This PDF contains a set of carefully selected practice questions for the

IIA-CIA-Part2 exam. These questions are designed to reflect the

structure, difficulty, and topics covered in the actual exam, helping you
reinforce your understanding and identify areas for improvement.

What's Inside:

1. Topic-focused questions based on the latest exam objectives

2. Accurate answer keys to support self-review
3. Designed to simulate the real test environment
4. Ideal for final review or daily practice

Important Note:

This material is for personal study purposes only. Please do not

redistribute or use for commercial purposes without permission.

For full access to the complete question bank and topic-wise explanations, visit:
CertQuestionsBank.com

Our YouTube: https://www.youtube.com/@CertQuestionsBank

FB page: https://www.facebook.com/certquestionsbank
Share some IIA-CIA-Part2 exam online questions below.
1.An internal auditor wanted to determine whether the organization's 200 employees are charging
their work hours accurately to the correct project. The internal auditor selected a sample of 30
employee time reports for testing.
Based on the testing, the internal auditor determined the following:
- 5 Time reports were incorrect.
- 21 Time reports were correct.
- 4 Time reports were not supported.
A. The organization has significant flaws in its reporting of employee time, which could lead to the
overstatement of project labor costs. The organization's failure to report accurate and complete
employee time could lead to potential fraud and abuse.
B. The organization needs to ensure that all reporting of employee time is accurate and complete for
each of its projects By dang so the organization can minimize potential issues related to overstating
employee tames and labor project costs.
C. The organization overstated project costs due to inaccurate and incomplete reporting of employee
time charged to the affected accounts As a result the organization cannot ensure at protects costs are
accurately reported to stakeholders
D. The organization generally ensured that employee hours charged to each project were accurate
and complete. However, there were instances of employee time reports that were incorrect or not
supported to justify the multiple project labor coats
Answer: B

2.During a consulting engagement an internal auditor wants to determine whether all principal
stakeholders are involved in a project.
Which tool should the auditor use?
A. RACI (responsible, accountable, consult and inform) chart
B. Flowchart
C. SWOT {strengths. weaknesses opportunities, and threats) analysis
D. Workflow analysis
Answer: A

3.A manufacturer is under contract to produce and deliver a number of aircraft to a major airline. As
part of the contract, the manufacturer is also providing training to the airline's pilots. At the time of the
audit, the delivery of the aircraft had fallen substantially behind schedule while the training had
already been completed.
If half of the aircraft under contract have been delivered, which of the following should the internal
auditor expect to be accounted for in the general ledger?
A. Training costs allocated to the number of aircraft delivered, and the cost of actual production hours
completed to date.
B. All completed training costs, and the cost of actual production hours completed to date.
C. Training costs allocated to the number of aircraft delivered, and 50% of contracted production
costs.
D. All completed training costs, and 50% of the contracted production costs.
Answer: D

4. The results of a preliminary risk assessment of the activity under review: High-risk areas may
require more experienced auditors or additional staff. CIA Exam Syllabus
Reference: Domain IV: Managing the Internal Audit Function C Staffing and Resource Allocation.

5.Which of the following statements is true regarding engagement planning?

A. The engagement objectives are the boundaries for the engagement, which outline what will be
included in the review
B. The risk-based objectives of the engagement can be determined once the scope of the
engagement has been formed
C. For a consulting engagement, planning typically occurs after the engagement objectives and scope
have already been determined
D. For an assurance engagement, once the scope is established and testing has begun, the scope
cannot be modified.
Answer: C

6. Conclusion on the control weakness.

7. Consider whether the information collected is in compliance with applicable laws.

8.Which of the following behaviors could represent a significant ethical risk if exhibited by an
organization's board?

9.An internal auditor was assigned to review controls in the accounts payable function. Most of tie
accounts payable processes are performed by a third-party service provider. The auditor included in
the audit report a number of control deficiencies involving processes performed by the service
provider. The service provider requested a copy of the report.
Which of Vie following would be the most appropriate response from the chief audit executive (CAE)?
A. The CAE would automatically sand a copy of the report to the service provider as many of the
findings relate to Via area managed by the service provider
B. The CAE may distribute the report to tie service provider at no cost, after consulting with legal
counsel and tie chief compliance officer
C. The CAE may provide a copy of the audit report to the service provider If an agreement & signed
and the service provider agrees to reimburse the cost of the audit
D, The CAE should benchmark with other organization in the industry by consorting with colleagues
and distribute the report only I it is an acceptable practice m the industry
Answer: A

10. If there is a significant error or omission in the final audit report that was communicated to
management, which of the following is the key action for the internal audit activity?
A. Communicate the corrected information to the manager of the audited department.
B. There should be a follow-up audit to address the error or omission.
C. The auditor should update the scope of the audit to include the omission.
D. The corrected communication should be redistributed to the original recipients.
Answer: D
Explanation:
If a significant error or omission is found in the final audit report, it is crucial for the internal audit
activity to correct the information and redistribute the corrected report to all original recipients. This
ensures that all stakeholders are informed of the accurate findings and can take appropriate actions
based on correct information.
IIA
Reference: IIA Standard 2440: Disseminating Results requires that the internal audit activity
communicate accurate and complete results. If an error or omission is identified, the corrected
information must be promptly communicated to all relevant parties to maintain the integrity of the audit
process. The Practice Guide on Communicating Results emphasizes that errors in audit reports
should be corrected and the revised report should be distributed to ensure stakeholders are acting on
accurate information.

