CIA Exam Part 1 - Practice Exam
Questions And Answers
The CAE is considering different methods of providing training in personal communication skills
for the entire internal audit staff. Which of the following methodologies would be the most
effective means of delivering such training?
A) Computer-based training in human relations skills
B) Individual coaching by a professional communications specialist
C) Self-study booklets explaining communication theory
D) Lecture course on communications delivered by a motivational speaker - ANS B)
Individual coaching by a professional communications specialist
Which is an acceptable role for the internal audit activity in the risk management process?
A) No role
B) Managing specific risks if defined in the internal audit plan
C) Active, continuous support in the process such as leadership of oversight committees
D) Managing and coordinating the risk management process - ANS A) No role
Which is a required type of knowledge, skill, and other competency for an internal auditor?
A) Basic comprehension of internal audit standards, procedures, and techniques required in
performing engagements
B) An understanding of management principles and good business practices so deviations can
be recognized and evaluated
C) Proficiency in accounting principles and techniques for all auditors
D) Proficiency in subjects such as accounting, economics, commercial law, quantitative
methods, and IT - ANS B) An understanding of management principles and good business
practices so deviations can be recognized and evaluated
The bank's internal audit charter neither authorizes nor forbids the internal audit activity to
perform assurances for outside parties. Which of the following conditions apply to providing the
requested service?
A) The vice president of finance may authorize the chief audit executive to schedule the
engagement without amending the charter.
B) Providing assurances to outside parties is a violation of the Standards.
,C) The vice president of finance needs approval of the chief financial officer or the audit
committee before authorizing the chief audit executive to schedule the engagement without
amending the charter.
D) The charter should be amended to allow the internal audit activity to provide assurance
services to outside parties. - ANS D) The charter should be amended to allow the internal
audit activity to provide assurance services to outside parties.
How should the process be handled when considering risk response (or risk treatment) when
the organization uses an ERM environment?
A) As an iterative process that looks at the big picture but also departments and functions
B) As a waterfall process that considers the risks at a holistic level
C) As a process that sets the risk tolerance at the enterprise level and ensures that all
departments adhere to it
D) As a method for setting control activities that ensures that collective risk limits are not
exceeded in any individual instances - ANS A) As an iterative process that looks at the big
picture but also departments and functions
An internal auditor is assigned financial audits. She performs the audits out of the audit
department, downloads records electronically, communicates with the client through email, and
uses audit software. Is the internal auditor demonstrating the required knowledge, skills, and
competencies for an IA?
A) Yes, the auditor is working very efficiently by taking advantage of technology
B) No, financial audits require working more closely with top finance executives due to the need
to provide assurance on ICFR for this type of audit client
C) No, by limiting contact with the client, oral communications skills are not being used to clearly
and effectively convey items such as engagement objectives, evaluations, conclusions, and
recommendations.
D) Yes, the auditor is avoiding taking up too much of the audit client's time, which is
value-added, and is demonstrating professional skepticism by focusing primarily on financial -
ANS C) No, by limiting contact with the client, oral communications skills are not being
used to clearly and effectively convey items such as engagement objectives, evaluations,
conclusions, and recommendations.
Goods received from a certain supplier occasionally arrive without a proper bill of lading. In
these situation, the receiving clerk is directed to telephone the supplier and request a bill of
lading by fax so that he or she can compare what was actually received to the bill and research
any discrepancies. Which of the following is this type of control?
A) application control
B) preventative control
C) governance control
D) detective control - ANS D) detective control
An adequate system of internal controls is most likely to detect an irregularity perpetrated by a
,A) single manager
B) single employee
C) group of managers in collusion
D) group of employees in collusion - ANS B) single employee
Which activity should be treated as a clear impairment of an internal auditor's independence and
objectivity?
A) Overseeing installation of new IT equipment to ensure compliance with the Orgs objectives
B) Participating in a team that assesses IT acquisition possibilities
C) Reviewing competitive bids for development of new sales-tracking software before a
purchase decision is made
D) Applying for a position in a different organization's IT department while participating in a
consulting engagement with the current organization's IT department - ANS A) Overseeing
installation of new IT equipment to ensure compliance with the Orgs objectives
An organization has projected the direct and indirect costs of relocating some of its operations
offshore. Based on analysis results, the organization decides to move forward with offshoring.
Which of the following statements best describes this outcome?
A) The major risk events associated with success are high in impact and high in likelihood
B) the analysis determined that pervasive risk is minimal
C) the decision falls within the organization's risk appetite
D) Inherent risk is lower than residual risk - ANS C) the decision falls within the
organization's risk appetite
In the final report for an internal audit, the internal auditor states that security controls are at the
same level of effectiveness as in the previous audit. There is no mention that control activities in
the previous audit were found to be unsatisfactory. According to the Code of Ethics, this
communication is...
