
List of Questions CIA Part 1

Essentials of Internal Auditing

Certified Internal Auditor (CIA) Certification


1. Several internal audit customers have indicated that audit
reports are not impactful by the time they receive them. The
chief audit executive (CAE) has identified the root cause of the
issue as the reporting process, which requires several levels of
review, resulting in numerous edits and delays in audit report
release. The CAE should

A. limit reviewer report edits to a maximum number of edits per
reviewer.
B. be the only internal audit leader who reviews audit reports.
C. establish a performance metric measuring the number of
days between fieldwork completion and report issuance.
D. consider report-writing training designed to improve the
written communication skills of the auditor-in-charge.
Answer: C

According to The IIA’s implementation guidance for Standard
1311, “Internal Assessments,” the internal audit activity may
perform steps to support periodic self-assessment, such as
analysing key performance indicators (KPIs) related to the
efficiency of standard internal audit practices (e.g., number of
days between fieldwork completion and report issuance).
While the other three answer choices may help to accelerate
delivery of audit reports, establishing a process to measure,
monitor, and report on the timeliness of audit report delivery
will drive improvement.

For more information, refer to Section III, Chapter 0, Topic D


2. Which of the following goals sets risk management
strategies at the optimum level?

A. Maximizing market share
B. Minimizing losses
C. Minimizing costs
D. Maximizing shareholder value
Answer: D

This is a comprehensive approach and will relate to risk
management strategies across the enterprise. The other goals
are not part of a comprehensive approach to risk
management.

For more information, refer to Section V, Chapter 0, Topic E


3. The operating manager of a department requests the chief
audit executive (CAE) to perform a consulting review of
industrial escalator maintenance at the plant. The manager
wants the CAE to identify best practices in similar industries.
The CAE also wants to recommend those best practices that the
department should implement. Is the recommendation part of
the project something the CAE should add?

A. Yes, the operating department would want that information.
B. No, the recommendation work should have been requested
by the operating manager.
C. No, these recommendations would constitute management
work.
D. Yes, the CAE is independent from the operating location and
has the purpose, authority and responsibility to do so.
Answer: B

Consulting services are advisory in nature and are generally
performed at the specific request of an engagement client.
The nature and the scope of a consulting engagement are
subject to agreement with the engagement client.
Benchmarking internal areas with comparable areas of
similar organizations to identify best practices would add
value to the organization.

For more information, refer to Section I, Chapter 0, Topic C


4. During a regularly scheduled audit of a billing area, an
internal auditor is told by an employee that a new
manager frequently takes the place of workers who are
absent or on break. The predecessor never did this. What
should the auditor do next?

A. Nothing. This is only rumour and does not constitute
proof of wrongdoing.
B. Immediately inform senior management.
C. Include the comment in the auditing report so that the
chief audit executive can decide on further action.
D. Gather evidence to establish either cause for fraud
investigation or a lack of cause.
Answer: D

Although the report is not proof, the activity is suspicious and
must be investigated further by the internal auditor to
determine if fraud may be occurring. The results of this
preliminary investigation are included in the audit report.

For more information, refer to Section VI, Chapter 0, Topic B


5. Which of the following is part of the Mission of Internal
Audit?

A. Reducing the occurrence of fraud
B. Respecting the value and ownership of information
received and not disclosing information without
appropriate authority
C. Protecting organizational value
D. Promoting an ethical culture in the profession of internal
auditing
Answer: C

The Mission of Internal Audit is to enhance and protect
organizational value by providing risk-based and objective
assurance, advice, and insight. Promoting an ethical culture is
the purpose of The IIA's Code of Ethics, and respecting the
value and ownership of information received and not
disclosing it is the confidentiality principle from the Code of
Ethics. Reducing the occurrence of fraud is management’s
responsibility.

For more information, refer to Section I, Chapter 0, Topic A


6. What is the distinction between hotline anonymity and
confidentiality?

A. Anonymity provides nondisclosure of the caller’s identity,
and confidentiality removes reference to gender or other
identifying information, even if a name is not provided.
B. The two terms are synonyms.
C. Anonymity does not disclose the caller's identity, while
confidentiality discloses it securely.
D. Anonymity can be maintained only within the limits
allowed by law, while promises of confidentiality must be
kept.
Answer: C

Confidentiality and anonymity are mutually exclusive, as the
correct answer clearly states.

