Certified Internal Auditor® (CIA®) Sample Exam Questions

Part 1 Sample Exam Questions

Which of the following actions should the audit committee take to promote organizational independence for the internal audit function?

A. Delegate final approval of the risk-based internal audit plan to the chief audit executive (CAE).
B. Approve the annual budget and resource plan for the internal audit function.
C. Assist the CAE with hiring objective and competent internal audit staff.
D. Encourage the CAE to communicate and coordinate with the external auditor.

With regard to IT governance, which of the following is the most effective and appropriate role for the internal audit function?

A. Independently evaluate the skills and experience of potential chief information officer candidates to assess the best fit based on the organization's risk appetite.
B. Evaluate the organization's governance standards and assess IT-related activities to identify gaps and develop policies, ensuring alignment with the organization's risk appetite.
C. Assist management in interpreting complex IT-related privacy and security risk exposures and evaluating potential mitigation strategies.
D. Assess whether governance activities are aligned with the organization's risk appetite and take into consideration emerging risks.

Which of the following is an example of a management control technique?

A. A budget.
B. A risk assessment.
C. The board of directors.
D. The control environment.

What is the primary purpose of internal auditing, as defined by the Global Internal Audit Standards?

A. To detect and investigate fraud within an organization.
B. To ensure compliance with external regulations and laws.
C. To develop and implement financial strategies for organizational growth.
D. To provide assurance and advisory services to improve an organization's governance, risk management, and control processes.

Upon joining the internal audit function, each new auditor receives a copy of the audit handbook. Which of the following handbook policies has the greatest risk of compromising audit objectivity?

A. Internal auditors should obtain 80 hours of continuing professional education every two years, 20 of which should be audit-related, and the remainder may be operations-related.
B. Internal auditors should rotate to other areas of the organization for nonaudit assignments to gain an understanding of the organization’s operations.
C. Internal auditors should have direct and unrestricted access to personnel and information throughout the organization and the governing board.
D. Internal auditors should undergo annual performance appraisals conducted by the chief audit executive, who reports administratively to the chief financial officer.

Part 2 Sample Exam Questions

During the review of an organization's retail fraud deterrence program, an employee mentions that an expensive fraud surveillance information system is rarely used. The internal auditor concludes that additional staff are required to properly utilize the system to its full potential. According to IIA guidance, which criterion for evidence is most lacking to reach this conclusion?

A. Sufficiency.
B. Reliability.
C. Relevancy.
D. Usefulness.

Which of the following best describes the guideline for preparing audit engagement workpapers?

A. Workpapers should be understandable to the auditor in charge and the chief audit executive.
B. Workpapers should be understandable to the audit client and the board.
C. Workpapers should be understandable to another internal auditor who was not involved in the engagement.
D. Workpapers should be understandable to external auditors and regulatory agencies.

When reviewing workpapers, engagement supervisors may ask for additional evidence or clarification via review notes. According to IIA guidance, which of the following statements is true regarding the engagement supervisor's review notes?

A. The review notes may be cleared from the final documentation once the engagement supervisor's concerns have been addressed.
B. Management of the area under review must address the engagement supervisor's review notes before the audit report can be finalized.
C. The chief audit executive must initial or sign the engagement supervisor's review notes to provide evidence of appropriate engagement supervision.
D. Review notes provide documented proof that the engagement is supervised properly and must be retained for the quality assurance and improvement program.

When planning an audit engagement, what should be recognized regarding cybersecurity risk?

A. Cybersecurity risks are identical across all organizations, regardless of industry.
B. Installation of antivirus and malware software prevents cybersecurity risks.
C. Deployment of proper cybersecurity measures guarantees business success.
D. Critical businesses and valuable information increase cybersecurity risks.

Which of the following is the advantage of using internal control questionnaires (ICQs) as part of a preliminary survey for an engagement?

A. ICQs provide testimonial evidence.
B. ICQs are efficient.
C. ICQs provide tangible evidence to be quantified.
D. ICQs put observations into perspective.

Part 3 Sample Exam Questions

According to IIA guidance, which of the following statements is true regarding the follow-up process responsibilities of the chief audit executive (CAE)?

A. The CAE is responsible for the remediation of risks identified during an engagement.
B. The CAE is responsible for monitoring the disposition of results communicated to management.
C. The CAE is responsible for scheduling follow-ups of all outstanding recommendations on a quarterly basis.
D. The CAE is responsible for scheduling a follow-up engagement where key risk exposures have been accepted by management.

Which of the following is most appropriate for internal auditors to do with regard to the internal audit recommendations monitoring process?

A. Report the monitoring status to senior management when requested.
B. Assist management with implementing corrective actions.
C. Determine the frequency and approach to monitoring.
D. Include all types of observations in the monitoring process.

The chief audit executive is developing the annual audit plan. What should be the primary focus?

A. Align the plan with past audit successes.
B. Ensure the plan addresses the highest risk areas identified in the risk assessment.
C. Focus on areas requested by stakeholders.
D. Limit the plan to areas where internal resources are available.

Which of the following is the most appropriate reason for a chief audit executive to conduct an external assessment more frequently than every five years?

A. Significant changes in the organization's accounting policies or procedures would warrant timely analysis and feedback.
B. More frequent external assessments can serve as an equivalent substitute for internal assessments.
C. The parent organization's internal audit function agreed to perform biennial reciprocal external assessments to provide greater assurance at a reduced cost.
D. A change in senior management or internal audit leadership may change expectations and commitment to conformance.

Which of the following is the most appropriate objective for establishing a professional development plan for the internal audit function?

A. A plan that focuses on furthering the independence of the internal audit function.
B. A plan that ensures internal auditors collectively possess expertise in various fields to avoid outsourcing.
C. A plan based on individual preferences and proposals, which helps internal auditors achieve greater success.
D. A plan that focuses on filling gaps in the current skills needed to complete audit objectives.