CIA Part 1 Mock Exam 2
Preparatory Program
Part 1
Mock Exam #2
Question 1: The Institute of Internal Auditing (IIA) provides two types of guidance for internal auditors:
mandatory and strongly recommended guidance. Which of the following is true concerning recommended
guidance?
a) The guidance states how internal auditors should act when conducting their work.
b) The guidance provides a framework for performing and promoting internal auditing.
c) The guidance provides details on how internal auditors should conduct an internal audit.
d) The guidance states the fundamental purpose, nature, and scope of internal auditing.
Question 2: The Standards are a component of the IIA’s International Professional Practices Framework
(IPPF). The IPPF is the conceptual framework that organizes authoritative guidance promulgated by The
Institute of Internal Auditors. Which of the following is true concerning the Standards? The Standards:
d) Do not take precedence over the standards issued by other authoritative bodies.
Question 3: The IPPF provides guidance to internal auditors so they can do their job in accordance with
generally accepted internal auditing practices. Which of the following situations would not be a possible
violation of the IIA’s Standards?
I. At the conclusion of an engagement, the internal auditor invited the client to a football conference
championship game.
II. The internal auditor functionally reports to the Chief Finance Officer (CFO).
IV. The internal auditor, who is not a Certified Internal Auditor, is being encouraged by the audit
committee to become certified.
a) I and II.
b) II and III.
Question 4: Which of the following activities would internal auditing be least likely to perform?
b) Are principles-focused and are used to perform and promote internal auditing.
Question 7: Which of the following best describes the mission of internal auditing? The Mission of Internal
Auditing is:
a) To design and monitor controls that reasonably assure that objectives are met.
b) To verify that conflicts between management and stakeholders do not result in bankruptcies or major
frauds.
c) To ensure the quality of information provided to shareholders and financial markets through the
financial statements.
d) To enhance and protect organizational value by providing risk-based and objective assurance,
advice, and insight.
Question 8: A newly hired Chief Audit Executive (CAE) was reviewing the company’s internal audit charter
as presented by the chair of the audit committee. The CAE noted that the charter was written and approved
by the company’s Chief Financial Officer (CFO). Based on best practices, is this acceptable?
a) Yes, because the CFO is directly concerned about controls, and thus, should have this responsibility.
b) No, because someone outside the company should write and approve the charter.
c) Yes, because the Standards specifically state that the CFO has this responsibility.
Question 9: The internal audit charter provides internal auditors the means to do their work. Which of the
following would generally not be included in the charter?
Question 10: The audit committee is a sub-committee of the board of directors. All of the following are the
general duties and responsibilities of the audit committee except:
Question 11: Which of the following would not be a specific audit committee function?
Question 12: The Standards state that internal auditors are able to provide both assurance and consulting
engagements. Like assurance engagements, consulting engagements are also meant to add value and
improve operations. Which of the following activities would be categorized as consulting engagement(s)?
III. Assessing the adequacy of internal control in a proposed accounts payable system.
IV. Assessing the adequacy of internal control over the accounts receivable system.
b) II and IV.
d) I and II.
Question 13: Which of the following is not true concerning the internal auditing charter?
a) The charter gives the IAA the authority to have access to all company information, even information
concerning a possible merger or acquisition.
d) The CAE has responsibility to periodically review the IAA charter to make sure it is still adequate for
the IAA to accomplish its objectives.
Question 14: A newly hired Chief Audit Executive (CAE) was reviewing the contents of the company’s IAA
charter. The CAE wanted to make sure the charter was adequate so he would be able to accomplish the
objectives laid out by the audit committee and CEO. Which of the following would generally not be a function
of the IAA charter?
b) Providing information about the objectives of the internal auditing activity (IAA).
c) Providing information about the need for a quality assurance and improvement program (QAIP).
Question 15: Internal auditing is an assurance and consulting activity designed to add value and improve
operations. Which of the following could be examples of assurance services provided by internal auditing for
a company’s credit department?
II. The internal auditor provided a training course on the implementation of new controls.
III. The internal auditor advised the credit manager on the impact of changing the credit terms.
a) I and IV.
b) II and III.
c) I and III.
Question 16: Of the following, which statements best describe the purpose of the IIA’s Standards?
I. To provide a framework for performing and promoting a broad range of value-added internal
auditing services.
IV. To provide the principles of how internal auditors should conduct themselves during
engagements.
b) I, II and III.
c) I and III.
d) II and IV.
Question 17: Which of the following would most likely be a violation of the IIA’s Code of Ethics?
d) An internal auditor reported an illegal act to a local newspaper after consulting with the company’s
controller.
Question 18: As a member of the Institute of Internal Auditing (IIA) you are required to abide by the
organization’s Code of Ethics. According to the IIA’s Code of Ethics, integrity:
a) Is making sure the work of the internal auditor is done with honesty and diligence.
c) Involves not disclosing information to individuals who are not authorized to receive the information.
d) Is making sure the auditor has the skills, knowledge, qualifications, and capacity to do their job
effectively.
Question 19: David is a CIA and works as one of two senior internal auditors of a manufacturing company.
David plays on the company’s tag-football team. Recently, the company played a rival team, and during the
game, a serious altercation occurred between David and a player from the other team. David was at fault.
Luckily, no one was seriously injured, but the police were called and David was charged with a
misdemeanor. Is David’s altercation and arrest a violation of the IIA’s Code of Ethics?
a) Yes, because David acted unprofessionally and was charged with a misdemeanor.
b) No, because a fight that occurred during a football game is not a professional activity.
Question 20: An internal auditor was reviewing a company’s fixed assets account to determine the
existence and valuation of the company’s fixed assets. The internal auditor was particularly interested in the
company’s capitalization policy. The internal auditor knows that management likes to capitalize as much as
possible to improve short-term profitability. When reviewing the capitalization account, the internal auditor
noted several questionable transactions, all of which were considered significant. Because of the
capitalization, the company was able to meet its targeted operating profit for the accounting period. The internal
auditor approached the CFO and chief accountant about the issue; however, the internal auditor was told
that the company’s controller accepted the capitalization values, and not to worry about it. If the internal
auditor still believes that the company improperly capitalized some expenses and does nothing about it, the
internal auditor could possibly be in violation of which ethics principle(s)?
Question 21: The independence and objectivity of an internal auditor are crucial components for an
effective internal audit. Which of the following best describes the distinction between the two terms?
a) Objectivity refers to the unbiased mental attitude of individual auditors while independence gives
internal auditors the freedom to operate with an objective, unbiased attitude.
b) Independence is achieved through the status of the IAA while objectivity refers to the freedom an
internal auditor has to conduct the engagement in an unbiased manner.
c) Objectivity is gained through the organizational status of the IAA while independence refers to the
mental attitude of individual internal auditors.
Question 22: Which of the following situations could be considered an engagement scope limitation?
a) The internal auditor does not have complete access to information deemed confidential by the board.
b) The audit committee or board refuses to approve the internal audit work plan.
c) The company’s chief accountant states that requested information is not necessary.
Question 23: During a management meeting, the company’s financial controller was asked how the design
of controls over the company’s new credit-lending process was going. The company recently updated the
process so it would be more automated than in the past. The controller mentioned that he was using the
services of internal auditing to help him design controls over the process. The company’s chief financial
officer (CFO) was surprised that internal auditing was included in the designing of controls. The CFO
commented that based on his knowledge of the internal auditing Standards, “internal auditors cannot
design, draft procedures, install, or manage processes, because the independence and objectivity of the
auditor would be impaired.” Is the CFO’s statement correct?
a) Yes, because internal auditors are only able to conduct assurance engagements, therefore, the
auditor’s independence and objectivity would be impaired.
b) No, because internal auditors are part of the management team, therefore, they should be involved
in the design of controls.
c) Yes, because by helping the controller, the CFO understands that the internal auditor would be
taking ownership of the control process, therefore, the auditor’s independence and objectivity would be
impaired.
d) No, because internal auditing is able to conduct consulting services, as long as the nature of the
service is known and included in the internal auditing charter.
Question 24: An internal auditor was transferred from the company’s payables department six months ago.
The internal auditor’s job responsibility was to match vendor invoices with the company’s purchase orders
and receiving reports. Among other things, the internal auditor was supposed to catch invoice errors and
make sure that the company did not pay for goods not received. The internal auditor has now been assigned
the task of reviewing the controls over accounts payable. Based on the available information, the internal
auditor should:
a) Refuse the engagement, because objectivity could be impaired when only six months have passed
since working in the department.
b) Accept the engagement, because the internal auditor knows the functioning of the department.
c) Refuse the engagement, because independence could be impaired when only six months have
passed since working in the department.
d) Accept the engagement, because enough time has passed since working in the department.
Question 25: An internal auditor of a medium-sized company has been requested by the company’s chief
executive officer (CEO) to temporarily take over responsibility of the company’s accounts receivable
department. The internal auditor managed the department two years ago and knows the department well. The
internal auditor does not feel comfortable with the assignment because the department will be audited in the
near future. The internal auditor knows that objectivity could be impaired if he manages the department and
then has to audit the department. The internal auditor is in a dilemma and does not know what to do. What
would be the best course of action for the internal auditor to take?
a) The auditor should refuse the CEO’s request because independence and objectivity would be
impaired.
b) The auditor ultimately works for the CEO, so the auditor should accept the assignment, but do so
under protest.
c) The auditor ultimately works for the CEO, so the auditor has no choice but to accept the assignment.
However, when time comes to audit the department the internal auditor should not participate in the
audit of the department.
d) The auditor should consult with the audit committee about the issue.
Question 26: Which of the following might give rise to a conflict of interest for a chief audit executive
(CAE)?
II. The CAE recently hired an internal auditor who worked in the company as a financial manager
six months ago.
III. The CAE owns a mutual fund that includes the stock of the company.
IV. A relative of the CAE works as a clerk in a department that is audited by the internal auditing
activity.
c) II only.
d) II and IV.
Question 27: Internal auditors need a mandate that provides the necessary authority within a structure
that supports their independence and objectivity. This mandate can best be achieved by:
Question 28: Which of the following is/are true concerning the decision to establish an internal audit
activity (IAA) within an organization?
a) The board/audit committee wants to get independent and objective assurance on the adequacy of
internal controls from someone other than the CEO or CFO.
b) The chief accountant wants to get independent and objective assurance on the adequacy of internal
controls from someone other than line managers.
c) The organization gets too large or geographically dispersed for frequent and economical first-hand
monitoring of controls by the board/audit committee, CEO, or CFO.
Question 29: Internal auditors are encouraged to avoid all conflicts of interest. Under which circumstance
would there not be a conflict of interest?
d) The internal auditor recently completed an audit of a department where the manager is the internal
auditor’s brother-in-law.
Question 30: The internal audit activity (IAA) may not be able to operate independently and objectively
without sufficient resources and funding. Under which circumstance would independence and objectivity not
be an issue for internal auditing?
a) The CAE was unable to get additional funding for the training of staff.
Question 31: Objectivity is assumed to be impaired in all of the following situations except:
b) The internal auditor is responsible for a part of operations that could be subject to periodic internal
auditing assessment.
c) The internal auditor performed an assurance review of an activity over which the internal auditor
was responsible for 9 months ago.
d) The internal auditor is scheduled to audit an area for which the internal auditor will have future
responsibility.