For more information, refer to Section VI, Chapter 0, Topic C


7. An internal auditor believes that the accounts receivable
account balances may not be accurate. Which procedure
listed would best demonstrate his/her professional
scepticism?

A. Performing a statistical sample of the accounts and
tracing them to the source documentation.
B. Tracing the fund balance to the general ledger.
C. Interviewing the company’s sales people responsible for
generating the sales.
D. Issuing third party confirmations to the customers owing
the money.
Answer: D

Maintaining professional scepticism ensures internal auditors
do not make undue assumptions about the validity of
“support” such as verbal explanations from management or
other information received without an appropriate level of
objective verification of such support. Issuing third-party
confirmations to the customers owing the money would be an
independent source to verify the accounts. The information
would be information outside of the company and so
demonstrates an attitude of professional scepticism.

For more information, refer to Section II, Chapter 0, Topic D


8. Organizational control systems are made up of various
components that govern the operations of all levels of the
organization. Some of these components originate at the
senior management level, while others can be developed
at the department level. What is the most basic
component of the organizational control system meant to
guide the daily operations of the organization or a
department?

A. Policies and procedures
B. Statistical reports
C. Performance appraisals
D. Strategic plans
Answer: A

Policies and procedures are the most basic control subsystem
of an organization.

For more information, refer to Section I, Chapter 0, Topic B


9. Which of the following describes the board’s major
responsibilities related to risk management?

A. Assuming direct responsibility
B. Ensuring that an effective, ongoing process to manage
risk is in place
C. Ensuring that the risk management architecture
enhances shareholder value
D. Apprising management of the most significant risks and
determining whether mitigating actions are appropriate
Answer: C

Management has responsibility for risk management and
ensuring that the risk management architecture enhances
shareholder value. The board needs to be certain that this
responsibility is carried out—effectively, proactively, and in an
ongoing manner.

For more information, refer to Section V, Chapter 0, Topic J


10. Which is an example of an internal auditor living up to
Implementation Guide 1220, “Due Professional Care”?

A. Give absolute assurance that noncompliance or
irregularities do not exist.
B. Consider the possibility of material irregularities or
noncompliance on any internal audit assignment.
C. Conduct examinations and verifications to the fullest
extent possible.
D. Check for material irregularities or noncompliance if the
probability of these issues is high.
Answer: B

Implementation Guide 1220 tells us that due professional
care implies reasonable care and competence, not infallibility
or extraordinary performance. Due professional care requires
the internal auditor to conduct examinations and verifications
to a reasonable extent. Internal auditors cannot give absolute
assurance that noncompliance or irregularities do not exist.

For more information, refer to Section III, Chapter 0, Topic C


11. An organization uses a risk map with impact and
likelihood values to classify fraud. The theft of proprietary
customer data (i.e., credit card numbers) is classified as
high likelihood and high impact. Based on this
classification, the organization should

A. reduce the risk likelihood.
B. share the risk with a backup plan.
C. reduce the risk impact.
D. pay little attention to the risk.
Answer: A

The risk map for likelihood and impact looks at each type of
fraud and determines how likely the fraud is to occur and how
significant it would be if it did occur. Any fraud that has a high
probability and high significance of material effect must be
addressed with controls, processes, and procedures to prevent
it, or more realistically, to drastically reduce its likelihood.
Reducing the impact implies that the organization is willing to
incur the theft. This would not be true for a high impact loss of
proprietary data. A backup plan is not a valid example of
sharing the risk.

For more information, refer to Section V, Chapter 0, Topic G


12. In planning an audit, the internal auditor should design
audit objectives and procedures to address the risk
associated with the activity. Risk is defined as

A. the possibility that an event may affect the achievement
of objectives.
B. the failure to accomplish established objectives and
goals for operations or programs.
C. the possibility that the financial statements contain
material misstatements.
D. the failure to adhere to organizational policies, plans,
and procedures or relevant laws and regulations.
Answer: A

The Standards Glossary defines risk as "the possibility of an
event occurring that will have an impact on the achievement
of objectives."

