IIA-CIA-Part1 Internal Auditing Exam

Uploaded by

kuthiragal

IT Certification Guaranteed, The Easy Way!

Exam : IIA-CIA-Part1

Title : Essentials of Internal Auditing

Vendor : IIA

Version : V17.65

NO.1 According to IIA guidance, which of the following is ultimately responsible for seeing that the
internal control system of an organization's social responsibility program is effective?
(A). Senior management
(B). Internal audit activity.
(C). All employees.
(D). Board of directors.
Answer: B

NO.2 An internal auditor is finalizing an audit report on the effectiveness of the organization's overall
system of internal control. Several audit tests were performed, and the only issue identified was that
the CEO frequently asks employees to make exceptions or bypass the organization's standard written
policies and procedures. Which of the following conclusions is most appropriate for the auditor to
report?
(A). The auditor should indicate that the system of internal control is not effective.
(B). The auditor should indicate that the system of internal control is generally effective, except for
the minor issue identified.
(C). The auditor should indicate that the system of internal control is effective.
(D). The auditor cannot express a conclusive opinion in the audit report.
Answer: A

NO.3 According to IIA guidance, which of the following statements is true regarding internal
auditors' use of technology-based techniques?
(A). Auditors must consider using technology if it advances the engagement, even when
implementation costs exceed the benefits.
(B). Auditors must consider using technology to reduce the organization's risk by detecting all
instances of fraud.
(C). Auditors must consider using technology only when the implementation cost does not exceed
benefits.
(D). Auditors must consider using technology in a variety of engagements to ensure that their work is
substantiated and infallible.
Answer: C

NO.4 According to The IIA's Code of Ethics, which of the following statements is true?
(A). When an internal auditor releases required information to a regulator, resulting in a significant
loss through fines and penalties for the organization, he fails to add value.
(B). When an internal auditor limits the scope of the audit engagement after learning that
management is hiding relevant information, he demonstrates integrity.
(C). When an internal auditor disagrees with the treatment received by workers in the organization's
foreign subsidiary and alters the audit program to highlight the issue, he fails to demonstrate
objectivity.
(D). When an internal auditor continues with an audit engagement, despite the audit client's claims
that the work performed is unnecessary and redundant, he fails to demonstrate competency.
Answer: C

NO.5 Which of the following situations would cause the greatest concern regarding impairment of
internal audit objectivity?
(A). The internal auditor reviewed the audit client's proposed procedures and standards of control and
offered suggested improvements at the client's request.
(B). The internal auditor performed nonaudit work for the audit client which was communicated to
senior management and the board before the engagement was performed and restated in the audit
report.
(C). Internal auditors accepted limited access to the audit client's systems and records in accordance
with the scope of the engagement.
(D). The internal auditor used his in-depth knowledge of systems development to assist the audit
client in designing a new operational system with robust controls.
Answer: C

NO.6 An organization opened its warehouse to sell written-off surplus and outdated office furniture
to the general public. Prices were negotiable, and customers could pay by cash, check, or credit card.
Receipts were available upon request, and were issued by the inventory manager upon collection of
payment. At the end of the day, the manager forwarded all of the funds he had collected to the
finance department for deposit. Which of the following types of fraud is most likely to occur under
these circumstances?
(A). Asset misappropriation.
(B). Bribery.
(C). Falsifying records.
(D). Skimming
Answer: B

NO.7 Which competency is required of all staff internal auditors prior to the commencement of an IT
audit?
(A). The ability to assess IT governance.
(B). The ability to provide an explanation on the risk profile of the organization to the board and
senior management.
(C). The ability to ensure that proposals for improvements to internal controls are balanced with
organizational objectives and capabilities.
(D). The ability to assess the potential for fraud risk and identifying common types of fraud associated
with the engagement.
Answer: A

NO.8 Which of the following statements about internal audit consulting engagements is true?
(A). The primary purpose of a consulting engagement is to assess evidence and provide conclusions.
(B). The internal audit activity determines the nature and scope of work for the specific consulting
engagement
(C). Internal auditors may provide consulting services relating to operations for which they had
previous responsibilities.
(D). It is not appropriate to communicate control issues identified during consulting engagements to
the board
Answer: C

NO.9 Which of the following actions by the internal audit activity requires disclosure to the board of
nonconformance with the Standards?
(A). The internal audit activity did not complete an external assessment within the last seven years
(B). The internal audit activity performed an engagement with limited scope due to lack of knowledge
(C). The internal audit activity failed to consider risk when conducting a review of a department
(D). An internal auditor was assigned to an engagement in an area where she previously worked
more than 10 years ago
Answer: A

NO.10 Which of the following represents an example of an ethical issue that the organization should
address?

Answer: D

NO.11 Which requirement should the chief audit executive consider when communicating results of
the quality assurance and improvement program to the board of a large organization?
(A). The internal assessment results should be discussed once every five years.
(B). The rating conclusions and the impact from results of the external assessment should be
explained.
(C). The results of the external assessment should be discussed every seven years.
(D). The qualifications and independence of the internal assessment team should be discussed.
Answer: B

NO.12 The chief audit executive (CAE) planned an in-person group training to help internal auditors
perform onsite inspections of an automobile manufacturing facility. The training would have allowed
the auditors to better understand the production of the organization's automobiles. However, a
global health crisis has impacted the training by prohibiting in-person contact at the facility. Which of
the following could the CAE use to provide auditors with a better understanding of the organization's
production process?
(A). A general web-based training on auditing manufacturing processes.
(B). Self-study courses on the industry's production practices
(C). Industry publications that discuss production methods
(D). A virtual meeting with management that explains the production of automobiles
Answer: D

NO.13 Which of the following is a role internal auditors should undertake related to risk
management?
(A). Evaluate the reporting of key risks
(B). Set the risk appetite
(C). Implement risk responses on management's behalf
(D). Impose risk management processes
Answer: A

NO.14 Which of the following best describes the board's role in establishing effective organizational
governance?
(A). The board is involved in approving operational policy
(B). The board monitors key processes and procedures
(C). The board has oversight responsibility for organizational resources
(D). The board approves management's detailed plans and objectives
Answer: C

NO.15 According to IIA guidance, an internal audit charter should detail which of the following?
(A). The objectives and goals of management
(B). The process used by the CAE to manage the organization's internal controls
(C). The nature of services that the internal audit activity will provide to external third parties
(D). The responsibilities of the audit committee
Answer: C

NO.16 According to IIA guidance, which of the following statements regarding the internal audit
charter is true?
(A). The nature of consulting services typically is not included in the charter.
(B). The chief audit executive must formally review the charter at least once a year
(C). The nature of assurances provided to parties outside of the organization typically is not included
in the charter.
(D). The charter typically defines the internal audit activity's position within the organization.
Answer: D

NO.17 After the final audit report was issued, the engagement supervisor received an expensive gift
from management recognizing her assistance in improving the business. If the gift is accepted, which
of the following would be true?
(A). The engagement supervisor violated The IIA's Code of Ethics principle of integrity.
(B). The engagement supervisor violated The IIA's Code of Ethics principle of objectivity.
(C). The engagement supervisor violated The IIA's Code of Ethics principle of confidentiality.
(D). The engagement supervisor did not violate any principles of The IIA's Code of Ethics.
Answer: B

NO.18 Which of the following is an example of risk monitoring to ensure a system is performing as
intended?
(A). Checking the progress of risk treatment plans
(B). Considering the consequence and likelihood of risks
(C). Documenting the risks and their areas of impact
(D). Communicating to management about risks
Answer: A

NO.19 According to IIA guidance, which of the following statements is true regarding mentoring
programs designed to assist internal auditors with their professional development?
(A). The mentor must have a higher position in the organization than the mentee
(B). An auditor's supervisor is best positioned to serve as the auditor's mentor
(C). Meetings between a mentor and a mentee should be formal and well documented
(D). Auditors at the same level may be assigned different mentors and some auditors may have no
mentor
Answer: B

NO.20 Which of the following situations undermines the independence of the internal audit activity?

Answer: A

NO.21 At a conference, an internal auditor presented a new computer-assisted audit technique
developed by his organization. The presentation included sample data derived from performing audit
engagements for the organization. Travel costs were paid by the conference organizers, and the trip
was approved by the chief audit executive (CAE).
However, neither management nor the CAE was aware that the internal auditor would be making a
presentation based on work completed for the organization. According to IIA guidance, which of the
following statements is most relevant regarding the actions of the auditor?
(A). The auditor did not violate the standard of objectivity because the presentation had no impact
on the organization.
(B). The auditor violated the principle of confidentiality by disclosing information about the
organization without approval.
(C). The auditor should have obtained permission before using the material, but did not violate the
IIA Code of Ethics or Standards.
(D). The auditor breached the conflict of interest standard by accepting payment for travel costs
Answer: C

NO.22 A global organization established a new internal audit activity and the recently hired chief
audit executive needs to develop an internal audit manual for internal auditors. Among the following
policies in the manual, which would facilitate internal auditors in upholding their objectivity?
(A). Internal auditors shall attend professional workshops to refresh internal audit norms and
concepts
(B). Internal auditors' performance is synchronized with satisfaction ratings given by audit clients
(C). Internal auditors take prior audit results into account when conducting current audit
engagements
(D). Internal auditors observe the audit client's expectations when scoping audit engagements
Answer: A

NO.23 Which of the following activities aligns with The IIA's Core Principles for the Professional
Practice of Internal Auditing?
(A). The chief audit executive reports to senior management for compensation decisions and
communications of audit results to the board
(B). Final reports from consulting engagements show the summary of findings, and the internal
auditor's advice is clearly distinct and separate from management's decisions
(C). Internal auditors rotate through operations and management positions then perform audit
engagements on these areas to ensure timely application of their knowledge
(D). Due to limited resources, internal auditors prioritize assurance on internal controls and risk
management and exclude evaluating governance processes, which are deemed outside of their core
responsibilities
Answer: D

NO.24 Which of the following would show appropriate disclosure of nonconformance with the
Standards?
(A). The chief audit executive (CAE) documented in the personal file a critical conflict of interest
involving an internal audit on an upcoming contracting engagement.
(B). The CAE discussed with the board an issue regarding the internal activity performing an IT
engagement without proper skills and knowledge.
(C). The CAE met with the peer review team to discuss an internal auditor's failure to meet the annual
requirements for continuing professional education.
(D). The CAE revealed to the operational manager that he failed to appropriately consider
risks while he was developing the audit plan.
Answer: B

NO.25 Which of the following activities would an internal auditor perform as a consulting
engagement for an organization?
(A). Advising new internal auditors working for the organization on how to develop strategies on
planning audits for the upcoming fiscal year
(B). Assessing whether the organization's corporate social responsibility program is meeting its yearly
goals to reduce carbon emissions.
(C). Briefing the organization's department managers on how to implement risk management
processes into their daily operations.
(D). Communicating with senior management to better understand how new purchasing controls will
minimize payment processing time.
Answer: C

NO.26 According to IIA guidance, which of the following is true of the internal audit activity's quality
assurance and improvement program?
1. Monitoring the internal audit activity's performance must be ongoing
2. All aspects of the internal audit activity should be evaluated
3. The requirement for external assessments can be satisfied through self-assessments that are
validated by an independent external party
4. The review of assurance services should be the primary focus
(A). 1 and 2 only
(B). 2 and 3 only
(C). 1, 2 and 3
(D). 1, 3 and 4
Answer: C

NO.27 According to IIA guidance, which of the following statements is true regarding reporting the
results of the quality assurance and improvement program?
(A). Results of internal assessments need to be reported to the board at least once every five years.
(B). The external assessor must present the findings from the external assessment to senior
management and the board upon completion.
(C). Deficiencies within the internal audit activity must be reported to the board as soon as they are
noted.
(D). Results of ongoing monitoring of the internal audit activity's performance must be reported to
senior management and the board at least annually
Answer: D

NO.28 A manufacturing organization's chief audit executive (CAE) was approached by the head of
security from one of the manufacturer's third-party suppliers. The head of security requested internal
audit records from a recent audit engagement involving the third-party supplier. The head of security
believed those records contained information that would make it possible to identify employees of the
third-party supplier who may be involved in fraudulent activities. What is the most appropriate course of
action for the CAE?
(A). Obtain approval from the manufacturer's audit committee regarding the release of audit records
(B). Release the records but first remove all data regarding the manufacturing organization's internal
actions and procedures
(C). Deny access to the records as the third-party supplier's security team should be able to
investigate their own employees.
(D). Consult with the manufacturer's senior management to determine whether releasing the records
would be appropriate
Answer: D

NO.29 According to IIA guidance, which of the following best demonstrates that the chief audit
executive is properly reporting the results of the quality assurance and improvement program to
senior management and the board?
(A). Providing a written conformance statement to both senior management and the board.
(B). Giving copies of both external and internal assessments to the board.
(C). Keeping files of reports of ongoing external assessment monitoring.
(D). Retaining copies of board meeting minutes showing that discussions of assessments took place.
Answer: D

NO.30 Which of the following statements is true with regard to the quality assurance and
improvement program (QAIP)?

Answer: C

NO.31 In which of the following scenarios would the chief audit executive (CAE) be required to
decline the assignment?
(A). The CAE would need to procure external services to deliver the internal audit assurance program.
(B). There is no expertise within the internal audit team for detecting and investigating fraud.
(C). There is no expertise within the internal audit team for auditing an IT engagement.
(D). There is no available expertise on the internal audit team to perform a consulting engagement
Answer: D

NO.32 A new internal audit activity is considering the adoption of a risk and control framework.
Which of the following is the most appropriate consideration during this process?
(A). The framework should not be developed by the internal audit activity
(B). The framework should apply to individual projects rather than the organization as a whole
(C). The framework should always be tailored to the organization
(D). The framework should require fewer resources to implement
Answer: C

NO.33 During an audit engagement, a junior staff internal auditor begins to suspect a fraud may
have occurred involving a friend of the engagement supervisor. He reports his concerns to the
engagement supervisor, who disagrees with his suspicions and directs him to continue with the
engagement as planned. Given the circumstance, what is the most appropriate action for the junior
auditor to take?
(A). Document in the workpapers and expand testing.
(B). Continue with the engagement as planned, per the more senior auditor.
(C). Report the suspected fraud to law enforcement officials and seek financial restitution.
(D). Escalate the concern to the chief audit executive.
Answer: D

NO.34 According to IIA guidance, which of the following statements is true regarding proficiency?
(A). The globally accepted Certified Internal Auditor designation is mandatory at chief audit executive
levels.
(B). Internal auditors are encouraged to obtain appropriate professional designations.
(C). Specialty designations are required for those who perform specialized audit and consulting work.
(D). Studies for professional designations are the preferred source of continuing professional
education
Answer: B

NO.35 Which of the following describes the internal audit activity's most appropriate role in an
organization's risk management process?
(A). Reporting to the board on management's assessment of current risks
(B). Establishing a risk management policy and framework for the organization
(C). Assigning responsibility for identifying and managing significant risks
(D). Developing key controls to mitigate risks across the organization
Answer: A

NO.36 After being assigned to an audit of the accounts payable process, an internal auditor privately
notifies the chief audit executive that she is a finalist for an open manager position within the
accounts payable department. Which of the following is the IIA Code of Ethics principle that the
auditor upheld?
(A). Independence.
(B). Confidentiality.
(C). Objectivity.
(D). Competency
Answer: C

NO.37 In which of the following scenarios would it be appropriate for the chief audit executive (CAE)
to report that the internal audit activity conforms with the Standards?
(A). A new internal audit activity was formed four years ago. An external assessment was never
performed, but successive internal assessments were performed and support the conclusion that the
internal audit activity conforms with the Standards
(B). An internal self-assessment completed yesterday found that the internal audit activity did not
conform with the Standards when carrying out its work. However, the preceding independent
external assessment supports the conclusion that the internal audit activity conforms with the
Standards.
(C). To reduce costs, the CAE excluded the use of external assessors from the internal audit activity's
quality assurance and improvement program for the past seven years.
However, the CAE concluded that the internal audit activity conforms with the Standards because all
internal assessments over the period have supported this conclusion.
(D). The results of the last external assessment of the internal audit activity, performed a little over
five years ago, indicated that the internal audit activity conforms with the Standards. The most recent
internal assessment performed within the past year also indicates conformance.
Answer: A

NO.38 An internal auditor believes that the internal audit activity's independence is impaired. Which
of the following actions should the internal auditor take first?
(A). Report the impairment to senior management
(B). Discuss the impairment with the audit manager
(C). Ascertain the best approach to disclose the impairment.
(D). Decide on the extent of impact of the impairment
Answer: C

NO.39 When dealing with various stakeholders, which of the following is true regarding an internal
auditor's responsibility to remain objective and independent?
(A). When deciding between conflicting reports of a control's performance from a control operator
and the operator's manager, the internal auditor should generally believe the manager.
(B). Some audit issues may remain unremediated and unreported if management will accept
recommendations that the internal auditor deems more important.
(C). The internal auditor may initially disagree with management's acceptance of a risk, but
reevaluate and agree with management's judgment after further discussion.
(D). When working on business unit audits, it is sometimes sufficient for the internal auditor to report
deficiencies only to the unit manager when remediation is not complex.
Answer: C

NO.40 Which of the following needs to be established prior to undertaking an assessment of the
quality assurance and improvement program?

Answer: D

NO.41 A newly hired internal auditor is most likely to need further education in the area of business
acumen in which of the following situations?
(A). She was transferred from the managerial accounting department of the same organization.
(B). She was recruited from the internal audit activity of another organization that operates in a
different industry.
(C). She was offered a permanent position after she had worked with the organization for two years
in a temporary auditor-in-training position.
(D). She previously served on the organization's external audit team and was recruited to the internal
audit activity following the current year's financial audit.
Answer: B

NO.42 An internal auditor is performing testing to gather evidence regarding an organization's
inventory account balance and is mindful of the possibility that the sample used might support the
conclusion that the recorded account balance is not materially misstated when, in fact, it is. The
auditor's concern best describes which of the following risks?
(A). Incorrect rejection risk.
(B). Incorrect acceptance risk.
(C). Tolerable misstatement risk.
(D). Anticipated misstatement risk
Answer: B

NO.43 Which of the following scenarios depicts an appropriate role for the internal audit activity to
take regarding an organization's risk management process?
(A). Internal audit designs and implements the organization's controls to help manage risk.
(B). Internal audit sets the organization's risk tolerance and promotes awareness throughout the
organization.
(C). Internal audit assesses whether the organization's risk management processes are effective.
(D). Internal audit is responsible for safeguarding the organization's assets and preventing loss from
occurring.
Answer: C

NO.44 Which of the following best describes the differences between internal auditors and external
auditors?
(A). External auditors are concerned about misstatements in the organization's financial statements,
while internal auditors are concerned about fraudulent activities that could impact the organization's
financial statements
(B). External auditors are required to hold an accounting designation and are responsible for
continuing their education, while internal auditors are required to hold an internal audit designation.
(C). External auditors focus on the accuracy and understandability of financial statements, while
internal auditors help the organization accomplish its objectives by evaluating and improving the
effectiveness of the control process.
(D). External auditors are not employees of the organization, while internal auditors are employees
who have in-depth knowledge of the business, making their opinion more reliable to the board and
senior management.
Answer: D

NO.45 Which of the following accurately describes the concept of inherent risk?
(A). Risk factors that exist when controls are in place and operating effectively
(B). Internal risk factors assuming no controls are in place
(C). Risk factors that cannot be mitigated because they are innate to a process
(D). Combination of internal and external risk factors in their pure state assuming no controls are in
place
Answer: D

NO.46 An internal auditor is providing consulting services on an area he was responsible for three
years ago. Part of the consulting scope covers a review of a performance measuring system that the
auditor helped to develop. What is the best course of action for the auditor to take concerning the
consulting service?
(A). Accept the consulting services only after receiving approval to do so from the board.
(B). Accept the consulting services. The objectivity won't be impaired if it has been more than a year
since he last worked in the area under review.
(C). Refrain from providing the consulting service because he was responsible for that area and his
objectivity will be impaired.
(D). Disclose the potential impairment to the customer before accepting the consulting engagement
Answer: D

NO.47 Which of the following activities best demonstrates an internal auditor's commitment to
developing professional competencies?
(A). Requesting to be part of all engagements on the annual audit plan.
(B). Attending a series of locally offered training courses.
(C). Completing a skills assessment and development plan for targeted training needs.
(D). Attending a webinar on how to use data analytics
Answer: C

NO.48 According to IIA guidance, which of the following training methods is considered most
effective in assisting new entry-level internal auditors in achieving competence with internal audit
practices in the workplace?
(A). Pursuance of an internal audit certification.
(B). Enrollment in internal audit practice webinars.
(C). Attendance of internal audit workshops.
(D). Involvement in a variety of audit assignments.
Answer: D

NO.49 In which of the following ways could stakeholders be engaged in corporate social
responsibility efforts?
(A). Investigation of health and safety incidents.
(B). Auditing of controls and management systems.
(C). Communication of disclosures and external reporting.
(D). Involvement in focus groups and complaint management
Answer: C

NO.50 According to IIA guidance, which of the following activities would typically be examined when
using the maturity model approach for assessing an organization's risk management program?

Answer: A

NO.51 Which of the following indicates that internal audit independence may be compromised?
(A). The internal auditor maintains a close personal relationship with operational management.
(B). Material observations were intentionally left out of the audit report.
(C). Internal auditors assigned to the audit engagement did not have the knowledge, skills, and
competencies needed to perform their responsibilities.
(D). An internal auditor failed to apply professional skepticism while performing audit tests in an area
overseen by an experienced, reputable manager
Answer: C

NO.52 Which of the following would be considered an indicator that an organization's ethics
program is not yet well developed?
(A). Disciplinary actions for ethics compliance violations are reviewed by the internal audit activity for
consistency.
(B). Communication of ethics compliance expectations is the responsibility of employees' direct
managers.
(C). The organization's code of ethics and related compliance policy are reviewed annually for
potential updates.
(D). The board of directors reviews ethics oversight metrics for violations and compliance.
Answer: B

NO.53 Which of the following statements is true regarding consulting engagements?
(A). Internal auditors cannot provide consulting services related to operations for which they had
previous responsibilities.
(B). The nature of consulting services to be performed by internal auditors must be defined in the
internal audit charter
(C). If internal auditors have potential impairments to objectivity related to the proposed consulting
engagement, the engagement must be declined.
(D). If internal auditors lack the knowledge, skills, or other competencies needed to perform the
consulting engagement, the engagement can proceed with proper disclosures.
Answer: B

NO.54 Which of the following engagements would be considered an appropriate consulting service?
(A). The internal audit activity of a commercial bank routinely performs branch audits for compliance
with regulations.
(B). The internal audit activity participates in a cosourcing arrangement with an IT audit firm to test
information systems security.
(C). The internal audit activity facilitates biannual training of the risk management team in risk
identification methodologies.
(D). The internal audit activity partners with external auditors annually to complete fieldwork
required as a part of the external audit exercise.
Answer: C

NO.55 An engagement supervisor obtains facilities maintenance reports from a contractor during an
audit of third-party services. Which of the following is the source of authority for the engagement
supervisor to make such contact outside the organization?
(A). The policies and procedures of the internal audit activity.
(B). The provisions of the internal audit charter.
(C). The authority of the CEO.
(D). The IIA's Code of Ethics.
Answer: B

NO.56 Which of the following best demonstrates organizational independence of the internal audit
activity?
(A). The chief audit executive reports directly to the board
(B). Internal auditors may not disclose personal data of the audit client
(C). Internal auditors may not accept gifts from management of the area under review
(D). Internal auditors must observe the law and make required disclosures
Answer: D

NO.57 Which of the following actions would best help the internal audit activity promote continuous
improvement in control effectiveness within the organization?
(A). Determining whether management measures and monitors the costs and benefits of controls.
(B). Providing training on controls and ongoing self-monitoring processes.
(C). Developing flowcharts to obtain information about control design adequacy.
(D). Identifying objectives and the risks involved in achieving them.
Answer: B

NO.58 An internal auditor discovered fraud while performing an audit of an organization's
procurement process. Which of the following describes the greatest benefit of using forensic auditing
techniques in this scenario?
(A). Enhanced capability to prevent frauds from occurring.
(B). Greater assurance that procurement frauds will be detected in a timely manner
(C). Improved capability of evaluating fraud risks within the organization.
(D). Greater understanding of fraud through better evidence collection
Answer: D


NO.59 What should be the first step for a newly hired chief audit executive to build and maintain the
proficiency of the internal audit activity?
(A). Incorporate the basic criteria of internal audit competency into job descriptions
(B). Complete a periodic skills assessment of the internal audit activity
(C). Develop a competency or skill assessment tool.
(D). Perform benchmarking with competitors to learn what other firms are doing related to this topic
Answer: B

NO.60 Which of the following would permit an internal audit activity to use the statement
"conducted in conformance with the International Standards for the Professional Practice of Internal
Auditing" in audit reports?

Answer: A

NO.61 The internal audit activity was denied access to expenditure and budget reports because they
were considered to be confidential. This situation would result in which of the following limitations of
the internal audit activity?
(A). Independence
(B). Integrity
(C). Objectivity
(D). Authority
Answer: D

NO.62 Which of the following qualifies as an acceptable consulting service provided by the internal
audit activity?
(A). Develop training and system rollout plans in response to the results of the change readiness
assessment of a new sales distribution model
(B). Lead a risk self assessment session for laboratory managers to help identify inherent risks and
provide recommendations on how to evaluate the risks
(C). Audit a third party cloud service provider to review the effectiveness of governance and
management controls in providing secure services to its customers
(D). Conduct a post-implementation assessment of the enterprise resource planning system to
determine whether project objectives were met and to identify opportunities to maximize potential
benefits
Answer: B

NO.63 The internal audit activity is asked to provide consulting services regarding the risks related to
implementing a proposed new inventory management system. Which of the following would be a
key consideration of the internal audit activity in accepting this engagement?
(A). Ask the inventory manager to determine whether the work planned would be sufficient to meet
the consulting engagement objectives.
(B). Ensure that the method used to communicate the results of the consulting engagement is
consistent with the board's preferred method.
(C). Determine whether the benefits to be derived from the requested assessment would exceed the
cost of providing the consulting service.
(D). Use email and telephone conversations to convey the results of the engagement, as these may
prove to be the most efficient methods for communicating.
Answer: A

NO.64 Operational management in the IT department has developed key performance indicator
reports, which are reviewed in detail during monthly staff meetings. This activity is designed to
prevent which of the following conditions?
(A). Knowledge/skills gap.
(B). Monitoring gap.
(C). Accountability/reward failure.
(D). Communication failure.
Answer: B

NO.65 A chief audit executive added more money to the IT training budget to ensure the
organization's internal auditors were able to perform data analytics while performing an audit. Which
core competency is being addressed?
(A). Data analytics
(B). IT fraud detection.
(C). Continuing professional development
(D). Due professional care.
Answer: D

NO.66 Which of the following best describes the risk contained in an initial public offering for a new
stock?
(A). Residual risk.
(B). Net risk.
(C). Inherent risk.
(D). Underlying risk.
Answer: C

NO.67 During an assurance engagement, an internal auditor uses benchmarking research to support
preparation of a report to stakeholders that contains significant findings about control deficiencies.
Which of the following skills did the auditor demonstrate?
(A). Internal audit management.
(B). Conflict negotiation.
(C). Critical thinking.
(D). Persuasion and collaboration.
Answer: C

NO.68 Which of the following statements is true regarding the role of the internal audit activity in
the organization's risk management process?
(A). The internal audit activity should not be responsible for developing the organization's risk
management framework, even with appropriate safeguards.
(B). The internal audit activity is typically responsible for alerting operational management to
emerging risks and changes in regulatory scenarios
(C). The internal audit activity may coach management on risk response scenarios if safeguards have
been implemented.
(D). The internal audit activity should avoid giving assurance regarding the accuracy of risk
evaluations if safeguards have not been implemented.
Answer: C

NO.69 Which of the following is part of a fraud detection program?
(A). Whistleblower hotline.
(B). Authority limits.
(C). Background investigations
(D). Evaluation of compensation programs.
Answer: A

NO.70 Of all the common characteristics of frauds, which of the following can the organization
influence the most?