11. Which of the following is the primary reason a chief audit executive should network with an
organization’s executives?
A. To better understand and influence executives' planning.
B. To make executives aware of the benefits that the internal audit activity can provide.
C. To assist executives in setting the organization’s risk appetite.
D. To have a better understanding of the training needed to strengthen the audit team.
Answer: B
Explanation:
Step-by-Step Detailed Explanation
A . To better understand and influence executives' planning:
Influencing planning is not a primary purpose of networking.
B . To make executives aware of the benefits that the internal audit activity can provide:
Correct. Networking ensures executives understand how internal audit can add value.
C . To assist executives in setting the organization’s risk appetite:
Risk appetite is primarily a management responsibility.
D . To have a better understanding of the training needed for the audit team:
Training needs can be assessed through other means.
CIA Exam Syllabus
Reference: Domain IV: Managing the Internal Audit Function C Stakeholder Engagement.

12.A newly appointed chief audit executive (CAE) of a small organization is developing a resource
management plan.
Which of the following approaches would be most beneficial to help the CAE obtain details of the
Internal audit activity's collective knowledge skills, and other competencies?
A. Review or establish a documented skills assessment of the internal audit staff and gather
information from post-audit surveys
B. Obtain from the human resources department the job descriptions and position requirements for all
internal audit staff
C. Conduct an objective written test of the internal audit staff to assess their knowledge and skills
related to core internal audit competencies
D. Request the internal audit staff to submit a document that summarizes their most recent
performance appraisals and post audit reviews
Answer: A

13.Which of the following engagement supervision activities should be performed first?

A. Ensure that internal audit recommendations are practical, cost-effective, and value-added
B. Ensure that internal audit conclusions am based on sufficient and reliable evidence
C. Ensure that risks to the timely completion of the engagement are assessed
D. Ensure that performance assessments are completed for audit team members
Answer: C
14. Which type of engagement would be the most appropriate to assess the maturity and rigor of the
organization wide risk management process of a target entity that management is considering
acquiring?
A. A due diligence engagement.
B. An operational audit engagement.
C. A feasibility study engagement.
D. A risk and control self-assessment engagement.
Answer: A
Explanation:
A due diligence engagement is the most appropriate type of engagement for assessing the maturity
and rigor of the organization-wide risk management process of a target entity that management is
considering acquiring. Due diligence involves a comprehensive appraisal of a business undertaken by
a prospective buyer, especially to establish its assets and liabilities and evaluate its commercial
potential. It typically includes evaluating financials, operational processes, and risk management
frameworks to ensure informed decision-making about the acquisition.
Reference: The Institute of Internal Auditors (IIA), Practice Guide on Due Diligence
"Mergers and Acquisitions: A Step-by-Step Legal and Practical Guide" by Edwin L. Miller, Jr.

15. A preliminary observation document contains more detail than tie observation description in the
engagement workpapers
A. 1 and 2
B. 1 and 4
C. 2 and3
D. 3 and 4
Answer: C

16.According to IIA guidance, which of the following is true about the supervising internal auditor's
review notes?
• They are discussed with management prior to finalizing the audit.
• They may be discarded after working papers are amended as appropriate.
• They are created by the auditor to support her fieldwork in case of questions.
• They are not required to support observations issued in the audit report.
A. 1 and 3 only
B. 1 and 4 only
C. 2 and 3 only
D. 2 and 4 only
Answer: D

17.A chief audit executive (CAE) determined that management chose to accept a high-level risk that
may be unacceptable lo the organization.
Which is the best course of action for the CAE to Follow?
A. Include using in a subsequent audit to determine if the risks are still present
B. Discuss the matter with senior management and it not reserved with the board
C. Require that management implement controls to mitigate lie risks
D. Report the risks to the process owners so that they can modify their process
Answer: B
18.Which of the following parties is accountable for ensuring adequate support for conclusions and
opinions readied by the internal audit activity while relying on external auditors' work?
A. Board of directors
B. External auditors
C. Chief audit executive
D. Senior management
Answer: C

19. During the review of an organization's retail fraud deterrence program, an employee mentions that
an expensive fraud surveillance information system is rarely used. The internal auditor concludes that
additional staff are required to properly utilize the system to its full potential.
According to IIA guidance, which criteria for evidence is most lacking to reach this conclusion?
A. Sufficiency.
B. Reliability.
C. Relevancy.
D. Usefulness.
Answer: A
Explanation:
In internal auditing, evidence must meet certain criteria to support conclusions and recommendations.
According to IIA guidance, evidence should be sufficient, reliable, relevant, and useful. In this
scenario, the internal auditor concludes that additional staff are needed to fully utilize a fraud
surveillance system based on an employee’s statement. However, the conclusion may lack sufficient
evidence to support it.
Detailed Explanation
IIA Standard 2310 C Identifying Information:
This standard requires that internal auditors identify sufficient, reliable, relevant, and useful
information to achieve the engagement’s objectives. "Sufficiency" refers to the quantity of evidence
necessary to convince an informed person of the validity of the auditor’s findings and
recommendations.
Sufficiency of Evidence:
The auditor's conclusion about the need for additional staff is based on a single employee’s remark,
which is not sufficient evidence. The auditor would need to gather more evidence, such as analyzing
workload data, reviewing system logs, or assessing staff capacity, to support the conclusion fully.
IIA Practice Advisory 2310-1:
This advisory emphasizes the need for auditors to obtain enough factual evidence to support their
findings. Relying solely on anecdotal evidence from one employee does not meet the standard for
sufficiency.
Why Not Other Options?
Option B (Reliability): Reliability refers to the accuracy and credibility of the evidence. The employee's
statement might be credible but still insufficient in quantity.
Option C (Relevancy): The employee’s comment is relevant to the issue, but relevancy alone does
not make the evidence sufficient.
Option D (Usefulness): The information could be useful, but it lacks the sufficiency needed to justify
the auditor’s conclusion.