For more information, refer to Section V, Chapter 0, Topic E


13. In regards to organizational responsibilities for internal
control, the CAE is responsible for

A. overseeing the establishment, administration, and
assessment of the system of risk management and
control processes.
B. designing and monitoring control processes.
C. communicating an overall judgment of the
organization’s enterprise risk management (ERM)
process effectiveness to management.
D. providing oversight of the organization’s risk
management and control processes.
Answer: C

The CAE also is responsible for communicating this to the
audit committee. Oversight is the board’s responsibility;
establishment, administration and so on are senior
management’s responsibility; and designing and monitoring
control processes is operational management’s responsibility.

For more information, refer to Section VI, Chapter 0, Topic A


14. Audit committees have been identified as a major factor in
promoting the independence of both internal and external
auditors. Which of the following is the most important limitation
on the effectiveness of audit committees?

A. Audit committees may be composed of independent
directors. However, those directors may have close personal
and professional friendships with management.
B. Audit committees devote most of their efforts to external
audit concerns and do not pay much attention to internal
auditing and the overall control environment.
C. Audit committee members are compensated by the
organization and thus favour a stockholder's view.
D. Audit committee members do not normally have degrees in
the accounting or auditing fields.
Answer: A

Having close relationships with management is a major
limitation that has hampered the effective operation of audit
committees. Audit committee members are usually outside
directors. Many of these directors have a broad viewpoint and
are not limited to a stockholder's view. Audit committees
devote considerable time to the external audit function, but
the evidence is that they are increasingly devoting time to
internal audit reports. A committee member need not have an
accounting degree to understand most reporting and control
issues.

For more information, refer to Section II, Chapter 0, Topic A


15. Which action below would preclude perpetuating
individual objectivity:

A. The internal audit staff is required to submit conflict of
interest statements.
B. Two years after the internal auditor transfers from an
operating department, he is given an audit engagement
in that area.
C. A guest auditor from a subsidiary is added to the audit
team for a specific period for her technical expertise.
D. Having the same internal auditor perform the same
specific audit in consecutive years.
Answer: D

Policies and ongoing assessment of individual objectivity set the
stage for an internal auditor to perform his or her duties
objectively. Additional best practices for perpetuating individual
objectivity include rotating internal auditor staff assignments
periodically whenever it is practical to do so.

For more information, refer to Section II, Chapter 0, Topic C


16. Which is an essential skill for a forensic auditor?

A. Ability to persuade others through selective choice of
information to withhold
B. Awareness of evidence requirements in criminal but not
civil cases
C. Commitment to discussing the principles of accounting
without prejudice to the case
D. Ability to track down and recover evidence
Answer: D

A forensic auditor has special skills apart from a knowledge of
accounting practices, including understanding evidence
requirements in civil and criminal courts, uncovering
evidence, and assembling the evidence into a convincing
narrative (withholding key information would not be ethical).
Forensic auditors are not impartial.

For more information, refer to Section VI, Chapter 0, Topic D


17. The Institute of Chartered Accountants in England and
Wales (ICAEW) generated the Cadbury framework, which
was concerned with reporting on controls related to which
of the following?

A. Full spectrum of internal control
B. Efficiency and effectiveness of corporate social
responsibility policies
C. Reliability of financial reporting
D. Discipline, transparency, and accountability of the
governance function
Answer: C

While the Cadbury model acknowledged that the board has
responsibility for the full spectrum of internal control, it dealt
primarily with the reliability of financial reporting.
Subsequently, in 1999, the ICAEW issued the Turnbull
guidance, which expanded the concept beyond financial
controls.

For more information, refer to Section V, Chapter 0, Topic J


18. Which of the following is least likely to be a part of internal
control monitoring in a small business?

A. Building monitoring into processes to reduce cost and
effort
B. Ongoing monitoring, separate evaluations, and reporting
deficiencies
C. Full external quality assessments
D. Involving key managers in activities
Answer: C

Smaller businesses with limited human resources and budget
may struggle with the expense and rigor of a full external
assessment. They may instead opt for a self-assessment with
independent external evaluation or break the external
assessment into manageable chunks per each year of a five-
year cycle. All of the other monitoring activities can help a
small business achieve effective internal control.