Question 32: A new member of the audit committee met with an organization’s CAE. During the meeting,
the audit committee member wanted to know more about the activities that are performed by the
organization’s internal audit activity (IAA). Which of the following activities mentioned by the CAE would be
appropriate for the IAA to perform?
II. Recommending procedures for systems of control for the accounts payable process.
III. Installing the system of control for the accounts payable process.
IV. Reviewing control procedures before implementing the accounts payable software program.
a) I and II.
c) II and III.
d) II and IV.
Question 33: Which of the following is/are true concerning auditor independence? An internal auditor with
independence is:
III. Able to continue on an audit assignment at a division for which the auditor was responsible for 4
months ago.
IV. Able to participate on a task force that designed standards of control for a new distribution
process.
a) I and II.
c) I and IV.
Question 34: An organization’s audit committee recently designed a compensation package for its internal
auditors. One of the audit committee members was concerned that the compensation package could impair
the internal auditor’s objectivity. Which of the following is true concerning compensation packages for
internal auditors?
b) Internal auditors should only be compensated based on monetary amounts recovered or
recommended future savings as a result of engagements.
c) The compensation package should be administrated by the organization’s board of directors or the
board’s remuneration committee.
Question 35: An IT department team is studying the possibility of upgrading to an enterprise resource
planning (ERP) system. The team leader of the project has asked for internal auditing’s help to assist with
the project. In this case, what would be an appropriate role for internal auditing?
Question 36: A company’s chief financial officer (CFO) is assessing the company’s credit terms. The CFO
believes the company could increase sales by loosening up the credit terms; however, the CFO is not sure
about the impact on bad debt. The CFO made a request for internal audit to assess the impact on revenue
and bad debt if changes in the credit terms are made. To complete the assignment, at a minimum, the
internal auditor should have what level of competency?
a) Proficiency level.
b) Appreciation level.
c) Understanding level.
d) Knowledge level.
Question 37: Once an internal auditor attains the designation of CIA, in order to maintain this designation,
the internal auditor must:
c) Maintain an acceptable level of skill through achieving a certain number of accounting credits.
d) Maintain an acceptable level of competence through achieving a certain number of continuing
professional development credits.
Question 38: There are three levels of competence. Two of the competence levels are understanding and
appreciation. What is the difference between the two?
a) Understanding is the ability to recognize the existence of a problem. Appreciation is the ability to
know how to solve the problem.
b) Understanding is the ability to recognize problems and solve them without too much assistance.
Appreciation is the ability to know the existence of a problem.
c) Appreciation is the ability to recognize the impact the problem will have on operations.
Understanding is the ability to know that there is a problem.
d) Appreciation is the ability to recognize the existence of a problem. Understanding is the ability to
understand its impact on operations.
Question 39: Based on the Standards, an internal auditor should have a proficiency level in accounting
principles if the auditor is:
Question 40: Based on the Standards, internal auditors must exercise due professional care when
conducting engagements. Which of the following is not true concerning due professional care?
d) Auditors must consider the cost of the engagement in relation to its benefits.
Question 41: An internal auditor was conducting an audit of the company’s revenue-receivables cycle.
When reviewing the accounts receivable process, the auditor discovered that the department was recently
reorganized to cut costs. The auditor noted that positions that should be segregated are now performed by
the same person – the accounts receivable manager. The auditor has known the accounts receivable
manager for several years, so the auditor did no further investigation. At what point did the internal auditor fail
to exercise due professional care?
a) The auditor noted the lack of segregation of duties in the final audit report.
c) The auditor made a recommendation for additional compensating controls over the department.
Question 42: Concerning continuing professional education (CPE), which of the following is not true?
a) Chief audit executives (CAE) are required to complete and report a specified number of CPE hours
every two years.
b) Internal auditors need continuing professional development regardless of whether or not they hold
the CIA designation.
d) Internal auditors currently not holding an appropriate certification are encouraged to pursue an
education program, or obtain a professional certification.
Question 43: Proficiency means that an internal auditor possesses the knowledge, skills, and other
competencies needed to perform his or her responsibilities. Concerning proficiency, which of the following
statements would not be true?
b) Regardless of an internal auditor’s expertise, every internal auditor must be able to evaluate the risk
of fraud and identify key IT risks and controls.
c) Internal auditors are expected to maintain and update their skills through continuing professional
education (CPE).
d) Necessary skills and knowledge are different for each auditor, and an auditor might be proficient in a
number of areas.
Question 44: A chief audit executive (CAE) was discussing the technical competency of his staff with the
audit committee. The CAE is very proud of the team he has put together and is looking to expand the size of
the organization’s internal audit activity (IAA). Besides technical expertise, the CAE also mentioned that he
expects his staff to be proficient in all of the following areas except:
a) Communication.
b) Critical thinking.
c) Satisficing.
d) Negotiation.
Question 45: The IIA’s Global Audit Competency Framework lists ten “core competencies” that are
considered essential for all internal auditors. Which of the following would not be an essential core competency for
internal auditors?
b) Operations management.
d) Professional ethics.
I. Professional Ethics.
III. IPPF.
a) I and II.
b) II and III.
c) II and V.
d) I and IV.
Question 47: An organization’s chief audit executive (CAE) was reviewing existing internal audit staff
competencies. The CAE’s review would include all of the following except:
a) The ability of the staff to complete engagements within the reporting deadline.
Question 48: Which of the following are true concerning what auditors should know? Auditors should
know:
a) I and II.
Question 49: The chief audit executive (CAE) is supervising an audit of the organization’s new payroll
accounting system and needs to hire an IT specialist. When reviewing the specialist’s qualifications to conduct
the audit, the CAE would assess all of the following except:
Question 50: Internal auditors must exercise due professional care by considering all of the following
except:
The Chair of a company’s audit committee was attending a training program on corporate governance
compliance. The Chair, recently appointed, was surprised by the amount of interaction the audit committee
should have with internal auditing. The Chair did not realize that the company’s internal audit activity should
report to the audit committee. The Chair thought the audit committee was only responsible for overseeing
the work of the external auditor.
Question 51: When discussing the desired reporting structure for internal auditing, the training speaker
mentioned several reasons why internal auditing should report to the audit committee. Which of the
following would not be one of those reasons?
a) Reporting to the audit committee gives the audit committee someone inside the company who is
able to report illegal or unethical practices.
b) Reporting to the audit committee enhances the independence and objectivity of internal auditing.
c) Reporting to the audit committee allows the audit committee the opportunity to review the work of
internal auditing so the board and management understand whether internal auditing is a
value-added activity.
d) Reporting to the audit committee gives the audit committee additional authority to take action on
identified control deficiencies.
Question 52: During the training program, the Chair learned about the importance for internal auditing to
establish a quality assurance and improvement program (QAIP). All of the following are reasons for a QAIP
except:
a) To give the audit committee and management confidence that the IAA is operating in conformance
with best practices.
Question 53: Which of the following would not be part of an internal assessment?
a) Reviewing whether the IAA is in compliance with the internal audit charter.
Question 54: A common problem that arises when conducting a quality assessment of an internal audit
activity (IAA) is understanding what is meant by quality. Quality can mean different things to different
people. When measuring the quality of an IAA, which of the following would be least useful to the assessment
team in its quality assessment?
c) The assessor should be independent but should be from within the organization.
d) The assessor would determine whether the IAA adds value and improves the operations of the
organization.
Question 56: The function of internal auditing is to add value and improve operations. A quality assurance
and improvement program (QAIP) is established to assess the work of internal auditing. The QAIP consists
of both internal and external assessments. Which of the following would not be part of the external
assessment?
a) Get feedback from clients on their satisfaction with the work of the internal auditor.
d) Communicate with the external auditor on the work of the internal auditor.
Question 57: The Chair of the audit committee and the chief audit executive (CAE) were discussing the
need for an external review of the internal auditing activity. The Chair believes that an external review would
be useful for several reasons. The CAE agrees with the Chair on the need; however, the CAE thinks a
full-blown external assessment is not necessary. The CAE believes a self-assessment with external validation
would be adequate. Which of the following is/are true concerning the circumstances where a
self-assessment would be justified?
I. The organization frequently has agency regulators reviewing its books and internal controls.
IV. The CAE believes the costs of a full external assessment outweigh its benefits.
a) I, II and III.
b) I, II and IV.
c) I and IV.
d) I and II.
Question 58: Regarding internal auditing, which of the following is/are true concerning the quality of
individual audit engagements? A quality engagement is one which:
IV. Assists independent auditors in their review of an organization’s risk management and control
processes.
a) I and II.
c) I, II and III.
Question 59: A Quality Assurance and Improvement Program (QAIP) should conclude on the quality of the
internal audit activity (IAA) and lead to recommendations for appropriate improvements. Which of the
following is/are true? A QAIP enables an evaluation of:
II. Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
IV. Compliance with applicable laws, regulations, and government or industry standards to which
the independent auditor may be subject.
V. Whether the IAA adds value and offers improvements to the organization’s operations.
Question 60: The chief audit executive (CAE) of a newly-formed internal audit activity (IAA) knows that a
successful IAA has to be perceived as being a value-added function that improves the organization’s
operations. To understand whether the IAA is doing what it needs to be doing in order to achieve its goals, the
CAE should develop and implement a Quality Assurance and Improvement Program (QAIP). QAIPs are
intended to provide the means to assess the efficiency and effectiveness of the IAA. When developing the
QAIP, the CAE needs to determine all of the following except:
b) The role of internal audit management and staff in the quality process.
d) The level of quality desired by the IAA and expected by its stakeholders.
Question 61: The chief audit executive (CAE) has a responsibility to develop and maintain the Quality
Assurance and Improvement Program (QAIP) for both internal and external assessments. The QAIP should be
reviewed at least annually and individual sections of the program should be updated throughout the year as
needed. The inputs to the review include, but should not be limited to:
I. Results from the independent auditor’s assessment of governance, risk management, and
control.
Question 62: The IIA published a Position Paper titled “The Three Lines of Defense in Effective Risk
Management and Control.” All of the following would be an appropriate internal audit role in the Three Lines of
Defense model except:
a) Taking corrective action to address any and all identified control deficiencies.
b) Working together with other control professionals to help the organization manage its risks.
c) Providing assurance on the effectiveness of governance, risk management, and control processes.
Question 63: At the top of the hierarchy of an organization is the board of directors. Which of the following
statements is false concerning the characteristics of good corporate governance and the board?
d) The board should contain a suitable balance of power in order to prevent one person or group of
people from dominating the decision-making of the board.
Question 64: Based on Mendelow’s power/interest matrix, how should a business respond if a stakeholder
has a high level of interest but a low level of power?
Question 65: Audit committee members should be independent non-executive directors. In which of the
following situations would an audit committee member not be considered independent?
I. The member is the former CFO. The member left the company eight months ago.
III. The member has significant stock options in the company that have not vested.
IV. The member is also CEO of the company’s main raw material supplier.
a) I and III.
b) II and IV.
Question 66: The Chair of the audit committee was discussing with other committee members the need for
the company to have an internal auditing activity (IAA). The Chair mentioned that good corporate
governance promotes the establishment of an effective IAA. Which of the following would indicate that the
company needs an effective IAA?
III. There has been a recent increase in the number of unexplained or unacceptable risks.
c) I and IV.