Answer: C

NO.71 Which of the following represents a deficiency in the control environment?
(A). The sales department has failed to achieve targets for the last nine months.
(B). Employees report suspicious activity by calling the organization's ethics hotline.
(C). Hiring procedures do not include background checks for prospective job candidates.
(D). Management reports three potential ethics issues to the board of directors.
Answer: C

NO.72 Which of the following documents are internal auditors most likely to be asked to sign as a
demonstration of due professional care?
A description of their job responsibilities,
(A). A non-disclosure agreement.
(B). An annual declaration of commitment to
(C). The IIA's Code of Ethics.
(D). The internal audit charter.
Answer: B

NO.73 When beginning an engagement to assess the effectiveness of the organization's newly
revamped risk management processes, which of the following should internal auditors review first?
(A). Key risk disclosures in the annual report.
(B). Existing risk assessment and identification processes.
(C). Organizational strategy and business plans.
(D). Risk mitigation plans and risk responses.
Answer: C

NO.74 An internal auditor performed a risk assessment and concluded that the controls over access
privileges to a bank account were appropriate. Later, the auditor learned that a contractor was using
a shared password provided by an authorized user of the account. Which of the following statements
best describes the auditor's application of due professional care?
(A). Due professional care was exercised, despite the auditor's failure to identify the significant risk.
(B). Due professional care was not exercised because the auditor failed to identify all the significant
risks during the risk assessment.
(C). Due professional care was not exercised because the residual risk from the possibility of
authorized users sharing their passwords was not considered.
(D). Due professional care was not exercised because the auditor failed to conduct interviews to
obtain testimonial evidence of possible password sharing
Answer: C

NO.75 While auditing an organization's credit approval process, an internal auditor learns that the
organization has made a large loan to another auditor's relative. Which course of action should the
auditor take?
(A). Proceed with the audit engagement, but do not include the relative's information.
(B). Have the chief audit executive and management determine whether the auditor should continue
with the audit engagement.
(C). Disclose in the engagement final communication that the relative is a customer.
(D). Immediately withdraw from the audit engagement.
Answer: B

NO.76 A chief audit executive (CAE) has no direct access to the board. According to IIA guidance,
which of the following is the most appropriate way for the CAE to react?
(A). Ensure all subsequent audit reports include a disclaimer as to the lack of access to the board.
(B). Focus on operational audit work and disregard lack of direct access to the members of the board.
(C). Initiate changes to the internal audit charter to report to senior management for the time being.
(D). Engage in written communications with the board and present relevant issues in writing
Answer: D

NO.77 Which of the following statements best illustrates why internal auditors assess soft controls?
(A). Assessing soft controls is an effective method of assessing risk related to personnel.
(B). Assessing soft controls, as opposed to hard controls, makes it easier to evaluate operating
effectiveness.
(C). Assessing soft controls can help internal auditors in undertaking root-cause analysis.
(D). Assessing soft controls provides more objective information than assessing hard controls.
Answer: A

NO.78 Which of the following policies promotes internal audit objectivity?
(A). The chief audit executive (CAE) reports functionally to the CEO
(B). The CAE's compensation is approved by the chief financial officer
(C). The CAE's appointment is determined by the CEO
(D). The CAE reports administratively to the chief operating officer
Answer: C

NO.79 Which of the following should the internal audit activity establish to ensure auditors develop
the appropriate skills for conducting audits?
(A). An audit charter that includes the internal audit activity mission and vision
(B). A policy encouraging audit staff to earn certifications
(C). A quality assurance and improvement program to address audit risk areas
(D). An internal audit plan that links engagements to strategic objectives
Answer: D

NO.80 As part of a fraud investigation by regulators, a court order was issued to a bank. The court
order requested the chief audit executive (CAE) to provide access to a number of audit reports and
workpapers, some of which included customers' confidential information such as transaction activity
and other personal details. What is the appropriate response by the CAE?

Answer: C

NO.81 A senior executive at a government-owned organization received an invitation to attend a
public exhibition where he can learn about new trucks relevant to the organization's business. As a
special perk, the executive is offered an opportunity to drive a luxury vehicle manufactured by one of
the exhibiting companies. Prior to the event, the executive asked for the chief audit executive's
(CAE's) advice. What should the CAE recommend as the most appropriate course of action for the
executive?
(A). Attend the event, but decline the offer to use the luxury vehicle
(B). Decline the invitation to the exhibition.
(C). Ask the board to decide on the issue.
(D). Select a lower-level employee to enjoy the luxury vehicle instead
Answer: A

NO.82 Which of the following statements is true regarding consulting and assurance engagements
performed by the internal audit activity?
(A). For both assurance and consulting engagements, the auditor must independently and objectively
select the criteria for evaluation
(B). For a consulting engagement, internal auditors and management jointly agree on the adequate
criteria needed to evaluate governance, risk management, and controls. This is not true of assurance
engagements
(C). Engagement planning and fieldwork are similar for both types of engagements (there are no
major differences) although the reporting process is different depending on which service is provided
(D). For a consulting engagement, objectives must address governance, risk management, and control
processes to the extent agreed upon with the client. This is not true of assurance engagements
Answer: B

NO.83 During an audit engagement of a large retail store, internal auditors noted significant
discrepancies between available inventory and sales and suspect an abuse of cash register refunds
and voids. Which of the following would be the most effective preventative control to reduce these
losses?
(A). Ensure that returned merchandise is restocked to shelves or sent to the manufacturer by an
independent employee.
(B). Call a sample of customers who returned merchandise to test the legitimacy of the returns and
check refund amounts.
(C). Require that a manager use a reserved register code to approve voids or refunds.
(D). Analyze voids and refunds by employee, credit card number, and amount for unusual numbers,
amounts, or patterns.
Answer: C

NO.84 Which of the following statements best describes how the internal audit activity obtains
reasonable assurance that significant risks in the organization are identified and assessed?
(A). The internal auditors review the organization's strategic plan, business plan, and policies, and
have discussions with the board and senior management.
(B). The internal auditors evaluate the adequacy and timeliness of management's reporting of risk
management results.
(C). The internal auditors interview staff at various levels and determine whether the organization's
objectives, significant risks, and risk appetite are articulated sufficiently.
(D). The internal auditors review recently completed risk assessments and related reports issued by
senior management, external auditors, and other sources.
Answer: C

NO.85 Which of the following best describes the internal audit activity's contribution to the
implementation of the risk management framework?
(A). Internal audit identifies key risk areas during assurance reviews and provides audit findings.
(B). Internal audit assists with the prioritization of identified risks.
(C). Internal audit participates in setting the risk appetite.
(D). Internal audit takes part in the design of risk mitigation measures.
Answer: A

NO.86 It is important for the chief audit executive to consider the level of competence of the
internal audit staff because their competence influences which of the following?
(A). The cost-benefit relationship of planned audits.
(B). Proficiency needed to carry out engagements.
(C). Achievement of the objectives of internal control.
(D). Quantity of the audits performed.
Answer: B

NO.87 Which of the following statements is true regarding the quality assurance and improvement
program (QAIP)?
(A). Reporting on the QAIP to the board should occur at least once every five years
(B). The responsibility for the selection of an external assessor rests with the board
(C). The qualifications of the assessors must be communicated to the board
(D). The reporting of outcomes of the QAIP can be delegated to senior audit staff
Answer: C

NO.88 The internal audit activity is responsible for conducting fraud investigations. A potential fraud
instance was identified during an audit engagement. The chief audit executive appoints a lead
investigator. Which of the following would most likely be the next step?
(A). Ask internal auditors to gather all relevant information evidence
(B). Identify and interview witnesses first, potential suspects later.
(C). Conduct a fraud risk assessment to the most vulnerable areas.
(D). Determine the competencies needed and assess whether team members have a conflict of
interest.
Answer: B

NO.89 Which of the following circumstances would most likely be considered a potential red flag for
fraud by the internal audit activity?
(A). The monthly payroll reports are not vetted to ensure terminated employees have been removed
from the payroll system
(B). The volume of nonroutine journal entries has steadily increased over time.
(C). The database of approved suppliers has not been reviewed in the last year
(D). The recent employee survey indicates that some employees remain unaware of the
organization's whistleblower hotline.
Answer: A

NO.90 Which of the following skills is most important for an internal auditor who facilitates control
self-assessment workshops to possess?

Answer: C

NO.91 During an audit of company expenses, the internal auditor performed a test using data
analytics and identified a violation of the company's expenses policy. The auditor who discovered the
issue considered it a potential fraudulent transaction and informed the chief financial officer (CFO).
The CFO dismissed the concern because he did not understand the data analytics test that was
performed and the transaction was of a low value. Given this situation, which skills or competencies
should this internal auditor seek to improve?
(A). Skills in evaluating the risk of fraud.
(B). Knowledge of key IT risks and controls
(C). Soft skills such as communication and negotiation.
(D). Knowledge and understanding of the company's expenses policy
Answer: C

NO.92 Which of the following preventative controls would be most effective for organizations facing
business disruptions and respective financial losses?
(A). Develop a business continuity plan for contingent situations.
(B). Insure the organization against financial losses.
(C). Rely on third-party cloud solution providers for the organization's systems.
(D). Hedge company assets via purchasing derivatives.
Answer: A

NO.93 Which of the following approaches will internal audit utilize when developing a set of
performance standards to measure an organization's risk management process against?
(A). Key principles approach
(B). Process elements approach
(C). Holistic approach
(D). Maturity model approach
Answer: D

NO.94 Which of the following statements is the most appropriate for a chief audit executive to
include in the internal audit policy manual in order to promote objectivity?
(A). Internal auditors may conduct a financial effectiveness engagement in a business unit at any
point after being transferred from that area.
(B). Internal auditors may conclude that a business unit's current control environment is adequate
and effective if the review of the prior year's workpapers and audit report supports that conclusion.
(C). Internal auditors may conduct an engagement in a business unit at any point after providing a
training workshop in that area.
(D). Internal auditors should limit the scope of an engagement if they become aware of a potential
impairment of their objectivity in order to reduce the potential impact of the impairment on the
engagement results.
Answer: D

NO.95 Which of the following best demonstrates the authority of the internal audit activity?
(A). Suggesting alternatives to decision makers.
(B). Improving the integrity of information.
(C). Determining the scope of internal audit services
(D). Achieving engagement objectives.
Answer: C

NO.96 Which of the following actions is the internal audit activity best positioned within the
organization to perform?
(A). Determine organizational risk tolerances
(B). Monitor the organization's risk mitigations
(C). Determine the likelihood and impact of risks
(D). Advise the board on risk management issues
Answer: D

NO.97 According to IIA guidance, which of the following statements is true regarding internal
auditors' knowledge, skills and other competencies?
(A). The chief audit executive (CAE) must obtain competent advice and assistance if the internal audit
activity lacks the knowledge, skills, or other competencies needed to complete the audit engagement
(B). Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in
which it is managed by the organization and should have the expertise of a fraud investigator
(C). Internal auditors need to have basic knowledge of key IT risks and controls and available
technology-based audit techniques in order to perform their assigned work
(D). The CAE must refuse a consulting engagement if the internal audit activity lacks the knowledge,
skills, or other competencies needed to perform all or part of the engagement
Answer: D

NO.98 A significant number of employees expressed concerns of a hostile work environment within
a large manufacturing plant, which is in contrast to the organization's stated culture of tolerance and
open communication. Which of the following approaches would be most effective for an internal
auditor to assess whether the organization supports a culture of tolerance and open communication?
(A). Assess plant employees' social media activity for specific messages related to tolerance and open
communication
(B). Compare plant employees' compensation and benefits with those at similar sized organizations
that have a stated culture of tolerance and open communication.
(C). Evaluate organization policies and procedures for references related to encouraging tolerance
and open communication.
(D). Conduct a meeting with all plant employees and management to discuss tolerance and open
communication
Answer: C

NO.99 An audit client who was unsatisfied with the audit report rating called the chief audit
executive (CAE) and complained that the internal auditor who performed the audit was biased
because his spouse, who worked in the area under review, was on a list of employees to be
terminated. Which of the following measures would be most appropriate to prevent this situation
from arising?
(A). Initiating an internal investigation to clarify whether a biased judgment took place.
(B). Requiring the internal auditors to disclose any potential conflicts of interest.
(C). Requiring that the audit client disclose any potential conflicts of interest with the auditor.
(D). Requiring human resources manager to submit all future job applicants' data in order to identify
relatives of auditors.
Answer: B

NO.100 During an assurance engagement, an internal auditor discovered that risk limits risk limit
were set for a new market expansion project. Management of the area under review was eager to
comply and submitted a potential risk limit value for the auditor's review and approval. Which of the
following would be an appropriate course of action for the auditor to take?

Answer: A

NO.101 Which of the following internal controls best mitigates the risk of corruption schemes
between employees and vendors?
(A). Establishing policies that prohibit an employee from receiving gifts from an interested party.
(B). Having employees sign annual attestations that they adhere to the organization's code of ethics.
(C). Having strong management oversight of the purchasing and accounts payable functions.
(D). Conducting regular examinations of documentation both paper and electronic.
Answer: C

NO.102 Which of the following should catch the internal auditor's attention as a potential red flag
for fraud?
(A). The accounting unit keeps detailed records and preserves supporting documentation in excess of
company requirements
(B). One of the subsidiaries has more bank accounts than any other comparable subsidiary
(C). The same external audit firm has been with the company for three years without rotation
(D). The arithmetic median tenure of employees working at production facilities is 15 years
Answer: B

NO.103 Which of the following is a true statement regarding whistleblowing?
(A). Whistleblowing is one of several possible ethical structures an organization can undertake to
encourage ethical behavior.
(B). Whistleblowing programs help employees deal with ethical questions and instill ethical values
into everyday behavior
(C). Whistleblowers are current or former employees who are disgruntled and looking to retaliate.
(D). Whistleblowers should inform the organization about actual criminal circumstances, not
assumed allegations
Answer: A

NO.104 In which of the following scenarios is the internal auditor in conformance with The IIA's
Code of Ethics and the Standards?
(A). The auditor testifies in front of a jury about an organization's fraudulent financial practices after
receiving a subpoena
(B). Management has agreed to remedy a significant control deficiency, so the auditor excludes the
deficiency from the engagement report
(C). The chief audit executive declines an assurance engagement in IT because the internal audit
activity is not proficient in IT
(D). The auditor communicates an audit opinion on fraud risk during an audit engagement's
preliminary fraud risk assessment
Answer: A

NO.105 An internal audit activity includes in its audit reports the assertion that its work is performed
in conformance with the International Standards for the Professional Practice of Internal Auditing
(Standards). A recent external quality assessment concluded that the internal audit activity had
substantial deficiencies that impact its overall operations.
According to IIA guidance, which of the following is the most appropriate action for issuing future
audit reports?
(A). Refrain from indicating that the internal audit activity operates in conformance with the
Standards until the chief audit executive confirms that the internal audit activity has addressed all
areas of nonconformance and the audit committee has been notified.
(B). Refrain from indicating that the internal audit activity operates in conformance with the
Standards until another external assessment confirms that the significant areas of nonconformance
have been addressed.
(C). Indicate that the internal audit activity operates in partial conformance with the Standards, as
the internal audit activity has a quality assurance and improvement program in place to address
deficiencies and has met the requirement for conducting an external assessment.
(D). Update and reissue previous audit reports, removing the assertion that the internal audit activity
operates in conformance with the Standards, and distribute them to all parties who received the
original reports.
Answer: A

NO.106 Which of the following is an example of an application control?
(A). Employees in the data center must always wear identification badges
(B). Operating system updates must be installed within 48 hours.
(C). A two stage authentication process must be used to access customer information
(D). System backup and recovery testing must be done monthly
Answer: C

NO.107 In the COSO internal control framework, which of the following components serves as the
foundation for the other components?
(A). Control activities.
(B). Control environment.
(C). Risk assessment.
(D). Monitoring
Answer: B

NO.108 An internal auditor is updating the risk register for risks identified during a recent
organizational risk assessment. According to the Standards, which of the following would the auditor
include in the risk register?
(A). Management's acceptance of inadequate controls for cybersecurity risk.
(B). Discussions with senior management relating to a new revenue stream.
(C). Mitigating controls implemented by the engagement supervisor
(D). Project manager planned hours versus time spent for all prior year projects
Answer: A

NO.109 In a small organization, management is unable to achieve adequate segregation of duties for
its cash-handling procedures. Therefore, hidden surveillance cameras were installed to monitor
cash-handling activities. Which of the following best describes this type of control?
(A). Corrective control
(B). Process-level control
(C). Compensating control
(D). Preventive control
Answer: C

NO.110 An internal auditor was offered expensive tickets to a sporting event by the manager of an
area that she was currently auditing. The auditor politely declined. Which of the following
fundamental principles of the IIA Code of Ethics did she display?

Answer: B

NO.111 The chief audit executive (CAE) has assigned an internal auditor to an upcoming
engagement. Which of the following requirements would most likely indicate that the internal
auditor was assigned to an assurance engagement?
(A). The assigned internal auditor must determine the objectives, scope, and techniques of the
engagement.
(B). The CAE must personally obtain the needed skills, knowledge, or other competencies if the
internal auditor does not have them.
(C). The assigned internal auditor must not assume management responsibilities while performing
the engagement
(D). The assigned internal auditor must maintain objectivity while performing the engagement.
Answer: A

NO.112 Which of the following items related to the quality assurance and improvement program
should the chief audit executive report to the board?
(A). Ongoing monitoring results
(B). Periodic management assessment results
(C). Annual risk assessment results
(D). Internal auditors' training evaluation results
Answer: C

NO.113 Which of the following best describes the internal audit activity's responsibility within a risk
and control framework?
(A). The internal audit activity constitutes the first line of defense in effective risk management.
(B). The internal audit activity provides direction regarding internal controls implementation.
(C). The internal audit activity verifies that management has met its responsibility for implementing
effective controls.
(D). The internal audit activity implements the internal control framework and advises management
regarding best practices.
Answer: C

NO.114 Which of the following is the best example of a computer forensic audit activity?
(A). An internal auditor compared vendor addresses to employee home addresses.
(B). An internal auditor used analytical software to trace all disbursements processed on weekends.
(C). An internal auditor tried to circumvent the logical access controls of the purchasing system.
(D). An internal auditor recovered emails of an employee who was suspected of fraudulent activities
Answer: D

NO.115 Outsourcing a business activity is considered which of the following risk management
techniques?
(A). Sharing a risk.
(B). Avoiding a risk.
(C). Reducing a risk.
(D). Mitigating a risk
Answer: A

NO.116 An internal auditor wants to compare her organization's governance processes to those of a
well-known governance model. Which of the following approaches would the auditor take for this
purpose?
(A). Perform a gap analysis to assess the differences between the approaches
(B). Assess the governance processes using computerized modeling techniques
(C). Identify any differences between the processes using a variance analysis
(D). Benchmark the governance processes using a capability maturity model
Answer: D

NO.117 The organization's procurement manager asks the internal auditor to deliver training to the
procurement team on the organization's third-party risk management process. Which of the
following is the most appropriate response?
(A). The internal auditor should reject the request if she previously worked in the procurement area
to maintain objectivity
(B). The internal auditor should reject the request if the internal audit team does not have the
requisite expertise.
(C). The internal auditor should accept the request and in fact she may assume some management
responsibilities temporarily if the result is a relevant training benefit
(D). The internal auditor may accept the request only if she defines the scope to ensure conformance
with the Code of Ethics
Answer: D

NO.118 While preparing the audit plan for an automobile manufacturing company, the chief audit
executive (CAE) noted that the company's engineering department received a high risk ranking.
However, the internal audit activity is understaffed, and current staff do not possess the necessary
skills to adequately assess the effectiveness of the engineering department. What is the most
appropriate course of action for the CAE to take?
(A). Include the engineering department on the audit plan, use the available internal audit resources
to conduct the review, and exclude procedures that cannot be adequately assessed.
(B). Advise management to accept the assessed risk until the internal auditors are able to review the
area adequately.
(C). Recruit internal auditors with the required competencies and wait until they are employed
before including this audit on the internal audit plan.
(D). Proceed with a review of the engineering department but supplement the internal audit team
with nonauditors from an external engineering company who have the required skills to assist
Answer: D

NO.119 An internal audit of an organization's disbursement department revealed that multiple
payments were made to legitimate vendors bearing fraudulent banking information belonging to
employees in the department. These vendors were initially set up with accurate banking information
but were subsequently modified by disbursement officers with access to the vendor management
system. Which of the following controls would have likely prevented the fraudulent modification of
vendors' banking information?
(A). Management periodically reviews and verifies the information in the vendor master file.
(B). Management's approval is required for updates to vendors' banking information.
(C). Management randomly audits a sample of payments to verify the accuracy of vendors' banking
information.
(D). Management's approval is required before payments can be processed.
Answer: B

NO.120 Which of the following are considered root causes of fraud?

Answer: C

NO.121 An electric company hires several independent contractors to trim trees that are in close
proximity to electricity lines. Which of the following would be the most effective control to mitigate
the risk of contractors submitting fraudulent invoices regarding work completed?
(A). Require contractors to submit completed and signed work acceptance sheets
(B). Utilize unmanned drones to conduct regular flights and photo shoots over the areas where work
is performed
(C). Reconcile invoices and work acceptance sheets submitted by contractors
(D). Compare actual payments to contractors with budgeted values and analyze discrepancies
Answer: C

NO.122 A fraud investigation was completed by management, and a proven fraud was
communicated to relevant authorities. According to IIA guidance, which of the following roles would
be most appropriate for the internal audit activity to undertake after the investigation?
(A). Plan employee sessions and team building strategies for the organization to improve awareness
of fraud among employees
(B). Review the investigation and implement any improvements to the process.
(C). Conduct lessons learned sessions to ascertain how the fraud occurred and which controls failed.
(D). Determine why the fraud was not detected earlier and design controls to strengthen early
detection.
Answer: C

NO.123 If an internal auditor suspects fraud during an engagement, which of the following is
expected of the auditor?
(A). Evaluate the suspected activities to determine whether a formal investigation is warranted.
(B). Immediately inform senior management and the board of the suspected fraud.
(C). Ascertain the level of resources needed to formally investigate the fraud, and proceed with the
investigation if resources permit.
(D). Include in the engagement documentation all possible effects and the potential impact of the
fraud to the organization
Answer: A

NO.124 Why is it imperative for the chief audit executive to track and develop the educational
qualifications of internal audit staff?
(A). To accurately conduct performance appraisals
(B). To ensure that staff complete required continuing professional education credits annually.
(C). To ensure that the resources needed to complete the audit plan are available.
(D). To satisfy the audit committee requirements.
Answer: C

NO.125 Which of the following scenarios demonstrates nonconformance with the Standards?
(A). An internal auditor failed to expand the engagement and include management's preferences
when determining the scope of an upcoming assurance engagement.
(B). An internal audit activity lacks the skills needed to perform a high-risk security engagement
included on the annual audit plan.
(C). A chief audit executive failed to perform a risk assessment prior to preparing the audit plan
(D). An internal audit activity has existed for two years and has not undergone external quality
assessment
Answer: C

NO.126 Upon completion of an external quality assessment, which of the following would the chief
audit executive be required to report to the board?
(A). The total time spent to accomplish the external assessment
(B). The detailed evaluation results of the external assessment
(C). The competency and independence of the external assessment team
(D). The timetable and schedule of the next external assessment
Answer: B

NO.127 An internal auditor performed a consulting engagement last year which included assisting
with management's design of controls over the procurement function. How should the chief audit
executive plan an assurance engagement on the adequacy of the internal control system in the
procurement function in the current year?
(A). Assign the engagement to another internal auditor on staff
(B). Outsource the engagement to ensure independence
(C). Harness the auditor's knowledge of the procurement function by assigning the engagement to
the same internal auditor
(D). Postpone the engagement to the following year to ensure enough time has passed since the
controls were designed
Answer: A

NO.128 Which of the following statements relating to risk management is true?
(A). The high-level risk assessment performed during engagement planning is a detailed step-by-step
analytical process
(B). External auditors must be engaged to evaluate the potential for fraud and how the organization
manages fraud risk
(C). A lack of controls is acceptable if the risk is reduced to an acceptable level in some other way
(D). Internal auditors are responsible for managing the risks of the organization
Answer: C

NO.129 According to IIA guidance, the nature and scope of assurance and consulting services to be
offered must be clearly delineated in which of the following internal audit documents?
(A). The internal audit policies and procedures handbook.
(B). The internal audit charter.
(C). The internal audit mission statement.
(D). Each internal audit engagement letter.
Answer: B

NO.130 Which of the following preventative controls would be most effective for organizations
facing business disruptions and respective financial losses?

Answer: A

NO.131 Which of the following would be an important aspect of an internal auditor's role in fraud
management?
(A). Utilizing analytical techniques to actively discover instances of potential fraud
(B). Conducting fraud-based audits to ensure that fraud will be detected during engagements
(C). Implementing fraud prevention controls to minimize and mitigate the risk of fraud
(D). Reporting instances of fraud discovered during engagements to regulatory bodies
Answer: A

NO.132 Which of the following best describes a responsibility of the board of directors with regard
to risk management throughout the organization?
(A). Monitor the organization's overall risk activities in relation to its risk appetite and other risk
criteria.
(B). Guide the integration of risk management with other business planning and management
activities.
(C). Review the portfolio of risk of the organization in relation to its risk appetite.
(D). Assume responsibility for the effectiveness and success of the risk management framework
Answer: D

NO.133 Which of the following could increase risks to the organization's control environment?
(A). Strong board of directors oversight.
(B). Incentive-based compensation structures.
(C). Lower than average employee turnover.
(D). Implementation of a fraud hotline.
Answer: B

NO.134 A whistleblower reveals to the chief audit executive (CAE) detailed allegations of potential
fraud at the senior management level. Although the CAE has some experience in the area, she
chooses to retain an external fraud expert to conduct the investigation. When asked by the director
of finance to defend the expenditure, which of the following statements represents the CAE's best
response?
(A). The CAE refers to the Standards and explains that to protect her independence, she needs to
remain isolated from the investigation.
(B). The CAE refers to the Standards and explains that the internal audit activity must obtain
competent assistance if needed.
(C). The CAE refers to the Standards and explains that to protect her objectivity, she needs to remain
isolated from the investigation.
(D). The CAE describes the specifics of the allegation to underscore the importance of the situation
and the need for expert investigation
Answer: B

NO.135 An organization's operations management is aware of existing internal control deficiencies
but they lack the competency to execute internal control measures. Which of the following actions if
taken by the internal audit activity is appropriate to assist operating management in achieving
continuous improvement on internal controls?
(A). Foster the importance of the control environment
(B). Provide training on controls and on self-monitoring processes
(C). Recommend installing an enterprisewide risk management system.
(D). Conduct more assurance assignments on high risk areas
Answer: B

NO.136 Which of the following most accurately describes the role of the board when it comes to
organizational governance?
(A). Responsibility for outcome of the process.
(B). Responsibility to be involved in management of the organization.
(C). Responsibility to determine who is accountable for outcomes.
(D). Responsibility to identify risks in the organization's business environment
Answer: C

NO.137 Which of the following is the first step in the process of identifying relevant fraud risk
factors?
(A). Identifying preventive and detective controls
(B). Gathering information about the organization's business activities to gain an understanding of
fraud risks
(C). Engaging in strategic reasoning to anticipate the fraud scheme
(D). The use of brainstorming, management interviews, analytical procedures and review of prior
frauds.
Answer: B

NO.138 During the audit of taxation processes in the organization, internal auditors have verified
that all employees of the finance department received training on taxation guidelines. The training is
mandatory and is automatically assigned via email invitation to all new employees in the department.
Which type of controls have the auditors tested?
(A). Directive
(B). Preventive
(C). Detective
(D). Automatic
Answer: A

NO.139 Which of the following is true regarding risk analysis?
(A). Impact and likelihood should be assessed together.
(B). Impact and likelihood should be given equal consideration by the internal auditor.
(C). Impact and likelihood should be measured using quantitative methods.
(D). Impact and likelihood should be used to determine risk response.
Answer: A

NO.140 Which type(s) of assessments in an internal audit activity's quality assurance and
improvement program requires ongoing monitoring to evaluate internal audit activity's efficiency and
effectiveness?