20.The chief audit executive of an international organization is planning an audit of the treasury
function located at the organization's headquarters. The current internal audit team at headquarters
lacks expertise in the area of financial markets which is needed tor the engagement.
When of the following would be the most approbate solution considering the time constraint?
A. Outsource the engagement 10 tie organization's external auditor who has expertise in the area of
financial markets
B. Hire additional internal auditors who have expertise in the area of financial markets.
C. Invite a guest auditor from one of the organization's affiliates who has expertise m the area of
financial markets.
D. Limit the scope of the engagement to the knowledge and skills possessed by the internal audit
team.
Answer: C

21. According to IIA guidance, which of the following statements about analytical procedures is true?
A. Analytical procedures compare information against expectations.
B. Analytical procedures begin after the engagement’s planning phase.
C. Analytical procedures provide internal auditors with explainable results.
D. Analytical procedures are computer-assisted audit techniques.
Answer: A
Explanation:
Analytical procedures involve evaluating financial and operational information by comparing it with
expected values. These expectations can be based on historical data, industry benchmarks, budgets,
or other relevant criteria. The primary purpose of analytical procedures is to identify any unusual or
unexpected variations that could indicate potential issues or areas requiring further investigation. IIA
Reference: IIA Standard 2320: Analysis and Evaluation requires internal auditors to analyze and
evaluate the information gathered during an engagement. Analytical procedures are a critical part of
this process, as they help auditors identify trends, anomalies, and areas of risk by comparing actual
results with expectations.
The Practice Guide on Analytical Procedures defines these procedures as the analysis of
relationships between different sets of data, with the goal of identifying inconsistencies or unexpected
patterns.

22.An internal auditor submitted a report containing recommendations for management to enhance
internal controls related to investments.
To follow up, which of the following is the most appropriate action for the internal auditor to take?
A. Observe corrective measures.
B. Seek a management assurance declaration.
C. Follow up during the next scheduled audit.
D. Conduct appropriate testing to verify management responses.
Answer: D

23. Approach an external service provider to conduct internal audits on certain areas of the
organization, due to a lack of skills in the organization.

24.What is the primary objective of an engagement supervisor's review of key activities performed
during the engagement?
A. To ensure that the engagement is completed on time and within budget
B. To ensure that all work performed meets acceptable quality standards
C. To ensure that management has provided suitable responses to all observations
D. To ensure that management is satisfied with the progress of the engagement
Answer: A
25.According to MA guidance, which of the following factors should an internal auditor consider when
assessing the likelihood of fraud risk1?
A. The effect on the organization's reputation
B. Any potential damage to the organization's relationship with customers.
C. Past fraud allegations and actual occurrences
D. The potential and realized financial impacts
Answer: C

26.During follow-up, the chief audit executive (CAE) is having a discussion with management about
the internal audit team's recommendations related to a significant issue Management accepted the
issue but took no remedial action.
What is the next step for the CAE?
A. The CAE should reassess and validate the risk tolerance policy
B. The CAE should escalate the issue to senior management .
C. The CAE should reiterate the internal audit team's recommendations to management .
D. The CAE should grant management more time to implement the recommendation and check the
status of the issue during the next scheduled follow-up.
Answer: B

27.Which of the following has the greatest effect on the efficiency of an audit?
A. The complexity of deficiency findings.
B. The adequacy of preliminary survey information.
C. The organization and content of workpapers.
D. The method and amount of supporting detail used for the audit report.
Answer: B

28. An internal auditor performed a test of controls and found that a statistically selected
representative sample of recorded transactions within the account receivables ledger had an error
rate that was within management expectations. The associated revenue account was outside the
scope of the audit engagement.
How should the conclusion to this engagement be reported?
A. The auditor should state that the error rate was within the selected confidence level.
B. Negative assurance should be provided, as the associated revenue account was not examined.
C. The auditor should state that controls over the recording of transactions in the revenue account are
operating effectively.
D. Positive assurance could be provided for the effectiveness of the accounts receivable controls.
Answer: D
Explanation:
In this scenario, the internal auditor performed a test of controls on the accounts receivable ledger
and found that the error rate was within management's expectations. Since the audit focused on the
accounts receivable controls, the conclusion should be specific to the scope of the engagement. The
auditor can provide positive assurance about the effectiveness of the controls over the recording of
transactions in the accounts receivable ledger, as the evidence gathered supports this conclusion. IIA
Reference: IIA Standard 2410: Criteria for Communicating states that communications must include
the engagement’s objectives and scope as well as applicable conclusions, recommendations, and
action plans. Since the engagement was focused on accounts receivable, the assurance provided
should relate specifically to the controls in that area.
The Practice Guide on Communicating Results emphasizes that conclusions and assurance should
be directly related to the scope of the engagement and the evidence obtained.
29. The auditors’ preference to audit the area:
Preferences should not determine staffing; decisions should be based on the organization’s needs.

30.The human resources (HR) department was last reviewed three years ago and is due for an
assurance engagement after undergoing recent process changes.
Which of the following would the most effective option identify the HR department's risks and
controls?
A. Meet with the chief operating officer 10 obtain Information about the MR department
B. Review the previous internal audit report and locus on key audit observations and action plans
C. Review the organization's risk strategy and risk appetite framework
D. Discuss the department's present strategies ‘and objectives with the head of the HR department
Answer: D

31. In the opinion of the CAE the level of residual risk assumed by senior management is too high

32.Which of the following is an appropriate documentation of proper engagement supervision?

