CIA Part 1 Mock Exam 1
Preparatory Program
Part 1
Mock Exam
CIA Part 1 Mock Exam
1. Which of the following is not true with regard to the internal audit charter?
a. It defines the authorities and responsibilities for the internal audit activity.
b. It specifies the minimum resources needed for the internal audit activity.
2. The function of internal auditing, as related to internal financial reports, would be to:
b. Review expenditure items and match each item with expenses incurred.
3. The status of the internal audit activity should be free from the effects of irresponsible policy changes
by management. The most effective way to assure that freedom is to:
d. Develop written policies and procedures to serve as standards of performance for the internal audit
activity.
4. If a department's operating standards are vague and thus subject to interpretation, an auditor should:
a. Seek agreement with the departmental manager on the criteria needed to measure operating performance.
b. Determine best practices in the area and use them as the standard.
c. Interpret the standards in their strictest sense because standards are otherwise only minimum measures
of acceptance.
d. Omit any comments on standards and the department's performance in relation to those standards,
because such an analysis would be inappropriate.
b. Establish the independence of the internal audit activity and emphasize the objectivity of internal auditing.
c. Encourage external auditors to make more extensive use of the work of internal auditors.
7. The Standards require that the chief audit executive (CAE) have a formal, written internal audit charter
approved by management and the board. The purpose of the internal audit charter is to:
b. Establish the purpose, authority, and responsibility of the internal auditing activity.
d. Define the role of the chief audit executive as a member of the audit committee.
8. The best means for the internal auditing activity to determine whether it has achieved its goal of
implementing broader audit coverage of functional activities is through:
9. If a department outside of the internal audit activity (IAA) is responsible for reviewing a function or
process, the internal auditor should:
a. Consider the work of the other department when assessing the function or process.
b. Ignore the work of the other department and proceed with an independent audit.
c. Reduce the scope of the audit because the work has already been performed by the other department.
d. Yield the responsibility for assessing the function or process to the other department.
10. During an engagement to evaluate the organization’s accounts payable function, an internal auditor
plans to confirm balances with suppliers. What is the source of authority for the auditor’s contact with
units outside the organization?
b. The Standards.
11. Which of the following is not one of the ten Core Principles:
12. According to the Standards, the internal audit activity’s goals should specify:
13. Which of the following best describes an internal auditor’s purpose in reviewing the organization’s
existing risk management, control, and governance processes?
a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives.
c. To provide reasonable assurance that the processes will enable the organization’s objectives and goals
to be met efficiently and economically.
d. To determine whether the processes ensure that the accounting records are correct and that financial
statements are fairly stated.
14. Of the following activities, which ones are within the scope of internal auditing?
IV. To ascertain the extent to which objectives and goals have been established.
b. I and IV only.
d. I, II and IV only.
c. Fraud investigation.
16. A CIA, working as the purchasing director, signs a contract to procure a large order from the supplier
with the best price, quality, and performance. Shortly after signing the contract, the supplier presents
the CIA with a gift of significant monetary value. Which of the following statements regarding the
acceptance of the gift is correct?
b. Acceptance of the gift would violate the IIA Code of Ethics and would be prohibited.
c. Because the CIA is not acting as an internal auditor, acceptance of the gift would be governed only by
the organization’s code of conduct.
d. Because the contract was signed before the gift was offered, acceptance of the gift would not violate
either the IIA Code of Ethics or the organization’s code of conduct.
17. A review of an organization’s code of conduct revealed that it contained comprehensive guidelines
designed to inspire high levels of ethical behavior. The review also revealed that employees were
knowledgeable of its provisions. However, some employees still did not comply with the code. What element
should a code of conduct contain to enhance its effectiveness?
18. Which of the following statements is not appropriate to include in a manufacturer’s conflict of interest
policy? An employee shall not:
19. An internal auditor, during the course of evaluating the policies & procedures for capitalizing fixed
assets, uncovered some information that indicated that management had capitalized some general
maintenance costs that should have been expensed. The amount is considered to be material. If the
internal auditor failed to disclose this information to senior management or the audit committee, the
internal auditor would be in violation of which rule of conduct?
a. Integrity.
b. Objectivity.
c. Confidentiality.
d. Competence.
20. Which of the following concurrent occupations could appear to subvert the ethical behavior of an internal
auditor?
a. Internal auditor and local in-house chairperson for a well-known charitable organization.
c. Internal auditor and adjunct faculty member of a local business college that educates potential
employees.
d. Internal auditor and landlord of multiple housing units that publicly advertise for tenants in a local
community newspaper.
21. As part of a company-sponsored award program, an internal auditor was offered an award of significant
monetary value by a division in recognition of the cost savings that resulted from the auditor's
recommendations. According to the International Professional Practices Framework (IPPF), what is the most
appropriate action for the auditor to take?
a. Accept the gift because the engagement is already concluded and the report issued.
b. Accept the award under the condition that any proceeds go to charity.
c. Inform audit management and ask for direction on whether or not to accept the gift.
22. Towards the end of an engagement, the auditor discovers that the director of marketing has a gambling
habit. The gambling issue is not directly related to the existing engagement and there is pressure to
complete the current engagement. The auditor notes the problem and forwards the information to the
chief audit executive but performs no further follow-up. The auditor's actions would:
b. Be in violation of the Standards because the auditor did not properly follow up on a red flag that might
indicate the existence of fraud.
d. Both a and b.
23. In which of the following would an internal auditor potentially lack objectivity?
a. The internal auditor reviews the procedures for a new electronic data interchange (EDI) connection to
a major customer before it is implemented.
b. A former purchasing assistant performs a review of the internal controls over purchasing four months
after being transferred to the internal audit activity.
c. An internal auditor recommends standards of control and performance measures for a contract with a
service organization for the processing of payroll and employee benefits.
d. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small
motors.
24. An auditor’s objectivity could be compromised in all of the following situations except:
a. A conflict of interest.
a. Continuation of an engagement at a division for which (s)he will soon be responsible as the result of a
promotion.
c. Participation on a task force that recommends standards for control of a new distribution system.
26. Independence from outside pressure is an important factor for the internal audit activity to work freely
and objectively. Which of the following contributes to the internal auditor’s independence?
a. Management should assist the IAA by reviewing, revising, and forwarding engagement communications
to the audit committee.
b. The IAA reports directly to the audit committee, without corroborating engagement communications
with management.
c. Ideally, the IAA functionally reports to the audit committee but reports to the chief operating officer on
all engagements relating to operations.
d. The accuracy of the engagement communications should be verified with management, and the IAA
should then report to management and the audit committee.
27. Internal auditors must distinguish carefully between a scope limitation and other limitations. Which of
the following is not considered a scope limitation?
a. The divisional manager of an engagement client has indicated that the division is in the process of
converting a major computer system and that the information systems portion of the planned
engagement will have to be postponed until next year.
b. The board reviews the engagement work schedule for the year and deletes an engagement that the
CAE thought was important to conduct.
c. The engagement client has indicated that certain customers cannot be contacted because the
organization is in the process of negotiating long-term contracts and does not want to upset the customers.
28. Which of the following combinations best illustrates a scope limitation and the appropriate response by
the CAE?
a. Scope limitation: Engagement client limits scope based upon proprietary information.
Response: Report only to the controller.
b. Scope limitation: Engagement client will not provide access to records needed for approved work schedule.
Response: Report to the board.
c. Scope limitation: Engagement client requests that the engagement be delayed for 2 weeks to allow it to
close its books.
Response: Report directly to the CEO and controller.
d. Scope limitation: Engagement client will not allow the internal auditor to contact major customers as part
of an engagement to evaluate the efficiency of operations.
Response: No reporting is required because the operational engagement concerns operational efficiency.
29. In practice, internal auditing should have a dual reporting process. The CAE must report to a level within
the organization that allows internal auditing to fulfill its responsibilities. The ideal reporting situation
for a company’s CAE is to:
a. Functionally report to the CFO and administratively report to the audit committee.
d. Administratively report to upper management and functionally report to the external auditor.
30. Administrative reporting would typically include all of the following except:
31. Internal auditors are expected to be objective when conducting their work. Which of the following
circumstances would not cause an internal auditor’s objectivity to be impaired?
I. The internal auditor audited an area for which they were responsible more than one year ago.
II. The internal auditor accepted a sizable gift from a client after the successful completion of an audit.
III. The internal auditor designed some control procedures for an engagement client.
IV. The internal auditor was given a small token of appreciation from a client after the completion of an
audit.
a. I and II only
c. I and IV only
d. II and IV only
32. An internal auditor’s involvement in the evaluation of the organization’s accounts payable function
should include all of the following except:
a. The auditor provides an assessment and states an opinion about whether or not something with the
company is operating or performing correctly.
b. The auditor does not need to be independent but does need to be objective.
c. The auditor should be objective in the investigation and independent in the decision.
a. Internal auditors must make conclusions based on facts without being influenced by feeling, emotions,
relationships, bribes, or any other outside influence.
b. Internal auditors must report to a level within the organization that allows the internal audit activity to
fulfill its responsibilities.
35. To be effective, internal auditors need to have organizational independence. Organizational
independence is achieved largely through the status of the internal audit activity and the authority that the
board gives it. Based on this, the board authorizes the internal audit activity to:
I. Have unrestricted access to all functions, records, property, and personnel pertinent to carrying out
any engagement.
a. I only.
d. I and II only.
36. A company has seen tremendous growth in its sales revenue the past few years and management is
considering replacing its legacy system with an ERP system. Management believes that an ERP system
will allow the company to integrate applications to better manage the business. Which of the following
would be an appropriate internal auditing role in purchasing the ERP system?
