CIA Part 1

Question 1

The Institute of Internal Auditing (IIA) provides two types of guidance for internal auditors:
mandatory and strongly recommended guidance. Which of the following is true concerning recommended
guidance?

Answer 1

Correct. Practice guides provide guidance for conducting an internal audit. These practice guides include
processes and procedures, tool and techniques, programs, step-by-step approaches, and
examples of deliverables.

Question 2

The Standards are a component of the IIA’s International Professional Practices Framework
(IPPF). The IPPF is the conceptual framework that organizes authoritative guidance promulgated by The Institute
of Internal Auditors. Which of the following is true concerning the Standards? The Standards:

Answer 2

Correct. This is true concerning Standards. They do help internal auditors fulfill their responsibilities
when conducting internal audits.

Question 3

The IPPF provides guidance to internal auditors so they can do their job in accordance with
generally accepted internal auditing practices. Which of the following situations would not be a possible violation
of the IIA’s Standards?
I. At the conclusion of an engagement, the internal auditor invited the client to a football conference
championship game.
II. The internal auditor functionally reports to the Chief Finance Officer (CFO).
III. The internal auditor drafted the internal audit charter.
IV. The internal auditor, who is not a Certified

Answer 3

3 Solution: d (I, III and IV)
I. Not a Violation. Since the internal auditor invited the client, this would not be a violation of the
Standards.
II. Violation. The internal auditor should not functionally report to the CFO. The internal auditor should
functionally report to the board/audit committee.
III. Not a Violation. It is acceptable for the internal auditor to write the draft copy of the charter. Approval
of the charter is the responsibility of senior management and the board.
IV. Not a Violation. Internal auditors are encouraged to be certified, however, it is not mandated that
they are certified.

Question 4

Which of the following activities would internal auditing be least likely to perform?

Answer 4

4 Solution: c
a. Incorrect. Investigating suspected fraud is something internal auditing could do.
b. Incorrect. Verifying the value of an asset account balance is something internal auditing could do.
c. Correct. Prescribing compensation packages is outside the scope of internal auditing.
d. Incorrect. Determining the company’s compliance with environmental laws and regulations is something
internal auditing could do.

Question 5

The Implementation Guides:

Answer 5

5 Solution: b
a. Incorrect. The Implementation Guidance does not detail internal auditing processes and procedures.
b. Correct. The Implementation Guidance does assist internal auditors in applying the Definition of Internal
Auditing, the Code of Ethics, and the Standards, and promoting good practices.
c. Incorrect. The Implementation Guidance does not highlight significant audit findings and recommendations
and report on the approved audit work schedule.
d. Incorrect. The Implementation Guidance does not assist the CAE in resolving issues before reporting
the findings to the audit committee.

Question 6

According to the IPPF, The IIA’s Standards

Answer 6

6 Solution: b
a. Incorrect. The Standards are based on principles, not on rules.
b. Correct. According to the IPPF, the Standards are principles-focused and provide a framework for performing
and promoting internal auditing.
c. Incorrect. The Practice Advisories provide guidelines for conducting an internal audit.
d. Incorrect. The Standards do not assist internal auditors in better understanding significant issues of
internal auditing.

Question 7

Which of the following best describes the mission of internal auditing? The Mission of Internal
Auditing is:

Answer 7

7 Solution: d
a. Incorrect. Internal auditing does not design controls.
b. Incorrect. The mission of internal auditing is not to verify that conflicts between management and
stakeholders do not result in bankruptcies or major frauds.
c. Incorrect. To ensure the quality of information provided to shareholders and financial markets through
the financial statements is the function of the external auditor.
d. Correct. Directing the establishment of internal controls systems would impair objectivity.

Question 8

A newly hired Chief Audit Executive (CAE) was reviewing the company’s internal audit charter
as presented by the chair of the audit committee. The CAE noted that the charter was written and approved
by the company’s Chief Financial Officer (CFO). Based on best practices, is this acceptable?

Answer 8

8 Solution: d
a. Incorrect. The charter should be approved by the board of directors.
b. Incorrect. The charter should be approved by the board of directors. It should not be written by someone
outside the company.
c. Incorrect. If the CFO writes and approves the charter, this would impair the independence of internal
auditing.
d. Correct. If the CFO writes and approves the internal auditing charter, the CFO could control the work
of the internal auditor. This could impair the work of the internal auditor.

Question 9

The internal audit charter provides internal auditors the means to do their work. Which of the
following would generally not be included in the charter?

Answer 9

9 Solution: a
a. Correct. The scope of an individual engagement would not be included in the charter. The scope of the
engagement would be in the engagement work plan.
b. Incorrect. The charter should include the scope, objectives, authority, accountability, and accountability
of the IAA.
c. Incorrect. The charter should include the scope, objectives, authority, accountability, and accountability
of the IAA.
d. Incorrect. The charter should include the scope, objectives, authority, accountability, and accountability
of the IAA.

Question 10

The audit committee is a sub-committee of the board of directors. All of the following are the
general duties and responsibilities of the audit committee except:

Answer 10

10 Solution: b
a. Incorrect. The audit committee is responsible for the hiring and firing of the external auditor.
b. Correct. Evaluating the compensation packages of senior managers would be the general responsibility
of the remuneration committee, not the audit committee.
c. Incorrect. The audit committee is responsible for approving the annual audit plan.
d. Incorrect. Reporting to the audit committee confirms the independence of the IAA.

Question 11

Which of the following would not be a specific audit committee function?