Question 67: Which of the following would not likely be part of internal auditing’s role in the evaluation and
improvement of an organization’s control process?
Question 68: An important part of improving an organization’s governance process is to make sure that the
organization conducts its business ethically. The internal audit activity is encouraged to be an ethics
advocate for the organization. All of the following are ways that the IAA can be an ethics advocate except:
Question 69: In the area of governance, internal auditors and the internal audit activity (IAA) are
encouraged to take an active role in support of the organization’s ethical culture. This may entail sponsoring an
ethics training program or identifying possible ethics violations. During a review of possible ethics violations,
the chief audit executive identified four possible violations. Of the possible violations, which one(s) would be
more likely to be unethical?
I. The marketing manager takes home his business computer for work but also uses the computer
for personal use.
II. The budgeting supervisor promises his assistant an extra day off if she rushes out an important
project by a certain date, but then reneges on the promise by saying there is too much work to
be done.
IV. The finance director applies a common accounting practice to improve earnings that leads to increased
management compensation.
a) II and III.
b) I and III.
c) I and II.
d) II and IV.
a) The social environment should be the main focus of a company’s CSR activities.
b) Business ethics is a complex issue and is the responsibility of senior management and the board.
c) The natural environment should be the main focus of a company’s CSR activities.
d) Companies should be conscious of the impact they are having on society, including economic, social,
and environmental.
Question 71: Archie B. Carroll developed the pyramid of corporate social responsibility. The pyramid suggests
that philanthropic social responsibility is:
b) Desired by society.
c) Expected by society.
d) Mandated by society.
Question 72: An organization’s chief audit executive (CAE) was discussing with board members why the
organization should implement a corporate social responsibility (CSR) program. One of the arguments made
by the CAE in favor of CSR is that:
b) The company is financially able to absorb the cost of the CSR program.
d) The company’s management and board have the skills to solve today’s social problems.
Question 73: Of the following, which statement best describes the term risk? Risks are:
a) Events that cannot be insured against, such as natural disasters, death of key employees, or personal
injury on the business premises.
b) Events that can be insured against, such as natural disasters, death of key employees, or personal
injury on the business premises.
c) Events that can cause personal financial loss or property damage, or mission degradation.
d) Events that can cause personal financial loss or property damage, or mission completion.
Question 75: The members of a risk committee of a global service company are assessing the risks associated
with logistical disruptions in the countries in which it operates. Which of the following best describes
these risks?
Question 76: Which of the following would you expect to find in an organization’s risk strategy?
a) I and III.
c) II and IV.
Question 77: Which of the following would not be a factor that influences an organization’s risk appetite?
d) Changes in technology.
The success of any risk management process depends on the identification of risks. The following list contains
some examples of potential risks:
VII. There are quality and service concerns that affect the customers.
Question 78: Of the listed items, which would be considered operational risks?
c) I and IV.
d) V and VII.
Question 79: Of the listed items, which would be considered compliance risks?
c) I and IV.
d) V and VII.
Question 80: Of the listed items, which would be considered strategic risks?
c) I and IV.
d) V and VII.
Question 81: It is common to assess risk based on the probability of the risk occurring and its impact on
operations, if the risk event does occur. Which of the following items are influences of probability?
I. The company uses the derivative market for both hedging and speculative purposes.
II. Top management practices what it preaches concerning the need for strong controls.
III. Top management is particularly concerned about damage to its brand name.
a) I and II.
b) I and III.
c) II and IV.
Question 82: Risks can be objectively evaluated based on the probability of the risk occurring and its potential
impact on operations. One particular risk that an internal auditor assessed had a low impact but a
higher than average probability of occurring. How should the internal auditor respond to the risk?
a) Establish additional control procedures because there is a high probability of something going wrong.
Question 83: ISO 31000:2018 is a family of standards that provides a set of principles and guidelines for
an organization’s risk management process. ISO 31000 identified six stages in its framework, including
“Monitoring and Review.” Monitoring and Review is best thought of as:
Question 84: Which of the following would not be a reason for management to improve its system of internal
control?
There are three levels of control within organizations: corporate, operational, and transactional.
Question 85: Which of the following would not be an example of an operational-level control?
a) The financial controller submits a 90-day rolling cash budget to the company’s CEO and CFO the first
week of every month.
a) The financial controller submits a 90-day rolling cash budget to the company’s CEO and CFO the first
week of every month.
b) The human resource manager reviews a job description for a financial manager position.
c) The disclosure committee reviews financial and non-financial notes and disclosures over financial
reporting.
Question 87: A company’s human resource manager received a request from the chief executive officer
(CEO) to start working on a job description for a new investment manager position. The CEO is looking for
someone who has at least 3 years of investment management experience, and ideally, the person would be
a chartered financial analyst (CFA). The CEO asked the human resource manager to write up a draft job description
for the position and present it to the executive committee for final review and approval. Making
sure the person is qualified and experienced for the new position is what type of control?
a) Preventive control.
b) Directive control.
c) Corrective control.
d) Detective control.
When a technician in a production area found a product quality problem, he took the initiative and found a
remedy to the problem. Additionally, the technician created procedures so the problem can be quickly identified
and corrected if defective units are found. After meeting with the technician, the quality control
manager decided that additional testing procedures were needed to further minimize the risk of defective
units.
Question 88: The action taken by the technician to create procedures is what type of control?
a) Preventive control.
b) Directive control.
c) Corrective control.
d) Detective control.
Question 89: What type of control is it when the quality control manager decided additional testing procedures
were needed?
a) Preventive control.
b) Directive control.
c) Corrective control.
d) Detective control.
Question 90: When reviewing controls over credit sales, an internal auditor found that the sales manager
authorizes new credit sales. The internal auditor knows that the sales manager should not have the authority
to authorize new credit sales. However, because the company is growing and still has not yet reached its
breakeven point, it was decided not to change the current practice. Based on this, the internal auditor still
recommended that someone not in the sales department provide independent verification that all new creditors
are credit-worthy. What type of control is this?
a) Preventive control.
b) Compensating control.
c) Corrective control.
d) Detective control.
Question 91: Controls can focus on events before, during, or after a process. There are three control types
that managers implement to ensure that work is done according to the plan, or based on some standard.
These controls are referred to as feedforward, feedback, and concurrent controls. A program that alerts
technicians of a problem is an example of what type of control?
a) Concurrent control.
b) Feedforward control.
c) Planning control.
d) Feedback control.
Question 92: Which of the following are true concerning feedback controls?
I. Feedback controls can provide management with useful information on how effective their planning
efforts are.
a) I and III.
b) I and II.
c) II and III.
Question 93: Business professionals talk about the importance of information and the need for an effective
internal control system. Which of the following statements is not a characteristic of an effective control
system?
a) The more material an item is, the more important it is to have tighter controls.
b) The control system should be complex enough so that fraud can be eliminated.
c) The control system must provide the information in a timely manner so that decisions can be made.
d) There should be a positive cost/benefit ratio, which means the cost is less than the benefit received
by implementing the control.
Question 94: Controls can be broken down into two broad categories: (1) automated controls and (2)
manual controls. Which of the following would not be an advantage of an automated control system?
c) Automated controls eliminate the need for manual controls in the tracking and monitoring of risks.
Question 95: The chief audit executive (CAE) for a large manufacturing company gave a lecture on the importance
of internal control to a group of new hires. Which of the following should the CAE list as benefits of
having a sound system of internal control?
I. Greater assurance that all transactions are completely and accurately processed.
III. Assurance that adequate documentation supporting transactions is created and retained.
IV. Assurance that the company’s assets and liabilities are correctly stated so management can
make informed decisions on the operations of the business.
A company was having its annual employee training program. One of the main subjects for this year’s program
was the topic of internal control. For this part, the company invited its internal auditor to talk about
the company’s control system.
Question 96: The internal auditor started off his lecture by talking about the primary beneficiaries of strong
internal controls. Which of the following is not true concerning the beneficiaries of strong internal controls?
a) Investors benefit because they will feel more confident in the reliability of the company’s financial
statements.
b) Customers benefit because they will feel more confident about the quality of the product and/or service.
c) External auditors benefit because they will feel more confident in the opinion they give concerning
the reliability of the company’s financial statements.
d) Management benefits because they will be able to rely less on the work of the internal auditor.
Question 97: The internal auditor further discussed the different parties who are responsible for ensuring
that the company has an effective system of internal control. Which of the following are true concerning
responsibility and a system of internal control?
I. The board is responsible for ensuring that management has the right system of control.
II. The company’s CEO is ultimately responsible for ensuring that the system of control is established
and being executed.
III. Senior managers are responsible for ensuring that the right control policies and procedures are
implemented.
IV. The external auditor is responsible for ensuring that management is carrying out their control
responsibilities.
Question 98: Controls can be classified as either manual or automated. Automated controls would include
all of the following except:
Question 99: Application controls are established to ensure that specific applications are processed in accordance
with management’s specifications and in an accurate and timely manner. Application controls can
be classified as input, processing, and output controls. Which of the following would not be an input control?
b) The program checks the validity and accuracy of the inputted data.
c) A note is sent back to the input operator that the sent files are being printed.
Question 100: Internal controls are actions taken by management that enhance the likelihood that established
goals and objectives will be achieved. Management actions include the establishment and
implementation of control policies and procedures. Which of the following statements are true concerning
the difference between control policies and control procedures?
I. Policies are made by senior management while procedures are usually made in consultation with
employees.
II. Policies guide senior management in decision-making while procedures guide the actions of employees.
III. Policies can be modified by senior management while procedures can only be modified by employees.
IV. Policies are more like rules while procedures are less detailed than policies.
a) I and III.
b) II and IV.
c) I and II.
d) II and III.
Question 101: The Turnbull report was created for the U.K. Financial Reporting Council, which informs directors
of their obligations to keep an effective internal control system, and to maintain appropriate audits
and checks to ensure the quality of financial reporting. Which of the following is/are true concerning what
Turnbull states about a sound system of internal controls? A sound system of control should:
IV. Include procedures for reporting significant weaknesses and failures of controls to the appropriate
level of management.
a) I and III.
b) II and IV.
c) II and III.
d) I and IV.
Question 102: COSO states that the foundation of any control system is the company’s control environment.
An important aspect of a company’s control environment is having the right “tone at the top.” All of
the following are examples of having the right “tone at the top” except:
b) The board decided not to take action against a senior manager for embezzlement because the
amount was not considered significant and the person agreed to return the embezzled funds.
c) Based on company policy, an assembly line worker stopped production when a defective unit was
detected.
d) The board is primarily made up of independent directors who regularly review the company’s internal
controls and risk management policies.
Question 103: An internal auditor was reviewing controls in the mailroom and verifying that checks are
properly received and deposited. The internal auditor is particularly concerned that checks might be lost or
stolen, or a check could be fraudulently altered so an employee could cash the check under his or her own
name. The best control to minimize these risks would be:
Question 104: During a review of the sales department, an internal auditor discovered that there had been
several incidents of stock-out, which led to customer complaints. Further investigation found that the items
should have been in stock based on information given by the computer system. The best control to make
sure a sales clerk does not make a sale based on faulty stock information is to:
c) Check to make sure items are in stock before processing the sales order.
