CIA Part 1 Mock Exam 2


CIA

Preparatory Program

Part 1

Essentials of Internal Auditing

Mock Exam #2
CIA Part 1 Mock Exam #2

125 Multiple Choice Questions


Time: 2 Hours, 30 Minutes (150 Minutes)
Select a single answer that best completes the statement or answers the question.

Question 1: The Institute of Internal Auditing (IIA) provides two types of guidance for internal auditors:
mandatory and strongly recommended guidance. Which of the following is true concerning recommended
guidance?

a) The guidance states how internal auditors should act when conducting their work.

b) The guidance provides a framework for performing and promoting internal auditing.

c) The guidance provides details on how internal auditors should conduct an internal audit.

d) The guidance states the fundamental purpose, nature, and scope of internal auditing.

Question 2: The Standards are a component of the IIA’s International Professional Practices Framework
(IPPF). The IPPF is the conceptual framework that organizes authoritative guidance promulgated by The Institute
of Internal Auditors. Which of the following is true concerning the Standards? The Standards:

a) Define the function of internal auditing.

b) Only apply when internal auditors are performing assurance engagements.

c) Help internal auditors fulfill their responsibilities.

d) Do not take precedence over the standards issued by other authoritative bodies.

Question 3: The IPPF provides guidance to internal auditors so they can do their job in accordance with
generally accepted internal auditing practices. Which of the following situations would not be a possible violation
of the IIA’s Standards?

I. At the conclusion of an engagement, the internal auditor invited the client to a football conference
championship game.

II. The internal auditor functionally reports to the Chief Finance Officer (CFO).

III. The internal auditor drafted the internal audit charter.

IV. The internal auditor, who is not a Certified Internal Auditor, is being encouraged by the audit
committee to become certified.

a) I and II.

b) II and III.

c) I, II, III, and IV.

d) I, III, and IV.

Question 4: Which of the following activities would internal auditing be least likely to perform?

a) Investigating suspected fraud.

b) Verifying the value of an asset account balance.

c) Prescribing compensation packages for the remuneration board.

d) Determining the company’s compliance with environmental laws and regulations.


Question 5: The Implementation Guides:


a) Detail internal auditing processes and procedures.

b) Assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the
Standards, and promoting good practices.

c) Highlight significant audit findings and recommendations and report on the approved audit work
schedule.

d) Assist the CAE in resolving issues before reporting the findings to the audit committee.

Question 6: According to the IPPF, The IIA’s Standards:

a) Are rules-focused and describe the best practices of internal auditing.

b) Are principles-focused and are used to perform and promote internal auditing.

c) Provide guidelines for conducting an internal audit.

d) Assist internal auditors in better understanding significant issues of internal auditing.

Question 7: Which of the following best describes the mission of internal auditing? The Mission of Internal
Auditing is:

a) To design and monitor controls that reasonably assure that objectives are met.

b) To verify that conflicts between management and stakeholders do not result in bankruptcies or major
frauds.

c) To ensure the quality of information provided to shareholders and financial markets through the financial
statements.

d) To enhance and protect organizational value by providing risk-based and objective assurance, advice,
and insight.

Question 8: A newly hired Chief Audit Executive (CAE) was reviewing the company’s internal audit charter
as presented by the chair of the audit committee. The CAE noted that the charter was written and approved
by the company’s Chief Financial Officer (CFO). Based on best practices, is this acceptable?

a) Yes, because the CFO is directly concerned about controls, and thus, should have this responsibility.

b) No, because someone outside the company should write and approve the charter.

c) Yes, because the Standards specifically state that the CFO has this responsibility.

d) No, because independence of internal auditing could be impaired.

Question 9: The internal audit charter provides internal auditors the means to do their work. Which of the
following would generally not be included in the charter?

a) The scope of an internal auditor’s engagement.

b) The authority to have access to all records and personnel.

c) The responsibility of the IAA.

d) The objectives of the IAA.


Question 10: The audit committee is a sub-committee of the board of directors. All of the following are the
general duties and responsibilities of the audit committee except:

a) Recommending the appointment/removal of the external auditor.

b) Evaluating the remuneration packages of senior managers.

c) Approving the annual audit plan.

d) Confirming the independence of the IAA.

Question 11: Which of the following would not be a specific audit committee function?

a) Assist in the development of strategic plans.

b) Review financial statements before their publication.

c) Review the work of the external auditor.

d) Review the work plan of the internal auditing activity.

Question 12: The Standards state that internal auditors are able to provide both assurance and consulting
engagements. Like assurance engagements, consulting engagements are also meant to add value and improve
operations. Which of the following activities would be categorized as consulting engagement(s)?

I. Advising management on the benefits of an acquisition.

II. Assisting management in estimating the savings from outsourcing a process.

III. Assessing the adequacy of internal control in a proposed accounts payable system.

IV. Assessing the adequacy of internal control over the accounts receivable system.

a) I, II, III, and IV.

b) II and IV.

c) I, II, and III.

d) I and II.

Question 13: Which of the following is not true concerning the internal auditing charter?

a) The charter gives the IAA the authority to have access to all company information, even information
concerning a possible merger or acquisition.

b) The charter should be a formal, written document.

c) The charter should be approved by the board.

d) The CAE has responsibility to periodically review the IAA charter to make sure it is still adequate for
the IAA to accomplish its objectives.


Question 14: A newly hired Chief Audit Executive (CAE) was reviewing the contents of the company’s IAA
charter. The CAE wanted to make sure the charter was adequate so he would be able to accomplish the objectives
laid out by the audit committee and CEO. Which of the following would generally not be a function
of the IAA charter?

a) Detailing who the CAE will report to.

b) Providing information about the objectives of the internal auditing activity (IAA).

c) Providing information about the need for a quality assurance and improvement program (QAIP).

d) Detailing the compensation package of the CAE.

Question 15: Internal auditing is an assurance and consulting activity designed to add value and improve
operations. Which of the following could be examples of assurance services provided by internal auditing for
a company’s credit department?

I. The internal auditor recommended standards of control.

II. The internal auditor provided a training course on the implementation of new controls.

III. The internal auditor advised the credit manager on the impact of changing the credit terms.

IV. The internal auditor assessed and evaluated credit risks.

a) I and IV.

b) II and III.

c) I and III.

d) I, II, and IV.

Question 16: Of the following, which statements best describe the purpose of the IIA’s Standards?

I. To provide a framework for performing and promoting a broad range of value-added internal auditing
services.

II. To establish a basis for evaluating the performance of internal auditing.

III. To describe the basic principles of best practices of internal auditing.

IV. To provide the principles of how internal auditors should conduct themselves during engagements.

a) II, III, and IV.

b) I, II and III.

c) I and III.

d) II and IV.

Question 17: Which of the following would most likely be a violation of the IIA’s Code of Ethics?

a) An internal auditor divulged confidential company information as requested by a judge.

b) An internal auditor, with limited IT experience, was involved in an IT audit.

c) An internal auditor accepted a fairly inexpensive gift after finishing an audit.

d) An internal auditor reported an illegal act to a local newspaper after consulting with the company’s
controller.


Question 18: As a member of the Institute of Internal Auditing (IIA) you are required to abide by the organization’s
Code of Ethics. According to the IIA’s Code of Ethics, integrity:

a) Is making sure the work of the internal auditor is done with honesty and diligence.

b) Involves adhering to the IIA’s Code of Conduct.

c) Involves not disclosing information to individuals who are not authorized to receive the information.

d) Is making sure the auditor has the skills, knowledge, qualifications, and capacity to do their job effectively.

Question 19: David is a CIA and works as one of two senior internal auditors of a manufacturing company.
David plays on the company’s tag-football team. Recently, the company played a rival team, and during the
game, a serious altercation occurred between David and a player from the other team. David was at fault.
Luckily, no one was seriously injured, but the police were called and David was charged with a misdemeanor.
Is David’s altercation and arrest a violation of the IIA’s Code of Ethics?

a) Yes, because David acted unprofessionally and was charged with a misdemeanor.

b) No, because a fight that occurred during a football game is not a professional activity.

c) No, because no one was injured.

d) Yes, because David is bound by the IIA’s Code of Ethics.

Question 20: An internal auditor was reviewing a company’s fixed assets account to determine the existence
and valuation of the company’s fixed assets. The internal auditor was particularly interested in the
company’s capitalization policy. The internal auditor knows that management likes to capitalize as much as
possible to improve short-term profitability. When reviewing the capitalization account, the internal auditor
noted several questionable transactions, all of which were considered significant. Because of the capitalization,
the company was able to meet its targeted operating profit for the accounting period. The internal
auditor approached the CFO and chief accountant about the issue; however, the internal auditor was told
that the company’s controller accepted the capitalization values, and not to worry about it. If the internal
auditor still believes that the company improperly capitalized some expenses and does nothing about it, the
internal auditor could possibly be in violation of which ethics principle(s)?

a) Integrity, competence, and objectivity.

b) Objectivity and integrity.

c) Integrity and competence.

d) Objectivity, integrity, and confidentiality.

Question 21: The independence and objectivity of an internal auditor are crucial components for an effective
internal audit. Which of the following best describes the distinction between the two terms?

a) Objectivity refers to the unbiased mental attitude of individual auditors while independence gives
internal auditors the freedom to operate with an objective, unbiased attitude.

b) Independence is achieved through the status of the IAA while objectivity refers to the freedom an
internal auditor has to conduct the engagement in an unbiased manner.

c) Objectivity is gained through the organizational status of the IAA while independence refers to the
mental attitude of individual internal auditors.

d) The terms can be used interchangeably.


Question 22: Which of the following situations could be considered an engagement scope limitation?

a) The internal auditor does not have complete access to information deemed confidential by the board.

b) The audit committee or board refuses to approve the internal audit work plan.

c) The company’s chief accountant states that requested information is not necessary.

d) The company’s controller makes suggestions to improve controls over operations.

Question 23: During a management meeting, the company’s financial controller was asked how the design
of controls over the company’s new credit-lending process was going. The company recently updated the
process so it would be more automated than in the past. The controller mentioned that he was using the
services of internal auditing to help him design controls over the process. The company’s chief financial officer
(CFO) was surprised that internal auditing was included in the designing of controls. The CFO
commented that based on his knowledge of the internal auditing Standards, “internal auditors cannot design,
draft procedures, install, or manage processes, because the independence and objectivity of the
auditor would be impaired.” Is the CFO’s statement correct?

a) Yes, because internal auditors are only able to conduct assurance engagements, therefore, the auditor’s
independence and objectivity would be impaired.

b) No, because internal auditors are part of the management team, therefore, they should be involved
in the design of controls.

c) Yes, because by helping the controller, the CFO understands that the internal auditor would be taking
ownership of the control process, therefore, the auditor’s independence and objectivity would be
impaired.

d) No, because internal auditing is able to conduct consulting services, as long as the nature of the service
is known and included in the internal auditing charter.

Question 24: An internal auditor was transferred from the company’s payables department six months ago.
The internal auditor’s job responsibility was to match vendor invoices with the company’s purchase orders
and receiving reports. Among other things, the internal auditor was supposed to catch invoice errors and
make sure that the company did not pay for goods not received. The internal auditor has now been assigned
the task of reviewing the controls over accounts payable. Based on the available information, the internal
auditor should:

a) Refuse the engagement, because objectivity could be impaired when only six months have passed
since working in the department.

b) Accept the engagement, because the internal auditor knows the functioning of the department.

c) Refuse the engagement, because independence could be impaired when only six months have
passed since working in the department.

d) Accept the engagement, because enough time has passed since working in the department.


Question 25: An internal auditor of a medium-sized company has been requested by the company’s chief
executive officer (CEO) to temporarily take over responsibility of the company’s accounts receivable department.
The internal auditor managed the department two years ago and knows the department well. The
internal auditor does not feel comfortable with the assignment because the department will be audited in the
near future. The internal auditor knows that objectivity could be impaired if he manages the department and
then has to audit the department. The internal auditor is in a dilemma and does not know what to do. What
would be the best course of action for the internal auditor to take?

a) The auditor should refuse the CEO’s request because independence and objectivity would be impaired.

b) The auditor ultimately works for the CEO, so the auditor should accept the assignment, but do so
under protest.

c) The auditor ultimately works for the CEO, so the auditor has no choice but to accept the assignment.
However, when time comes to audit the department the internal auditor should not participate in the
audit of the department.

d) The auditor should consult with the audit committee about the issue.

Question 26: Which of the following might give rise to a conflict of interest for a chief audit executive
(CAE)?

I. The CAE teaches internal auditing courses on the weekends.

II. The CAE recently hired an internal auditor who worked in the company as a financial manager
six months ago.

III. The CAE owns a mutual fund that includes the stock of the company.

IV. A relative of the CAE works as a clerk in a department that is audited by the internal auditing activity.

a) I, II, and IV.

b) II, III, and IV.

c) II only.

d) II and IV.

Question 27: Internal auditors need a mandate that provides the necessary authority within a structure
that supports their independence and objectivity. This mandate can best be achieved by:

a) Having the IAA administratively report to the audit committee.

b) Having a written charter for the IAA.

c) Having the IAA functionally report to the CEO.

d) All of the above are true.


Question 28: Which of the following is/are true concerning the decision to establish an internal audit activity
(IAA) within an organization?

a) The board/audit committee wants to get independent and objective assurance on the adequacy of
internal controls from someone other than the CEO or CFO.

b) The chief accountant wants to get independent and objective assurance on the adequacy of internal
controls from someone other than line managers.

c) The organization gets too large or geographically dispersed for frequent and economical first-hand
monitoring of controls by the board/audit committee, CEO, or CFO.

d) Both (a) and (c) are true.

Question 29: Internal auditors are encouraged to avoid all conflicts of interest. Under which circumstance
would there not be a conflict of interest?

a) The internal auditor accepted a gift of significant value from a client.

b) The internal auditor borrowed money from a client.

c) The internal auditor was a facilitator during a control self-assessment workshop.

d) The internal auditor recently completed an audit of a department where the manager is the internal
auditor’s brother-in-law.