Answer 11

11 Solution: a
a. Correct. Strategic planning is a function generally left to the board and management. It is not something
the audit committee would be involved in.
b. Incorrect. Reviewing financial statements before publication is a function of the audit committee.
c. Incorrect. Reviewing the work of the external auditor is a function of the audit committee.
d. Incorrect. Reviewing the work plan of the IAA is a function of the audit committee.

Question 12

The Standards state that internal auditors are able to provide both assurance and consulting
engagements. Like assurance engagements, consulting engagements are also meant to add value and improve
operations. Which of the following activities would be categorized as consulting engagement(s)?
I. Advising management on the benefits of an acquisition.
II. Assisting management in estimating the savings from outsourcing a process.
III. Assessing the adequacy of internal control in a proposed accounts payable system.
IV. Assessing the adequacy of internal control over the accounts receivable system.

Answer 12

12 Solution: c (I, II and III)
I. Correct. Advising management on the benefits of an acquisition is a possible consulting service.
II. Correct. Assisting management in estimating the savings from outsourcing a process is a possible consulting
service.
III. Correct. Assessing the adequacy of internal control in a proposed accounts payable system is a possible
consulting service.
IV. Incorrect. Assessing the adequacy of internal control over the accounts receivable system is an assurance
engagement, not consulting.

Question 13

Which of the following is not true concerning the internal auditing charter?

Answer 13

13 Solution: a
a. Correct. Based on the Standards, the charter gives the internal auditor authority to have access to all
records and personnel deemed necessary for the completion of an engagement. However, there still
might be some company information that the internal auditor would not have access to, such as information
concerning a possible merger or acquisition.
b. Incorrect. The IAA charter should be a formal, written document.
c. Incorrect. The IAA charter should be approved by the board.
d. Incorrect. The CAE has responsibility to periodically review the IAA charter to make sure it is still adequate
for the IAA to accomplish its objectives.

Question 14

A newly hired Chief Audit Executive (CAE) was reviewing the contents of the company’s IAA
charter. The CAE wanted to make sure the charter was adequate so he would be able to accomplish the objectives
laid out by the audit committee and CEO. Which of the following would generally not be a function
of the IAA charter?

Answer 14

14 Solution: d
a. Incorrect. Stating who the CAE will report to should be included in the IAA charter.
b. Incorrect. Laying out the objectives of the IAA should be included in the IAA charter.
c. Incorrect. Providing information about the need for a QAIP should be included in the IAA charter.
d. Correct. Detailing the compensation package of the CAE is not a function of the charter. The CAE’s
compensation would be the responsibility of the audit committee, not the IAA charter.

Question 15

Internal auditing is an assurance and consulting activity designed to add value and improve
operations. Which of the following could be examples of assurance services provided by internal auditing for
a company’s credit department?
I. The internal auditor recommended standards of control.
II. The internal auditor provided a training course on the implementation of new controls.
III. The internal auditor advised the credit manager on the impact of changing the credit terms.
IV. The internal auditor assessed and evaluated credit risks.

Answer 15

15 Solution: a (I and IV only)
I. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, internal auditors are expected to recommend standards of control.
II. Incorrect. Providing training courses would be a consulting service.
III. Incorrect. Providing advice to a client would be connected with a consulting service.
IV. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, assessing and evaluating credit risk would be connected with an assurance engagement.

Question 16

Of the following, which statements best describe the purpose of the IIA’s Standards?
I. To provide a framework for performing and promoting a broad range of value-added internal auditing
services.
II. To establish a basis for evaluating the performance of internal auditing.
III. To describe the basic principles of best practices of internal auditing.
IV. To provide the principles of how internal auditors should conduct themselves during engagements.

Answer 16

16 Solution: b (I, II and III)
I. Correct. The Standards do provide a framework for performing and promoting a broad range of valueadded
internal auditing services.
II. Correct. The Standards do establish a basis for evaluating the performance of internal auditing.
III. Correct. The Standards do describe the basic principles of best practices of internal auditing.
IV. Incorrect. The Standards do not to tell internal auditors how they should conduct themselves during
engagements.

Question 17

Which of the following would most likely be a violation of the IIA’s Code of Ethics?
a) An internal auditor divulged confidential company information as requested by a judge.
b) An internal auditor, with limited IT experience, was involved in an IT audit.
c) An internal auditor accepted a fairly inexpensive gift after finishing an audit.
d) An internal auditor reported an illegal act to a local newspaper after consulting with the company’s
controller.

Answer 17

17 Solution: d
a. Incorrect. If requested by a judge, an internal auditor would be obliged to divulge confidential information.
b. Incorrect. With proper supervision, an internal auditor with limited IT experience could be involved in
an IT audit.
c. Incorrect. An inexpensive gift would not be a violation of the Code of Ethics.
d. Correct. No information should be divulged to a local newspaper under any circumstance. Illegal acts
have to be first reported to senior management, and in some cases, reported to the appropriate authorities,
if requested to do so.

Question 18

As a member of the Institute of Internal Auditing (IIA) you are required to abide by the organization’s
Code of Ethics. According to the IIA’s Code of Ethics, integrity:

Answer 18

18 Solution: a
a. Correct. Integrity is performing work with honesty, diligence, and responsibility.
b. Incorrect. Integrity does not have to do with adhering to the IIA’s Code of Conduct.
c. Incorrect. Not disclosing information has to do with confidentiality, not with integrity.
d. Incorrect. Making sure the auditor has the skills, knowledge, qualifications, and capacity to do their job
effectively is connected with competence, not with integrity.

Question 19

David is a CIA and works as one of two senior internal auditors of a manufacturing company.
David plays on the company’s tag-football team. Recently, the company played a rival team, and during the
game, a serious altercation occurred between David and a player from the other team. David was at fault.
Luckily, no one was seriously injured, but the police were called and David was charged with a misdemeanor.
Is David’s altercation and arrest a violation of the IIA’s Code of Ethics?