37. Which of the following is not a true statement concerning a conflict of interest?
b. A conflict of interest can create an appearance of impropriety that undermines confidence in the
internal auditor.
d. A conflict of interest could impair an auditor’s ability to perform his or her duties and responsibilities
objectively.
38. There are a number of procedures that the chief audit executive can follow in order to maintain
objectivity within the internal audit activity. Which of the following would not be a procedure for
maintaining objectivity?
d. Periodically rotate internal auditing assignments so relationships do not develop between the auditor
and the auditee that might impair the auditor’s judgment.
39. During an internal audit, the internal auditor should exercise due professional care. Due professional
care means that the internal auditor should consider:
II. The relative complexity and materiality to which assurance procedures are applied.
IV. The engagement procedures necessary to ensure that all significant risks have been identified.
a. I and II only.
b. I, II and IV only.
40. As part of the process to improve the relationship between the internal auditor and engagement client,
it is very important to deal with how the internal audit activity is perceived. Certain types of attitudes
in the work performed will help create these perceptions. From a management perspective, which
attitude is likely to be the most conducive to a positive perception?
a. Interrogatory.
b. Investigative.
c. Consultative.
d. Objective.
c. Management principles.
d. Marketing techniques.
42. The Standards require that internal auditors possess which of the following skills?
I. Internal auditors should understand human relations and be skilled in dealing with people.
II. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations
from good business practices.
III. Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance,
and information technology.
a. I and II only.
d. I, II and IV only.
43. Your organization has selected you to develop an internal audit activity. Your approach will most likely
be to hire:
a. Internal auditors who possess all of the skills required to handle all engagements.
b. Inexperienced personnel and train them in the way that the organization wants them trained.
c. Individuals with accounting degrees because most internal audit work is accounting-related.
d. Internal auditors who collectively have the knowledge and skills needed to perform the responsibilities
of the IAA.
44. The IIA Standards require internal auditors to have the knowledge, skills, and disciplines essential to
performing an audit. Which of the following is true considering the level of knowledge or skill required
by the Standards? Internal auditors must:
I. Be proficient in the application of auditing standards and procedures to specific situations without
extensive recourse to technical research and assistance.
II. Be proficient in accounting principles when auditing the financial records and reports of the organization.
III. Be proficient in applying knowledge of accounting and computerized information systems to specific or
potential problems.
a. I only.
b. I and II only.
d. I, II and III.
45. Within the context of quality control, the primary purpose of continuing professional education and
training is to enable the internal audit activity to provide its personnel with:
b. Professional education that is required in order to perform engagements with due professional care.
46. When an internal auditor is not qualified to perform an engagement, the internal auditor should:
47. When hiring a prospective internal auditor, reasonable assurance should be obtained as to the
candidate’s qualifications and proficiency. Which of the following is the least useful application of this
principle?
48. The internal audit activity (IAA) can perform an important role in preventing and detecting significant
fraud by being assigned all but which one of the following tasks?
b. Review sensitive expenses such as legal fees, consultant fees, and foreign sales commissions.
49. A new chief audit executive (CAE) for a major retail company is questioning the audit activity’s extensive
use of store compliance testing, stating that the approach is not responsive to materiality concepts.
Which of the following statements are valid in response to the CAE’s claims?
I. Materiality is not based only on the size of individual stores; rather it is also based on the control
structure that affects the whole organization.
II. Any deviation from a prescribed control procedure is, by definition, material.
III. The only way to ensure that a material amount of the company’s control structure is reviewed is a
comprehensive audit of all stores.
a. I only.
b. III only.
c. I and II only.
d. I, II and III.
50. An internal auditor issues a final report that had to do with evaluating the client’s procedures for
increasing the diversity of the organization’s workforce. In this regard, the internal auditor made several
recommendations for changes in hiring and retaining practices. Regarding due professional care, the
internal auditor would conduct a follow-up to ensure which of the following actions by the client?
a. To ascertain whether the client has carried out the internal auditor’s recommendations.
b. To ascertain whether the organization is in line with the organization’s diversity policies.
c. To ascertain whether the client has considered the audit findings and has taken action to improve
diversity within the organization.
b. Infallibility and extraordinary performance when the system of internal control is known to be weak.
d. Testing in sufficient detail to give an absolute assurance that noncompliance does not exist.
52. Due professional care is concerned with the work that is done by the internal auditor. For example,
due professional care in the matter of a review of internal controls over financial reporting would
consider all of the following except:
a. The content of the working papers is sufficient to provide support for the internal auditor's opinion.
b. The audit evidence in the working papers is principally performed to protect the company in the case
of a lawsuit by investors.
53. When using the services of an outside service provider, the CAE must:
54. An internal auditor should have an appreciation with respect to which discipline?
a. Quantitative methods.
b. Auditing techniques.
c. Auditing procedures.
55. An internal auditor is employed by a large department store. During a planned engagement the
internal auditor performed an audit of the store's cash operations. Which of the following actions would be
deemed lacking in due professional care?
a. A flowchart of the entire cash operation was developed but only a sample of transactions was tested.
b. The report included a well-supported recommendation for the reduction in staff although it was known
that such a reduction would adversely impact morale.
c. Because of a highly developed system of internal controls over cash operations, the audit report
assured top management that no irregularities existed.
d. The auditor informed appropriate authorities within the organization about suspected wrongdoing. No
report was made to external authorities.
56. The CAE is concerned that a recently-disclosed fraud was not uncovered during the last engagement
to evaluate cash operations. A review of the working papers indicated that the fraudulent transaction
was not included in a properly-designed statistical sample of transactions tested. Which of the
following applies to this situation?
a. Because cash operations are a high-risk area, 100% testing of transactions should have been
performed.
b. The internal auditor acted with due professional care because an appropriate statistical sample of
material transactions was tested.
d. Extraordinary care is necessary for the performance of a cash operations engagement, and the
internal auditor should be held responsible for the oversight.
57. The CAE of a manufacturing company has interviewed an individual for a staff position. The CAE has
reviewed the individual’s credentials and has performed a detailed background check. The individual
has a strong knowledge of accounting and finance; however, the individual has limited knowledge of
environmental management systems (EMS). What is the most appropriate action for the CAE to take?
c. Encourage the individual to obtain additional training in EMS and then reapply.
d. Offer the individual a position if other staff members have sufficient knowledge of EMS.
58. A recently-hired internal auditor's first assignment is to review the cash management operations of
the organization. The internal auditor has no background in cash management. Under which of the
following conditions would this arrangement be appropriate?
I. The senior internal auditor is skilled in the area and closely supervises the staff internal auditor.
II. The staff internal auditor performs the work and prepares an engagement communication that is
reviewed in detail by the CAE.
a. I only.
c. II only.
59. If internal auditors fail to maintain their proficiency through continuing professional education they
could be found to be in violation of:
60. An internal auditor suspects that the company’s financial statements are misstated; however, the
internal auditor does not have conclusive evidence to prove his suspicion. The internal auditor has failed
to exercise due professional care if he:
a. Identified potential ways in which a misstatement could occur and ranked the items for investigation.
b. Did not test for possible misstatement because the engagement work program had already been
approved by engagement management.
c. Informed the engagement manager of the suspicions and asked for advice on how to proceed.
d. Expanded the engagement work program without the engagement client's approval to address the
highest-ranked ways in which a misstatement may have occurred.
61. Quality program assessments may be performed internally or externally. A distinguishing feature of an
external assessment is its objective to:
c. Compliance with the Standards for the International Professional Practice of Internal Auditing.
63. You were appointed the chief audit executive (CAE) of an organization one week ago. An engagement
client has come to you complaining vigorously that one of your internal auditors is taking up an excessive
amount of the client’s time on an engagement that seems to be lacking a clear purpose. In handling this
conflict with the client, you should consider:
a. Promising the client that you will have the internal auditor finish the work within 1 week.
b. Whether existing procedures within the internal audit activity provide for proper planning and quality
assurance.
c. Presenting an immediate defense of the internal auditor based upon currently-known facts.
64. Periodic external assessments of an internal audit activity's quality assurance and improvement program
should be undertaken. On completion of such an assessment, a formal report or other communication
should be issued expressing an opinion as to the:
c. Include the internal audit activity only when the external auditor is appointed.
d. Include the internal audit activity at the time of the appointment and regularly thereafter.
66. The interpretation related to quality assurance given by the Standards is that:
b. External assessments can provide senior management and the board with independent assurance about
the quality of the IAA.
c. Continuous supervision is limited to the planning, examination, evaluation, communication, and
follow-up process.
d. Appropriate follow-up to an external assessment is the responsibility of the chief audit executive's
immediate supervisor.
67. Which of the following persons might be considered when conducting a periodic external review of the
IAA in an organization’s regional office?
III. A tax consultant who has no audit experience but will review only technical matters related to tax audits.
IV. An external chartered accountant with internal auditing experience who has been an external auditor of
the organization’s external financial reports.
a. I and II only.
d. I, II and IV only.
68. Procedures describing how the supervisory review of staff auditors will be accomplished should be fully
documented so that the internal audit activity will:
69. An internal audit activity is currently undergoing its first external quality assurance review since its
formation three years ago. From interviews, the review team is informed of certain internal auditor
activities over the past year. Which of the following activities could affect the quality assurance review
team's evaluation of the objectivity of the internal auditors?
a. One internal auditor told the review team that, during an engagement to review the payroll function,
he was approached by the payroll manager who indicated that he was looking for an accountant to
prepare his financial statements for his part-time business. The internal auditor agreed to perform this
work for a reduced fee during non-work hours.
b. During an engagement to review the construction of a building addition to the organization's
headquarters, the vice president of facilities management gave the internal auditor a commemorative mug with
the organization's logo. These mugs were distributed to all employees present at the ground-breaking
ceremony.
c. After reviewing the installation of a data processing system, the internal auditor made recommendations
on standards of control. Three months after completion of the engagement, the engagement client
requested the internal auditor's review of certain procedures for adequacy. The internal auditor agreed
and performed this review.
d. An internal auditor's participation was requested on a task force to reduce the organization's inventory
losses from theft and shrinkage. This is the first consulting assignment undertaken by the internal audit
activity. The internal auditor's role is to advise the task force on appropriate control techniques.
