CIA Part 1 Flashcards
The Institute of Internal Auditing (IIA) provides two types of guidance for internal auditors:
mandatory and strongly recommended guidance. Which of the following is true concerning recommended
guidance?
Correct. Practice guides provide guidance for conducting an internal audit. These practice guides include
processes and procedures, tools and techniques, programs, step-by-step approaches, and
examples of deliverables.
The Standards are a component of the IIA’s International Professional Practices Framework
(IPPF). The IPPF is the conceptual framework that organizes authoritative guidance promulgated by The Institute
of Internal Auditors. Which of the following is true concerning the Standards? The Standards:
Correct. This is true concerning Standards. They do help internal auditors fulfill their responsibilities
when conducting internal audits.
The IPPF provides guidance to internal auditors so they can do their job in accordance with
generally accepted internal auditing practices. Which of the following situations would not be a possible violation
of the IIA’s Standards?
I. At the conclusion of an engagement, the internal auditor invited the client to a football conference
championship game.
II. The internal auditor functionally reports to the Chief Finance Officer (CFO).
III. The internal auditor drafted the internal audit charter.
IV. The internal auditor, who is not a Certified
3 Solution: d (I, III and IV)
I. Not a Violation. Since the internal auditor invited the client, this would not be a violation of the
Standards.
II. Violation. The internal auditor should not functionally report to the CFO. The internal auditor should
functionally report to the board/audit committee.
III. Not a Violation. It is acceptable for the internal auditor to write the draft copy of the charter. Approval
of the charter is the responsibility of senior management and the board.
IV. Not a Violation. Internal auditors are encouraged to be certified; however, it is not mandated that
they are certified.
Which of the following activities would internal auditing be least likely to perform?
4 Solution: c
a. Incorrect. Investigating suspected fraud is something internal auditing could do.
b. Incorrect. Verifying the value of an asset account balance is something internal auditing could do.
c. Correct. Prescribing compensation packages is outside the scope of internal auditing.
d. Incorrect. Determining the company’s compliance with environmental laws and regulations is something
internal auditing could do.
The Implementation Guides:
5 Solution: b
a. Incorrect. The Implementation Guidance does not detail internal auditing processes and procedures.
b. Correct. The Implementation Guidance does assist internal auditors in applying the Definition of Internal
Auditing, the Code of Ethics, and the Standards, and promoting good practices.
c. Incorrect. The Implementation Guidance does not highlight significant audit findings and recommendations
and report on the approved audit work schedule.
d. Incorrect. The Implementation Guidance does not assist the CAE in resolving issues before reporting
the findings to the audit committee.
According to the IPPF, The IIA’s Standards
6 Solution: b
a. Incorrect. The Standards are based on principles, not on rules.
b. Correct. According to the IPPF, the Standards are principles-focused and provide a framework for performing
and promoting internal auditing.
c. Incorrect. The Practice Advisories provide guidelines for conducting an internal audit.
d. Incorrect. The Standards do not assist internal auditors in better understanding significant issues of
internal auditing.
Which of the following best describes the mission of internal auditing? The Mission of Internal
Auditing is:
7 Solution: d
a. Incorrect. Internal auditing does not design controls.
b. Incorrect. The mission of internal auditing is not to verify that conflicts between management and
stakeholders do not result in bankruptcies or major frauds.
c. Incorrect. To ensure the quality of information provided to shareholders and financial markets through
the financial statements is the function of the external auditor.
d. Correct. Directing the establishment of internal controls systems would impair objectivity.
A newly hired Chief Audit Executive (CAE) was reviewing the company’s internal audit charter
as presented by the chair of the audit committee. The CAE noted that the charter was written and approved
by the company’s Chief Financial Officer (CFO). Based on best practices, is this acceptable?
8 Solution: d
a. Incorrect. The charter should be approved by the board of directors.
b. Incorrect. The charter should be approved by the board of directors. It should not be written by someone
outside the company.
c. Incorrect. If the CFO writes and approves the charter, this would impair the independence of internal
auditing.
d. Correct. If the CFO writes and approves the internal auditing charter, the CFO could control the work
of the internal auditor. This could impair the work of the internal auditor.
The internal audit charter provides internal auditors the means to do their work. Which of the
following would generally not be included in the charter?
9 Solution: a
a. Correct. The scope of an individual engagement would not be included in the charter. The scope of the
engagement would be in the engagement work plan.
b. Incorrect. The charter should include the scope, objectives, authority, accountability, and accountability
of the IAA.
c. Incorrect. The charter should include the scope, objectives, authority, accountability, and accountability
of the IAA.
d. Incorrect. The charter should include the scope, objectives, authority, accountability, and accountability
of the IAA.