Answer: B

NO.141 Which of the following options describes the reason that conformance with The IIA's Code
of Ethics is mandatory for internal auditors?
(A). Ethical compliance provides the basis for stakeholder confidence in the competence of the
internal audit activity and of professional internal auditors.
(B). Ethical compliance is necessary for internal auditors and the internal audit activity to accept
responsibility for providing absolute assurance about the organization's risk management.
(C). Ethical compliance provides the basis for stakeholder trust and confidence in the validity of the
profession of internal auditing and the internal audit activity's findings.
(D). The internal audit activity's ethical compliance sets the tone for the ethical compliance by the
organization's board, management, and employees.
Answer: C

NO.142 Which of the following statements is true regarding an organization's code of ethics?
(A). It should be written with primary consideration given to using a rule-based approach.
(B). It should be of two variations: one applicable internally and one applicable for third parties.
(C). Its operational effectiveness cannot be tested using traditional audit and rating systems such as
maturity models.
(D). It should require an annual attestation of compliance with the code of conduct by all employees.
Answer: D

NO.143 According to IIA guidance, which of the following describes the primary reason to
implement environmental and social safeguards within an organization?
(A). To enable Triple Bottom Line reporting capability.
(B). To facilitate the conduct of risk assessment.
(C). To achieve and maintain sustainable development.
(D). To fulfill regulatory and compliance requirements.
Answer: A

NO.144 During a payroll audit, the internal auditor discovered that several individuals who have the
same position classification as he are earning a significantly higher salary. The auditor noted the
names and amounts of each, and he planned to prepare a request to the chief audit executive for a
salary increase based on this information. Which of the following IIA Code of Ethics principles was
violated in this scenario?
(A). Competency.
(B). Objectivity.
(C). Integrity.
(D). Confidentiality
Answer: D

NO.145 Which of the following is an advantage of using nongovernmental organization (NGO)
members on an assurance team when auditing corporate social responsibility?
(A). Typically less time is needed to train the NGO members on the audit process.
(B). NGO members are often more unbiased and objective
(C). A report with a positive statement from an NGO member is deemed to be more credible, as
opposed to auditors.
(D). NGO members are licensed to audit corporate social responsibility.
Answer: B

NO.146 Which of the following is a consulting service the internal audit activity can perform with
respect to the organization's risk management?
(A). Delivering assurance on the risk management system
(B). Facilitating risk assessment workshops
(C). Evaluating principal risk reporting
(D). Deciding on the appropriate risk response
Answer: B

NO.147 An investment advisory firm purchased professional liability insurance to offer protection
from lawsuits brought by customers claiming they received poor or erroneous advice. Which of the
following best describes this risk management technique?
(A). Mitigation.
(B). Acceptance
(C). Transfer.
(D). Avoidance
Answer: C

NO.148 Which of the following statements is true regarding the independent peer review process
undertaken to fulfill the requirement for an external quality assessment?
(A). Two individuals in the same internal audit activity may perform an independent peer review as
long as they do not report to the same audit manager
(B). Individuals from a separate but related organization such as an affiliate may perform peer
reviews
(C). Individuals working in separate internal audit activities may be considered independent as long as
they do not report to the same chief audit executive
(D). Peer reviews are generally less cost-effective than hiring an external quality assessor
Answer: B

NO.149 Which of the following best describes the risk created when a manager bypasses
organizational policies and procedures in order to meet an organization's objective?
(A). Accountability/reward risk.
(B). Monitoring failure risk.
(C). Communication failure risk.
(D). Knowledge/skills risk
Answer: A

NO.150 A newly hired chief audit executive is reviewing available documentation to provide
evidence of conformance with the standard for continuing professional development. Which of the
following documents is the most reliable source for this purpose?

Answer: C

NO.151 The largest risks facing an organization should be mitigated by which type of controls?
(A). Entity-level
(B). Activity-level
(C). Transaction-level
(D). Process-level
Answer: A

NO.152 Which of the following best demonstrates conformance with IIA standards related to
continuing professional development?
(A). Retaining evidence of training in the form of continuing education credits
(B). Seeking guidance regarding internal audit best practices from The IIA
(C). Retaining supervisory reviews conducted on the basis of the development plan
(D). Giving consideration to certain areas of specialization as part of development planning
Answer: B

NO.153 A business unit manager was impressed by the competence of the internal auditor who was
conducting an assurance engagement in his area, and the manager made the auditor an attractive job
offer to begin after the audit was completed. The auditor later told her auditor in charge that she was
considering the offer. Which of the following IIA Code of Ethics principles was most likely violated?
(A). Integrity
(B). Confidentiality
(C). Objectivity
(D). No violation was committed
Answer: C

NO.154 What is expected of internal auditors in regards to due professional care?
(A). Auditors perform assurance services without regard to cost
(B). Auditors perform assurance services effectively to identify all risks
(C). Auditors perform assurance services needed to achieve the engagement's objectives
(D). Auditors perform assurance services to guarantee all significant risks will be addressed
Answer: C

NO.155 Which of the following would be the most effective in helping to detect fraud?
(A). Code of conduct.
(B). Exit interviews.
(C). Fraud awareness training
(D). Employee promotion policy.
Answer: B

NO.156 Which of the following best describes the Standards requirement for collective proficiency
of the internal audit activity?
(A). The internal audit activity must have auditors on staff who collectively possess all of the
competencies required to fulfill the internal audit plan.
(B). All internal auditors on staff should possess the knowledge, skills, and competencies needed to
perform any assurance engagement on the audit plan.
(C). The internal audit activity must possess or obtain the competencies needed to carry out their
professional responsibilities, including providing relevant advice and recommendations.
(D). Internal auditors collectively are responsible for ensuring that the internal audit activity has the
competencies required to fulfill the internal audit plan.
Answer: C

NO.157 The internal audit activity was asked to conduct an investigation for potential fraud in the
treasury department and subsequently contracted with a forensic accountant to join the team for the
engagement. Which of the following parties has the primary responsibility for resolving any fraud
incidents found as a result of this investigation?
(A). Chief audit executive.
(B). Senior management.
(C). The forensic accountant.
(D). The legal department.
Answer: B

NO.158 According to IIA guidance, which of the following statements is true regarding the internal
audit charter?
(A). The charter should be revised and re-approved whenever a new chief audit executive (CAE) is
appointed or at the request of the board
(B). The charter should be re-approved every five years, in conjunction with the external quality
assessment
(C). The charter can be revised at the discretion of the CAE whenever it is determined that its content
no longer supports the achievement of objectives
(D). The charter should be reviewed and resubmitted for board approval annually together with the
audit plan
Answer: C

NO.159 Which of the following is most likely to impair the internal audit activity's independence?
(A). Undertaking audit work in an area where internal auditors lack the necessary skills.
(B). Establishing an internal audit activity without documented policies and procedures.
(C). Assigning compliance responsibilities to the chief audit executive.
(D). Concluding that an internal control is effective without first obtaining evidence
Answer: C

NO.160 Which of the following is a preventive control the organization could implement to mitigate
fraudulent activity in the accounts payable department?

Answer: B

NO.161 Which of the following would be the most appropriate first step for the board to take when
developing an effective system of governance?
(A). Determine the organization's overall risk appetite.
(B). Establish a governance committee.
(C). Delegate authority to members of senior management.
(D). Identify key stakeholders and their expectations
Answer: B

NO.162 A chief audit executive (CAE) is considering hiring a candidate who most recently worked for
a large public accounting firm. What would be the CAE's most likely concern regarding this
candidate?
(A). Low-level audit expertise
(B). Narrow industry experience
(C). Potential conflict of interest
(D). Weak interpersonal skills
Answer: C

NO.163 While conducting an engagement in the procurement department, the internal auditor
noticed that the department head's travel reports showed minor travel expenses, and there were no
charges for hotels, meals, or transportation. However, the auditor knew that the department head
frequently traveled worldwide to meet with suppliers and visit their production sites. Which of the
following would be the most appropriate next step for the auditor?
(A). The auditor should make a note of the issue for follow-up when employee travel expenses are
audited.
(B). The auditor should analyze trends and changes among the organization's suppliers over the past
few years.
(C). The auditor should investigate whether there are any special arrangements regarding senior
management travel.
(D). The auditor should analyze the list of destinations the department head visited to estimate
typical costs.
Answer: C

NO.164 Guidelines need to be set for various levels of suspected fraud within an organization and
when it would be reported to the audit committee. Which of the following would be reported at the
next meeting?
(A). Minor theft of less than $10,000, not involving senior management.
(B). Theft using collusion for more than $10,000, but not involving senior management.
(C). Denial of access to requested employees during an audit.
(D). Discussion of replacement of the chief audit executive.
Answer: B

NO.165 In order for an internal auditor to assess the opportunity for fraud to occur in an
organization, which of the following does the auditor first need to understand?
(A). Fraud prevention.
(B). Fraud detection.
(C). Corporate culture.
(D). Forensic analysis techniques.
Answer: C

NO.166 Which of the following would decrease or be reduced if an organization establishes and
implements excessive internal controls?
(A). Production cycle time.
(B). Activities that add no value.
(C). Staff productivity.
(D). Complexity of operations.
Answer: C

NO.167 Which of the following actions should an organization take to detect an emerging risk of
potential fraud?
(A). Adopt reward and recognition programs that promote good behaviors
(B). Undertake background checks for new employees as part of the hiring process
(C). Establish an anonymous platform for reporting suspected unethical behaviors
(D). Institute periodic educational training on expected ethical behaviors
Answer: C

NO.168 Which of the following describes a primary responsibility for the internal audit activity in
helping management maintain effective controls?
(A). Promoting continuous evaluation
(B). Promoting continuous monitoring
(C). Promoting continuous improvement
(D). Promoting continuous reporting
Answer: A

NO.169 Which of the following best describes the type of risk that an adequately designed and
effectively operating system of internal controls should mitigate?
(A). Net.
(B). Controllable.
(C). Inherent.
(D). Residual.
Answer: C

NO.170 An internal audit team analyzed the organization's value-at-risk model during an assurance
engagement and suggested several useful improvements. Management was impressed by the
internal audit team's work and requested additional actions. Which of the following requested
actions would impact internal audit independence most severely if fulfilled?

Answer: A

NO.171 Which of the following is an example of a risk avoidance strategy?
(A). Hedging against exchange rate variations.
(B). Limiting access to an organization's data center.
(C). Selling a nonstrategic business unit.
(D). Outsourcing a high-risk activity
Answer: C

NO.172 To encourage internal audit objectivity, which of the following is an appropriate policy the
chief audit executive should establish?
(A). Internal auditors should report their audit findings directly to the audit committee.
(B). To receive an outstanding performance rating, internal auditors are required to generate audit
findings.
(C). Prior to hiring a new internal auditor, the chief audit executive must determine whether the
auditor owns stock in the organization.
(D). Internal auditors are permitted to audit an entity managed by a close friend or relative, as long as
they notify the chief audit executive.
Answer: C

NO.173 Which of the following documents would promote objectivity within an organization's
internal audit activity?
(A). Internal audit charter.
(B). Internal audit manual.
(C). Audit committee charter
(D). Human resources employee handbook.
Answer: B

NO.174 Which of the following controls would best mitigate the risk of fraud in the bidding process?
(A). Have a bidding committee open the tender bids.
(B). Restrict the time to submit tender bids.
(C). Keep minutes of pre-bid meetings.
(D). Allow the higher tenders to rebid.
Answer: B

NO.175 After the draft engagement report is issued, the manager of the area that was reviewed is
informally interviewed by the engagement supervisor regarding the audit experience. Which of the
following is most likely the purpose for this interview?
(A). The manager will provide insights into the audited industry's trends
(B). Such an interview is performed when there is a need to dismiss an internal auditor
(C). Feedback from the manager will contribute to the audit team's professional development
(D). The manager's opinion will be used to form the final audit assessment and report rating.
Answer: C

NO.176 A snow removal company is conducting a scenario planning exercise where participating
employees consider the potential impacts of a significant reduction in annual snowfall for the coming
winter. Which of the following best describes this type of risk?
(A). Residual.
(B). Net.
(C). Inherent.
(D). Accepted.
Answer: C

NO.177 Which of the following would be considered a violation of The IIA's mandatory guidance on
independence?
(A). The chief audit executive (CAE) reports functionally to the board and administratively to the chief
financial officer.
(B). The board seeks senior management's recommendation before approving the annual salary
adjustment of the CAE.
(C). The CAE confirms to the board, at least once every five years, the organizational independence of
the internal audit activity.
(D). The CAE updates the internal audit charter and presents it to the board for approval periodically,
not on a specific timeline
Answer: B

NO.178 To assure that the technical proficiency of internal auditors is appropriate for the audit
engagements to be performed, a chief audit executive should:
(A). Consider the scope of work and level of responsibility when establishing criteria for education
and experience in filling internal audit positions.
(B). Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish the
department's audit mission.
(C). Oversee a training program that matches the actual training provided with the interests of
individual auditors.
(D). Require all of the audit staff to pursue a minimum number of continuing professional education
hours each year
Answer: A

NO.179 In an assurance engagement focused on the adequacy of organizationwide risk
management practices, which of the following best describes a primary area of interest for the
engagement?
(A). The effectiveness of process-level and transaction-level controls.
(B). Conflicts of interest within the organizational structure of the senior management.
(C). The alignment of management decisions with the level of risk the organization is willing to
accept.
(D). The actions of upper management in response to the internal audit activity's reporting
Answer: C

NO.180 Which of the following should play a leading role in overseeing the ethical atmosphere of an
organization?

Answer: D

NO.181 According to IIA guidance, which of the following actions by the chief audit executive would
best ensure that internal auditors demonstrate due professional care?
(A). Developing policies and procedures for the internal audit activity.
(B). Ensuring the internal audit activity is not found fallible during audit engagements.
(C). Undertaking all engagements that management requests of the internal audit activity.
(D). Ensuring the internal audit activity reports functionally to the board of directors.
Answer: B

NO.182 According to IIA guidance, which of the following is an appropriate role for the internal
audit activity?
(A). Coaching management in responding to risks.
(B). Implementing risk responses on management's behalf.
(C). Imposing risk management processes.
(D). Setting the risk appetite.
Answer: A

NO.183 The chief audit executive (CAE) of a new internal audit activity is creating an internal audit
charter. According to IIA guidance, which of the following terms is most likely to be included in the
charter?
(A). Senior management will be present whenever the CAE interacts with the board, to ensure
effective communication among all three parties.
(B). Internal auditors will advise on the design of control policies and procedures in any area where
the organization does not possess the requisite expertise.
(C). Internal auditors will demonstrate competence, concern, and the dedication expected of a
professional.
(D). Internal auditors will receive performance-based compensation, including bonuses for reporting
more than a stipulated number of observations.
Answer: C

NO.184 According to IIA guidance, which of the following most appropriately justifies the CEO's
decision that the internal audit activity shall be responsible for risk management and investigation at
a multinational organization?
(A). The recommendation of the parent office external auditors.
(B). The provisions of the internal audit charter
(C). The authority of the CEO.
(D). The level of proficiency of the chief audit executive
Answer: B

NO.185 Which data analytics competency is critical for new internal auditors to possess in order to
plan and perform internal audit engagements in conformance with the Standards?
(A). Describe data analytics and the application of data analytics methods in internal auditing.
(B). Apply data analytics methods in internal auditing.
(C). Evaluate the use of data analytics in an internal audit.
(D). Understand the definition of data analytics only.
Answer: C

NO.186 Which of the following is the best reason why the engagement supervisor should take care
in explaining to local management the criteria that will be used to measure the effectiveness of the
control environment?
(A). The assessment will cover soft controls and company values.
(B). The assessment will focus on the policy for a particular process.
(C). The assessment will lack a defined scope
(D). The assessment will probably uncover fraud risks.
Answer: A

NO.187 Which type of engagement requires that the client agrees with the techniques used by the
internal audit activity?
(A). A performance audit.
(B). A sensitive fraud investigation.
(C). A compliance audit
(D). A consulting service.
Answer: D

NO.188 Which of the following best demonstrates conformance with the Standards relating to
continuing professional development of internal auditors?
(A). Regulatory approval from an accrediting agency.
(B). Self-assessments against a competency framework.
(C). Approval and signoff from the board of directors.
(D). A review by external auditors on an annual basis
Answer: C

NO.189 An internal audit activity maintains a quality assurance and improvement program that
includes annual self-assessments. The internal audit activity includes in each engagement report a
clause that the engagement is conducted in conformance with the International Standards for the
Professional Practice of Internal Auditing (Standards). Which of the following justifies inclusion of this
clause in the reports?
(A). Internal audit activity policies and engagement records provide relevant, sufficient, and
competent evidence that the statement is correct.
(B). The audit committee has reviewed the annual self-assessment results and approved the use of
the clause.
(C). The self-assessment results were validated by a qualified external review team three years prior.
(D). The internal audit charter, approved by the audit committee, requires conformance with the
Standards
Answer: C

NO.190 Which of the following is a legitimate requirement for an internal audit activity's quality
assurance and improvement program (QAIP)?

Answer: C

NO.191 Which of the following would best assist the internal audit activity in assessing whether an
organization's responses to risk are aligned with its risk appetite?
(A). Analyzing the results of successful testing of controls and monitoring procedures implemented by
management
(B). Determining that there are no gaps between the internal auditors' risk assessment and the risk
assessment performed by the organization
(C). Obtaining evidence that employees throughout the organization are aware of the organization's
risk appetite
(D). Verifying that previously identified organizational risks were documented in board meeting
minutes
Answer: A

NO.192 Which of the following offers the best evidence that the internal audit activity has achieved
organizational independence?
(A). An independent third party has assessed the organization's system of internal controls to be
adequate and effective.
(B). The chief audit executive reports both functionally and administratively to the CEO.
(C). The internal audit charter is drafted properly and approved by the appropriate parties.
(D). The mission statement and strategy of the internal audit activity demonstrates alignment to
organizational objectives.
Answer: C

NO.193 Which of the following best describes the approach the internal audit activity should take to
assess and make appropriate recommendations to improve the organization?
(A). To evaluate an organization's governance processes for making strategic and operational
decisions, internal auditors should review the organization's policies and processes related to staff
compensation
(B). To determine how an organization provides oversight of its risk management and control activities,
internal auditors should review board meeting minutes and the board policy manual
(C). To assess how an organization promotes ethics and values both internally and among its external
business partners, internal auditors should review the organization's related objectives, programs,
and activities
(D). To evaluate how an organization ensures effective performance management and accountability,
internal auditors should review previously conducted risk assessments
Answer: B

NO.194 To comply with the proficiency standard, which of the following would the chief audit
executive likely consider as the primary hiring criterion when choosing a new internal auditor?
(A). The length and consistency of the auditor's work experience
(B). The auditor's demonstrated problem-solving skills
(C). The auditor's skills compared to those already possessed by other audit staff
(D). The auditor's ability to be self-motivated and a good team player
Answer: C

NO.195 Which of the following indicates an appropriate disclosure of a potential nonconformance
with the Standards?
(A). An external assessment of the internal audit activity was last performed six years ago.
(B). The internal audit activity has been in existence for four years but has not performed an external
assessment.
(C). An internal assessment is not performed every year.
(D). The internal audit activity has been in existence for two years and has documented only an
internal assessment.
Answer: A

NO.196 A newly appointed chief audit executive (CAE) is tasked with creating a new internal audit
activity within the organization. Which of the following would the CAE need to include in the new
internal audit charter?
(A). The requirement to provide an annual cost analysis that justifies having an internal audit activity
(B). The specific engagements that the internal audit activity will perform for the organization
(C). The board's oversight role and responsibilities pertaining to the internal audit activity
(D). The relevant regulations that will guide the internal audit activity's regulatory compliance
assessments
Answer: D

NO.197 Which of the following situations best describes an internal auditor who may have violated
the IIA Code of Ethics principle of confidentiality?
(A). The auditor intentionally omitted from his resume that he was fired from his previous job for
fraud allegations.
(B). The auditor decided not to notify her supervisor that her brother-in-law was responsible for the
project the auditor was expected to evaluate.
(C). The auditor asked the audit client to copy requested files to her personal unencrypted memory
stick because it was faster and more convenient.
(D). The auditor was assigned to analyze the organization's incentive program and spent long hours
reviewing other employees' bonuses.
Answer: D

NO.198 IT management requires all employees in the IT department to attend annual training on
the department's mission, values, and key performance measures. This activity is designed to prevent
which of the following conditions?
(A). Knowledge/skills gap
(B). Monitoring gap
(C). Accountability/reward failure
(D). Communication failure
Answer: A

NO.199 Which of the following actions should the internal audit activity take during an audit
engagement when examining the effectiveness of risk management processes?
(A). Evaluate how the organization manages fraud risk.
(B). Establish procedures for improving risk management processes.
(C). Ensure risk responses are aligned with industry standards.
(D). Verify that organizational objectives are aligned with each department's objectives.
Answer: A

NO.200 Which of the following is a detective control strategy against fraud?

Answer: D

NO.201 An accounts payable clerk has recently transferred into the internal audit activity and has
been assigned to an engagement related to accounts payable processes for which he was previously
responsible. Which of the following is the best action for the new internal auditor to take?
(A). If it is an assurance engagement, accept the assignment because direct knowledge of the existing
accounts payable processes will provide depth and add more value
(B). If it is a consulting engagement, decline the assignment and ask to be reassigned, because in a
consulting engagement the auditor must not assess operations for areas in which they were
previously responsible
(C). If it is a consulting engagement, accept the assignment because direct knowledge of the existing
accounts payable processes will provide depth and add more value
(D). If it is an assurance engagement, accept the assignment because the chief audit executive had
knowledge of the internal auditor's previous role when this engagement was assigned
Answer: C

NO.202 Due to unfavorable economic conditions, management decided to postpone new
investments for the next year. Which of the following best describes the risk management strategy
used to address this situation?
(A). Risk mitigation
(B). Risk avoidance
(C). Risk reduction
(D). Risk transfer
Answer: B

NO.203 Which of the following should be part of the internal audit activity's duties?
(A). Actively reporting to the governing body.
(B). Providing risk management frameworks.
(C). Assisting management in developing processes and controls to manage risks and issues.
(D). Identifying and mitigating significant risks to the organization.
Answer: C

NO.204 An internal auditor is assessing the effectiveness of the organization's risk management
practices. She checks to see whether risk management is an integral part of decision making and
whether risk management is transparent, responsive to change, and addresses uncertainty. According
to IIA guidance on risk management frameworks, which of the following approaches is the auditor
most likely using?
(A). Maturity model approach
(B). Process element approach
(C). Key principles approach
(D). Key performance indicators approach.
Answer: A

NO.205 According to the Standards, which of the following is a requirement for internal audit
professional development plans?
(A). Plans must include a path to certification so that each internal auditor has a certification in
auditing finances.
(B). Plans must ensure that staff development activities are based primarily on the skills and
competencies needed to complete the audit plan.
(C). Plans must include rotating audit areas so that auditors acquire business knowledge to be
efficient in performing engagements.
(D). Plans must include rotating auditors out into business units for temporary assignments so they
can obtain more business knowledge.
Answer: D

NO.206 An IT contractor applied for an internal audit position at a bank. The contractor worked for
the bank's IT security manager two years ago. If the audit manager interviewed the contractor and
wants to extend a job offer, which of the following actions should the chief audit executive pursue?
(A). Allow the audit manager to hire the contractor and state that the individual is free to perform IT
audits, including security.
(B). Not allow the audit manager to hire the contractor, as it would be a conflict of interest
(C). Allow the audit manager to hire the contractor, but state that the individual is not allowed to
work on IT security audits for one year.
(D). Not allow the audit manager to hire the contractor and ask the individual to apply again in one
year.
Answer: A

NO.207 An engagement supervisor noticed that a newly hired internal auditor struggles with large
data samples because he appears reluctant to apply available spreadsheet statistical functions and
tends to perform testing of transactions manually. In which of the following areas does the internal
auditor most likely need training?
(A). Critical thinking.
(B). International Professional Practices Framework
(C). Professional ethics
(D). Business acumen
Answer: A

NO.208 With regard to IT governance, which of the following is the most effective and appropriate
role for the internal audit activity?
(A). Independently evaluate the skills and experience of potential chief information officer candidates
to assess the best fit based on the organization's risk appetite.
(B). Evaluate the organization's governance standards and assess IT-related activities to identify gaps
and develop policies, ensuring alignment with the organization's risk appetite.
(C). Assist management in interpreting complex IT-related privacy and security risk exposures and
evaluating potential mitigation strategies.
(D). Assess whether governance activities are aligned with the organization's risk appetite and take
into consideration emerging risks
Answer: D

NO.209 An organization employs ongoing monitoring and is considering implementing periodic
evaluations to assess the continuing effectiveness of its risk management process. Which of the
following statements is true with regard to such periodic evaluations?
(A). Periodic evaluations are considered to be less objective than ongoing monitoring.
(B). Periodic evaluations can be more effective than ongoing monitoring.
(C). Periodic evaluation frequency may depend on the results of ongoing monitoring.
(D). Periodic evaluations frequently identify problems more quickly than ongoing monitoring.
Answer: C

NO.210 A large commercial bank was fined by regulators for fraudulent practices when employees,
over a period of time, opened thousands of new accounts for existing clients without the clients'
consent. It was later found that employees were given unrealistic new account targets and were
aggressively monitored by management on a daily basis.
Which of the following controls would have most likely reduced the likelihood of the fraudulent
practice from occurring?