Question 105: The head of security received some information that a purchasing agent was receiving kickbacks
from one of the company’s vendors. The best control to minimize the possibility of kickbacks is to:
b) Have a strong code of conduct and periodically rotate the purchasing agents.
d) Verify that the purchasing agent is not living beyond his or her means.
Question 106: Risk assessment includes the identification, analysis, and management of risks. Concerning
risk assessment, which of the following is not true?
b) The formality of a company’s risk assessment process depends on the size and complexity of the
company.
c) Risk assessment in larger companies is most often the responsibility of lower-level managers.
d) It is generally recognized that smaller and less complex companies are going to have less effective
risk assessment processes.
An internal auditor was reviewing controls over the sales process. The internal auditor noted the following
activities within the sales department:
I. The sales clerk, who makes the sale and collects the cash, does not reconcile the daily cash receipts
account.
III. On a regular basis, the internal controller takes a sample of sales to be sure that they are
properly recorded.
b) Segregation of duties.
c) Authorization.
d) Independent checks.
b) Segregation of duties.
c) Authorization.
d) Independent checks.
b) Segregation of duties.
c) Authorization.
d) Independent checks.
Question 110: The objective of the purchases-payable cycle is to make sure only authorized orders are received
and inventoried. Concerning the purchases-payable cycle, which of the following activities would not
be compatible?
a) The purchasing manager reviews the purchase requisition and approves the vendor purchase order.
b) The purchasing manager approves the vendor purchase order and records the transaction to the accounts
payable journal.
c) The purchasing manager reviews the purchase requisition and approves bad debt write-offs.
d) The purchasing manager approves the vendor purchase order and reconciles daily cash receipts.
Question 111: COSO defines monitoring as a system that is implemented to help ensure that internal controls
continue to operate effectively. All of the following are benefits of having a properly designed and
implemented monitoring program except:
b) There is a greater chance that control problems will be identified and corrected on a timely basis.
d) The company should be able to produce more accurate and reliable information for decision-making.
Question 112: If an internal auditor wanted to know if a particular risk had the right control, which matrix
should the internal auditor use?
a) Questionnaire matrix.
b) Sampling matrix.
Question 113: Fraud is defined as any illegal act characterized by deceit, concealment, or violation of trust.
Of particular concern for companies is management fraud, because those in a position of authority are committing
the fraud. Which of the following is not likely to be a fraud risk factor relating to management?
Question 114: Ian Dunhill, CIA and Certified Fraud Examiner (CFE), is the leader of a team investigating
the finances of GreenVest, a venture capital firm that funds alternative sources of energy. Because of its
wide-ranging investment portfolio, the company has a fairly complex financial structure. Dunhill and his
team are to assess the firm’s operational results, including a recent decline in operating profits and cash
flows. Dunhill must also determine how the firm responds to its strict investment covenants. Lastly, Dunhill
is to investigate the executive directors’ compensation packages, including holdings of stock options in the
firm, which are believed to be quite high. Which portion of the fraud triangle are Dunhill and his team investigating?
a) Opportunity
b) Policies
c) Incentives
d) Compliance
Question 116: An internal auditor was conducting an engagement to review controls over the capitalization
of fixed assets. The purpose of the review is to verify that:
a) Management has not put some legitimate costs to the balance sheet.
c) Management has not put some immaterial expenses to the fixed asset account.
Question 117: Which of the following situations might undermine a company’s integrity?
a) The marketing manager proposes to delay installation of a new marketing software package until
after closing an important client contract.
b) The CFO tells the chief accountant to expense some costs that the chief accountant believes could be
capitalized.
c) The production manager proposes a new input material mix to reduce costs and increase profitability.
d) The procurement manager proposes to source an important input material from a close relative.
Question 118: When planning an engagement, internal auditors need to have some awareness of the risk
factors and red flags of fraud. All of the following are possible red flags the internal auditor needs to be
aware of except:
c) Managers who refuse to take a vacation because they are too busy.
Question 119: During a fraud investigation, a forensic auditor was hired to help with the investigation. All
of the following are reasons a company would hire a forensic auditor except:
Question 120: Fraud is most often thought of as being a detriment to organizations; however, there are
cases where fraud could be beneficial. Which of the following examples of fraud would benefit an organization?
c) The CFO authorizes a payment to a foreign governmental official to expedite a business deal.
d) The sales manager approves the sale of goods to a close relative at below cost.
Question 121: Managers commit fraud for all of the following reasons except:
Question 122: Which of the following is/are true when assessing fraud risk? Internal auditors should determine
whether or not:
IV. Recommendations are established to enhance the control structure to help deter fraud.
a) I and II.
Question 123: The Practice Guide Internal Auditing and Fraud outlines five key steps of fraud risk assessment.
Which of the following would not be a fraud risk assessment step?
Question 124: It is not unusual for internal auditing to be part of a fraud investigation. Based on this, at
the conclusion of a fraud investigation, internal auditors should do all of the following except:
Question 125: During a preliminary fraud investigation, an internal auditor suspected that a departmental
manager had embezzled a sizeable amount of money from the company. The internal auditor reported the
matter to management and turned over all findings to the security department. The manager denied embezzling
the funds, but the internal auditor did not believe the manager. During a company get-together, the
internal auditor talked about the manager’s guilt to other employees. When the manager found out about
the internal auditor’s behavior, the manager proceeded to sue the company for:
a) Malicious prosecution.
b) Libel.
c) Slander.
d) Compounding a felony.
CIA Part 1 Mock Exam #2 Answers
Solutions
The chart below cross-references the question numbers for Part 1 (MOCK EXAM #2) with the topics tested:
Section V: Governance, Risk Management, and Control
C. Ethics 68 - 69
D. Corporate Social Responsibility 70 - 72
E, F, G, H. Risk and Risk Management 73 - 83
1 Solution: c
a. Incorrect. Mandatory guidance states how internal auditors should act when conducting their work.
b. Incorrect. Mandatory guidance provides a framework for performing and promoting internal auditing.
c. Correct. Practice guides provide guidance for conducting an internal audit. These practice guides include
processes and procedures, tools and techniques, programs, step-by-step approaches, and
examples of deliverables. These practice guides are part of the IIA’s strongly recommended guidance
framework.
d. Incorrect. Mandatory guidance states the fundamental purpose, nature, and scope of internal auditing.
2 Solution: c
b. Incorrect. Internal auditors are held accountable even when performing consulting engagements, not
just during assurance engagements.
c. Correct. This is true concerning Standards. They do help internal auditors fulfill their responsibilities
when conducting internal audits.
I. Not a Violation. Since the internal auditor invited the client, this would not be a violation of the
Standards.
II. Violation. The internal auditor should not functionally report to the CFO. The internal auditor should
functionally report to the board/audit committee.
III. Not a Violation. It is acceptable for the internal auditor to write the draft copy of the charter. Approval
of the charter is the responsibility of senior management and the board.
IV. Not a Violation. Internal auditors are encouraged to be certified; however, it is not mandated that
they are certified.
4 Solution: c
b. Incorrect. Verifying the value of an asset account balance is something internal auditing could do.
d. Incorrect. Determining the company’s compliance with environmental laws and regulations is something
internal auditing could do.
5 Solution: b
a. Incorrect. The Implementation Guidance does not detail internal auditing processes and procedures.
b. Correct. The Implementation Guidance does assist internal auditors in applying the Definition of Internal
Auditing, the Code of Ethics, and the Standards, and promoting good practices.
c. Incorrect. The Implementation Guidance does not highlight significant audit findings and recommendations
and report on the approved audit work schedule.
d. Incorrect. The Implementation Guidance does not assist the CAE in resolving issues before reporting
the findings to the audit committee.
6 Solution: b
b. Correct. According to the IPPF, the Standards are principles-focused and provide a framework for performing
and promoting internal auditing.
c. Incorrect. The Practice Advisories provide guidelines for conducting an internal audit.
d. Incorrect. The Standards do not assist internal auditors in better understanding significant issues of
internal auditing.
7 Solution: d
b. Incorrect. The mission of internal auditing is not to verify that conflicts between management and
stakeholders do not result in bankruptcies or major frauds.
c. Incorrect. To ensure the quality of information provided to shareholders and financial markets through
the financial statements is the function of the external auditor.
d. Correct. Directing the establishment of internal controls systems would impair objectivity.
8 Solution: d
b. Incorrect. The charter should be approved by the board of directors. It should not be written by someone
outside the company.
c. Incorrect. If the CFO writes and approves the charter, this would impair the independence of internal
auditing.
d. Correct. If the CFO writes and approves the internal auditing charter, the CFO could control the work
of the internal auditor. This could impair the work of the internal auditor.
9 Solution: a
a. Correct. The scope of an individual engagement would not be included in the charter. The scope of the
engagement would be in the engagement work plan.
b. Incorrect. The charter should include the scope, objectives, authority, and accountability
of the IAA.
c. Incorrect. The charter should include the scope, objectives, authority, and accountability
of the IAA.
d. Incorrect. The charter should include the scope, objectives, authority, and accountability
of the IAA.
10 Solution: b
a. Incorrect. The audit committee is responsible for the hiring and firing of the external auditor.
b. Correct. Evaluating the compensation packages of senior managers would be the general responsibility
of the remuneration committee, not the audit committee.
c. Incorrect. The audit committee is responsible for approving the annual audit plan.
d. Incorrect. Reporting to the audit committee confirms the independence of the IAA.
11 Solution: a
a. Correct. Strategic planning is a function generally left to the board and management. It is not something
the audit committee would be involved in.
b. Incorrect. Reviewing financial statements before publication is a function of the audit committee.
c. Incorrect. Reviewing the work of the external auditor is a function of the audit committee.
d. Incorrect. Reviewing the work plan of the IAA is a function of the audit committee.
II. Correct. Assisting management in estimating the savings from outsourcing a process is a possible consulting
service.
III. Correct. Assessing the adequacy of internal control in a proposed accounts payable system is a possible
consulting service.
IV. Incorrect. Assessing the adequacy of internal control over the accounts receivable system is an assurance
engagement, not consulting.
13 Solution: a
a. Correct. Based on the Standards, the charter gives the internal auditor authority to have access to all
records and personnel deemed necessary for the completion of an engagement. However, there still
might be some company information that the internal auditor would not have access to, such as information
concerning a possible merger or acquisition.
d. Incorrect. The CAE has responsibility to periodically review the IAA charter to make sure it is still adequate
for the IAA to accomplish its objectives.
14 Solution: d
a. Incorrect. Stating who the CAE will report to should be included in the IAA charter.
b. Incorrect. Laying out the objectives of the IAA should be included in the IAA charter.
c. Incorrect. Providing information about the need for a QAIP should be included in the IAA charter.
d. Correct. Detailing the compensation package of the CAE is not a function of the charter. The CAE’s
compensation would be the responsibility of the audit committee, not the IAA charter.
I. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, internal auditors are expected to recommend standards of control.
III. Incorrect. Providing advice to a client would be connected with a consulting service.
IV. Correct. “Assurance engagements involve the auditor’s objective assessment of evidence to provide an
independent opinion or conclusion regarding an entity, operation, process system, or other subject
matter.” Based on this, assessing and evaluating credit risk would be connected with an assurance engagement.
I. Correct. The Standards do provide a framework for performing and promoting a broad range of value-
added internal auditing services.