A) specific but not ethical
B) prudent and competent
C) balanced and objective
D) potentially biased - ANS D) potentially biased
Internal auditing is unique in that its scope often encompasses all areas of an organization. It is
not possible for each internal auditor to possess detailed competence in all areas that might be
audited. However, which of the following competencies is required by the Standards for every
internal auditor?
A) proficiency in management principles
B) taxation and law as it applies to the operation of the organization
, C) sufficient knowledge of key information technology risks and controls
D) proficiency in accounting principles - ANS C) sufficient knowledge of key information
technology risks and controls
Who should be the direct recipient of reports that show the results of periodic reviews for
internal assessment of the internal audit function?
A) Senior Management
B) process owners
C) board of dire
D) CAE - ANS D) CAE
Which of the following is the appropriate way to respond to an ethics violation that involves
workplace theft in the U.S.?
A) report the issue directly to legal authorities
B) Terminate the employee, but press charges only if the employee fails to return all of the
funds.
C) Start a progressive disciplinary process with counseling or probation as the first step
D) Terminate the employee, but do not press charges to keep the matter from becoming public.
- ANS A) report the issue directly to legal authorities
Which is a prerequisite in order for the people, processes, and technologies that are put in place
to mitigate ethics and compliance risks to be effective?
A) A well-funded organizational compliance function that serves as the first line of defense
B) An organizational code of conduct that is written in the hearts of the organization's people
rather than on paper
C) As much emphasis on the means to the end as the end results themselves
D) Values that emphasize aggressive risk taking so long as it is directed toward achieving
strategic objectives - ANS C) As much emphasis on the means to the end as the end
results themselves
During an external quality assessment, the outside review team determines that internal
auditors were unable to comply with a particular standard during a specific audit. The internal
auditors noted the noncompliance issue in their final engagement communications but still
claimed that their work was conducted in accordance with the Standards. How does this
situation impact the internal audit activity's use of the statement "Conforms with the International
Standards for the Professional Practice of Internal Auditing"?
A) No impact on use of statement
B) necessitates more frequent external assessments
C) disclosure to sernior mgmt and the board is required before statement is used
D) it negates the use of the statement - ANS A) No impact on use of statement
Questions And Answers
The CAE is considering different methods of providing training in personal communication skills
for the entire internal audit staff. Which of the following methodologies would be the most
effective means of delivering such training?
A) Computer-based training in human relations skills
B) Individual coaching by a professional communications specialist
C) Self-study booklets explaining communication theory
D) Lecture course on communications delivered by a motivational speaker - ANS B)
Individual coaching by a professional communications specialist
Which is an acceptable role for the internal audit activity in the risk management process?
A) No role
B) Managing specific risks if defined in the internal audit plan
C) Active, continuous support in the process such as leadership of oversight committees
D) Managing and coordinating the risk management process - ANS A) No role
Which is a required type of knowledge, skill, and other competency for an internal auditor?
A) Basic comprehension of internal audit standards, procedures, and techniques required in
performing engagements
B) An understanding of management principles and good business practices so deviations can
be recognized and evaluated
C) Proficiency in accounting principles and techniques for all auditors
D) Proficiency in subjects such as accounting, economics, commercial law, quantitative
methods, and IT - ANS B) An understanding of management principles and good business
practices so deviations can be recognized and evaluated
The bank's internal audit charter neither authorizes nor forbids the internal audit activity to
perform assurances for outside parties. Which of the following conditions apply to providing the
requested service?
A) The vice president of finance may authorize the chief audit executive to schedule the
engagement without amending the charter.
B) Providing assurances to outside parties is a violation of the Standards.
,C) The vice president of finance needs approval of the chief financial officer or the audit
committee before authorizing the chief audit executive to schedule the engagement without
amending the charter.
D) The charter should be amended to allow the internal audit activity to provide assurance
services to outside parties. - ANS D) The charter should be amended to allow the internal
audit activity to provide assurance services to outside parties.
How should the process be handled when considering risk response (or risk treatment) when
the organization uses an ERM environment?
A) As an iterative process that looks at the big picture but also departments and functions
B) As a waterfall process that considers the risks at a holistic level
C) As a process that sets the risk tolerance at the enterprise level and ensures that all
departments adhere to it
D) As a method for setting control activities that ensures that collective risk limits are not
exceeded in any individual instances - ANS A) As an iterative process that looks at the big
picture but also departments and functions
An internal auditor is assigned financial audits. She performs the audits out of the audit
department, downloads records electronically, communicates with the client through email, and
uses audit software. Is the internal auditor demonstrating the required knowledge, skills, and
competencies for an IA?
