IIA-CIA-Part2 IIA Internal Audit Engagement Free Practice Exam Questions (2026 Updated)

A gap analysis is used to assess the completeness of sales invoices by identifying any missing records within a sequence. This technique helps in pinpointing any sales that might have been omitted or unrecorded during the invoicing process. By comparing expected sequences with actual recorded transactions, the auditor can identify discrepancies and ensure all sales are accounted for.

The Institute of Internal Auditors (IIA) Practice Guide: Data Analytics

IIA Standard 2320 - Analysis and Evaluation

For internal audit findings and recommendations to be effectively implemented and to ensure that they receive adequate consideration, formal follow-up procedures are essential. According to IIA guidance, it is important that the internal audit activity not only reports the results to management but also ensures that corrective actions are taken or that management consciously accepts the associated risks.

IIA Standard 2500 – Monitoring Progress:

This standard requires that the chief audit executive (CAE) establish a process to monitor and ensure that management actions are effectively implemented or that risks are appropriately accepted. Follow-up is crucial for verifying that management has taken the recommended actions or has acknowledged and accepted the risk of not doing so.

Formal Follow-Up Procedures:

These procedures involve tracking the status of management's responses to audit recommendations, checking if actions were implemented as planned, and determining whether the intended outcomes were achieved. If management decides not to act, the CAE must ensure that the decision is documented and the associated risks are understood and accepted by senior management.

IIA Practice Advisory 2500-1:

This advisory emphasizes the importance of follow-up to ensure that significant audit findings and recommendations are addressed. Without this follow-up, there is a risk that important issues might be neglected or forgotten.

Option A (Reporting results with recommendations): While reporting is important, it does not ensure that recommendations are acted upon.

Option C (Quarterly reporting on audit plan focus): This is related to audit planning, not to ensuring that specific findings and recommendations are considered.

Option D (Discussing findings with independent auditors): This might be useful, but it does not directly influence whether management considers and acts on the internal audit findings.

Detailed Explanation:Why Not Other Options?

The statistical model indicates that daily sales have a direct relationship with the cost of ingredients used and an inverse relationship with rainy days.

Option A: On a rainy day, if total sales are greater than expected compared to the cost of ingredients used, it may indicate discrepancies that could be a sign of employee theft. For instance, if ingredients are used but not reflected in the sales, it suggests that items might be missing (stolen).

Option B: On a sunny day, lower-than-expected sales compared to the cost of ingredients could indicate wastage but not necessarily theft.

Option C and D: Both scenarios where total sales and the cost of ingredients are higher or lower than expected do not specifically point to theft without additional context​​.

Stratified sampling is a technique that involves dividing a population into subgroups (strata) that share similar characteristics and then taking a sample from each subgroup. In the context of testing purchase transactions by different procurement officers, the transactions can be stratified based on the officers, ensuring that the audit team selects a sample that represents each officer's transactions. This method helps in achieving a more accurate and reliable assessment of the procurement process across all officers.

The Institute of Internal Auditors (IIA), Practice Guide on Sampling

"Auditing and Assurance Services: An Integrated Approach" by Alvin A. Arens, Randal J. Elder, Mark S. Beasley

 Conducting a documented skills assessment helps in identifying the existing competencies and any gaps within the internal audit team.

 Post-audit surveys can provide feedback on the performance and areas for improvement, which can be used to further refine the skills and competencies of the audit staff (Ref: [16†source])

Internal auditors must corroborate employee testimonials with tangible evidence to ensure the reliability and validity of the findings. Relying solely on testimonials without supporting evidence can lead to inaccurate conclusions. Standard 2310 – Identifying Information of the International Standards for the Professional Practice of Internal Auditing emphasizes that sufficient, reliable, relevant, and useful information should be obtained to achieve the engagement’s objectives.

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2310 – Identifying Information.

Assessing the effectiveness of management's self-assessment activities in the context of risk management requires a thorough examination of the processes that management uses to monitor and control risks. The most effective way to evaluate these activities is to observe and test the control and monitoring procedures in place.

IIA Standard 2130 – Control:

This standard highlights the internal audit activity’s responsibility to assess whether the organization’s controls are adequate to manage risks. Observing and testing controls directly is the most effective way to determine their operational effectiveness.

IIA Practice Advisory 2130-1:

The advisory recommends that internal auditors should focus on the design and effectiveness of control activities. Observing and testing controls ensures that the auditor can verify whether management's self-assessments accurately reflect the risk environment.

Effectiveness of Risk Management Processes:

To assess the effectiveness of self-assessment, internal auditors need to ensure that the procedures for identifying, assessing, and monitoring risks are robust. Direct observation and testing provide tangible evidence of how these processes are functioning.

