IIA-CIA-Part2 IIA Practice of Internal Auditing Free Practice Exam Questions (2025 Updated)

When performing a consulting project to assist in making a decision on a new software system, the engagement objectives would be determined by understanding the engagement client's expectations. This ensures that the consulting engagement is aligned with what the client needs and expects, leading to more relevant and useful recommendations.

A material impact on the accuracy of the prior year's financial statements due to the inaccurate operation of controls is a significant issue that would likely prompt special notification from the chief audit executive (CAE) to senior management. This is because such an issue can have substantial implications for the organization's financial reporting, stakeholder trust, and compliance with regulatory requirements. Immediate notification ensures that senior management can take timely corrective action to address and remediate the issue.

An The top-down approach to understanding business processes is conducted from a broad organizational perspective, beginning with the overall objectives and strategic goals of the organization and then drilling down into the specific processes that support these goals. While this approach ensures alignment with the organization's objectives, it has the greatest risk of overlooking critical processes at the lower levels, especially those that might be operationally significant but not directly linked to top-level objectives.

IIA References:

IIA Standard 2010: Planning suggests that internal auditors should understand the organization’s business processes in relation to its objectives. The top-down approach aligns with this but can risk missing important operational details that might be captured through a more granular (e.g., bottom-up) approach.

The IIA Standards require the CAE to communicate risk acceptance that may be unacceptable to senior management and the board. The first step is to discuss the issue with senior management to understand their perspective and potentially resolve the concern. If senior management does not take appropriate action, the CAE must then inform the board to ensure they are aware of the risk and can take necessary action.References:

The Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards)

"Internal Auditing: Assurance and Advisory Services" by Urton L. Anderson et al.

Meeting with the procurement card program administrator is a crucial step in identifying relevant risks and controls. This individual can provide detailed insights into how the procurement card program operates, potential risks, existing controls, and any issues or areas of concern. This information is vital for developing a comprehensive understanding of the program and for planning the audit engagement effectively. Actions like comparing card transaction types against policy guidelines, determining cardholder limit exceedances, and developing scope and objectives are important but are typically undertaken after initial risk and control identification.References:

The Institute of Internal Auditors (IIA) - Practice Guide: Engagement Planning

According to the International Standards for the Professional Practice of Internal Auditing, particularly Standard 2420 – Quality of Communications, internal audit communications should be accurate, objective, clear, concise, constructive, complete, and timely. Ensuring that communications are relevant, logical, and free from errors is essential for maintaining the credibility and effectiveness of the internal audit function and for providing management with reliable information for decision-making.References:

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2420 – Quality of Communications.

When an assurance engagement concludes with no key controls being compromised but notes some opportunities for improvement, the most appropriate approach for the chief audit executive (CAE) is to send the final report to operational management. This ensures that the responsible management can act on the improvement opportunities. Additionally, notifying senior management and the audit committee that no significant findings were identified keeps them informed without overloading them with less critical details, maintaining transparency and proper communication channels. References: IIA Standard 2400 – Communicating Results, IIA Practice Guide – Communicating Assurance Engagement Results

A. Review year-over-year trending of total dollars spent in each period:This is the correct approach because year-over-year analysis focuses on identifying anomalies or significant variances in expenses over time. Trends in data can help detect unexpected spikes, dips, or patterns that indicate irregularities or inefficiencies. This aligns with analytical procedures in expense analysis under the CIA Exam Syllabus Part 2, which emphasizes the use of comparative techniques to evaluate reasonableness.

B. Review changes to the vendor master file for suspicious activity:While reviewing vendor master file changes is essential for fraud detection and control testing, it does not directly help in determining the reasonableness of monthly expenses.

C. Review the percentage of on-time payments against prior periods:Examining payment timeliness relates to operational efficiency and cash flow management, not directly to evaluating whether monthly expenses are reasonable.

D. Review total expenses for accounting against other department expenses in the organization:Comparing accounting department expenses to those of other departments might indicate disparities but does not consider differences in department-specific activities and needs.

CIA Exam Syllabus Reference:

Domain V: Performing Internal Audit Services – Analytical Procedures and Testing Methods.

Internal control questionnaires are an efficient information-gathering method for an internal auditor to determine whether specified control procedures are in place. These questionnaires are designed to capture detailed information about controls through structured questions, enabling auditors to quickly identify the existence and nature of controls. This method is systematic and allows for comprehensive coverage of various control aspects, making it efficient for initial assessments.References:

IIA Standard 2240: Engagement Work Program

IIA Practice Guide: Using Control Self-Assessment for Continuous Improvement

According to IIA guidance, if management refuses to accept audit recommendations and implement corrective actions, the chief audit executive (CAE) has a responsibility to ensure that the audit committee or the board is aware of the unresolved risks. The CAE should escalate the matter to senior management first. If senior management still does not take action, the CAE should then inform the board. This escalation process ensures that the board is fully informed about significant risks that management has decided to accept and can take appropriate action if necessary.References:

The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2600 - Communicating the Acceptance of Risks

Discovery sampling is most effective for investigating the auditor's suspicion that the head of commercial lending has been granting loans without the required collateral. This sampling technique is designed to detect at least one occurrence of a specific characteristic (in this case, loans without collateral) within a population. It is particularly useful for identifying fraud or non-compliance with specific policies and procedures. Discovery sampling focuses on finding exceptions, making it suitable for the auditor’s investigation into potential misconduct.References: The IIA's Global Technology Audit Guide (GTAG) and The IIA's International Standards for the Professional Practice of Internal Auditing.