Question 30: The internal audit activity (IAA) may not be able to operate independently and objectively
without sufficient resources and funding. Under which circumstance would independence and objectivity not
be an issue for internal auditing?

a) The CAE was unable to get additional funding for the training of staff.

b) The IAA is understaffed and overworked.

c) The CAE personally reviews all working papers.

d) The IAA uses outdated technology.

Question 31: Objectivity is assumed to be impaired in all of the following situations except:

a) The internal auditor periodically evaluates the bank reconciliation process.

b) The internal auditor is responsible for a part of operations that could be subject to periodic internal
auditing assessment.

c) The internal auditor performed an assurance review of an activity for which the internal auditor
was responsible 9 months ago.

d) The internal auditor is scheduled to audit an area for which the internal auditor will have future responsibility.


Question 32: A new member of the audit committee met with an organization’s CAE. During the meeting,
the audit committee member wanted to know more about the activities that are performed by the organization’s
internal audit activity (IAA). Which of the following activities mentioned by the CAE would be
appropriate for the IAA to perform?

I. Designing controls for a new accounts payable software program.

II. Recommending procedures for systems of control for the accounts payable process.

III. Installing the system of control for the accounts payable process.

IV. Reviewing control procedures before implementing the accounts payable software program.

a) I and II.

b) I, III and IV.

c) II and III.

d) II and IV.

Question 33: Which of the following is/are true concerning auditor independence? An internal auditor with
independence is:

I. Able to review contracts prior to their execution.

II. Able to reduce the scope of an audit due to budget cutbacks.

III. Able to continue on an audit assignment at a division for which the auditor was responsible 4
months ago.

IV. Able to participate on a task force that designed standards of control for a new distribution process.

a) I and II.

b) I, III, and IV.

c) I and IV.

d) I, II, III, and IV.

Question 34: An organization’s audit committee recently designed a compensation package for its internal
auditors. One of the audit committee members was concerned that the compensation package could impair
the internal auditor’s objectivity. Which of the following is true concerning compensation packages for internal
auditors?

a) All forms of compensation would impair objectivity.

b) Internal auditors should only be compensated based on monetary amounts recovered or recommended
future savings as a result of engagements.

c) The compensation package should be administrated by the organization’s board of directors or the
board’s remuneration committee.

d) The compensation package should only consist of stock options.


Question 35: An IT department team is studying the possibility of upgrading to an enterprise resource
planning (ERP) system. The team leader of the project has asked for internal auditing’s help to assist with
the project. In this case, what would be an appropriate role for internal auditing?

a) Ascertain the cost-benefit relationship of the system.

b) Determine management’s requirements of the system.

c) Design a standard of control for the system.

d) Assist with the implementation of the system.

Question 36: A company’s chief financial officer (CFO) is assessing the company’s credit terms. The CFO
believes the company could increase sales by loosening up the credit terms; however, the CFO is not sure
about the impact on bad debt. The CFO made a request for internal audit to assess the impact on revenue
and bad debt if changes in the credit terms are made. To complete the assignment, at a minimum, the internal
auditor should have what level of competency?

a) Proficiency level.

b) Appreciation level.

c) Understanding level.

d) Knowledge level.

Question 37: Once an internal auditor attains the designation of CIA, in order to maintain this designation,
the internal auditor must:

a) Achieve a specific number of accounting credits.

b) Show proficiency in the application of management principles.

c) Maintain an acceptable level of skill through achieving a certain number of accounting credits.

d) Maintain an acceptable level of competence through achieving a certain number of continuing professional
development credits.

Question 38: There are three levels of competences. Two of the competence levels are understanding and
appreciation. What is the difference between the two?

a) Understanding is the ability to recognize the existence of a problem. Appreciation is the ability to
know how to solve the problem.

b) Understanding is the ability to recognize problems and solve them without too much assistance. Appreciation
is the ability to know the existence of a problem.

c) Appreciation is the ability to recognize the impact the problem will have on operations. Understanding
is the ability to know that there is a problem.

d) Appreciation is the ability to recognize the existence of a problem. Understanding is the ability to
understand its impact on operations.


Question 39: Based on the Standards, an internal auditor should have a proficiency level in accounting
principles if the auditor is:

a) Reviewing controls over the handling of inventory.

b) Checking the valuation of inventory.

c) Assessing the impact on operations if credit terms are relaxed.

d) Reviewing controls over the petty cash account.

Question 40: Based on the Standards, internal auditors must exercise due professional care when conducting
engagements. Which of the following is not true concerning due professional care?

a) Auditors are not expected to be infallible when conducting audits.

b) Proper assurance procedures guarantee significant risks will be identified.

c) Due professional care applies to both assurance and consulting engagements.

d) Auditors must consider the cost of the engagement in relation to its benefits.

Question 41: An internal auditor was conducting an audit of the company’s revenue-receivables cycle.
When reviewing the accounts receivable process, the auditor discovered that the department was recently
reorganized to cut costs. The auditor noted that positions that should be segregated are now performed by
the same person – the accounts receivable manager. The auditor has known the accounts receivable manager
for several years, so the auditor did no further investigation. At what point did the internal auditor fail
to exercise due professional care?

a) The auditor noted the lack of segregation of duties in the final audit report.

b) The auditor did not test for the possibility of fraud.

c) The auditor made a recommendation for additional compensating controls over the department.

d) The auditor informed the CAE and asked for advice.

Question 42: Concerning continuing professional education (CPE), which of the following is not true?

a) Chief audit executives (CAE) are required to complete and report a specified number of CPE hours
every two years.

b) Internal auditors need continuing professional development regardless of whether or not they hold
the CIA designation.

c) Continuing professional development includes maintaining proficiency through continuing education
and staying informed about improvements and current developments in the audit standards, procedures,
and techniques.

d) Internal auditors currently not holding an appropriate certification are encouraged to pursue an education
program, or obtain a professional certification.


Question 43: Proficiency means that an internal auditor possesses the knowledge, skills, and other competencies
needed to perform his or her responsibilities. Concerning proficiency, which of the following
statements would not be true?

a) Individual internal auditors are required to be experts in accounting.

b) Regardless of an internal auditor’s expertise, every internal auditor must be able to evaluate the risk
of fraud and identify key IT risks and controls.

c) Internal auditors are expected to maintain and update their skills through continuing professional
education (CPE).

d) Necessary skills and knowledge are different for each auditor, and an auditor might be proficient in a
number of areas.

Question 44: A chief audit executive (CAE) was discussing the technical competency of his staff with the
audit committee. The CAE is very proud of the team he has put together and is looking to expand the size of
the organization’s internal audit activity (IAA). Besides technical expertise, the CAE also mentioned that he
expects his staff to be proficient in all of the following areas except:

a) Communication.

b) Critical thinking.

c) Satisficing.

d) Negotiation.

Question 45: The IIA’s Global Audit Competency Framework lists ten “core competencies” that are considered
essential for all internal auditors. Which of the following would not be an essential core competency for
internal auditors?

a) Improvement and innovation.

b) Operations management.

c) Internal audit delivery.

d) Professional ethics.

Question 46: The foundation of The IIA’s Competency Framework includes:

I. Professional Ethics.

II. Governance, Risk, and Control.

III. IPPF.

IV. Internal Auditing Management.

V. Internal Audit Delivery.

a) I and II.

b) II and III.

c) II and V.

d) I and IV.


Question 47: An organization’s chief audit executive (CAE) was reviewing existing internal audit staff competencies.
The CAE’s review would include all of the following except:

a) The ability of the staff to complete engagements within the reporting deadline.

b) The ability to manage internal operating systems.

c) The knowledge of relevant risk management and control systems.

d) The knowledge of the regulatory requirements.

Question 48: Which of the following are true concerning what auditors should know? Auditors should
know:

I. The indicators of fraud.

II. Key information-technology risks and controls.

III. Available technology-based audit techniques.

IV. How to maintain satisfactory relationships with engagement clients.

a) I and II.

b) II, III, and IV.

c) I, II, and III.

d) I, II, III, and IV.

Question 49: The chief audit executive (CAE) is supervising an audit of the organization’s new payroll accounting
system and needs to hire an IT specialist. When reviewing the specialist’s qualifications to conduct
the audit, the CAE would assess all of the following except:

a) Relevant professional certifications.

b) Reputation of the specialist.

c) Fieldwork conducted by the specialist.

d) Experience and education of the specialist in similar situations.

Question 50: Internal auditors must exercise due professional care by considering all of the following except:

a) The adequacy and effectiveness of the audit committee.

b) The cost of assurance in relation to potential benefits.

c) The relative complexity of the engagement.

d) The probability of significant errors and fraud.


The following information is for questions 51 and 52:

The Chair of a company’s audit committee was attending a training program on corporate governance compliance.
The Chair, recently appointed, was surprised by the amount of interaction the audit committee
should have with internal auditing. The Chair did not realize that the company’s internal audit activity should
report to the audit committee. The Chair thought the audit committee was only responsible for overseeing
the work of the external auditor.

Question 51: When discussing the desired reporting structure for internal auditing, the training speaker
mentioned several reasons why internal auditing should report to the audit committee. Which of the following
would not be one of those reasons?

a) Reporting to the audit committee gives the audit committee someone inside the company who is
able to report illegal or unethical practices.

b) Reporting to the audit committee enhances the independence and objectivity of internal auditing.

c) Reporting to the audit committee allows the audit committee the opportunity to review the work of
internal auditing so the board and management understand whether internal auditing is a value-added
activity.

d) Reporting to the audit committee gives the audit committee additional authority to take action on
identified control deficiencies.

Question 52: During the training program, the Chair learned about the importance for internal auditing to
establish a quality assurance and improvement program (QAIP). All of the following are reasons for a QAIP
except:

a) To give the audit committee and management confidence that the IAA is operating in conformance
with best practices.

b) To highlight areas that need improving.

c) To assist in the planning of engagements.

d) To monitor the effectiveness of the IAA.

Question 53: Which of the following would not be part of an internal assessment?

a) Reviewing whether the IAA is in compliance with the internal audit charter.

b) Assessing how many recommendations were implemented by management.

c) Assessing how well internal auditing is viewed by its clients.

d) Reviewing actual and budgeted costs.

Question 54: A common problem that arises when conducting a quality assessment of an internal audit
activity (IAA) is understanding what is meant by quality. Quality can mean different things to different people.
When measuring the quality of an IAA, which of the following would be least useful to the assessment
team in its quality assessment?

a) Using The IIA’s Standards.

b) Getting feedback from the audit committee and/or board.

c) Getting feedback from the clients.

d) Benchmarking against other IAAs.


Question 55: Which of the following is false concerning external assessments?

a) Its purpose is to provide an independent opinion on the quality of the IAA.

b) It should be done at least every five years.

c) The assessor should be independent but should be from within the organization.

d) The assessor would determine whether the IAA adds value and improves the operations of the organization.

Question 56: The function of internal auditing is to add value and improve operations. A quality assurance
and improvement program (QAIP) is established to assess the work of internal auditing. The QAIP consists
of both internal and external assessments. Which of the following would not be part of the external assessment?

a) Get feedback from clients on their satisfaction with the work of the internal auditor.

b) Express an opinion on the overall work of the IAA.

c) Benchmark against best internal auditing practices.

d) Communicate with the external auditor on the work of the internal auditor.

Question 57: The Chair of the audit committee and the chief audit executive (CAE) were discussing the
need for an external review of the internal auditing activity. The Chair believes that an external review would
be useful for several reasons. The CAE agrees with the Chair on the need; however, the CAE thinks a full-blown
external assessment is not necessary. The CAE believes a self-assessment with external validation
would be adequate. Which of the following is/are true concerning the circumstances where a self-assessment
would be justified?

I. The organization frequently has agency regulators reviewing its books and internal controls.

II. The organization operates in an industry that has extensive oversight.

III. The organization is a publicly-listed company.

IV. The CAE believes the costs of a full external assessment outweigh its benefits.

a) I, II and III.

b) I, II and IV.

c) I and IV.

d) I and II.


Question 58: Regarding internal auditing, which of the following is/are true concerning the quality of individual
audit engagements? A quality engagement is one which:

I. Meets the client’s expectations.

II. Conforms with the Standards.

III. Is undertaken in accordance with an established methodology.

IV. Assists independent auditors in their review of an organization’s risk management and control
processes.

a) I and II.

b) II, III and IV.

c) I, II and III.

d) I, II, III and IV.

Question 59: A Quality Assurance and Improvement Program (QAIP) should conclude on the quality of the
internal audit activity (IAA) and lead to recommendations for appropriate improvements. Which of the following
is/are true? A QAIP enables an evaluation of:

I. The adequacy of the audit committee’s charter.

II. Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

III. The risks affecting the operation of the IAA.

IV. Compliance with applicable laws, regulations, and government or industry standards to which
the independent auditor may be subject.

V. Whether the IAA adds value and offers improvements to the organization’s operations.

a) II, III, IV, and V.

b) II, III, and V.

c) I, III, IV, and V.

d) I, II, III, IV, and V.

Question 60: The chief audit executive (CAE) of a newly-formed internal audit activity (IAA) knows that a
successful IAA has to be perceived as being a value-added function that improves the organization’s operations.
To understand whether the IAA is doing what it needs to be doing in order to achieve its goals, the
CAE should develop and implement a Quality Assurance and Improvement Program (QAIP). QAIPs are intended
to provide the means to assess the efficiency and effectiveness of the IAA. When developing the
QAIP, the CAE needs to determine all of the following except:

a) The size, structure, and nature of the IAA.

b) The role of internal audit management and staff in the quality process.

c) The frequency of self-assessments and external assessments.

d) The level of quality desired by the IAA and expected by its stakeholders.


Question 61: The chief audit executive (CAE) has a responsibility to develop and maintain the Quality Assurance
and Improvement Program (QAIP) for both internal and external assessments. The QAIP should be
reviewed at least annually and individual sections of the program should be updated throughout the year as
needed. The inputs to the review include, but should not be limited to:

I. Results from the independent auditor’s assessment of governance, risk management, and control.

II. Customer (client) feedback.

III. Follow-up actions from previous assessments and/or reviews.

IV. Recommendations for improvement.

V. Other changes that could impact the quality management system.

a) I, II, III, IV, and V.

b) II, III, IV, and V.

c) I, III, IV, and V.

d) II, III, and V.