Answer 19

19 Solution: b
a. Incorrect. Even though David’s behavior is suspect, the incident was not related to his professional
work.
b. Correct. The IIA Code of Ethics covers member’s professional activity only, such as fraud, theft, or deceit.
Being charged with a misdemeanor because of an altercation during a football game would not be
a violation of the IIA’s Code of Ethics.
c. Incorrect. The Code of Ethics only covers member’s professional activity only.
d. Incorrect. The Code of Ethics only covers member’s professional activity.

Question 20

An internal auditor was reviewing a company’s fixed assets account to determine the existence
and valuation of the company’s fixed assets. The internal auditor was particularly interested in the
company’s capitalization policy. The internal auditor knows that management likes to capitalize as much as
possible to improve short-term profitability. When reviewing the capitalization account, the internal auditor
noted several questionable transactions, all of which were considered significant. Because of the capitalization,
the company was able to meet its targeted operating profit for the accounting period. The internal
auditor approached the CFO and chief accountant about the issue; however, the internal auditor was told
that the company’s controller accepted the capitalization values, and not to worry about it. If the internal
auditor still believes that the company improperly capitalized some expenses and does nothing about it, the
internal auditor could possibly be in violation of which ethic’s principle(s)?

Answer 20

20 Solution: b
a. Incorrect. Only the principles of integrity and objectivity are violated. The competence principle is not
violated because the internal auditor had the skills and knowledge to perform the engagement.
b. Correct. If the internal auditor does nothing to rectify the situation, then the internal auditor could be
in violation of two ethics principles: integrity and objectivity. Concerning objectivity, the internal auditor
“shall disclose all material facts known to them, that if not disclosed, may distort the reporting of
activities under review.” Concerning integrity, the internal auditor “shall perform their work with honesty,
diligence, and responsibility.” It also says the internal auditor “shall not knowingly be party to any
illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the
organization.” If the internal auditor does nothing about the matter, then the internal auditor is complicit
in the act.
c. Incorrect. The principle of integrity is violated; however, the principle of competence is not violated.
d. Incorrect. The principles of objectivity and integrity are violated; however, the confidentiality principle
is not violated because no information was compromised.

Question 21

The independence and objectivity of an internal auditor are crucial components for an effective
internal audit. Which of the following best describes the distinction between the two terms?

Answer 21

Solution: a
a. Correct. Objectivity is a mental attitude that internal auditors should maintain while performing engagements.
The internal auditor should have an impartial, unbiased attitude and avoid conflict of
interest situations. Independence refers to the freedom to conduct audit activities in an unbiased manner.
Therefore, objectivity refers to the unbiased mental attitude of individual auditors while
independence gives internal auditors the freedom to operate with an objective, unbiased attitude.
b. Incorrect. Independence is achieved through the status of the IAA; however, objectivity refers to the
unbiased mental attitude of individual auditors.
c. Incorrect. Independence is gained through the organizational status of the IAA, not objectivity.
d. Incorrect. The terms are different. The words are not synonymous, nor are they interchangeable.

Question 22

Which of the following situations could be considered an engagement scope limitation?

Answer 22

22 Solution: c
a. Incorrect. It is possible that the board might deem some information confidential, even from internal
auditing.
b. Incorrect. Refusing to approve the internal audit work plan is not a scope limitation.
c. Correct. A scope limitation is a restriction that keeps internal auditors from achieving the objectives of
an engagement. Internal auditors need to have complete access to all information deemed necessary to
complete an engagement, including access to records, personnel, and property. The chief accountant
saying that some information is not necessary could be seen as a scope limitation.
d. Incorrect. A company’s controller should suggest ways to improve controls over operations

Question 23

During a management meeting, the company’s financial controller was asked how the design
of controls over the company’s new credit-lending process was going. The company recently updated the
process so it would be more automated than in the past. The controller mentioned that he was using the
services of internal auditing to help him design controls over the process. The company’s chief financial officer
(CFO) was surprised that internal auditing was included in the designing of controls. The CFO
commented that based on his knowledge of the internal auditing Standards, “internal auditors cannot design,
draft procedures, install, or manage processes, because the independence and objectivity of the
auditor would be impaired.” Is the CFO’s statement correct?

Answer 23

23 Solution: d
a. Incorrect. Internal auditors are able to conduct not only assurance engagements, but also perform consulting
services as well. It is acceptable for the controller to use the services of the IAA as long as the
IAA does not take ownership of the controls.
b. Incorrect. Internal auditors are not part of management.
c. Incorrect. Independence would be impaired only if the internal auditor has ownership of the control
process, which does not happen automatically simply by helping the controller.
d. Correct. Based on the Standards, internal auditing is able to conduct consulting services as long as the
nature of the internal auditor’s help is known and included in the charter. The internal auditor would be
OK, as long as the internal auditor provided advice and does not take ownership of the controls.

Question 24

An internal auditor was transferred from the company’s payables department six months ago.
The internal auditor’s job responsibility was to match vendor invoices with the company’s purchase orders
and receiving reports. Among other things, the internal auditor was supposed to catch invoice errors and
make sure that the company did not pay for goods not received. The internal auditor has now been assigned
the task of reviewing the controls over accounts payable. Based on the available information, the internal
auditor should:

Answer 24

Solution: a
a. Correct. The internal auditor should not be assigned the task of reviewing controls over the payable
department because only six months have passed since working in the department. It is advised that
the waiting period should be no less than one year.
b. Incorrect. The internal auditor should not accept the engagement because objectivity would be impaired
since the internal auditor knows the department.
c. Incorrect. Objectivity would be impaired, not independence.
d. Incorrect. It is generally accepted that a period of no less than one year should pass between working
in a department and auditing it.