For more information, refer to Section IV, Chapter 0, Topic B


19. Which activity would be presumed to impair the
independence of an internal auditor if done within the
past year?

A. Drafting procedures for running a new computer
application to ensure that proper controls are installed
B. Recommending standards of control for a new
information system application
C. Noting that the chief audit executive has multiple direct
interactions with the board related to a new information
system
D. Performing reviews of procedures for a new computer
application before it is installed
Answer: A

Standard 1130.A1 says in part, "Objectivity is presumed to be
impaired if an internal auditor provides assurance services for
an activity for which the internal auditor had responsibility
within the previous year." The remainder of these are not
presumed to impair independence per Standard 1130.

For more information, refer to Section II, Chapter 0, Topic B


20. While screening proposals for a contract, a bid solicitor
overlooks the fact that a company has no references and
minimal related work history and qualifications. The bid
solicitor helps the company falsify its documentation in
exchange for a cut of the contract. What type of fraud is
this an example of?

A. Misuse of assets
B. Bribery
C. Fraudulent disbursement
D. Cash theft
Answer: B

This is an example of bribery, in the form of kickbacks. Money
was paid to influence the bid solicitor to make a decision that
benefited the bribe payer.

For more information, refer to Section VI, Chapter 0, Topic A


21. Which of the following statements provides the best example of proficiency as
defined in The IIA's International Professional Practices Framework?

A. Based upon a review of the organization's objectives and a general
knowledge of contracts, an internal auditor is able to recommend further
study of the methods used to evaluate work agreements between the
company and its outside consultants.
B. An internal auditor uses knowledge of management principles to identify a
weakness in the organization's reporting structure and follows up with a
recommendation after spending significant time doing further research.
C. Based upon a workshop focused on a specific area of taxation relevant to
the organization, an internal auditor is able to assess the organization's
use of available research credits and suggest a more profitable approach.
D. Based upon prior experience and training, an internal auditor for a utility
evaluates the emissions controls at a coal-fired plant and provides
sufficient documentation that the plant is in full compliance with
governmental mandates.
Answer: D

Proficiency exists when internal auditors possess the
knowledge, skills, and other competencies needed to perform
their individual responsibilities. This is illustrated by the internal
auditor's definitive assessment of the power plant's compliance
with regulations based on evaluation of emissions controls. The
other answer choices refer to the less advanced levels of
knowledge, skills, and other competencies.

For more information, refer to Section III, Chapter 0, Topic A


22. The IIA's Standards require internal auditors to have
knowledge about red flags that have proven to be
associated with management fraud. Which is a factor
generally associated with management fraud?

A. Manager complaints about government regulation and
health-care laws
B. Manager delegation of responsibility, but not oversight,
to subordinates
C. Generous performance-based reward systems
D. Regular comparison of actual results to budgets
Answer: C

Generous performance-based reward systems could provide
motive and perhaps opportunity for fraud. The reward systems
may also create pressure or additional needs that stem from
company expectations. Regular actual-to-budget comparisons
encourage performance and detect problems before they
become too big. Delegation by managers while retaining
oversight is usually considered a positive management trait.
Managers complaining about government regulations or
health-care laws is simply an expression of a political
viewpoint.

For more information, refer to Section VI, Chapter 0, Topic B


23. A written charter that outlines the internal audit
department's purpose, authority, and responsibility and is
approved by the audit committee or board of directors is
primarily meant to enhance the department’s

A. due professional care.
B. independence.
C. stature within the organization.
D. relationship with management.
Answer: B

A charter establishes the department's independence from
management. Due care is a function of audit work, not the
charter.

For more information, refer to Section I, Chapter 0, Topic B


24. Which of the following best describes an internal auditor's
purpose in reviewing the organization’s existing risk
management, control, and governance processes?

A. To ensure that weaknesses in the internal control system are
corrected
B. To help determine the nature, timing, and extent of tests
necessary to achieve engagement objectives
C. To determine whether the processes ensure that the
accounting records are correct and that financial statements
are fairly stated
D. To provide reasonable assurance that the processes will
enable the organization's objectives and goals to be met
efficiently and economically
Answer: D

The purpose stated in Implementation Guide 2120 is to
provide reasonable assurance that the processes will enable
the organization's objectives and goals to be met efficiently
and economically.

For more information, refer to Section V, Chapter 0, Topic H


25. Communication skills are important to internal auditors.
According to the Standards, the auditor should be able to
effectively convey what to the auditee?