Option A (Reviewing corporate policies and board minutes): This provides context but does not directly assess the effectiveness of control procedures.

Option B (Conducting interviews): Interviews can provide insights but are subjective and may not reflect actual control effectiveness.

Option C (Researching industry information): This helps in understanding risks but does not assess how well the organization manages those risks.

Detailed Explanation:Why Not Other Options?Conclusion: Option D is correct as it involves the direct evaluation of the effectiveness of control and monitoring procedures, aligning with IIA’s guidance on assessing risk management processes.

According to the CIA study materials, in small audit functions where one person conducts the engagement, a checklist ensures that tasks are documented and provides a record of completion. This creates a reliable audit trail and supports supervisory review (per Standard 2330 – Documenting Information).

Option A does not apply since only one auditor is involved.

Option B is incorrect because checklists are not primarily for business representatives.

Option C is incorrect: prior audit results would be found in past reports, not a checklist.

Therefore, the primary benefit in this scenario is retention of an audit trail (Option D).

To confirm the existence of a specific vehicle selected from the fixed asset register, the best indirect evidence would be to compare the registered details of the vehicle with a date-stamped photograph. This method provides a verifiable form of evidence that the vehicle exists and matches the details recorded in the asset register. It ensures that the vehicle is still in possession of the organization and can be indirectly verified without the need for physical presence at an off-site location.

IIA Practice Guide: "Auditing Fixed Assets"

COSO Internal Control – Integrated Framework

In internal auditing, the use of Computer-Assisted Audit Techniques (CAATs) allows auditors to analyze large datasets efficiently and effectively. When it comes to fraud detection, analyzing the full population of data is often the best approach.

IIA Practice Guide on CAATs:

CAATs enable auditors to analyze entire datasets rather than relying on samples. This approach is particularly useful in fraud detection, where anomalies or fraudulent transactions may be rare and could be missed if only a sample is analyzed.

Full Population Analysis:

By analyzing the entire dataset, the auditor can identify patterns, anomalies, and outliers that could indicate fraudulent activity. This comprehensive approach increases the likelihood of detecting fraud.

IIA Standard 1220 – Due Professional Care:

This standard requires auditors to exercise due care, which includes considering the use of CAATs for fraud detection to ensure that all relevant data is reviewed, not just a subset.

Option A (Data should remain segregated): Keeping data segregated may complicate the analysis and hinder the discovery of cross-division anomalies.

Option C (Reactive approach): While tips and whistleblowing are important, a proactive approach using CAATs to analyze full populations is more effective in detecting fraud.

Option D (Random sampling): Sampling may not be sufficient to detect fraud, as it could miss infrequent but significant fraudulent transactions.

Detailed Explanation:Why Not Other Options?

The CIA Exam (Part 2 – Practice of Internal Auditing) requires auditors to identify the root causes of issues and deviations from criteria, not just report symptoms. A root cause analysis seeks the underlying reason for a problem, rather than describing its occurrence.

Option A simply describes the condition (missing results).

Option B identifies a trend but not the underlying cause.

Option D shifts responsibility to employees without addressing why results were not saved.

Option C identifies a system design flaw that prevents employees from saving results, which is a true root cause.

Therefore, including Option C in the audit report demonstrates compliance with internal audit methodology, as it highlights the underlying systemic problem instead of merely documenting symptoms or assigning blame.

After management has implemented an action plan to improve controls, the most appropriate follow-up action for the auditor is to perform retesting. Retesting involves verifying that the new procedures are effective in addressing the control deficiencies identified during the initial audit.

IIA Standard 2500 – Monitoring Progress:

This standard requires the internal audit activity to monitor and ensure that management actions have been implemented and are working as intended. Retesting is a critical component of this process because it confirms that the new controls effectively mitigate the risks.

Importance of Retesting:

Retesting allows the auditor to verify that the specific control activities, which were previously found to be deficient, have been corrected. This hands-on approach provides direct evidence of the effectiveness of the new procedures.

IIA Practice Advisory 2500-1:

The advisory emphasizes the need for follow-up activities to include retesting when necessary to confirm that management’s actions have resolved the issues identified.

Option A (Conduct another audit): Conducting a completely new audit might be excessive; follow-up and retesting are sufficient to confirm the effectiveness of the corrective actions.

Option B (Ensure procedures are documented): Documentation is important, but it does not confirm that the procedures are actually effective.

Option D (Analyze procedures and report to management): Analysis is useful, but retesting provides direct verification of effectiveness.

Detailed Explanation:Why Not Other Options?Conclusion: Option C is correct because retesting confirms that the new procedures effectively address the previously identified deficiencies, ensuring that the risks have been mitigated as intended, in line with IIA guidance.