A. A completed engagement workpaper review checklist.
B. The supervisor's review notes on engagement workpapers.
C. The email exchanges between the audit team and the supervisor.
D. A supervisor's approval of resources allocated to the engagement
Answer: B

33. CORRECT TEXT

Which of the following is one of the five basic financial statement assertions when an internal auditor
evaluates controls over financial reporting?
A. Reliability or appropriateness
B. Reasonableness
C. Existence or occurrence
D. Relevance
Answer: C

34. Which of the following is an appropriate activity when supervising engagements?

A. During engagement planning, the audit work program should be discussed between auditors and
the engagement supervisor with the supervisor approving the work program.
B. During fieldwork, scope changes made to the work program are at the auditor's discretion and
should be supported adequately in the workpapers.
C. Engagement supervision is most critical to the fieldwork and reporting phases of the audit, as this
is where the majority of the work takes place.
D. A degree of high supervision to no supervision may be provided to an auditor depending on his
level of competence and the complexity of the engagement.
Answer: A
Explanation:
According to the IIA’s Implementation Guide for Standard 2340 - Engagement Supervision1, one of
the activities that the chief audit executive or the designated engagement supervisor should perform
is to review and approve the engagement work program before the commencement of fieldwork. The
engagement work program should be based on the engagement objectives, scope, and approach,
and should reflect the risks and controls identified during the planning phase. The engagement work
program should also be discussed with the engagement team to ensure that they understand the
tasks and procedures to be performed, and to address any questions or concerns. The engagement
supervisor should document the approval of the work program and any subsequent changes in the
workpapers.

35. In which of following scenarios is the internal auditor performing benchmarking?

A. The auditor compares information from one period with the same information from the poor period
B. The auditor compares new information to his general knowledge of the organization
C. The auditor compares information he collected with simmer information from another source
D. The auditor compares expected outcomes with actual results
Answer: C

36.1.An internal auditor accessed accounts payable records and extracted data related to fuel
purchased tor the organization's vehicles As a first step, she sorted the data by vehicle and used
spreadsheet functions to identify all instances of refueling on the same or sequential dates She then
performed other tests.
Based on the auditor's actions which of the following is most likely the objective of this engagement1?
A. To identify whether fuel was purchased for work-related purposes
B. To estimate future fuel costs for the organization's fleet of vehicles
C. To determine trends in average fuel consumption by vehicle
D. To determine whether the organization is paying more than the industry average for fuel
Answer: C

37.Which method of examining entity-level controls involves gathering information from work groups
that represent different levels in an organization?
A. Questionnaires.
B. Surveys.
C. Structured interviews
D. Facilitated team workshops
Answer: C

38.After the team member who specialized in fraud investigations left the internal audit team, the chief
audit executive decided to outsource fraud investigations to a third party service provider on an as
needed basis.
Which of the following is most likely to be a disadvantage of this outsourcing decision?
A. Cost.
B. Independence.
C. Familiarity.
D. Flexibility.
Answer: A

39. The internal audit activity needs to review the information security function but does not have the
IT expertise needed for the engagement.
Which of the following actions should the chief audit executive take to ensure the internal audit activity
conforms with the Standards?
A. Assign the engagement to a staff auditor and closely review his work and report.
B. Assign the engagement to a senior auditor, who carefully researches and studies the company’s
IT infrastructure.
C. Contract an external service provider auditor with the experience necessary to perform the audit.
D. Perform the audit herself and work closely with the information security function to obtain expertise
in the area.
Answer: C
Explanation:
When the internal audit activity lacks the necessary IT expertise to review the information security
function, the chief audit executive (CAE) should contract an external service provider with the
required experience. This ensures that the audit is conducted effectively and in accordance with the
Standards, which require internal auditors to have or acquire the necessary skills to perform their
work.
IIA
Reference: IIA Standard 1210: Proficiency requires internal auditors to possess the knowledge, skills,
and other competencies needed to perform their responsibilities. When the necessary expertise is not
available within the internal audit activity, the CAE must obtain competent advice and assistance by
either contracting external experts or outsourcing the audit.
The Practice Guide on Engaging External Service Providers suggests that when specialized skills are
required, engaging an external service provider is a practical solution to ensure the audit's quality and
effectiveness.

40.Which of the following is the primary purpose of implementing a program whereby employees are
rotated from other parts of the organization into the internal audit activity?
A. It provides the internal audit activity with more resourcing options to meet the audit plan
B. It offers internal auditors the opportunity to learn more about other work areas.
C. It gives nonauditors a better understanding of the control environment.
D. It provides an opportunity for the recruitment of employees as permanent internal auditors
Answer: B

41.The internal audit activity (IAA) wants to measure its performance related to the quality of audit
recommendations.
Which of the following client survey questions would best help the IAA meet this objective?
A. Were audit findings relevant and useful to management?
B. Does the audit report format present issues clearly and concisely?
C. Does the IAA work with a high degree of professionalism and objectivity?
D. Were the findings reported in a timely manner?
Answer: A