Answer: A

NO.211 The chief audit executive (CAE) is drafting the annual internal audit plan and seeks input
from senior management and the external auditor prior to submitting it for approval to the board.
According to IIA guidance, which of the following statements is true regarding this scenario?
(A). The CAE's actions are likely to impair the independence of the internal audit activity.
(B). The CAE acted appropriately, and the independence of the internal audit activity was not
impaired.
(C). The CAE should have developed the audit plan without outside influence to maintain objectivity.
(D). The CAE acted appropriately, as he has authority to determine who reviews and approves the
audit plan.
Answer: B

NO.212 Which of the following is the best example of a risk appetite statement concerning an
investment portfolio?
(A). We will request CEO approval for investments greater than $20 million and board approval for
investments greater than $50 million.
(B). We will hedge 95 percent of our U.S. currency exposure and 100 percent of our European
currency exposure.
(C). We have a moderate tolerance for investment earnings volatility with a target value at risk of $50
million.
(D). We will report to the risk committee all credit losses greater than $10 million and all market
value losses greater than $20 million.
Answer: C

NO.213 An organization's board recommends revising the internal audit charter by adding
requirements regarding the hiring and compensation of the chief audit executive as well as
information on approving the internal audit budget. Which of the following is the board most likely
defining in the charter?
(A). Functional and administrative responsibilities of internal audit activity.
(B). Authority and objectivity of internal audit activity.
(C). Independence and objectivity of internal audit activity.
(D). Assurance and improvement of internal audit activity.
Answer: C

NO.214 Upon joining the internal audit activity, each new auditor receives a copy of the audit
handbook. Which of the following handbook policies has the greatest risk of compromising audit
objectivity?
(A). Internal auditors should obtain 80 hours of continuing professional education every two years, 20
of which should be audit-related, and the remainder may be operations-related.
(B). Internal auditors should rotate to other areas of the organization for nonaudit assignments to
gain an understanding of the organization's operations.
(C). Internal auditors should have direct and unrestricted access to personnel and information
throughout the organization and the governing board.
(D). Internal auditors should undergo annual performance appraisals conducted by the chief audit
executive, who reports administratively to the chief financial officer.
Answer: B

NO.215 The internal audit activity audited an organization's risk management function multiple
times, and the recommendations that were made remain unaddressed by the head of risk
management. Which of the following would be the next step for the internal audit activity?
(A). The internal audit activity should add value by implementing the recommendations on
management's behalf.
(B). The chief audit executive (CAE) must discuss this matter with senior management and the board
(C). The CAE should determine which recommendations to implement based on the severity of the
associated risks.
(D). The internal audit activity, led by the CAE, should assume responsibility for risk management
function.
Answer: C

NO.216 An internal auditor believes that a weakness exists in the control environment relating to
the delegation of authority and responsibility within the management structure. Which of the
following actions should the internal auditor first consider in this matter?
(A). Recommend a control change and obtain management support
(B). Evaluate the potential impact on related controls
(C). Address the risk with senior management and the board
(D). Develop and communicate the scope and evaluation criteria to be used by management
Answer: B

NO.217 During an assurance engagement the internal audit team discovers that employees
performing a control do not understand the principles behind it. Before the engagement concludes,
at management's request the audit team facilitates several formal training sessions to help explain
those principles to the employees. Which of the following best describes the engagement provided
by the internal audit activity in this scenario?
(A). Assurance services
(B). Blended services
(C). Consulting services
(D). Prohibited services
Answer: C

NO.218 Which of the following best demonstrates the application of due professional care?
(A). An engagement supervisor requests that the employment of a process owner be terminated due
to a significant control failure.
(B). An audit lead establishes internal audit manuals to guide the internal audit activity on how to
undertake audit engagements.
(C). An audit manager provides a guarantee to senior management that internal controls relating to
an audited process operate effectively.
(D). An organization's internal audit activity operates under a direct reporting structure to the audit
committee of the board
Answer: B

NO.219 According to IIA guidance, which of the following would be included in an internal audit
charter to help establish the authority of the internal audit activity?
(A). Outline expectations for communicating the results of all aspects of the internal audit activity.
(B). Declare the internal audit activity's accountability for safeguarding assets and confidentiality.
(C). Document the chief audit executive's (CAE's) reporting line
(D). Document agreement between the CAE and the individual to whom the CAE reports
Answer: C

NO.220 An internal audit team was assigned to review the organization's information security
protocol. After fieldwork was completed, an internal auditor identified an error in the review of
security access. The error could affect the overall results of the engagement. Which of the following is
the most appropriate course of action for the internal auditor?

Answer: D

NO.221 According to IIA guidance, which of the following statements is true regarding an effective
governance process?
(A). It stipulates that risk needs to be considered when making strategic decisions.
(B). It encourages strict segregation of the risk management and internal control processes.
(C). It relies on effective risk management when establishing the organization's risk appetite.
(D). It relies on the board to devise ways to communicate the effectiveness of internal controls.
Answer: A

NO.222 Which of the following best describes why a chief audit executive might obtain the services
of a fraud specialist to assist in a major fraud investigation?
(A). Fraud specialists are better at using computer-assisted audit techniques
(B). Fraud specialists are better equipped to act as an expert witness in court
(C). Fraud specialists are better able to properly apply due professional care
(D). Fraud specialists are better at using crime scene investigation techniques
Answer: D

NO.223 The board of a newly established organization was discussing the contents of the draft
internal audit charter. One board member suggested adding to the charter an obligation for the
internal audit activity to develop controls in business procedures. The board member explained that
the new organization needs professional-level developers, internal auditors have the necessary skills
and competencies, and the internal audit activity is well positioned to assume this responsibility.
Which of the following would be a potential concern if the board member's suggestion is adopted?
(A). Due professional care.
(B). Internal audit objectivity.
(C). Risk management assurance.
(D). Professional development.
Answer: A

NO.224 A technology company recently hired an entry-level internal auditor. To achieve
conformance with the Standards, which of the following must the newly hired internal auditor
possess?
(A). An understanding of fraud and fraud risk.
(B). IT audit expertise.
(C). Industry-specific knowledge
(D). At least one audit-related certification
Answer: A

NO.225 Which of the following is an example of an entity-level control pertaining to the finance area
of an organization?
(A). Key account reconciliation such as bank reconciliation
(B). Segregation of duties between posting and reviewing journal entries
(C). A signing authority matrix for spending approvals
(D). The establishment of a finance and audit committee
Answer: D

NO.226 According to IIA guidance, which of the following activities would typically be examined
when using the maturity model approach for assessing an organization's risk management program?
(A). Monitor and review
(B). Performance measurement.
(C). Setting the context.
(D). Communication.
Answer: A

NO.227 According to IIA guidance, which of the following best describes the chief audit executive's
responsibility for confirming to the board the organizational independence of the internal audit
activity?
(A). The CAE must do this at least annually
(B). The CAE must do this at least once every five years
(C). The CAE must do this upon completion of each external quality assessment
(D). The CAE should do this periodically in conjunction with a review of the internal audit charter
Answer: A

NO.228 According to IIA guidance, which of the following threats to objectivity is described as
familiarity?
(A). An internal auditor is a close friend or relative of the manager or an employee of the audit client
(B). An internal auditor has a long-term business relationship with the audit client.
(C). An internal auditor has an economic stake in the performance of the organization
(D). An internal auditor is exposed to or perceived to be exposed to pressures from external parties
Answer: A

NO.229 Which of the following is a strategic risk that internal auditors should consider when
performing a third-party risk management engagement?
(A). Physical security
(B). Loss of intellectual property
(C). Cost overruns
(D). Conflict of interest
Answer: D

NO.230 Which of the following actions should the audit committee take to promote organizational
independence for the internal audit activity?

Answer: B

NO.231 Which of the following fundamental principles of The IIA's Code of Ethics is best described
as performing work honestly, diligently, and responsibly?
(A). Integrity
(B). Proficiency
(C). Due Professional Care
(D). Competency
Answer: A

NO.232 Which of the following types of policies best helps promote objectivity in the internal audit
activity's work?
(A). Policies that are distributed to all members of the internal audit activity and require a signed
acknowledgment.
(B). Policies that match internal auditors' performance with feedback from management of the area
under review.
(C). Policies that keep internal auditors in areas where they have vast audit expertise.
(D). Policies that provide examples of inappropriate business relationships.
Answer: D

NO.233 In which scenario might it be considered problematic for the chief audit executive (CAE) to
provide assurance services over the payroll function?
(A). The CAE previously undertook a consulting assignment in that area to improve processes.
(B). A couple of years ago, the CAE performed accounting functions for the payroll department.
(C). Prior to becoming the CAE, the CAE was the payroll manager.
(D). The assurance review was initiated following issues identified during a consulting assignment
requested by management.
Answer: A

NO.234 During the closing meeting of a procurement audit, the business manager disagrees with
the observation presented by the engagement supervisor and accuses the team of not understanding
the procurement objectives. The engagement supervisor blames the manager for impeding the audit.
What skillset should the chief audit executive utilize to manage this situation?
(A). The ability to negotiate
(B). The ability to use analytical tools
(C). The ability to foresee issues
(D). The ability to manage conflict
Answer: D

NO.235 Which of the following disclosures must the chief audit executive (CAE) include when
communicating the results of the quality assurance and improvement program to senior
management and the board?
(A). Authority and responsibility of the internal audit activity
(B). Hours and sources of continuing professional education
(C). Scope and frequency of both the internal and external assessments
(D). Independence and objectivity impairments of the CAE
Answer: C

NO.236 An employee accepts cash payments from customers and does not record the sale. This is
an example of which of the following types of fraud?
(A). Asset misappropriation.
(B). Skimming
(C). Corruption.
(D). Lapping.
Answer: C

NO.237 Which of the following is an example of an impairment to an internal auditor's
independence?
(A). An internal auditor delays reporting material financial statement audit findings until after his
parents sell all of their stock in the company
(B). Following the restructuring of the organization, the internal audit activity now reports
functionally to the chief financial officer
(C). A new member of the internal audit activity, who was the accounts payable supervisor for two
years, is asked to consult on the implementation of a new accounts payable system
(D). Believing there must be errors in a given balance sheet account the internal auditor decides to
expand his testing
Answer: B

NO.238 Which of the following best describes organizational governance processes?
(A). Processes employed by internal and external assurance providers to authorize, direct, and
provide oversight to management to better enable the meeting of organizational objectives
(B). Processes employed by the board of directors to authorize and provide guidance and oversight to
management to promote the achievement of organizational objectives.
(C). Processes employed by the board of directors and senior management to mitigate risks to
acceptable levels.
(D). Processes employed by risk owners to mitigate risks to acceptable levels within the organization's
risk appetite
Answer: B

NO.239 Which of the following is an example of a risk avoidance strategy?
(A). Outsourcing the payroll function
(B). Installing cameras in the mailroom
(C). Exiting a product line
(D). Insuring all fixed assets
Answer: C

NO.240 At a construction company, supervisors are entitled to bonus payments if there are no
safety rule violations on their teams. There are several channels available for workers to report
accidents and violations, and all reported violations are investigated. Bonus payment calculations are
approved by managers and the head of safety. Which of the controls best addresses the risk that
supervisors will conceal accidents on their teams in order to receive the bonus?

Answer: C

NO.241 Which of the following statements is true regarding corporate social responsibility (CSR)?
(A). Many of the areas explored by CSR are normally included in an audit universe or annual audit
plan
(B). Despite significant corporate resources spent on CSR reporting investors generally do not rely on
CSR information
(C). Unlike many other areas of reporting responsibilities impacting stakeholders, CSR is largely
voluntary
(D). Typically operating management does not have a major role to play based on the public nature of
reporting
Answer: A

NO.242 Which of the following drivers of fraud is directly controllable by an organization?
(A). Pressure
(B). Rationalization
(C). Opportunity
(D). Incentive
Answer: C

NO.243 Management of an area under review is aggressive, upset, and questioning the knowledge
and experience of the organization's internal auditors, as the audit results highlight critical findings.
The relationship between the internal audit activity and management has continued to degenerate,
as previous audit reports also showed a large number of issues. What would be the best strategy for
working through the current audit results while also attempting to repair the relationship with
management?
(A). Take an accommodating approach and change the overall rating of the audit report.
(B). Take a compromising approach by modifying the tone of the report, while maintaining the critical
findings.
(C). Take an assertive approach and be persistent in attempting to convince the director.
(D). Take an assisting approach and offer to assist with the implementation of action plans.
Answer: C

NO.244 Who is responsible for ensuring internal auditors' continuing professional development?
(A). Individual internal auditors.
(B). Chief audit executive.
(C). The board.
(D). Engagement supervisors.
Answer: B

NO.245 When issuing his department's performance report, a sales director in an insurance
company knowingly fails to correct the reserves for unearned income that resulted from
cancellations of policy subscriptions. This could be considered which of the following types of fraud?
(A). Asset misappropriation
(B). Skimming
(C). Disbursement fraud
(D). Information misrepresentation
Answer: D

NO.246 Which of the following statements is true regarding corporate social responsibility (CSR)?
(A). Many of the areas explored by CSR are normally included in an audit universe or annual audit
plan.
(B). Despite significant corporate resources spent on CSR reporting, investors generally do not rely on
CSR information.
(C). Unlike many other areas of reporting responsibilities impacting stakeholders, CSR is largely
voluntary.
(D). Typically, operating management does not have a major role to play based on the public nature
of reporting
Answer: A

NO.247 Which of the following would be the most effective fraud prevention control?
(A). Email alert sent to management for checks issued over $100,000.
(B). Installation of a video surveillance system in a warehouse prone to inventory loss.
(C). New hire training to explain fraud and employee misconduct.
(D). Daily report that identifies unsuccessful system log-in attempts
Answer: C

NO.248 An internal auditor is assessing fraud risks and creating a fraud risk matrix for a particular
branch location. Which of the following is most likely to be included in the matrix?
(A). Risks and relevant mitigating controls.
(B). Business processes and relevant fraud risks.
(C). Fraud scenarios and relevant risks.
(D). Opportunity, rationalization, and pressure to commit fraud.
Answer: A

NO.249 During engagement planning, an internal auditor determines that the cost of a certain test
outweighs the benefit that can be expected from the results. He determines that this test can be
removed from the audit work program. Which of the following did the internal auditor best
demonstrate?
(A). Due professional care
(B). Individual objectivity
(C). Proficiency
(D). Internal assessment
Answer: A

NO.250 In which of the following situations would the organizational independence of an internal
audit activity be impaired?

Answer: B

NO.251 What is the primary reason a chief audit executive should dedicate time and resources to
support continuing professional development of internal audit staff?
(A). To ensure that internal audit staff maintains high overall job satisfaction.
(B). To ensure that internal audit staff acquire continuing professional education credits in a timely manner.
(C). To ensure that top risks are mitigated to an acceptable level.
(D). To ensure that internal audit staff have the competency to address high-priority risks.
Answer: A

NO.252 Senior management purchased surveillance cameras and installed them over a door that
provides entry to an area where, according to a recent internal audit report, hazardous materials exist
and there is a high risk of explosion. Which type of control was implemented in this situation?
(A). A corrective control
(B). A detective control
(C). A preventive control
(D). A directive control
Answer: B

NO.253 Which of the following organizations has reached the most mature level of corporate social
responsibility?
(A). An organization that is able to provide goods and services society needs and thus maximizes
profit to its owners.
(B). An organization that ensures compliance to legal frameworks of the countries in which it
operates and sells its products.
(C). An organization that is willing to make contributions not mandated by law or economics and
expects no payback.
(D). An organization that requires its decision makers to act with equity, fairness, and respect for the
rights of individuals.
Answer: D

NO.254 During a quality assessment of the internal audit activity, an auditor is assessing whether the
independence of the internal audit activity is at risk of being compromised. According to IIA guidance,
which of the following would provide the best source of evidence for such an assessment?
(A). An organizational chart showing the reporting line of the chief audit executive to the CEO
(B). The internal audit charter as endorsed by the organization's governing body
(C). A review of the audit opinions issued from a sample of recent audit engagements
(D). An assessment of the scope of the audit work performed by the internal audit activity
Answer: B

NO.255 According to IIA guidance, which of the following is the most accurate statement regarding
the internal audit charter?
(A). The IIA's Code of Ethics must exist outside of the charter to maintain independence.
(B). The charter must be approved by both senior management and the board.
(C). The nature of consulting services does not need to be defined in the internal audit charter.
(D). The charter provides a framework for performing a broad range of value-added audit services.
Answer: B

NO.256 When would on-the-job training be more effective?


(A). When participants already have a certain degree of experience and knowledge.
(B). When it makes up the largest part of the training budget.
(C). When it includes ongoing feedback and coaching from experienced team members.
(D). When it is standardized for the entire staff.
Answer: C

NO.257 If the skills and competencies are not present within the internal audit activity to complete
an ad-hoc assurance engagement, which of the following is an acceptable resolution?
(A). Politely decline the engagement due to a lack of qualified staff available at the time.
(B). Complete the engagement as requested, with the best of the current staff's abilities.
(C). Consider using employees from other departments in the organization on the audit team.
(D). Change the scope of the testing to ensure that only available staff proficiencies are used
Answer: C

NO.258 Which of the following is a key determinant used by external auditors to decide whether
they can rely on work performed by the internal audit activity?
(A). The auditors' independence.
(B). The auditors' objectivity.
(C). The auditors' integrity.
(D). The auditors' confidentiality.
Answer: B

NO.259 Which of the following would be a red flag for potential issues in the control environment?
(A). Segregation of duties during preparation of the financial statements
(B). Compensation structures that are based on commissions
(C). A low rate of turnover in key financial positions
(D). The presence of a whistleblower policy and fraud hotline
Answer: B

NO.260 The internal audit activity completed its analysis of sample transactions to determine
occurrences of double billings. According to IIA guidance, which of the following best demonstrates
that internal auditors exercised due professional care during the review?

Answer: B

NO.261 Which of the following scenarios best demonstrates the application of internal audit
proficiency?
(A). Management requests that the internal audit activity review and provide feedback on its
strategic plans for a merger, but the chief audit executive (CAE) declines the engagement due to the
team's lack of experience with mergers.
(B). A CAE reassigns auditors from other audits to perform testing on all of the fixed asset additions
for a period, including amounts below the materiality level stated by external auditors.
(C). Due to the routine and recurring nature of bank branch audits, an audit manager often excludes
detailed planning at the beginning of the audit and immediately performs fieldwork.
(D). During fieldwork, an auditor observed a lack of segregation of duties over cash management. The
auditor reported this observation to his supervisor, who decided that the area should be examined in
a subsequent audit.
Answer: A

NO.262 According to IIA guidance, which of the following is the strongest indicator of deficiencies in
the risk management process?
(A). The periodic evaluation of risk ratings is primarily dependent on subjective assessments.
(B). Separate evaluations of the risk management process were conducted, but the results were
never integrated.
(C). Management's primary objective is minimizing changes to the structure and operation of the risk
management process.
(D). Many aspects of the related enterprise risk management program are informal and
undocumented.
Answer: B

NO.263 During a review of the procurement function, an internal auditor identified an existing
control for adding new vendors into the vendor contract system. Which of the following would best
help the auditor determine the adequacy of the control's design?
(A). Flowchart of the vendor addition process.
(B). Independent confirmations sent to vendors.
(C). Analysis of the control's costs and benefits.
(D). Interview with management of the procurement function.
Answer: A

NO.264 The collaborating style for conflict resolution, where the parties promote assertiveness and
work together to develop a mutually beneficial solution, is best used in which of the following
situations?
(A). Parties are confident of the solution and are ready to defend it.
(B). There is a high level of trust among the parties.
(C). Resolution is time sensitive and a quick decision is necessary.
(D). The issue is more important to one party than the others.
Answer: B

NO.265 An internal auditor notes that inventory counts are conducted on Mondays only and that all
documentation is on paper as there are no computers in the underground warehouses. Also, she
notices that the person responsible for receiving the goods is the same one who distributes materials
and spare parts. Finally, she sees that spare parts are written off and taken by the heads of mining
units to different underground locations to wait for their turn to be installed. Which of the described
findings requires more consideration from a fraud risk perspective?
(A). The job responsibilities of the warehouse employee compromise segregation of duties
(B). Spare parts are written off before their actual usage and installation
(C). Warehouse management is conducted on paper and requires further investigation
(D). The inventory counts take place on specific days of the week for no apparent reason
Answer: B

NO.266 Which of the following demonstrates that the internal audit activity exercises due
professional care?
(A). Supervisors provide feedback to internal auditors after workpapers are reviewed
(B). A self-assessment is conducted through the quality assurance and improvement program every
five years
(C). Internal auditors are required to give absolute assurance of regulatory compliance
(D). The chief audit executive reports functionally to the board
Answer: A

NO.267 According to The IIA's Code of Ethics, which of the following best describes the principle of
integrity?
(A). Auditors shall observe the law and make disclosures expected by the law and the profession
(B). Auditors shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review
(C). Auditors shall engage only in those services for which they have the necessary knowledge, skills,
and experience
(D). Auditors shall be prudent in the use and protection of information acquired in the course of their
duties
Answer: A

NO.268 A new company's risk management function is developing its cybersecurity risk
management program. Which of the following actions should be the first priority when developing
the program?
(A). Start building a cybersecurity culture and set the desired behavior using a bottom-up approach
(B). Determine the cybersecurity framework that will establish and report on the effectiveness of the
program
(C). Define the cybersecurity risk appetite and perform a cost-benefit analysis of the program
(D). Raise cybersecurity awareness across various departments outside of the IT department
Answer: C

NO.269 A new internal auditor suspects fraud is taking place. Which action should the new auditor
take?
(A). Collect relevant audit evidence and begin working with management of the area to investigate
the fraud.
(B). Inform the chief audit executive and meet with the suspect to determine whether the person
committed fraud.
(C). Document supporting information and recommend an investigation to the appropriate audit
management.
(D). Evaluate existing controls and implement new procedures to mitigate the opportunity for fraud.
Answer: C

NO.270 With regard to organizational governance assurance, which of the following is an
appropriate role for the internal audit activity?

Answer: A

NO.271 Which of the following is a legitimate role for the internal audit activity in the organization's
risk management process?
(A). Championing the establishment of a risk management framework
(B). Creating and implementing new risk management processes
(C). Maintaining sole responsibility for risk management within the organization
(D). Setting the risk appetite of the organization
Answer: A

NO.272 Which of the following scenarios best illustrates the concept of due professional care?
(A). After establishing engagement objectives and reviewing a process, the internal auditor assured
process owners that all significant risk events were identified and tested using a systematic,
disciplined approach.
(B). After conducting an audit based upon a predefined scope and objective, the internal auditor
guaranteed management that the system of internal controls in an audited area operates effectively.
(C). As head of the internal audit activity, the chief audit executive reported functionally to the
organization's board and administratively to senior management.
(D). As head of the internal audit activity, the chief audit executive ensures that engagement
supervisors conduct post-engagement staff meetings.
Answer: A

NO.273 Which of the following would the chief audit executive be required to disclose in the
communication of quality assessment results to senior management and the board?
(A). The cost and frequency of both internal and external assessments.
(B). Any assumptions made by the assessment team
(C). A potential conflict of interest of the assessment team.
(D). The assessment team's execution plan of relevant procedures.
Answer: C

NO.274 Which of the following would best serve to deter unethical behavior and encourage internal
auditors to be objective in their work?
(A). A requirement that internal auditors undergo objectivity training periodically
(B). Periodic communications reminding internal auditors of Standards requirements
(C). A review of the final audit report by the audit committee
(D). Ongoing monitoring and periodic internal quality assessments
Answer: B

NO.275 Which of the following is true for consulting engagements?


(A). The internal audit activity must ensure management actions have been effectively implemented
or risk accepted
(B). A work program for the engagement is not required but may be developed
(C). The nature of consulting services does not have to be in the internal audit charter
(D). Risks identified from the engagement must be considered when evaluating the organization's risk
management processes
Answer: B

NO.276 Which of the following activities is most likely to require a fraud specialist to supplement
the knowledge and skills of the internal audit activity?
(A). Planning an engagement of the area in which fraud is suspected.
(B). Employing audit tests to detect fraud.
(C). Interrogating a suspected fraudster
(D). Completing a process review to improve controls to prevent fraud
Answer: B

NO.277 An internal auditor is assessing how the organization processes financial transactions and
whether written policies and procedures are followed. The auditor requested to meet with certain
employees to understand their related roles and responsibilities. However, the employees refuse to
meet with the auditor, claiming they are too busy. Which of the following responses would best
demonstrate the auditor's conflict-resolution skills?
(A). The auditor considers the employees to be unresponsive and proceeds to document the actions
and concerns as a scope limitation that can affect the engagement
(B). The auditor considers other options to determine whether the employees are processing
financial transactions as required by the organization
(C). The auditor meets with senior management of the organization to discuss the employees'
behavior and possible resolutions that would satisfy all parties
(D). The auditor meets with the department supervisor and staff to discuss the employees' actions in
order to obtain an understanding and potential resolution
Answer: A

NO.278 Which of the following is true regarding the use of a formal risk management framework?
1. It facilitates a methodical approach to risk mitigation.
2. It defines and standardizes the terminology used in risk communication.
3. It establishes the risk tolerance levels to be accommodated in the strategy.
4. It facilitates the alignment of risk mitigation strategies with management priorities.
(A). 1, 2, and 3.
(B). 1, 2, and 4.
(C). 1, 3, and 4.
(D). 2, 3, and 4.
Answer: B

NO.279 Management assessed the organization's risk of expanding operations into a new, but
volatile, region and began looking for a compatible local partner to manage sales and distribution.
Which of the following best describes this risk management technique?
(A). Avoidance.
(B). Acceptance.
(C). Reduction.
(D). Sharing
Answer: C

NO.280 According to IIA guidance, which of the following actions by the chief audit executive (CAE)
best demonstrates the organizational independence of the internal audit activity?

Answer: D

NO.281 Which of the following factors are commonly assessed to determine the magnitude of risk
events?
(A). Tolerance and appetite
(B). Inherent and residual risk
(C). Cost and benefit
(D). Impact and likelihood
Answer: D

NO.282 According to IIA guidance, which of the following is true regarding typical fraud schemes?
1. A diversion occurs when an employee has an undisclosed personal economic interest in a
transaction that adversely affects the organization.
2. Tax evasion is intentional reporting of false or misleading information on a tax return by an
organization to reduce taxes owed.
3. Skimming involves stealing cash or assets from the organization and is normally concealed by
adjusting the organization's records.
4. Disbursement fraud occurs when a person causes the organization to issue a payment for fictitious
goods or services.
(A). 1 and 3.
(B). 1 and 4.
(C). 2 and 3.
(D). 2 and 4.
Answer: D

NO.283 The board of directors of a global organization has found an increased number of reported
cases of unethical practices since last year. To assist the board in gaining a better understanding of
the degree of ethics awareness within the organization, which of the following actions should be
undertaken?
(A). Request the internal audit activity to perform an ethics-related assurance engagement.
(B). Offer in-house ethics-related training seminars for employees to attend.
(C). Reaffirm the importance of the organization's code of ethics to all employees.
(D). Conduct an organizationwide employee survey on ethical practices
Answer: D

NO.284 Which of the following would most likely be classified as a consulting engagement?
(A). Reviewing the application controls in the human resources system
(B). Examining the internal control effectiveness of the marketing department
(C). Assessing the adequacy of the IT system's business process design
(D). Facilitating a self-assessment of the organization's business risk and control identification
Answer: D

NO.285 The chief audit executive (CAE) of a large organization has been asked by the board to
assume responsibility for risk management and compliance operations, both of which are distinct
departments within the organization and are subject to periodic audits by the internal audit activity.
In regard to future audits of these functions, which of the following approaches would be most
appropriate?
(A). Audits of risk management and compliance functions should be overseen by a competent
external assurance provider
(B). Audits of risk management and compliance functions should be overseen by a senior audit
manager within the internal audit activity other than the CAE
(C). Audits of risk management and compliance functions should be conducted by internal auditors
under the supervision of management from both functions
(D). Audits of risk management and compliance functions should be carried out by a team of the
most experienced auditors overseen by the CAE
Answer: A

NO.286 Following a quality assurance review of a small internal audit activity, the external reviewer
and the chief audit executive (CAE) cannot agree on the importance of several deficiencies noted
during the review. Which of the following would be the most appropriate next step for the reviewer
to take?
(A). Remove the areas of disagreement from the scope of the engagement and seek informal
compromises with the CAE.
(B). Issue the report to senior management, noting the deficiencies for immediate resolution.
(C). Issue the report, noting the deficiencies with comments that address the areas of disagreement.
(D). Request arbitration from the audit committee to resolve discrepancies prior to issuing the final
report
Answer: D

NO.287 According to IIA guidance, which of the following best describes expense reimbursement
fraud?
(A). Theft of cash after it is recorded in the books
(B). Theft of cash before it is recorded in the books
(C). Theft of assets through fictitious or inflated invoices
(D). Theft of assets through false mileage travel logs and meal charges
Answer: D

NO.288 Which of the following resources would be most effective for an organization that would
like to improve how it informs stakeholders of its social responsibility performance?
(A). ISO 26000.
(B). Global Reporting Initiative.
(C). Open Compliance and Ethics Group.
(D). COSO's enterprise risk management framework
Answer: B

NO.289 Which of the following statements represents the most appropriate correlation between an
organization's risk maturity and the internal audit activity's consulting role in risk management
processes?
(A). When an organization has a high level of risk maturity, the internal audit activity is less likely to
provide consulting services related to risk management
(B). When an organization has a low level of risk maturity, the internal audit activity is less likely to
provide consulting services related to risk management
(C). When an organization has a high level of risk maturity, the internal audit activity is more likely to
provide consulting services related to risk management
(D). There is typically no correlation between an organization's risk maturity and the extent to which
the internal audit activity's consulting role in risk management processes
Answer: D

NO.290 Which principle of the IIA Code of Ethics focuses on continuing education and professional
development?