Question 62: The IIA published a Position Paper titled “The Three Lines of Defense in Effective Risk Management
and Control.” All of the following would be an appropriate internal audit role in the Three Lines of
Defense model except:

a) Taking corrective action to address any and all identified control deficiencies.

b) Working together with other control professionals to help the organization manage its risks.

c) Providing assurance on the effectiveness of governance, risk management, and control processes.

d) Reporting to the board and senior management on significant control deficiencies.

Question 63: At the top of the hierarchy of an organization is the board of directors. Which of the following
statements is false concerning the characteristics of good corporate governance and the board?

a) The roles of the Board Chair and CEO should be separated.

b) The majority of board members should be executive directors.

c) The board members should reflect a mix of backgrounds and perspectives.

d) The board should contain a suitable balance of power in order to prevent one person or group of
people from dominating the decision-making of the board.

Question 64: Based on Mendelow’s power/interest matrix, how should a business respond if a stakeholder
has a high level of interest but a low level of power?

a) Take notice of them and engage directly with them.

b) Communicate only when necessary.

c) Communicate regularly with the stakeholder.

d) Keep the stakeholder satisfied.


Question 65: Audit committee members should be independent non-executive directors. In which of the
following situations would an audit committee member not be considered independent?

I. The member is the former CFO. The member left the company eight months ago.

II. The member’s brother-in-law is CEO of the company.

III. The member has significant stock options in the company that have not vested.

IV. The member is also CEO of the company’s main raw material supplier.

a) I and III.

b) II and IV.

c) I, II, and III.

d) I, II, III, and IV.

Question 66: The Chair of the audit committee was discussing with other committee members the need for
the company to have an internal auditing activity (IAA). The Chair mentioned that good corporate governance
promotes the establishment of an effective IAA. Which of the following would indicate that the
company needs an effective IAA?

I. There is a legal requirement.

II. The company has a large number of employees.

III. There has been a recent increase in the number of unexplained or unacceptable risks.

IV. There have been past problems with internal controls.

a) I, III, and IV.

b) I, II, and III.

c) I and IV.

d) I, II, III, and IV.

Question 67: Which of the following would not likely be part of internal auditing’s role in the evaluation and
improvement of an organization’s control process?

a) Developing a plan to systematically assess controls across the organization.

b) Reporting on significant control deficiencies to management and the audit committee.

c) Testing controls across the organization.

d) Designing control procedures.

Question 68: An important part of improving an organization’s governance process is to make sure that the
organization conducts its business ethically. The internal audit activity is encouraged to be an ethics advocate
for the organization. All of the following are ways that the IAA can be an ethics advocate except:

a) Conducting an ethics training program.

b) Disciplining employees for unethical behavior.

c) Reviewing the company’s code of conduct.

d) Getting feedback from clients on the ethical conduct of the company.


Question 69: In the area of governance, internal auditors and the internal audit activity (IAA) are encouraged
to take an active role in support of the organization’s ethical culture. This may entail sponsoring an
ethics training program or identifying possible ethics violations. During a review of possible ethics violations,
the chief audit executive identified four possible violations. Of the possible violations, which one(s) would be
more likely to be unethical?

I. The marketing manager takes home his business computer for work but also uses the computer
for personal use.

II. The budgeting supervisor promises his assistant an extra day off if she rushes out an important
project by a certain date, but then reneges on the promise by saying there is too much work to
be done.

III. The purchasing agent accepts a gift from a vendor.

IV. The finance director applies a common accounting practice to improve earnings that leads to increased
management compensation.

a) II and III.

b) I and III.

c) I and II.

d) II and IV.

Question 70: Corporate social responsibility (CSR) recognizes that:

a) The social environment should be the main focus of a company’s CSR activities.

b) Business ethics is a complex issue and is the responsibility of senior management and the board.

c) The natural environment should be the main focus of a company’s CSR activities.

d) Companies should be conscious of the impact they are having on society, including economic, social,
and environmental.

Question 71: Archie B. Carroll developed the pyramid of corporate social responsibility. The pyramid suggests
that philanthropic social responsibility is:

a) The foundation of the pyramid.

b) Desired by society.

c) Expected by society.

d) Mandated by society.

Question 72: An organization’s chief audit executive (CAE) was discussing with board members why the
organization should implement a corporate social responsibility (CSR) program. One of the arguments made
by the CAE in favor of CSR is that:

a) It would help the organization gain competitive advantage.

b) The company is financially able to absorb the cost of the CSR program.

c) It would help ward off future government regulations.

d) The company’s management and board have the skills to solve today’s social problems.


Question 73: Of the following, which statement best describes the term risk? Risks are:

a) Negative events that could occur.

b) Negative events that will occur.

c) Negative or positive events that shall occur.

d) Negative or positive events that must occur.

Question 74: Hazard risks are:

a) Events that cannot be insured against, such as natural disasters, death of key employees, or personal
injury on the business premises.

b) Events that can be insured against, such as natural disasters, death of key employees, or personal
injury on the business premises.

c) Events that can cause personal financial loss or property damage, or mission degradation.

d) Events that can cause personal financial loss or property damage, or mission completion.

Question 75: The members of a risk committee of a global service company are assessing the risks associated
with logistical disruptions in the countries in which it operates. Which of the following best describes
these risks?

a) Internal – Supply chain risk.

b) Internal – Process-related risk events.

c) External – Supply chain risk.

d) External – Process-related risk events.

Question 76: Which of the following would you expect to find in an organization’s risk strategy?

I. The CAE reports to the audit committee/board on a regular basis.

II. The level of risk tolerance has been defined.

III. The ownership of risk is delegated to business units.

IV. The organization has a defined risk appetite.

a) I and III.

b) II, III, and IV.

c) II and IV.

d) I, II, and IV.

Question 77: Which of the following would not be a factor that influences an organization’s risk appetite?

a) The volume of transactions and complexity of the accounting system.

b) The identification of key stakeholders.

c) The opportunity for fraud.

d) Changes in technology.


The following information is for questions 78 through 80:

The success of any risk management process depends on the identification of risks. The following list contains
some examples of potential risks:

I. There is a possible infraction of the “Privacy Act.”

II. There is the potential to lose a key supplier.

III. There is the potential to lose key personnel.

IV. There is a pending lawsuit against the company.

V. There is the potential loss of the company’s image or reputation.

VI. There are potential problems with key machinery or equipment.

VII. There are quality and service concerns that affect the customers.

Question 78: Of the listed items, which would be considered operational risks?

a) II, VI, and VII.

b) II, III, and VI.

c) I and IV.

d) V and VII.

Question 79: Of the listed items, which would be considered compliance risks?

a) II, VI, and VII.

b) II, III, and VI.

c) I and IV.

d) V and VII.

Question 80: Of the listed items, which would be considered strategic risks?

a) II, VI, and VII.

b) II, III, and VI.

c) I and IV.

d) V and VII.

Question 81: It is common to assess risk based on the probability of the risk occurring and its impact on
operations, if the risk event does occur. Which of the following items are influences of probability?

I. The company uses the derivative market for both hedging and speculative purposes.

II. Top management practices what it preaches concerning the need for strong controls.

III. Top management is particularly concerned about damage to its brand name.

IV. The cost to get operations back to normal is significant.

a) I and II.

b) I and III.

c) II and IV.

d) III and IV.


Question 82: Risks can be objectively evaluated based on the probability of the risk occurring and its potential
impact on operations. One particular risk that an internal auditor assessed had a low impact but a
higher than average probability of occurring. How should the internal auditor respond to the risk?

a) Establish additional control procedures because there is a high probability of something going wrong.

b) Do nothing because its impact is low.

c) Terminate the activity that is causing the risk.

d) Transfer the risk through insurance or some other means.

Question 83: ISO 31000:2018 is a family of standards that provides a set of principles and guidelines for
an organization’s risk management process. ISO 31000 identified six stages in its framework, including
“Monitoring and Review.” Monitoring and Review is best thought of as:

a) The final stage.

b) The feedback system.

c) The documentation and reporting stage.

d) The recording of outcomes.

Question 84: Which of the following would not be a reason for management to improve its system of internal
control?

a) To help management eliminate all fraudulent activities.

b) To help management minimize errors due to faulty decision-making.

c) To ensure compliance with laws and regulations.

d) To ensure the reliability of financial reports.

The following information is for questions 85 and 86:

There are three levels of control within organizations: corporate, operational, and transactional.

Question 85: Which of the following would not be an example of an operational-level control?

a) The financial controller submits a 90-day rolling cash budget to the company’s CEO and CFO the first
week of every month.

b) The purchasing officer signs off on purchasing orders to vendors.

c) The accounting system flags a possible duplicate payment to a vendor.

d) The production manager reviews quarterly production variance reports.

Question 86: Which of the following would be a corporate-level control?

a) The financial controller submits a 90-day rolling cash budget to the company’s CEO and CFO the first
week of every month.

b) The human resource manager reviews a job description for a financial manager position.

c) The disclosure committee reviews financial and non-financial notes and disclosures over financial
reporting.

d) The production manager reviews quarterly production variance reports.


Question 87: A company’s human resource manager received a request from the chief executive officer
(CEO) to start working on a job description for a new investment manager position. The CEO is looking for
someone who has at least 3 years of investment management experience, and ideally, the person would be
a chartered financial analyst (CFA). The CEO asked the human resource manager to write up a draft job description
for the position and present it to the executive committee for final review and approval. Making
sure the person is qualified and experienced for the new position is what type of control?

a) Preventive control.

b) Directive control.

c) Corrective control.

d) Detective control.

The following information is for questions 88 and 89:

When a technician in a production area found a product quality problem, he took the initiative and found a
remedy to the problem. Additionally, the technician created procedures so the problem can be quickly identified
and corrected if defective units are found. After meeting with the technician, the quality control
manager decided that additional testing procedures were needed to further minimize the risk of defective
units.

Question 88: The action taken by the technician to create procedures is what type of control?

a) Preventive control.

b) Directive control.

c) Corrective control.

d) Detective control.

Question 89: What type of control is it when the quality control manager decided additional testing procedures
were needed?

a) Preventive control.

b) Directive control.

c) Corrective control.

d) Detective control.

Question 90: When reviewing controls over credit sales, an internal auditor found that the sales manager
authorizes new credit sales. The internal auditor knows that the sales manager should not have the authority
to authorize new credit sales. However, because the company is growing and still has not yet reached its
breakeven point, it was decided not to change the current practice. Based on this, the internal auditor still
recommended that someone not in the sales department provide independent verification that all new creditors
are credit-worthy. What type of control is this?

a) Preventive control.

b) Compensating control.

c) Corrective control.

d) Detective control.


Question 91: Controls can focus on events before, during, or after a process. There are three control types
that managers implement to ensure that work is done according to the plan, or based on some standard.
These controls are referred to as feedforward, feedback, and concurrent controls. A program that alerts
technicians of a problem is an example of what type of control?

a) Concurrent control.

b) Feedforward control.

c) Planning control.

d) Feedback control.

Question 92: Which of the following are true concerning feedback controls?

I. Feedback controls can provide management with useful information on how effective their planning
efforts are.

II. Feedback controls can enhance employee motivation.

III. Feedback controls are the most desirable type of control.

a) I and III.

b) I and II.

c) II and III.

d) I, II, and III.

Question 93: Business professionals talk about the importance of information and the need for an effective
internal control system. Which of the following statements is not a characteristic of an effective control system?

a) The more material an item is, the more important it is to have tighter controls.

b) The control system should be complex enough so that fraud can be eliminated.

c) The control system must provide the information in a timely manner so that decisions can be made.

d) There should be a positive cost/benefit ratio, which means the cost is less than the benefit received
by implementing the control.

Question 94: Controls can be broken down into two broad categories: (1) automated controls and (2)
manual controls. Which of the following would not be an advantage of an automated control system?

a) Automated controls are more reliable and less prone to error.

b) Automated controls can provide information in a timelier manner.

c) Automated controls eliminate the need for manual controls in the tracking and monitoring of risks.

d) Automated controls tend to be more efficient than manual controls.


Question 95: The chief audit executive (CAE) for a large manufacturing company gave a lecture on the importance
of internal control to a group of new hires. Which of the following should the CAE list as benefits of
having a sound system of internal control?

I. Greater assurance that all transactions are completely and accurately processed.

II. Confidence that only authorized transactions take place.

III. Assurance that adequate documentation supporting transactions is created and retained.

IV. Assurance that the company’s assets and liabilities are correctly stated so management can
make informed decisions on the operations of the business.

V. Less risk of fraud and misappropriation of assets.

a) All are benefits of having a sound system of control.

b) I, II, III, and V.

c) II, III, IV, and V.

d) I, II, III, and IV.

The following information is for questions 96 and 97:

A company was having its annual employee training program. One of the main subjects for this year’s program
was the topic of internal control. For this part, the company invited its internal auditor to talk about
the company’s control system.

Question 96: The internal auditor started off his lecture by talking about the primary beneficiaries of strong
internal controls. Which of the following is not true concerning the beneficiaries of strong internal controls?

a) Investors benefit because they will feel more confident in the reliability of the company’s financial
statements.

b) Customers benefit because they will feel more confident about the quality of the product and/or service.

c) External auditors benefit because they will feel more confident in the opinion they give concerning
the reliability of the company’s financial statements.

d) Management benefits because they will be able to rely less on the work of the internal auditor.

Question 97: The internal auditor further discussed the different parties who are responsible for ensuring
that the company has an effective system of internal control. Which of the following are true concerning
responsibility and a system of internal control?

I. The board is responsible for ensuring that management has the right system of control.

II. The company’s CEO is ultimately responsible for ensuring that the system of control is established
and being executed.

III. Senior managers are responsible for ensuring that the right control policies and procedures are
implemented.

IV. The external auditor is responsible for ensuring that management is carrying out their control
responsibilities.

a) I, II, and III.

b) II, III, and IV.

c) III and IV.

d) I, II, III, and IV.