42. Following an IT systems audit, management agreed to implement a specific control in one of the
IT systems. After a period, the internal auditor followed up and learned that management had not
implemented the agreed management action due to the decision to move to another IT system that
has built-in controls, which may address the risks highlighted by the internal audit.
Which of the following is the most appropriate action to address the outstanding audit
recommendation?
A. The auditor examines the system documentation of the new system to verify that the risk has been
addressed in the new system, then reports to senior management the closure of the issue.
B. The auditor accepts management's explanation that the previously identified issue is adequately
addressed by the new IT system, as management understands the concern and is most
knowledgeable about the new system, and closes the outstanding issue.
C. The auditor advises management that replacing the IT system does not dismiss the prior obligation
to implement the agreed action plan, and escalates the issue to senior management and the board.
D. The auditor requires management to provide details regarding the process for selecting the new IT
system and whether other systems were evaluated, and closure of the issue would depend on the
new information provided.
Answer: A
Explanation:
In this scenario, the most appropriate action for the internal auditor is to verify that the risk highlighted
by the previous audit has indeed been addressed by the new IT system. This involves a detailed
examination of the system documentation and possibly testing the controls within the new system.
Once the auditor confirms that the new system adequately addresses the identified risk, they should
report this finding to senior management and close the issue.
This approach ensures that the internal audit activity adheres to the IIA Standards regarding follow-
up on audit findings, which requires auditors to ensure that agreed-upon actions have been
implemented effectively.
IIA
Reference: IIA Standard 2500: Monitoring Progress mandates that the chief audit executive must
establish and maintain a system to monitor the disposition of results communicated to management.
This includes ensuring that the risks identified are appropriately addressed.
The Practice Advisory 2500.A1-1: Follow-up Process advises that follow-up is a critical part of the
audit process, and it is essential to confirm that management actions address the risks identified
during the audit.
Given these considerations, the correct answer is A. The auditor examines the system documentation
of the new system to verify that the risk has been addressed in the new system, then reports to senior
management the closure of the issue.

43. Which of the following statistical sampling approaches is the most appropriate for testing a
population for fraud?
A. Discovery sampling.
B. Stop-or-go sampling.
C. Haphazard sampling.
D. Stratified attribute sampling.
Answer: A
Explanation:
Discovery sampling is a statistical sampling method that is specifically designed for detecting fraud or
other irregularities. It is most appropriate when the auditor expects that deviations or fraud may be
rare but significant if found.
Detailed Explanation
Discovery Sampling:
Discovery sampling is used when the auditor is trying to identify at least one occurrence of a
particular event, such as fraud. The sample is designed so that if a single error is found, it suggests
that more may exist within the population, warranting further investigation.
Application in Fraud Detection:
Discovery sampling is effective in fraud detection because it focuses on identifying whether any
instances of fraud exist within a population. This approach is well-suited for situations where even a
small number of fraudulent transactions could have a significant impact.
IIA Practice Guide on Statistical Sampling:
The IIA suggests that discovery sampling is appropriate when the goal is to find the presence of an
error or fraud, particularly in populations where such occurrences are expected to be infrequent.
Why Not Other Options?
Option B (Stop-or-go sampling): This method is used to control the risk of over-auditing when errors
are expected to be low, but it is not specifically designed for fraud detection.
Option C (Haphazard sampling): This is a non-statistical sampling method and is not appropriate for
systematic fraud detection.
Option D (Stratified attribute sampling): This method divides the population into subgroups but is not
specifically aimed at discovering fraud.
Conclusion: Option A is correct because discovery sampling is the most appropriate statistical method
for testing a population for fraud, as it is designed to detect even a small number of significant
deviations, consistent with IIA guidance.

44. Flowcharts are useful during audit planning because they contain information that may help
internal auditors with which of the following?
A. Understanding management's risk tolerance.
B. Understanding business processes.
C. Determining the size of the audit team needed to perform the review.
D. Understanding organizational objectives.
Answer: B
Explanation:
Flowcharts are a valuable tool in internal auditing, particularly during the audit planning phase. They
provide a visual representation of business processes, which helps internal auditors gain a
comprehensive understanding of how these processes function .
Detailed Explanation
Understanding Business Processes:
Flowcharts are used to depict the steps in a process, illustrating how inputs are transformed into
outputs, the sequence of activities, and the points where decisions are made. This visual
representation makes it easier for auditors to understand the flow of transactions, identify potential
control points, and recognize areas where risks may arise. IIA Standard 2201 C Planning
Considerations:
According to this standard, internal auditors must consider the objectives, scope, and risks associated
with the audit engagement during the planning phase. Understanding business processes is crucial
for this, and flowcharts are an effective way to achieve this understanding. IIA Practice Advisory
2210.A1-1:
This advisory suggests using various tools, including flowcharts, to enhance understanding of the
area under review. Flowcharts help auditors see the process as a whole and identify where controls
should be in place.
Why Not Other Options?
Option A (Understanding management's risk tolerance): Flowcharts focus on processes, not on
management’s subjective risk tolerance.
Option C (Determining the size of the audit team): While flowcharts provide process insights, they do
not directly inform team size decisions.
Option D (Understanding organizational objectives): Flowcharts focus on specific processes rather
than high-level organizational objectives.
Conclusion: Option B is correct as it aligns with the purpose of flowcharts in audit planning, which is to
understand business processes effectively.

45.During the planning phase of an assurance engagement, an internal auditor seeks to gam an
understanding of now when the area under review is accomplishing its objectives.
When of the Following information-gathering techniques is the auditor most likely to use?
A. A review of the key performance indicators of me area under review.
B. A walkthrough of the key processes of the area under review.
C. An interview with the manager regarding the area's business plan.
D. A review of previous audit and follow- up results of the area under review
Answer: B

46. Which of the following would be most likely found in an internal audit procedures manual?
A. A summary of the strategic plan of the area under review.
B. Appropriate response options for when findings are disputed by management.
C. An explanation of the resources needed for each engagement.
D. The extent of the auditor's authority to collect data from management.
Answer: D
Explanation:
An internal audit procedures manual typically includes detailed information on the methodologies,
tools, and techniques used during audits. It also outlines the protocols and guidelines for auditors to
follow, including their authority and the scope of their work. Clearly defining the extent of the auditor's
authority to collect data from management ensures that auditors understand their rights and
limitations, which is essential for carrying out effective and efficient audits.
Reference: The Institute of Internal Auditors (IIA), Practice Guide on Developing the Internal Audit
Manual "Internal Auditing: Assurance and Advisory Services" by Urton L. Anderson, Michael J. Head,
Sridhar Ramamoorti, Chris
A . Bailey, and David
A. Sarens