Answer: D

NO.291 According to IIA guidance, which of the following should be documented in the internal
audit charter?
(A). The risk assessment process applied by the internal audit activity
(B). The organization's internal control framework used by the internal audit activity
(C). The nature of consulting services provided by the internal audit activity
(D). The performance evaluation process used by the internal audit activity
Answer: C

NO.292 According to IIA guidance, which of the following corporate social responsibility (CSR)
evaluation activities may be performed by the internal audit activity?
1. Consult on CSR program design and implementation.
2. Serve as an advisor on CSR governance and risk management.
3. Review third parties for contractual compliance with CSR terms.
4. Identify and mitigate risks to help meet the CSR program objectives.
(A). 1, 2, and 3.
(B). 1, 2, and 4.
(C). 1, 3, and 4.
(D). 2, 3, and 4.
Answer: A

NO.293 Which of the following statements is true regarding control activities?


(A). Control activities are carried out by first-line and second-line functions to mitigate risks.
(B). Control activities are implemented by internal auditors to mitigate risks to an acceptable level.
(C). Control activities provide the foundation for the organization to establish its risk appetite.
(D). Control activities are a precondition to setting risk tolerance levels.
Answer: A

NO.294 According to IIA guidance, which of the following best describes how often the chief audit
executive should review the quality assurance and improvement program of the internal audit
activity?
(A). Whenever the business objectives of the organization change
(B). Just prior to an external assessment of the internal audit activity
(C). At the completion of each engagement.
(D). Progressively on a day-to-day basis
Answer: C

NO.295 Which of the following statements is true regarding intangible assets?


(A). The amortization period of an intangible asset cannot exceed 20 years.
(B). The cost of intangible assets with indefinite lives should be amortized.
(C). Intangible assets are categorized as having either a limited life or an indefinite life.
(D). Companies should record intangible assets at fair market value
Answer: C

NO.296 Which of the following is an example of the chief audit executive (CAE) demonstrating due
professional care?
(A). The CAE relies on CAEs in other organizations to understand how due professional care should be
executed in her internal audit activity
(B). The CAE meets with the board of directors on a quarterly basis to provide a status update.
(C). The CAE assesses the audit staff's knowledge and skills annually to determine whether additional
resources are needed to fulfill the internal audit plan.
(D). The CAE provides absolute assurance to line management during each eternal audit engagement
Answer: B

NO.297 An organization is testing a new IT system for digital data storage and security. The internal
audit activity has been asked to evaluate the system in a consulting engagement. Although several
internal auditors on staff are qualified to perform basic assessments of IT systems, none are familiar
with the new system. Which of the following is a legitimate response to the prospective client?
1. Decline the engagement.
2. Proceed with the engagement, performing only those parts of the engagement that the internal
auditors are qualified to perform.
3. Accept the engagement and develop the additional competencies in-house prior to the
engagement's starting date.
4. Make arrangements to obtain assistance from a competent IT auditing expert.
(A). 1 and 4 only.
(B). 2 and 3 only.
(C). 1, 2, and 3 only.
(D). 1, 3, and 4 only.
Answer: A

NO.298 In an environment where employees are frequently penalized for mistakes and the
organizational culture is one of fear and blame, which of the following is an internal auditor most
likely to find?
(A). Management regularly overrides key controls
(B). Employee turnover is low
(C). Careless behavior becomes normal
(D). Employee morale is low
Answer: D

NO.299 Evidence discovered during the course of an engagement suggests that multiple incidents of
fraud have occurred. There do not appear to be sufficient controls in place to prevent reoccurrence.
Which of the following is the internal auditor's most appropriate next step?
(A). Immediately notify management of the area under review and the other internal auditors
involved in the engagement.
(B). Discuss the situation with the engagement supervisor to determine whether fraud investigation
experts are required to investigate the matter properly.
(C). Fully document in the workpapers the evidence that has been discovered and recommend
appropriate controls to address the fraud.
(D). Provide the evidence that was discovered to local law enforcement for possible prosecution of
the suspected fraud.
Answer: A

NO.300 Which of the following statements is true regarding control activities?

Answer: B

NO.301 A chief audit executive (CAE) has just joined an organization with an existing internal audit
activity. Based on her review of the current organizational structure, the CAE determines that the
internal audit activity lacks adequate independence. Which of the following actions is the CAE's best
step to take next to move the internal audit activity toward organizational independence?
(A). Ensure the limitations are disclosed through communication with the board and senior
management, so that the internal audit activity can continue operating under the same
organizational structure.
(B). Request that the board restructure the reporting line of the internal audit activity to ensure the
CAE has unrestricted access to the board.
(C). Rotate internal audit assignments among members of the internal audit activity to minimize the
effects of the current structure.
(D). Train internal auditors about organizational independence and have them sign an
acknowledgment of understanding.
Answer: B

NO.302 Which of the following best describes the type of organizational culture known as
adaptability culture?
(A). A results-oriented culture that values competitiveness and personal initiative
(B). A culture that emerges in quick-response and high-risk decision-making environments
(C). A culture that is characterized by low involvement with environmental and health issues
(D). A culture that places high value on participation and meeting the needs of employees.
Answer: B

NO.303 Which of the following conditions classifies an engagement as a consulting service provided
by the internal audit activity?
(A). The internal auditor assigned to the engagement previously worked in the area under review and
lacks objectivity.
(B). The internal audit engagement will involve providing an opinion on the effectiveness of controls.
(C). The internal auditor assigned to the engagement was specifically requested by management of
the area under review.
(D). The internal audit engagement involves only two parties: the internal auditor and the engagement
client.
Answer: D

NO.304 According to IIA guidance, which of the following provides the best evidence of
conformance with the Standards with respect to the proficiency required of the internal audit
activity?
(A). Discussions with the chief audit executive.
(B). A listing of employee profiles and certifications.
(C). Inquiry of external auditors.
(D). Validation by human resources.
Answer: B

NO.305 An internal audit team received the following feedback from operational management via a
post-engagement survey: "Management agrees with all audit findings. However, the audit team did
not consider our input on the best way to resolve the issues." This feedback is an indication that the
internal audit activity may need to improve which of the following interpersonal skills?
(A). Leadership
(B). Conflict management
(C). Communication
(D). Influence
Answer: C

NO.306 Which of the following would be the best choice for a continuing professional development
requirement for a newly created internal audit activity?
(A). Require all internal auditors to create a training plan based on a competency self-assessment.
(B). Require internal auditors to complete all of their training through webinars, to increase efficiency
and avoid traveling
(C). Require all internal auditors to become a member of The Institute of Internal Auditors.
(D). Require internal auditors to create a training plan based on their areas of interest
Answer: A

NO.307 The internal audit activity is undergoing a self-assessment as part of its quality assurance
and improvement program. Which of the following observations must be addressed in order for the
internal audit activity to achieve conformance with the Standards?
(A). The internal audit charter does not identify which audit services are outsourced
(B). The internal audit charter has not been reviewed by the legal department
(C). The internal audit charter has not been approved by the board within the past year
(D). The internal audit charter does not describe the authority of the internal audit activity
Answer: D

NO.308 Which of the following is a true statement regarding controls such as ethical values, tone at
the top and operational style?
(A). Transaction testing, mapping and flowcharting is applicable while testing such controls
(B). Breakdowns in these types of controls have historically led to fraudulent financial reporting
(C). Such controls can be defined as inherently objective and tangible elements of control
(D). From an audit perspective it is significantly easier to assess ethical values than segregation of
duties
Answer: B

NO.309 According to The IIA's Code of Ethics, which of the following scenarios offers the best
example of violating the principle of integrity?
(A). An internal audit manager collaborates with senior management to provide misleading
information to government authorities.
(B). An internal audit manager provides sample audit reports and workpapers to a friend without
obtaining prior approval
(C). An internal audit manager carries out a technical audit request without seeking expert opinion,
despite a lack of the requisite skills.
(D). An internal audit manager assigned to audit a sales process failed to reveal that the process
owner is a relative
Answer: B

NO.310 Which of the following strategies for professional development best demonstrates an
internal auditor's competency?

Answer: A

NO.311 Which of the following is an indicator that the organization's risk management process is
effective?
(A). The organization's risk appetite, mission, and objectives are clearly outlined.
(B). The organization's risk management practices are assessed as mature.
(C). The organization has adopted risk management frameworks and global models.
(D). The organization's significant risks are identified and adequately assessed
Answer: B

NO.312 Which of the following scenarios provides the most concerning red flag or indicator of
possible fraud?
(A). An employee receives a bonus for perfect attendance
(B). During the past 18 months, three chief financial officers have left the organization after having
been promoted to the position
(C). The organization does not perform any due diligence research on third-party service providers
(D). Three competitors are highly profitable, but a fourth, equal in size, is approaching bankruptcy
limits
Answer: B

NO.313 Which of the following statements is true regarding occupational fraud?
(A). An employee who diverts the organization's purchases for personal use is demonstrating asset
misappropriation
(B). An employee who intentionally omits negative information in the financial statement disclosures
is demonstrating an example of corruption
(C). An employee who made an error in estimating losses may have committed fraud even if the error
was not intentional
(D). An employee who creates a denial of service in the organization's computer systems is
committing asset misappropriation
Answer: A

NO.314 An internal auditor assessed that the risk of steel theft at a plant is high. In response, the
plant's management introduced a number of controls, including fences around the facility, a metal
detector at the entrance, and monthly steel inventory counts. If the controls operate as intended,
which of the following outcomes would the internal auditor hope to see?
(A). The inherent risk will be mitigated to a level lower than the residual risk.
(B). The inherent risk will be reduced to an acceptable level.
(C). The residual risk will be reduced to an acceptable level.
(D). The residual risk will be eliminated
Answer: C

NO.315 During a review of employee benefits, a staff internal auditor observed an ambiguity in the
incentive compensation policy. If reported, it could negatively impact the internal auditor's
compensation. Which of the following would encourage the internal auditor to be objective in his
work?
(A). Periodic reinforcement of the internal audit activity's code of ethics disclosure practices.
(B). External assessments of the internal audit activity every five years.
(C). Audit committee review of every engagement report at the conclusion of the audit.
(D). Internal audit charter approved by the board.
Answer: D

NO.316 Senior management has decided to adopt the key principles approach of the ISO 31000 risk
management framework. According to IIA guidance, which of the following principles is most
appropriate when implementing the risk management process in a dynamic agency?
(A). Everyone in the agency has a primary responsibility for identifying and managing risks as part of
the risk management process.
(B). The risk management process, while evaluating risk, should develop a mechanism to rank the
relative importance of each risk.
(C). The risk management process should be regularly reviewed and respond to changes in the
environment, to remain relevant.
(D). The risk management process should use a formal technique to consider the consequence and
likelihood of each risk.
Answer: C

NO.317 Which of the following would be the most suitable internal control framework for an
organization to adopt?
(A). A framework that specifies common best practices for an organization to evaluate and
benchmark.
(B). A framework that specifies correct and incorrect business methodologies.
(C). A framework with precise specifications for how controls and processes should be employed.
(D). A framework that offers step-by-step guidance for remedial action for all organization types.
Answer: A

NO.318 Which of the following would an internal auditor expect to find within an organization's
internal control framework?
(A). A compliance risk mitigation strategy to be implemented by the compliance function.
(B). A statement of the organization's values, reflecting its attitude toward risk
(C). Details of how each group from the Three Lines Model fits into the risk management strategy.
(D). The risk appetite related to establishing and approving process
Answer: B

NO.319 Which of the following situations would best indicate to the chief audit executive that one
of the audit team members is struggling with application of due professional care?
(A). The engagement supervisor requests that an auditor carry out improvements to workpapers to
address numerous problems: evidence is missing, references are incorrect, and conclusions are
superfluous
(B). Audit work was completed in accordance with the established goals; however, a material
misstatement was later uncovered in the audited area by another assurance provider.
(C). According to the audit report, several control failures occurred due to irresponsible behavior of
local management, who was consequently deprived of bonuses and wrote negative feedback to the
auditor
(D). The delivery of audit results was several weeks late because the internal auditor had to spend
additional time trying to understand the nature of certain transactions with derivation.
Answer: B

NO.320 Which of the following situations presents the lowest risk of impairing an internal audit
activity's independence?

Answer: C

NO.321 According to IIA guidance, which of the following is true with regard to the internal audit
charter?
1. It specifies the minimum resources needed for assurance engagements.
2. It requires final approval from senior management.
3. It defines the internal audit activity's authority and responsibilities.
4. It describes the expectations for communicating the results of a quality assurance and
improvement program.
(A). 1 and 4 only.
(B). 3 and 4 only.
(C). 1, 2, and 4.
(D). 2, 3, and 4.
Answer: D

NO.322 Which of the following statements is true regarding management's use of judgement to
design, implement, and conduct internal control?
(A). The use of judgment enhances management's ability to make better decisions about internal
control, but cannot guarantee perfect outcomes.
(B). Introducing judgment generally diminishes management's ability to make good decisions about
internal control.
(C). It is inappropriate for management to exercise judgement in areas such as specifying and using
suitable accounting principles.
(D). It is inappropriate for management to exercise judgement in assessing whether components are
present, functioning, and operating together
Answer: A

NO.323 Which of the following is most likely to be considered a control weakness?
(A). Vendor invoice payment requests are accompanied by a purchase order and receiving report.
(B). Purchase orders are typed by the purchasing department using prenumbered forms.
(C). Buyers promptly update the official vendor listing as new supplier sources become known.
(D). Department managers initiate purchase requests that must be approved by the plant
superintendent.
Answer: C

NO.324 According to IIA guidance, which of the following would the internal audit activity examine
in order to evaluate the organization's governance process for strategic and operational decisions?
(A). The risk assessment process including interviews with senior management.
(B). The organization's mission and value statements, code of conduct, and whistleblowing policy
(C). Board meeting minutes, the board policy manual, and past audit reports
(D). Staff compensation objective setting and the performance evaluation policy and process
Answer: B

NO.325 The management team of an agricultural organization has prioritized corporate social
responsibility (CSR) initiatives. Which of the following would be considered a CSR activity?
(A). Offering a one-off donation to an environmental charity for its expansion efforts
(B). Organizing organization volunteers to provide periodic plantation skill sharing to farmers
(C). Providing special year-end monetary bonuses to the organization's employees at all levels
(D). Arranging a free-of-charge picnic for all of the organization's employees and their family
members
Answer: B

NO.326 Which of the following situations is most likely to heighten an internal auditor's professional
skepticism regarding potential fraud?
(A). A procurement manager does not have the expected academic credentials for his position.
(B). A salesperson frequently complains about the organization's policy on sales commissions.
(C). The accounts payable supervisor has requested advances against her monthly salary on several
occasions.
(D). A financial accountant is absent from work frequently due to regular medical procedures.
Answer: B

NO.327 Which of the following is an example of a risk reduction strategy?
(A). Outsourcing the payroll function.
(B). Absorbing the cost of losses.
(C). Insuring fixed assets.
(D). Installing cameras around the plant
Answer: D

NO.328 An electrician visits a client to assess the scope of work. After the visit, the sales office
compiles and sends the client a proposal based on the electrician's estimation and approved price
list. The internal auditor notices that in the last six months, the number of cancelled proposals has
increased substantially. Which of the following is a fraud risk scenario that the auditor should
consider in this situation?
(A). Some electricians may be offering clients opportunities for reduced fees if they pay with cash.
(B). There is a new competitor in the area who offers better prices.
(C). Sales representatives may be manipulating the proposals to include additional costs.
(D). An unauthorized person may be modifying client data and cancelling the proposals.
Answer: A

NO.329 Which of the following processes does the board manage to ensure adequate governance?
(A). Establish and measure performance objectives for the internal audit activity.
(B). Select board members with necessary knowledge and skills.
(C). Develop, approve, and execute the strategic plan of the organization.
(D). Develop strategies to mitigate the risks to achieving the organization's objectives
Answer: B

NO.330 Which of the following best illustrates the application of due professional care during an
audit of the procurement department?

Answer: C

NO.331 Which of the following statements best represents the due professional care that is
required of internal auditors?
(A). Internal auditors should perform assurance procedures to ensure that all significant risks are
identified.
(B). Internal auditors should not perform consulting engagements for operations for which they had
previous responsibilities.
(C). Internal auditors should consider the cost of assurance in relation to the potential benefits.
(D). Internal auditors should devise internal audit programs to confirm that the results are accurate.
Answer: A

NO.332 Which of the following is true about a system of internal control?
(A). Internal control should be updated at least annually.
(B). Technology does not change the internal control landscape.
(C). Strategy should fit the system of internal control.
(D). Articulating measurable objectives is part of internal control.
Answer: C

NO.333 Which of the following statements is most accurate with respect to the required elements
of the quality assurance and improvement program?
(A). Internal assessments provide sufficient objectivity to provide evidence to the board that the
internal audit activity understands the organization's control processes.
(B). Quality assessments focus on the internal audit activity's structure, relationships with
stakeholders, compliance with the Standards, and internal audit staff proficiency.
(C). In order to comply with the Standards, the internal audit activity must obtain an objective
assessment of its processes and function at least once a year.
(D). Internal auditors completing internal assessments must demonstrate certification to perform
quality assessments.
Answer: A

NO.334 An internal auditor discovered that a former colleague from the internal audit activity now
works in a junior position in a department scheduled for an upcoming audit. How can the auditor
best ensure his objectivity for this engagement?
(A). Recommend that the chief audit executive outsource the upcoming audit engagement
(B). Proceed with the audit engagement in accordance with the internal audit manual
(C). Increase the amount of fieldwork in order to build greater credibility for audit conclusions
(D). Declare a conflict of interest and hand over the engagement to another auditor
Answer: B

NO.335 Which of the following statements best describes the difference between risk appetite and
risk tolerance?
(A). Risk appetite applies to specific objectives, while risk tolerance refers to an organization's general
attitude toward risk.
(B). Risk appetite refers to the degree of risk acceptance for a particular objective, while risk
tolerance is one approach to risk management.
(C). Risk appetite refers to an organization's general level of acceptance, while risk tolerance is a
more specific and subordinate concept.
(D). There is no significant difference between the two terms.
Answer: C

NO.336 In which of the following scenarios would the internal auditor's objectivity be best
protected?
(A). A former human resources manager conducts an effectiveness review of the appointment and
termination process six months after transferring to the internal audit activity.
(B). An accounts payable clerk assists the internal auditors during an effectiveness review of the
physical access controls to the server room.
(C). An internal auditor writes the system manual for a newly acquired payroll software application
prior to conducting an effectiveness review of the system.
(D). An internal auditor conducts an effectiveness review of an organization's business continuity plan
in which his son is a minority stockholder.
Answer: D

NO.337 According to IIA guidance, which of the following is the most accurate statement regarding
the internal audit charter?
(A). The IIA's Code of Ethics must exist outside of the charter to maintain independence.
(B). The charter must be approved by both senior management and the board.
(C). The nature of consulting services does not need to be defined in the internal audit charter.
(D). The charter provides a framework for performing a broad range of value-added audit services.
Answer: B

NO.338 Which of the following actions is a chief audit executive most likely to take in order to
identify gaps in the internal audit activity's knowledge, skills, and competencies?
(A). Complete a skills assessment of the internal audit activity based on The IIA Global Internal Audit
Competency Framework.
(B). Develop a competency assessment tool for the internal audit activity based on The IIA Global
Internal Audit Competency Framework.
(C). Incorporate the basic criteria for competency of the internal audit activity into the job
descriptions of potential internal auditors.
(D). Develop an internal audit activity plan for training internal auditors to perform required
assurance and consulting activities.
Answer: B

NO.339 Which of the following best demonstrates the board of directors' governance over internal
control?
(A). The board bears direct responsibility for developing and implementing the internal control
system.
(B). The majority of board members are experienced and qualified members of the organization's
executive management team.
(C). The board may be assisted by an audit committee, chaired by the chief audit executive.
(D). The board is responsible for succession planning for the CEO and other key members of the
executive management team.
Answer: B

NO.340 An internal auditor assigned to a supplier management process engagement reviews the
risk assessment with the process owner. The auditor inquires about the risk response for potentially
engaging unqualified third-party service providers. The process owner responds that due diligence
checks are undertaken to make sure that third parties possess requisite competencies before they
are engaged. Which of the following risk management techniques is the process owner using?

Answer: B

NO.341 Senior management relies on the professional judgment of an internal auditor and uses
outcomes of her audit work to make business decisions. Which of the following personal qualities
displayed by the internal auditor is most likely the foundation for this relationship?
(A). Integrity
(B). Negotiation skills.
(C). Business acumen
(D). Flexibility
Answer: A

NO.342 An accounts payable clerk who has access to the vendor master file replaced the payment
details of a legitimate vendor with those of a friend before processing the payment through the
organization's cashier. Immediately afterward, he restored the original vendor information. Which of
the following controls could have prevented this fraud?
(A). Approval of master file change requests by the accounts payable supervisor
(B). Comparison of the check register to original invoices.
(C). Segregation of duties between accounts payable and the cashier.
(D). Frequent issuance of account statements sent to the vendors.
Answer: A

NO.343 Who is responsible for setting the risk appetite?
(A). External auditors.
(B). Chief risk officer.
(C). Operations management.
(D). Board of directors.
Answer: D

NO.344 Which of the following statements is most likely to be true regarding a consulting
engagement involving an organization's new payroll system?
(A). The internal auditor and engagement client established an understanding that the scope would
include the new payroll system project.
(B). The payroll system engagement was scheduled as a result of internal audit's risk-based annual
planning process.
(C). The internal auditor concluded that the engagement objectives would include assessing the
effectiveness of the payroll process controls.
(D). The internal auditor acknowledged the engagement client's satisfactory performance in the final
engagement results that were communicated to senior management and the board.
Answer: A

NO.345 Management has implemented a segregation-of-duties policy for handling inventory. Which
of the following fraud risks would be more concerning to an internal auditor following the
implementation of this new policy?
(A). The risk of collusion between parties.
(B). The risk of falsified reconciliations.
(C). The risk of low-liquidity inventory.
(D). The risk of damages to the inventory.
Answer: A

NO.346 The board requested the chief audit executive (CAE) to provide consulting services for a new
systems implementation project. Which of the following statements is true regarding this scenario?
(A). The CAE should avoid making decisions on risk responses within risk management processes.
(B). The CAE may only provide consulting and not assurance services in risk management processes
(C). The CAE may manage the project risks on behalf of management in this particular situation
(D). The CAE should avoid giving assurance on risk management processes in this particular situation
Answer: D

NO.347 Which of the following scenarios violates The IIA's standard regarding internal audit
independence?
(A). The chief audit executive (CAE) reports on the internal audit activity's day-to-day tasks and
responsibilities to the CEO.
(B). An assessment of the risk management function is reviewed by an outside consulting firm
because the CAE is temporarily fulfilling the role of risk manager.
(C). The CAE regularly meets with the organization's chief risk officer, who validates all reported audit
findings and dictates which will be included in the package to the audit committee.
(D). The internal audit activity will experience staffing shortages for the next six months due to
planned and unplanned leaves of absence; therefore, the CAE proposed including fewer audits in the
annual audit plan compared to the previous financial year.
Answer: C

NO.348 Which of the following actions by an internal auditor would be the most relevant to
determine the effectiveness of controls?
(A). Participate in a fraud risk-assessment session as an in-house facilitator.
(B). Send regular written updates to senior management on new control-related regulations.
(C). Lead a seminar on internal controls and provide numerous examples to the audience.
(D). Conduct a surprise inventory count at the raw materials warehouse.
Answer: D

NO.349 Which of the following is an indicator that an organization's risk management processes are
effective?
(A). Departmental objectives are managed by department heads and are independent of the
organization's mission.
(B). Organization-wide mechanisms exist to enable the identification and assessment of all significant
risks.
(C). Department heads have the autonomy to determine risk responses that fall outside of the
organization's risk appetite
(D). Relevant risk information is captured and communicated primarily between management and
the board
Answer: B

NO.350 What is an appropriate first step in an internal auditor's fraud risk assessment to evaluate
how the organization manages such risk?

Answer: B

NO.351 Which of the following is the primary engagement responsibility of an entry-level internal
auditor?
(A). Leadership.
(B). Documentation.
(C). Analysis.
(D). Reporting.
Answer: C

NO.352 An organization is considering purchasing a new banking software system and has asked the
internal audit activity to evaluate the system. An internal auditor assigned to perform the
engagement worked at the software company two years ago and is familiar with the system's design
strengths and weaknesses. Which of the following is true regarding impairment to the auditor's
objectivity?
(A). This situation does not necessitate any action related to the auditor's objectivity.
(B). The auditor should decline to perform the audit because personal conflicts of interest are likely.
(C). The auditor must disclose to the chief audit executive that this situation may impair her
objectivity.
(D). The auditor can provide only consulting services, not assurance.
Answer: C

NO.353 Which of the following best demonstrates conformance with the Standards regarding the
internal audit activity's purpose, authority, and responsibility?
(A). Discussion and formal presentation of the internal audit charter to the board of directors
(B). Certification by external auditors on the purpose, authority and responsibility of the internal
audit activity
(C). Approval of senior management that the internal audit activity is functioning as originally
designed
(D). Self-assessment of the internal audit activity completed by the chief audit executive
Answer: A

NO.354 Which of the following statements would typically be included in the responsibility section
of the internal audit charter?
(A). The internal audit activity will have free and unrestricted access to the chief executive officer,
audit committee, and chairman of the board of directors.
(B). The internal audit activity shall develop a flexible audit plan, based on a risk assessment
conducted at least annually and taking into consideration the risks or control concerns identified by
management, and shall submit the plan to the board for approval.
(C). The chief audit executive shall obtain the necessary assistance of personnel in areas where audits
are performed, as well as specialized services within or outside of the organization.
(D). The internal audit activity will not implement controls, develop procedures, install systems,
prepare records, or engage in activities that may impair internal auditors' judgments.
Answer: B

NO.355 The chief audit executive (CAE) has hired a new internal auditor who was immediately
assigned to a procurement function audit. Because the new auditor's name is similar to that of the
procurement manager, some staff members think the two are related, although they are not. Which
of the following actions is most appropriate for the CAE to take?
(A). Take no action, as there is no impairment to independence.
(B). Remove the new internal auditor from the engagement team.
(C). Discuss the matter with the appropriate personnel to alleviate concerns.
(D). Closely supervise the new auditor and carefully review his work.
Answer: A

NO.356 Which of the following should a general internal auditor be able to characterize as an
IT-related risk?
(A). Computer servers are in a room that is accessible to all employees.
(B). An IT architect avoids taking vacations and sharing his workload with coworkers.
(C). Hours billed by IT developers exceed 24 hours daily.
(D). Audit logs are lacking in a system that processes personal data.
Answer: D

NO.357 Which of the following is an appropriate role for the internal audit activity?
(A). Ensuring the organization's key risks are managed through appropriate controls.
(B). Assisting the organization in maintaining effective controls.
(C). Implementing new controls to promote continuous improvement
(D). Validating control assessments performed by the external auditor.
Answer: A

NO.358 During an audit of a foreign subsidiary, an internal audit team discovered that products were
sold to a prohibited country due to sanctions. What is the best course of action for the internal audit
team?
(A). Include the facts in the engagement communications
(B). Inform the external auditors of the violation.
(C). Report the violation to the government regulators
(D). Consult with the legal department
Answer: D

NO.359 Management would like to self-assess the overall effectiveness of the controls in place for
its 200-person manufacturing department. Which of the following client-facilitated approaches is
likely to be the most efficient way to accomplish this objective?
(A). Workshops.
(B). Surveys.
(C). Interviews.
(D). Observation.
Answer: B

NO.360 Which of the following would best describe a control implemented to detect cash register
disbursement fraud in a large retail store?