II. Correct. The Standards do establish a basis for evaluating the performance of internal auditing.
III. Correct. The Standards do describe the basic principles of best practices of internal auditing.
IV. Incorrect. The Standards do not tell internal auditors how they should conduct themselves during
engagements.
17 Solution: d
a. Incorrect. If requested by a judge, an internal auditor would be obliged to divulge confidential information.
b. Incorrect. With proper supervision, an internal auditor with limited IT experience could be involved in
an IT audit.
d. Correct. No information should be divulged to a local newspaper under any circumstance. Illegal acts
have to be first reported to senior management, and in some cases, reported to the appropriate authorities,
if requested to do so.
18 Solution: a
b. Incorrect. Integrity does not have to do with adhering to the IIA’s Code of Conduct.
c. Incorrect. Not disclosing information has to do with confidentiality, not with integrity.
d. Incorrect. Making sure the auditor has the skills, knowledge, qualifications, and capacity to do their job
effectively is connected with competence, not with integrity.
19 Solution: b
a. Incorrect. Even though David’s behavior is suspect, the incident was not related to his professional
work.
b. Correct. The IIA Code of Ethics covers members’ professional activity only, such as fraud, theft, or deceit.
Being charged with a misdemeanor because of an altercation during a football game would not be
a violation of the IIA’s Code of Ethics.
c. Incorrect. The Code of Ethics covers members’ professional activity only.
20 Solution: b
a. Incorrect. Only the principles of integrity and objectivity are violated. The competence principle is not
violated because the internal auditor had the skills and knowledge to perform the engagement.
b. Correct. If the internal auditor does nothing to rectify the situation, then the internal auditor could be
in violation of two ethics principles: integrity and objectivity. Concerning objectivity, the internal auditor
“shall disclose all material facts known to them, that if not disclosed, may distort the reporting of
activities under review.” Concerning integrity, the internal auditor “shall perform their work with honesty,
diligence, and responsibility.” It also says the internal auditor “shall not knowingly be party to any
illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the
organization.” If the internal auditor does nothing about the matter, then the internal auditor is complicit
in the act.
c. Incorrect. The principle of integrity is violated; however, the principle of competence is not violated.
d. Incorrect. The principles of objectivity and integrity are violated; however, the confidentiality principle
is not violated because no information was compromised.
21 Solution: a
a. Correct. Objectivity is a mental attitude that internal auditors should maintain while performing engagements.
The internal auditor should have an impartial, unbiased attitude and avoid conflict of
interest situations. Independence refers to the freedom to conduct audit activities in an unbiased manner.
Therefore, objectivity refers to the unbiased mental attitude of individual auditors while
independence gives internal auditors the freedom to operate with an objective, unbiased attitude.
b. Incorrect. Independence is achieved through the status of the IAA; however, objectivity refers to the
unbiased mental attitude of individual auditors.
c. Incorrect. Independence is gained through the organizational status of the IAA, not objectivity.
d. Incorrect. The terms are different. The words are not synonymous, nor are they interchangeable.
22 Solution: c
a. Incorrect. It is possible that the board might deem some information confidential, even from internal
auditing.
b. Incorrect. Refusing to approve the internal audit work plan is not a scope limitation.
c. Correct. A scope limitation is a restriction that keeps internal auditors from achieving the objectives of
an engagement. Internal auditors need to have complete access to all information deemed necessary to
complete an engagement, including access to records, personnel, and property. The chief accountant
saying that some information is not necessary could be seen as a scope limitation.
d. Incorrect. A company’s controller should suggest ways to improve controls over operations.
23 Solution: d
a. Incorrect. Internal auditors are able not only to conduct assurance engagements but also to perform consulting
services. It is acceptable for the controller to use the services of the IAA as long as the
IAA does not take ownership of the controls.
c. Incorrect. Independence would be impaired only if the internal auditor has ownership of the control
process, which does not happen automatically simply by helping the controller.
d. Correct. Based on the Standards, internal auditing is able to conduct consulting services as long as the
nature of the internal auditor’s help is known and included in the charter. The internal auditor would be
OK, as long as the internal auditor provided advice and does not take ownership of the controls.
24 Solution: a
a. Correct. The internal auditor should not be assigned the task of reviewing controls over the payable
department because only six months have passed since working in the department. It is advised that
the waiting period should be no less than one year.
b. Incorrect. The internal auditor should not accept the engagement because objectivity would be impaired
since the internal auditor knows the department.
d. Incorrect. It is generally accepted that a period of no less than one year should pass between working
in a department and auditing it.
25 Solution: c
a. Incorrect. Ultimately, the internal auditor works for the CEO and therefore the internal auditor cannot
refuse the CEO.
b. Incorrect. Ultimately, the internal auditor works for the CEO so protesting the CEO would not be a recommended
course of action.
c. Correct. If the CEO makes a request of the internal auditor, the internal auditor has no choice but to
accept the assignment. However, the internal auditor needs to make sure not to participate in the audit
of the department.
d. Incorrect. The best course of action would be to accept the assignment, but when the time comes to audit
the department the internal auditor should not participate in the audit of the department.
I. Incorrect. Teaching IAA courses on the weekend would not give rise to a conflict of interest.
II. Correct. The only situation that could give rise to a conflict of interest for the CAE is hiring someone
who worked as a financial manager in the company. The Standards say that a period of at least one
year should pass before auditing the area you were once responsible for. Based on this, the internal
auditor should not be involved in any engagements concerning his or her former responsibility area.
III. Incorrect. Mutual funds are investment funds that consist of many different types of investment assets.
It would not be unusual for the CAE to own a mutual fund that might include the stock of the company
the CAE works for.
IV. Incorrect. Because clerks have no managerial responsibility, it would not be a conflict of interest if a
relative of the CAE works in the department being audited by the IAA.
27 Solution: b
b. Correct. Internal auditors need a mandate that provides the authority they need within a structure that
supports their independence and objectivity. This can best be achieved through a written charter for the
internal audit function that is aligned with the mandate and needs of the audit committee.
c. Incorrect. The IAA should functionally report to the board or audit committee.
d. Incorrect. Only answer (b) is true concerning the mandate of the IAA.
28 Solution: d
b. Incorrect. The primary function of the chief accountant is to oversee all accounting functions such as
ledger accounts, financial statements, and cost control systems. The focus of the chief accountant includes
regulatory compliance and practices and collaborating with the CFO in developing financial
strategies.
d. Correct. Both (a) and (c) are true. The board/audit committees do want to get independent and objective
assurance on the adequacy of internal controls from someone other than the CEO or CFO. Also, the
organization gets too large or geographically dispersed for frequent and economical first-hand monitoring
of controls by the board/audit committee, CEO, or CFO.
29 Solution: c
b. Incorrect. Borrowing money from a client could impair the internal auditor’s objectivity.
c. Correct. Facilitating a control self-assessment workshop is something internal auditors can do, and are
encouraged to do.
d. Incorrect. Auditing a department where the internal auditor’s brother-in-law is the manager could impair
the internal auditor’s objectivity.
30 Solution: c
a. Incorrect. Insufficient training might invite compromises or shortcuts that would impair the IAA’s position
in the organization.
b. Incorrect. Inadequate staffing might invite compromises or shortcuts that would impair the IAA’s position
in the organization.
c. Correct. The CAE has a responsibility to make sure all working papers provide evidence that sufficient
information was obtained by the internal auditor to support his or her recommendation.
d. Incorrect. Outdated technology might invite compromises or shortcuts that would impair the IAA’s position
in the organization.
31 Solution: a
a. Correct. Periodically evaluating the bank reconciliation process is something the internal auditor should
do.
b. Incorrect. If the internal auditor is responsible for a part of operations that could be subject to periodic
internal auditing assessment, then this could impair the internal auditor’s objectivity.
c. Incorrect. Reviewing an activity for which the internal auditor was responsible 9 months ago could
impair the internal auditor’s objectivity.
a) Incorrect. Scheduling an audit of an area for which the internal auditor will have future responsibility could
impair the internal auditor’s objectivity.
I. Incorrect. Internal auditing should not design controls, because this could impair the internal auditor’s
objectivity.
II. Correct. Recommending procedures is something that internal auditing could perform.
III. Incorrect. Internal auditing should not install systems of control, because this could impair the internal
auditor’s objectivity.
IV. Correct. Reviewing controls before implementation is something that internal auditing could perform.
II. Correct. Reducing the scope of an audit due to budget cutbacks does not constitute a violation of an
auditor's independence.
III. Incorrect. The Standards say that a period of at least one year should pass before assigning an auditor
to an area where he or she previously worked.
IV. Incorrect. The Standards state that an auditor may recommend standards of control for new systems.
However, designing, installing, or operating such systems might impair objectivity.
34 Solution: c
a. Incorrect. The compensation package should be administered by the organization’s board of directors
or the board’s remuneration committee.
c. Correct. The board of directors should administer the internal auditor’s compensation package.
d. Incorrect. The compensation package might consist of other forms of compensation, such as stock options,
cash bonuses, and so forth, but would not consist only of stock options.
35 Solution: a
a. Correct. Internal auditors must consider standards of control and review procedures before implementation.
However, objectivity is considered to be impaired if internal auditing designs, installs, drafts
procedures, or operates systems (PA 1120-1). Ascertaining the cost-benefit relationships, by contrast,
would be an appropriate role for the internal auditor.
36 Solution: c
a. Incorrect. Assessing the impact on revenue and bad debt takes an understanding level of competence,
not a proficiency level.
b. Incorrect. The internal auditor would have to have more than an appreciation level of competence.
c. Correct. At a minimum, the internal auditor should have an understanding level of competency. This
means the auditor is able to assess the impact that changes in the credit terms will have on revenue
and bad debt.
d. Incorrect. The internal auditor would have to have more than a knowledge level of competence.
37 Solution: d
a. Incorrect. To maintain the CIA designation, internal auditors must achieve a specific number of CPD
credits, not accounting credits.
b. Incorrect. Showing proficiency in the application of management principles does not have to do with
maintaining the CIA designation.
c. Incorrect. To maintain the CIA designation, internal auditors must achieve a specific number of CPD
credits, not accounting credits.
d. Correct. All certified internal auditors must achieve a specific number of CPD credits every two years.
The CPDs are required so that the internal auditor can maintain his or her skill and proficiency level.
38 Solution: d
a. Incorrect. Appreciation is the ability to recognize the existence of a problem, not understanding. Also,
proficiency is the ability to know how to solve the problem.
c. Incorrect. Understanding is the ability to recognize the impact the problem will have on operations, not
appreciation. Also, appreciation is the ability to know that there is a problem, not understanding.
d. Correct. Understanding means the ability to apply broad knowledge to situations likely to be encountered,
to recognize significant deviations, and to be able to carry out the research necessary to arrive at
a reasonable solution. Appreciation is the ability to recognize the existence of problems or potential
problems and to identify the additional research to be undertaken or the assistance to be obtained.
39 Solution: b
a. Incorrect. Reviewing controls over the handling of inventory takes an understanding of control processes,
not a proficiency in accounting standards.
b. Correct. An internal auditor should be proficient in accounting standards if the auditor is checking the
valuation of inventory. The auditor would have to know how to value the inventory based on the acceptable
accounting principles. If inventory is found to be overstated, then the auditor has to know how
much to write down the inventory. This takes a high level of knowledge about accounting.
c. Incorrect. Assessing the impact on operations if credit terms are relaxed takes analytical skills, not a
proficiency in accounting standards.
d. Incorrect. Reviewing controls over petty cash takes an understanding of control processes, not a proficiency
in accounting standards.