Question 25

An internal auditor of a medium-sized company has been requested by the company’s chief
executive officer (CEO) to temporarily take over responsibility of the company’s accounts receivable department.
The internal auditor managed the department two years ago and knows the department well. The
internal auditor does not feel comfortable with the assignment because the department will be audited in the
near future. The internal auditor knows that objectivity could be impaired if he manages the department and
then has to audit the department. The internal auditor is in a dilemma and does not know what to do. What
would be the best course of action for the internal auditor to take?

Answer 25

Solution: c
a. Incorrect. Ultimately, the internal auditor works for the CEO and therefore the internal auditor cannot
refuse the CEO.
b. Incorrect. Ultimately, the internal auditor works for the CEO so protesting the CEO would not be a recommended
course of action.
c. Correct. If the CEO makes a request of the internal auditor, the internal auditor has no choice but to
accept the assignment. However, the internal auditor needs to make sure not to participate in the audit
of the department.
d. Incorrect. The best course of action would be to accept the assignment, but when time comes to audit
the department the internal auditor should not participate in the audit of the department.

Question 26

Which of the following might give rise to a conflict of interest for a chief audit executive
(CAE)?
I. The CAE teaches internal auditing courses on the weekends.
II. The CAE recently hired an internal auditor who worked in the company as a financial manager
six months ago.
III. The CAE owns a mutual fund that includes the stock of the company.
IV. A relative of the CAE works as a clerk in a department that is audited by the internal auditing activity.

Answer 26

Solution: c (II only)
I. Incorrect. Teaching IAA courses on the weekend would not give rise to a conflict of interest.
II. Correct. The only situation that could give rise to a conflict of interest for the CAE is hiring someone
who worked as a financial manager in the company. The Standards say that a period of at least one
year should pass before auditing the area you were once responsible for. Based on this, the internal
auditor should not be involved in any engagements concerning his or her former responsibility area.
III. Incorrect. Mutual funds are investment funds that consist of many different types of investment assets.
It would not be unusual for the CAE to own a mutual fund that might include the stock of the company
the CAE works for.
IV. Incorrect. Because clerks have no managerial responsibility, it would not be a conflict of interest if a
relative of the CAE works in the department being audited by the IAA.

Question 27

Internal auditors need a mandate that provides the necessary authority within a structure
that supports their independence and objectivity. This mandate can best be achieved by:

Answer 27

Solution: b
a. Incorrect. The IAA should administratively report to the CEO.
b. Correct. Internal auditors need a mandate that provides the authority they need within a structure that
supports their independence and objectivity. This can best be achieved through a written charter for the
internal audit function that is aligned with the mandate and needs of the audit committee.
c. Incorrect. The IAA should functionally report to the board or audit committee.
d. Incorrect. Only answer (b) is true concerning the mandate of the IAA.

Question 28

Which of the following is/are true concerning the decision to establish an internal audit activity
(IAA) within an organization?

Answer 28

Solution: d
a. Incorrect. This is a true statement; however, answer (c) is also true.
b. Incorrect. The primary function of the chief accountant is to oversee all accounting functions such as
ledger accounts, financial statements, and cost control systems. The focus of the chief accountant includes
regulatory compliance and practices and collaborating with the CFO developing financial
strategies.
c. Incorrect. This is a true statement; however, answer (a) is also true.
d. Correct. Both (a) and (c) are true. The board/audit committees do want to get independent and objective
assurance on the adequacy of internal controls from someone other than the CEO or CFO. Also, the
organization gets too large or geographically dispersed for frequent and economical first-hand monitoring
of controls by the board/audit committee, CEO, or CFO.

Question 29

Internal auditors are encouraged to avoid all conflicts of interest. Under which circumstance
would there not be a conflict of interest?

Answer 29

29 Solution: c
a. Incorrect. Accepting gifts of significant value is prohibited.
b. Incorrect. Borrowing money from a client could impair the internal auditor’s objectivity.
c. Correct. Facilitating a control self-assessment workshop is something internal auditors can do, and are
encouraged to do.
d. Incorrect. Auditing a department where the internal auditor’s brother-in-law is the manager could impair
the internal auditor’s objectivity.

Question 30

The internal audit activity (IAA) may not be able to operate independently and objectively
without sufficient resources and funding. Under which circumstance would independence and objectivity not
be an issue for internal auditing?
a) The CAE was unable to get additional funding for the training of staff.
b) The IAA is understaffed and overworked.
c) The CAE personally reviews all working papers.
d) The IAA uses outdated technology.

Answer 30

Solution: c
a. Incorrect. Insufficient training might invite compromises or shortcuts that would impair the IAA’s position
in the organization.
b. Incorrect. Inadequate staffing might invite compromises or shortcuts that would impair the IAA’s position
in the organization.
c. Correct. The CAE has a responsibility to make sure all working papers provide evidence that sufficient
information was obtained by the internal auditor to support his or her recommendation.
d. Incorrect. Outdated technology might invite compromises or shortcuts that would impair the IAA’s position
in the organization.

Question 31

Objectivity is assumed to be impaired in all of the following situations except:
a) The internal auditor periodically evaluates the bank reconciliation process.
b) The internal auditor is responsible for a part of operations that could be subject to periodic internal
auditing assessment.
c) The internal auditor performed an assurance review of an activity over which the internal auditor
was responsible for 9 months ago.
d) The internal auditor is scheduled to audit an area for which the internal auditor will have future responsibility.

