IIA-CIA-Part2 IIA Practice of Internal Auditing Free Practice Exam Questions (2025 Updated)

According to IIA guidance, to maximize the value of the current internal audit activity (IAA) resources, it is appropriate to hire external resources to provide subject-matter expertise while ensuring they are supervised (3). Additionally, assigning auditors to complex audits for learning opportunities helps in skill development and enhances the overall capability of the IAA (4). These strategies ensure that the IAA can address complex and high-risk areas effectively while also fostering professional growth among internal auditors. References: IIA Practice Guide – Staffing the Internal Audit Activity, IIA Standard 2030 – Resource Management

A compliance assurance engagement focuses on evaluating whether an organization is adhering to applicable laws, regulations, policies, and procedures. Assessing the design adequacy of controls related to consumer privacy and confidentiality is a prime example of such an engagement, as it ensures that the organization’s controls are designed to comply with relevant privacy laws and regulations, thereby protecting consumer data and maintaining compliance.

The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2410 - Criteria for Communicating

A draft internal audit report citing deficient conditions should be reviewed with relevant stakeholders to ensure accuracy, address concerns, and plan corrective actions. This includes the client manager and her superior (Option 1) to inform them of the findings and obtain their perspective. It should also be reviewed with anyone who may object to the report’s validity (Option 2) to address potential disagreements or misunderstandings early in the process. Finally, it should include anyone required to take action (Option 3) so they are aware of their responsibilities and can begin planning remediation efforts. While it may be beneficial to review with those who receive the final report (Option 4), it is not essential for the draft stage. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2440 - Disseminating Results.

When setting the scope for identifying and assessing key risks and controls in a process, developing the scope of the audit based on a bottom-up perspective is the least appropriate approach. A bottom-up perspective typically focuses on individual controls and processes without necessarily aligning with the organization’s critical business objectives and risk appetite. Effective risk assessment should begin with a top-down approach, identifying key business objectives and the associated risks, and then determining the necessary controls to manage these risks. References: IIA Practice Guide – Auditing Key Risk Management, IIA Standard 2200 – Engagement Planning

According to the IIA guidance, the most appropriate next step when discovering a sales manager approving contracts beyond their authorization limit is to communicate the finding to the supervisor of the sales manager through an interim report. This approach ensures that the issue is addressed promptly and management can take immediate corrective actions to prevent further unauthorized activities. Including new contracts under negotiation in the final report would delay action, while reminding the sales manager of their authority limits does not escalate the issue appropriately.

IIA Standards: 2440 - Disseminating Results

IIA Practice Guide: Communicating Audit Results

The most effective way to identify the HR department's risks and controls, especially after recent process changes, is to discuss the department's present strategies and objectives with the head of the HR department. This approach allows the auditor to gain current and relevant insights directly from the person most knowledgeable about the department's current operations, risks, and controls. It ensures that the auditor understands the current environment, any new challenges, and the specific controls in place to mitigate risks. This method is more comprehensive and current compared to reviewing past reports or generalized organizational frameworks, which might not reflect recent changes accurately.

The Institute of Internal Auditors (IIA) Standard 2010 – Planning: "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals."

IIA Practice Guide on "Engaging with Stakeholders"

ISO 31000 Context: ISO 31000 provides guidelines on risk management, emphasizing the importance of understanding the external context.

External Context: This includes external factors such as regulatory and competitive environments that can impact the organization’s risk profile.

Regulatory Environment: Understanding regulations helps the organization ensure compliance and avoid legal risks.

Competitive Environment: Analyzing the competitive environment allows the organization to anticipate market changes and manage competitive risks.

When conducting a review of an electronic data interchange (EDI) application provided by a third-party service, the internal auditor should ensure several key aspects to maintain security and compliance:

Independent Review of Service Provider: Determine whether an independent review of the service provider's operations has been conducted. This review helps ensure that the service provider meets necessary standards and maintains adequate controls.

Contractual Clauses: Verify that the service provider's contracts include necessary clauses. These clauses should cover aspects like data security, confidentiality, compliance with standards, and performance metrics.

Ensuring encryption keys meet ISO standards and verifying the use of public-switched data networks are important but are more specific technical controls that might be part of broader reviews. The focus here should be on independent verification and robust contractual agreements

An internal control questionnaire (ICQ) is a tool used by auditors to gather detailed information about the internal control system of an audited area. The primary purpose of an ICQ is to identify and assess risks that could prevent the area from achieving its objectives. By systematically covering various control points, the questionnaire helps the auditor evaluate the adequacy and effectiveness of controls in place and identify areas where controls may be lacking or need improvement.

The Institute of Internal Auditors (IIA) - Practice Guide: Internal Control Questionnaire

In flat organizational structures, there are fewer hierarchical levels, which can create challenges with career progression and promotion opportunities (B).