47.Which of the following would most likely cause an internal auditor to consider adding fraud work
steps to the audit program?
A. Improper segregation of duties.
B. Incentives and bonus programs.
C. An employee's reported concerns.
D. Lack of an ethics policy.
Answer: C

48. Which of the following statements is true regarding engagement planning?

A. The scope of the engagement should be planned according to the internal audit activity’s budget
and then aligned to the risk universe.
B. The audit engagement objectives should be based on operational management's view of risk
objectives.
C. The planning phase of the engagement should be completed and approved before the fieldwork of
the engagement begins.
D. The main purpose of the engagement work program is to determine the nature and timing of
procedures required to gather audit evidence.
Answer: C
Explanation:
The planning phase is crucial for any audit engagement and must be completed and approved before
starting fieldwork. This ensures that the engagement has a clear scope, objectives, and methodology,
which are necessary for conducting an effective and efficient audit. Without proper planning, the audit
team may miss critical areas or waste resources on low-priority risks. IIA
Reference: IIA Standard 2200: Engagement Planning requires that internal auditors develop and
document a plan for each engagement, including the engagement’s objectives, scope, timing, and
resource allocations, before starting fieldwork.
The Practice Guide on Planning emphasizes that completing and approving the planning phase
ensures that all necessary preparations are made, and potential risks are identified and mitigated
before fieldwork begins.
49. Testing of compliance with the new process finds that all new contracts in excess of $1 million
have been approved by the vice president of sales

50.Which of the following approaches would best help an internal auditor determine whether a retailer
database of 100,000 customers has nay duplicate accounts?
A. Stratifying the customer information
B. Extracting the customer information
C. Filtering the customer information
D. Sorting the customer information
Answer: C

51.Which of the following is not an outcome of control self-assessment?

A. Informal, soft controls are omitted, and greater focus is placed on hard controls.
B. The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring
and continuous improvement.
C. Internal auditors become involved in and knowledgeable about the self-assessment process.
D. Nonaudit employees become experienced in assessing controls and associating control processes
with managing risks.
Answer: A

52. Which type of assurance engagement is conducted to determine whether a process or area is
performing as intended, accomplishing its objectives, and doing so in an efficient and economical
way?
A. Compliance audit.
B. Operational audit.
C. Financial audit.
D. Provider audit.
Answer: B
Explanation:
An operational audit is conducted to evaluate whether an organization’s processes or areas are
performing as intended, accomplishing their objectives, and doing so in an efficient and economical
way. This type of audit focuses on the effectiveness, efficiency, and economy of operations .
Detailed Explanation
IIA Definition of Operational Auditing:
Operational auditing involves reviewing and assessing the effectiveness and efficiency of operations.
The goal is to ensure that the organization’s operations are running as intended and achieving their
objectives in a cost-effective manner.
IIA Standard 2100 C Nature of Work:
This standard emphasizes that internal audit activity should evaluate the effectiveness and efficiency
of operations, aligning with the objectives of an operational audit. Key Aspects of Operational Audits:
Effectiveness: Evaluates whether objectives are being met.
Efficiency: Assesses whether resources are being used optimally.
Economy: Ensures that costs are minimized without compromising quality or performance.
Why Not Other Options?
Option A (Compliance audit): Focuses on whether the organization adheres to laws, regulations, and
policies, not on operational efficiency.
Option C (Financial audit): Involves verifying the accuracy of financial records, not the operational
performance.
Option D (Provider audit): This term is not commonly used in IIA guidance and does not accurately
describe the scenario.

53.Which of the following statements is true regarding the audit objective for an assurance
engagement?
A. Operational management must determine the audit objective in cooperation with the internal
auditor
B. The audit objective may be adjusted after the start of an engagement and it does not need to align
with the assessed risks
C. The audit objective must consider the possibility of fraud and noncompliance
D. The audit objective may or may not consider the possibility of fraud depending on the assessed
likelihood and impact
Answer: C

54. Are there any written policies and procedures that document the flow of investment processing?

55. The competency and qualifications of the audit staff for specific assignments.

56. Effect of the control weakness.

57. Evaluate the adequacy and effectiveness of the corrective action proposed by management.

58. Flowcharts highlight the control points to help internal auditors evaluate control design
A. 1 and 3 only
B. 2 and 4 only.
C. 1.2. and 3 only
D. 2. 3 and 4 only
Answer: D

59.A corporate merger decision prompts the chief audit executive (CAE) lo propose interim changes
to the existing annual audit plan to account for emerging risks.
Which of the following is the most appropriate action for the CAE to take regarding the changes made
to the audit plan''
A. Present the revised audit plan directly to the board for approval.
B. Communicate with the chief financial officer and present the revised audit plan to the CEO tor
approval
C. Present the revised audit plan directly to the CEO for approval
D. Communicate with the CEO and present the revised audit plan to the board for approval.
Answer: D

60. Which of the following actions should the chief audit executive take when senior management
decides to accept risks by choosing to do business with a questionable vendor?
A. Persuade senior management to take appropriate action.
B. Cancel issuing the engagement report due to the assumed risks.
C. Accept senior management’s assumption of the risks.
D. Discuss the issue with the board for them to take appropriate action.
Answer: D
Explanation:
If senior management decides to accept risks, such as doing business with a questionable vendor,
and the chief audit executive (CAE) believes this poses a significant risk to the organization, the CAE
should escalate the issue to the board. The board has the ultimate responsibility for overseeing risk
management and can decide on the appropriate action to take in response to the risk. IIA
Reference: IIA Standard 2600: Communicating the Acceptance of Risks states that when the CAE
believes that senior management has accepted a level of residual risk that may be unacceptable to
the organization, the CAE must discuss the matter with senior management. If the decision regarding
risk remains unchanged, the CAE must inform the board.
The Practice Guide on Risk Management highlights the importance of the CAE keeping the board
informed of significant risks that management has chosen to accept, particularly when these risks
could have a material impact on the organization.