Answer 31

Correct. Periodically evaluating the bank reconciliation process is something the internal auditor should
do.
b. Incorrect. If the internal auditor is responsible for a part of operations that could be subject to periodic
internal auditing assessment, then this could impair the internal auditor’s objectivity.
c. Incorrect. Reviewing an activity over which the internal auditor was responsible for 9 months ago could
impair the internal auditor’s objectivity.
a) Incorrect. Scheduling an audit of an area that the internal auditor will have future responsibility could
impair the internal auditor’s objectivity.

Question 32

A new member of the audit committee met with an organization’s CAE. During the meeting,
the audit committee member wanted to know more about the activities that are performed by the organization’s
internal audit activity (IAA). Which of the following activities mentioned by the CAE would be
appropriate for the IAA to perform?
I. Designing controls for a new accounts payable software program.
II. Recommending procedures for systems of control for the accounts payable process.
III. Installing the system of control for the accounts payable process.
IV. Reviewing control procedures before implementing the accounts payable software program.
a) I and II.
b) I, III and IV.
c) II and III.
d) II and IV.

Answer 32

Solution: d (II and IV)
I. Incorrect. Internal auditing should not design controls, because this could impair the internal auditor’s
objectivity.
II. Correct. Recommending procedures is something that internal auditing could perform.
III. Incorrect. Internal auditing should not install systems of control, because this could impair the internal
auditor’s objectivity.
IV. Correct. Reviewing controls before implementation is something that internal auditing could perform.

Question 33

Which of the following is/are true concerning auditor independence. An internal auditor with
independence is:
I. Able to review contracts prior to their execution.
II. Able to reduce the scope of an audit due to budget cutbacks.
III. Able to continue on an audit assignment at a division for which the auditor was responsible for 4
months ago.
IV. Able to participate on a task force that designed standards of control for a new distribution process.
a) I and II.
b) I, III, and IV.
c) I and IV.
d) I, II, III, and IV.

Answer 33

33 Solution: a (I and II)
I. Correct. An auditor may review contracts prior to their execution.
II. Correct. Reducing the scope of an audit due to budget cutbacks does not constitute a violation of an
auditor’s independence.
III. Incorrect. The Standards says that a period of at least one year should pass before assigning an auditor
to an area where he or she previously worked.
IV. Incorrect. The Standards states that an auditor may recommend standards of control for new systems.
However, designing, installing, or operating such systems might impair objectivity.

Question 34

Question 34: An organization’s audit committee recently designed a compensation package for its internal
auditors. One of the audit committee members was concerned that the compensation package could impair
the internal auditor’s objectivity. Which of the following is true concerning compensation packages for internal
auditors?
a) All forms of compensation would impair objectivity.
b) Internal auditors should only be compensated based on monetary amounts recovered or recommended
future savings as a result of engagements.
c) The compensation package should be administrated by the organization’s board of directors or the
board’s remuneration committee.
d) The compensation package should only consist of stock options.

Answer 34

34 Solution: c
a. Incorrect. The compensation package should be administrated by the organization’s board of directors
or the board’s remuneration committee.
b. Incorrect. Objectivity would be impaired if compensation is based on monetary amounts recovered, or
recommendations for future savings as a result of engagements. It is presumed that a bonus based on
either of these could unduly influence the judgment of the CAE.
c. Correct. The board of directors should administer the internal auditor’s compensation package.
d. Incorrect. The compensation package might consist of other forms of compensation, such as stock options,
cash bonuses, and so forth, but would not consist only of stock options.

Question 35

Question 35: An IT department team is studying the possibility of upgrading to an enterprise resource
planning (ERP) system. The team leader of the project has asked for internal auditing’s help to assist with
the project. In this case, what would be an appropriate role for internal auditing?
a) Ascertain the cost-benefit relationship of the system.
b) Determine management’s requirements of the system.
c) Design a standard of control for the system.
d) Assist with the implementation of the system.

Answer 35

35 Solution: a
a. Correct. Internal auditors must consider standards of control and review procedures before implementation.
However, objectivity is considered to be impaired if internal auditing designs, installs, drafts
procedures, or operates systems (PA 1120-1). However, ascertaining the cost-benefit relationships
would be an appropriate role for the internal auditor.
b. Incorrect. Determining management’s requirements is management’s responsibility.
c. Incorrect. Designing a system of control is management’s responsibility.
d. Incorrect. Implementing the system is management’s responsibility.

Question 36

Question 36: A company’s chief financial officer (CFO) is assessing the company’s credit terms. The CFO
believes the company could increase sales by loosening up the credit terms; however the CFO is not sure
about the impact on bad debt. The CFO made a request for internal audit to assess the impact on revenue
and bad debt if changes in the credit terms are made. To complete the assignment, at a minimum, the internal
auditor should have what level of competency?
a) Proficiency level.
b) Appreciation level.
c) Understanding level.
d) Knowledge level.

Answer 36

36 Solution: c
a. Incorrect. Assessing the impact on revenue and bad debt takes an understanding level of competence,
not a proficiency level.
b. Incorrect. The internal auditor would have to have more than an appreciation level of competence.
c. Correct. At a minimum, the internal auditor should have an understanding level of competency. This
means the auditor is able to assess the impact that changes in the credit terms will have on revenue
and bad debt.
d. Incorrect. The internal auditor would have to have more than a knowledge level competence.

