ANSWERS
You are asked to audit the control environment for an organization. Elements you will look at include
integrity and ethical values, organizational structure, and human resources policies and practices. Which
is another element to consider?
-Creation of a mission statement
-Adherence to regulations
-Competence of stakeholders
-Assignment of authority and responsibility
CORRECT ANSWER: Assignment of authority and responsibility
Per the Practice Guide "Auditing the Control Environment," additional elements to consider include the
assignment of authority and responsibility, management philosophy and operating style, and
competence of personnel (not of stakeholders).
Goods received from a certain supplier occasionally arrive without a proper bill of lading. In these
situations, the receiving clerk is directed to telephone the supplier and request a bill of lading by fax so
that he or she can compare what was actually received to the bill and research any discrepancies. Which
of the following is this type of control?
-Governance control
-Detective control
-Preventive control
-Application control
CORRECT ANSWER: Detective control
Because it detects something wrong, it is a detective control.
Which of the following is the appropriate way to respond to an ethics violation that involves workplace
theft in the U.S.?
-Start a progressive disciplinary process with counseling or probation as the first step.
-Terminate the employee, but do not press charges to keep the matter from becoming public.
-Report the issue directly to legal authorities.
-Terminate the employee, but press charges only if the employee fails to return all of the funds.
CORRECT ANSWER: Report the issue directly to legal authorities.
In the U.S., illegal activities must be reported to the police. In some countries, victims may choose not to
press charges, especially if the loss has been recovered.
Who should be the direct recipient of reports that show the results of periodic reviews for internal
assessment of the internal audit function?
-Board of directors
-Process owners
-Chief audit executive (CAE)
-Senior management
CORRECT ANSWER: Chief audit executive (CAE)
Typically, those individuals conducting ongoing and periodic reviews should report to the CAE while
performing the reviews and should communicate their results directly to the CAE.
A chief audit executive (CAE) suspects that several employees have used desktop computers for
personal gain. In conducting an investigation, the primary reason that the CAE chooses to engage a
forensic information systems auditor rather than using the organization's information systems auditor is
that a forensic auditor would possess
-knowledge of the computing system that would enable a more comprehensive assessment of the
computer use and abuse.
-superior documentation and organizational skills that would facilitate the presentation of findings to
senior management and the board.
-superior analytical skills that would facilitate the identification of computer abuse.
-knowledge of what constitutes evidence acceptable in a court of law.
CORRECT ANSWER: knowledge of what constitutes evidence acceptable in a court of law.
The distinguishing characteristic of forensic auditing is the knowledge needed to testify as an expert
witness in a court of law. Although a forensic auditor may possess the other attributes listed, the
organization's information systems auditor may also possess these skills or knowledge elements.
Which of the following best describes an event that would be placed in the low impact, high likelihood
area of a risk heat map?
-Downsizing consolidates the check signing and check authorization functions in the controller job role.
-Employees could find a way to bypass the automated controls over web surfing and thus waste time.
-Petty cash is kept in a high traffic area, and the organization doesn't use an imprest account system.
-Computer output sits at the printer after it is printed, and valuable material could end up in
competitors' hands.
CORRECT ANSWER: Petty cash is kept in a high traffic area, and the organization doesn't use an imprest account system.
The controls over petty cash are almost nonexistent. This makes the event very likely, but the loss of
some petty cash would not have a high impact on business continuity. The computer output answer is
high impact but low likelihood, because an employee would likely need to be colluding with the
competitor. The downsizing answer is high impact and high likelihood, while the web surfing answer is
low likelihood and low impact.
Internal auditors at an organization have found evidence showing that many employees are using
workarounds to bypass controls. Which would be the best way to reduce the control risk the
organization is facing?
-Communicate the reasoning behind the control objectives to employees.
-Create supervisory positions to monitor the use of controls.
-Communicate the fact that these controls are mandatory.
-Terminate employees who have been using the workarounds.
CORRECT ANSWER: Communicate the reasoning behind the control objectives to employees.
Objectives and reasons for controls need to be communicated to employees. If this is not done,
employees may see controls as unnecessary, irrelevant, and a waste of time. The other answer choices
would be less effective or efficient.
Question: A receiving department receives copies of purchase orders for use in identifying and recording
inventory receipts. The purchase orders list the name of the vendor and the quantities of the materials
ordered. What is a possible error that this system could allow?
a. delay in recording purchases.
b. payment to unauthorized vendors.
c. payment for unauthorized purchases.
d. overpayment for partial deliveries.
CORRECT ANSWER: Overpayment for partial deliveries.
Rationale: The risk of telling the receiving department the quantities ordered is that the receiving
department may fail to make an accurate count of the materials received. The receiving department
needs to know quantities, but the receiving clerk counting materials received does not. This system
could lead to overpayment for partial deliveries.
Question: Which activity should be treated as a clear impairment of an internal auditor's independence
and objectivity?
a. Overseeing installation of new IT equipment to ensure compliance with the organization's objectives.