Answer: C

NO.361 Which of the following parties would be responsible for ongoing monitoring of the
organization's corporate social responsibility activities to reduce its carbon footprint?
(A). Chief audit executive
(B). Facility operation manager
(C). Public relations manager
(D). Regulatory agency
Answer: B

NO.362 According to IIA guidance, which of the following actions best demonstrates due
professional care by an internal auditor when she discovers a number of fraud-related red flags
during an audit engagement?
(A). Conclude the engagement and inform management that fraud has occurred
(B). Perform further testing to verify the existence of fraud.
(C). Suspend the engagement and undertake a formal fraud investigation.
(D). Notify the board of the possible fraud immediately
Answer: B

NO.363 What is the primary reason for establishing a continuing professional development program
within an organization's internal audit activity?
(A). To ensure all internal audit responsibilities can be met
(B). To ensure all audit staff members are capable of performing a quality self-assessment.
(C). To ensure that each auditor maintains responsibility for his own professional development.
(D). To attract the best and most talented candidates in the profession
Answer: A

NO.364 Which of the following strategies would be the most effective to share an organization's risk
of losses through foreign currency transactions related to the accounts payable process?
(A). Using a hedging strategy.
(B). Implementing controls to follow up on deviations.
(C). Purchasing liability insurance.
(D). Purchasing foreign currency reserves.
Answer: A

NO.365 Which of the following statements is true regarding the disclosure of results of the quality
assurance and improvement program?
(A). If the results of both internal and external assessments support conformance with the Standards,
the internal audit activity must communicate this to the board and senior management in writing.
(B). If it has been in existence fewer than five years and has no documented external assessment, the
internal audit activity may not indicate that it is operating in conformance with the Standards.
(C). If nonconformance affects its ability to fulfill its professional responsibilities or stakeholder
expectations, the internal audit activity should disclose nonconformance as well as its impact.
(D). If an external assessment reflects an overall conclusion of nonconformance, the internal audit
activity may continue to communicate that it conforms with the
Standards if it discloses a remediation plan, including timeline with subsequent validation.
Answer: C

NO.366 Which of the following can be used to minimize employees' resentment of controls?
(A). Making sure employees are exempt from participating in control creation
(B). Implementing controls without lengthy explanations of their purpose
(C). Developing general constricting controls rather than detailed ones
(D). Not using controls to achieve goals
Answer: C

NO.367 A whistleblower notified internal audit of a conflict of interest between an organization's
employee and a major supplier. Which of the following steps should be undertaken first?
(A). Interview the employee identified by the whistleblower.
(B). Attain an understanding of the employee's role, responsibilities, and relationship with the
supplier.
(C). Notify senior management, the board, and the external auditor about the alleged fraud
(D). Review all the orders issued to the supplier to investigate potential fraud.
Answer: B

NO.368 During an assurance engagement internal auditors interview operational management to
gather and evaluate information. Which approach is most important for internal auditors to be able
to listen effectively to interviewees in the given situation?
(A). Make an audio recording of the interview
(B). Interrupt with questions during unclear statements
(C). Express interest by asking follow-up questions
(D). Avoid periods of silence
Answer: C

NO.369 In an internal audit charter, which of the following statements regarding the chief audit
executive (CAE) would be most directly related to describing the responsibilities of the internal audit
activity?
(A). The CAE shall report functionally to the board and administratively to the chief financial officer
(B). The CAE and the internal audit activity shall have full access to any and all records and personnel
of the organization that are relevant to audit engagements
(C). The CAE and the internal audit activity shall be independent and objective in performing their
work.
(D). The CAE shall report periodically on the performance of the internal audit activity relative to its
plan
Answer: A

NO.370 An organization allows the same individuals to physically access inventory and purchase new
assets when supplies are depleted. Which of the following would best help the organization manage
the risk of fraud?

Answer: D

NO.371 The accounting department asked the chief audit executive (CAE) to perform a review of
suspicious transactions. The CAE was an accounting manager for the organization six months ago. How
should she respond to the request?
(A). Decline, if it is a consulting engagement because she recently worked in the organization's
accounting department
(B). Accept, it is an assurance engagement, as she has been out of the department long enough to
not impair objectivity.
(C). Inform the accounting department that the engagement can take place in the future once she has
been removed from accounting for a longer period of time.
(D). Accept, it is a consulting engagement with agreed-upon scope and services to be provided by the
internal audit activity.
Answer: D

NO.372 To achieve conformance with the Standards, the chief audit executive must include which of
the following activities in the quality assurance and improvement program (QAIP)?
(A). Require board oversight of the QAIP.
(B). Assess Standards conformance for each individual engagement.
(C). Conduct a self-assessment at least once every five years.
(D). Report the results of the QAIP to senior management
Answer: D

NO.373 Which of the following characteristics is typical of the internal audit activity?
(A). Serves third parties that need reliable financial information from audit engagements
(B). Responds to the needs and desires of senior management and the board, but remains
independent of areas under review
(C). Ensures the organization complies with laws and regulations in the area under review
(D). Is completely independent of senior management, the board and the area under review
Answer: D

NO.374 Internal audit is performing an engagement to determine whether there were indications of
questionable bidding on a city's infrastructure project. As part of the engagement the internal audit
activity became aware that certain firms tend to receive the contracts for large city projects. How
should the internal audit activity proceed with the engagement and identify questionable bidding
practices?
(A). Obtain the city's vendor listing to determine whether there was an adequate number of firms
available to solicit bids for projects
(B). Obtain all of the city's financial records to identify any firms that received payments for
contracted goods and services.
(C). Obtain the city's contracting files to determine whether the city demonstrated efforts to solicit
bids from various interested firms.
(D). Obtain the city's official public meeting minutes to determine whether there were concerns
about the contracting practices
Answer: C

NO.375 Which of the following is the primary benefit of an effective professional development
program for internal auditors?
(A). An effective program may enhance internal auditors' business acumen
(B). An effective program may ensure that IIA Standards requirements are adhered to during audit
engagements
(C). An effective program may ensure internal auditors' effectiveness in setting the organization's risk
management process
(D). An effective program may clarify management's expectations of the auditors and their
responsibilities to the organization
Answer: B

NO.376 The principle that "no action should be taken that may harm in some way the least
fortunate people" is an expression of which of the following more general ethical principles?
(A). Utilitarian benefits.
(B). Personal virtues.
(C). Religious injunctions.
(D). Distributive justice.
Answer: A

NO.377 Which of the following fraud prevention measures is most likely to trigger undesired
adverse behavior if improperly designed?
(A). Disclosure of outside business activities
(B). Ethics training programs
(C). Compensation programs
(D). Exit interviews
Answer: C

NO.378 According to IIA guidance, which of the following corporate social responsibility (CSR)
evaluation activities may be performed by the internal audit activity?
1. Consult on CSR program design and implementation.
2. Serve as an advisor on CSR governance and risk management.
3. Review third parties for contractual compliance with CSR terms.
4. Identify and mitigate risks to help meet the CSR program objectives.
(A). 1, 2, and 3.
(B). 1, 2, and 4.
(C). 1, 3, and 4.
(D). 2, 3, and 4.
Answer: A

NO.379 Which of the following best demonstrates organizational independence of the internal audit
activity?
(A). The chief audit executive (CAE) reports functionally to the CEO.
(B). The CAE's compensation is approved by the chief financial officer.
(C). The CAE's appointment is determined by the CEO
(D). The CAE reports administratively to the chief operating officer.
Answer: D

NO.380 Which of the following fraud schemes is often an off-book fraud?

Answer: C

NO.381 An organization's senior management team is awarding substantial bonuses if employees
meet financial targets. Which of the following motivators to potentially commit fraud would become
most likely in this scenario?
(A). Opportunity
(B). Pressure
(C). Rationalization
(D). Justification
Answer: B

NO.382 Which of the following describes two duties that should not be performed by the same
person?
(A). Posting cash receipts and cash payments to the general ledger.
(B). Posting bad debt write-offs and reconciling the accounts payable subsidiary ledger.
(C). Distributing payroll checks and approving sales returns for credit.
(D). Recording cash receipts and preparing bank reconciliations.
Answer: D

NO.383 Which of the following best describes a consulting engagement rather than an assurance
engagement?
(A). Bank internal auditors review an activity checklist to determine that the loan officer followed
proper procedures.
(B). The chief financial officer asks for the internal auditor's opinion regarding whether the new
accounting pronouncements were properly and comprehensively adopted
(C). An internal auditor is assigned to assess whether a proposed new initiative to convert a customer
service system would be cost effective.
(D). Senior management asks the internal audit activity to review compliance with customer data
security regulations
Answer: C

NO.384 Applying ISO 31000, which of the following is part of the external context for risk
management?
(A). Risk treatment method based on risk evaluation.
(B). Organizational culture, objectives, and processes.
(C). The regulatory and competitive environment
(D). The method of determining the risk level.
Answer: C

NO.385 Which of the following is the most effective way for internal auditors to determine whether
ethical values are followed throughout the organization?
(A). Review the organization's ethical value structure and reporting procedures.
(B). Review what the organization considers to be ethical behavior, such as the employee code of
conduct.
(C). Review employee survey responses and follow up on those that suggest weaknesses in the
ethical climate.
(D). Review the organization's records to ensure all employees have signed statements that they will
follow ethical practices.
Answer: B

NO.386 According to IIA guidance, which of the following gives the internal audit activity the
authority to request supporting documentation for the invoices of a third-party service provider?
(A). The internal audit policy manual.
(B). The internal audit charter.
(C). The board of directors.
(D). The quality assurance and improvement program.
Answer: B

NO.387 Which action by senior management indicates to the internal auditor that there may be
fraudulent activities occurring within the organization?
(A). Setting unrealistic targets for staff to achieve
(B). Granting external audit firms access to staff and records.
(C). Automating some processes and allowing others to be performed manually
(D). Enforcing a zero-tolerance policy for misconduct
Answer: A

NO.388 An internal auditor was completely honest with operational management when delivering
unfavorable audit results. Which of the following best describes the IIA Code of Ethics principle that
the auditor demonstrated?
(A). Integrity
(B). Objectivity
(C). Competency
(D). Transparency
Answer: A

NO.389 Which of the following is true with regard to an organization's risk management practices?
(A). Risks represent a single point estimate
(B). Each organization faces the same types of risk.
(C). Risks may relate to failing to achieve positive outcomes.
(D). Mitigated risks are no longer considered to be inherent.
Answer: A

NO.390 Which of the following actions taken during an audit engagement is the best demonstration
of an internal auditor's due professional care?

Answer: C

NO.391 According to IIA guidance, which of the following activities is appropriate for an internal
auditor to perform with regard to the organization's corporate social responsibility (CSR) program?
1. Determine whether the organization has adequate controls to achieve its CSR objectives.
2. Facilitate a management self-assessment of CSR controls and results.
3. Consult on the project design and implementation for the CSR program.
4. Exclude CSR-related external risks that are beyond the control of the organization.
(A). 1 and 2 only.
(B). 1, 2 and 3 only.
(C). 2, 3, and 4 only.
(D). 3 and 4 only.
Answer: B

NO.392 Which of the following best describes a purpose for the internal audit charter?
(A). The internal audit charter authorizes the internal audit activity's reporting structure and clearly
defines the roles of each internal auditor.
(B). The internal audit charter defines the roles and responsibilities of the chief audit executive, board
of directors, and senior management.
(C). The internal audit charter authorizes access to records, personnel, and physical properties
relevant to the performance of audit engagements.
(D). The internal audit charter defines the criteria by which the internal audit activity's performance
will be evaluated
Answer: C

NO.393 During an audit of the purchasing department, an internal auditor identifies significant
issues that could affect the organization's financial reporting. Management disagrees with the audit
results. Which of the following responses best demonstrates the internal auditor has the necessary
competencies related to professional judgment and conflict management?
(A). The auditor maintains his convictions and continues to proceed with the review process despite
management's concerns related to the results.
(B). The auditor bypasses management, discusses the results with the board, and seeks the board's
input on how best to address the recommendations.
(C). The auditor consults with other members of the audit team, and together they develop
alternative recommendations that management may be more likely to accept.
(D). The auditor meets with management to discuss the results and obtain a better understanding of
the specific concerns.
Answer: D

NO.394 According to IIA guidance, which of the following is required of an internal audit activity?
(A). The internal audit activity should refrain from conducting an assurance engagement for which it
lacks the necessary competencies or skills
(B). The chief audit executive must decline a consulting engagement or obtain competent advice and
assistance if internal auditors lack the necessary competencies or skills
(C). The audit committee should ensure that the internal audit activity continuously improves its
knowledge and skills in order to fulfill its responsibilities
(D). In today's business climate which is dominated by technology and big data, it is imperative that
each staff internal auditor has detailed knowledge about IT risks and technology-based audit
techniques
Answer: B

NO.395 According to ISO 31000, which of the following statements is correct?
(A). The board is responsible for setting the organizational attitude through tone at the top.
(B). The internal audit activity will provide assurance over operating effectiveness but not over the
design of risk management activities.
(C). The internal audit activity can give objective assurance on any part of the risk management
framework for which it is responsible.
(D). The framework is designed to be effective for organizations no matter how small.
Answer: D

NO.396 According to IIA guidance, which of the following is most critical to ensuring that an
organization's risk management program remains effective over time?
(A). Ensuring a fully executed assurance role for the internal audit activity.
(B). Conducting risk evaluations that include ranking the relative importance of each risk.
(C). Establishing a risk management function and appointing a chief risk officer.
(D). Conducting a combination of ongoing risk reviews and individual evaluations.
Answer: C

NO.397 Which of the following statements is true regarding the internal audit activity's quality
assurance and improvement program (QAIP)?
(A). Internal assessments must be performed by the chief audit executive.
(B). An internal assessment must be performed at least once every five years.
(C). It is permissible to share the results of the QAIP with the organization's external auditors.
(D). Results of ongoing monitoring must be validated annually by an independent external assessor.
Answer: C

NO.398 According to IIA guidance, which of the following statements is true regarding due
professional care?
(A). Internal auditors must exercise due professional care to ensure that all significant risks will be
identified.
(B). Internal auditors must apply the care and skill expected of a reasonably prudent and competent
internal auditor
(C). Due professional care requires the internal auditor to conduct extensive examinations and
verifications to ensure fraud does not exist.
(D). Due professional care is displayed during a consulting engagement when the internal auditor
focuses on potential benefits of the engagement rather than the cost.
Answer: B

NO.399 Which of the following statements is true regarding internal controls?
(A). Strategic objectives are prerequisites to establishing internal controls.
(B). Internal controls eliminate process breakdowns caused by human errors.
(C). Well-established internal controls cannot be overridden.
(D). Robust internal controls ensure business success.
Answer: A

NO.400 Which of the following is a primary responsibility of senior management with respect to
ethical violations?

Answer: C

NO.401 According to IIA guidance, which of the following statements is true regarding risk
management in an organization?
(A). The risk management function has the sole responsibility for identifying and managing risks in all
departments
(B). Risk management is a core responsibility of the internal audit activity
(C). The internal audit activity should consider the organization's maturity, structure, and the
competitive environment to establish the organization's risk appetite
(D). The internal audit activity may use a risk management or control framework to assist in risk
identification
Answer: D

NO.402 The chief audit executive of an organization assigns audit resources to undertake a
consulting engagement requested by senior management the previous year, and a scheduled
assurance audit of the procurement process. Which of the following appropriately differentiates the
two engagements?
(A). The details of assurance services are expected to be included in the risk-based audit plan; this is
not the case for consulting services.
(B). The objectivity of assurance services is impaired when undertaken by internal auditors who have
had recent prior responsibility in the area under review; this is not the case for consulting services.
(C). The performance of assurance services may be outsourced for competency gaps; this is not the
case for consulting services.
(D). The results of assurance services are required to be monitored; this is not the case for consulting
services
Answer: B

NO.403 Which of the following factors is most important for internal auditors to consider when
prioritizing fraud risks?
(A). The organization's code of conduct.
(B). The organization's competition.
(C). The organization's code of ethics.
(D). The organization's culture
Answer: D

NO.404 In which of the following ways can a chief audit executive demonstrate to the board that
the internal audit activity collectively possesses all of the skills needed to complete its annual goals?
(A). Involve board members in hiring activities and request advice.
(B). Require all internal audit staff to complete the same training course on a general audit subject.
(C). Require senior auditors to obtain a professional certification.
(D). Provide a competency assessment of the internal audit staff.
Answer: D

NO.405 Who is held responsible for oversight of the organization's risk management framework?
(A). Operational management.
(B). Board of directors.
(C). Internal auditors.
(D). Head of risk management.
Answer: B

NO.406 An engagement supervisor noted that an internal auditor's personal relationship with a
process owner resulted in the auditor providing a favorable and partial assessment during an audit
within that process owner's area. According to IIA guidance, which of the following should be used
to manage this impairment?
(A). An internal audit charter.
(B). An employee disciplinary policy.
(C). A functional audit committee.
(D). A functional reporting placement.
Answer: A

NO.407 Which of the following situations undermines the independence of the internal audit
activity?
(A). The internal audit activity is responsible for the company's risk management function and its
head manager reports to the chief audit executive
(B). A senior member of the internal audit activity once worked in the corporate finance department
(C). The organization's CEO reviews the internal audit activity's annual budget per the organization's
policies and procedures
(D). The internal audit activity often uses management's risk profile to build its own risk profile for
annual planning
Answer: A

NO.408 According to IIA guidance, which of the following actions best demonstrates that due
professional care has been considered by the internal audit activity when conducting a review of an
organization's assets?
(A). Determining whether any opportunity exists for senior executives to misappropriate property or
funds
(B). Planning and executing fieldwork in a complete and timely manner to identify all significant risks
(C). Verifying whether the board of directors has implemented effective internal controls
(D). Having senior management determine whether the degree of work planned is sufficient to meet
engagement objectives
Answer: B

NO.409 Due to the increased operational responsibility of the CEO, the chief audit executive (CAE) of
an organization currently reports to the chief financial officer (CFO). What is the likely impact of such
a situation?
(A). There may be limitation in the scope of engagements that can be undertaken
(B). The CFO could provide expert advice when auditing areas under his purview
(C). The internal audit activity is adequately positioned when the CAE reports to a member of
executive management
(D). The expertise of finance staff can be called upon during an audit of finance-related areas
Answer: A

NO.410 A newly appointed chief audit executive (CAE) started analyzing the organization's policies
in an attempt to customize them to address internal audit specifics. Which of the following
organizationwide practices is most likely to be acceptable to the CAE?

Answer: D

NO.411 Regarding assurance and consulting services provided by the internal audit activity, which of
the following statements is correct?
(A). The nature and scope of a consulting engagement are determined by the internal audit activity
based on its risk assessment
(B). The nature and scope of an assurance engagement are subject to agreement with management
of the area under review
(C). Both assurance services and consulting services can be focused on controls or performance or
both
(D). The assurance engagement process ends with reporting
Answer: D

NO.412 An internal auditor observed that sales staff are able to modify or cancel an order in the
system prior to shipping. She wonders whether they can also modify orders after shipping. Which of
the following types of controls should she examine?
(A). Batch controls.
(B). Application controls.
(C). General IT controls.
(D). Logical access controls
Answer: B

NO.413 Which of the following skills is critical for assessing corporate social responsibility through a
self-assessment?
(A). Assessment skills
(B). Assurance skills
(C). Interviewing skills
(D). Facilitation skills
Answer: A

NO.414 Which documents would help a forensic auditor identify instances of collusion between an
employee and vendor to defraud the organization?
(A). Email correspondence.
(B). Payment request forms.
(C). Vendor invoices.
(D). Bank statements.
Answer: D

NO.415 The internal audit activity is asked to review the effectiveness of controls around the
disposal of chemical waste. However, the internal auditors on staff lack the necessary skills to
conduct this review. Which of the following would be the most appropriate approach?
(A). An internal auditor who recently attended a three-day workshop on chemical waste disposal, and
therefore has the most knowledge on the topic, should lead the engagement.
(B). A team of available internal auditors should be assembled and should consult with an external
nonaudit expert on chemical waste disposal to plan and conduct the engagement.
(C). A team of the most knowledgeable auditors could be assembled and use the engagement work
program from the previous year to gather additional insight regarding recommended audit
procedures.
(D). A nonaudit employee from the chemical disposal area may share his expertise with the audit
team, provided the internal audit manager conducts a detailed review of all engagement work
performed.
Answer: D

NO.416 Which of the following would be included in quality assurance and improvement program
(QAIP) reporting?
(A). Descriptions of standardized work practices.
(B). Outcomes of internal audit key performance indicators.
(C). Conformance of individual engagements with the Standards.
(D). Annual summaries of consulting and audit engagements.
Answer: C

NO.417 Which of the following actions should the organization's governing body perform to provide
the most effective governance over the organization's culture?
(A). Coordinate control activities.
(B). Provide direction.
(C). Design key controls.
(D). Deliver assurance.
Answer: B

NO.418 A newly hired internal auditor is performing an engagement that requires significant IT
expertise that he does not possess. If the auditor does not alert the chief audit executive about his
lack of expertise and decides to perform the engagement anyhow, which principle of the IIA's Code of
Ethics would he violate?
(A). Due professional care.
(B). Competency.
(C). Effective communication
(D). Professionalism
Answer: B

NO.419 What is the primary purpose of The IIA's Code of Ethics?
(A). Communicate specific activities appropriate to the performance of internal auditing
(B). Promote ethical culture within corporations and other business organizations
(C). Establish mandatory standards of competence for the practice of internal auditing
(D). Establish principles and expectations governing behavior of individuals and organizations in the
conduct of internal auditing
Answer: D

NO.420 An internal auditor in a busy internal audit activity reviews her continuing professional
development records toward the end of the year and is concerned to find she has undertaken limited
training and formal professional development. Which of the following actions is the most appropriate
for her to take?

Answer: D

NO.421 The internal audit activity is performing an assessment of an organization's ethics program,
and the engagement scope specifies a focus on the training program's design. According to IIA
guidance, which of the following questions would be the most relevant?
1. Does the training include situations that require an ethical decision?
2. What percentage of employees have taken the training?
3. What are the results of the employee assessment of the organization's ethical climate?
4. Does the instructor provide feedback on the thought process to reach an ethical resolution?
(A). 1 and 2.
(B). 1 and 4.
(C). 2 and 3.
(D). 3 and 4.
Answer: A

NO.422 Which of the following would be considered advanced expertise which most internal
auditors are not expected to possess?
(A). The ability to evaluate fraud risk
(B). The ability to detect and investigate fraud
(C). The ability to assess risk management strategies
(D). The ability to create test databases
Answer: B

NO.423 A series of incidents over the past year reveals several members of senior management
possess a limited understanding of the concept and impact of fraud. Which of the following would be
the most effective way to approach this issue?
(A). The board should ask the internal audit activity to perform additional assurance engagements.
(B). A comprehensive fraud risk assessment and management program should be carried out.
(C). The organization should conduct training sessions on fraud, which should be attended by senior
management and staff.
(D). Anti-fraud and whistleblowing policies should be implemented and their importance should be
clearly stated.
Answer: C

NO.424 Which of the following scenarios is a characteristic of an organization with a highly effective
ethical culture?
(A). An organization implements and communicates to staff a formal and comprehensive code of
conduct, which is clear and understandable.
(B). An organization waives reference and background checks when hiring for certain sensitive
positions in order to not violate potential employees' rights to privacy.
(C). An organization punishes senior management more harshly for ethics violations than it would for
lower-level staff to send a message throughout the organization.
(D). An organization conducts surveys of employees, suppliers, and customers once every five years
to determine the state of the ethical climate in the organization.
Answer: A

NO.425 Which of the following is an example of a management control technique?
(A). A budget.
(B). A risk assessment.
(C). The board of directors.
(D). The control environment
Answer: A

NO.426 A chief audit executive assigned an internal auditor to perform an assurance engagement.
The auditor concluded with a major audit finding based on hearsay evidence. Which of the following
competencies did the auditor appear to be lacking?
(A). Effective communication skills
(B). Risk-based assurance knowledge
(C). Demonstration of due professional care.
(D). Demonstration of ethical behavior
Answer: A

NO.427 Which of the following is the best way for an internal auditor to demonstrate due
professional care?
(A). Conduct an audit to the same extent that another prudent auditor would under similar
circumstances
(B). Seek feedback from the engagement supervisor during the engagement
(C). Execute internal audit work in such a manner as to provide absolute assurance of compliance
(D). Request and receive client feedback surveys during the engagement
Answer: A

NO.428 Which of the following is considered to be a threat to the internal auditor's objectivity?
(A). The auditor drafted the operational procedures of the area that she is currently auditing.
(B). The auditor received a bonus that was approved by the board of directors.
(C). The assigned auditor recommended operational procedures for the organization.
(D). The assigned auditor rotated out of the same business activity three years ago
Answer: A

NO.429 Which of the following is true regarding the stakeholder theory of corporate social
responsibility?
(A). An organization has a fiduciary duty to put shareholders' needs first
(B). Customers' needs are the primary responsibility of the organization
(C). Competitors are considered stakeholders of the organization
(D). Employees are the organization's best assets and primary responsibility
Answer: A

NO.430 According to The IIA's Code of Ethics, an internal auditor who has a romantic relationship
with an audit client violates which of the following rules of conduct?

Answer: D

NO.431 A chief audit executive (CAE) identifies that the internal audit activity lacks a necessary skill
to perform a management request for a consulting engagement. According to IIA guidance, which of
the following is the most appropriate action the CAE should take regarding the request?
(A). Assign the engagement to a more senior internal auditor.
(B). Decline the engagement request.
(C). Allow the internal auditors to acquire the needed skills while performing the engagement.
(D). Supervise the assigned internal auditors throughout the engagement.
Answer: B

NO.432 Which of the following is a primary benefit of implementing a governance, risk management,
and compliance framework within an organization?
(A). Fewer internal audits
(B). More effective interviews
(C). Automated risk management strategy tools
(D). Reduced assurance costs
Answer: D

NO.433 Under which of the following circumstances should the final audit report include a
disclosure of nonconformance with the Standards?
(A). An external quality assessment of the internal audit activity is performed only once every five
years.
(B). The internal auditor provided negative assurance, because he found no evidence of misconduct.
(C). The annual internal audit plan includes some consulting engagements that are based on
opportunities rather than risks to the organization.
(D). A new internal auditor moved into the internal audit activity from the payroll department and
was immediately assigned to the payroll audit.
Answer: C

NO.434 Which of the following is most accurate concerning corporate social responsibility?
(A). A moral agent in an organization makes decisions that are based on the rules and regulations of
the organization as they apply to human resources decisions
(B). The utilitarian approach to deciding on ethical dilemmas is concerned with choosing the simplest
solution that will apply to the most people
(C). Ethics are not defined by laws, but they are not a matter of free choice; ethics are based on
standards of conduct derived from shared principles and values
(D). The individualism approach to ethical decision making is focused on implementing a customized
long-term outcome that is most beneficial for the entire organization
Answer: C

NO.435 Which of the following would be considered a monitoring activity in organization-wide risk
management?
(A). Validate the results of management's self-assessment.
(B). Perform reviews of personnel.
(C). Maintain rigorous and comprehensive documentation.
(D). Obtain authorizations and signatures.
Answer: A

NO.436 Which of the following scenarios would most significantly restrict the areas where internal
audit could perform assurance services?
(A). Regulators mandate specific audit engagements to be included in the audit plan.
(B). The internal audit activity reports functionally to the chief financial officer
(C). The internal audit activity reports administratively to the CEO and functionally to the audit
committee.
(D). The internal audit activity reports administratively to the chief financial officer.
Answer: B

NO.437 When a plant manager from within the organization is hired as a rotational internal auditor
within the internal audit activity, which area should he most likely be trained for immediately?
(A). Industry knowledge
(B). Project management
(C). Leadership skills
(D). Risk assessments
Answer: D

NO.438 In addition to her internal audit activity responsibilities, the chief audit executive has been
asked to oversee the organization's insurance function. Which of the following responses is most
appropriate?
(A). Welcome the additional responsibility, as it represents an opportunity to gain more information
for future audits.
(B). Revise the internal audit charter to include oversight of the insurance function, ensuring that all
of her responsibilities are properly documented.
(C). Report the request to the board and recommend alternate processes to obtain assurance related
to insurance activities.
(D). Promptly remove the organization's insurance function from the audit universe.
Answer: B

NO.439 An organization sells products through distributors. The organization's chief audit executive
insists that the organization's code of conduct be applicable to their distributors as well. Which of the
following risks would this mitigate?
(A). Business continuity
(B). Market manipulation
(C). Intellectual property leakage
(D). Reputational damage
Answer: D

NO.440 Which of the following organizations is adopting an acceptance technique in terms of its risk
response?

