an independent party. This prevents potential conflicts of interest that might arise if resources are borrowed from within the organization (e.g., from the IT department).

IIA Practice Advisory 1210.A1-1:

This advisory suggests that the CAE may employ external experts to provide specialized knowledge for certain audit engagements, ensuring the audit activity remains independent and objective.

Option A (Contract with the software vendor): This could compromise independence, as the vendor may have a vested interest in the outcome of the audit.

Option B (Ask for a knowledgeable resource from IT): Using internal resources, especially from the IT department being audited, could impair independence and objectivity.

Option D (Request resources through the external auditor): This might be appropriate in some cases, but it is not as direct and effective as hiring an external provider with specialized skills for this specific engagement.

Detailed Explanation:Why Not Other Options?Conclusion: Option C is correct as it ensures the internal audit function maintains its independence while acquiring the necessary expertise to conduct the engagement effectively, in line with IIA standards.