Certified Internal Auditor® (CIA®) Sample Exam Questions

A. Incorrect. Final approval of the audit plan should reside with the board.
B. Correct. Approving the internal audit budget and resource plan is critical in establishing organizational independence.
C. Incorrect. Assisting with the hiring of staff is not an appropriate role for the board, though the board should approve decisions regarding the appointment and removal of the CAE.
D. Incorrect. Although coordination between internal and external auditors is encouraged, this would not promote organizational independence.

A. Incorrect. While internal audit can assess whether a Chief Information Officer (CIO) is in place and part of senior management, evaluating and selecting candidates is a management responsibility, not an appropriate role for internal audit.
B. Incorrect. Internal audit can assess governance standards and identify gaps, but developing policies to address these gaps is a management function. Internal audit must remain independent and avoid assuming management responsibilities.
C. Incorrect. Assisting management in evaluating complex IT-related risks and mitigation strategies may exceed the internal audit function's skills or expertise. Additionally, determining and implementing mitigation strategies is the responsibility of management.
D. Correct. Internal audit's role is to assess whether governance activities, including IT governance, align with the organization's risk appetite and consider emerging risks. This is consistent with internal audit's assurance and advisory roles, ensuring oversight without assuming management’s responsibilities.

A. Correct. A budget serves as a management control technique because it allows organizations to monitor performance, control costs, allocate resources, and make adjustments if actual results deviate from budgeted figures.
B. Incorrect. A risk assessment is used to identify and rank risks found in an organization.
C. Incorrect. The board of directors performs an oversight and establish the overall risk management framework.
D. Incorrect. The control environment reflects the collective attitude prevalent in an organization and is taken into consideration when a control technique is recommended.

A. Incorrect. This option is a common misconception. While internal auditors may assess the effectiveness of anti-fraud controls, detecting and investigating fraud is typically the responsibility of management or specialized fraud investigators.
B. Incorrect. While compliance auditing is a part of internal audit activities, it is not the primary purpose of internal auditing. Internal auditors focus on broader aspects, including governance, risk management, and advisory services.
C. Incorrect. This option describes a responsibility more aligned with financial management or strategic planning functions, not internal auditing. Internal auditors do not develop or implement financial strategies; they evaluate and advise on existing processes.
D. Correct. The Global Internal Audit Standards emphasize the dual role of internal auditing in providing independent assurance and valuable advisory services to help organizations achieve their objectives.

A. Incorrect. An internal auditor’s objectivity is not affected by completing 80 hours of CPE, and operations-related education may contribute to their competence to perform audits.
B. Correct. Rotating to other activities within the organization increases the risk that the internal auditor’s objectivity may be compromised, and internal auditors must refrain from assessing specific operations for which they were previously responsible.
C. Incorrect. This describes a policy which promotes independence of the internal audit function, not one which compromises objectivity.
D. Incorrect. It is appropriate for the CAE to conduct performance appraisals of audit staff. Reporting administratively to the CFO does not impair the independence of internal audit as long as functional reporting remains at the board level.

A. Correct. This does not represent sufficient evidence to support the conclusion that additional staff are required. Additional evidence, such as discussions with fraud unit supervisors, surveillance system access logs, or a review of the system's usefulness, should be gathered to substantiate the claim.
B. Incorrect. Staff testimony is partially reliable in this situation but is limited by the perspective of the individual employee and does not independently verify the need for additional staff.
C. Incorrect. The staff member’s opinion is relevant, as they are knowledgeable about the program and the surveillance system; however, relevancy alone is insufficient to support the conclusion.
D. Incorrect. If corroborated, this information would be useful in assisting the auditor to form an appropriate conclusion, but usefulness is not the primary issue in this case.

A. Incorrect. While the auditor-in-charge and the chief audit executive (CAE) should understand the workpapers, the true test of understandability is whether the workpapers can be understood by a skilled internal auditor who was not involved in the engagement.
B. Incorrect. Management of the audit client and the board are not the primary audience for workpapers. Although they might understand the workpapers, they are unlikely to review them, making this standard insufficient.
C. Correct. Workpapers should be understandable to another skilled internal auditor who was not involved in the engagement. This ensures that the workpapers are clear, comprehensive, and can allow another auditor to continue the engagement seamlessly if necessary.
D. Incorrect. While external auditors and regulatory agencies may need to review workpapers, the standard for understandability is whether a skilled internal auditor not involved in the engagement can understand them.

A. Correct. The auditor may clear the note once all points have been resolved satisfactorily, which helps ensure accuracy and completeness.
B. Incorrect. Management of the area under review should address issues directly in their operations but is not responsible for clearing the notes.
C. Incorrect. The chief audit executive may review work but is not required to initial or sign notes.
D. Incorrect. Review notes may be cleared upon sufficient clarification or resolution.