Question 98: Controls can be classified as either manual or automated. Automated controls would include
all of the following except:

a) Automated balancing and reconciliations.

b) Systems access controls.

c) The identification of invalid or duplicate entries.

d) A manager’s review of a variance report.

Question 99: Application controls are established to ensure that specific applications are processed in accordance
with management’s specifications and in an accurate and timely manner. Application controls can
be classified as input, processing, and output controls. Which of the following would not be an input control?

a) The functions of computer programmer and input operator are segregated.

b) The program checks the validity and accuracy of the inputted data.

c) A note is sent back to the input operator that the sent files are being printed.

d) The input operator has to enter a new password twice.

Question 100: Internal controls are actions taken by management that enhance the likelihood that established
goals and objectives will be achieved. Management actions include the establishment and
implementation of control policies and procedures. Which of the following statements are true concerning
the difference between control policies and control procedures?

I. Policies are made by senior management while procedures are usually made in consultation with
employees.

II. Policies guide senior management in decision-making while procedures guide the actions of employees.

III. Policies can be modified by senior management while procedures can only be modified by employees.

IV. Policies are more like rules while procedures are less detailed than policies.

a) I and III.

b) II and IV.

c) I and II.

d) II and III.


Question 101: The Turnbull report was created for the U.K. Financial Reporting Council, which informs directors
of their obligations to keep an effective internal control system, and to maintain appropriate audits
and checks to ensure the quality of financial reporting. Which of the following is/are true concerning what
Turnbull states about a sound system of internal controls? A sound system of control should:

I. Primarily be embedded at the functional level of the company.

II. Be part of the organization’s culture.

III. Be capable of responding quickly to evolving internal risks.

IV. Include procedures for reporting significant weaknesses and failures of controls to the appropriate
level of management.

a) I and III.

b) II and IV.

c) II and III.

d) I and IV.

Question 102: COSO states that the foundation of any control system is the company’s control environment.
An important aspect of a company’s control environment is having the right “tone at the top.” All of
the following are examples of having the right “tone at the top” except:

a) A senior manager is disciplined for abusing the company’s credit card.

b) The board decided not to take action against a senior manager for embezzlement because the
amount was not considered significant and the person agreed to return the embezzled funds.

c) Based on company policy, an assembly line worker stopped production when a defective unit was
detected.

d) The board is primarily made up of independent directors who regularly review the company’s internal
controls and risk management policies.

Question 103: An internal auditor was reviewing controls in the mailroom and verifying that checks are
properly received and deposited. The internal auditor is particularly concerned that checks might be lost or
stolen, or a check could be fraudulently altered so an employee could cash the check under his or her own
name. The best control to minimize these risks would be:

a) For checks to be deposited daily.

b) For there to be independent review of the mailroom procedures.

c) For checks to be independently listed by someone outside the mailroom.

d) For a mailroom clerk to immediately endorse incoming checks.

Question 104: During a review of the sales department, an internal auditor discovered that there had been
several incidences of stock-out, which led to customer complaints. Further investigation found that the items
should have been in stock based on information given by the computer system. The best control to make
sure a sales clerk does not make a sale based on faulty stock information is to:

a) Make sure all stock items are electronically tagged.

b) Have inventory information updated at the end of each business day.

c) Check to make sure items are in stock before processing the sales order.

d) Have a regular inventory count so the inventory can be brought up to date.


Question 105: The head of security received some information that a purchasing agent was receiving kickbacks
from one of the company’s vendors. The best control to minimize the possibility of kickbacks is to:

a) Have a strong code of conduct.

b) Have a strong code of conduct and periodically rotate the purchasing agents.

c) Stop doing business with any vendor suspected of giving kickbacks.

d) Verify that the purchasing agent is not living beyond his or her means.

Question 106: Risk assessment includes the identification, analysis, and management of risks. Concerning
risk assessment, which of the following is not true?

a) A pre-condition to risk assessment is the establishment of objectives.

b) The formality of a company’s risk assessment process depends on the size and complexity of the
company.

c) Risk assessment in larger companies is most often the responsibility of lower-level managers.

d) It is generally recognized that smaller and less complex companies are going to have less effective
risk assessment processes.

The following information is for questions 107 through 109:

An internal auditor was reviewing controls over the sales process. The internal auditor noted the following
activities within the sales department:

I. The sales clerk, who makes the sale and collects the cash, does not reconcile the daily cash receipts
account.

II. A designated person has to sign off on trade discounts.

III. On a regular basis, the internal controller takes a sample of sales to be sure that they are
properly recorded.

Question 107: Item (I) is connected with which control procedure?

a) Physical controls to safeguard assets.

b) Segregation of duties.

c) Authorization.

d) Independent checks.

Question 108: Item (II) is connected with which control procedure?

a) Physical controls to safeguard assets.

b) Segregation of duties.

c) Authorization.

d) Independent checks.


Question 109: Item (III) is connected with which control procedure?

a) Physical controls to safeguard assets.

b) Segregation of duties.

c) Authorization.

d) Independent checks.

Question 110: The objective of the purchases-payable cycle is to make sure only authorized orders are received
and inventoried. Concerning the purchases-payable cycle, which of the following activities would not
be compatible?

a) The purchasing manager reviews the purchase requisition and approves the vendor purchase order.

b) The purchasing manager approves the vendor purchase order and records the transaction to the accounts
payable journal.

c) The purchasing manager reviews the purchase requisition and approves bad debt write-offs.

d) The purchasing manager approves the vendor purchase order and reconciles daily cash receipts.

Question 111: COSO defines monitoring as a system that is implemented to help ensure that internal
controls continue to operate effectively. All of the following are benefits of having a properly designed and
implemented monitoring program except:

a) Private companies will be in a better position to be in compliance with SOX 404.

b) There is a greater chance that control problems will be identified and corrected on a timely basis.

c) Financial and management information should be more accurate and timely.

d) The company should be able to produce more accurate and reliable information for decision-making.

Question 112: If an internal auditor wanted to know if a particular risk had the right control, which matrix
should the internal auditor use?

a) Questionnaire matrix.

b) Sampling matrix.

c) Risk and control matrix.

d) Risk interaction matrix.

Question 113: Fraud is defined as any illegal act characterized by deceit, concealment, or violation of trust.
Of particular concern for companies is management fraud, because those in a position of authority are
committing the fraud. Which of the following is not likely to be a fraud risk factor relating to management?

a) There is high management turnover in the company.

b) Management decides to hide some off-shore transactions to avoid taxes.

c) Management decides to be liberal in their revenue recognition.

d) Management decides to adopt conservative accounting principles.


Question 114: Ian Dunhill, CIA and Certified Fraud Examiner (CFE), is the leader of a team investigating
the finances of GreenVest, a venture capital firm that funds alternative sources of energy. Because of its
wide-ranging investment portfolio, the company has a fairly complex financial structure. Dunhill and his
team are to assess the firm’s operational results, including a recent decline in operating profits and cash
flows. Dunhill must also determine how the firm responds to its strict investment covenants. Lastly, Dunhill
is to investigate the executive directors’ compensation packages, including holdings of stock options in the
firm, which are believed to be quite high. Which portion of the fraud triangle are Dunhill and his team
investigating?

a) Opportunity

b) Policies

c) Incentives

d) Compliance

Question 115: The fraud triangle consists of three:

a) Actions that management takes to minimize fraud.

b) Conditions usually present when fraud occurs.

c) Of the most common types of fraud.

d) Strategies for unearthing financial fraud.

Question 116: An internal auditor was conducting an engagement to review controls over the capitalization
of fixed assets. The purpose of the review is to verify that:

a) Management has not put some legitimate costs to the balance sheet.

b) All maintenance charges are expensed in the period they arose.

c) Management has not put some immaterial expenses to the fixed asset account.

d) Fixed assets are being properly depreciated.

Question 117: Which of the following situations might undermine a company’s integrity?

a) The marketing manager proposes to delay installment of a new marketing software package until
after closing an important client contract.

b) The CFO tells the chief accountant to expense some costs that the chief accountant believes could be
capitalized.

c) The production manager proposes a new input material mix to reduce costs and increase
profitability.

d) The procurement manager proposes to source an important input material from a close relative.


Question 118: When planning an engagement, internal auditors need to have some awareness of the risk
factors and red flags of fraud. All of the following are possible red flags the internal auditor needs to be
aware of except:

a) The lack of segregation of duties.

b) Managers not having the ability to override controls.

c) Managers who refuse to take a vacation because they are too busy.

d) Unrestricted access to electronic data or databases.

Question 119: During a fraud investigation, a forensic auditor was hired to help with the investigation. All
of the following are reasons a company would hire a forensic auditor except:

a) To understand the money trail.

b) To coerce a confession from the accused fraudster.

c) To help gather evidence used in court proceedings.

d) To quantify the financial loss suffered by the company.

Question 120: Fraud is most often thought of as being a detriment to organizations; however, there are
cases where fraud could be beneficial. Which of the following examples of fraud would benefit an
organization?

a) The marketing manager accepts a kickback from an advertising company.

b) The chief accountant embezzles funds.

c) The CFO authorizes a payment to a foreign governmental official to expedite a business deal.

d) The sales manager approves the sale of goods to a close relative at below cost.

Question 121: Managers commit fraud for all of the following reasons except:

a) To override the company’s control system.

b) To distort facts to hold off divestment.

c) To deceive others in order to keep their job.

d) To gain a larger bonus.

Question 122: Which of the following is/are true when assessing fraud risk? Internal auditors should
determine whether or not:

I. The organization has set realistic goals and objectives.

II. The organization fosters an environment of control consciousness.

III. The organization has a forensic auditing expert on staff.

IV. Recommendations are established to enhance the control structure to help deter fraud.

a) I and II.

b) I, II, and IV.

c) II, III, and IV.

d) I, II, III, and IV.


Question 123: The Practice Guide Internal Auditing and Fraud outlines five key steps of fraud risk
assessment. Which of the following would not be a fraud risk assessment step?

a) Impact to the organization’s reputation.

b) Identifying relevant fraud risk factors.

c) Mapping existing controls to potential fraud schemes and identifying gaps.

d) Documenting and reporting fraud risk assessment.

Question 124: It is not unusual for internal auditing to be part of a fraud investigation. Based on this, at
the conclusion of a fraud investigation, internal auditors should do all of the following except:

a) Draft controls that need to be implemented or strengthened.

b) Maintain sufficient knowledge of fraud to identify possible future fraud incidents.

c) Determine if controls need to be implemented or strengthened.

d) Design engagement tests to help disclose frauds in the future.

Question 125: During a preliminary fraud investigation, an internal auditor suspected that a departmental
manager had embezzled a sizeable amount of money from the company. The internal auditor reported the
matter to management and turned over all findings to the security department. The manager denied
embezzling the funds, but the internal auditor did not believe the manager. During a company get-together, the
internal auditor talked about the manager’s guilt to other employees. When the manager found out about
the internal auditor’s behavior, the manager proceeded to sue the company for:

a) Malicious prosecution.

b) Libel.

c) Slander.

d) Compounding a felony.

CIA Part 1 Mock Exam #2 Answers

Solutions

The chart below cross-references the question numbers for Part 1 (MOCK EXAM #2) with the
topics tested:

Sections                                             Topics                                                            Question Numbers

Section I: Foundations of Internal Auditing          The IIA’s International Standards                                 1 - 16
                                                     Code of Ethics                                                    17 - 20

Section II: Independence & Objectivity               Independence & Objectivity                                        21 - 35

Section III: Proficiency and Due Diligence           Proficiency & Due Diligence                                       36 - 50

Section IV: Quality Assurance & Improvement Program  Quality Assurance & Improvement Program                           51 - 61

Section V: Governance, Risk Management, and Control  A & B. Organizational Governance and Culture                      62 - 67
                                                     C. Ethics                                                         68 - 69
                                                     D. Corporate Social Responsibility                                70 - 72
                                                     E, F, G, H. Risk and Risk Management                              73 - 83
                                                     I, J, K. Internal Control Concepts, Effectiveness and Efficiency  84 - 112

Section VI: Fraud Risks                              Fraud risks                                                       113 - 125


Solutions

1 Solution: c

a. Incorrect. Mandatory guidance states how internal auditors should act when conducting their work.
b. Incorrect. Mandatory guidance provides a framework for performing and promoting internal auditing.

c. Correct. Practice guides provide guidance for conducting an internal audit. These practice guides
include processes and procedures, tools and techniques, programs, step-by-step approaches, and
examples of deliverables. These practice guides are part of the IIA’s strongly recommended guidance
framework.

d. Incorrect. Mandatory guidance states the fundamental purpose, nature, and scope of internal auditing.

2 Solution: c

a. Incorrect. The Standards do not define the function of internal auditing.

b. Incorrect. Internal auditors are held accountable even when performing consulting engagements, not
just during assurance engagements.

c. Correct. This is true concerning Standards. They do help internal auditors fulfill their responsibilities
when conducting internal audits.

d. Incorrect. The IIA’s Standards do take precedence over other standards.

3 Solution: d (I, III and IV)

I. Not a Violation. Since the internal auditor invited the client, this would not be a violation of the
Standards.

II. Violation. The internal auditor should not functionally report to the CFO. The internal auditor should
functionally report to the board/audit committee.

III. Not a Violation. It is acceptable for the internal auditor to write the draft copy of the charter. Approval
of the charter is the responsibility of senior management and the board.

IV. Not a Violation. Internal auditors are encouraged to be certified; however, it is not mandated that
they are certified.

4 Solution: c

a. Incorrect. Investigating suspected fraud is something internal auditing could do.

b. Incorrect. Verifying the value of an asset account balance is something internal auditing could do.

c. Correct. Prescribing compensation packages is outside the scope of internal auditing.

d. Incorrect. Determining the company’s compliance with environmental laws and regulations is something
internal auditing could do.