61.Besides a chief audit executive's professional experience what determines the frequency and
approach to assessing residual risk?
A. The frequency of executing the internal audit engagements
B. The frequency of changes in the organization environment
C. The expectations set by the board and senior management
D. The expectations set by operating management and senior management
Answer: B

62.According to IIA guidance, which of the following statements best justifies a chief audit executive's
request for external consultants to complement internal audit activity (IAA) resources?
A. The organization's audit universe is extensive and diverse.
B. There has been an increase in unanticipated requests for advisory work.
C. Previous work provided by the external service provider has been of great quality and value.
D. A recent benchmarking study found that using external service providers is a common practice of
similarly-sized IAAs in other organizations.
Answer: B

63.Which of the following is the primary purpose of financial statement audit engagements?
A. To assess the efficiency and effectiveness of the accounting department.
B. To evaluate organizational and departmental structures, including assessments of process flows
related to financial matters.
C. To provide a review of routine financial reports, including analyses of selected accounts for
compliance with generally accepted accounting principles.
D. To provide an analysis of business process controls in the accounting department, including tests
of compliance with internal policies and procedures.
Answer: C

64. According to the International Professional Practices Framework, which of the following is an
appropriate reason for issuing an interim report?
To keep management informed of audit progress when audit engagements extend over a long period
of time.
To provide an alternative to a final report for limited-scope audit engagements.
To communicate a change in engagement scope for the activity under review.
A. 1 and 2 only.
B. 1 and 3 only.
C. 2 and 3 only.
D. 1, 2, and 3.
Answer: B
Explanation:
According to the International Professional Practices Framework (IPPF), issuing an interim report is
appropriate for keeping management informed of audit progress, especially when audit engagements
extend over a long period of time, and for communicating any significant changes in the scope of the
engagement. Interim reports serve as a means of maintaining transparency with management and
ensuring that any adjustments to the audit plan are communicated promptly. IIA
Reference: IIA Standard 2440: Disseminating Results allows for interim reporting when there is a
need to communicate significant findings or changes in scope before the final report is issued. This
ensures that management remains informed of critical issues that may impact the audit or the
organization. The Practice Guide on Communicating Interim Results suggests that interim reports are
useful for providing updates during long engagements or when there are significant changes in the
engagement's scope that management needs to be aware of.

65.An organization recently acquired a subsidiary in a new industry, and management asked the chief
audit executive (CAE) to perform a comprehensive audit of the subsidiary prior to recommencing
operations. The CAE is unsure her team has the necessary skills and knowledge to accept the
engagement According to IIAguidance, which of the following responses by the CAE would be most
appropriate?
A. The CAE should accept the engagement and ensure that an explanation of the expertise
limitations is included in the final audit report.
B. The CAE should ask management to hire an external expert who is familiar with the industry to
perform an independent audit for management
C. The CAE should accept the engagement and hire an external expert to assist the audit team with
the audit of the subsidiary
D. The CAE should recommend postponing the engagement until the internal audit team is able to
develop sufficient knowledge of the new industry
Answer: C

66.An organization buys crude oil on the open market and refines it into a high-quality gasoline. The
price of crude oil is extremely volatile.
Which of the following is the most appropriate risk management technique to protect the organization
against these price fluctuations?
A. Enter into long-term gasoline purchase agreements with end customers.
B. Trade crude oil derivatives at financial markets in order to benefit from price fluctuations
C. Purchase crude oil-related derivatives such as futures or options
D. Stock as much raw materials as possible and consider Investing into additional facilities
Answer: A

67. Results of exit interviews with departing employees.

A. 1 and 2 only
B. 2 and 4 only
C. 1, 2, and 4
D. 2, 3, and 4
Answer: A

68. The interviewer is likely to begin the interview with open-ended questions.
69. Which phase of an audit engagement is typically the most effective time for an internal auditor to
develop a risk and control matrix?
A. When preparing to recap audit test results.
B. At sample selection, to determine sampling methodology.
C. At the start of fieldwork, as part of developing the annual audit plan.
D. At planning, to assist in developing the engagement work program.
Answer: D
Explanation:
The most effective time for an internal auditor to develop a risk and control matrix is during the
planning phase of an audit engagement. This matrix helps in identifying the key risks and the controls
in place to mitigate those risks, which is crucial for developing a focused and effective engagement
work program.
IIA
Reference: IIA Standard 2201: Planning Considerations requires internal auditors to consider
significant risks and controls when planning the engagement. Developing a risk and control matrix at
this stage ensures that the audit work is appropriately targeted at the most critical areas.
The Practice Guide on Risk Assessment advises that creating a risk and control matrix during
planning helps in structuring the audit to address identified risks effectively.

70. The scope of the audit.

71. Coordinate post-engagement conferences to discuss the final audit report with management.

72.Which of the following is a disadvantage of using flowcharts during a risk assessment?

A. People cannot quickly understand the processes via flowcharts
B. Flowcharts are not applicable for evaluating the design of controls
C. Some serious risks that are not part of the linear process can be missed
D. Flowcharts do not enable auditors to identify missing controls
Answer: C

73.The chief audit executive can illustrate the value of the internal audit activity by reporting which of
the following to the board?
A. The overall performance resulting from the internal audit balanced scorecard
B. The number of outstanding and overdue management actions
C. The experience of the organization's internal auditors
D. The number of audits in the annual audit plan relative to similar organizations
Answer: A

74.Which of the following should management action plans include at a minimum?