70. The Institute of Internal Auditing developed a position paper titled The Three Lines of Defense in
Effective Risk Management and Control. Which of the following best describes the purpose of the paper?
a. To provide a simple and effective way to enhance communications on risk management and control.
d. A means of alerting operational management to emerging issues and changing regulatory and risk
scenarios.
a. Organizational governance is the way in which companies are planned and directed.
b. Organizational governance is the combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the achievement of its objectives.
72. An internal auditor should play a vital role in the assessment and improvement of a company’s
governance process. Internal auditing’s role would include all of the following except:
73. A company’s control environment is the foundation of an effective system of internal control. Which of
the following is not a component of a company’s control environment?
d. Competence of personnel.
75. Internal auditors can play an important role in assessing the ethical climate of an organization. Methods
to assess an organization’s ethical climate include all of the following except:
a. Reviewing ethics-related policies and processes.
b. Conducting an ethics-related survey.
c. Facilitating an ethics-related training program.
d. Conducting audits of specific ethics-related functions.
a. Companies have a responsibility for their impact on society and the environment.
77. One of the biggest challenges with corporate social responsibility (CSR) is:
a. Identifying the different groups that have a legitimate interest in the corporation.
a. It is too costly.
79. The IAA’s role in an organization’s risk management process can, and often does, change over time.
The IAA’s role within an organization may encompass all of the following except:
a. Auditing the risk management process as part of the internal audit plan.
b. Managing and coordinating the risk of a business operation.
c. Providing continuous support and involvement in the risk management process, such as monitoring
activities, providing status reports, and participating on an oversight committee.
d. No role.
80. Which of the following statements is most accurate concerning inherent risk?
b. Inherent risk is the level of risk that remains after management has taken actions to mitigate the risk.
81. A company’s board of directors is concerned that a new children’s toy is not as safe as it should
be. The board is concerned that if word gets out that the toy is not safe, the reputation of the
company could suffer. The board’s concern has to do with:
a. Financial risk.
b. Operating risk.
c. Strategic risk.
d. Hazard risk.
82. The first step in the risk management process is the identification of risks. Risk events can be either
internal or external. Which of the following would be an internal risk event?
b. New regulations.
c. Changing demographics.
d. Rising inflation.
84. It is common for insurance policies to include a deductible clause, which means that the insured party
will have to pay some portion of the repair or replacement. The amount paid by the insured party is
referred to as what type of risk?
a. Operational risk.
b. Inherent risk.
c. Residual risk.
d. Transactional risk.
85. There are four general terms used to express the measurement of potential loss that could occur from
a specific risk. The difference between expected loss and unexpected loss is:
a. Expected loss is the maximum potential loss that could occur, whereas unexpected loss is the
minimum potential loss.
b. Expected loss is the loss that management expects to be lost during the period, whereas unexpected
loss is the loss that management thinks could be lost in excess of the budgeted amount.
c. Expected loss is the loss that management expects to occur during the period, whereas unexpected
loss is the worst-case scenario loss.
d. Expected loss is the loss that is expected to occur during the short-term, whereas unexpected loss is
the loss that is expected to occur during the long term.
86. Value at Risk (VaR) is a quantitative risk assessment tool used by financial managers for all of the
following reasons except:
a. To measure and control the level of risk that the firm undertakes.
c. To give management a level of confidence that the loss level will not be exceeded during a certain
period of time.
d. To ensure that risks are not taken beyond the firm’s ability to absorb the losses of a probable worst
outcome.
87. It is possible for some risks to be negatively correlated with one another. When this situation occurs
the best course of action is to:
d. Do nothing.
88. The risk management process includes all of the following except:
b. Risk avoidance.
d. Risk assessment.
89. A risk response that entails eliminating the threat of the risk is referred to as:
a. Risk mitigation.
b. Risk deflection.
c. Risk avoidance.
d. Residual risk.
90. A firm has a valuable project that has many hazards that could potentially cause bodily injury. Given
the nature of the project, there is no way to avoid the potential risk for damages. To deflect the risk,
the project manager should consider:
91. Risk appetite is the level of risk that an organization is willing to pursue, retain, or take. Factors that
could influence an organization’s risk appetite might include:
c. External factors, such as changing economic considerations, changes in technology, changes in the
industry, etc.
93. ERM is a risk management program that is used to assist management in the achievement of its
objectives. The benefits of establishing an ERM process include all of the following except:
94. The development of a strategic plan is intended to increase a company’s long-term performance.
Which of the following would most likely not be a strategic objective?
a. Financial growth.
c. Product innovation.
95. The ERM model has five components. Under which component would the company identify specific risk
events?
c. Control Activities.
d. Performance.
96. There are numerous benefits to implementing a well-developed ERM system. These benefits include:
I. The entity will anticipate every risk that could result in a loss.
a. I and II only.
d. II and IV only.
97. Concerning ERM, which of the following is not a role that internal auditing should undertake?
c. The IAA’s guidance and oversight of management’s performance is accomplished economically and
efficiently.
100. Which of the following is true regarding the difference between corporate-level and operational-level
controls?
a. Corporate-level controls are mostly automated, whereas operational-level controls are mostly manual.
b. Operational-level controls include both manual and automated controls, whereas corporate-level
controls are mostly manual and include general policy statements that concern ethics and corporate
values.
c. Corporate-level controls are mostly manual, whereas operational-level controls are mostly automated,
consisting of complying with specific control procedures and making sure financial information is
accurate and complete.
d. Operational-level controls include both manual and automated controls, whereas corporate-level
controls are mostly manual and encompass planning and performance monitoring, the system of
accountability to superiors, and risk evaluation.
101. Which of the following types of controls is often difficult to evaluate because they may lack established
criteria or standards?
a. Operating controls.
b. Financial controls.
c. Directive controls.
d. Preventive controls.
c. The accounts receivable subsidiary ledger is reconciled against the general ledger accounts receivable
control total.
d. Customer numbers are verified by the computer before a sales order is accepted to ensure the sales
order is from an established company.
103. The control process can be divided into feedforward, concurrent, and feedback controls. Which of the
following is a concurrent control?
105. Budgets are generally classified as both planning documents and control devices. An important
difference between the budget planning information needed and the budget control information needed is
that planning information is more:
b. Detailed.
c. Likely to be quantifiable.
d. Likely to be accurate.
b. A security guard allows a warehouse employee to remove company property from the premises without
authorization.
d. An employee who is unable to read is assigned custody of the company’s tape library and run manuals.
1) Select the times or points at which to collect information about the activities that are being
measured and controlled.
a. 2, 1, 6, 3, 8, 7, 4, 5.
b. 1, 2, 3, 6, 5, 7, 8, 4.
c. 2, 1, 3, 6, 8, 4, 7, 5.
d. 1, 3, 2, 6, 7, 5, 8, 4.
108. An internal auditor was evaluating the company’s application controls over financial reporting. Which
of the following would not be an application control objective?
109. A control likely to prevent purchasing agents from favoring specific suppliers is:
a. Requiring management's review of a monthly report of the totals spent by each buyer.
110. The results of an audit of cash controls indicated that the bookkeeper signed expense checks and
reconciled the checking account. If the cash account reconciliations were current and no cash shortages
were found, an internal auditor should conclude that the system of internal controls over:
111. Which of the following is a control weakness rather than a control strength with regard to the payroll
clerk? The payroll clerk:
112. Which of the following situations would cause an internal auditor to question the adequacy of controls
over a purchasing function?
a. The original and one copy of the purchase order are mailed to the vendor. The copy on which the vendor
acknowledges acceptance is returned to the purchasing department.
b. Receiving reports are forwarded to purchasing where they are matched with the purchase orders and
sent to accounts payable.
d. Unpaid voucher files and perpetual inventory records are independently maintained.
113. Proper segregation of duties reduces the opportunities in which a person could both:
114. Internal auditors use the COSO model to evaluate the strength of a company’s internal control system
over financial reporting. Which of the following is not a core principle of the control environment?
115. An effective control system should have all of the following characteristics except:
a. The control system should actually reflect what the organization is trying to measure and control.
b. The control system must be understandable by all persons using the system.
d. The information provided by the control system must be available in a timely manner.
116. Which of the following actions can help reduce the ability of an individual to rationalize fraud?
117. Which of the following are examples of fraud that would not benefit an organization?
b. Tax fraud.
c. Claims submitted for services or goods not actually provided to the organization.
118. Which of the following best describes an auditor's responsibility after noting indicators of fraud?
b. Report the possibility of fraud to top management and ask how to proceed.
c. Consult with external legal counsel to determine the course of action to be taken.
d. Report the matter to the audit committee and request funding for outside specialists to help investigate
the possible fraud.
The manager of a production line has the authority to order and receive replacement parts for all machinery
that requires periodic maintenance. The internal auditor received an anonymous tip that the manager ordered
substantially more parts than were necessary from a family member in the parts supply business. The
unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the
parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier,
and the money was divided between the manager and the family member.