Answer: A

NO.441 During a complex financial compliance engagement, a senior internal auditor determines
that current audit procedures are not sufficient for adequate testing. She consults with a colleague
and learns that a spreadsheet application contains a helpful tool. She proceeds to use the tool to
properly complete the evaluation. Which of the following best describes the core competency
displayed by the senior auditor?
(A). Business acumen
(B). Persuasion and collaboration
(C). Critical thinking
(D). Communication
Answer: D

NO.442 Which of the following is the most appropriate reason for a chief audit executive to conduct
an external assessment more frequently than every five years?
(A). Significant changes in the organization's accounting policies or procedures would warrant timely
analysis and feedback.
(B). More frequent external assessments can serve as an equivalent substitute for internal
assessments.
(C). The parent organization's internal audit activity agreed to perform biennial reciprocal external
assessments to provide greater assurance at a reduced cost.
(D). A change in senior management or internal audit leadership may change expectations and
commitment to conformance.
Answer: D

NO.443 Six months after an employee was transferred to the internal audit activity, his former
operating manager requested that he return to assist a project team with the evaluation of a new
pricing module for the organization's online ordering system. According to IIA guidance, which of the
following statements is true?
(A). The auditor cannot be assigned to this project, as it has been fewer than 12 months since he was
transferred from that department.
(B). Another internal auditor should be appointed to the engagement to preserve the independence
of the internal audit activity
(C). The auditor cannot participate in the assignment, as providing an opinion would impair his
objectivity
(D). The auditor may participate on the project, as the nature of the assignment is consulting
Answer: D

NO.444 Which of the following must be in existence as a precondition to developing an effective
system of internal controls?
(A). A monitoring process.
(B). A risk assessment process.
(C). A strategic objective-setting process.
(D). An information and communication process.
Answer: B

NO.445 Which of the following techniques should an internal auditor use in order to conduct an
effective interview?
(A). Use technical language to establish credibility with the employee being interviewed
(B). Avoid straightforward questions to make the person being interviewed think before answering
(C). Prepare the next question while the interviewee is responding to demonstrate preparedness
(D). Appear confident but not arrogant during the interview to show professionalism
Answer: A

NO.446 A regional entertainment organization is in the process of developing a corporate social
responsibility (CSR) policy. Management invites ideas from employees when developing the CSR
policy. Which of the following is the most appropriate idea to include?
(A). Management has overall responsibility for the effectiveness of governance, risk management,
and internal control processes associated with CSR.
(B). The board is responsible for ensuring that CSR objectives are established, risks are managed,
performance is measured, and activities are appropriately monitored and reported.
(C). Management is responsible for ensuring that the organization's CSR principles are
communicated, understood, and integrated into decision-making processes.
(D). Generally, CSR activities are limited to the management of the organization; thus, employees do
not have a responsibility for ensuring the success of CSR objectives.
Answer: B

NO.447 At the beginning of an IT development project, key risks were identified and assessed, and
risk owners were appointed. Six months later, the IT development team reported that the project is
significantly over budget, it will not be completed on time, and key personnel had left the
organization. Which of the following risk management practices should be improved for future
projects?
(A). Risk response.
(B). Risk assessment
(C). Risk monitoring.
(D). Risk avoidance.
Answer: B

NO.448 An organization has limited resources to spend on corporate social responsibility initiatives.
Which is the most suitable approach to determine how these resources should be used?
(A). Support a mix of environmental, economic, and social initiatives to ensure a balanced approach is
taken
(B). Survey employees and external stakeholders to see which causes are best suited to the
organization.
(C). Select corporate social responsibility initiatives that support the overall strategic goals of the
organization
(D). Conduct a financial analysis to determine where the most impact can be made with the budget
available
Answer: A

NO.449 The results of an assessment of the adequacy of controls would be considered incomplete
or misleading unless the internal auditor considers which of the following?
(A). Number of mitigating controls.
(B). Effectiveness of the control environment
(C). Use of computer-assisted auditing techniques.
(D). IT security controls
Answer: B

NO.450 Which of the following is an example of a detective control?

Answer: C

NO.451 A third-party provider's questionable labor practices have exposed the organization to
reputational risks and regulatory risks. Which of the organization's risk management practices was
most likely ineffective?
(A). The organization ensured that the third-party vendor provided the best pricing for the requested
services.
(B). The organization conducted quality control reviews of provided services to ensure industry
standards were met.
(C). The organization performed a due diligence review of all vendors during the bid review process.
(D). The organization planned to issue a resolution concerning the third-party provider's labor
practices.
Answer: A

NO.452 Which of the following statements is true regarding reporting results of the quality
assurance and improvement program to senior management and the board?
(A). Internal assessments must be reported to the board at least every five years
(B). If supported by assessment results, reporting provides assurance that internal auditors
demonstrate conformance with the Code of Ethics
(C). Following the reporting, the board must give the internal audit activity five years to correct any
deviations
(D). A report, including the results of both internal and external assessments, must be provided to the
board annually
Answer: B

NO.453 What should the chief audit executive do when the internal audit activity is found to be in
nonconformance with the Code of Ethics or the Standards?
(A). Assign competent staff to the area under audit to remediate the nonconformance.
(B). Determine how the deviation impacted the overall scope of the internal audit activity.
(C). Meet with the board to gain an understanding of the board's expectations.
(D). Communicate the matter to the board at the time of the next external assessment.
Answer: B

NO.454 Which of the following describes an ongoing monitoring activity that could be performed as
part of an internal assessment for a quality assurance and improvement program (QAIP)?
(A). Planning and supervising engagements
(B). Evaluating the quality of supervision
(C). Identifying opportunities for improvement in internal audit's processes and procedures
(D). Determining if the objectives of QAIP are current
Answer: C

NO.455 Which of the following statements is true regarding how the scope of a consulting
engagement should be established?
(A). The engagement client should be able to determine the scope to be applied to the engagement
(B). The internal auditor should establish a scope that does not impair her objectivity
(C). Any attempts by the engagement client to limit the scope should be considered a scope
limitation
(D). The scope should include reviewing the effectiveness of the internal control environment
Answer: A

NO.456 During fieldwork, an internal auditor located a significant internal control issue. Without
identifying the origins of the issue, the auditor concluded the engagement and included the issue in
the final audit report. To enhance audit quality, which of the following skills should the internal
auditor improve?
(A). Business acumen.
(B). Critical thinking.
(C). Communication.
(D). Audit report writing.
Answer: C

NO.457 Which of the following activities best ensures that internal auditors grow professionally in
alignment with current industry trends to meet the expectations of primary stakeholders?
(A). Deploying self-assessments against a competency benchmark.
(B). Acquiring memberships in professional organizations.
(C). Developing professional succession plans.
(D). Obtaining subscriptions to professional journals in their area of interest.
Answer: A

NO.458 An internal auditor was assigned to work in the procurement department for six months to
gain in-depth knowledge about the procurement process. Which of the following personnel
development practices was applied in this situation?
(A). Cosourcing
(B). Inbound rotation
(C). Guest auditor
(D). Outbound rotation
Answer: D

NO.459 The manager of the payroll department requested a review of the payroll process, but only
wants the engagement to include processes related to approval of time worked. What type of activity
is this?
(A). Financial assurance engagement.
(B). Operational consulting engagement.
(C). Compliance assurance engagement.
(D). Risk management consulting engagement.
Answer: C

NO.460 Which of the following threatens internal audit objectivity?

Answer: B

NO.461 According to IIA guidance, which of the following best demonstrates how the chief audit
executive may ensure that due professional care is applied?
(A). Establish policies and procedures concerning the engagement process
(B). Develop a strategy for recruiting, assigning, and training staff
(C). Outsource complex engagements to an external service provider
(D). Base the auditor evaluation process on the number of observations
Answer: A

NO.462 How should the internal audit activity promote continuous improvement of organizational
controls?
(A). By assessing implementation of controls in individual processes during audit engagements
(B). By identifying the most significant business processes and designing effective controls for those
processes
(C). By implementing an internationally accepted internal control framework across the organization
(D). By facilitating control self-assessment sessions for managers responsible for business processes
Answer: D

NO.463 According to IIA guidance, which of the following is a required aspect of an internal audit
charter?
(A). Management approval
(B). Independent review
(C). Reporting relationships
(D). Quarterly assessment
Answer: C

NO.464 In which of the following audits would the internal auditors most likely contribute to the
assessment of organizational governance?
(A). An assessment of compliance of individual data protection procedures with data protection
regulations
(B). An assessment of profit and loss generated by financial assets and instruments in the past
quarter
(C). An assessment of the effectiveness of back-up procedures and execution of business recovery
plans
(D). An assessment of performance management practices and establishment of key performance
indicators
Answer: D

NO.465 What is the ultimate goal of establishing a robust risk management framework in an
organization?
(A). To support the organization's risk culture, involving employees at all levels.
(B). To ensure that the organization attains a better financial position.
(C). To assist the organization in identifying and mitigating key risks.
(D). To facilitate the organization's achievement of business goals and objectives.
Answer: D

NO.466 The chief audit executive (CAE) of a large organization is preparing job descriptions to hire five
new general internal audit staff, two new IT auditors, and a senior auditor. How is the CAE likely to
describe IT requirements for the general internal audit staff positions?
(A). The candidate must be able to apply data analytics tools and methodologies
(B). The candidate must be able to evaluate IT governance and cybersecurity frameworks.
(C). The candidate must be able to understand IT-related risk and general controls
(D). The candidate must be able to execute web servers, applications, and databases testing
procedures.
Answer: C

NO.467 According to IIA guidance, which of the following is the primary reason the chief audit
executive discusses the internal audit charter with senior management and the board?
(A). To provide guidance and solicit feedback on managing the internal audit activity as expected by
various stakeholders.
(B). To provide an understanding of the Mission of Internal Audit and The IIA's mandatory guidance
elements.
(C). To provide an update on the internal audit activity's quality of engagement supervision.
(D). To provide information on existing internal audit planning, changes to the internal audit plan,
and the rationale for the changes
Answer: D

NO.468 The chief audit executive (CAE) decided to conduct a self-assessment with independent
validation. Which of the following is the most likely reason the CAE selected this course of action?
(A). The audit committee requested the self-assessment for quality assurance purposes
(B). The staff auditors have the necessary knowledge and experience to conduct the review
(C). The internal audit activity is relatively small in size and is due for an external assessment
(D). The internal audit activity is due for a self-assessment, which is specifically required at least once
every five years
Answer: B

NO.469 An internal auditor has completed an assurance engagement. Which of the following is most
likely true regarding the engagement?
(A). During audit planning, the auditor provided the client with the scope of the engagement for their
agreement
(B). The results of the engagement were included in a written report that was issued to the client who
requested the engagement
(C). During audit planning, the auditor determined that the engagement scope would include a review
of the security and privacy of payroll records
(D). The client requested the review of a new payroll system in order to improve the security of the
system
Answer: C

NO.470 The organization's chief audit executive (CAE) is planning an immediate assurance
engagement following several product recalls. However, the internal audit staff does not have the
required knowledge and experience to adequately assess all the relevant processes and procedures.
According to IIA guidance, which of the following actions should the CAE take under these
circumstances?

Answer: D

NO.471 Which of the following statements is true with regard to services provided by the internal
audit activity?
(A). For consulting engagements, internal auditors do not need to be alert to control issues.
(B). Assurance and consulting services have similar objectives.
(C). Internal auditors may not perform assurance and consulting roles at the same time.
(D). Both assurance and consulting engagements require a final engagement report
Answer: D

NO.472 Which of the following process weaknesses is most likely to cause an internal auditor the
most concern about fraud risk?
(A). Final employee payroll list is belatedly sent to the bank for payment processing.
(B). Employee salary is calculated by the payroll system without further verification.
(C). Employee personal records in the permanent file are not updated in a timely manner
(D). Employee personal information in the payroll system could be updated without approval.
Answer: D

NO.473 Which of the following statements best demonstrates application of due professional care
during an assurance engagement?
(A). The engagement detected irregularities and noncompliance instances.
(B). The engagement supervisor had no significant comments in the supervisory review.
(C). The audit procedures were systematically planned, executed, and documented.
(D). The engagement objectives were designed to assist the engagement client.
Answer: A

NO.474 The organization's internal audit charter was last updated six years ago. To update the
charter, which of the following actions is most appropriate for the chief audit executive to take?
(A). Wait for the next external assessment and address all of the missing information in the charter
based on the recommendations from the external assessment team.
(B). Perform a review of IIA guidance to become acquainted with the latest mandatory elements prior
to updating the charter
(C). Use an internal audit charter template from another organization that operates within the same
industry.
(D). Identify an individual within the internal audit activity who has in-depth knowledge of mandatory
IIA guidance elements to address any gaps or areas of the current version of the charter that could be
improved.
Answer: D

NO.475 The internal auditor obtained large volumes of transaction history data for accounts on
which he suspected that some fraudulent transactions occurred. Which of the following actions best
demonstrates due professional care by the internal auditor?
(A). The internal auditor carefully scrutinized the data by manually reviewing each transaction to
ensure that all irregularities were identified.
(B). The internal auditor employed the use of data analytics tools to sort, analyze, and detect
anomalies in the data
(C). The internal auditor started the data analysis process by selecting a random sample of
transactions on which to perform further tests.
(D). The internal auditor requested that the branch supervisor assist in identifying fraudulent
transactions, as he was most familiar with the accounts being audited.
Answer: B

NO.476 An organization's board has approved an expansion plan into a new market. The board
acknowledged that if the expansion is not successful, the organization would encounter large
monetary losses consisting of legal fees, research and development costs, rent expenses, and labor
fees. Which of the following has the board approved?
(A). The risk response.
(B). The risk tolerance.
(C). The residual risk.
(D). The inherent risk.
Answer: D

NO.477 Which of the following would provide the best support for internal auditors to meet their
continuing professional development requirements?
(A). Access to online internal audit and business skills courses.
(B). Records of self-assessment reports completed by the internal audit staff.
(C). Cosourcing arrangements with external providers on specific engagements.
(D). Performance reviews comparing internal auditors' achievements against specified goals.
Answer: D

NO.478 Which of the following is the best example of an ongoing independent monitoring activity?
(A). Management quality assurance activities
(B). Internal audit fraud prevention and detection activities
(C). Management and supervisory activities
(D). External audit quality assurance activities
Answer: D

NO.479 At what point in time can an organization conclude that the established organizational
governance framework was correctly implemented?
(A). When the internal auditor conducts observations and fieldwork.
(B). When management completes the risk assessment.
(C). When the internal auditor evaluation shows its soundness.
(D). When the organization's goals and objectives are met.
Answer: C

NO.480 According to IIA guidance, which of the following statements is true regarding the internal
audit activity's responsibilities in providing consulting services?

Answer: D

NO.481 Recently, an organization's internal audit activity discovered ghost employees who receive
payments. Senior management decides to strengthen the internal control measures to address this.
Which of the following is considered an effective control to mitigate payments to ghost employees?
(A). Staff transfers are reviewed by the recruiting manager and approved by the head of human
resources
(B). New staff requisition forms are authorized by operational management and acknowledged by the
head of human resources
(C). Staff salary payments and accounting records are approved by the head of accounting and
acknowledged by the head of human resources
(D). The staff salary payment list is reviewed by the head of payroll and endorsed by the head of
human resources
Answer: D

NO.482 After the draft engagement report is issued, the manager of the area that was reviewed is
informally interviewed by the engagement supervisor regarding the audit experience. Which of the
following is most likely the purpose for this interview?
(A). Such an interview is performed when there is a need to dismiss an internal auditor
(B). Feedback from the manager will contribute to the audit team's professional development
(C). The manager's opinion will be used to form the final audit assessment and report rating.
(D). The manager will provide insights into the audited industry's trends
Answer: B

NO.483 An internal audit activity is using the auditing-by-element approach to audit the
organization's controls around corporate social responsibility. Which of the following would be an
element for the internal audit activity to consider?
(A). Working conditions.
(B). Employees' families.
(C). Marketplace competition.
(D). Shareholders and investors
Answer: A

NO.484 Which of the following activities should the chief audit executive perform to ensure
compliance with an organization's code of conduct?
(A). Act as an advisor to the committee responsible for reviewing violations of the code.
(B). Review and adjudicate all violations of the code of conduct.
(C). Lead the committee responsible for the oversight of the code.
(D). Implement a system of procedures to inform all employees of the code.
Answer: A

NO.485 Which of the following is a greater consideration for internal auditors when they are
performing a consulting engagement than when they are performing an assurance engagement?
(A). The relative complexity of the engagement
(B). The cost of the engagement relative to its benefits
(C). The extent of work needed to achieve the engagement's objective
(D). The needs and expectations of the engagement client
Answer: D

NO.486 Which of the following scenarios best illustrates the Fraud Triangle component known as
"perceived opportunity"?
(A). Substantial bonuses are awarded if financial targets are met.
(B). Duties are not properly segregated.
(C). Employees may perceive favoritism and feel overlooked and resentful.
(D). Bonuses may not be paid this year.
Answer: B

NO.487 Which statement accurately describes the authority of the internal audit activity as outlined
in the audit charter?
(A). The chief audit executive (CAE) shall report directly to the board and administratively to the CEO.
(B). The CAE shall provide senior management and the board with performance updates quarterly.
(C). The internal audit team shall have full access to the organization's records, physical property, and
personnel required to conduct audit engagements.
(D). The internal audit activity shall maintain a quality assurance and improvement program in
conformance with the Standards.
Answer: C

NO.488 An automobile manufacturer will become one of the first in the industry to adopt a new
inventory management software. Despite the system being new to the market, senior management
believes that the benefits are great enough to offset the potential risks. Which of the following
aspects of risk management does senior management's decision best illustrate?
(A). Residual risk.
(B). Inherent risk.
(C). Risk tolerance.
(D). Risk appetite.
Answer: C

NO.489 According to IIA guidance, which of the following statements regarding ethics is true?
(A). Business ethics may vary within an organization with both domestic and foreign operations
(B). Business ethics are universal in nature and organizations across the world are expected to comply
with similar standards
(C). A business ethics policy for an organization is established solely to direct the behavior and
expectations of employees
(D). Business ethics of an organization must remain independent from those of suppliers, customers,
and business partners
Answer: D

NO.490 Which of the following is a responsibility of the internal audit activity as it relates to risk and
risk management?

Answer: D

NO.491 Management is installing security cameras to identify unauthorized physical access to the
organization's warehouse. This is an example of which of the following types of controls?
(A). Detective controls.
(B). Key controls.
(C). Primary controls.
(D). Preventive controls
Answer: A

NO.492 An internal audit activity maintains a quality assurance and improvement program that
includes annual self-assessments. The internal audit activity includes in each engagement report a
clause that the engagement is conducted in conformance with the International Standards for the
Professional Practice of Internal Auditing (Standards). Which of the following justifies inclusion of this
clause in the reports?
(A). Internal audit activity policies and engagement records provide relevant, sufficient, and
competent evidence that the statement is correct
(B). The audit committee has reviewed the annual self-assessment results and approved the use of
the clause
(C). The self-assessment results were validated by a qualified external review team three years prior
(D). The internal audit charter, approved by the audit committee requires conformance with the
Standards
Answer: C

NO.493 Which of the following should be implemented to promote independence of the internal
audit activity?
(A). Internal auditors do not review an area where they previously worked
(B). The internal audit charter is reviewed and updated annually
(C). The chief audit executive reports functionally to the board
(D). Management does not influence the consulting services provided by the internal audit activity
Answer: C

NO.494 An accounts payable clerk has recently transferred into the internal audit activity and has
been assigned to an engagement related to accounts payable processes for which he was previously
responsible. Which of the following is the best action for the new internal auditor to take?
(A). If it is an assurance engagement, accept the assignment because direct knowledge of the existing
accounts payable processes will provide depth and add more value.
(B). If it is a consulting engagement, decline the assignment and ask to be reassigned, because in a
consulting engagement the auditor must not assess operations for areas in which they were
previously responsible.
(C). If it is a consulting engagement, accept the assignment because direct knowledge of the existing
accounts payable processes will provide depth and add more value.
(D). If it is an assurance engagement, accept the assignment because the chief audit executive had
knowledge of the internal auditor's previous role when this engagement was assigned.
Answer: C

NO.495 An organization's fraud policies and procedures dictate that the internal audit activity does
not have primary responsibility for conducting fraud investigations and should, in fact, refrain from
involvement in investigations. Which of the following activities would be considered acceptable for
internal auditors of this organization to perform?
(A). Evaluate the effectiveness of fraud investigations
(B). Oversee and monitor senior management's approach to manage fraud risks
(C). Set the tone for fraud risk management within an organization
(D). Evaluate whether the financial statements are free of material misstatement due to fraud
Answer: B

NO.496 An internal auditor extended the scope of testing for a disbursements engagement
following a fraud risk assessment. Despite the investment of additional audit resources, no significant
issues were found. Unfortunately, a major payment fraud was discovered several months later.
According to IIA guidance, which of the following statements is true regarding the internal auditor's
application of due professional care?
(A). Due professional care was not applied because no additional work should have been performed
unless there was actual evidence of fraud
(B). Due professional care was not applied because the extended scope resulted in no issues being
identified, while fraud actually existed
(C). Due professional care was applied as the internal auditor modified the scope based on
reasonable judgment, despite the additional cost of resources
(D). Due professional care was applied as the cost of audit resources should not be a determining
factor in the degree of testing undertaken
Answer: C

NO.497 Which of the following written documents typically offers the best evidence that internal
auditors exercise due professional care in conformance with the Standards?
(A). Internal audit charter.
(B). Workpaper.
(C). Audit report.
(D). Code of ethics.
Answer: B

NO.498 According to IIA guidance, which of the following is an appropriate role for the internal audit
activity?
(A). Coaching management in responding to risks.
(B). Implementing risk responses on management's behalf.
(C). Imposing risk management processes.
(D). Setting the risk appetite.
Answer: A

NO.499 Which of the following is the most appropriate way to ensure that a newly formed internal
audit activity remains free from undue influence by management?
(A). Appoint the chief audit executive as a member of the board.
(B). Adopt written policies and procedures for the internal audit activity, approved by the board.
(C). Ensure the chief audit executive reports administratively to the audit committee.
(D). Establish the internal audit activity's position within the organization in an audit charter.
Answer: D

NO.500 According to IIA guidance, which of the following correctly describes the standard risk
treatments outlined in the process element approach of the framework for risk management?

Answer: A

NO.501 According to IIA guidance, which of the following statements is true regarding the internal
audit activity's quality assurance and improvement program (QAIP)?
(A). Internal assessments rely solely on the review of completed audit engagements for
demonstrated performance.
(B). The chief audit executive is responsible for assessing the suitability and competence of an
external assessor.
(C). QAIP results must first be discussed with the board and approval obtained for distribution to
senior management.
(D). At the board's discretion, the frequency of external assessments can exceed the five-year
guideline.
Answer: B

NO.502 Who has the ultimate responsibility of implementing the organization's governance system?
(A). Stakeholders
(B). The board
(C). The chief executive officer
(D). Internal auditors
Answer: C

NO.503 A chief audit executive ensures that the internal audit activity provides annual training to
management on internal controls. Where is the nature of these services defined?
(A). The annual audit plan.
(B). The audit report.
(C). The annual risk assessment.
(D). The audit charter.
Answer: D

NO.504 According to IIA guidance, which of the following conditions would enhance the
independence of the internal audit activity?
(A). The organizational culture rewards critical and objective thinking.
(B). The quality of work performed by the internal audit activity is periodically reviewed.
(C). The organization establishes effective governing body oversight.
(D). Audit assignments are rotated among internal audit staff
Answer: C

NO.505 Due to the increased operational responsibility of the CEO, the chief audit executive (CAE)
of an organization currently reports to the chief financial officer (CFO). What is the likely impact of
such a situation?
(A). There may be a limitation in the scope of engagements that can be undertaken
(B). The CFO could provide expert advice when auditing areas under his purview
(C). The internal audit activity is adequately positioned when the CAE reports to a member of
executive management
(D). The expertise of finance staff can be called upon during an audit of finance-related areas
Answer: A

NO.506 Which of the following should an internal auditor take into consideration when making a
judgement regarding whether management selected appropriate risk responses?
(A). Risk tolerance
(B). Risk capacity
(C). Significant risks
(D). Risk appetite
Answer: D

NO.507 An internal audit activity is taking steps to promote professional development among the
staff, and is in the process of implementing a mentorship program. According to IIA guidance, which
of the following is important for a successful mentorship program?
(A). It is best if the mentor is the chief audit executive.
(B). Mentor meeting documentation should be retained in personnel files.
(C). It should target both new hires and highly experienced staff.
(D). Meetings with mentors should be formal and scheduled.
Answer: D

NO.508 A chief audit executive (CAE) was asked by senior management to establish and manage a
risk management function. A new chief risk officer was hired a year later to assume these
responsibilities. As this function was included in the current annual audit plan, the CAE engaged an
external resource for a risk management engagement. Which of the following potential threats to
objectivity was the CAE likely addressing?
(A). Self-review threat.
(B). Advocacy threat.
(C). Familiarity threat.
(D). Personal relationship threat.
Answer: A

NO.509 An audit engagement required that an internal auditor, using available tools, test a
transaction population for a period. The auditor decided to test a sample of transactions rather than
the full population.
Results of the audit were reported as satisfactory to management. Subsequent to the audit report,
fraud was discovered in the area audited and was found to include transactions that were in the
relevant transaction population not tested by the auditor. The auditor later disclosed that he decided
to test a sample because it was representative of the population and facilitated quicker testing.
Which of the following skills below, if improved, would most likely have prevented this situation?
(A). Objectivity
(B). Critical thinking.
(C). Empathy.
(D). Communication
Answer: D

NO.510 An organization is implementing a new cybersecurity policy and has established a
committee to ensure stakeholder alignment across the organization's infrastructure, network, and
security teams. The head of the committee has asked the chief audit executive if the internal audit
activity could play a role in these efforts. According to IIA guidance, which of the following is the
most appropriate response?