The audit committee is a sub-committee of the board of directors. All of the following are the
general duties and responsibilities of the audit committee except:
10 Solution: b
a. Incorrect. The audit committee is responsible for the hiring and firing of the external auditor.
b. Correct. Evaluating the compensation packages of senior managers would be the general responsibility
of the remuneration committee, not the audit committee.
c. Incorrect. The audit committee is responsible for approving the annual audit plan.
d. Incorrect. Reporting to the audit committee confirms the independence of the IAA.
Which of the following would not be a specific audit committee function?
11 Solution: a
a. Correct. Strategic planning is a function generally left to the board and management. It is not something
the audit committee would be involved in.
b. Incorrect. Reviewing financial statements before publication is a function of the audit committee.
c. Incorrect. Reviewing the work of the external auditor is a function of the audit committee.
d. Incorrect. Reviewing the work plan of the IAA is a function of the audit committee.
The Standards state that internal auditors are able to provide both assurance and consulting
engagements. Like assurance engagements, consulting engagements are also meant to add value and improve
operations. Which of the following activities would be categorized as consulting engagement(s)?
I. Advising management on the benefits of an acquisition.
II. Assisting management in estimating the savings from outsourcing a process.
III. Assessing the adequacy of internal control in a proposed accounts payable system.
IV. Assessing the adequacy of internal control over the accounts receivable system.
12 Solution: c (I, II and III)
I. Correct. Advising management on the benefits of an acquisition is a possible consulting service.
II. Correct. Assisting management in estimating the savings from outsourcing a process is a possible consulting
service.
III. Correct. Assessing the adequacy of internal control in a proposed accounts payable system is a possible
consulting service.
IV. Incorrect. Assessing the adequacy of internal control over the accounts receivable system is an assurance
engagement, not consulting.
Which of the following is not true concerning the internal auditing charter?
13 Solution: a
a. Correct. Based on the Standards, the charter gives the internal auditor authority to have access to all
records and personnel deemed necessary for the completion of an engagement. However, there still
might be some company information that the internal auditor would not have access to, such as information
concerning a possible merger or acquisition.
b. Incorrect. The IAA charter should be a formal, written document.
c. Incorrect. The IAA charter should be approved by the board.
d. Incorrect. The CAE has responsibility to periodically review the IAA charter to make sure it is still adequate
for the IAA to accomplish its objectives.
A newly hired Chief Audit Executive (CAE) was reviewing the contents of the company’s IAA
charter. The CAE wanted to make sure the charter was adequate so he would be able to accomplish the objectives
laid out by the audit committee and CEO. Which of the following would generally not be a function
of the IAA charter?
14 Solution: d
a. Incorrect. Stating who the CAE will report to should be included in the IAA charter.
b. Incorrect. Laying out the objectives of the IAA should be included in the IAA charter.
c. Incorrect. Providing information about the need for a QAIP should be included in the IAA charter.
d. Correct. Detailing the compensation package of the CAE is not a function of the charter. The CAE’s
compensation would be the responsibility of the audit committee, not the IAA charter.
Internal auditing is an assurance and consulting activity designed to add value and improve
operations. Which of the following could be examples of assurance services provided by internal auditing for
a company’s credit department?
I. The internal auditor recommended standards of control.
II. The internal auditor provided a training course on the implementation of new controls.
III. The internal auditor advised the credit manager on the impact of changing the credit terms.
IV. The internal auditor assessed and evaluated credit risks.
15 Solution: a (I and IV only)
I. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, internal auditors are expected to recommend standards of control.
II. Incorrect. Providing training courses would be a consulting service.
III. Incorrect. Providing advice to a client would be connected with a consulting service.
IV. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, assessing and evaluating credit risk would be connected with an assurance engagement.
Of the following, which statements best describe the purpose of the IIA’s Standards?
I. To provide a framework for performing and promoting a broad range of value-added internal auditing
services.
II. To establish a basis for evaluating the performance of internal auditing.
III. To describe the basic principles of best practices of internal auditing.
IV. To provide the principles of how internal auditors should conduct themselves during engagements.
16 Solution: b (I, II and III)
I. Correct. The Standards do provide a framework for performing and promoting a broad range of value-added
internal auditing services.
II. Correct. The Standards do establish a basis for evaluating the performance of internal auditing.
III. Correct. The Standards do describe the basic principles of best practices of internal auditing.
IV. Incorrect. The Standards do not tell internal auditors how they should conduct themselves during
engagements.
Which of the following would most likely be a violation of the IIA’s Code of Ethics?
a) An internal auditor divulged confidential company information as requested by a judge.
b) An internal auditor, with limited IT experience, was involved in an IT audit.
c) An internal auditor accepted a fairly inexpensive gift after finishing an audit.
d) An internal auditor reported an illegal act to a local newspaper after consulting with the company’s
controller.