119. Which of the following internal controls would most likely have prevented this fraud from occurring?
a. Establishing predefined spending levels for all vendors during the bidding process.
c. Comparing the bill of lading for replacement parts to the approved purchase order.
d. Using the company’s inventory system to match quantities requested with quantities received.
120. Which of the following tests would best assist the auditor in deciding whether to investigate this
anonymous tip further?
c. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items
replaced.
d. Review of a test sample of parts invoices for proper authorization and receipt.
121. Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset?
122. Which of the following would not be considered a condition that indicates a higher likelihood of fraud?
a. Management has delegated the authority to make purchases under a certain dollar limit to subordinates.
b. An individual has held the same cash-handling job for an extended period without any rotation of duties.
c. An individual handling marketable securities is responsible for making the purchases, recording the
purchases, and reporting any discrepancies and gains/losses to senior management.
d. The assignment of responsibility and accountability in the accounts receivable department is not clear.
123. Which of the following statements is (are) true regarding the prevention of fraud?
I. The primary means of preventing fraud is through internal controls established and maintained by
management.
II. Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating
the adequacy of the internal control system.
III. Internal auditors should assess the operating effectiveness of fraud-related communication systems.
a. I only.
b. II only.
c. I and II only.
d. I, II and III.
124. Internal auditors are more likely to detect fraud by developing and strengthening their ability to:
125. In some cases of fraud, it is necessary to use the services of a forensic auditor. Which of the following
is generally not a type of investigation that is conducted by forensic auditors?
b. Management compensation.
c. Acts of extortion.
CIA Part 1 Mock Exam #1 Answers
Solutions
The chart below cross-references the question numbers for Part 1 (Exam #1) with the topics
tested:
Ethics 75
CIA Part 1 Mock Exam Answers
1. Solution: b
a. Incorrect. The internal audit charter defines the necessary authorities and responsibilities.
b. Correct. The internal audit manual and annual audit plan help determine the resource requirements.
c. Incorrect. The internal audit charter defines the role and responsibility of the internal audit activity and
acts as a benchmark for evaluating the audit function.
d. Incorrect. The internal audit charter should be approved by senior management and the board.
2. Solution: d
a. Incorrect. The Standards do not require internal auditors to ensure compliance with reporting
procedures.
b. Incorrect. There is no expected match of fund flows with expense items in a single time period.
c. Incorrect. This would be the function of the personnel and/or finance departments.
d. Correct. Internal auditors are responsible for identifying inadequate controls, for appraising managerial
effectiveness, and pinpointing common risks.
3. Solution: a
a. Correct. The purpose, authority, and responsibility of the IAA should be formally defined in the charter,
which is approved by management and the board.
b. Incorrect. Adoption of policies helps guide the internal auditing staff, but not with its status.
c. Incorrect. The establishment of the audit committee does not ensure the status of the IAA without its
involvement in matters such as acceptance of the charter.
d. Incorrect. Written policies and procedures guide the internal auditing staff, not protect the IAA’s status.
4. Solution: a
a. Correct. Based on Implementation Standard 2210.A3, if control criteria are inadequate, then internal
auditors must work with management to develop appropriate evaluation criteria.
b. Incorrect. The auditor should seek to understand the operating standards as they are applied to the
organization. Also, best practices may produce overly high standards.
c. Incorrect. The Standards state that if internal auditors must interpret standards, they should seek
agreement with the engagement client.
d. Incorrect. The auditor should first seek to gain an understanding with the departmental manager on
the appropriate standards.
5. Solution: d
c. Incorrect. The Core Principles for the Professional Practice of Internal Auditing are considered
mandatory guidance.
6. Solution: d
a. Incorrect. The professionalization of internal auditing is important, but it is not one of the purposes of
the Standards.
b. Incorrect. Independence and objectivity are aspects of the internal audit activity, but not one of the
purposes of the Standards.
d. Correct. According to the IIA, the Standards are intended to: 1) Guide adherence with the mandatory
elements of the International Professional Practices Framework. 2) Provide a framework for performing
and promoting a broad range of value-added internal auditing services. 3) Establish the basis for the
evaluation of internal audit performance. 4) Foster improved organizational processes and operations.
7. Solution: b
a. Incorrect. The IAA charter does not protect the IAA from outside influence.
b. Correct. The purpose, authority, and responsibility of the IAA must be formally defined in the charter.
c. Incorrect. The IAA charter does not define the relationship between the internal and external auditors.
d. Incorrect. The CAE should not, under any circumstance, be a member of the audit committee.
8. Solution: d
a. Incorrect. This will not help the CAE understand whether any specific IAA goal is being met.
b. Incorrect. Comparing the audit plan with actual audit activity will not tell the CAE whether the IAA’s
broader audit coverage goals are being met.
c. Incorrect. Surveys of management satisfaction will only tell the IAA how management feels about the
services provided by the IAA and not whether any specific IAA goal is being accomplished.
d. Correct. Implementing a quality assurance and improvement program (QAIP) can assist the CAE in
determining whether the IAA’s audit coverage goals are being met. The QAIP evaluates and analyzes
the effectiveness and efficiency of IAA operations, which has to do with understanding whether stated
IAA goals and objectives are being achieved.
9. Solution: a
a. Correct. Review and testing of the other department’s procedures may reduce necessary audit cover-
age of the function or process.
c. Incorrect. The internal auditor cannot rely on the work of others without verifying the results.
d. Incorrect. The internal audit activity’s overall responsibility for assessing the function or process is not
affected by the other department’s coverage.
10. Solution: d
a. Incorrect. Policies and procedures provide guidance but will not be the source of authority.
b. Incorrect. The authority of the internal audit activity is detailed in the charter and approved by the
board.
c. Incorrect. The Code of Ethics is the means of promoting an ethical culture in the internal auditing
profession.
d. Correct. The purpose, authority, and responsibility of the internal audit activity should be defined in
the charter. The charter should establish the internal audit activity’s position within the organization;
authorize access to records, personnel, and physical properties relevant to the performance of
engagements; and define the scope of internal audit activities (PA 1000-1).
11. Solution: d
d. Correct. The correct principle is, “Is insightful, proactive, and future-focused.”
12. Solution: c
a. Incorrect. Goals are statements of activities that are to be accomplished. Policies and procedures are
the means by which the goals are achieved.
b. Incorrect. Goals are statements of activities that are to be accomplished. Engagement work schedules
are a means to achieve goals.
c. Correct. The goals of the IAA should be capable of being accomplished within specified operating plans
and budgets and, to the extent possible, should be measurable. They should be accompanied by
measurement criteria and targeted dates of accomplishment.
d. Incorrect. Staffing plans and financial budgets are a means of accomplishing specified goals.
13. Solution: c
b. Incorrect. Correcting internal control weaknesses is the function of management, not a function of the
internal auditor.
c. Correct. As described by the IIA, the internal auditors’ primary purpose in reviewing an organization’s
existing risk management, control, and governance processes is to provide reasonable assurance that
these processes are functioning as intended and will enable the organization’s objectives and goals to
be met.
d. Incorrect. This is a basic objective from a financial accounting and auditing perspective but is not broad
enough to cover the internal auditor’s entire purpose for review.
I. Correct. Internal auditing should assess an operating department’s effectiveness in achieving its stated
goals.
II. Incorrect. The safeguarding of assets is the responsibility of management, not internal auditing.
III. Correct. Internal auditors should evaluate controls over compliance with laws and regulations.
IV. Correct. Internal auditors should ascertain the extent to which objectives and goals have been
established.
15. Solution: b
a. Incorrect. Internal auditors do not impose corrective measures. This is the responsibility of
management.
b. Correct. Internal auditors need to maintain a satisfactory relationship with engagement clients. In
order to enhance this relationship, it is good policy to involve the client on all engagements. Developing
a positive relationship produces a more favorable environment for the engagement effort.
c. Incorrect. Internal auditors could be part of a fraud investigation, but such involvement would not be
considered a consultative engagement.
16. Solution: b
a. Incorrect. Acceptance of the gift could easily be presumed to have impaired independence and thus
would not be acceptable.
b. Correct. As long as the individual has the CIA designation, then he or she should be guided by the
profession’s Code of Ethics in addition to the organization’s code of conduct. Rule of conduct 2.2
precludes such gifts because they could be presumed to have influenced the individual’s decision.
c. Incorrect. As long as the individual has the CIA designation, then the CIA should be guided by the IIA’s
Code of Ethics.
17. Solution: d
a. Incorrect. Periodic review and acknowledgment would not be very helpful, because acceptance of the
code is really not an issue with the employees.
b. Incorrect. Employee involvement in its development would not be very helpful because employee
acceptance is really not an issue.
c. Incorrect. Public knowledge of its contents and purpose might affect a few employees but would not be
as effective as provisions for disciplinary action in the event of violations.
d. Correct. Provisions for disciplinary action in the event of violations would be the most effective method
to deter misconduct.
18. Solution: b
a. Incorrect. A conflict of interest policy would prohibit the acceptance of money, gifts, or services from a
customer.
b. Correct. A person has the right to participate in the management of a public agency (a government
agency). Thus, it would not be included in a manufacturer’s conflict of interest policy.
c. Incorrect. A conflict of interest policy would prohibit financial dealings between an employee and
vendors or suppliers.
d. Incorrect. The IIA Code of Ethics prohibits the use of information for personal gain.
19. Solution: b
b. Correct. The internal auditor would be in violation of the objectivity rule of conduct. According to rule
2.3, internal auditors shall disclose all material facts known to them, that if not disclosed, may distort
the reporting of activities under review. In this case, capitalizing general maintenance cost would distort
the financial statements.