Question 37

Question 37: Once an internal auditor attains the designation of CIA, in order to maintain this designation,
the internal auditor must:
a) Achieve a specific number of accounting credits.
b) Show proficiency in the application of management principles.
c) Maintain an acceptable level of skill through achieving a certain number of accounting credits.
d) Maintain an acceptable level of competence through achieving a certain number of continuing professional
development credits.

Answer 37

37 Solution: d
a. Incorrect. To maintain the CIA designation, internal auditors must achieve a specific number of CPD
credits, not accounting credits.
b. Incorrect. Showing proficiency in the application of management principles does not have to do with
maintaining the CIA designation.
c. Incorrect. To maintain the CIA designation, internal auditors must achieve a specific number of CPD
credits, not accounting credits.
d. Correct. All certified internal auditors must achieve a specific number of CPD credits every two years.
The CPDs are required so that the internal auditor can maintain his or her skill and proficiency level.

Question 38

Question 38: There are three levels of competences. Two of the competence levels are understanding and
appreciation. What is the difference between the two?
a) Understanding is the ability to recognize the existence of a problem. Appreciation is the ability to
know how to solve the problem.
b) Understanding is the ability to recognize problems and solve them without too much assistance. Appreciation
is the ability to know the existence of a problem.
c) Appreciation is the ability to recognize the impact the problem will have on operations. Understanding
is the ability to know that there is a problem.
d) Appreciation is the ability to recognize the existence of a problem. Understanding is the ability to
understand its impact on operations.

Answer 38

38 Solution: d
a. Incorrect. Appreciation is the ability to recognize the existence of a problem, not understanding. Also,
proficiency is the ability to know how to solve the problem.
b. Incorrect. Solving problems takes a level of proficiency, not understanding.
c. Incorrect. Understanding is the ability to recognize the impact the problem will have on operations, not
appreciation. Also, appreciation is the ability to know that there is a problem, not understanding.
d. Correct. Understanding means the ability to apply broad knowledge to situations likely to be encountered,
to recognize significant deviations, and to be able to carry out the research necessary to arrive at
a reasonable solution. Appreciation is the ability to recognize the existence of problems or potential
problems and to identify the additional research to be undertaken or the assistance to be obtained.

Question 39

Question 39: Based on the Standards, an internal auditor should have a proficiency level in accounting
principles if the auditor is:
a) Reviewing controls over the handling of inventory.
b) Checking the valuation of inventory.
c) Assessing the impact on operations if credit terms are relaxed.
d) Reviewing controls over the petty cash account.

Answer 39

39 Solution: b
a. Incorrect. Reviewing controls over the handling of inventory takes an understanding of control processes,
not a proficiency in accounting standards.
b. Correct. An internal auditor should be proficient in accounting standards if the auditor is checking the
valuation of inventory. The auditor would have to know how to value the inventory based on the acceptable
accounting principles. If inventory is found to be overstated, then the auditor has to know how
much to write down the inventory. This takes a high level of knowledge about accounting.
c. Incorrect. Assessing the impact on operations if credit terms are relaxed takes analytical skills, not a
proficiency in accounting standards.
d. Incorrect. Reviewing controls over petty cash takes an understanding of control processes, not a proficiency
in accounting standards.

Question 40

Question 40: Based on the Standards, internal auditors must exercise due professional care when conducting

engagements. Which of the following is not true concerning due professional care?
a) Auditors are not expected to be infallible when conducting audits.
b) Proper assurance procedures guarantee significant risks will be identified.
c) Due professional care applies to both assurance and consulting engagements.
d) Auditors must consider the cost of the engagement in relation to its benefits.

Answer 40

40 Solution: b
a. Incorrect. Exercising due professional care does not mean internal auditors are expected to be infallible
when conducting engagements.
b. Correct. Even having proper assurance procedures does not guarantee significant risks will be identified.
c. Incorrect. Exercising due professional care does apply to both assurance and consulting engagements.
d. Incorrect. Exercising due professional care means internal auditors must consider the cost of the engagement
in relation to its benefits.

Question 41

Question 41: An internal auditor was conducting an audit of the company’s revenue-receivables cycle.
When reviewing the accounts receivable process, the auditor discovered that the department was recently
reorganized to cut costs. The auditor noted that positions that should be segregated are now performed by
the same person – the accounts receivable manager. The auditor has known the accounts receivable manager
for several years, so the auditor did no further investigation. At what point did the internal auditor fail
to exercise due professional care?
a) The auditor noted the lack of segregation of duties in the final audit report.
b) The auditor did not test for the possibility of fraud.
c) The auditor made a recommendation for additional compensating controls over the department.
d) The auditor informed the CAE and asked for advice.

Answer 41

41 Solution: b
a. Incorrect. Noting the lack of segregation of duties is exercising due professional care.
b. Correct. The auditor failed to exercise due professional care because the auditor presumed everything
was OK because of his or her relationship with the manager. In this case, the auditor should have expanded
the testing to feel comfortable that fraud is not being committed.
c. Incorrect. Recommending additional controls if found to be deficient is exercising due professional care.
d. Incorrect. Informing the CAE of the deficiency and asking for advice is exercising due professional care.

Question 42

Question 42: Concerning continuing professional education (CPE), which of the following is not true?
a) Chief audit executives (CAE) are required to complete and report a specified number of CPE hours
every two years.
b) Internal auditors need continuing professional development regardless of whether or not they hold
the CIA designation.
c) Continuing professional development includes maintaining proficiency through continuing education
and staying informed about improvements and current developments in the audit standards, procedures,
and techniques.
d) Internal auditors currently not holding an appropriate certification are encouraged to pursue an education
program, or obtain a professional certification.

