Certified Internal Auditor® (CIA®) Sample Exam Questions
Part 1 Sample Exam Questions
Which of the following actions should the audit committee take to promote organizational independence for the internal audit function?
A. Delegate final approval of the risk-based internal audit plan to the chief audit executive (CAE).
B. Approve the annual budget and resource plan for the internal audit function.
C. Assist the CAE with hiring objective and competent internal audit staff.
D. Encourage the CAE to communicate and coordinate with the external auditor.
-
A. Incorrect. Final approval of the audit plan should reside with the board.
B. Correct. Approving the internal audit budget and resource plan is critical in establishing organizational independence.
C. Incorrect. Assisting with the hiring of staff is not an appropriate role for the board, though the board should approve decisions regarding the appointment and removal of the CAE.
D. Incorrect. Although coordination between internal and external auditors is encouraged, this would not promote organizational independence.
With regard to IT governance, which of the following is the most effective and appropriate role for the internal audit function?
A. Independently evaluate the skills and experience of potential chief information officer candidates to assess the best fit based on the organization's risk appetite.
B. Evaluate the organization's governance standards and assess IT-related activities to identify gaps and develop policies, ensuring alignment with the organization's risk appetite.
C. Assist management in interpreting complex IT-related privacy and security risk exposures and evaluating potential mitigation strategies.
D. Assess whether governance activities are aligned with the organization's risk appetite and take into consideration emerging risks.
-
A. Incorrect. While internal audit can assess whether a Chief Information Officer (CIO) is in place and part of senior management, evaluating and selecting candidates is a management responsibility, not an appropriate role for internal audit.
B. Incorrect. Internal audit can assess governance standards and identify gaps, but developing policies to address these gaps is a management function. Internal audit must remain independent and avoid assuming management responsibilities.
C. Incorrect. Assisting management in evaluating complex IT-related risks and mitigation strategies may exceed the internal audit function's skills or expertise. Additionally, determining and implementing mitigation strategies is the responsibility of management.
D. Correct. Internal audit's role is to assess whether governance activities, including IT governance, align with the organization's risk appetite and consider emerging risks. This is consistent with internal audit's assurance and advisory roles, ensuring oversight without assuming management’s responsibilities.
Which of the following is an example of a management control technique?
A. A budget.
B. A risk assessment.
C. The board of directors.
D. The control environment.
-
A. Correct. A budget serves as a management control technique because it allows organizations to monitor performance, control costs, allocate resources, and make adjustments if actual results deviate from budgeted figures.
B. Incorrect. A risk assessment is used to identify and rank risks found in an organization.
C. Incorrect. The board of directors performs an oversight role and establishes the overall risk management framework; it is a governance body, not a control technique.
D. Incorrect. The control environment reflects the collective attitude prevalent in an organization and is taken into consideration when a control technique is recommended.
What is the primary purpose of internal auditing, as defined by the Global Internal Audit Standards?
A. To detect and investigate fraud within an organization.
B. To ensure compliance with external regulations and laws.
C. To develop and implement financial strategies for organizational growth.
D. To provide assurance and advisory services to improve an organization's governance, risk management, and control processes.
-
A. Incorrect. This option is a common misconception. While internal auditors may assess the effectiveness of anti-fraud controls, detecting and investigating fraud is typically the responsibility of management or specialized fraud investigators.
B. Incorrect. While compliance auditing is a part of internal audit activities, it is not the primary purpose of internal auditing. Internal auditors focus on broader aspects, including governance, risk management, and advisory services.
C. Incorrect. This option describes a responsibility more aligned with financial management or strategic planning functions, not internal auditing. Internal auditors do not develop or implement financial strategies; they evaluate and advise on existing processes.
D. Correct. The Global Internal Audit Standards emphasize the dual role of internal auditing in providing independent assurance and valuable advisory services to help organizations achieve their objectives.
Upon joining the internal audit function, each new auditor receives a copy of the audit handbook. Which of the following handbook policies has the greatest risk of compromising audit objectivity?
A. Internal auditors should obtain 80 hours of continuing professional education every two years, 20 of which should be audit-related, and the remainder may be operations-related.
B. Internal auditors should rotate to other areas of the organization for nonaudit assignments to gain an understanding of the organization’s operations.
C. Internal auditors should have direct and unrestricted access to personnel and information throughout the organization and the governing board.
D. Internal auditors should undergo annual performance appraisals conducted by the chief audit executive, who reports administratively to the chief financial officer.
-
A. Incorrect. An internal auditor’s objectivity is not affected by completing 80 hours of CPE, and operations-related education may contribute to their competence to perform audits.
B. Correct. Rotating to other activities within the organization increases the risk that the internal auditor’s objectivity may be compromised, and internal auditors must refrain from assessing specific operations for which they were previously responsible.
C. Incorrect. This describes a policy which promotes independence of the internal audit function, not one which compromises objectivity.
D. Incorrect. It is appropriate for the CAE to conduct performance appraisals of audit staff. Reporting administratively to the CFO does not impair the independence of internal audit as long as functional reporting remains at the board level.