Answer: D

NO.511 According to the IIA Code of Ethics, which of the following is required with regard to
communicating results?
(A). The internal auditor should present material information to appropriate personnel within the
organization without revealing confidential matters that could be detrimental to the organization.
(B). The internal auditor should disclose all material information obtained by the date of the final
engagement communication.
(C). The internal auditor should obtain all material information within the established time and
budget parameters.
(D). The internal auditor should reveal material facts that could potentially distort the reporting of
activities under review.
Answer: D

NO.512 In which of the following situations has the internal auditor violated the IIA's Code of Ethics?
(A). An employee confided in an internal auditor and told him about fraudulent activities. Although the
employee asked for confidentiality, the auditor disclosed her identity later during police questioning.
(B). While auditing payroll controls, an auditor was granted temporary access to salary data. The
auditor referred to the acquired information while negotiating her work conditions three months
later.
(C). Management considers an auditor to be highly competent and asked the auditor to participate in
an upcoming acquisition project. The auditor declined the request, claiming a lack of knowledge.
(D). An internal auditor failed to acquire the continuing education credits needed for the year and
requested that the IIA change his certification status to inactive until he completed the required
education activities.
Answer: D

NO.513 Which of the following scenarios best illustrates a rationalization as the root cause of
potential fraud?
(A). Managers who have been with the organization for several decades become aware that newly
hired, younger managers are being moved more quickly into senior positions.
(B). The controller at a nationwide manufacturing company recently opted to no longer require two-
week mandatory vacations for accounting staff.
(C). Security cameras that monitor cash handling at the register are not functioning.
(D). The organization is slowly phasing out three mature products that produce the highest
commissions for the sales staff
Answer: A

NO.514 An external assessment of an organization's internal audit activity was last completed four
years ago. Which of the following options would be acceptable this year if the internal audit activity is
to fulfill the requirements of the Standards?
(A). The internal audit activity conducts a self-assessment that is validated by a qualified and
experienced internal auditor and then schedules a qualified, independent external assessor
(B). The board nominates an independent individual from senior management in the organization to
conduct an assessment of the internal audit activity
(C). An external auditor conducts an audit of the organization which includes information about the
internal audit activity
(D). The chief audit executive schedules a self-assessment and the board approves the results
Answer: A

NO.515 Considering the concepts of organizationwide risk management and the system of internal
controls, the internal audit activity as a whole can be considered which of the following types of
control?
(A). Transaction-level control.
(B). Management-oversight control.
(C). Governance control.
(D). Process-level control.
Answer: C

NO.516 Which of the following types of fraud tests would be most effective if an internal auditor
was looking for possible fictitious vendors?
(A). Checking for invoice amounts that do not match that of the purchase order.
(B). Searching for identical invoice numbers and payment amounts.
(C). Running checks to uncover post office box addresses matching employee addresses.
(D). Comparing prices across vendors to see whether one vendor is unreasonably high.
Answer: A

NO.517 Which of the following actions would an internal auditor perform primarily during a
consulting engagement of a debt collections process?
(A). Reviewing journal entries for accuracy and completeness.
(B). Comparing the policies and procedures to regulatory collections guidance.
(C). Advising management on streamlining the recording of accounts receivable.
(D). Performing a walk-through of the debt collections process to determine whether proper
segregation of duties exists
Answer: C

NO.518 According to IIA guidance, which of the following statements is true with regard to the chief
audit executive's (CAE's) responsibility for conducting a self-assessment of the internal audit activity?
1. The CAE should select an independent reviewer or review team to perform sufficient tests of the
self-assessment to validate the results
2. The CAE should validate results by engaging experienced audit professionals from a separate
internal audit activity outside of the organization to reperform all of the tests conducted for the
assessment
3. The CAE should select independent, nonaudit professionals who are knowledgeable about the
organization and the industry in which it operates to assist with performing the self-assessment
4. The CAE may consider performing a self-assessment with independent external validation in lieu of
performing a full external assessment
(A). 1 and 2 only.
(B). 1 and 4 only
(C). 1, 2, and 3
(D). 3 and 4
Answer: B

NO.519 How do assurance services and consulting services differ?
(A). There is less variety of consulting services that an internal audit activity might provide compared
to assurance services
(B). Assurance services are limited to financial events or actions, and consulting services are not
limited in this way
(C). Consulting services do not have to be included in the internal audit charter
(D). Other employees in an organization can provide consulting services but only an internal audit
activity can provide assurance services
Answer: D

NO.520 The CEO has delegated several responsibilities to the internal audit activity. Which of the
following directives should concern the chief audit executive the most?

Answer: D

NO.521 A multinational organization has asked the internal audit activity to assist in setting up the
organization's risk management system. The chief audit executive (CAE) agrees to take on the
engagement as a consultant. Which of the following tasks is appropriate for the CAE to undertake?
(A). Coordinate and facilitate risk workshops for management to attend.
(B). Establish the degree of risk appetite for management to accept.
(C). Set risk indicators and mitigation plans for management to implement
(D). Determine the number of significant risks for management to report to the board.
Answer: A

NO.522 Which of the following concepts is emphasized in the Mission of Internal Audit?
(A). Support of good governance and controls.
(B). Enhancement of organizational value.
(C). Protection of tangible and intangible assets.
(D). Provision of professional advisory and assurance services.
Answer: B

NO.523 Which of the following is the best way for internal auditors to demonstrate their proficiency
to effectively carry out their professional responsibilities?
(A). Volunteer for audit engagements in areas or industries in which the auditor is unfamiliar
(B). Sign an annual attestation indicating that the auditor has all required competencies to perform
her job effectively.
(C). Obtain appropriate professional certifications or other designations.
(D). Disclose potential impairments to independence or objectivity prior to performing an audit
engagement.
Answer: C

NO.524 Which of the following is an example of a directive control?
(A). Segregation of duties.
(B). Exception reports.
(C). Training programs.
(D). Supervisory review.
Answer: C

NO.525 In its five years of existence, an internal audit activity conducted a single internal
assessment of its quality assurance and improvement program (QAIP). The results of that assessment
showed that the internal audit activity did not conform with the Standards. Prior to this, an external
assessment of the internal audit activity's QAIP was conducted, which reported that the internal
audit activity was in conformance with the Standards. Considering the two assessments, what would
be the internal audit activity's current state of conformance with the Standards?
(A). Conformance with the Standards.
(B). Nonconformance with the Standards
(C). Unable to determine conformance with the Standards.
(D). Partial conformance with the Standards
Answer: B

NO.526 Which of the following is a typical characteristic of an organization's risk management
framework?
(A). Risk tolerance may or may not align with risk appetite depending on whether the assessment is
quantitative or qualitative
(B). Risk is assessed on both an inherent and a residual basis
(C). The framework addresses four organizational objective categories: strategic, historical,
operational, and investment
(D). External risks and internal opportunities are omitted from the risk assessment scope
Answer: B

NO.527 An internal audit activity uses a rotational program to recruit high-performing staff
members from other parts of the organization. One of these individuals is nearing the end of her
four-year internal audit rotation. The chief audit executive assigned her to an assurance engagement in the
business area she will be going into when she leaves the internal audit activity. Which of the following
statements is true regarding this scenario?
(A). Accepting the assignment is a violation of internal audit independence
(B). Accepting the assignment will improve competencies and develop relationships that will be
needed in her next assignment
(C). Accepting the assignment creates the appearance of an impairment to her professional judgment
and objectivity
(D). Accepting the assignment on the assurance engagement would be a breach of due professional
care
Answer: C

NO.528 According to IIA guidance, which of the following is necessary for internal auditors to
comply with the requirements for proficiency?
1. Sufficient consideration of current activities, trends, and emerging issues to effectively carry out
their professional responsibilities.
2. Ability to provide relevant advice and recommendations to management and the board.
3. Understanding of key IT risks and controls and the ability to identify fraud using technology-based
audit techniques.
4. Knowledge, skills, and other competencies necessary to perform individual responsibilities during
the engagement.
(A). 1 and 4 only.
(B). 1, 2, and 3 only.
(C). 1, 2, and 4 only.
(D). 2, 3, and 4 only
Answer: B

NO.529 The management at a national consumer goods organization implements a fair work and
pay practice as well as a policy to treat employees equitably and consistently.
Which common characteristics of fraud will the practice and policy most likely reduce?
(A). Pressure or incentive.
(B). Opportunity.
(C). Rationalization.
(D). Commitment.
Answer: C

NO.530 According to IIA guidance, which of the following actions by a new chief audit executive
would be most appropriate to gain an understanding of the current level of knowledge, skills, and
competencies required by an internal audit activity to fulfill its responsibilities?

Answer: A

NO.531 Which of the following specifications in an internal audit charter is the most important
factor in the internal audit activity's independence?
(A). Description of internal audit activity's responsibilities
(B). Definition of internal auditing
(C). Statement of internal audit activity's authority
(D). Description of internal audit activity's reporting structure
Answer: D

NO.532 Which of the following risk management techniques best describes the strategy of obtaining
insurance to protect against losses due to bad weather conditions?
(A). Risk avoidance
(B). Risk reduction
(C). Risk acceptance
(D). Risk sharing
Answer: D

NO.533 Which of the following describes the most appropriate match between a potential
temporary guest auditor candidate and an upcoming audit assignment?
(A). A purchasing manager with two years of prior audit experience in public practice to lead a
contracts management audit
(B). A communications officer who worked in the marketing department during the last six months to
conduct a customer loyalty program audit
(C). A manager of social responsibility who has a nursing background to participate in a health and
safety audit for the corporate office and plant facilities
(D). An accounting manager who discovered and reported fraud committed by a payables clerk to
conduct a performance audit of accounts payable
Answer: D

NO.534 Which of the following actions best demonstrates an internal auditor exercising due
professional care?
(A). Testing an entire population, even when a sample would suffice
(B). Using technology and data analysis techniques for efficiency
(C). Enhancing knowledge, skills, and other competencies through professional development
(D). Establishing audit objectives, performing audit tests, and implementing missing controls
Answer: B

NO.535 Which of the following best demonstrates that an internal auditor is applying due
professional care when planning an assurance engagement?
(A). Assessing the risk of noncompliance with laws and regulations
(B). Following the policies as prescribed by the internal audit manual.
(C). Advising management of the area under review on how to mitigate internal control risks.
(D). Conducting the engagement on the presupposition that fraud exists.
Answer: D

NO.536 Which of the following would most likely be classified as a consulting engagement?
(A). Examining the internal control effectiveness of the marketing department
(B). Assessing the adequacy of the IT system's business process design
(C). Facilitating a self-assessment of the organization's business risk and control identification
(D). Reviewing the application controls in the human resources system
Answer: C

NO.537 Which of the following tools would be most useful to an internal auditor performing an
assessment of the effectiveness of the organization's risk responses?
(A). Heat map.
(B). Risk and control matrix.
(C). Risk register.
(D). Process map.
Answer: C

NO.538 Which of the following scenarios best illustrates due professional care?
(A). An internal auditor who previously worked in the payroll department within the last year was
intentionally excluded by the chief audit executive from the audit team assigned to a payroll audit
(B). While performing a payroll audit, an auditor became skeptical about significant payments made
to a manager. The auditor sought to determine whether these payments were reasonable through
discussion with a manager in a different department in the organization
(C). The head of the payroll department being audited is a business partner of the engagement
supervisor. During the audit, the engagement supervisor sought to maintain his objectivity by not
participating in fieldwork
(D). An auditor assigned to a payroll audit was unable to reperform some complex payroll
computations for a small number of employees. The sum of these payments was below the
materiality thresholds provided, so the auditor did not perform further tests
Answer: B

NO.539 Which of the following is most likely to impair the organizational independence of the
internal audit activity?
(A). The chief audit executive (CAE) reports administratively to the chief financial officer.
(B). The CAE oversees the effectiveness of the organization's risk management function.
(C). The CAE reports functionally to the CEO.
(D). The CAE managed the finance department for the past five years.
Answer: C

NO.540 According to the Standards, which of the following demonstrates the proficiency of an
internal auditor?

Answer: B

NO.541 According to IIA guidance, which of the following should be formally documented in the
internal audit charter?
(A). The internal audit activity's responsibility for imposing risk management processes.
(B). The internal audit activity's responsibility for the finance framework.
(C). The nature of consulting services provided by the internal audit activity.
(D). The budgeting process for the internal audit activity.
Answer: C

NO.542 Which of the following corporate social responsibility strategies is associated with
responding to outside pressure by assuming additional responsibility?
(A). Accommodation.
(B). Reaction.
(C). Defense.
(D). Proaction.
Answer: A

NO.543 Which of the following is an example of impairment to internal auditor independence or
objectivity?
(A). Assurance engagements for functions over which the chief audit executive (CAE) has
responsibility are overseen by a party outside the internal audit activity
(B). Internal auditors provide consulting services relating to operations for which they had previous
responsibilities
(C). Internal auditors provide consulting services relating to operations for which they have current
responsibilities
(D). Consulting engagements for functions over which the CAE has responsibility are overseen by a
party outside the internal audit activity
Answer: C

NO.544 Which of the following would be considered a primary control to reduce the risk associated
with setting up duplicate vendors?
(A). Receipt of a signed and approved vendor setup form.
(B). Segregation of duties between setting up vendors and making vendor payments.
(C). System validation and edit checks on vendor identification number
(D). A vendor setup policy and procedure.
Answer: D

NO.545 As a result of a high-profile processing error, respective business unit managers are
implementing new controls. The internal audit team was asked for their advice regarding the
controls. The objective of this consulting engagement would be determined by which of the
following?
(A). The organization's board of directors.
(B). The chief audit executive.
(C). The business unit manager and the engagement supervisor.
(D). The compliance manager and the business unit manager.
Answer: D

NO.546 Which of the following is a limitation of detective internal controls in fraud management?
(A). Implementation costs tend to be higher than the expected benefits.
(B). They tend to be easy for fraudsters to circumvent.
(C). They are not designed to improve efficiency of operations.
(D). They are not effective in preventing fraud.
Answer: C

NO.547 Which of the following would be considered an impairment to an internal auditor's
objectivity when performing a review of the organization's procurement function?
(A). The internal auditor worked on the implementation of the accounting system within the
organization before joining the internal audit activity last year
(B). The internal auditor is part of a multidisciplinary team tasked to assist with a new project
implementation checklist within the organization
(C). The internal auditor worked as a sourcing specialist before joining the internal audit activity last
year
(D). The internal auditor participates in a cross-departmental team for information and data security
within the organization
Answer: B

NO.548 Which of the following is a way to demonstrate an individual internal auditor's competency
through continuing professional development?
(A). Create different training budgets for each of the internal auditors
(B). Define average training hours per auditor as a team performance measure
(C). Analyze internal audit client survey feedback following audits
(D). Review training records for all internal auditors
Answer: C

NO.549 An internal auditor has completed an assurance engagement. Which of the following is most
likely true regarding the engagement?
(A). During audit planning, the auditor provided the client with the scope of the engagement for their
agreement
(B). The results of the engagement were included in a written report that was issued to the client
who requested the engagement
(C). During audit planning, the auditor determined that the engagement scope would include a
review of the security and privacy of payroll records
(D). The client requested the review of a new payroll system in order to improve the security of the
system
Answer: C

NO.550 A chief audit executive has reported to the board that the internal audit activity is lacking
financial accounting knowledge for specific audit projects. Upon approval from the board, which of
the following hiring approaches is best in this situation?

Answer: D

NO.551 When taken by a chief audit executive, which of the following actions would be most likely
to prevent division management from exaggerating sales reports?
1. Announcing a series of internal audit engagements focusing on compliance with corporate sales-
reporting policies.
2. Asking the president and the board to issue a statement of corporate policy stressing the
importance of accurate management reporting and the negative consequences of intentional
misreporting.
3. Setting up a hotline for employees to report fraudulent behavior anonymously.
4. Assisting the controller in developing and monitoring a series of business process indicators, which
are historically correlated with, but independent of sales.
(A). 1 and 2 only.
(B). 2 and 3 only.
(C). 2 and 4 only.
(D). 3 and 4 only
Answer: A

NO.552 Which of the following statements is true regarding organizational culture and an audit of
the control environment?
(A). For multinational organizations it is important to ensure that the organizational culture is
consistent at all locations
(B). Because the chief audit executive (CAE) is part of the organizational culture, external auditors
should be engaged to evaluate the control environment
(C). If there are unresolved scope restrictions, the CAE should consider whether to pursue the audit
and note the scope restrictions in the audit report
(D). Because it will create a conflict of interest relating to the control environment, senior
management should not be consulted during the audit
Answer: C

NO.553 For a new board chair who has not previously served on the organization's board, which of
the following steps should first be undertaken to ensure effective leadership to the board?
(A). Chair should learn the current organizational culture of the company.
(B). Chair should learn the current risk management system of the company.
(C). Chair should determine the appropriateness of the current strategic risks.
(D). Chair should gain an understanding of the needs of key stakeholders.
Answer: A

NO.554 Which of the following would be addressed in the internal audit charter?
(A). Expertise requirements for internal auditors
(B). Functional and administrative reporting lines for the chief audit executive
(C). Audit engagements to be completed in the next fiscal year
(D). Budget requirements for each engagement
Answer: B

NO.555 Which of the following scenarios would most likely impair the independence of an internal
audit activity?
(A). A relative of an internal audit team member works in a department being reviewed
(B). The internal audit budget is reduced by management requiring the removal of all IT-related
engagements from the audit plan
(C). An audit manager removes a finding from the draft report due to disagreements with the chief
financial officer
(D). The operating effectiveness of a control is reported as "satisfactory" because no concerns were
identified during planning
Answer: B

NO.556 Which of the following is most important for an internal auditor to consider when
developing an approach for an audit engagement in a foreign country?
(A). Currency exchange rates, as they relate to internal audit-related expenses.
(B). Differences in typical working hours, compared to other countries.
(C). The effects of subtle language nuances on translations.
(D). Accepted practices that may be illegal in other countries.
Answer: D

NO.557 According to IIA guidance, which of the following actions is a chief audit executive required
to take with regard to reporting the results of the quality assurance and improvement program?
(A). Report external assessments upon completion of such assessments
(B). Report external assessments at least annually
(C). Report ongoing monitoring quarterly
(D). Report post-engagement reviews at least once every five years
Answer: A

NO.558 According to IIA guidance, which of the following statements is true regarding ISO 31000?
(A). The key principles approach checks whether each element of the risk management process is in
place.
(B). The framework is effective in addressing the organization's structure, size, and risk profile but not
its culture objectives.
(C). The end point for improving an organization's approach to risk management should be a gap
analysis that evaluates any changes.
(D). A combination of the three primary approaches to the framework generally yields the most
information despite the complexity
Answer: C

NO.559 During a procurement process audit, the internal audit activity undertakes a fraud risk
assessment and considers a range of possible fraud scenarios within the process. Which of the
following scenarios constitutes a pressure to commit fraud?
(A). An employee believes his poor compensation package justifies engaging in unethical behavior.
(B). The head of the department is the only signatory to purchase orders issued to third party
contractors.
(C). Some employees strongly believe monetary gifts from vendors are a means of saving for life after
employment.
(D). One of the employees was found to have an obsession with expensive jewelry
Answer: D

NO.560 Which of the following best demonstrates that the internal audit activity is using due
professional care?

Answer: D

NO.561 Senior management has requested that the internal audit activity review and amend
policies where necessary when auditing the purchasing department. To which of the following would
the chief audit executive most likely give primary consideration when responding to this request?
(A). Auditor competency.
(B). Internal audit independence.
(C). Auditor objectivity.
(D). Engagement scope.
Answer: A

NO.562 Which of the following statements best describes internal auditors' role in fraud detection?
(A). Internal auditors' roles are similar to those performed by loss prevention managers or fraud
investigators.
(B). Internal auditors' demonstration of adequate professional skepticism during an audit
engagement is of paramount importance.
(C). Internal auditors should consider fraud risks in every assignment and demonstrate due care by
detecting fraud instances.
(D). Internal auditors should possess a fraud-related body of knowledge, enabling them to carry out
preventative and detective measures.
Answer: B

NO.563 According to IIA guidance, which of the following practices by the chief audit executive
(CAE) best enhances the organizational independence of the internal audit activity?
(A). CAE reviews and approves the annual audit plan.
(B). CAE meets privately with the CEO at least annually.
(C). CAE meets privately with the board at least annually.
(D). CAE reports to the board regarding audit staff performance evaluation and compensation.
Answer: D

NO.564 A manufacturer of power tools is experiencing regular fluctuations in the price of electrical
power which is having a serious impact on the bottom line. Which of the following would be the most
effective risk strategy to reduce the impact of these fluctuations?
(A). Use an average cost for power to smooth the bottom line.
(B). Analyze the amount of power used to produce each power tool.
(C). Review the current process to identify opportunities to reduce power usage.
(D). Use a forward contract for bulk power purchases
Answer: D

NO.565 An auditor for a large wholesaler is evaluating the controls over the approval and oversight
of credit sales. Which of the following procedures would be a control weakness?
(A). The credit department is responsible for approving shipments to all customers
(B). The finance committee of the board of directors periodically reviews credit standards
(C). Customers who fail to meet credit requirements must pay cash for shipments upon delivery
(D). The sales department is responsible for determining the credit ratings of customers
Answer: D

NO.566 Which of the following statements is true regarding electronic funds transfer (EFT)?
(A). EFT is a popular mechanism for improving efficiency, but results in less internal control.
(B). EFT significantly reduces the risk of fraud by eliminating the need for authorizations.
(C). EFT eliminates payment delays due mostly to the introduction of automated cash controls.
(D). EFT makes use of numerous automated controls, but is still vulnerable to fraudulent accounting
entries.
Answer: C

NO.567 Which of the following procedures will best help an internal auditor assess operating
effectiveness of fraud prevention and detection controls?
(A). Benchmarking best practices
(B). Testing
(C). Mapping
(D). Interviewing
Answer: B

NO.568 An internal auditor is reviewing employee travel expenses from the previous six months for
fraud. Which of the following tests would best detect instances where personal travel has been
claimed?
(A). Verifying whether claims have been properly authorized for payment
(B). Verifying whether claims are properly supported by invoices or other documents.
(C). Confirming that all claims are within the limits of the organization's travel policy.
(D). Reconciling claims against business trip requests that were approved by supervisors
Answer: D

NO.569 Which of the following statements is correct regarding disclosure of conformance or


Standards?
(A). An internal audit activity that has been in existence fewer than five years cannot indicate that it is
operating in conformance with the Standards because it has not yet undergone an external
assessment.
(B). Once an external assessment validates conformance with the Standards, the internal audit
activity may continue to use the statement until the next external assessment.
(C). If it has been more than five years since the last external assessment was conducted, the internal
audit activity must cease indicating that it operates in conformance with the Standards.
(D). The chief audit executive must disclose every instance of noncompliance with the Code of Ethics
or the Standards.
Answer: A

NO.570 Which of the following is an example of corruption?

Answer: D

NO.571 Which of the following should an internal auditor take into consideration when making a
judgement regarding whether management selected appropriate risk responses?
(A). Significant risks
(B). Risk capacity
(C). Risk appetite
(D). Risk tolerance
Answer: C

NO.572 The head of human resources notified the internal audit activity that a key account manager
was fired because he did not register a large number of contracts with clients. As a result, the
organization was unaware of its duties and would suffer some financial loss. Which of the following
should be expected from a competent internal auditor who is analyzing this situation?
(A). The ability to apply forensic methods to obtain legally admissible evidence
(B). The ability to conduct admission-seeking interviews with potential suspects
(C). The ability to evaluate whether such attributes as intent and personal gain were present
(D). The ability to retrieve concealed or deleted information from the former employee's laptop
Answer: C

NO.573 Upon completion of an external assessment as part of the quality assurance and
improvement program (QAIP), the chief audit executive (CAE) reported the results to senior
management and the board. The CAE included the following elements in the report:
- Qualifications and independence of the external assessment team
- Conclusions of assessors
- Corrective action plans
How should the CAE improve the aforementioned approach to reporting the results of QAIP?
(A). Senior management should be excluded from the reporting as the QAIP results must be
communicated to the board only
(B). The report can be streamlined by removing unnecessary information such as the qualifications
and the independence of external assessors
(C). The results must be shared with the external auditors as well, so they can determine the extent
to which they can rely on the work of the internal audit activity
(D). The report should indicate that the external assessment must be performed at least once every
five years
Answer: D

NO.574 Internal controls belong to which risk response category?
(A). Reduction.
(B). Avoidance.
(C). Sharing.
(D). Acceptance.
Answer: A

NO.575 Which of the following internal control components has COSO identified as the most
important?
(A). Information and communication
(B). Risk assessment
(C). Control activities
(D). Control environment
Answer: D

NO.576 The chief audit executive of a large national retailer is reviewing the purpose and objectives
of the organization's internal audit activity. Which of the following objectives is best aligned with The
IIA's Mission of Internal Audit?
(A). To implement a quality assurance and improvement program
(B). To assess the effectiveness of internal controls over organizational assets
(C). To ensure internal auditors possess the competencies needed to perform their responsibilities
(D). To operate within the budget established by the board of directors
Answer: B

NO.577 An organization's board of directors has decided that the internal audit activity must have
greater access to different parts of the organization in order to perform their assurance work
effectively. Which of the following areas is the board seeking to improve by making this change?
(A). Internal audit authority.
(B). Internal audit reporting structure.
(C). Internal audit independence and objectivity.
(D). Internal audit interaction with the board
Answer: A

NO.578 The internal audit activity is responsible for which of the following actions related to an
organization's internal controls?
(A). Mitigating risks affecting achievement of organizational objectives.
(B). Enabling opportunities affecting achievement of organizational objectives.
(C). Analyzing and advising regarding costs versus benefits of control activities.
(D). Attesting to fairness of financial statements.
Answer: D

NO.579 Prior to commencing a financial compliance engagement, the engagement supervisor reads
the business plan for the finance department and meets informally with the director to learn more
about any key issues. Which of the following competencies is the engagement supervisor
demonstrating?
(A). The ability to inspire trust
(B). The ability to communicate effectively
(C). The ability to display courage
(D). The ability to understand the needs of stakeholders
Answer: B

NO.580 Which of the following scenarios demonstrates an impairment to internal audit
independence?

Answer: A

NO.581 An internal auditor has suspicions that some fictitious vendors have been created in the
organization's computer system. Which of the following would be the best technique to detect this
fraud?
(A). Review for duplicate invoice numbers, duplicate dates, and duplicate amounts
(B). Run checks to find matches between vendor and employee addresses
(C). Check for recurring requests for refunds where invoices are paid twice
(D). Review for unexplained increases in inventory
Answer: B

NO.582 According to IIA guidance, which of the following statements is true regarding the internal
audit activity's quality assurance and improvement program (QAIP)?
(A). Internal assessments rely solely on the review of completed audit engagements for
demonstrated performance
(B). The chief audit executive is responsible for assessing the suitability and competence of an
external assessor.
(C). QAIP results must first be discussed with the board and approval obtained for distribution to
senior management
(D). At the board's discretion, the frequency of external assessments can exceed the five-year
guideline
Answer: B

NO.583 Which of the following best demonstrates internal auditors performing their work with
proficiency?
(A). Internal auditors meet with operational management at each phase of the audit process.
(B). Internal auditors adhere to The IIA's Code of Ethics.
(C). Internal auditors work collaboratively with their engagement team.
(D). Internal auditors complete a program of continuing professional development.
Answer: C

NO.584 In which of the following situations may the internal audit activity report conformance with
the Standards?
(A). An internal audit activity has been in existence at least five years and has not completed an
external assessment.
(B). An internal auditor was assigned to an audit engagement but did not meet individual objectivity
requirements.
(C). The internal audit activity prepared an internal audit plan that was not risk-based.
(D). The internal audit activity has been in existence fewer than five years, but periodic self-
assessments were conducted.
Answer: D