A. Incorrect. Cybersecurity risks are not identical across all organizations; they vary by industry. For example, the retail industry faces risks related to customer data protection, while research and development organizations face risks related to intellectual property security.
B. Incorrect. Installing antivirus and malware software addresses certain cybersecurity risks but does not prevent all risks. Cybersecurity threats can originate from multiple sources, including insiders and third-party service providers, which require additional controls beyond software installation.
C. Incorrect. While deploying proper cybersecurity measures mitigates risks and helps achieve organizational objectives, it does not guarantee business success.
D. Correct. Organizations with critical business operations and valuable information inherently face increased cybersecurity risks. Valuable information is often targeted by attackers, increasing the likelihood and impact of cybersecurity incidents.

A. Incorrect. ICQs do not provide testimonial evidence, which is typically obtained through interviews or direct statements from individuals.
B. Correct. The primary advantage of using internal control questionnaires (ICQs) is their efficiency. They allow auditors to quickly cover a large number of control procedures during the preliminary survey phase.
C. Incorrect. ICQs do not provide tangible evidence; they gather responses about control processes, but tangible evidence typically comes from document inspection or physical verification.
D. Incorrect. Putting observations into perspective is more associated with interviews, where discussions can provide context and nuance to findings.

A. Incorrect. The CAE is not responsible for directly remediating risks identified during an engagement. Risk remediation is the responsibility of management, while the CAE oversees the follow-up process to ensure that risks are addressed appropriately.
B. Correct. According to IIA guidance, the CAE is responsible for monitoring the disposition of results communicated to management. This includes ensuring that management has addressed audit recommendations or has accepted the risks of not taking action.
C. Incorrect. The CAE is not required to schedule follow-ups on a quarterly basis. The frequency of follow-ups depends on the nature and severity of the findings and the agreed-upon action plans according to the established follow-up procedure.
D. Incorrect. Scheduling a follow-up engagement is not the CAE’s direct responsibility if management accepts key risk exposures. The CAE’s role is to communicate these risks to senior management and the board for resolution, not to mandate follow-up engagements unless at request or according to established procedures.

A. Incorrect. While reporting the monitoring status to senior management is important, it should be done based on internal auditors' professional judgment regarding frequency and approach, rather than only when requested by senior management.
B. Incorrect. It is management’s responsibility to implement corrective actions. Internal auditors’ role is to provide recommendations and monitor the implementation but not to directly assist with implementation.
C. Correct. Determining the frequency and approach to monitoring is in line with Global Internal Audit Standards. Internal auditors must exercise professional judgment to establish an appropriate process for monitoring management action plans.
D. Incorrect. Internal auditors should use professional judgment to decide which types of observations to include in the monitoring process. Not all types of observations necessarily require follow-up and monitoring.

A. Incorrect. Past successes do not necessarily address current risks.
B. Correct. Addressing high-risk areas ensures alignment with organizational priorities.
C. Incorrect. Solely focusing on stakeholder requests may overlook significant risks.
D. Incorrect. Resource-based limitations may neglect critical risks.

A. Incorrect. Significant changes in the organization's accounting policies or procedures are operational issues and do not directly justify conducting an external assessment more frequently than five years. External assessments focus on the internal audit function’s conformance with professional standards rather than operational changes.
B. Incorrect. External assessments cannot replace internal assessments. Internal assessments, which include ongoing monitoring and periodic reviews, are essential for continuous improvement and complement external assessments.
C. Incorrect. Reciprocal arrangements, such as biennial assessments with a parent organization, may compromise objectivity and do not serve as recognized justifications for more frequent external assessments under IIA guidance.
D. Correct. A change in senior management or internal audit leadership may significantly alter expectations, commitment to conformance, and strategic objectives. Conducting a more frequent external assessment in these circumstances ensures alignment with new leadership’s vision and helps maintain the internal audit function’s credibility and effectiveness.

A. Incorrect. Establishing independence for internal auditors is achieved through the internal audit charter, not through a professional development plan. A professional development plan is aimed at improving skills and knowledge rather than defining independence.
B. Incorrect. While it is important for internal auditors to collectively possess diverse skills and knowledge, avoiding outsourcing should not be the ultimate objective. The CAE can obtain competent external advice and assistance when necessary, as it is impractical to train internal auditors in all potential areas of expertise.
C. Incorrect. While individual preferences and inclinations are valuable considerations, a professional development plan should prioritize organizational requirements, the extent and scope of audit work, and identified skills gaps over individual preferences.
D. Correct. A professional development plan should focus on addressing gaps in the skills needed to complete audit objectives effectively. Assessing current skills and pursuing educational and professional opportunities to fill development areas aligns with best practices.