40 Solution: b
a. Incorrect. Exercising due professional care does not mean internal auditors are expected to be infallible
when conducting engagements.
b. Correct. Even having proper assurance procedures does not guarantee significant risks will be identified.
c. Incorrect. Exercising due professional care does apply to both assurance and consulting engagements.
d. Incorrect. Exercising due professional care means internal auditors must consider the cost of the engagement
in relation to its benefits.
41 Solution: b
a. Incorrect. Noting the lack of segregation of duties is exercising due professional care.
b. Correct. The auditor failed to exercise due professional care because the auditor presumed everything
was OK because of his or her relationship with the manager. In this case, the auditor should have expanded
the testing to feel comfortable that fraud is not being committed.
c. Incorrect. Recommending additional controls if found to be deficient is exercising due professional care.
d. Incorrect. Informing the CAE of the deficiency and asking for advice is exercising due professional care.
42 Solution: a
a. Correct. It is possible for the CAE to be non-CIA certified; however, the CAE is still encouraged to enhance
and maintain his or her skill and knowledge level by attending education programs, or obtaining
a relevant professional certification, such as CMA, CIA, CPA, ACA, ACCA, and so on.
b. Incorrect. The work of internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.
c. Incorrect. The work of internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.
d. Incorrect. The work of internal auditing takes a high level of skill and knowledge. Therefore, internal
auditors should always be looking for ways to improve their skill level through some type of education
program.
43 Solution: a
a. Correct. A single auditor can be proficient in a number of areas, not just accounting.
b. Incorrect. This is true concerning proficiency. Every internal auditor must be able to evaluate the risk of
fraud and identify key IT risks and controls.
c. Incorrect. This is true concerning proficiency. Internal auditors are expected to maintain and update
their skills through continuing professional education (CPE).
d. Incorrect. This is true concerning proficiency. The necessary skills and knowledge are different for each
auditor, and an auditor might be proficient in a number of areas.
44 Solution: c
c. Correct. Satisficing is choosing the first satisfactory option instead of looking for the optimal solution.
Internal auditors should always strive for the optimal solution.
45 Solution: b
a. Incorrect. Improvement and innovation is one of the ten core competencies that are considered essential
for all internal auditors.
c. Incorrect. Internal audit delivery is one of the ten core competencies. This means that the internal audit
activity is able to deliver internal audit engagements.
d. Incorrect. Professional ethics promotes ethical behavior and is one of The IIA’s core competencies.
I. Correct. The foundation that forms the Competency Framework consists of Professional Ethics and Internal
Auditing Management.
II. Incorrect. Governance, Risk, and Control is under the heading of Technical Expertise.
IV. Correct. The foundation that forms the Competency Framework consists of Professional Ethics and Internal
Auditing Management.
V. Incorrect. Internal Audit Delivery is at the top of the Framework, along with Improvement and Innovation.
47 Solution: b
a. Incorrect. The ability of staff to complete audits on time would be part of the CAE’s review process.
b. Correct. Internal auditors should not manage operating systems, so this would not be part of the CAE’s
review process.
c. Incorrect. The knowledge of relevant risk management and control systems would be part of the CAE’s
review process.
d. Incorrect. The knowledge of the regulatory requirements would be part of the CAE’s review process.
II. Correct. Based on PA 1210-1, auditors should know key information-technology risks and controls.
III. Correct. Based on PA 1210-1, auditors should know available technology-based audit techniques.
IV. Incorrect. Maintaining a satisfactory relationship with engagement clients is a skill that internal auditors
should develop.
49 Solution: c
a. Incorrect. The CAE would assess the relevant professional certifications of the specialists.
d. Incorrect. The CAE would review the experience and education of the specialist.
50 Solution: a
a. Correct. The adequacy and effectiveness of the audit committee is the responsibility of the board.
b. Incorrect. Internal auditors exercise due professional care by considering the cost of assurance in relation
to potential benefits.
c. Incorrect. Internal auditors exercise due professional care by considering the relative complexity of the
engagement.
d. Incorrect. Internal auditors exercise due professional care by considering the probability of significant
errors and fraud.
51 Solution: d
a. Incorrect. Being the “eyes and ears” of the audit committee is a valid reason for internal auditing to
report to the audit committee.
b. Incorrect. Reporting to the audit committee does in fact enhance the independence of internal auditing.
c. Incorrect. Reporting to the audit committee does allow the audit committee the opportunity to review
the work of internal auditing in order to better understand whether it is a value-added function.
d. Correct. The audit committee reviews, assesses, and evaluates controls, but the audit committee is not
part of management, so it does not have the authority to take action on identified control deficiencies.
52 Solution: c
a. Incorrect. Establishing a QAIP is done so the audit committee and management can have greater assurance
that the IAA is conforming to best practices.
b. Incorrect. Establishing a QAIP is done so areas of the IAA that need improving can be highlighted.
c. Correct. The QAIP is designed to evaluate whether or not the work of the company’s IAA is in conformance
with the definition of internal auditing, the Standards of internal auditing, and the Code of
Ethics. Assisting in the planning of engagements is not a reason for the QAIP.
53 Solution: a
a. Correct. Reviewing the IAA charter would be part of the external assessment, not internal assessment.
b. Incorrect. Assessing how many recommendations were implemented by management would be part of
the internal assessment.
c. Incorrect. Assessing how well internal auditing is viewed by its clients would be part of the internal assessment.
d. Incorrect. Reviewing actual and budgeted costs would be part of the internal assessment.
54 Solution: b
a. Incorrect. Using The IIA’s Standards would be a useful tool for the assessment team.
b. Correct. Getting feedback from the audit committee would probably assist the team the least in its assessment.
The others, including using the Standards, benchmarking, and getting feedback from the
clients would be more helpful in assessing the effectiveness and efficiency of the IAA.
c. Incorrect. It is the clients who benefit from the services of the IAA; therefore, getting feedback from
the clients would be a useful source for the assessment team.
d. Incorrect. Benchmarking against other IAAs would be a useful source for the assessment team.
55 Solution: c
b. Incorrect. The external assessment should be done at least every five years.
c. Correct. The assessor should be independent. This means that there should not be any conflict of interest.
This generally means the assessor does not work for the company and is not intimately familiar
with the operations.
d. Incorrect. Assessing whether the IAA adds value and improves operations is a reason for the external
assessment.
56 Solution: d
a. Incorrect. Client satisfaction with internal auditing would be part of the external assessment.
b. Incorrect. Expressing an opinion on the overall work of the IAA would be part of the external assessment.
c. Incorrect. Benchmarking against the best practices would be part of the external assessment.
d. Correct. The results of the external assessment would generally not be communicated to the external
auditor. The results are for internal purposes so the company’s board and management can feel comfortable
with the work of internal auditing – it is doing what it should be doing.
I. Correct. A self-assessment may be appropriate if the organization frequently has agency regulators
reviewing its books and internal controls.
II. Correct. A self-assessment may be appropriate if the organization operates in an industry that has extensive
oversight.
III. Incorrect. Whether an organization is publicly-listed or not does not impact whether a self-assessment
is appropriate.
IV. Correct. A self-assessment may be appropriate if, in the opinion of the CAE, the costs of the external
assessment outweigh the benefits.
I. Correct. A quality audit engagement is one that meets the client’s expectations.
II. Correct. A quality audit engagement is one that conforms with the Standards.
III. Correct. A quality audit engagement is one that is undertaken in accordance with an established methodology
that promotes quality.
I. Incorrect. This would be true if the statement said the adequacy of the IAA’s charter.
II. Correct. This is true. The QAIP enables an evaluation of the conformance with the Definition of Internal
Auditing, the Code of Ethics, and the Standards.
III. Correct. This is true. The QAIP enables an evaluation of the risks affecting the operation of the IAA.
IV. Incorrect. This would be true if the statement said compliance with applicable laws, regulations, and
government or industry standards to which the IAA may be subject.
V. Correct. This is true. The QAIP enables an evaluation of whether the IAA adds value and offers improvements
to the organization’s operations.
60 Solution: a
a. Correct. The size, structure, and nature of the IAA will depend on the needs of the organization.
b. Incorrect. This is true. A key aspect to developing a QAIP is to determine the role of internal audit management
and staff in the quality process.
c. Incorrect. This is true. A key aspect to developing a QAIP is to determine the frequency of self-assessments
and external assessments.
d. Incorrect. This is true. A key aspect to developing a QAIP is to determine the level of quality desired by
the IAA and expected by its stakeholders.
I. Incorrect. This is not true. Independent auditors, unless specifically hired to do so, will not do an assessment
of governance, risk management, and control.
II. Correct. This is true. The input for the QAIP would include client feedback.
III. Correct. This is true. The input for the QAIP would include follow-up actions from previous assessments
and/or reviews.
IV. Correct. This is true. The input for the QAIP would include recommendations for improvement.
V. Correct. This is true. The input for the QAIP would include other changes that could impact the quality
management system.
62 Solution: a
a. Correct. Taking corrective action is a management function, not an internal audit function.
b. Incorrect. The role of internal audit is to work together with other control professionals to help organizations
manage their risks.
c. Incorrect. The role of internal audit is to provide assurance on the effectiveness of governance, risk
management, and control processes.
d. Incorrect. The role of internal audit is to report to the board and senior management on significant control
deficiencies.
63 Solution: b
a. Incorrect. This statement is true. The roles of the board Chair and CEO should be separated.
b. Correct. This statement is false. The majority of the board members should be independent non-executive
directors.
c. Incorrect. The statement is true. The board members should reflect a mix of backgrounds and perspectives.
d. Incorrect. This statement is true. The board should contain a suitable balance of power in order to prevent
one person or group of people from dominating the decision making of the board.
64 Solution: c
a. Incorrect. This statement is true of key players. Key players are stakeholders with high interest and
strong power.
b. Incorrect. Communicating only when necessary would be the strategy for stakeholders with low interest
and low power. Organizations can ignore these stakeholders.
c. Correct. Stakeholders with high interest but low power need to receive regular communications.
Stakeholders in this quadrant can increase their overall influence by forming coalitions with other
stakeholders to exert greater pressure.
d. Incorrect. Stakeholders that need to be kept satisfied have low interest but strong power.
I. Correct. The Standards recommend a period of no less than one year from the time the member left
the position.
II. Correct. If the member’s brother-in-law was the CEO, then this could be an impairment to independence.
III. Correct. Having a significant number of stock options could be an impairment to independence.
IV. Correct. The member also being the CEO of the company’s main raw material supplier could be an impairment
to independence.
b. Correct. Generally, the larger the company, the greater the need for a functioning IAA.
c. Correct. A recent increase in the number of unexplained or unacceptable risks is a good reason to have
a functioning IAA.
d. Correct. Having problems with internal controls is a good reason to have a functioning IAA.
67 Solution: d
a. Incorrect. Developing a plan to systematically assess controls across the organization is something that
internal auditing could do.
b. Incorrect. Reporting on significant control deficiencies to management and the audit committee is
something that internal auditing could do.
c. Incorrect. Testing controls across the organization is something that internal auditing could do.
d. Correct. Internal auditing cannot design, draft, install, or manage controls. This is the function of management.