20. Solution: b
a. Incorrect. Being active in a charitable organization is unlikely to be contrary to the interests of the
organization.
b. Correct. According to the Code, an “Internal auditor shall not participate in any activity or relationship
that may impair or be presumed to impair their unbiased assessment.” Thus, an internal auditor and
part-time business broker would be considered to be incompatible.
21. Solution: c
a. Incorrect. Audit management should always be informed concerning any such offers.
b. Incorrect. Audit management should always be informed concerning any such offers.
c. Correct. Even though the gift is of significant value, because it is part of a company-sponsored program
it might be acceptable for the internal auditor to accept the gift. However, it is still recommended that
the internal auditor first confirm the acceptance with the CAE.
d. Incorrect. Declining the gift could erode the audit function's relationship with the division in question.
Audit management should first be informed and consulted for guidance.
22. Solution: c
a. Incorrect. The auditor is not withholding information because the information has been forwarded to
the CAE. The information may be useful in a subsequent engagement in the marketing area.
b. Incorrect. The auditor has documented a red flag that may be important in a subsequent engagement.
This does not violate the Standards.
23. Solution: b
a. Incorrect. Objectivity is not impaired when the internal auditor reviews procedures before they are
implemented.
b. Correct. According to the Standards, persons transferred to the internal audit activity should not be
assigned to audit activities that they previously performed until a reasonable period of time (at least
one year) has elapsed.
c. Incorrect. The internal auditor’s objectivity is not adversely affected when the auditor recommends
standards of control for systems before they are implemented. This is in fact what the internal auditor
should do.
d. Incorrect. The use of staff from other areas to assist the internal auditor does not impair objectivity,
especially when the staff is from outside the area being audited.
24. Solution: d
b. Incorrect. The auditor’s familiarity with the auditee could compromise the internal auditor’s objectivity.
c. Incorrect. Assuming operational duties could compromise the auditor’s objectivity if the auditor had to
then perform an engagement of the operation.
d. Correct. It is highly likely that an auditor at some time will have to rely on the opinion of an outside
expert.
25. Solution: a
a. Correct. When the IAA or individual internal auditor is responsible, or may be responsible, for an
operation that it might audit, the internal auditor’s independence and objectivity may be impaired.
c. Incorrect. It is acceptable for the internal auditor to recommend standards of control, but the internal
auditor is not able to design, install, or draft procedures. These functions may impair the internal
auditor’s objectivity.
d. Incorrect. It is acceptable for the internal auditor to review contracts prior to their execution.
26. Solution: d
a. Incorrect. Engagement communications should go directly to the audit committee, not be forwarded by
management.
c. Incorrect. Ideally, the CAE would administratively report to the CEO or high enough officer to maintain
independence, and functionally to the audit committee or some other appropriate governing board.
Under the ideal situation, all engagement communications are sent to the audit committee as well.
d. Correct. Internal auditors should first discuss conclusions and recommendations with management so
that management is able to verify the accuracy of the engagement communications. Final engagement
communications would then be sent to the audit committee.
27. Solution: b
a. Incorrect. Regardless of the reason, there is a scope limitation when a test in an engagement cannot
be performed as planned.
b. Correct. The board has the right to delete an engagement from the annual IAA work schedule.
Therefore, this is not considered to be a scope limitation.
c. Incorrect. Not being able to contact certain customers would be considered a scope limitation.
28. Solution: b
a. Incorrect. Limiting the scope of the audit based on proprietary information would be considered a scope
limitation, but the internal auditor would report the limitation to the board or audit committee, not
to the controller.
b. Correct. This is the best combination. If the internal auditor does not have access to records, then this
needs to be reported to the board.
c. Incorrect. Delaying the audit by 2 weeks would not be considered a scope limitation.
d. Incorrect. Not allowing the auditor to contact major customers would be considered a scope limitation.
Additionally, the limitation would have to be reported to the board or audit committee.
29. Solution: c
a. Incorrect.
b. Incorrect.
c. Correct. This is correct because the CAE should functionally report to the board or audit committee
and administratively report to upper management.
d. Incorrect.
30. Solution: b
a. Incorrect. Administrative reporting does include developing and submitting the annual internal auditing
budget.
b. Correct. Approving the risk-based internal audit plan is connected with functional reporting, not
administrative reporting.
c. Incorrect. Administrative reporting does include the administration of the internal audit activity’s
policies and procedures.
I. Correct. Auditing an area for which the auditor was responsible more than one year ago is perceived
not to impair objectivity.
II. Incorrect. Accepting a sizable gift from a client after the successful completion of an audit is perceived
to impair objectivity.
III. Incorrect. Designing control procedures for an engagement client is perceived to impair objectivity.
IV. Correct. Accepting a small token of appreciation from a client after the successful completion of an
audit is perceived not to impair objectivity.
32. Solution: d
a. Incorrect. Internal auditors are able to test whether balances are accurately stated.
c. Incorrect. Internal auditors should develop audit plans for future audits.
33. Solution: b
b. Correct. This is a true statement concerning a consulting engagement. The auditor does not need to
be independent but does need to be objective.
34. Solution: a
I. Correct. Internal audit independence is achieved when internal auditors have unrestricted access to
all functions, records, property and personnel pertinent to carrying out any engagement.
II. Incorrect. Internal auditing will not have unlimited access to the external auditor’s working papers.
III. Correct. Internal audit independence is achieved when internal auditors have the necessary
resources to accomplish the audit objectives.
36. Solution: a
a. Correct. Ascertaining whether the feasibility study addresses the cost-benefit relationship would be a
role for internal auditing.
c. Incorrect. Determining the requirements for preparing a manual of specifications would be a
management role.
d. Incorrect. Participating in the ERP acquisition and implementation would be management’s role.
37. Solution: c
a. Incorrect. This statement is true. A conflict of interest can exist even if no unethical or improper act
results.
b. Incorrect. This statement is true. A conflict of interest can create an appearance of impropriety that
can undermine confidence in the internal auditor.
c. Correct. This statement is not true. An auditor’s conflict of interest in a consulting activity
should be disclosed to the client. If the client has no objections, then the auditor may remain on the
consulting engagement.
d. Incorrect. This statement is true. A conflict of interest could impair an individual’s ability to perform
his or her duties and responsibilities objectively.
38. Solution: b
a. Incorrect. Making sure job assignments minimize potential conflicts of interests is a way to promote
objectivity.
b. Correct. Promoting continuing professional development enhances skills and knowledge. It does not
promote objectivity.
c. Incorrect. Developing a strong QAIP system is a method to ensure organizational independence and
objectivity.
a. Incorrect. Items I and II are correct, but there are also other correct choices.
b. Incorrect. Items I and II are correct. However, item IV is not correct. Engagement procedures, even
when exercised with due professional care, cannot guarantee that all significant risks will be identified.
c. Incorrect. Items I, II, and III are correct. Item IV is not correct. Engagement procedures, even when
exercised with due professional care, cannot guarantee that all significant risks will be identified.
d. Correct. Only items I, II and III are correct. The internal auditor can only provide reasonable assurance
that significant risks will be identified, not a guarantee.
40. Solution: c
41. Solution: c
a. Incorrect. The internal auditor needs to be proficient in auditing procedures and techniques.
b. Incorrect. The internal auditor needs to have an appreciation of accounting principles and techniques.
I. Correct. Internal auditors need to understand human relations and be skilled in dealing with people.
II. Correct. Internal auditors need to be able to understand what constitutes materiality and the
significance of deviations from good business practice.
III. Incorrect. Internal auditors are not expected to be experts in a wide variety of fields related to their
audit responsibilities.
IV. Correct. Internal auditors should be skilled in oral and written communication.
43. Solution: d
a. Incorrect. It is not likely that an internal auditor would be able to handle all engagements.
c. Incorrect. Accountants may be needed, but other skills will be needed as well.
d. Correct. Collectively, the IAA should have necessary skills, knowledge, and experience to carry out its
activities. The IAA may use both internal and external resources that are qualified in such disciplines
as accounting, tax, engineering, law, environmental, and IT.
II. Correct. Internal auditors must be proficient in accounting principles when auditing an organization’s
financial statements.
III. Incorrect. Internal auditors must have an appreciation, not proficiency, of accounting and computerized
information systems.
45. Solution: c
a. Incorrect. Providing technical training to gain proficiency as a valuation expert is not the purpose of
continuing professional education.
b. Incorrect. Continuing professional education is required so internal auditors are able to fulfill their
assigned responsibilities.
c. Correct. Continuing professional education and training are necessary so internal auditors have the
knowledge and skills required to fulfill their assigned responsibilities.
d. Incorrect. Having knowledge required to perform a peer review is not the purpose of continuing
professional education.
46. Solution: d
47. Solution: a
a. Correct. Each member of the internal audit staff need not have an accounting degree. The internal
audit activity collectively must possess or obtain the knowledge, skills, and other competencies
needed to perform its responsibilities (Standard 1210).
b. Incorrect. Obtaining college transcripts would be an acceptable way to check the qualifications of the
prospective hire.
c. Incorrect. Checking an applicant's references would be an acceptable way to check the qualifications
of the prospective hire.
d. Incorrect. Determining previous job experience would be an acceptable way to check the qualifications
during the hiring process.
48. Solution: c
a. Incorrect. Reviewing large, abnormal, or unexplained expenditures would be appropriate for the
prevention and detection of fraud.
b. Incorrect. Reviewing sensitive expenses such as legal fees, consulting fees, and foreign sales
commissions would be appropriate for the prevention and detection of fraud.
c. Correct. The internal auditor must exercise due professional care by considering the relative
complexity, materiality, or significance of matters to which assurance procedures are applied. Cost of
assurance in relation to potential benefits should also be considered (Standard 1220.A1). Therefore, the
review of every control pertaining to petty cash would be considered excessive and inefficient.
d. Incorrect. Reviewing unusual contributions would be appropriate for the prevention and detection of
fraud.