5 Solution: b

a. Incorrect. The Implementation Guidance does not detail internal auditing processes and procedures.

b. Correct. The Implementation Guidance does assist internal auditors in applying the Definition of
Internal Auditing, the Code of Ethics, and the Standards, and promoting good practices.

c. Incorrect. The Implementation Guidance does not highlight significant audit findings and
recommendations and report on the approved audit work schedule.

d. Incorrect. The Implementation Guidance does not assist the CAE in resolving issues before reporting
the findings to the audit committee.

6 Solution: b

a. Incorrect. The Standards are based on principles, not on rules.

b. Correct. According to the IPPF, the Standards are principles-focused and provide a framework for
performing and promoting internal auditing.

c. Incorrect. The Practice Advisories provide guidelines for conducting an internal audit.

d. Incorrect. The Standards do not assist internal auditors in better understanding significant issues of
internal auditing.

7 Solution: d

a. Incorrect. Internal auditing does not design controls.

b. Incorrect. The mission of internal auditing is not to verify that conflicts between management and
stakeholders do not result in bankruptcies or major frauds.

c. Incorrect. To ensure the quality of information provided to shareholders and financial markets through
the financial statements is the function of the external auditor.

d. Correct. Directing the establishment of internal controls systems would impair objectivity.

8 Solution: d

a. Incorrect. The charter should be approved by the board of directors.

b. Incorrect. The charter should be approved by the board of directors. It should not be written by
someone outside the company.

c. Incorrect. If the CFO writes and approves the charter, this would impair the independence of internal
auditing.

d. Correct. If the CFO writes and approves the internal auditing charter, the CFO could control the work
of the internal auditor. This could impair the work of the internal auditor.


9 Solution: a

a. Correct. The scope of an individual engagement would not be included in the charter. The scope of the
engagement would be in the engagement work plan.

b. Incorrect. The charter should include the scope, objectives, authority, and accountability
of the IAA.

c. Incorrect. The charter should include the scope, objectives, authority, and accountability
of the IAA.

d. Incorrect. The charter should include the scope, objectives, authority, and accountability
of the IAA.

10 Solution: b

a. Incorrect. The audit committee is responsible for the hiring and firing of the external auditor.

b. Correct. Evaluating the compensation packages of senior managers would be the general responsibility
of the remuneration committee, not the audit committee.

c. Incorrect. The audit committee is responsible for approving the annual audit plan.

d. Incorrect. Reporting to the audit committee confirms the independence of the IAA.

11 Solution: a

a. Correct. Strategic planning is a function generally left to the board and management. It is not
something the audit committee would be involved in.

b. Incorrect. Reviewing financial statements before publication is a function of the audit committee.

c. Incorrect. Reviewing the work of the external auditor is a function of the audit committee.

d. Incorrect. Reviewing the work plan of the IAA is a function of the audit committee.

12 Solution: c (I, II and III)

I. Correct. Advising management on the benefits of an acquisition is a possible consulting service.

II. Correct. Assisting management in estimating the savings from outsourcing a process is a possible
consulting service.

III. Correct. Assessing the adequacy of internal control in a proposed accounts payable system is a possible
consulting service.

IV. Incorrect. Assessing the adequacy of internal control over the accounts receivable system is an
assurance engagement, not consulting.


13 Solution: a

a. Correct. Based on the Standards, the charter gives the internal auditor authority to have access to all
records and personnel deemed necessary for the completion of an engagement. However, there still
might be some company information that the internal auditor would not have access to, such as
information concerning a possible merger or acquisition.

b. Incorrect. The IAA charter should be a formal, written document.

c. Incorrect. The IAA charter should be approved by the board.

d. Incorrect. The CAE has responsibility to periodically review the IAA charter to make sure it is still
adequate for the IAA to accomplish its objectives.

14 Solution: d

a. Incorrect. Stating who the CAE will report to should be included in the IAA charter.

b. Incorrect. Laying out the objectives of the IAA should be included in the IAA charter.

c. Incorrect. Providing information about the need for a QAIP should be included in the IAA charter.

d. Correct. Detailing the compensation package of the CAE is not a function of the charter. The CAE’s
compensation would be the responsibility of the audit committee, not the IAA charter.

15 Solution: a (I and IV only)

I. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, internal auditors are expected to recommend standards of control.

II. Incorrect. Providing training courses would be a consulting service.

III. Incorrect. Providing advice to a client would be connected with a consulting service.

IV. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, assessing and evaluating credit risk would be connected with an assurance
engagement.

16 Solution: b (I, II and III)

I. Correct. The Standards do provide a framework for performing and promoting a broad range of value-
added internal auditing services.

II. Correct. The Standards do establish a basis for evaluating the performance of internal auditing.

III. Correct. The Standards do describe the basic principles of best practices of internal auditing.

IV. Incorrect. The Standards do not tell internal auditors how they should conduct themselves during
engagements.


17 Solution: d

a. Incorrect. If requested by a judge, an internal auditor would be obliged to divulge confidential
information.

b. Incorrect. With proper supervision, an internal auditor with limited IT experience could be involved in
an IT audit.

c. Incorrect. An inexpensive gift would not be a violation of the Code of Ethics.

d. Correct. No information should be divulged to a local newspaper under any circumstance. Illegal acts
have to be first reported to senior management, and in some cases, reported to the appropriate
authorities, if requested to do so.

18 Solution: a

a. Correct. Integrity is performing work with honesty, diligence, and responsibility.

b. Incorrect. Integrity does not have to do with adhering to the IIA’s Code of Conduct.

c. Incorrect. Not disclosing information has to do with confidentiality, not with integrity.

d. Incorrect. Making sure the auditor has the skills, knowledge, qualifications, and capacity to do their job
effectively is connected with competence, not with integrity.

19 Solution: b

a. Incorrect. Even though David’s behavior is suspect, the incident was not related to his professional
work.

b. Correct. The IIA Code of Ethics covers members’ professional activity only, such as fraud, theft, or
deceit. Being charged with a misdemeanor because of an altercation during a football game would not be
a violation of the IIA’s Code of Ethics.

c. Incorrect. The Code of Ethics covers members’ professional activity only.

d. Incorrect. The Code of Ethics only covers members’ professional activity.

20 Solution: b

a. Incorrect. Only the principles of integrity and objectivity are violated. The competence principle is not
violated because the internal auditor had the skills and knowledge to perform the engagement.

b. Correct. If the internal auditor does nothing to rectify the situation, then the internal auditor could be
in violation of two ethics principles: integrity and objectivity. Concerning objectivity, the internal
auditor “shall disclose all material facts known to them, that if not disclosed, may distort the reporting of
activities under review.” Concerning integrity, the internal auditor “shall perform their work with
honesty, diligence, and responsibility.” It also says the internal auditor “shall not knowingly be party to any
illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the
organization.” If the internal auditor does nothing about the matter, then the internal auditor is
complicit in the act.

c. Incorrect. The principle of integrity is violated; however, the principle of competence is not violated.

d. Incorrect. The principles of objectivity and integrity are violated; however, the confidentiality principle
is not violated because no information was compromised.


21 Solution: a

a. Correct. Objectivity is a mental attitude that internal auditors should maintain while performing
engagements. The internal auditor should have an impartial, unbiased attitude and avoid conflict of
interest situations. Independence refers to the freedom to conduct audit activities in an unbiased
manner. Therefore, objectivity refers to the unbiased mental attitude of individual auditors while
independence gives internal auditors the freedom to operate with an objective, unbiased attitude.

b. Incorrect. Independence is achieved through the status of the IAA; however, objectivity refers to the
unbiased mental attitude of individual auditors.

c. Incorrect. Independence is gained through the organizational status of the IAA, not objectivity.

d. Incorrect. The terms are different. The words are not synonymous, nor are they interchangeable.

22 Solution: c

a. Incorrect. It is possible that the board might deem some information confidential, even from internal
auditing.

b. Incorrect. Refusing to approve the internal audit work plan is not a scope limitation.

c. Correct. A scope limitation is a restriction that keeps internal auditors from achieving the objectives of
an engagement. Internal auditors need to have complete access to all information deemed necessary to
complete an engagement, including access to records, personnel, and property. The chief accountant
saying that some information is not necessary could be seen as a scope limitation.

d. Incorrect. A company’s controller should suggest ways to improve controls over operations.

23 Solution: d

a. Incorrect. Internal auditors are able to conduct not only assurance engagements, but also perform
consulting services as well. It is acceptable for the controller to use the services of the IAA as long as the
IAA does not take ownership of the controls.

b. Incorrect. Internal auditors are not part of management.

c. Incorrect. Independence would be impaired only if the internal auditor has ownership of the control
process, which does not happen automatically simply by helping the controller.

d. Correct. Based on the Standards, internal auditing is able to conduct consulting services as long as the
nature of the internal auditor’s help is known and included in the charter. The internal auditor would be
OK, as long as the internal auditor provided advice and does not take ownership of the controls.

24 Solution: a

a. Correct. The internal auditor should not be assigned the task of reviewing controls over the payable
department because only six months have passed since working in the department. It is advised that
the waiting period should be no less than one year.

b. Incorrect. The internal auditor should not accept the engagement because objectivity would be
impaired since the internal auditor knows the department.

c. Incorrect. Objectivity would be impaired, not independence.

d. Incorrect. It is generally accepted that a period of no less than one year should pass between working
in a department and auditing it.


25 Solution: c

a. Incorrect. Ultimately, the internal auditor works for the CEO and therefore the internal auditor cannot
refuse the CEO.

b. Incorrect. Ultimately, the internal auditor works for the CEO so protesting the CEO would not be a
recommended course of action.

c. Correct. If the CEO makes a request of the internal auditor, the internal auditor has no choice but to
accept the assignment. However, the internal auditor needs to make sure not to participate in the audit
of the department.

d. Incorrect. The best course of action would be to accept the assignment, but when time comes to audit
the department the internal auditor should not participate in the audit of the department.

26 Solution: c (II only)

I. Incorrect. Teaching IAA courses on the weekend would not give rise to a conflict of interest.

II. Correct. The only situation that could give rise to a conflict of interest for the CAE is hiring someone
who worked as a financial manager in the company. The Standards say that a period of at least one
year should pass before auditing the area you were once responsible for. Based on this, the internal
auditor should not be involved in any engagements concerning his or her former responsibility area.

III. Incorrect. Mutual funds are investment funds that consist of many different types of investment assets.
It would not be unusual for the CAE to own a mutual fund that might include the stock of the company
the CAE works for.

IV. Incorrect. Because clerks have no managerial responsibility, it would not be a conflict of interest if a
relative of the CAE works in the department being audited by the IAA.

27 Solution: b

a. Incorrect. The IAA should administratively report to the CEO.

b. Correct. Internal auditors need a mandate that provides the authority they need within a structure that
supports their independence and objectivity. This can best be achieved through a written charter for the
internal audit function that is aligned with the mandate and needs of the audit committee.

c. Incorrect. The IAA should functionally report to the board or audit committee.

d. Incorrect. Only answer (b) is true concerning the mandate of the IAA.

28 Solution: d

a. Incorrect. This is a true statement; however, answer (c) is also true.

b. Incorrect. The primary function of the chief accountant is to oversee all accounting functions such as
ledger accounts, financial statements, and cost control systems. The focus of the chief accountant
includes regulatory compliance and practices and collaborating with the CFO developing financial
strategies.

c. Incorrect. This is a true statement; however, answer (a) is also true.

d. Correct. Both (a) and (c) are true. The board/audit committees do want to get independent and
objective assurance on the adequacy of internal controls from someone other than the CEO or CFO. Also, the
organization gets too large or geographically dispersed for frequent and economical first-hand
monitoring of controls by the board/audit committee, CEO, or CFO.


29 Solution: c

a. Incorrect. Accepting gifts of significant value is prohibited.

b. Incorrect. Borrowing money from a client could impair the internal auditor’s objectivity.

c. Correct. Facilitating a control self-assessment workshop is something internal auditors can do, and are
encouraged to do.

d. Incorrect. Auditing a department where the internal auditor’s brother-in-law is the manager could
impair the internal auditor’s objectivity.

30 Solution: c

a. Incorrect. Insufficient training might invite compromises or shortcuts that would impair the IAA’s
position in the organization.

b. Incorrect. Inadequate staffing might invite compromises or shortcuts that would impair the IAA’s
position in the organization.

c. Correct. The CAE has a responsibility to make sure all working papers provide evidence that sufficient
information was obtained by the internal auditor to support his or her recommendation.

d. Incorrect. Outdated technology might invite compromises or shortcuts that would impair the IAA’s
position in the organization.

31 Solution: a

a. Correct. Periodically evaluating the bank reconciliation process is something the internal auditor should
do.

b. Incorrect. If the internal auditor is responsible for a part of operations that could be subject to periodic
internal auditing assessment, then this could impair the internal auditor’s objectivity.

c. Incorrect. Reviewing an activity for which the internal auditor was responsible 9 months ago could
impair the internal auditor’s objectivity.

d. Incorrect. Scheduling an audit of an area for which the internal auditor will have future responsibility could
impair the internal auditor’s objectivity.

32 Solution: d (II and IV)

I. Incorrect. Internal auditing should not design controls, because this could impair the internal auditor’s
objectivity.

II. Correct. Recommending procedures is something that internal auditing could perform.

III. Incorrect. Internal auditing should not install systems of control, because this could impair the internal
auditor’s objectivity.

IV. Correct. Reviewing controls before implementation is something that internal auditing could perform.


33 Solution: a (I and II)

I. Correct. An auditor may review contracts prior to their execution.

II. Correct. Reducing the scope of an audit due to budget cutbacks does not constitute a violation of an
auditor's independence.

III. Incorrect. The Standards say that a period of at least one year should pass before assigning an auditor
to an area where he or she previously worked.

IV. Incorrect. The Standards state that an auditor may recommend standards of control for new systems.
However, designing, installing, or operating such systems might impair objectivity.