68 Solution: b
a. Incorrect. Conducting ethics training programs is a method of promoting ethics within the organization.
b. Correct. Internal auditors are never responsible for disciplining employees for unethical behavior. Management
is responsible for disciplining employees.
c. Incorrect. Reviewing the company’s code of conduct is a method of promoting an ethics-based organization.
d. Incorrect. Getting feedback from clients is a way for internal auditing to understand whether there are
ethical issues within the company.
I. Not unethical. Taking computers home for work is common. Using the computer for personal use at
home would not be considered unethical as long as it was done at home and not at work.
II. Unethical. The supervisor reneging on a promise promotes future unethical behavior. This is not setting
the “right tone at the top.”
III. Unethical. Accepting a gift of non-trivial value is unethical and also sometimes illegal.
IV. Not unethical. As long as the accounting practice is consistently applied, what the finance director is
doing would not be considered unethical. This is referred to as earnings management. If the financial
director were intentionally misstating the financials to get higher levels of compensation, then this
would be considered unethical and illegal.
70 Solution: d
a. Incorrect. The focus of CSR is on economic, social, and environmental impact, not just social.
c. Incorrect. The focus of CSR is on economic, social, and environmental issues, not just the environment.
d. Correct. CSR is where companies are conscious of the kind of impact they are having on all aspects of
society including economic, social, and environmental. To engage in CSR means that a company is operating
in ways that enhance society and the environment, instead of contributing negatively to them.
71 Solution: b
b. Correct. Philanthropic responsibility is on top of Carroll’s pyramid. This is where companies want to be
a good corporate citizen, where they contribute resources to the community, and try to improve the
quality of life of the community.
72 Solution: c
c. Correct. This is true. By taking social responsibility, organizations are attempting to ward off future
government regulations.
d. Incorrect. It is unlikely a company’s management and board will have the skills to solve today’s social
problems.
73 Solution: a
a. Correct. Risk is most often defined as any event or action that can keep an organization from achieving
its objectives. Based on this definition, risks are negative events that could occur.
b. Incorrect. Risk is defined as negative events that could occur, not will occur.
c. Incorrect. Risk is defined as negative events that could occur. Uncertainty could be negative or positive.
d. Incorrect. Risk is defined as negative events that could occur. Uncertainty could be negative or positive.
74 Solution: b
b. Correct. Hazard risks are events that can be insured against, such as natural disasters, death of key
employees, or personal injury on the business premises.
c. Incorrect. Hazard risks are not events that can cause personal financial loss, or mission degradation.
d. Incorrect. Hazard risks are not events that can cause personal financial loss, or mission completion.
75 Solution: c
a. Incorrect. Logistical disruptions are not internal, but they are supply chain risks.
b. Incorrect. Logistical disruptions are not internal and not process-related risk events.
c. Correct. Logistical disruptions are external and they are supply chain risks.
I. Incorrect. One of the responsibilities of the CAE is to report to the audit committee/board on a regular
basis, so it would not be part of an organization’s risk strategy.
II. Correct. An organization’s risk strategy is going to define its risk tolerance level.
III. Incorrect. The ownership of risk is going to be delegated to those held responsible for the risks.
IV. Correct. An organization’s risk strategy is going to define its risk appetite.
77 Solution: b
a. Incorrect. The volume of transactions and complexity of the accounting system could be factors that
influence an organization’s risk appetite.
b. Correct. Simply identifying key stakeholders would not be a factor influencing an organization’s risk
appetite; however, the viewpoints of the stakeholders would be a factor.
c. Incorrect. The opportunity for fraud could be a factor that influences an organization’s risk appetite.
d. Incorrect. Changes in technology could be a factor that influences an organization’s risk appetite.
VI. Correct. Potential problems with key machinery would be an operational risk.
VII. Incorrect. Quality and service concerns that affect customers would be strategic risks.
VI. Incorrect. Potential problems with key machinery would be an operational risk.
VII. Incorrect. Quality and service concerns that affect customers would be strategic risks.
V. Correct. Strategic risks are risks that could potentially keep the company from achieving its long-term
goals and objectives. Potential loss of reputation would be a strategic risk.
VI. Incorrect. Potential problems with key machinery would be an operational risk.
VII. Correct. Quality and service concerns that affect customers would be strategic in nature.
I. Correct. Using the derivative markets for hedging and speculative purposes increases the probability of
having losses, and it also increases the risk of there being a material mistake on the financial statements.
II. Correct. If management practices what it preaches concerning the need for strong internal control, the
company is setting the right “tone at the top.” If management believes in strong controls there is less
risk of there being a material mistake.
III. Incorrect. Damage to the company’s reputation would influence the size of the impact, not its probability.
IV. Incorrect. Cost of getting operations back to normal would influence the size of the impact, not its
probability.
82 Solution: a
a. Correct. If the probability is high and its impact is low, then controls should be put in to reduce the risk.
b. Incorrect. The company should do nothing if the probability of the event occurring is low as well.
c. Incorrect. Terminating the activity is appropriate if both probability and impact are high.
d. Incorrect. Transferring the risk is done if impact is high but probability is low, such as the probability of
fire, or a natural disaster.
83 Solution: b
a. Incorrect. The monitoring and review stage is not the final stage. The final stage is recording and
reporting.
b. Correct. Once a risk management process has been implemented, the next stage is to get feedback
on how the system is working. This is the function of the monitoring and review stage.
c. Incorrect. Documenting and reporting the risk management process is the last stage.
d. Incorrect. The recording of outcomes is part of the recording and reporting stage.
84 Solution: a
a. Correct. Establishing a sound system of internal control can only provide reasonable assurance that
fraudulent activities will be prevented and detected. Even the best of control systems cannot fully
eliminate fraud.
c. Incorrect. Ensuring compliance with laws and regulations is a valid reason for improving controls.
d. Incorrect. Ensuring the reliability of financial reports is a valid reason for improving controls.
85 Solution: c
c. Correct. Operational-level controls encompass planning and performance monitoring, the system of
accountability to supervisors, and risk evaluation. Operational-level controls include both manual and
automated controls. The accounting system flagging a possible duplicate payment is an example of
control at the transaction-level, not at the operational-level.
d. Incorrect. The manager reviewing quarterly production variance reports is an operational level control.
86 Solution: c
b. Incorrect. Having the HR manager review a job description for a financial manager position is an
operational level control.
c. Correct. Corporate-level controls are mostly manual and they include general policy statements such
as values and overall monitoring procedures. COSO refers to these entity-level controls as the control
environment. When the disclosure committee reviews financial and non-financial notes and disclosures
over financial reporting, this is an example of a corporate (or entity) level control.
d. Incorrect. The manager reviewing quarterly production variance reports is an operational level control.
87 Solution: b
a. Incorrect. Making sure there is a job description for the new position is a directive control, not a
preventive control.
b. Correct. Directive controls cause or encourage a desirable event to occur, such as making sure the
new position has a job description. The job description is directive because it lays out the qualifications
and experience needed for the position.
c. Incorrect. Making sure there is a job description for the new position is a directive control, not a
corrective control.
d. Incorrect. Making sure there is a job description for the new position is a directive control, not a
detective control.
88 Solution: c
c. Correct. The technician putting in production procedures so the problem can be quickly identified and
corrected is a corrective control. Corrective controls are meant to correct problems that have occurred.
89 Solution: d
a. Incorrect. Additional controls to find defective products are detective, not preventive.
b. Incorrect. Additional controls to find defective products are detective, not directive.
c. Incorrect. Additional controls to find defective products are detective, not corrective.
d. Correct. Detective controls are needed to detect undesirable events that occur. Additional controls to
improve the chance of finding defective products is a detective control.
90 Solution: b
b. Correct. Compensating controls compensate for a control weakness, such as a lack of segregation of
duties. In this case, there has to be an independent verification to make sure the sales manager is
approving new credit sales only to credit-worthy customers.
91 Solution: a
a. Correct. Concurrent controls operate at the same time as the process and make ongoing adjustments
based on the immediate feedback from the system. Based on this, a program that alerts a technician of
a problem is a concurrent control.
b. Incorrect. Feedforward controls prevent undesirable events from happening. Getting immediate
feedback is a concurrent control.
d. Incorrect. Feedback controls detect a defective unit after it has been already produced. Getting
immediate feedback is a concurrent control.
I. Correct. Feedback controls can provide management with useful information about the effectiveness of
their planning efforts.
II. Correct. Feedback controls can enhance employee motivation. People want information on how well
they have performed, and feedback controls provide that information. The most desirable type of
control is feedforward.
III. Incorrect. The most desirable type of control is feedforward controls, not feedback. Feedback controls
are more expensive and less efficient because deficiencies are discovered after the fact.
93 Solution: b
a. Incorrect. A characteristic of an effective control system is the more material an item, the tighter the
control system needs to be.
b. Correct. An effective control system should be simple enough so the system can be understood by
those using it. The more complex the control system is, the more likely fraud will be committed.
d. Incorrect. A characteristic of an effective control system is that the benefits of the control system are
greater than its cost.
94 Solution: c
c. Correct. Automated controls can help track and monitor risks, but when it comes to managing risks,
automated controls are not a substitute for experienced human insight.
I. Correct. Ensuring that all transactions are complete and accurate is a characteristic of an effective
control system.
II. Correct. An effective control system means that there is greater confidence that only authorized
transactions take place.
III. Correct. An effective control system makes sure there is adequate documentation supporting
transactions.
IV. Correct. An effective control system ensures that assets and liabilities are correctly stated on the
financial statements.
V. Correct. An effective control system ensures there is less risk of fraud and misappropriation of assets.
96 Solution: d
a. Incorrect. Investors do benefit because they will feel more confident in the reliability of the company’s
financial statements.
b. Incorrect. Customers do benefit because they will feel more confident about the quality of the product
and/or service.
c. Incorrect. External auditors do benefit because they will feel more confident in the opinion they give
concerning the reliability of the company’s financial statements.
d. Correct. Management benefits because with strong control systems they will be able to do their job
more efficiently and effectively.
II. Correct. The CEO is ultimately responsible for the company’s control system.
III. Correct. Senior managers are responsible for ensuring that the right control policies and procedures
are implemented.
IV. Incorrect. External auditors provide feedback on the effectiveness of the control system; however,
external auditors are not responsible for ensuring management is carrying out their control
responsibilities. This is the management’s responsibility.
98 Solution: d
99 Solution: a
a. Correct. Segregation of duties between the programmer and input operator is a processing control, not
an input control.
b. Incorrect. Checking on the validity and accuracy of the inputted data is an example of an input control.
c. Incorrect. A note sent back to the input operator is an example of an input control.
I. Correct. This is true. Policies are made by senior management while procedures are usually made in
consultation with employees.
II. Correct. This is true. Policies guide senior management in decision-making while procedures guide the
actions of employees.
III. Incorrect. Employees can suggest changes to procedures, but management must approve the changes.
IV. Incorrect. Procedures are more detailed than policies, not less.
I. Incorrect. This is not true because a sound system of control should be embedded at all levels of the
organization, not just at the functional level.