Option A applies to hierarchical structures.

Option C is associated with centralized structures.

Option D contradicts flat structures, where employees typically have more autonomy.

Thus, the key risk is unclear career and promotion paths.

Comprehensive and Detailed Explanation:

The auditor’s goal is to test compliance with a set threshold (daily meal stipend). The most direct technique is compliance verification through data analytics (A), which compares actual expenses against policy limits. Regression analysis (B) is used to identify correlations, not compliance with fixed limits. Gap testing (C) identifies missing values in sequences, not threshold violations. Flowcharts (D) document processes but do not test compliance. Therefore, the best approach is to use compliance analytics to flag all transactions exceeding the approved stipend, providing reliable evidence of policy adherence or violation.

Independence Requirement: The IIA's mandatory guidance emphasizes the importance of the CAE's independence to ensure unbiased internal audit activities.

Conflict of Interest: Seeking senior management’s recommendation for the CAE’s salary adjustment can create a conflict of interest and potentially compromise the CAE’s independence.

Best Practices: To maintain independence, the CAE’s compensation should be determined by the board without influence from senior management.

Standard Compliance: According to the IIA's Attribute Standard 1110 – Organizational Independence, the CAE must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

While discussing risks with the audit client can provide useful insights, it is the least structured method compared to using all available information from the risk-based plan, considering client efforts to manage risk, and reviewing prior risk assessments. These latter methods are more systematic and ensure that the audit work program is comprehensive and focused on relevant risks. References: = IIA Standard 2200 - Engagement Planning, IIA Practice Guide: “Developing the Audit Plan”.

Introduction:

The independence and objectivity of the internal audit function are paramount, especially when the CAE has had prior involvement in the area under review.

Scenario Analysis:

Option A: Previous consulting assignments may raise concerns but do not inherently impair independence if managed correctly.

Option B: A historical role in accounting functions is less problematic if sufficient time has passed and there is no ongoing influence.

Option C: Having been the payroll manager presents a direct conflict of interest, compromising the CAE's objectivity.

Option D: Reviews following consulting assignments are common practice and do not necessarily indicate a conflict.

Conclusion:

It is problematic for the CAE to provide assurance over payroll functions if they were previously the payroll manager, as this creates a clear conflict of interest and threatens audit objectivity.

IIA’s International Standards for the Professional Practice of Internal Auditing, Standard 1130: Impairment to Independence or Objectivity.

According to IIA guidance, internal auditors should use relevant information obtained during a consulting engagement to inform and enhance their evaluation of internal controls during related audit engagements. This is because the knowledge gained from consulting activities can provide valuable insights into the functioning of controls and processes, which can be applied when assessing their effectiveness in a subsequent audit.

IIA References:

IIA Standard 1220: Due Professional Care indicates that internal auditors should consider all relevant information available to them when making judgments and recommendations. This includes information obtained from consulting engagements.

The IIA’s Practice Guide on Consulting Engagements advises that while internal auditors must maintain objectivity, they can and should use knowledge gained from consulting engagements to enhance the value and accuracy of their assurance work.

When internal audit resources are limited, it is crucial to focus on the most critical aspects of the control environment. Preventive key controls are designed to prevent errors or irregularities from occurring, which are essential for maintaining a strong control environment. Given the mature control environment of the organization, prioritizing preventive key controls ensures that potential issues are addressed before they materialize, providing a proactive approach to risk management.

The primary reason for audit supervision, including the approval of the engagement report, is to ensure that the findings presented in the report are substantiated by adequate and appropriate evidence. This step is crucial to maintain the credibility and reliability of the audit process and its outcomes.

Substantiation of Findings: Ensuring that findings are substantiated helps in providing a clear and defensible basis for the conclusions and recommendations made in the report.

Audit Quality: This step ensures the quality and integrity of the audit process, confirming that the evidence collected during the audit is sufficient and appropriate to support the findings.

Credibility: By substantiating findings, the report gains credibility, which is essential for the stakeholders who rely on the audit report for decision-making.

In a compliance audit, the objective is to assess adherence to laws, regulations, or regulatory requirements. For banking compliance, this means verifying whether business continuity plans comply with mandatory regulations (Option B). Options A, C, and D relate to efficiency, best practices, or operations — not compliance.

Interim communications are used when urgent issues require immediate attention by management before the final audit report is issued (Standard 2440 – Disseminating Results).

Option A involves follow-up but does not require an interim report.

Option C is a whistleblower concern that would be investigated confidentially, not reported as an interim memo.

Option D reflects incomplete fieldwork, not a reporting need.

Option B, a material variance in inventory, represents a significant and immediate issue that requires prompt communication to management before the audit concludes.