34 Solution: c

a. Incorrect. The compensation package should be administrated by the organization’s board of directors
or the board’s remuneration committee.

b. Incorrect. Objectivity would be impaired if compensation is based on monetary amounts recovered, or
recommendations for future savings as a result of engagements. It is presumed that a bonus based on
either of these could unduly influence the judgment of the CAE.

c. Correct. The board of directors should administer the internal auditor’s compensation package.

d. Incorrect. The compensation package might consist of other forms of compensation, such as stock
options, cash bonuses, and so forth, but would not consist only of stock options.

35 Solution: a

a. Correct. Internal auditors must consider standards of control and review procedures before
implementation. However, objectivity is considered to be impaired if internal auditing designs, installs, drafts
procedures, or operates systems (PA 1120-1). However, ascertaining the cost-benefit relationships
would be an appropriate role for the internal auditor.

b. Incorrect. Determining management’s requirements is management’s responsibility.

c. Incorrect. Designing a system of control is management’s responsibility.

d. Incorrect. Implementing the system is management’s responsibility.

36 Solution: c

a. Incorrect. Assessing the impact on revenue and bad debt takes an understanding level of competence,
not a proficiency level.

b. Incorrect. The internal auditor would have to have more than an appreciation level of competence.

c. Correct. At a minimum, the internal auditor should have an understanding level of competency. This
means the auditor is able to assess the impact that changes in the credit terms will have on revenue
and bad debt.

d. Incorrect. The internal auditor would have to have more than a knowledge level competence.


37 Solution: d

a. Incorrect. To maintain the CIA designation, internal auditors must achieve a specific number of CPD
credits, not accounting credits.

b. Incorrect. Showing proficiency in the application of management principles does not have to do with
maintaining the CIA designation.

c. Incorrect. To maintain the CIA designation, internal auditors must achieve a specific number of CPD
credits, not accounting credits.

d. Correct. All certified internal auditors must achieve a specific number of CPD credits every two years.
The CPDs are required so that the internal auditor can maintain his or her skill and proficiency level.

38 Solution: d

a. Incorrect. Appreciation is the ability to recognize the existence of a problem, not understanding. Also,
proficiency is the ability to know how to solve the problem.

b. Incorrect. Solving problems takes a level of proficiency, not understanding.

c. Incorrect. Understanding is the ability to recognize the impact the problem will have on operations, not
appreciation. Also, appreciation is the ability to know that there is a problem, not understanding.

d. Correct. Understanding means the ability to apply broad knowledge to situations likely to be encoun-
tered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at
a reasonable solution. Appreciation is the ability to recognize the existence of problems or potential
problems and to identify the additional research to be undertaken or the assistance to be obtained.

39 Solution: b

a. Incorrect. Reviewing controls over the handling of inventory takes an understanding of control process-
es, not a proficiency in accounting standards.

b. Correct. An internal auditor should be proficient in accounting standards if the auditor is checking the
valuation of inventory. The auditor would have to know how to value the inventory based on the ac-
ceptable accounting principles. If inventory is found to be overstated, then the auditor has to know how
much to write down the inventory. This takes a high level of knowledge about accounting.

c. Incorrect. Assessing the impact on operations if credit terms are relaxed takes analytical skills, not a
proficiency in accounting standards.

d. Incorrect. Reviewing controls over petty cash takes an understanding of control processes, not a profi-
ciency in accounting standards.

40 Solution: b

a. Incorrect. Exercising due professional care does not mean internal auditors are expected to be infallible
when conducting engagements.

b. Correct. Even having proper assurance procedures does not guarantee significant risks will be identi-
fied.

c. Incorrect. Exercising due professional care does apply to both assurance and consulting engagements.

d. Incorrect. Exercising due professional care means internal auditors must consider the cost of the en-
gagement in relation to its benefits.


41 Solution: b

a. Incorrect. Noting the lack of segregation of duties is exercising due professional care.

b. Correct. The auditor failed to exercise due professional care because the auditor presumed everything
was OK because of his or her relationship with the manager. In this case, the auditor should have ex-
panded the testing to feel comfortable that fraud is not being committed.

c. Incorrect. Recommending additional controls if found to be deficient is exercising due professional care.

d. Incorrect. Informing the CAE of the deficiency and asking for advice is exercising due professional care.

42 Solution: a

a. Correct. It is possible for the CAE to be non-CIA certified; however, the CAE is still encouraged to
enhance and maintain his or her skill and knowledge level by attending education programs, or obtaining
a relevant professional certification, such as CMA, CIA, CPA, ACA, ACCA, and so on.

b. Incorrect. The work of internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.

c. Incorrect. The work of internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.

d. Incorrect. The work of internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.

43 Solution: a

a. Correct. A single auditor can be proficient in a number of areas, not just accounting.

b. Incorrect. This is true concerning proficiency. Every internal auditor must be able to evaluate the risk of
fraud and identify key IT risks and controls.

c. Incorrect. This is true concerning proficiency. Internal auditors are expected to maintain and update
their skills through continuing professional education (CPE).

d. Incorrect. This is true concerning proficiency. The necessary skills and knowledge are different for each
auditor, and an auditor might be proficient in a number of areas.

44 Solution: c

a. Incorrect. Internal auditors should be proficient communicators.

b. Incorrect. Internal auditors should be proficient in critical thinking.

c. Correct. Satisficing is choosing the first satisfactory option instead of looking for the optimal solution.
Internal auditors should always strive for the optimal solution.

d. Incorrect. Internal auditors should be proficient in negotiation.


45 Solution: b

a. Incorrect. Improvement and innovation is one of the ten core competencies that are considered essential
for all internal auditors.

b. Correct. A core competency is internal audit management, not operations management.

c. Incorrect. Internal audit delivery is one of the ten core competencies. This means that the internal audit
activity is able to deliver internal audit engagements.

d. Incorrect. Professional ethics promotes ethical behavior and is one of The IIA’s core competencies.

46 Solution: d (I and IV)

I. Correct. The foundation that forms the Competency Framework consists of Professional Ethics and In-
ternal Auditing Management.

II. Incorrect. Governance, Risk, and Control is under the heading of Technical Expertise.

III. Incorrect. IPPF is under the heading of Technical Expertise.

IV. Correct. The foundation that forms the Competency Framework consists of Professional Ethics and In-
ternal Auditing Management.

V. Incorrect. Internal Audit Delivery is at the top of the Framework, along with Improvement and Innova-
tion.

47 Solution: b

a. Incorrect. The ability of staff to complete audits on time would be part of the CAE’s review process.

b. Correct. Internal auditors should not manage operating systems, so this would not be part of the CAE’s
review process.

c. Incorrect. The knowledge of relevant risk management and control systems would be part of the CAE’s
review process.

d. Incorrect. The knowledge of the regulatory requirements would be part of the CAE’s review process.

48 Solution: a (I, II, and III)

I. Correct. Based on PA 1210-1, auditors should know the indicators of fraud.

II. Correct. Based on PA 1210-1, auditors should know key information-technology risks and controls.

III. Correct. Based on PA 1210-1, auditors should know available technology-based audit techniques.

IV. Incorrect. Maintaining a satisfactory relationship with engagement clients is a skill that internal auditors
should develop.

49 Solution: c

a. Incorrect. The CAE would assess the relevant professional certifications of the specialists.

b. Incorrect. The CAE would assess the reputation of the specialist.

c. Correct. Fieldwork is what occurs after the hiring of the specialist.

d. Incorrect. The CAE would review the experience and education of the specialist.


50 Solution: a

a. Correct. The adequacy and effectiveness of the audit committee is the responsibility of the board.

b. Incorrect. Internal auditors exercise due professional care by considering the cost of assurance in rela-
tion to potential benefits.

c. Incorrect. Internal auditors exercise due professional care by considering the relative complexity of the
engagement.

d. Incorrect. Internal auditors exercise due professional care by considering the probability of significant
errors and fraud.

51 Solution: d

a. Incorrect. Being the “eyes and ears” of the audit committee is a valid reason for internal auditing to
report to the audit committee.

b. Incorrect. Reporting to the audit committee does in fact enhance the independence of internal auditing.

c. Incorrect. Reporting to the audit committee does allow the audit committee the opportunity to review
the work of internal auditing in order to better understand whether it is a value-added function.

d. Correct. The audit committee reviews, assesses, and evaluates controls, but the audit committee is not
part of management, so it does not have the authority to take action on identified control deficiencies.

52 Solution: c

a. Incorrect. Establishing a QAIP is done so the audit committee and management can have greater as-
surance that the IAA is conforming to best practices.

b. Incorrect. Establishing a QAIP is done so areas of the IAA that need improving can be highlighted.

c. Correct. The QAIP is designed to evaluate whether or not the work of the company’s IAA is in
conformance with the definition of internal auditing, the Standards of internal auditing, and the Code of
Ethics. Assisting in the planning of engagements is not a reason for the QAIP.

d. Incorrect. Establishing a QAIP is done to monitor the effectiveness of the IAA.

53 Solution: a

a. Correct. Reviewing the IAA charter would be part of the external assessment, not internal assessment.

b. Incorrect. Assessing how many recommendations were implemented by management would be part of
the internal assessment.

c. Incorrect. Assessing how well internal auditing is viewed by its clients would be part of the internal as-
sessment.

d. Incorrect. Reviewing actual and budgeted costs would be part of the internal assessment.


54 Solution: b

a. Incorrect. Using The IIA’s Standards would be a useful tool for the assessment team.

b. Correct. Getting feedback from the audit committee would probably assist the team the least in its as-
sessment. The others, including using the Standards, benchmarking, and getting feedback from the
clients would be more helpful in assessing the effectiveness and efficiency of the IAA.

c. Incorrect. It is the clients who benefit from the services of the IAA; therefore, getting feedback from
the clients would be a useful source for the assessment team.

d. Incorrect. Benchmarking against other IAAs would be a useful source for the assessment team.

55 Solution: c

a. Incorrect. Providing an independent opinion is a reason for conducting an external assessment.

b. Incorrect. The external assessment should be done at least every five years.

c. Correct. The assessor should be independent. This means that there should not be any conflict of in-
terest. This generally means the assessor does not work for the company and is not intimately familiar
with the operations.

d. Incorrect. Assessing whether the IAA adds value and improves operations is a reason for the external
assessment.

56 Solution: d

a. Incorrect. Client satisfaction with internal auditing would be part of the external assessment.

b. Incorrect. Expressing an opinion on the overall work of the IAA would be part of the external assess-
ment.

c. Incorrect. Benchmarking against the best practices would be part of the external assessment.

d. Correct. The results of the external assessment would generally not be communicated to the external
auditor. The results are for internal purposes so the company’s board and management can feel com-
fortable with the work of internal auditing – it is doing what it should be doing.

57 Solution: b (I, II and IV)

I. Correct. A self-assessment may be appropriate if the organization frequently has agency regulators
reviewing its books and internal controls.

II. Correct. A self-assessment may be appropriate if the organization operates in an industry that has ex-
tensive oversight.

III. Incorrect. Whether an organization is publicly-listed or not does not impact whether a self-assessment
is appropriate.

IV. Correct. A self-assessment may be appropriate if, in the opinion of the CAE, the costs of the external
assessment outweigh the benefits.


58 Solution: c (I, II and III)

I. Correct. A quality audit engagement is one that meets the client’s expectations.

II. Correct. A quality audit engagement is one that conforms with the Standards.

III. Correct. A quality audit engagement is one that is undertaken in accordance with an established meth-
odology that promotes quality.

IV. Incorrect. Assisting independent auditors is not a characteristic of a quality audit.

59 Solution: b (II, III and V)

I. Incorrect. This would be true if the statement said the adequacy of the IAA’s charter.

II. Correct. This is true. The QAIP enables an evaluation of the conformance with the Definition of Internal
Auditing, the Code of Ethics, and the Standards.

III. Correct. This is true. The QAIP enables an evaluation of the risks affecting the operation of the IAA.

IV. Incorrect. This would be true if the statement said compliance with applicable laws, regulations, and
government or industry standards to which the IAA may be subject.

V. Correct. This is true. The QAIP enables an evaluation of whether the IAA adds value and offers
improvements to the organization’s operations.

60 Solution: a

a. Correct. The size, structure, and nature of the IAA will depend on the needs of the organization.

b. Incorrect. This is true. A key aspect to developing a QAIP is to determine the role of internal audit man-
agement and staff in the quality process.

c. Incorrect. This is true. A key aspect to developing a QAIP is to determine the frequency of self-
assessments and external assessments.

d. Incorrect. This is true. A key aspect to developing a QAIP is to determine the level of quality desired by
the IAA and expected by its stakeholders.

61 Solution: b (II, III, IV, and V)

I. Incorrect. This is not true. Independent auditors, unless specifically hired to do so, will not do an as-
sessment of governance, risk management, and control.

II. Correct. This is true. The input for the QAIP would include client feedback.

III. Correct. This is true. The input for the QAIP would include follow-up actions from previous assess-
ments and/or reviews.

IV. Correct. This is true. The input for the QAIP would include recommendations for improvement.

V. Correct. This is true. The input for the QAIP would include other changes that could impact the quality
management system.


62 Solution: a

a. Correct. Taking corrective action is a management function, not an internal audit function.

b. Incorrect. The role of internal audit is to work together with other control professionals to help organi-
zations manage their risks.

c. Incorrect. The role of internal audit is to provide assurance on the effectiveness of governance, risk
management, and control processes.

d. Incorrect. The role of internal audit is to report to the board and senior management on significant con-
trol deficiencies.

63 Solution: b

a. Incorrect. This statement is true. The roles of the board Chair and CEO should be separated.

b. Correct. This statement is false. The majority of the board members should be independent non-
executive directors.

c. Incorrect. The statement is true. The board members should reflect a mix of backgrounds and perspec-
tives.

d. Incorrect. This statement is true. The board should contain a suitable balance of power in order to pre-
vent one person or group of people from dominating the decision making of the board.

64 Solution: c

a. Incorrect. This statement is true of key players. Key players are stakeholders with high interest and
strong power.

b. Incorrect. Communicating only when necessary would be the strategy for stakeholders with low interest
and low power. Organizations can ignore these stakeholders.

c. Correct. Stakeholders with high interest but low power need to receive regular communications.
Stakeholders in this quadrant can increase their overall influence by forming coalitions with other
stakeholders to exert greater pressure.

d. Incorrect. Stakeholders that need to be kept satisfied have low interest but strong power.