A. Evaluations that are constructive in that they omit
information that would lead to unwise conclusions
regarding needed controls
B. The audit objectives designed for a specific auditable
entity
C. The risk assessment used in selecting the area for audit
investigation
D. Recommendations that are generated by managers of
other auditable entities
Answer: B

Auditors should be proficient in communicating audit objectives,
evaluations, and recommendations (their own
recommendations). Evaluations should be complete and not
omit information contrary to the point the auditor would like to
make. The risk assessment process is not normally
communicated to the auditee.

For more information, refer to Section III, Chapter 0, Topic B


26. Which of the following is true of quality assessments that are
implemented according to IIA guidance?

A. A quality assessment team would not be expected to review
the internal audit activity's efficiency and effectiveness.
B. Company managers or members of the board may be
members of the external quality assessment team if they are
qualified, since they are independent of the internal audit
activity.
C. The results of a quality assessment can be shared with the
board but not senior management.
D. The quality assessment process may include feedback from
engagement clients through interviews and questionnaires or
surveys.
Answer: D

Implementation Guide 1311 recommends feedback from
audit customers and other stakeholders (the clients).
Implementation Guide 1312 explicitly states that assessment
team members must be from outside of the organization
being assessed -- therefore, use of company managers or
members of the board is not permitted. Efficiency and
effectiveness are among the recommended key components
of an external assessment's scope, per Implementation Guide
1312. Reporting results to senior management and the board
is the final step of a quality assessment.

For more information, refer to Section IV, Chapter 0, Topic A


27. The best way a new internal auditor can learn about the
company's corporate culture would be to

A. seek the advice of a more experienced person who was
hired at the same time to learn about how the company
works.
B. watch the behaviour of others to determine what works
and what does not.
C. ask several managers to explain how their behaviour is
consistent with the organizational culture.
D. read professional literature and journals to ascertain
how experts view the company.
Answer: B

Rather than trying to fit in too rapidly, a new internal auditor
should watch others and see what kind of behaviour is most
successful.

For more information, refer to Section V, Chapter 0, Topic B


28. Who is responsible for overseeing the evaluation of
information security (data protection) and control?

A. Senior managers
B. Chief audit executive (CAE)
C. Audit committee
D. Chief risk officer (CRO)
Answer: C

Every person in an organization has a role in implementing
internal controls. The audit committee (or the board of
directors if no audit committee exists) oversees the evaluation
of the organization’s internal control system. The CRO
establishes policies related to information security, and senior
managers ensure compliance with the policies. The CAE
assesses (evaluates) the system of controls over information
security.

For more information, refer to Section V, Chapter 0, Topic K


29. Which of the following exemplifies a key performance
indicator (KPI) that targets performance necessary to
meet audit activity objectives?

A. Monitoring, measuring and reporting internal audits
completed compared to the approved risk-based audit
plan.
B. The external auditor’s opinion regarding the quality of
internal controls over financial reporting.
C. The extent of coordination of work with a compliance
function or the enterprise risk management activity.
D. The measured timeliness of clients’ responses to
internal control questionnaires (ICQs).
Answer: A

A primary operational objective for an internal audit activity is to
accomplish its audit plan; a KPI that targets performance necessary
to meet this objective would be to compare audits completed to the
approved work plan. The external auditor’s opinion regarding the
quality of internal controls over financial reporting is related to the
financial reporting activity, not the internal audit activity. Timeliness
of client responses to ICQs would not be an effective measure of
internal audit performance necessary to meet audit activity
objectives. The extent of coordination of work with other internal
assurance providers would not be a KPI that targets performance
necessary to meet audit activity objectives.

For more information, refer to Section III, Chapter 0, Topic D


30. An internal auditor reports directly to the board of
directors. The auditor discovers a material cash shortage.
When questioned, the person responsible explains that
the cash was used to cover sizable medical expenses for a
child and agrees to replace the funds. Because of the
corrective action, the internal auditor does not inform
management. In this instance, the auditor

A. has neither organizational independence nor objectivity.
B. has organizational independence but not objectivity.
C. has objectivity but not organizational independence.
D. has both organizational independence and objectivity.
Answer: B

Because the auditor reports directly to the board of directors,
he has organizational independence. However, by trying to
avoid conflict, the individual is not exercising objectivity.

For more information, refer to Section II, Chapter 0, Topic C