Part 2 Sample Exam Questions
During the review of an organization's retail fraud deterrence program, an employee mentions that an expensive fraud surveillance information system is rarely used. The internal auditor concludes that additional staff are required to properly utilize the system to its full potential. According to IIA guidance, which criteria for evidence is most lacking to reach this conclusion?
A. Sufficiency.
B. Reliability.
C. Relevancy.
D. Usefulness.
-
A. Correct. This does not represent sufficient evidence to support the conclusion that additional staff are required. Additional evidence, such as discussions with fraud unit supervisors, surveillance system access logs, or a review of the system's usefulness, should be gathered to substantiate the claim.
B. Incorrect. Staff testimony is partially reliable in this situation but is limited by the perspective of the individual employee and does not independently verify the need for additional staff.
C. Incorrect. The staff member’s opinion is relevant, as they are knowledgeable about the program and the surveillance system; however, relevancy alone is insufficient to support the conclusion.
D. Incorrect. If corroborated, this information would be useful in assisting the auditor to form an appropriate conclusion, but usefulness is not the primary issue in this case.
Which of the following best describes the guideline for preparing audit engagement workpapers?
A. Workpapers should be understandable to the auditor in charge and the chief audit executive.
B. Workpapers should be understandable to the audit client and the board.
C. Workpapers should be understandable to another internal auditor who was not involved in the engagement.
D. Workpapers should be understandable to external auditors and regulatory agencies.
-
A. Incorrect. While the auditor-in-charge and the chief audit executive (CAE) should understand the workpapers, the true test of understandability is whether the workpapers can be understood by a skilled internal auditor who was not involved in the engagement.
B. Incorrect. Management of the audit client and the board are not the primary audience for workpapers. Although they might understand the workpapers, they are unlikely to review them, making this standard insufficient.
C. Correct. Workpapers should be understandable to another skilled internal auditor who was not involved in the engagement. This ensures that the workpapers are clear, comprehensive, and can allow another auditor to continue the engagement seamlessly if necessary.
D. Incorrect. While external auditors and regulatory agencies may need to review workpapers, the standard for understandability is whether a skilled internal auditor not involved in the engagement can understand them.
When reviewing workpapers, engagement supervisors may ask for additional evidence or clarification via review notes. According to IIA guidance, which of the following statements is true regarding the engagement supervisor's review notes?
A. The review notes may be cleared from the final documentation once the engagement supervisor's concerns have been addressed.
B. Management of the area under review must address the engagement supervisor's review notes before the audit report can be finalized.
C. The chief audit executive must initial or sign the engagement supervisor's review notes to provide evidence of appropriate engagement supervision.
D. Review notes provide documented proof that the engagement is supervised properly and must be retained for the quality assurance and improvement program.
-
A. Correct. The auditor may clear the note once all points have been resolved satisfactorily, which helps ensure accuracy and completeness.
B. Incorrect. Management of the area under review should address issues directly in their operations but is not responsible for clearing the notes.
C. Incorrect. The chief audit executive may review work but is not required to initial or sign notes.
D. Incorrect. Review notes may be cleared upon sufficient clarification or resolution.
When planning an audit engagement, what should be recognized regarding cybersecurity risk?
A. Cybersecurity risks are identical across all organizations, regardless of industry.
B. Installation of antivirus and anti-malware software prevents cybersecurity risks.
C. Deployment of proper cybersecurity measures guarantees business success.
D. Critical businesses and valuable information increase cybersecurity risks.
-
A. Incorrect. Cybersecurity risks are not identical across all organizations; they vary by industry. For example, the retail industry faces risks related to customer data protection, while research and development organizations face risks related to intellectual property security.
B. Incorrect. Installing antivirus and anti-malware software addresses certain cybersecurity risks but does not prevent all of them. Cybersecurity threats can originate from multiple sources, including insiders and third-party service providers, which require additional controls beyond software installation.
C. Incorrect. While deploying proper cybersecurity measures mitigates risks and helps achieve organizational objectives, it does not guarantee business success.
D. Correct. Organizations with critical business operations and valuable information inherently face increased cybersecurity risks. Valuable information is often targeted by attackers, increasing the likelihood and impact of cybersecurity incidents.
Which of the following is the advantage of using internal control questionnaires (ICQs) as part of a preliminary survey for an engagement?
A. ICQs provide testimonial evidence.
B. ICQs are efficient.
C. ICQs provide tangible evidence to be quantified.
D. ICQs put observations into perspective.
-
A. Incorrect. ICQs do not provide testimonial evidence, which is typically obtained through interviews or direct statements from individuals.
B. Correct. The primary advantage of using internal control questionnaires (ICQs) is their efficiency. They allow auditors to quickly cover a large number of control procedures during the preliminary survey phase.
C. Incorrect. ICQs do not provide tangible evidence; they gather responses about control processes, but tangible evidence typically comes from document inspection or physical verification.
D. Incorrect. Putting observations into perspective is more associated with interviews, where discussions can provide context and nuance to findings.
Part 3 Sample Exam Questions
According to IIA guidance, which of the following statements is true regarding the follow-up process responsibilities of the chief audit executive (CAE)?