I. Correct. Materiality is defined by the potential impact of an item on the organization and is not limited
to items that can be assessed only in qualitative terms.
II. Incorrect. There may be some control failures of a minor nature that would not be considered material.
III. Incorrect. Sampling approaches may be used to comprehensively cover the control structure of an
organization.
50. Solution: c
b. Incorrect. The audit had to do with evaluating the procedures to increase the diversity of the
organization’s workforce, not to ascertain whether the company is in line with its diversity policies.
c. Correct. Exercising due professional care includes following up to see that the client has taken
appropriate action. This does not mean that the client has to implement every recommendation submitted
by the auditor, but it is expected that the client considers the recommendations.
51. Solution: c
a. Incorrect. Due professional care does not entail reviewing all transactions.
b. Incorrect. Due professional care does not entail infallibility and extraordinary performance; it only
entails reasonable care and skill.
c. Correct. Due professional care implies reasonable care and competence, not infallibility or
extraordinary performance (PA 1220-1).
d. Incorrect. The internal auditor is unable to give 100% absolute assurance, only reasonable assurance.
52. Solution: b
a. Incorrect. Due professional care includes making sure the content of the working papers is sufficient
to provide support for the internal auditor's opinion.
b. Correct. Making sure the company is protected against future lawsuits is not an aspect of due
professional care.
c. Incorrect. Due professional care includes considering the probability of significant errors, fraud or
noncompliance.
d. Incorrect. Due professional care includes considering the cost of the engagement in relation to
potential benefits.
53. Solution: c
a. Incorrect. The CAE may not be directly involved in the hiring of the service provider.
b. Incorrect. The service provider does not need to have the CIA designation.
c. Correct. When using the services of an outside service provider, the CAE needs to evaluate the skills
and reputation of the service provider.
d. Incorrect. The service provider does not need to have knowledge of the internal auditing standards.
54. Solution: a
d. Incorrect. Internal auditors need to be proficient in applying the internal audit standards.
55. Solution: c
c. Correct. It is not possible for an auditor to state with absolute assurance that no irregularities exist.
d. Incorrect. The internal auditor is not obligated to report to external authorities unless legally required
to do so.
56. Solution: b
b. Correct. The internal auditor is only able to give reasonable assurances, not absolute. In this case, due
care was applied because the internal auditor used appropriate sampling methods.
c. Incorrect. The internal auditor is not able to give 100% absolute assurance that fraud will not go
undetected.
d. Incorrect. The internal auditor should not be held responsible for the oversight because appropriate
sampling methods were used.
57. Solution: d
a. Incorrect. The Standards do not require that every internal auditor possess all knowledge on all
subjects.
c. Incorrect. Encouraging additional training will not fulfill the current staffing need.
d. Correct. The CAE should offer the individual a staff position if other staff members have sufficient
knowledge of EMS.
I. Correct. Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The IAA collectively should have or obtain the knowledge,
skills, and other competencies needed to perform its responsibilities (Standard 1210). As long as the
senior internal auditor closely supervises the staff internal auditor, then this would be an appropriate
arrangement.
59. Solution: c
a. Incorrect.
b. Incorrect.
c. Correct. Rule of Conduct 4.3 states that “internal auditors shall continually improve their proficiency
and the effectiveness and quality of their services.” Rule of Conduct 4.2 states that “internal auditors
shall perform internal auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing.” Moreover, Standard 1230 states that “internal auditors must
enhance their knowledge, skills, and competencies through continuing professional development.” Thus,
both the Standards and The IIA’s Code of Ethics are violated by failing to maintain proficiency through
continuing education.
d. Incorrect.
60. Solution: b
a. Incorrect. Identifying potential ways in which a misstatement could occur and ranking them is exercising
due professional care on the part of the internal auditor.
b. Correct. It is expected that engagement work programs can be modified if the work environment
has changed. Thus, the internal auditor would not be exercising due professional care if he
failed to investigate a possible misstatement based on the fact that the work program had already been
approved.
d. Incorrect. In this case, approval from the engagement client is not required.
61. Solution: a
a. Correct. External assessments of the IAA should appraise and express an opinion as to the IAA’s
compliance with the Standards for the International Professional Practice of Internal Auditing and, as
appropriate, should include recommendations for improvement. External assessment should be
conducted at least once every five years (PA 1312-1).
b. Incorrect. It will be the internal assessment that will provide recommendations for improvement.
c. Incorrect. It will be the internal assessment that will determine whether internal auditing services meet
professional standards.
d. Incorrect. It will be the internal assessment that will identify tasks that can be performed better.
62. Solution: b
a. Incorrect. The tools and techniques employed by the IAA would be within the broad scope of coverage
of the external assessment.
b. Correct. The external assessment should consist of a broad scope of coverage that includes: (1)
Conformance with the Definition of Internal Auditing, Standards, The Code of Ethics and the internal audit
activity’s charter, plans, policies, procedures, practices, and applicable legislative and regulatory
requirements; (2) the expectations of the IAA expressed by the board, executive management and
operational managers; (3) the integration of the IAA into the organization’s governance process, including
the relationships between and among the key groups involved in the process; (4) tools and techniques
employed by the IAA; (5) the mix of knowledge, experience, and disciplines within the staff, including
staff focus on process improvement; and (6) the determination as to whether or not the IAA adds value
and improves the organization’s operations (PA 1312-1.10). A detailed cost-benefit analysis of the IAA
would not be part of the external assessment.
c. Incorrect. Compliance with the Standards for the International Professional Practice of Internal Auditing
is within the broad scope of coverage of the external assessment.
d. Incorrect. Adherence with the IAA’s charter is within the broad scope of coverage of the external
assessment.
63. Solution: b
a. Incorrect. Promising the client to have the internal auditor finish the work within one week without
proper background information on the current engagement would jeopardize the authority of the IAA.
b. Correct. In this situation, the CAE would have a responsibility to review the existing procedures to
determine whether the IAA has provided for proper planning and quality assurance. Not doing so would
jeopardize the authority of the IAA.
c. Incorrect. Presenting an immediate defense of the internal auditor could potentially harm future
communications with the client. It also could jeopardize the authority of the IAA.
d. Incorrect. The CAE has a responsibility not to discard potentially valid complaints.
64. Solution: d
a. Incorrect. External assessments express an opinion on the overall effectiveness of the quality program,
not the adequacy of internal controls.
b. Incorrect. External assessments express an opinion on the overall effectiveness of the quality program,
not the effectiveness of the internal auditing coverage.
c. Incorrect. External assessments express an opinion on the overall effectiveness of the quality program,
not conformance to the IAA charter.
d. Correct. The external assessment should consist of a broad scope of coverage that includes
conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards (PA 1312-1.10).
65. Solution: d
a. Incorrect.
b. Incorrect.
c. Incorrect.
d. Correct. Management and the board might request that the IAA participate in the performance of
the external auditor, including assessment of the external auditor’s independence. This assessment
should be carried out at least annually.
66. Solution: b
a. Incorrect. Quality assurance is not measured against the IIA’s Code of Ethics.
b. Correct. External assessments of an internal audit activity appraise and express an opinion as to the
IAA’s compliance with the Standards and, as appropriate, should include recommendations for
improvement.
c. Incorrect. Supervision is not limited to only planning, examination, evaluation, communication, and
follow-up process. It also includes training, employee performance evaluation, time and expense
control, and similar administrative areas.
I. Correct. An auditor from the company’s headquarters could be part of the external review of a regional
office.
II. Correct. An internal audit “peer” from another organization’s IAA could be part of the external review.
III. Incorrect. Only the tax consultant would not be appropriate to have on the external assessment team.
IV. Correct. A chartered accountant with internal auditing experience and who had been an external
auditor of the organization’s external financial reports could be part of the external review.
68. Solution: d
a. Incorrect. Staff promotions, pay raises, or disciplinary action result from a proper evaluation of auditor
performance.
b. Incorrect. Substantiating the quality program is significant but is not the primary purpose of supervisory
review.
c. Incorrect. Internal auditors must also conform to the Code of Ethics, the IAA's charter, and other
applicable standards.
d. Correct. The IAA's quality program should provide reasonable assurance that the internal auditing work
conforms to the Standards, the Code of Ethics, the IAA's charter, and other applicable standards.
69. Solution: a
a. Correct. It is unethical for an internal auditor to accept a fee or gift from an employee, client, customer,
supplier, or business associate. Accepting a fee or gift may create the appearance that the auditor's
objectivity has been impaired. The appearance that objectivity has been impaired may apply to current
and future engagements conducted by the auditor.
b. Incorrect. The receipt of the mug would not be considered an impairment to objectivity because it is
considered a token gift of insignificant value.
c. Incorrect. Recommending standards of control or reviewing procedures before implementation will not
impair objectivity.
d. Incorrect. As long as the internal auditor does not take on operating responsibility it is acceptable to
recommend standards of control or review procedures before implementation.
70. Solution: a
a. Correct. The paper lays out a simple and effective way to enhance communications on risk
management and control.
b. Incorrect. The paper does not lay out the functions of the audit committee.
c. Incorrect. Internal auditing is the third line of defense; however, the paper does not specifically describe
the monitoring functions of the internal audit activity.
d. Incorrect. The second line of defense is to alert operational management to emerging issues and
changing regulatory and risk scenarios.
71. Solution: b
a. Incorrect. Organizational structure is the way in which companies are directed and controlled.
b. Correct. The IIA Standards Glossary defines organizational governance as the combination of processes
and structures implemented by the board to inform, direct, manage, and monitor the achievement of
its objectives.