A. An implementer for the action plan
B. An owner of the action plan
C. The internal auditor's next review date of the action plan
D. Detailed procedures for the action plan
Answer: B

75. Provide assurance that the internal audit activity conforms with the IIA Code of Ethics.
A. 1 only
B. 1 and 2 only
C. 1 and 3 only
D. 1, 2, 3, and 4
Answer: D

76. Senior management wants assurance that third-party contractors are following procedures as
agreed with the organization.
Which type of audit would be most appropriate to achieve this objective?
A. A compliance audit.
B. A due diligence audit.
C. A financial audit.
D. An external audit.
Answer: A

77. Determine how the information is stored.

A. 1 and 3 only
B. 2 and 4 only
C. 1, 3, and 4 only
D. 1, 2, 3, and 4
Answer: D

78.An internal auditor has suspicions that the management of a department splits me number of
planned purchases to avoid the approval process required for larger purchases.
Which of the following would be the most efficient technique to help the auditor identify the seventy of
this malpractice?
A. Examining the entire population
B. Asking management about the malpractice
C. Testing a sample of random transactions.
D. Using data analytics
Answer: D

79.Which of the following is true about surveys?

A. A survey with open-ended questions is weaker than a structured interview
B. A survey with closed-ended questions can produce quantifiable evidence
C. A survey's participants are likely to volunteer information that was not specifically requested
D. A survey, like inspections and confirmations are best used to test the operating effectiveness of
controls
Answer: B

80.Which of the following engagement techniques would be best to meet the objective of denting a
personal conflict -of -interest situation affecting an organization’s procurement function?
A. Inquiry
B. Analytical review
C. Observation
D. Inspection of documents
Answer: A
81.During an assurance engagement, an internal auditor discovered that a sales manager approved
numerous sales contracts for values exceeding his authorization limit. The auditor reported the finding
to the audit supervisor, noting that the sales manager had additional new contracts under negotiation.
According to IIA guidance, which of the following would be the most appropriate next step?
A. The audit supervisor should include the new contracts in the finding for the final audit report.
B. The audit supervisor should communicate the finding to the supervisor of the sales manager
through an interim report.
C. The audit supervisor should remind the sales manager of his authority limit for the contracts under
negotiation.
D. The auditor should not reference the new contracts, because they are not yet signed and therefore
cannot be included in the final report.
Answer: B

82.Which of the following internal control attributes should internal auditors consider testing during a
review of the board of directors?
A. The presence of an independent critical mass
B. The established philosophy and operating style of senior management
C. The articulated internal control objectives of the organization
D. The organization's employee recruiting and retention policies
Answer: A

83. Trend analysis.

3 External benchmarking

84.Which of the following constitutes supervisory activity undertaken during the planning phase of an
assurance engagement?
A. Ensuring the process owner with the engagement objectives
B. Reviewing engagement draft reports
C. Ensuring workpapers support audit findings
D. Approving audit work programs
Answer: D

85.Which of the following statements concerning workpapers is the most accurate?

A. The organization and the format of workpapers is the same for all engagements
B. The extent of what is included in workpapers is a matter of professional judgment
C. Workpapers should be complete so that every conceivable question that can be raised should be
answered
D. Copies of operational managements records should not be included, but referenced so that they
can be located
Answer: D

86. While planning an audit engagement of a procurement card activity.

which of the following actions should an internal auditor take to identify relevant risks and controls?
A. Compare card transaction types against procurement card policy guidelines.
B. Develop the scope and objectives of the engagement
C. Determine how many cardholders exceeded their daily limit.
D. Meet with the procurement card program administrator
Answer: D

87. Video recordings always should be used to provide the highest quality evidence.
A. 1 only
B. 4 only
C. 1 and 3
D. 2 and 4
Answer: C

88. Provide structured learning opportunities for engagement auditors when possible.

89. Which of the following would help the internal audit activity assess compliance with the
organization's standard operating procedures for bank deposits during a preliminary survey?
A. Issue an internal control questionnaire to select branch customers.
B. Issue an internal control questionnaire to the president of the organization.
C. Issue an internal control questionnaire to the director of bank operations.
D. Issue an internal control questionnaire to select branch managers.
Answer: D
Explanation:
The most appropriate action to assess compliance with the organization's standard operating
procedures for bank deposits during a preliminary survey is to issue an internal control questionnaire
to select branch managers. Branch managers are directly responsible for the day-to-day operations at
their branches, including adherence to standard operating procedures for bank deposits. They are in
the best position to provide accurate and relevant information about the controls in place and their
effectiveness.
IIA
Reference: IIA Standard 2210: Engagement Objectives and IIA Standard 2201: Planning
Considerations emphasize the importance of gathering relevant information from knowledgeable
sources during the planning phase of an engagement. Issuing ICQs to individuals who oversee the
processes under review, such as branch managers, helps in identifying potential risks and areas of
non-compliance.

90. Due to a recent system upgrade, an audit is planned to test the payroll process.
Which of the following audit objectives would be most important to prevent fraud?
A. Verify that amounts are correct.
B. Verify that payments are on time.
C. Verify that recipients are valid employees.
D. Verify that benefits deductions are accurate.
Answer: C

91.An internal audit team was conducting an assurance engagement to review segregation of duties
in the purchasing function. The internal auditors reviewed a sample of purchase orders from the past
two year and discovered that 2 percent were signed by employees who were operating in a
designated acting capacity due to employee absence.
According to IIA guidance, which of the following attributes of information would most likely assist the
auditor in deciding whether to report this finding?
A. Sufficiency
B. Reliability
 C. Relevance
D. Usefulness
Answer: D

Get IIA-CIA-Part2 exam dumps full version.

Powered by TCPDF (www.tcpdf.org)