17 Solution: d
a. Incorrect. If requested by a judge, an internal auditor would be obliged to divulge confidential information.
b. Incorrect. With proper supervision, an internal auditor with limited IT experience could be involved in
an IT audit.
c. Incorrect. An inexpensive gift would not be a violation of the Code of Ethics.
d. Correct. No information should be divulged to a local newspaper under any circumstance. Illegal acts
have to be first reported to senior management, and in some cases, reported to the appropriate authorities,
if requested to do so.
As a member of the Institute of Internal Auditing (IIA) you are required to abide by the organization’s
Code of Ethics. According to the IIA’s Code of Ethics, integrity:
18 Solution: a
a. Correct. Integrity is performing work with honesty, diligence, and responsibility.
b. Incorrect. Integrity does not have to do with adhering to the IIA’s Code of Conduct.
c. Incorrect. Not disclosing information has to do with confidentiality, not with integrity.
d. Incorrect. Making sure the auditor has the skills, knowledge, qualifications, and capacity to do their job
effectively is connected with competence, not with integrity.
David is a CIA and works as one of two senior internal auditors of a manufacturing company.
David plays on the company’s tag-football team. Recently, the company played a rival team, and during the
game, a serious altercation occurred between David and a player from the other team. David was at fault.
Luckily, no one was seriously injured, but the police were called and David was charged with a misdemeanor.
Is David’s altercation and arrest a violation of the IIA’s Code of Ethics?
19 Solution: b
a. Incorrect. Even though David’s behavior is suspect, the incident was not related to his professional
work.
b. Correct. The IIA Code of Ethics covers members’ professional activity only, such as fraud, theft, or deceit.
Being charged with a misdemeanor because of an altercation during a football game would not be
a violation of the IIA’s Code of Ethics.
c. Incorrect. The Code of Ethics covers members’ professional activity only.
d. Incorrect. The Code of Ethics only covers members’ professional activity.
An internal auditor was reviewing a company’s fixed assets account to determine the existence
and valuation of the company’s fixed assets. The internal auditor was particularly interested in the
company’s capitalization policy. The internal auditor knows that management likes to capitalize as much as
possible to improve short-term profitability. When reviewing the capitalization account, the internal auditor
noted several questionable transactions, all of which were considered significant. Because of the capitalization,
the company was able to meet its targeted operating profit for the accounting period. The internal
auditor approached the CFO and chief accountant about the issue; however, the internal auditor was told
that the company’s controller accepted the capitalization values, and not to worry about it. If the internal
auditor still believes that the company improperly capitalized some expenses and does nothing about it, the
internal auditor could possibly be in violation of which ethics principle(s)?
20 Solution: b
a. Incorrect. Only the principles of integrity and objectivity are violated. The competence principle is not
violated because the internal auditor had the skills and knowledge to perform the engagement.
b. Correct. If the internal auditor does nothing to rectify the situation, then the internal auditor could be
in violation of two ethics principles: integrity and objectivity. Concerning objectivity, the internal auditor
“shall disclose all material facts known to them, that if not disclosed, may distort the reporting of
activities under review.” Concerning integrity, the internal auditor “shall perform their work with honesty,
diligence, and responsibility.” It also says the internal auditor “shall not knowingly be party to any
illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the
organization.” If the internal auditor does nothing about the matter, then the internal auditor is complicit
in the act.
c. Incorrect. The principle of integrity is violated; however, the principle of competence is not violated.
d. Incorrect. The principles of objectivity and integrity are violated; however, the confidentiality principle
is not violated because no information was compromised.
The independence and objectivity of an internal auditor are crucial components for an effective
internal audit. Which of the following best describes the distinction between the two terms?
Solution: a
a. Correct. Objectivity is a mental attitude that internal auditors should maintain while performing engagements.
The internal auditor should have an impartial, unbiased attitude and avoid conflict of
interest situations. Independence refers to the freedom to conduct audit activities in an unbiased manner.
Therefore, objectivity refers to the unbiased mental attitude of individual auditors while
independence gives internal auditors the freedom to operate with an objective, unbiased attitude.
b. Incorrect. Independence is achieved through the status of the IAA; however, objectivity refers to the
unbiased mental attitude of individual auditors.
c. Incorrect. Independence is gained through the organizational status of the IAA, not objectivity.
d. Incorrect. The terms are different. The words are not synonymous, nor are they interchangeable.
Which of the following situations could be considered an engagement scope limitation?
22 Solution: c
a. Incorrect. It is possible that the board might deem some information confidential, even from internal
auditing.
b. Incorrect. Refusing to approve the internal audit work plan is not a scope limitation.
c. Correct. A scope limitation is a restriction that keeps internal auditors from achieving the objectives of
an engagement. Internal auditors need to have complete access to all information deemed necessary to
complete an engagement, including access to records, personnel, and property. The chief accountant
saying that some information is not necessary could be seen as a scope limitation.
d. Incorrect. A company’s controller should suggest ways to improve controls over operations