72. Solution: c
a. Incorrect. Internal auditing would review existing governance-related documentation so any governance
concerns can be identified.
c. Correct. Internal auditing would generally not report governance violations to outside authorities unless
specifically told to do so or there is a legal obligation.
d. Incorrect. When auditing a company’s governance process the IAA would execute the audit plan.
73. Solution: c
a. Incorrect. Management philosophy and operating style is a component of a company’s control
environment.
b. Incorrect. The integrity and ethical values of a company is a component of a company’s control
environment.
c. Correct. Formulating business objectives comes after assessing a company’s control environment.
74. Solution: a
a. Correct. Executive management is responsible for risk management, the board and audit committee
provide an oversight function, and internal auditors serve in the capacity of oversight and advisory
roles.
b. Incorrect. Executive management is responsible for risk, not the board or audit committee.
d. Incorrect. Executive management is responsible for risk, not internal auditing. The board and audit
committee have an oversight role, not executive management.
75. Solution: c
a. Incorrect. Reviewing ethics-related policies and processes is a method to understand the ethical
climate of the organization.
b. Incorrect. Conducting a survey is a method to understand the ethical climate of the organization.
c. Correct. Facilitating an ethics-related training program is a way to promote an ethical climate within
the organization, not assess it.
76. Solution: a
a. Correct. CSR is generally understood to mean that corporations have a degree of responsibility not
only for the economic consequences of their activities but also for the social and environmental
implications.
b. Incorrect. The main focus of CSR is on both the natural and social environment.
c. Incorrect. CSR recognizes that while the primary responsibility for the enforcement of international
human rights standards lies with national governments, there is a growing acceptance that corporations
also have an important role to play.
d. Incorrect. CSR recognizes that companies need to be good corporate citizens, which means CSR goes
beyond earning money for shareholders. It's concerned with protecting the interests of all stakeholders,
such as employees, customers, suppliers, and the communities in which businesses operate. Companies
must pay equal attention to business ethics and sustainability.
77. Solution: b
a. Incorrect. Deciding what information to report is a bigger challenge than identifying the different groups
that have a legitimate interest in the company.
b. Correct. One of the biggest challenges with CSR is deciding what information to report because, unlike
financial reporting, there are no standards for CSR reporting.
d. Incorrect. Deciding the role of internal auditing in CSR is a board and management decision.
78. Solution: c
b. Incorrect. One of the concerns of CSR is that the use of the term CSR has become so broad that it has
allowed people to interpret and adapt it for many different purposes.
d. Incorrect. Despite the assumption of CSR that business outcomes and social objectives can become
more or less aligned, profit undoubtedly wins over principles.
79. Solution: b
a. Incorrect. It is acceptable for the IAA to audit the risk management process as part of the internal audit
plan.
b. Correct. The IAA is able to manage and coordinate the risk management process, but the IAA cannot
manage risk. Managing risk is management’s responsibility.
c. Incorrect. It is acceptable for the IAA to provide continuous support and be involved in the risk
management process such as participation on an oversight committee, monitoring activities, or providing
status reports.
d. Incorrect. It is possible the IAA could have no role in the risk management process. The level of
participation will depend on the board and senior management.
80. Solution: d
a. Incorrect. There is nothing management can do to eliminate inherent risk; however, management can
take steps to address and, where appropriate, mitigate its effects.
b. Incorrect. The level of risk that remains after management has taken actions to mitigate the risk is
referred to as residual risk.
c. Incorrect. This is incorrect because an inherent risk can be an operational risk, or it can be strategic or
some other type of risk.
d. Correct. None of the answers are correct. SMA defines inherent risk as “the level of risk in each event
before any mitigation action is taken.”
81. Solution: c
c. Correct. Reputation risk is a strategic risk. If the reputation of a company suffers, it can take a long
time to regain the trust of the public.
d. Incorrect. Hazard risks are events that can be mitigated through insurance.
82. Solution: a
83. Solution: b
b. Correct. Variable sampling is a process used to predict the value of a specific variable.
d. Incorrect. Analyzing feedback from risk questionnaires and risk surveys is a technique for identifying
risks.
84. Solution: c
b. Incorrect. Inherent risk is the level of risk that resides with an event or process prior to management
taking a mitigation action.
c. Correct. Residual risk is the level of risk that remains after management has taken action to mitigate
the risk.
d. Incorrect. Transactional risk is the exchange rate risk associated with the time delay between entering
into a contract and settling it.
85. Solution: b
a. Incorrect. This is incorrect because expected loss is the amount management expects to lose and
unexpected loss is the loss during a very bad year.
b. Correct. Expected loss is the amount that management expects to be lost to a given risk on average
in one year. Unexpected loss is the amount that a cautious manager might think could be lost to the
risk in a very bad year, in excess of the expected loss amount, up to the maximum probable loss.
Businesses could set up a reserve for the amount of an unexpected loss.
c. Incorrect. Expected loss is the loss that management expects to occur during the period; however, the
worst-case scenario loss is referred to as the maximum possible loss.
d. Incorrect. Expected loss is the loss that is expected to occur during the period, which often is the
short-term. Unexpected loss is the loss that is expected during a very bad year.
86. Solution: b
a. Incorrect. A reason to use VaR is to measure and control the level of risk that the firm undertakes.
b. Correct. VaR is based on a normal distribution, whereas a fat-tailed distribution exhibits large
skewness or kurtosis as the event gets further from the mean.
c. Incorrect. A reason to use VaR is to give management a level of confidence that the loss level will not
be exceeded during a certain period of time.
d. Incorrect. A reason to use VaR is to ensure that risks are not taken beyond the firm’s ability to absorb
the losses of a probable worst outcome.
87. Solution: d
d. Correct. If the risks are negatively correlated with one another, they act as natural hedges for each
other and do not need to be mitigated.
88. Solution: b
a. Incorrect. Risk monitoring and control is the last step in the risk management process.
b. Correct. Risk avoidance is a method of responding to risk, but it is not a step in the risk management
process.
c. Incorrect. Risk response planning is the fourth step in the risk management process.
d. Incorrect. Risk assessment is the second step in the risk management process.
89. Solution: c
a. Incorrect. Risk mitigation entails lowering the risk, not eliminating the threat of the risk.
b. Incorrect. Risk deflection consists of assigning risks to another party in a formal way. This is also
known as transferring the risk.
c. Correct. Risk avoidance involves the company eliminating the risky event or item. This might be
done by selling the business, or not doing the business transaction (e.g., not speculating on
derivatives).
d. Incorrect. Residual risk is the risk that is left after controls have been implemented to mitigate the
risk.
90. Solution: b
a. Incorrect. Given the value of the project, eliminating the project is not an option.
b. Correct. In order to deflect the risk, the company could take out some form of insurance to cover for
the potential risk of bodily injury.
c. Incorrect. Establishing a contingency fund is an accounting method to account for the risk of the
project.
91. Solution: d
d. Correct. The following are all factors that could influence an organization’s risk appetite:
• The viewpoints of the major stakeholders, including the views of the company’s major
shareholders, bondholders, lenders, analysts, and many others. Each stakeholder might have a different
opinion as to how much risk a company should take on.
• Accounting factors, such as the volume of transactions, the complexity of the accounting system,
changing rules and regulations.
• External factors, such as changing economic considerations, changes in industry, changes in
technology, etc.
• Governmental restrictions.
• Entity-level factors, such as the quality and quantity of hired personnel, quality of training courses,
changes in key personnel, etc.
92. Solution: c
a. Incorrect. ERM provides reasonable assurance that goals and objectives will be achieved.
b. Incorrect. Risk and control processes are established by management, not by internal auditors.
Independence and objectivity would be impaired if internal auditors were involved in establishing control
activities.
c. Correct. COSO provides the following definition for enterprise risk management: Enterprise risk
management is a process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding achievement of entity objectives.
d. Incorrect. ERM is not about selecting the best response to risk but selecting the response that fits the
organization’s risk appetite.
93. Solution: a
a. Correct. ERM is able to align the entity’s strategy with the level of risk the firm is willing to take on
(risk appetite); however, it cannot determine the firm’s risk appetite. Determining risk appetite is a
board and management function.
c. Incorrect. ERM can improve the ability of the firm to act on opportunities.
d. Incorrect. ERM can improve utilization of capital and the resources of the company.
94. Solution: d
d. Correct. Administrative cost cutting would more likely be a short-term objective, not a strategic
objective.
95. Solution: d
a. Incorrect. Governance and Culture is a component of the ERM model; however, the identification of
risks is one of the principles of the Performance component.
b. Incorrect. Strategy and Objective-setting is a component of the ERM model; however, the identification
of risks is one of the principles of the Performance component.
c. Incorrect. Control Activities is one of the components of COSO’s Control model, not the ERM model.
d. Correct. The identification of risks is one of the principles of the Performance component.
I. Incorrect. ERM is not able to anticipate every risk that could result in a loss.
97. Solution: c
a. Incorrect. Giving assurance on the risk management processes is a core internal audit role in regard to
ERM.
b. Incorrect. Developing a risk management strategy for board approval is a legitimate internal audit role
in regard to ERM.
c. Correct. Setting the risk appetite is a role for management and the board.
d. Incorrect. Coordinating ERM activities is a legitimate internal audit role in regard to ERM.
98. Solution: c
c. Correct. The basic process of control is to set objectives, measure performance, and take corrective
action if deficiencies are found. Assigning responsibility is not part of the controlling function.