Answer 42

42 Solution: a
a. Correct. It is possible for the CAE to be non-CIA certified, however, the CAE is still encouraged to enhance
and maintain his or her skill and knowledge level by attending education programs, or obtaining
a relevant professional certification, such as CMA, CIA, CPA, ACA, ACCA, and so on.
b. Incorrect. The work of an internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.
c. Incorrect. The work of an internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.
d. Incorrect. The work of an internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.

Question 43

Question 43: Proficiency means that an internal auditor possesses the knowledge, skills, and other competencies
needed to perform his or her responsibilities. Concerning proficiency, which of the following
statements would not be true?
a) Individual internal auditors are required to be experts in accounting.
b) Regardless of an internal auditor’s expertise, every internal auditor must be able to evaluate the risk
of fraud and identify key IT risks and controls.
c) Internal auditors are expected to maintain and update their skills through continuing professional
education (CPE).
d) Necessary skills and knowledge are different for each auditor, and an auditor might be proficient in a
number of areas.

Answer 43

43 Solution: a
a. Correct. A single auditor can be proficient in a number of areas, not just accounting.
b. Incorrect. This is true concerning proficiency. Every internal auditor must be able to evaluate the risk of
fraud and identify key IT risks and controls.
c. Incorrect. This is true concerning proficiency. Internal auditors are expected to maintain and update
their skills through continuing professional education (CPE).
d. Incorrect. This is true concerning proficiency. The necessary skills and knowledge are different for each
auditor, and an auditor might be proficient in a number of areas.

Question 44

Question 44: A chief audit executive (CAE) was discussing the technical competency of his staff with the
audit committee. The CAE is very proud of the team he has put together and is looking to expand the size of
the organization’s internal audit activity (IAA). Besides technical expertise, the CAE also mentioned that he
expects his staff to be proficient in all of the following areas except:
a) Communication.
b) Critical thinking.
c) Satisficing.
d) Negotiation.

Answer 44

44 Solution: c
a. Incorrect. Internal auditors should be proficient communicators.
b. Incorrect. Internal auditors should be proficient in critical thinking.
c. Correct. Satisficing is choosing the first satisfactory option instead of looking for the optimal solution.
Internal auditors should always strive for the optimal solution.
d. Incorrect. Internal auditors should be proficient in negotiation.

Question 45

Question 45: The IIA’s Global Audit Competency Framework lists ten “core competencies” that are considered
essential for all internal auditors. Which of the following would not be an essential core competency for
internal auditors?
a) Improvement and innovation.
b) Operations management.
c) Internal audit delivery.
d) Professional ethics.

Answer 45

45 Solution: b
a. Incorrect. Improvement and innovation is one of the ten core competencies that is considered essential
for all internal auditors.
b. Correct. A core competency is internal audit management, not operations management.
c. Incorrect. Internal audit delivery is one of the ten core competencies. This means that the internal audit
activity is able to deliver internal audit engagements.
d. Incorrect. Professional ethics promotes ethical behavior and is one of The IIA’s core competencies.

Question 46

Question 46: The foundation of The IIA’s Competency Framework includes:
I. Professional Ethics.
II. Governance, Risk, and Control.
III. IPPF.
IV. Internal Auditing Management.
V. Internal Audit Delivery.
a) I and II.
b) II and III.
c) II and V.
d) I and IV.

Answer 46

46 Solution: d (I and IV)
I. Correct. The foundation that forms the Competency Framework consists of Professional Ethics and Internal
Auditing Management.
II. Incorrect. Governance, Risk, and Control is under the heading of Technical Expertise.
III. Incorrect. IPPF is under the heading of Technical Expertise.
IV. Correct. The foundation that forms the Competency Framework consists of Professional Ethics and Internal
Auditing Management.
V. Incorrect. Internal Audit Delivery is at the top of the Framework, along with Improvement and Innovation.

Question 47

Question 47: An organization’s chief audit executive (CAE) was reviewing existing internal audit staff competencies.
The CAE’s review would include all of the following except:
a) The ability of the staff to complete engagements within the reporting deadline.
b) The ability to manage internal operating systems.
c) The knowledge of relevant risk management and control systems.
d) The knowledge of the regulatory requirements.

Answer 47

Incorrect. The ability of staff to complete audits on time would be part of the CAE’s review process.
b. Correct. Internal auditors should not manage operating systems, so this would not be part of the CAE’s
review process.
c. Incorrect. The knowledge of relevant risk management and control systems would be part of the CAE’s
review process.
d. Incorrect. The knowledge of the regulatory requirements would be part of the CAE’s review process.

Question 48

Question 48: Which of the following are true concerning what auditors should know? Auditors should
know:
I. The indicators of fraud.
II. Key information-technology risks and controls.
III. Available technology-based audit techniques.
IV. How to maintain satisfactory relationships with engagement clients.
a) I and II.
b) II, III, and IV.
c) I, II, and III.
d) I, II, III, and IV.

Answer 48

48 Solution: a (I, II, and III)
I. Correct. Based on PA 1210-1, auditors should know the indicators of fraud.
II. Correct. Based on PA 1210-1, auditors should know key information-technology risks and controls.
III. Correct. Based on PA 1210-1, auditors should know available technology-based audit techniques.
IV. Incorrect. Maintaining a satisfactory relationship with engagement clients is a skill that internal auditors
should develop.

Question 49

Question 49: The chief audit executive (CAE) is supervising an audit of the organization’s new payroll accounting
system and needs to hire an IT specialist. When reviewing the specialist’s qualifications to conduct
the audit, the CAE would assess all of the following except:
a) Relevant professional certifications.
b) Reputation of the specialist.
c) Fieldwork conducted by the specialist.
d) Experience and education of the specialist in similar situations.