A) Yes, the auditor is working very efficiently by taking advantage of technology
B) No, financial audits require working more closely with top finance executives due to the need
to provide assurance on ICFR for this type of audit client
C) No, by limiting contact with the client, oral communications skills are not being used to clearly
and effectively convey items such as engagement objectives, evaluations, conclusions, and
recommendations.
D) Yes, the auditor is avoiding taking up too much of the audit client's time, which is
value-added, and is demonstrating professional skepticism by focusing primarily on financial -
ANS C) No, by limiting contact with the client, oral communications skills are not being
used to clearly and effectively convey items such as engagement objectives, evaluations,
conclusions, and recommendations.
Goods received from a certain supplier occasionally arrive without a proper bill of lading. In
these situation, the receiving clerk is directed to telephone the supplier and request a bill of
lading by fax so that he or she can compare what was actually received to the bill and research
any discrepancies. Which of the following is this type of control?
A) application control
B) preventative control
C) governance control
D) detective control - ANS D) detective control
An adequate system of internal controls is most likely to detect an irregularity perpetrated by a
,A) single manager
B) single employee
C) group of managers in collusion
D) group of employees in collusion - ANS B) single employee
Which activity should be treated as a clear impairment of an internal auditor's independence and
objectivity?
A) Overseeing installation of new IT equipment to ensure compliance with the Orgs objectives
B) Participating in a team that assesses IT acquisition possibilities
C) Reviewing competitive bids for development of new sales-tracking software before a
purchase decision is made
D) Applying for a position in a different organization's IT department while participating in a
consulting engagement with the current organization's IT department - ANS A) Overseeing
installation of new IT equipment to ensure compliance with the Orgs objectives
An organization has projected the direct and indirect costs of relocating some of its operations
offshore. Based on analysis results, the organization decides to move forward with offshoring.
Which of the following statements best describes this outcome?
A) The major risk events associated with success are high in impact and high in likelihood
B) the analysis determined that pervasive risk is minimal
C) the decision falls within the organization's risk appetite
D) Inherent risk is lower than residual risk - ANS C) the decision falls within the
organization's risk appetite
In the final report for an internal audit, the internal auditor states that security controls are at the
same level of effectiveness as in the previous audit. There is no mention that control activities in
the previous audit were found to be unsatisfactory. According to the Code of Ethics, this
communication is...
A) specific but not ethical
B) prudent and competent
C) balanced and objective
D) potentially biased - ANS D) potentially biased
Internal auditing is unique in that its scope often encompasses all areas of an organization. It is
not possible for each internal auditor to possess detailed competence in all areas that might be
audited. However, which of the following competencies is required by the Standards for every
internal auditor?
A) proficiency in management principles
B) taxation and law as it applies to the operation of the organization
, C) sufficient knowledge of key information technology risks and controls
D) proficiency in accounting principles - ANS C) sufficient knowledge of key information
technology risks and controls
Who should be the direct recipient of reports that show the results of periodic reviews for
internal assessment of the internal audit function?
A) Senior Management
B) process owners
C) board of dire
D) CAE - ANS D) CAE
Which of the following is the appropriate way to respond to an ethics violation that involves
workplace theft in the U.S.?
A) report the issue directly to legal authorities
B) Terminate the employee, but press charges only if the employee fails to return all of the
funds.
C) Start a progressive disciplinary process with counseling or probation as the first step
D) Terminate the employee, but do not press charges to keep the matter from becoming public.
- ANS A) report the issue directly to legal authorities
Which is a prerequisite in order for the people, processes, and technologies that are put in place
to mitigate ethics and compliance risks to be effective?
A) A well-funded organizational compliance function that serves as the first line of defense
B) An organizational code of conduct that is written in the hearts of the organization's people
rather than on paper
C) As much emphasis on the means to the end as the end results themselves
D) Values that emphasize aggressive risk taking so long as it is directed toward achieving
strategic objectives - ANS C) As much emphasis on the means to the end as the end
results themselves
During an external quality assessment, the outside review team determines that internal
auditors were unable to comply with a particular standard during a specific audit. The internal
auditors noted the noncompliance issue in their final engagement communications but still
claimed that their work was conducted in accordance with the Standards. How does this
situation impact the internal audit activity's use of the statement "Conforms with the International
Standards for the Professional Practice of Internal Auditing"?
A) No impact on use of statement
B) necessitates more frequent external assessments
C) disclosure to sernior mgmt and the board is required before statement is used
D) it negates the use of the statement - ANS A) No impact on use of statement