65 Solution: d (I, II, III and IV)

I. Correct. The Standards recommend a period of no less than one year from the time the member left
the position.

II. Correct. If the member’s brother-in-law was the CEO, then this could be an impairment to
independence.

III. Correct. Having a significant number of stock options could be an impairment to independence.

IV. Correct. The member also being the CEO of the company’s main raw material supplier could be an
impairment to independence.


66 Solution: d (I, II, III and IV)

I. Correct. Publicly-listed companies are required to have a functioning IAA.

II. Correct. Generally, the larger the company, the greater the need for a functioning IAA.

III. Correct. A recent increase in the number of unexplained or unacceptable risks is a good reason to have
a functioning IAA.

IV. Correct. Having problems with internal controls is a good reason to have a functioning IAA.

67 Solution: d

a. Incorrect. Developing a plan to systematically assess controls across the organization is something that
internal auditing could do.

b. Incorrect. Reporting on significant control deficiencies to management and the audit committee is
something that internal auditing could do.

c. Incorrect. Testing controls across the organization is something that internal auditing could do.

d. Correct. Internal auditing cannot design, draft, install, or manage controls. This is the function of man-
agement.

68 Solution: b

a. Incorrect. Conducting ethics training programs is a method of promoting ethics within the organization.

b. Correct. Internal auditors are never responsible for disciplining employees for unethical behavior. Man-
agement is responsible for disciplining employees.

c. Incorrect. Reviewing the company’s code of conduct is a method of promoting an ethics-based organi-
zation.

d. Incorrect. Getting feedback from clients is a way for internal auditing to understand whether there are
ethical issues within the company.

69 Solution: a (II and III only)

I. Not unethical. Taking computers home for work is common. Using the computer for personal use at
home would not be considered unethical as long as it was done at home and not at work.

II. Unethical. The supervisor reneging on a promise promotes future unethical behavior. This is not set-
ting the “right tone at the top.”

III. Unethical. Accepting a gift of non-trivial value is unethical and also sometimes illegal.

IV. Not unethical. As long as the accounting practice is consistently applied, what the finance director is
doing would not be considered unethical. This is referred to as earnings management. If the financial
director were intentionally misstating the financials to get higher levels of compensation, then this
would be considered unethical and illegal.


70 Solution: d

a. Incorrect. The focus of CSR is on economic, social, and environmental impact, not just social.

b. Incorrect. Business ethics is just one part of CSR.

c. Incorrect. The focus of CSR is on economic, social, and environmental issues, not just the environ-
ment.

d. Correct. CSR is where companies are conscious of the kind of impact they are having on all aspects of
society including economic, social, and environmental. To engage in CSR means that a company is op-
erating in ways that enhance society and the environment, instead of contributing negatively to them.

71 Solution: b

a. Incorrect. The foundation of the other responsibilities is economic responsibility.

b. Correct. Philanthropic responsibility is on top of Carroll’s pyramid. This is where companies want to be
a good corporate citizen, where they contribute resources to the community, and try to improve the
quality of life of the community.

c. Incorrect. Expected by society is Carroll’s ethical responsibility.

d. Incorrect. Mandated by society is Carroll’s legal responsibility.

72 Solution: c

a. Incorrect. CSR is not geared to help organizations gain competitive advantage.

b. Incorrect. There is a cost to any CSR program.

c. Correct. This is true. By taking social responsibility, organizations are attempting to ward off future
government regulations.

d. Incorrect. It is unlikely a company’s management and board will have the skills to solve today’s social
problems.

73 Solution: a

a. Correct. Risk is most often defined as any event or action that can keep an organization from
achieving its objectives. Based on this definition, risks are negative events that could occur.

b. Incorrect. Risk is defined as negative events that could occur, not will occur.

c. Incorrect. Risk is defined as negative events that could occur. Uncertainty could be negative or posi-
tive.

d. Incorrect. Risk is defined as negative events that could occur. Uncertainty could be negative or posi-
tive.

74 Solution: b

a. Incorrect. Hazard risks are events that can be insured against.

b. Correct. Hazard risks are events that can be insured against, such as natural disasters, death of key
employees, or personal injury on the business premises.

c. Incorrect. Hazard risks are not events that can cause personal financial loss, or mission degradation.

d. Incorrect. Hazard risks are not events that can cause personal financial loss, or mission completion.


75 Solution: c

a. Incorrect. Logistical disruptions are not internal, but they are supply chain risks.

b. Incorrect. Logistical disruptions are not internal and not process-related risk events.

c. Correct. Logistical disruptions are external and they are supply chain risks.

d. Incorrect. Logistical disruptions are external, but not process-related.

76 Solution: c (II and IV)

I. Incorrect. One of the responsibilities of the CAE is to report to the audit committee/board on a regular
basis, so it would not be part of an organization’s risk strategy.

II. Correct. An organization’s risk strategy is going to define its risk tolerance level.

III. Incorrect. The ownership of risk is going to be delegated to those held responsible for the risks.

IV. Correct. An organization’s risk strategy is going to define its risk appetite.

77 Solution: b

a. Incorrect. The volume of transactions and complexity of the accounting system could be factors that
influence an organization’s risk appetite.

b. Correct. Simply identifying key stakeholders would not be a factor influencing an organization’s risk
appetite; however, the viewpoints of the stakeholders would be a factor.

c. Incorrect. The opportunity for fraud could be a factor that influences an organization’s risk appetite.

d. Incorrect. Changes in technology could be a factor that influences an organization’s risk appetite.

78 Solution: b (II, III and VI)

I. Incorrect. Infraction of the Privacy Act would be a compliance risk.

II. Correct. Potential loss of a key supplier would be an operational risk.

III. Correct. Potential loss of key personnel would be an operational risk.

IV. Incorrect. A pending lawsuit would be a compliance risk.

V. Incorrect. Potential loss of reputation would be a strategic risk.

VI. Correct. Potential problems with key machinery would be an operational risk.

VII. Incorrect. Quality and service concerns that affect customers would be strategic risks.

79 Solution: c (I and IV only)

I. Correct. Infraction of the Privacy Act would be a compliance risk.

II. Incorrect. Potential loss of a key supplier would be an operational risk.

III. Incorrect. Potential loss of key personnel would be an operational risk.

IV. Correct. A pending lawsuit would be a compliance risk.

V. Incorrect. Potential loss of reputation would be a strategic risk.

VI. Incorrect. Potential problems with key machinery would be an operational risk.

VII. Incorrect. Quality and service concerns that affect customers would be strategic risks.


80 Solution: d (V and VII only)

I. Incorrect. Infraction of the Privacy Act would be a compliance risk.

II. Incorrect. Potential loss of a key supplier would be an operational risk.

III. Incorrect. Potential loss of key personnel would be an operational risk.

IV. Incorrect. A pending lawsuit would be a compliance risk.

V. Correct. Strategic risks are risks that could potentially keep the company from achieving its long-term
goals and objectives. Potential loss of reputation would be a strategic risk.

VI. Incorrect. Potential problems with key machinery would be an operational risk.

VII. Correct. Quality and service concerns that affect customers would be strategic in nature.

81 Solution: a (I and II only)

I. Correct. Using the derivative markets for hedging and speculative purposes increases the probability of
having losses, and it also increases the risk of there being a material mistake on the financial state-
ments.

II. Correct. If management practices what it preaches concerning the need for strong internal control, the
company is setting the right “tone at the top.” If management believes in strong controls, there is less
risk of there being a material mistake.

III. Incorrect. Damage to the company’s reputation would influence the size of the impact, not its probabil-
ity.

IV. Incorrect. Cost of getting operations back to normal would influence the size of the impact, not its
probability.

82 Solution: a

a. Correct. If the probability is high and its impact is low, then controls should be put in to reduce the risk.

b. Incorrect. The company should do nothing if the probability of the event occurring is low as well.

c. Incorrect. Terminating the activity is appropriate if both probability and impact are high.

d. Incorrect. Transferring the risk is done if impact is high but probability is low, such as the probability of
fire, or a natural disaster.

83 Solution: b

a. Incorrect. The monitoring and review stage is not the final stage. The final stage is recording and re-
porting.

b. Correct. Once a risk management process has been implemented, the next stage is to get feedback
on how the system is working. This is the function of the monitoring and review stage.

c. Incorrect. Documenting and reporting the risk management process is the last stage.

d. Incorrect. The recording of outcomes is part of the recording and reporting stage.


84 Solution: a

a. Correct. Establishing a sound system of internal control can only provide reasonable assurance that
fraudulent activities will be prevented and detected. Even the best of control systems cannot fully elim-
inate fraud.

b. Incorrect. Minimizing errors is a valid reason for improving controls.

c. Incorrect. Ensuring compliance with laws and regulations is a valid reason for improving controls.

d. Incorrect. Ensuring the reliability of financial reports is a valid reason for improving controls.

85 Solution: c

a. Incorrect. Submitting a 90-day rolling budget is an operational level control.

b. Incorrect. Signing off on purchase orders is an operational level control.

c. Correct. Operational-level controls encompass planning and performance monitoring, the system of
accountability to supervisors, and risk evaluation. Operational-level controls include both manual and
automated controls. The accounting system flagging a possible duplicate payment is an example of
control at the transaction-level, not at the operational-level.

d. Incorrect. The manager reviewing quarterly production variance reports is an operational level control.

86 Solution: c

a. Incorrect. Submitting a 90-day rolling budget is an operational level control.

b. Incorrect. Having the HR manager review a job description for a financial manager position is an opera-
tional level control.

c. Correct. Corporate-level controls are mostly manual and they include general policy statements such
as values and overall monitoring procedures. COSO refers to these entity-level controls as the control
environment. When the disclosure committee reviews financial and non-financial notes and disclosures
over financial reporting, this is an example of a corporate (or entity) level control.

d. Incorrect. The manager reviewing quarterly production variance reports is an operational level control.

87 Solution: b

a. Incorrect. Making sure there is a job description for the new position is a directive control, not a pre-
ventive control.

b. Correct. Directive controls cause or encourage a desirable event to occur, such as making sure the
new position has a job description. The job description is directive because it lays out the qualifications
and experience needed for the position.

c. Incorrect. Making sure there is a job description for the new position is a directive control, not a correc-
tive control.

d. Incorrect. Making sure there is a job description for the new position is a directive control, not a detec-
tive control.


88 Solution: c

a. Incorrect. The actions of the technician were corrective, not preventive.

b. Incorrect. The actions of the technician were corrective, not directive.

c. Correct. The technician putting in production procedures so the problem can be quickly identified and
corrected is a corrective control. Corrective controls are meant to correct problems that have occurred.

d. Incorrect. The actions of the technician were corrective, not detective.

89 Solution: d

a. Incorrect. Additional controls to find defective products are detective, not preventive.

b. Incorrect. Additional controls to find defective products are detective, not directive.

c. Incorrect. Additional controls to find defective products are detective, not corrective.

d. Correct. Detective controls are needed to detect undesirable events that occur. Additional controls to
improve the chance of finding defective products is a detective control.

90 Solution: b

a. Incorrect. Independent verification is a compensating control, not a preventive control.

b. Correct. Compensating controls compensate for a control weakness, such as a lack of segregation of
duties. In this case, there has to be an independent verification to make sure the sales manager is ap-
proving new credit sales only to credit-worthy customers.

c. Incorrect. Independent verification is a compensating control, not a corrective control.

d. Incorrect. Independent verification is a compensating control, not a detective control.

91 Solution: a

a. Correct. Concurrent controls operate at the same time as the process and make ongoing adjustments
based on the immediate feedback from the system. Based on this, a program that alerts a technician of
a problem is a concurrent control.

b. Incorrect. Feedforward controls prevent undesirable events from happening. Getting immediate feed-
back is a concurrent control.

c. Incorrect. Getting immediate feedback is a concurrent control, not a planning control.

d. Incorrect. Feedback controls detect a defective unit after it has been already produced. Getting imme-
diate feedback is a concurrent control.

92 Solution: b (I and II only)

I. Correct. Feedback controls can provide management with useful information about the effectiveness of
their planning efforts.

II. Correct. Feedback controls can enhance employee motivation. People want information on how well
they have performed, and feedback controls provide that information. The most desirable type of con-
trol is feedforward.

III. Incorrect. The most desirable type of control is feedforward controls, not feedback. Feedback controls
are more expensive and less efficient because deficiencies are discovered after the fact.


93 Solution: b

a. Incorrect. A characteristic of an effective control system is the more material an item, the tighter the
control system needs to be.

b. Correct. An effective control system should be simple enough so the system can be understood by
those using it. The more complex the control system is, the more likely fraud will be committed.

c. Incorrect. An effective control system must provide information in a timely manner.

d. Incorrect. A characteristic of an effective control system is that the benefits of the control system are
greater than its cost.

94 Solution: c

a. Incorrect. Automated controls are more reliable.

b. Incorrect. Automated controls can provide information in a timelier manner.

c. Correct. Automated controls can help track and monitor risks, but when it comes to managing risks,
automated controls are not a substitute for experienced human insight.

d. Incorrect. Automated controls do tend to be more efficient than manual controls.

95 Solution: a (I, II, III, IV, and V)

I. Correct. Ensuring that all transactions are complete and accurate is a characteristic of an effective
control system.

II. Correct. An effective control system means that there is greater confidence that only authorized trans-
actions take place.

III. Correct. An effective control system makes sure there is adequate documentation supporting transac-
tions.

IV. Correct. An effective control system ensures that assets and liabilities are correctly stated on the fi-
nancial statements.

V. Correct. An effective control system ensures there is less risk of fraud and misappropriation of assets.

96 Solution: d

a. Incorrect. Investors do benefit because they will feel more confident in the reliability of the company’s
financial statements.

b. Incorrect. Customers do benefit because they will feel more confident about the quality of the product
and/or service.

c. Incorrect. External auditors do benefit because they will feel more confident in the opinion they give
concerning the reliability of the company’s financial statements.

d. Correct. Management benefits because with strong control systems they will be able to do their job
more efficiently and effectively.