A. The CAE is responsible for the remediation of risks identified during an engagement.
B. The CAE is responsible for monitoring the disposition of results communicated to management.
C. The CAE is responsible for scheduling follow-ups of all outstanding recommendations on a quarterly basis.
D. The CAE is responsible for scheduling a follow-up engagement where key risk exposures have been accepted by management.
-
A. Incorrect. The CAE is not responsible for directly remediating risks identified during an engagement. Risk remediation is the responsibility of management, while the CAE oversees the follow-up process to ensure that risks are addressed appropriately.
B. Correct. According to IIA guidance, the CAE is responsible for monitoring the disposition of results communicated to management. This includes ensuring that management has addressed audit recommendations or has accepted the risks of not taking action.
C. Incorrect. The CAE is not required to schedule follow-ups on a quarterly basis. The frequency of follow-ups depends on the nature and severity of the findings and the agreed-upon action plans according to the established follow-up procedure.
D. Incorrect. Scheduling a follow-up engagement is not the CAE’s direct responsibility if management accepts key risk exposures. The CAE’s role is to communicate these risks to senior management and the board for resolution, not to mandate follow-up engagements unless at request or according to established procedures.
Which of the following is most appropriate for internal auditors to do with regard to the internal audit recommendations monitoring process?
A. Report the monitoring status to senior management when requested.
B. Assist management with implementing corrective actions.
C. Determine the frequency and approach to monitoring.
D. Include all types of observations in the monitoring process.
-
A. Incorrect. While reporting the monitoring status to senior management is important, it should be done based on internal auditors' professional judgment regarding frequency and approach, rather than only when requested by senior management.
B. Incorrect. It is management’s responsibility to implement corrective actions. Internal auditors’ role is to provide recommendations and monitor the implementation but not to directly assist with implementation.
C. Correct. Determining the frequency and approach to monitoring is in line with Global Internal Audit Standards. Internal auditors must exercise professional judgment to establish an appropriate process for monitoring management action plans.
D. Incorrect. Internal auditors should use professional judgment to decide which types of observations to include in the monitoring process. Not all types of observations necessarily require follow-up and monitoring.
The chief audit executive is developing the annual audit plan. What should be the primary focus?
A. Align the plan with past audit successes.
B. Ensure the plan addresses the highest risk areas identified in the risk assessment.
C. Focus on areas requested by stakeholders.
D. Limit the plan to areas where internal resources are available.
-
A. Incorrect. Past successes do not necessarily address current risks.
B. Correct. Addressing high-risk areas ensures alignment with organizational priorities.
C. Incorrect. Solely focusing on stakeholder requests may overlook significant risks.
D. Incorrect. Resource-based limitations may neglect critical risks.
Which of the following is the most appropriate reason for a chief audit executive to conduct an external assessment more frequently than once every five years?
A. Significant changes in the organization's accounting policies or procedures would warrant timely analysis and feedback.
B. More frequent external assessments can serve as an equivalent substitute for internal assessments.
C. The parent organization's internal audit function agreed to perform biennial reciprocal external assessments to provide greater assurance at a reduced cost.
D. A change in senior management or internal audit leadership may change expectations and commitment to conformance.
-
A. Incorrect. Significant changes in the organization's accounting policies or procedures are operational issues and do not directly justify conducting an external assessment more frequently than once every five years. External assessments focus on the internal audit function's conformance with professional standards rather than on operational changes.
B. Incorrect. External assessments cannot replace internal assessments. Internal assessments, which include ongoing monitoring and periodic reviews, are essential for continuous improvement and complement external assessments.
C. Incorrect. Reciprocal arrangements, such as biennial assessments with a parent organization, may compromise objectivity and do not serve as recognized justifications for more frequent external assessments under IIA guidance.
D. Correct. A change in senior management or internal audit leadership may significantly alter expectations, commitment to conformance, and strategic objectives. Conducting a more frequent external assessment in these circumstances ensures alignment with new leadership’s vision and helps maintain the internal audit function’s credibility and effectiveness.
Which of the following is the most appropriate objective for establishing a professional development plan for the internal audit function?
A. A plan that focuses on furthering the independence of the internal audit function.
B. A plan that ensures internal auditors collectively possess expertise in various fields to avoid outsourcing.
C. A plan based on individual preferences and proposals, which helps internal auditors achieve greater success.
D. A plan that focuses on filling gaps in the current skills needed to complete audit objectives.
-
A. Incorrect. Establishing independence for internal auditors is achieved through the internal audit charter, not through a professional development plan. A professional development plan is aimed at improving skills and knowledge rather than defining independence.
B. Incorrect. While it is important for internal auditors to collectively possess diverse skills and knowledge, avoiding outsourcing should not be the ultimate objective. The CAE can obtain competent external advice and assistance when necessary, as it is impractical to train internal auditors in all potential areas of expertise.
C. Incorrect. While individual preferences and inclinations are valuable considerations, a professional development plan should prioritize organizational requirements, the extent and scope of audit work, and identified skills gaps over individual preferences.
D. Correct. A professional development plan should focus on addressing gaps in the skills needed to complete audit objectives effectively. Assessing current skills and pursuing educational and professional opportunities to fill development areas aligns with best practices.