Strategic sourcing would best assist the CAE in balancing the internal audit activity's needs for technical audit skills, budget efficiency, and staff development opportunities. Strategic sourcing involves using a mix of internal resources, co-sourcing, and outsourcing to optimize the audit function. This approach allows the CAE to leverage external expertise for specialized skills, manage costs effectively, and provide growth opportunities for internal staff.

IIA Standards: 2030 - Resource Management

IIA Practice Guide: Developing the Internal Audit Strategic Plan

An operational audit is conducted to evaluate whether an organization’s processes or areas are performing as intended, accomplishing their objectives, and doing so in an efficient and economical way. This type of audit focuses on the effectiveness, efficiency, and economy of operations.

IIA Definition of Operational Auditing:

Operational auditing involves reviewing and assessing the effectiveness and efficiency of operations. The goal is to ensure that the organization’s operations are running as intended and achieving their objectives in a cost-effective manner.

IIA Standard 2100 – Nature of Work:

This standard emphasizes that internal audit activity should evaluate the effectiveness and efficiency of operations, aligning with the objectives of an operational audit.

Key Aspects of Operational Audits:

Effectiveness: Evaluates whether objectives are being met.

Efficiency: Assesses whether resources are being used optimally.

Economy: Ensures that costs are minimized without compromising quality or performance.

Option A (Compliance audit): Focuses on whether the organization adheres to laws, regulations, and policies, not on operational efficiency.

Option C (Financial audit): Involves verifying the accuracy of financial records, not the operational performance.

Option D (Provider audit): This term is not commonly used in IIA guidance and does not accurately describe the scenario.

Detailed Explanation:Why Not Other Options?

 Customer Departmentalization: This method categorizes departments based on the type of customers they serve. It aligns services and strategies with the specific needs and characteristics of different customer groups.

 Examples of Customer Departmentalization:

Community Banking: Focuses on services tailored for local communities, often involving personal banking services.

Institutional Banking: Caters to large organizations, offering specialized financial products and services.

Agricultural Banking: Provides financial services to farmers and agricultural businesses, addressing their unique needs.

 Comparison with Other Options:

Product Departmentalization: Option B categorizes by products offered, such as mortgages and credit cards.

Geographical Departmentalization: Option C categorizes by regions, such as south and southwest.

Functional Departmentalization: Option D categorizes by job functions, such as teller and manager.

 References:

Customer departmentalization is exemplified by categorizing banking services into community, institutional, and agricultural sectors, focusing on the distinct needs of different customer groups​​​​.

The primary advantage of using internal control questionnaires (ICQs) as part of a preliminary survey for an engagement is their efficiency. ICQs allow auditors to quickly gather a large amount of information about the control environment by asking structured questions that cover key areas of interest. This helps in identifying areas that require further investigation or where controls may need improvement.

IIA References:

The IIA’s Practice Guide on Evaluating Internal Controls mentions that ICQs are useful for obtaining an initial understanding of controls and are particularly efficient when time or resources are limited. They allow auditors to systematically cover a wide range of control-related topics in a relatively short period.

The organization and content of workpapers should be based on the professional judgment of the internal auditor. Workpapers should provide sufficient detail to support the audit findings and conclusions but do not need to answer every conceivable question. Standard 2330 – Documenting Information states that internal auditors must document relevant information to support the conclusions and engagement results. This allows for flexibility and professional judgment in determining what is necessary and appropriate to include.

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2330 – Documenting Information.

Generalized audit software (GAS) is specifically designed to assist auditors in performing various audit tasks, including extracting specific files and records from databases. GAS tools, such as ACL and IDEA, allow auditors to import data from various systems, query databases, perform data analysis, and generate reports. This makes them ideal for tasks that require the extraction and examination of specific records or data sets within a database. Other options, such as expert systems or system utility programs, do not offer the same targeted capabilities for data extraction relevant to auditing tasks.

Institute of Internal Auditors (IIA), Global Technology Audit Guide (GTAG) – Generalized Audit Software (GAS).

If operational management has not implemented effective actions to address a significant control breach, the most appropriate next step for the chief audit executive is to discuss the matter with senior management. This step involves escalating the issue to a higher level of authority to ensure that the risks associated with the control breach are properly understood and addressed. If senior management fails to take appropriate action, the CAE may then escalate the issue to the board.

IIA Standard 2500: Monitoring Progress

IIA Practice Guide: Auditing Organizational Governance

An internal auditor's decision to issue a preliminary audit report is best justified when the internal audit team expects management to address certain issues immediately due to their severe impact. Preliminary reports are issued to promptly communicate critical findings that require urgent attention, ensuring that management is aware of and can take corrective action on significant issues without waiting for the final report.