Answer 49

49 Solution: c

a. Incorrect. The CAE would assess the relevant professional certifications of the specialists.
b. Incorrect. The CAE would assess the reputation of the specialist.
c. Correct. Fieldwork is what occurs after the hiring of the specialist.
d. Incorrect. The CAE would review the experience and education of the specialist.

Question 50

Question 50: Internal auditors must exercise due professional care by considering all of the following except:

a) The adequacy and effectiveness of the audit committee.
b) The cost of assurance in relation to potential benefits.
c) The relative complexity of the engagement.
d) The probability of significant errors and fraud.

Answer 50

50 Solution: a
a. Correct. The adequacy and effectiveness of the audit committee is the responsibility of the board.
b. Incorrect. Internal auditors exercise due professional care by considering the cost of assurance in relation
to potential benefits.
c. Incorrect. Internal auditors exercise due professional care by considering the relative complexity of the
engagement.
d. Incorrect. Internal auditors exercise due professional care by considering the probability of significant
errors and fraud.

Question 51

Question 53: Which of the following would not be part of an internal assessment?

a) Reviewing whether the IAA is in compliance with the internal audit charter.
b) Assessing how many recommendations were implemented by management.
c) Assessing how well internal auditing is viewed by its clients.
d) Reviewing actual and budgeted costs.

Answer 51

53 Solution: a
a. Correct. Reviewing the IAA charter would be part of the external assessment, not internal assessment.
b. Incorrect. Assessing how many recommendations were implemented by management would be part of
the internal assessment.
c. Incorrect. Assessing how well internal auditing is viewed by its clients would be part of the internal assessment.
d. Incorrect. Reviewing actual and budgeted costs would be part of the internal assessment.

Question 52

Question 54: A common problem that arises when conducting a quality assessment of an internal audit
activity (IAA) is understanding what is meant by quality. Quality can mean different things to different people.
When measuring the quality of an IAA, which of the following would be least useful to the assessment
team in its quality assessment?
a) Using The IIA’s Standards.
b) Getting feedback from the audit committee and/or board.
c) Getting feedback from the clients.
d) Benchmarking against other IAAs.

Answer 52

54 Solution: b
a. Incorrect. Using The IIA’s Standards would be a useful tool for the assessment team.
b. Correct. Getting feedback from the audit committee would probably assist the team the least in its assessment.
The others, including using the Standards, benchmarking, and getting feedback from the
clients would be more helpful in assessing the effectiveness and efficiency of the IAA.
c. Incorrect. It is the clients who benefit from the services of the IAA, therefore, getting feedback from
the clients would be a useful source for the assessment team.
d. Incorrect. Benchmarking against other IAAs would be a useful source for the assessment team.

Question 53

Question 55: Which of the following is false concerning external assessments?

a) Its purpose is to provide an independent opinion on the quality of the IAA.
b) It should be done at least every five years.
c) The assessor should be independent but should be from within the organization.
d) The assessor would determine whether the IAA adds value and improves the operations of the organization.

Answer 53

55 Solution: c
a. Incorrect. Providing an independent opinion is a reason for conducting an external assessment.
b. Incorrect. The external assessment should be done at least every five years.
c. Correct. The assessor should be independent. This means that there should not be any conflict of interest.
This generally means the assessor does not work for the company and is not intimately familiar
with the operations.
d. Incorrect. Assessing whether the IAA adds value and improves operations is a reason for the external
assessment.

Question 54

Question 56: The function of internal auditing is to add value and improve operations. A quality assurance
and improvement program (QAIP) is established to assess the work of internal auditing. The QAIP consists
of both internal and external assessments. Which of the following would not be part of the external assessment?
a) Get feedback from clients on their satisfaction with the work of the internal auditor.
b) Express an opinion on the overall work of the IAA.
c) Benchmark against best internal auditing practices.
d) Communicate with the external auditor on the work of the internal auditor.

Answer 54

56 Solution: d
a. Incorrect. Client satisfaction with internal auditing would be part of the external assessment.
b. Incorrect. Expressing an opinion on the overall work of the IAA would be part of the external assessment.
c. Incorrect. Benchmarking against the best practices would be part of the external assessment.
d. Correct. The results of the external assessment would generally not be communicated to the external
auditor. The results are for internal purposes so the company’s board and management can feel comfortable
with the work of internal auditing – it is doing what it should be doing.

Question 55

Question 57: The Chair of the audit committee and the chief audit executive (CAE) were discussing the
need for an external review of the internal auditing activity. The Chair believes that an external review would
be useful for several reasons. The CAE agrees with the Chair on the need, however, the CAE thinks a fullblown
external assessment is not necessary. The CAE believes a self-assessment with external validation
would be adequate. Which of the following is/are true concerning the circumstances where a selfassessment
would be justified?
I. The organization frequently has agency regulators reviewing its books and internal controls.
II. The organization operates in an industry that has extensive oversight.
III. The organization is a publicly-listed company.
IV. The CAE believes the costs of a full external assessment outweigh its benefits.
a) I, II and III.
b) I, II and IV.
c) I and IV.
d) I and II.

Answer 55

57 Solution: b (I, II and IV)
I. Correct. A self-assessment may be appropriate if the organization frequently has agency regulators
reviewing its books and internal controls.
II. Correct. A self-assessment may be appropriate if the organization operates in an industry that has extensive
oversight.
III. Incorrect. Whether an organization is publicly-listed or not does not impact whether a self-assessment
is appropriate.
IV. Correct. A self-assessment may be appropriate if, in the opinion of the CAE, the costs of the external
assessment outweigh the benefits.