97 Solution: a (I, II and III only)

I. Correct. The board has an oversight responsibility.

II. Correct. The CEO is ultimately responsible for the company’s control system.

III. Correct. Senior managers are responsible for ensuring that the right control policies and procedures
are implemented.

IV. Incorrect. External auditors provide feedback on the effectiveness of the control system; however, ex-
ternal auditors are not responsible for ensuring management is carrying out their control
responsibilities. This is the management’s responsibility.

98 Solution: d

a. Incorrect. Automated balancing and reconciliations are automated controls.

b. Incorrect. System access controls are automated controls.

c. Incorrect. The identification of invalid or duplicate entries is an automated control.

d. Correct. A manager’s review of a variance report is a manual control.

99 Solution: a

a. Correct. Segregation of duties between the programmer and input operator is a processing control, not
an input control.

b. Incorrect. Checking on the validity and accuracy of the inputted data is an example of an input control.

c. Incorrect. A note sent back to the input operator is an example of an input control.

d. Incorrect. Entering a new password twice is an example of an input control.

100 Solution: c (I and II only)

I. Correct. This is true. Policies are made by senior management while procedures are usually made in
consultation with employees.

II. Correct. This is true. Policies guide senior management in decision-making while procedures guide the
actions of employees.

III. Incorrect. Employees can suggest changes to procedures, but management must approve the changes.

IV. Incorrect. Procedures are more detailed than policies, not less.

101 Solution: b (II and IV only)

I. Incorrect. This is not true because a sound system of control should be embedded at all levels of the
organization, not just at the functional level.

II. Correct. This is true because a sound system of control should be part of the company’s way of doing
things, in other words, a part of its culture.

III. Incorrect. This is not true because a sound system of control should be able to respond to all evolving
internal and external risks.

IV. Correct. This is true because a sound system of control should include procedures for reporting signifi-
cant weaknesses and failures of control to the appropriate level of management.

102 Solution: b

a. Incorrect. The right “tone at the top” means sending the message that abusing the company’s credit
card will not be tolerated.

b. Correct. Letting a senior manager get away with embezzlement sends the wrong message to the em-
ployees. Everybody in the organization needs to understand that there are consequences for violations.

c. Incorrect. The right “tone at the top” means that employees do have the ability to take action based on
company policy. This would include the ability to stop production when defective units are detected.

d. Incorrect. The right “tone at the top” means supporting best corporate governance, which means that
the board is primarily made up of independent directors who review the company’s internal controls
and risk management policies.

103 Solution: d

a. Incorrect. Checks could still be fraudulently altered even if the checks are deposited on a daily basis.

b. Incorrect. Checks could still be fraudulently altered even if there was an independent review of mail-
room procedures.

c. Incorrect. Checks could still be fraudulently altered even if the checks are independently listed by
someone outside the mailroom.

d. Correct. To minimize the risks, the internal auditor needs to verify that checks are immediately en-
dorsed by someone in the mailroom.

104 Solution: c

a. Incorrect. Making sure all stock items are electronically tagged would not ensure items are in stock at
the time of sale.

b. Incorrect. Making sure inventory information is updated at the end of each business day would not en-
sure items are in stock at the time of sale.

c. Correct. The best control is for the sales clerk to make sure the inventory is in stock before processing
the sales order.

d. Incorrect. Having a regular inventory count would not ensure items are in stock at the time of sale.

105 Solution: b

a. Incorrect. Every company should have a code of conduct; however, the company should also rotate the
purchasing agents so that they do not become too close to the vendors.

b. Correct. The best control to minimize the possibility of kickbacks is to make sure the company has a
strong code of conduct and occasionally rotate purchasing agents from one vendor to another.

c. Incorrect. This is incorrect because a suspected company may be innocent.

d. Incorrect. This is incorrect because proving the purchasing agent is not living beyond his or her means
would be subjective and difficult to verify.

106 Solution: d

a. Incorrect. This is true concerning the risk assessment process. A pre-condition to risk assessment is the
establishment of objectives.

b. Incorrect. This is true concerning the risk assessment process. The formality of a company’s risk as-
sessment process is dependent on the size and complexity of the company.

c. Incorrect. This is true concerning the risk assessment process. In larger companies, the risk assess-
ment process is most often the responsibility of lower-level managers.

d. Correct. In smaller companies, senior managers (e.g. the CEO or CFO) will probably take a more ac-
tive role in the assessment of risks. Because senior management will have a better understanding of
the risks, they will probably also have a more effective risk assessment process.

107 Solution: b

a. Incorrect. Item (I) is connected with segregation of duties, not with physical controls to safeguard as-
sets.

b. Correct. The control procedure connected with Item (I) is segregation of duties. The person who col-
lects the cash should not be able to reconcile the daily cash receipts account. Without segregation of
duty, the sales clerk could take the cash and say everything reconciles.

c. Incorrect. Item (I) is connected with segregation of duties, not with authorization.

d. Incorrect. Item (I) is connected with segregation of duties, not with independent checks.

108 Solution: c

a. Incorrect. Item (II) is connected with authorization, not with physical controls to safeguard assets.

b. Incorrect. Item (II) has to do with having proper authorization to perform a transaction, not with seg-
regating duties.

c. Correct. The control procedure connected with Item (II) is authorization. The proper person should
have the authority to sign off on trade discounts.

d. Incorrect. Item (II) has to do with authorization, not with independent checks.

109 Solution: d

a. Incorrect. Item (III) has to do with verifying independently that transactions are processed properly,
not with the physical safeguarding of assets.

b. Incorrect. Item (III) has to do with verifying independently that transactions are processed properly,
not with making sure specific functions are segregated.

c. Incorrect. Item (III) has to do with verifying independently that transactions are processed properly,
not with making sure transactions are properly authorized.

d. Correct. Independent checks are checks performed by someone other than the person responsible for
the original operation and are generally more effective at assuring that transactions are processed and
activities are performed accurately.

110 Solution: b

a. Incorrect. It is acceptable for the purchasing manager to review the purchase requisition and approve
the purchase order.

b. Correct. The following functions within the Purchases-Payable cycle should be segregated.

• Approval of purchase: The purchasing manager should review the purchase requisition and ap-
prove (or reject) the purchase of goods.

• Custody of goods: Custody of goods lies with receiving (who receives the goods) and warehouse
(who stores the goods until needed).

• Recording of transaction: An accounts payable clerk records the transaction to the accounts
payable journal. An accounting clerk records the transaction to the general ledger.

• Reconciliation: There needs to be reconciliation between the G/L and A/P file. There also needs
to be reconciliation between the G/L and inventory records. Reconciliations should be done by in-
dependent persons.

Based on segregation of duties, the purchasing manager should not be able to record the transaction to
the accounts payable journal.

c. Incorrect. It would be acceptable for the purchasing manager to review the purchase requisition and
approve bad debt write-offs because the functions are not related to each other.

d. Incorrect. It would be acceptable for the purchasing manager to approve the purchase order while at
the same time reconciling daily cash receipts because the functions are not related to each other.

111 Solution: a

a. Correct. This answer is not true because there is no requirement for private companies to be in com-
pliance with SOX 404. Only publicly-listed companies listed in the U.S. have this requirement.

b. Incorrect. A strong monitoring program will increase the chances of identifying control problems.

c. Incorrect. A strong monitoring program increases the likelihood that financial and management infor-
mation will be more accurate and timely.

d. Incorrect. A strong monitoring program increases the likelihood that financial and management infor-
mation will be more accurate.

112 Solution: c

a. Incorrect. A questionnaire matrix would help the internal auditor understand if there is a problem.

b. Incorrect. A sampling matrix would be a useful tool to understand the characteristics of a population,
such as age, race, religion, and so on. It is not a tool that matches controls to risks.

c. Correct. The risk and control matrix would be the most appropriate matrix to use. The risk and control
matrix is an excellent tool that matches controls to risks, assuring that every risk is covered by an ap-
propriate control. This matrix also shows where a particular control might provide protection over more
than one risk.

d. Incorrect. A risk interaction matrix is a good tool to understand the severity of the risks.

113 Solution: d

a. Incorrect. A red flag of fraud is high management turnover. This shows that managers are not happy
with management practices.

b. Incorrect. Off-shore transactions may be an indicator of tax evasion, which is illegal.

c. Incorrect. Management should be conservative in revenue recognition, not liberal.

d. Correct. Management deciding to be conservative in their accounting is a good thing. Being conserva-
tive means not overvaluing assets and not underreporting liabilities. It also means recognizing revenue
when it is earned and not underreporting expenses.

114 Solution: c

a. Incorrect. Dunhill is investigating management’s incentives to commit accounting fraud.

b. Incorrect. Dunhill is investigating management’s incentives to commit accounting fraud.

c. Correct. The issues Dunhill is investigating represent potential incentives (or motive) for management
to commit accounting fraud.

d. Incorrect. Dunhill is not investigating compliance, but the incentives to commit accounting fraud.

115 Solution: b

a. Incorrect. Actions that management takes to minimize fraud would be to implement control procedures.

b. Correct. The fraud triangle represents three conditions usually present when fraud occurs. The three
conditions are: pressure (motive), opportunity, and rationalization. Without all three of the conditions
being present, a person will not commit fraud.

c. Incorrect. The fraud triangle represents conditions that need to be present for fraud to occur. It is not a
type of fraud.

d. Incorrect. The fraud triangle represents conditions that need to be present for fraud to occur. It is not
the strategies for unearthing fraud.

116 Solution: c

a. Incorrect. There may be some legitimate costs that could have been capitalized; however, that is not
the purpose of the review. The purpose of the review is to make sure no immaterial costs were capital-
ized.

b. Incorrect. Making sure all maintenance charges were expensed in the period they arose is not the pur-
pose of the review.

c. Correct. When reviewing controls over the capitalization of fixed assets, internal auditors want to verify
that management has not put some immaterial expenses, such as maintenance charges, to the fixed
asset account. The reason for putting maintenance charges to the balance sheet is to improve profita-
bility because these charges would not be expensed in the current period.

d. Incorrect. Reviewing fixed asset depreciation is not the reason for the engagement.

117 Solution: d

a. Incorrect. Delaying installation of a new marketing software package would not be a source of conflict
for the company.

b. Incorrect. Expensing some costs that might be able to be capitalized would not be a conflict for the
company because accountants are supposed to be conservative.

c. Incorrect. The production manager proposing ways to cut costs is what the manager should do.

d. Correct. The procurement manager’s proposal to source an important input material from a relative is
a conflict of interest.

118 Solution: b

a. Incorrect. The lack of segregation of duties is a red flag for an auditor.

b. Correct. A manager’s inability to override controls is not a red flag, but a control strength.

c. Incorrect. A manager who refuses to take his or her normal vacation might signal that the manager is
trying to hide something.

d. Incorrect. Unrestricted access to electronic data or databases would be a red flag for an auditor.

119 Solution: b

a. Incorrect. To understand the money trail is a reason to hire a forensic auditor.

b. Correct. The ultimate goal of the forensic auditor is to obtain a confession by the fraudster, if fraud did
actually occur. Confessions should never be coerced because the accused individual could be innocent.

c. Incorrect. To gather evidence used in court proceedings is a reason to hire a forensic auditor.

d. Incorrect. To quantify the financial loss suffered by the company is a reason to hire a forensic auditor.

120 Solution: c

a. Incorrect. The marketing manager accepting a kickback from an advertising company is detrimental to
the organization. This is because the organization is probably paying more than it should for the ad-
vertising.

b. Incorrect. Embezzling funds is detrimental to organizations.

c. Correct. Paying governmental officials is illegal, but expediting a service would be beneficial to the
organization.

d. Incorrect. Approving a sale to a close relative at below cost is detrimental to the organization.

121 Solution: a

a. Correct. Overriding controls is how management commits fraud, but it is not a reason that managers
commit fraud.

b. Incorrect. Distorting facts to hold off divestment is a reason to commit fraud.

c. Incorrect. Trying to keep your job is a reason to commit fraud.

d. Incorrect. To gain a larger bonus is a reason to commit fraud.

122 Solution: b (I, II and IV)

I. Correct. When assessing fraud risk, internal auditors should determine whether or not the organiza-
tion has set realistic goals and objectives.

II. Correct. When assessing fraud risk, internal auditors should determine whether or not the organiza-
tion fosters an environment of control consciousness.

III. Incorrect. It is not likely an organization would have a forensic auditing expert on staff.

IV. Correct. When assessing fraud risk, internal auditors should determine whether or not recommenda-
tions are established to enhance the control structure to help deter fraud.

123 Solution: a

a. Correct. Impact to the organization’s reputation is the result of fraud being committed by the organi-
zation, but it is not a step in the risk assessment process.

b. Incorrect. Identifying relevant fraud risk factors is a step in the risk assessment process.

c. Incorrect. Mapping existing controls to potential fraud schemes and identifying gaps is a step in the
risk assessment process.

d. Incorrect. Documenting and reporting fraud risk assessment is a step in the risk assessment process.

124 Solution: a

a. Correct. Internal auditing should not design, draft, implement, or manage controls. This is the re-
sponsibility of management.

b. Incorrect. At the conclusion of a fraud investigation, internal auditors should maintain sufficient
knowledge of fraud to identify possible future fraud incidents.

c. Incorrect. At the conclusion of a fraud investigation, internal auditors should determine if controls need
to be implemented or strengthened.

d. Incorrect. At the conclusion of a fraud investigation, internal auditors should design engagement tests
to help disclose frauds in the future.

125 Solution: c

a. Incorrect. Malicious prosecution refers to the prosecution of an individual without probable cause.

b. Incorrect. Libel is published defamation (for example, in a newspaper, film, or letter).

c. Correct. If found innocent, the manager could sue the company and the internal auditor for slander,
which is spoken defamation.

d. Incorrect. Compounding a felony is a situation where an employee has committed a crime, but the em-
ployer agrees not to prosecute in exchange for a consideration (such as repaying stolen funds).