II. Correct. This is true because a sound system of control should be part of the company’s way of doing
things, in other words, a part of its culture.
III. Incorrect. This is not true because a sound system of control should be able to respond to all evolving
internal and external risks.
IV. Correct. This is true because a sound system of control should include procedures for reporting
significant weaknesses and failures of control to the appropriate level of management.
102 Solution: b
a. Incorrect. The right “tone at the top” means sending the message that abusing the company’s credit
card will not be tolerated.
b. Correct. Letting a senior manager get away with embezzlement sends the wrong message to the
employees. Everybody in the organization needs to understand that there are consequences for violations.
c. Incorrect. The right “tone at the top” means that employees do have the ability to take action based on
company policy. This would include the ability to stop production when defective units are detected.
d. Incorrect. The right “tone at the top” means supporting best corporate governance, which means that
the board is primarily made up of independent directors who review the company’s internal controls
and risk management policies.
103 Solution: d
a. Incorrect. Checks could still be fraudulently altered even if the checks are deposited on a daily basis.
b. Incorrect. Checks could still be fraudulently altered even if there was an independent review of
mailroom procedures.
c. Incorrect. Checks could still be fraudulently altered even if the checks are independently listed by
someone outside the mailroom.
d. Correct. To minimize the risks, the internal auditor needs to verify that checks are immediately
endorsed by someone in the mailroom.
104 Solution: c
a. Incorrect. Making sure all stock items are electronically tagged would not ensure items are in stock at
the time of sale.
b. Incorrect. Making sure inventory information is updated at the end of each business day would not
ensure items are in stock at the time of sale.
c. Correct. The best control is for the sales clerk to make sure the inventory is in stock before processing
the sales order.
d. Incorrect. Having a regular inventory count would not ensure items are in stock at the time of sale.
105 Solution: b
a. Incorrect. Every company should have a code of conduct; however, the company should also rotate the
purchasing agents so that they do not become too close to the vendors.
b. Correct. The best control to minimize the possibility of kickbacks is to make sure the company has a
strong code of conduct and occasionally rotate purchasing agents from one vendor to another.
d. Incorrect. This is incorrect because proving the purchasing agent is not living beyond his or her means
would be subjective and difficult to verify.
106 Solution: d
a. Incorrect. This is true concerning the risk assessment process. A pre-condition to risk assessment is the
establishment of objectives.
b. Incorrect. This is true concerning the risk assessment process. The formality of a company’s risk
assessment process is dependent on the size and complexity of the company.
c. Incorrect. This is true concerning the risk assessment process. In larger companies, the risk
assessment process is most often the responsibility of lower-level managers.
d. Correct. In smaller companies, senior managers (e.g. the CEO or CFO) will probably take a more
active role in the assessment of risks. Because senior management will have a better understanding of
the risks, they will probably also have a more effective risk assessment process.
107 Solution: b
a. Incorrect. Item (I) is connected with segregation of duties, not with physical controls to safeguard
assets.
b. Correct. The control procedure connected with Item (I) is segregation of duties. The person who
collects the cash should not be able to reconcile the daily cash receipts account. Without segregation of
duty, the sales clerk could take the cash and say everything reconciles.
c. Incorrect. Item (I) is connected with segregation of duties, not with authorization.
d. Incorrect. Item (I) is connected with segregation of duties, not with independent checks.
108 Solution: c
a. Incorrect. Item (II) is connected with authorization, not with physical controls to safeguard assets.
b. Incorrect. Item (II) has to do with having proper authorization to perform a transaction, not with
segregating duties.
c. Correct. The control procedure connected with Item (II) is authorization. The proper person should
have the authority to sign off on trade discounts.
d. Incorrect. Item (II) has to do with authorization, not with independent checks.
109 Solution: d
a. Incorrect. Item (III) has to do with verifying independently that transactions are processed properly,
not with the physical safeguarding of assets.
b. Incorrect. Item (III) has to do with verifying independently that transactions are processed properly,
not with making sure specific functions are segregated.
c. Incorrect. Item (III) has to do with verifying independently that transactions are processed properly,
not with making sure transactions are properly authorized.
d. Correct. Independent checks are checks performed by someone other than the person responsible for
the original operation and are generally more effective at assuring that transactions are processed and
activities are performed accurately.
110 Solution: b
a. Incorrect. It is acceptable for the purchasing manager to review the purchase requisition and approve
the purchase order.
b. Correct. The following functions within the Purchases-Payable cycle should be segregated.
• Approval of purchase: The purchasing manager should review the purchase requisition and
approve (or reject) the purchase of goods.
• Custody of goods: Custody of goods lies with receiving (who receives the goods) and warehouse
(who stores the goods until needed).
• Recording of transaction: An accounts payable clerk records the transaction to the accounts
payable journal. An accounting clerk records the transaction to the general ledger.
• Reconciliation: There needs to be reconciliation between the G/L and A/P file. There also needs
to be reconciliation between the G/L and inventory records. Reconciliations should be done by
independent persons.
Based on segregation of duties, the purchasing manager should not be able to record the transaction to
the accounts payable journal.
c. Incorrect. It would be acceptable for the purchasing manager to review the purchase requisition and
approve bad debt write-offs because the functions are not related to each other.
d. Incorrect. It would be acceptable for the purchasing manager to approve the purchase order while at
the same time reconciling daily cash receipts because the functions are not related to each other.
111 Solution: a
a. Correct. This answer is not true because there is no requirement for private companies to be in
compliance with SOX 404. Only publicly-listed companies listed in the U.S. have this requirement.
b. Incorrect. A strong monitoring program will increase the chances of identifying control problems.
c. Incorrect. A strong monitoring program increases the likelihood that financial and management
information will be more accurate and timely.
d. Incorrect. A strong monitoring program increases the likelihood that financial and management
information will be more accurate.
112 Solution: c
a. Incorrect. A questionnaire matrix would help the internal auditor understand if there is a problem.
b. Incorrect. A sampling matrix would be a useful tool to understand the characteristics of a population,
such as age, race, religion, and so on. It is not a tool that matches controls to risks.
c. Correct. The risk and control matrix would be the most appropriate matrix to use. The risk and control
matrix is an excellent tool that matches controls to risks, assuring that every risk is covered by an
appropriate control. This matrix also shows where a particular control might provide protection over more
than one risk.
d. Incorrect. A risk interaction matrix is a good tool to understand the severity of the risks.
113 Solution: d
a. Incorrect. A red flag of fraud is high management turnover. This shows that managers are not happy
with management practices.
d. Correct. Management deciding to be conservative in their accounting is a good thing. Being
conservative means not overvaluing assets and not underreporting liabilities. It also means recognizing revenue
when it is earned and not underreporting expenses.
114 Solution: c
c. Correct. The issues Dunhill is investigating represent potential incentives (or motive) for management
to commit accounting fraud.
d. Incorrect. Dunhill is not investigating compliance, but the incentives to commit accounting fraud.
115 Solution: b
a. Incorrect. Actions that management takes to minimize fraud would be to implement control procedures.
b. Correct. The fraud triangle represents three conditions usually present when fraud occurs. The three
conditions are: pressure (motive), opportunity, and rationalization. Without all three of the conditions
being present, a person will not commit fraud.
c. Incorrect. The fraud triangle represents conditions that need to be present for fraud to occur. It is not a
type of fraud.
d. Incorrect. The fraud triangle represents conditions that need to be present for fraud to occur. It is not
the strategies for unearthing fraud.
116 Solution: c
a. Incorrect. There may be some legitimate costs that could have been capitalized; however, that is not
the purpose of the review. The purpose of the review is to make sure no immaterial costs were
capitalized.
b. Incorrect. Making sure all maintenance charges were expensed in the period they arose is not the
purpose of the review.
c. Correct. When reviewing controls over the capitalization of fixed assets, internal auditors want to verify
that management has not put some immaterial expenses, such as maintenance charges, to the fixed
asset account. The reason for putting maintenance charges to the balance sheet is to improve
profitability because these charges would not be expensed in the current period.
d. Incorrect. Reviewing fixed asset depreciation is not the reason for the engagement.
117 Solution: d
a. Incorrect. Delaying installment of a new marketing software package would not be a source of conflict
for the company.
b. Incorrect. Expensing some costs that might be able to be capitalized would not be a conflict for the
company because accountants are supposed to be conservative.
c. Incorrect. The production manager proposing ways to cut costs is what the manager should do.
d. Correct. The procurement manager’s proposal to source an important input material from a relative is
a conflict of interest.
118 Solution: b
b. Correct. A manager’s inability to override controls is not a red flag, but a control strength.
c. Incorrect. A manager who refuses to take his or her normal vacation might signal that the manager is
trying to hide something.
d. Incorrect. Unrestricted access to electronic data or databases would be a red flag for an auditor.
119 Solution: b
b. Correct. The ultimate goal of the forensic auditor is to obtain a confession by the fraudster, if fraud did
actually occur. Confessions should never be coerced because the accused individual could be innocent.
c. Incorrect. To gather evidence used in court proceedings is a reason to hire a forensic auditor.
d. Incorrect. To quantify the financial loss suffered by the company is a reason to hire a forensic auditor.
120 Solution: c
a. Incorrect. The marketing manager accepting a kickback from an advertising company is detrimental to
the organization. This is because the organization is probably paying more than it should for the
advertising.
c. Correct. Paying governmental officials is illegal, but expediting a service would be beneficial to the
organization.
d. Incorrect. Approving a sale to a close relative at below cost is detrimental to the organization.
121 Solution: a
a. Correct. Overriding controls is how management commits fraud, but it is not a reason that managers
commit fraud.
I. Correct. When assessing fraud risk, internal auditors should determine whether or not the
organization has set realistic goals and objectives.
II. Correct. When assessing fraud risk, internal auditors should determine whether or not the
organization fosters an environment of control consciousness.
III. Incorrect. It is not likely an organization would have a forensic auditing expert on staff.
IV. Correct. When assessing fraud risk, internal auditors should determine whether or not
recommendations are established to enhance the control structure to help deter fraud.
123 Solution: a
a. Correct. Impact to the organization’s reputation is the result of fraud being committed by the
organization, but it is not a step in the risk assessment process.
b. Incorrect. Identifying relevant fraud risk factors is a step in the risk assessment process.
c. Incorrect. Mapping existing controls to potential fraud schemes and identifying gaps is a step in the
risk assessment process.
d. Incorrect. Documenting and reporting fraud risk assessment is a step in the risk assessment process.
124 Solution: a
a. Correct. Internal auditing should not design, draft, implement, or manage controls. This is the
responsibility of management.
b. Incorrect. At the conclusion of a fraud investigation, internal auditors should maintain sufficient
knowledge of fraud to identify possible future fraud incidents.
c. Incorrect. At the conclusion of a fraud investigation, internal auditors should determine if controls need
to be implemented or strengthened.
d. Incorrect. At the conclusion of a fraud investigation, internal auditors should design engagement tests
to help disclose frauds in the future.
125 Solution: c
a. Incorrect. Malicious prosecution refers to the prosecution of an individual without probable cause.
c. Correct. If found innocent, the manager could sue the company and the internal auditor for slander,
which is spoken defamation.
d. Incorrect. Compounding a felony is a situation where an employee has committed a crime, but the
employer agrees not to prosecute in exchange for a consideration (such as repaying stolen funds).