IIA Standards: 2410 - Criteria for Communicating

IIA Practice Guide: Reporting Results

The role of the CAE includes ensuring that all significant risks, including those related to health and safety, are properly managed. Even though the chief health and safety officer reports directly to the CEO, the CAE should still coordinate with and review the work of this officer to understand and evaluate the management of health and safety risks. This helps ensure a comprehensive risk management approach within the organization and supports the overall assurance framework. It is not appropriate for the CAE to have no role (Option A), report directly to the regulator (Option C), or hire an external specialist annually without internal coordination (Option D).

IIA Standard 2010: Planning.

IIA Practice Guide on Coordinating Risk Management and Assurance.

Proper engagement supervision is documented through formal records that show a systematic review and oversight process. A completed engagement workpaper review checklist provides evidence that the supervisor has reviewed and approved the work done by the audit team. This formal checklist ensures all critical aspects of the engagement are reviewed systematically, meeting the standards for proper supervision documentation. References:

"Internal Auditing: Assurance & Advisory Services" (The Institute of Internal Auditors)

"International Standards for the Professional Practice of Internal Auditing" (IIA)

 Training new hires on fraud and employee misconduct is a proactive measure that raises awareness and educates employees about the organization’s policies and the consequences of fraudulent behavior.

 Such training helps create a culture of integrity and compliance, making employees less likely to engage in or tolerate fraud.

 Continuous education and reinforcement of ethical behavior are essential components of an effective fraud prevention strategy

Introduction:

When verifying the validity of activities reported by a grantee, it is essential to gather evidence that the project was executed as intended and within the defined scope.

Effective Verification Methods:

A site visit allows the auditor to observe firsthand the activities and projects funded by the grant, ensuring they align with the grant's objectives and scope.

Options Analysis:

Option A: Visiting the grantee provides direct evidence of the project execution and alignment with the grant scope.

Option B: Verifying the final report against the initial budget request ensures financial compliance but does not confirm actual project activities.

Option C: Reconciling general ledger accounts verifies financial records but not the execution of activities.

Option D: Interviewing corporate affairs employees provides insight but not direct evidence of project execution.

Conclusion:

The best method to confirm the validity of the activities reported by a grantee is to visit the grantee and assess whether the project execution aligns with the defined grant scope.

Internal Audit Standards and Practice Guides .

A quality assurance and improvement program (QAIP) established by the chief audit executive (CAE) should ensure that the internal audit activity (IAA) adheres to the International Standards for the Professional Practice of Internal Auditing (Standards) and the IIA Code of Ethics. It should also aim to add value and improve the organization's operations. This comprehensive approach ensures that the internal audit function is not only compliant but also effective in enhancing the overall governance, risk management, and control processes within the organization.

IIA Standard 1300: Quality Assurance and Improvement Program.

IIA Standard 1320: Reporting on the Quality Assurance and Improvement Program.

According to IIA guidance, a draft work program prepared by the engagement supervisor after concluding a preliminary assessment would test the process controls. The work program outlines the specific procedures and steps the internal audit team will take to evaluate the effectiveness of the controls in place to mitigate identified risks.

IIA Standards: 2240 - Engagement Work Program

IIA Practice Guide: Engagement Planning

A. Increased completeness:Correct. Coordination ensures comprehensive risk identification across diverse categories.

B. Business managers can identify and assess risks:While true, this is not a primary advantage for internal audit coordination.

C. The internal audit activity can rely on management's risk assessment:Internal audit should validate, not solely rely on management’s assessment.

D. Organizationwide audits are required:Misrepresents the purpose of risk universe coordination.

CIA Exam Syllabus Reference:

Domain II: Risk Management and Control – Risk Universe.

In internal auditing, the "condition" of an observation refers to the specific state or situation that has been identified during the audit. It describes what is actually occurring and provides the factual basis for the observation. In this case, the statement "... the subsidiary did not submit required documentation for registration in the prior year." explicitly describes the observed deficiency, which is the failure to submit the necessary documentation. This condition highlights the exact issue that needs to be addressed by management.

IIA Practice Guide: "Audit Documentation"

IIA Standard 2410: "Criteria for Communicating"

The primary reasons for outsourcing internal audit activities typically include accessing a wider range of skills and competencies, complementing existing expertise for specific engagements, and strengthening core audit functions. Contingency planning, while beneficial, is not a primary reason for outsourcing internal audit activities as it pertains more to risk management strategies rather than the core objectives of outsourcing. References: = IIA’s Practice Advisory 1210.A1-1: Obtaining External Service Providers to Support or Complement the Internal Audit Activity.