In this scenario, the most appropriate action for the internal auditor is to verify that the risk highlighted by the previous audit has indeed been addressed by the new IT system. This involves a detailed examination of the system documentation and possibly testing the controls within the new system. Once the auditor confirms that the new system adequately addresses the identified risk, they should report this finding to senior management and close the issue.

This approach ensures that the internal audit activity adheres to the IIA Standards regarding follow-up on audit findings, which requires auditors to ensure that agreed-upon actions have been implemented effectively.

IIA References:

IIA Standard 2500: Monitoring Progress mandates that the chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. This includes ensuring that the risks identified are appropriately addressed.

The Practice Advisory 2500.A1-1: Follow-up Process advises that follow-up is a critical part of the audit process, and it is essential to confirm that management actions address the risks identified during the audit.

Given these considerations, the correct answer is A. The auditor examines the system documentation of the new system to verify that the risk has been addressed in the new system, then reports to senior management the closure of the issue.

Analytical procedures involve evaluating financial and operational information by comparing it with expected values. These expectations can be based on historical data, industry benchmarks, budgets, or other relevant criteria. The primary purpose of analytical procedures is to identify any unusual or unexpected variations that could indicate potential issues or areas requiring further investigation.

IIA References:

IIA Standard 2320: Analysis and Evaluation requires internal auditors to analyze and evaluate the information gathered during an engagement. Analytical procedures are a critical part of this process, as they help auditors identify trends, anomalies, and areas of risk by comparing actual results with expectations.

The Practice Guide on Analytical Procedures defines these procedures as the analysis of relationships between different sets of data, with the goal of identifying inconsistencies or unexpected patterns.

When there is a disagreement between the audit team and management, and if the disagreement concerns a significant risk, the issue should be escalated to the audit committee. The audit committee has the authority to review and resolve such disputes. Escalating the issue ensures that the concern is addressed at the highest governance level, maintaining the integrity and effectiveness of the internal audit function.

A. The policy for granting, modifying, and deleting user access:Correct. Understanding the policy ensures the auditor knows the framework and controls in place.

B. A sample of change request forms:Useful for testing but not as foundational as reviewing the policy.

C. User access reports reviewed by management:This evaluates monitoring but does not establish a baseline understanding of controls.

D. A current listing of system users and employees:Important for reconciliation but secondary to understanding the control framework.

CIA Exam Syllabus Reference:

Domain V: Performing Internal Audit Services – Preliminary Surveys.

According to the Institute of Internal Auditors (IIA) guidance, the independence and objectivity of the internal audit function are fundamental principles. Independence is compromised if the internal audit function takes on roles or responsibilities that are part of management's duties. Coordinating and managing the risk management process is a management responsibility. If internal auditors assume this role, it impairs their ability to remain independent and objective when auditing the effectiveness of the risk management process. References: IIA Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing

The balanced scorecard, introduced by Robert Kaplan and David Norton, includes four main components that provide a comprehensive view of an organization’s performance. These components are:

Financial Measures – to track financial success and shareholder value.

Learning and Growth – to foster an environment of continuous improvement and innovation.

Customers – to measure customer satisfaction and market share goals.

Internal Processes – to ensure that critical operations and business processes are running efficiently. These elements together help an organization balance short-term objectives with long-term goals. References:

Kaplan, R.S., & Norton, D.P. (1996). The Balanced Scorecard: Translating Strategy into Action.

The primary advantage of using internal control questionnaires (ICQs) as part of a preliminary survey for an engagement is their efficiency. ICQs allow auditors to quickly gather a large amount of information about the control environment by asking structured questions that cover key areas of interest. This helps in identifying areas that require further investigation or where controls may need improvement.

IIA References:

The IIA’s Practice Guide on Evaluating Internal Controls mentions that ICQs are useful for obtaining an initial understanding of controls and are particularly efficient when time or resources are limited. They allow auditors to systematically cover a wide range of control-related topics in a relatively short period.

Benchmarking in internal auditing involves comparing the performance or practices of the audited entity against a standard or best practice, which often involves using information from other organizations or sources as a reference. This process helps identify areas for improvement and set performance targets. Thus, comparing the collected information with similar information from another source is the correct definition of benchmarking.