99. Solution: a
a. Correct. The purpose of the control process is to support people of the organization in the management
of risks and the achievement of its established and communicated objectives. Control processes are
expected to ensure that operations are performed efficiently and achieve established objectives (PA
2130).
c. Incorrect. The board provides guidance and oversight of management’s performance, not the IAA.
d. Incorrect. Controls are meant to provide reasonable assurance that management’s goals and objectives
will be achieved in a timely manner. Controls do not directly address management’s planning,
organizing, and directing processes.
100. Solution: b
a. Incorrect. Corporate-level controls are mostly manual, whereas operational-level controls are both
automated and manual.
b. Correct. Corporate-level controls are mostly manual and include general policy statements, values,
and overall monitoring procedures.
c. Incorrect. Corporate-level controls are mostly manual, whereas operational-level controls are both
automated and manual.
d. Incorrect. Operational-level controls include both manual and automated controls, whereas corporate-
level controls are mostly manual. However, where corporate-level controls do encompass planning
and performance monitoring, risk evaluation is done at the operational level.
101. Solution: a
a. Correct. Operating controls are those applicable to production and support activities. In some cases,
an operating activity like customer service or security is difficult to measure because there is no set
control standard.
b. Incorrect. Financial controls are more specific than operating controls and thus are easier to measure.
c. Incorrect. Directive controls direct a desirable action. Therefore, directive controls are easier to evaluate
than operating controls.
d. Incorrect. Preventive controls prevent an undesirable event from happening. Preventive controls are
easier to evaluate than operating controls.
102. Solution: c
a. Incorrect. Locking the general ledger in a safe each night is a preventive control.
b. Incorrect. Making sure that all bills are marked “Paid” to prevent duplicate payment is a preventive
control.
c. Correct. Preventive controls prevent errors from occurring in the first place. Reconciliation will only
provide evidence that an error has already occurred (a feedback control).
d. Incorrect. Making sure that customer numbers are verified is a preventive control.
103. Solution: b
b. Correct. Concurrent control is a management technique used to monitor processes and behaviors to
ensure that they conform to regulations and standards. The monitoring takes place during the process
or activity, often in real time, with the goal of making adjustments to prevent errors. Online activity
monitoring happens in real-time and would be considered a concurrent control.
104. Solution: b
a. Incorrect. This is not an efficiency measure because there is no comparison of input to output.
d. Incorrect. This is not an efficiency measure because there is no comparison of input to output.
105. Solution: a
a. Correct. Because planning is impacted more by the organization's environment, the planning
information is more likely to be generated using external data.
c. Incorrect. Both types of information need to be quantifiable, but planning is likely to require less
quantification.
106. Solution: b
a. Incorrect. This situation could be avoided by making sure the controller is not able to make and record
cash deposits. These functions should be segregated.
b. Correct. This is an example of collusion, where the security guard let the employee steal company
property. Collusion is an inherent limitation of internal control because no matter how tight controls
are, two or more people can work together to circumvent the controls.
c. Incorrect. This situation could be avoided by making sure that credit sales have proper authorization.
d. Incorrect. This situation could be avoided by making sure that hired employees are qualified for their
positions.
107. Solution: c
108. Solution: d
a. Incorrect. Application controls ensure that input data is accurate, complete, authorized, and correct.
b. Incorrect. Application controls ensure data is processed as intended in an acceptable time period.
d. Correct. Allowing only authorized personnel to access information in the network is a general control,
not an application control.
109. Solution: c
a. Incorrect. Total dollars committed would not detect favoritism shown to individual vendors.
b. Incorrect. Detailed material specifications will not prevent buyer favoritism in placing orders.
c. Correct. Periodic rotation of buyer assignments will limit the opportunity for any buyer to show
favoritism to a particular supplier.
110. Solution: b
a. Incorrect. The bookkeeper should not sign the checks and reconcile the checking account. These
functions should be segregated. Therefore, the recording of cash receipts is inadequate.
b. Correct. The bookkeeper should not sign the checks and reconcile the checking account. These
functions should be segregated. Therefore, the accounting for cash is inadequate.
c. Incorrect. The bookkeeper should not sign the checks and reconcile the checking account. These
functions should be segregated. Therefore, the reconciliation of the cash account is inadequate.
d. Incorrect. The bookkeeper should not have custody of cash and reconcile the checking account. These
functions should be segregated. Therefore, physical safeguards of cash are inadequate.
111. Solution: a
a. Correct. For proper segregation of duties, the payroll clerk should not have custody of the check
signature stamp.
b. Incorrect. Preparing the payroll register is a record-keeping function of the payroll clerk.
c. Incorrect. The payroll register should be approved by an officer of the organization, such as the chief
accountant.
112. Solution: b
b. Correct. This is a control weakness. The receiving reports should be forwarded to the accounts payable
department, where they are matched to the purchase order.
c. Incorrect. The accounts payable department may prepare documentation but should not sign checks.
d. Incorrect. Unpaid vouchers and perpetual inventory records should be independently maintained.
113. Solution: c
a. Incorrect. Establishing controls and executing them is not a violation of the segregation of
duties.
b. Incorrect. Designing controls and monitoring them is not a violation of the segregation of duties.
c. Correct. The intent of the segregation of duties is to make it difficult to perpetrate errors and
frauds and then conceal them.
d. Incorrect. Recording transactions in the journal and ledger is not a violation of the segregation
of duties.
114. Solution: d
a. Incorrect. Having a commitment to financial reporting competence is a principle of the control
environment.
b. Incorrect. Having the right management philosophy and operating style is a principle of the control
environment.
c. Incorrect. Having the right human resource policies and procedures is a principle of the control
environment.
d. Correct. Determining the company’s financial reporting objectives is part of the risk assessment
process.
115. Solution: c
a. Incorrect. An effective control system reflects what the organization is trying to measure and control.
b. Incorrect. An effective control system is understandable by all persons using the control.
c. Correct. An effective control system has a positive cost-benefit ratio, which means the organization
saves more than the cost of the control.
116. Solution: c
a. Incorrect. Having a strong human resource department and strong personnel policies can reduce the
motivation to commit fraud.
b. Incorrect. Having a strong internal control system can reduce the opportunity to commit fraud.
c. Correct. Ethics training and a principled corporate culture can help a company reduce the ability of an
individual to rationalize fraud.
d. Incorrect. Having a drug and gambling problem is a motivating factor to commit fraud.
117. Solution: c
c. Correct. Claims submitted for services or goods not actually provided to the organization would not
be beneficial to the organization.
d. Incorrect. Sale or assignment of fictitious or misrepresented assets would benefit the company.
118. Solution: a
a. Correct. If an internal auditor notes that there is a possibility of fraud, then the internal auditor needs
to expand audit activities to determine whether an investigation is warranted.
b, c, and d are incorrect. The auditor should first expand work to determine the existence of fraud before
reporting the matter to top management. At this point, the auditor only has suspicions of fraud, given
the red flags. More work should be performed before consulting with management, external legal
counsel, or the audit committee.
119. Solution: b
a. Incorrect. Predefined spending levels would probably already include the fraudulent amounts and would
only limit the size of the fraud.
b. Correct. Additional authorization would be the most likely method for preventing the fraud.
c. Incorrect. The bill of lading would agree with the purchase order. The quantity received (verified by a
third party) should be compared to both the bill of lading and the purchase order.
d. Incorrect. The computer matching would only verify the fraudulent paperwork.
120. Solution: c
a. Incorrect. The current quarter’s expense would equal the prior period’s activity unless the manager just
started this fraud. The auditor has no information on how long this might have been occurring.
b. Incorrect. Physical testing would not locate nonexistent parts that have already been charged to
maintenance.
c. Correct. Analysis of repair parts charged to maintenance would quantify the excessive number of items
and detect that abuse may be occurring.
d. Incorrect. Lack of segregation of duties allowed the fraud to occur. The manager was authorized to
process both the purchase and receipt, so the test would only verify the fraudulent paperwork.
121. Solution: a
a. Correct. Most fraud perpetrators would attempt to conceal their theft by charging it against an expense
account.
b. Incorrect. Debiting the stolen asset account would be going in the wrong direction to conceal an asset
theft.
c. Incorrect. An entry decreasing revenue would be unusual and would stand out.
d. Incorrect. This entry would not permanently conceal the fraud. It would simply shift the irreconcilable
balance to another asset account.
122. Solution: a
a. Correct. This is an acceptable control procedure, which is aimed at limiting risk while promoting
efficiency. It is not, by itself, considered a condition that indicates a higher likelihood of fraud.
b. Incorrect. Lack of rotation of duties or cross-training for sensitive jobs is an identified red flag.
I. Correct. Fraud is best prevented when management establishes and maintains strong internal controls.
II. Correct. Internal auditors are responsible for assisting management in the prevention and detection of
fraud.
III. Correct. Internal auditors should assess the operating effectiveness of fraud-related communication
systems.
124. Solution: a
a. Correct. The responsibility of internal auditors for detecting fraud includes having sufficient knowledge
of fraud to be able to identify indicators that fraud may have been committed. Fraud may be indicated
by negative organizational changes; thus, recognizing and questioning changes can help in the
detection of fraud.
b. Incorrect. Interrogation of fraud perpetrators is done to verify that fraud was committed, not to detect
the fact that fraud was committed.
c. Incorrect. Developing internal controls is done to prevent fraud, not detect it.
d. Incorrect. Documenting computerized operating systems is done to prevent fraud, not to detect it.
125. Solution: b
a. Incorrect. Deliberate falsification of accounting records is something that a forensic auditor would
investigate.
b. Correct. The level of management compensation is not an issue for a forensic auditor.
c. Incorrect. Acts of extortion are something that a forensic auditor would investigate.
d. Incorrect. Theft of company assets is something that a forensic auditor would investigate.