Thus, the most appropriate situation for issuing an interim report is Option B.

Per Standard 2330 – Documenting Information, workpapers must contain sufficient, reliable, relevant, and useful information to provide evidence of work performed and support conclusions. They do not all need to result in findings, fraud conclusions, or client approval. The correct criterion is reasonable evidence of work conducted (Option A).

For an action plan to be effective, it must address the root cause of an observation. The root cause is the underlying reason why a problem or issue has occurred. By targeting the root cause, the action plan can help prevent the recurrence of the issue and ensure long-term resolution. Addressing only the condition or the symptoms of the problem may lead to temporary fixes, whereas understanding and resolving the root cause leads to more sustainable improvements.

Institute of Internal Auditors (IIA), Practice Guide – Root Cause Analysis.

According to IIA guidance, there is no specific frequency mandated for conducting organization-wide risk assessments. Instead, the internal audit activity should perform risk assessments as necessary to reflect significant changes in the organization's business environment, risk profile, and operations. This flexibility allows the internal audit activity to remain responsive and relevant in a dynamic risk landscape.

IIA References:

IIA Standard 2010: Planning requires the CAE to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. The frequency and timing of risk assessments should be adapted to the organization’s changing conditions.

The IIA Practice Guide on Risk Assessment in Audit Planning emphasizes that risk assessments should be updated as needed, particularly when there are significant changes in the organization or external environment.

According to IIA Standards, acceptable practices for testing conformance through a quality assurance review include conducting a self-assessment with independent validation (2) and arranging for reciprocal peer review with another CAE (4). These methods provide a cost-effective and practical approach to ensuring compliance with professional standards, especially for small internal audit activities. Using an external service provider (1) and arranging for a review by qualified employees outside of the IAA (3) are also valid, but self-assessment with independent validation and peer review are specifically highlighted for smaller IAAs. References: IIA Standard 1312 – External Assessments, IIA Practice Guide – Quality Assurance and Improvement Program

According to the International Standards for the Professional Practice of Internal Auditing, the CAE must be kept informed of significant issues and deficiencies that are not addressed by management. Standard 2600 - Communicating the Acceptance of Risks requires the CAE to report any situation where management has accepted a level of risk that may be unacceptable to the organization. If the engagement supervisor learns that agreed-upon remedial actions have not been implemented, the CAE needs to be notified to determine further steps, ensuring that risks are managed appropriately and in alignment with the organization's risk tolerance. This response aligns with the internal audit function's responsibility to follow up on management's corrective actions.

The IIA's International Standards for the Professional Practice of Internal Auditing, Standard 2600 - Communicating the Acceptance of Risks.

When there is a disagreement between the audit team and management, and if the disagreement concerns a significant risk, the issue should be escalated to the audit committee. The audit committee has the authority to review and resolve such disputes. Escalating the issue ensures that the concern is addressed at the highest governance level, maintaining the integrity and effectiveness of the internal audit function.

Current ratio (A) measures general liquidity (Current Assets ÷ Current Liabilities).

Quick ratio (C) (Quick Assets ÷ Current Liabilities) excludes inventory and prepaid expenses, giving a more immediate liquidity measure.

Profit margin (B) measures profitability, and times interest earned (D) measures solvency.

Thus, the best measure of immediate liquidity is the quick ratio (C).

Comprehensive and Detailed Explanation:

The scope of an engagement defines the boundaries of the audit — what areas, functions, activities, or processes will be reviewed. In this case, the engagement’s purpose is to test adherence to the procurement policy, so the sub-processes (D) within procurement (e.g., vendor selection, purchase approvals, invoice processing) should be clearly defined in scope.

Sample size (A) and procedures (C) are part of the audit work program, not scope.

Inherent risks (B) are identified during planning but do not define scope boundaries.

Therefore, Option D is correct: defining sub-processes ensures that the audit scope is comprehensive and appropriately focused on procurement policy adherence.

When documenting findings from a nonstatistical sample, internal auditors should record the factual observations and quantify the results where possible. In this case, the auditor should document that 17% of the sampled accounts receivable balances exceeded the approved unsecured credit limit. This provides a clear, quantifiable basis for the finding, which is critical for accurate reporting and for management to understand the scope of the issue. Documenting this percentage also supports the auditor's conclusions and recommendations for corrective actions.

The Institute of Internal Auditors (IIA) Practice Guide: Audit Sampling.

IIA Standard 2310 - Identifying Information

When a significant finding is noted early during a review of the accounts payable function, the best course of action for communicating the issue is to inform internal accounting management via an interim memorandum update. This allows for timely communication and potential early remediation actions, ensuring that management is aware of the issue and can address it promptly before the final audit report is issued.