IIA-CHAL-QISA Exam Practice Test Instant Access

Question 1

Which of the following internal audit activities is performed in the design evaluation phase?

AThe internal auditor reviews prior audits and workpapers

BThe internal auditor identifies the controls over segregation of duties.

CThe internal auditor checks a process for completeness.

DThe internal auditor communicates the audit results to management

Answer : B

To determine which internal audit activity is performed in the design evaluation phase, it's essential to understand what each phase in the audit process entails. The design evaluation phase involves assessing whether the design of controls is adequate to mitigate risks to acceptable levels.

Option A: The internal auditor reviews prior audits and workpapers.

This activity typically occurs during the planning phase of an audit. Reviewing prior audits and workpapers helps the auditor understand the scope, findings, and context of previous audits, providing valuable information for planning the current audit.

Option B: The internal auditor identifies the controls over segregation of duties.

Identifying controls, particularly those related to segregation of duties, is a key part of the design evaluation phase. In this phase, the auditor assesses whether the control design, including segregation of duties, is sufficient to prevent or detect errors and fraud.

Option C: The internal auditor checks a process for completeness.

Checking a process for completeness is more aligned with the testing phase, where the auditor evaluates the operational effectiveness of controls. During this phase, the auditor ensures that all parts of a process are functioning as intended.

Option D: The internal auditor communicates the audit results to management.

Communicating audit results occurs in the reporting phase, after the audit fieldwork is complete. In this phase, the auditor summarizes findings, conclusions, and recommendations and presents them to management.

According to the Institute of Internal Auditors (IIA) Standards and the guidelines in the IPPF (International Professional Practices Framework), during the design evaluation phase, internal auditors assess the adequacy of control designs. This includes evaluating whether controls like segregation of duties are properly designed to mitigate identified risks. Identifying controls over segregation of duties is a fundamental aspect of assessing the adequacy of the control environment and its design to ensure it can effectively prevent and detect errors and fraud.

Question 2

According to IIA guidance, which of the following objectives was most likely formulated for a non-assurance engagement?

AThe internal audit activity will assess the effects of changes in maintenance strategy on the availability of production equipment

BThe internal audit activity will inform management on the possible risks of moving the data warehouse to a cloud server maintained by a third party.

CThe internal audit activity will ascertain whether the data center security arrangements are compliant with agreed terms

DThe internal audit activity will ensure equipment downtime risks have been managed in accordance with the internal policy.

Answer : B

Non-Assurance Engagements: Non-assurance engagements focus on advisory and consulting services rather than providing an independent assessment. These engagements aim to add value by offering insights and recommendations to management.

Objective Characteristics:

Informing Management: Providing information on potential risks and advising on risk management strategies is typical for non-assurance engagements. This helps management make informed decisions and manage risks effectively.

Assessment and Compliance: Options A, C, and D are more aligned with assurance engagements, where the internal audit activity provides an independent assessment or ensures compliance with policies and procedures.

IIA Guidance:

Standard 2120 -- Risk Management: Internal auditors must evaluate and contribute to the improvement of risk management processes, often through advisory services in non-assurance roles.

Reference:

Non-assurance engagements focus on informing and advising management about risks, improvements, and strategic decisions, as exemplified by informing management about risks related to moving the data warehouse to a third-party cloud server.

Question 3

A chief audit executive (CAE) following up on action plans from previously completed audits identifies that management has determined that certain action plans are no longer necessary If the CAE disagrees with managements decision, which of the following is the most appropriate next step for the CAE to take?

AThe CAE must discuss the matter with senior management

BThe CAE must discuss the matter with key shareholders.

CThe CAE must discuss the matter with legal counsel.

DThe CAE must discuss the matter with the board

Answer : D

Introduction:

The chief audit executive (CAE) must ensure that audit recommendations are appropriately addressed and that any disagreements with management's decisions are resolved effectively.

Escalation Process:

If the CAE disagrees with management's decision to not implement certain action plans, it is important to escalate the issue to the board to ensure that risks are properly managed and that there is accountability.

Options Analysis:

Option A: Discussing with senior management is a preliminary step but may not resolve the issue if there is still disagreement.

Option B: Discussing with key shareholders is not typically within the CAE's direct line of reporting and may not be appropriate.

Option C: Legal counsel can provide advice, but the final decision on audit matters typically rests with the board.

Option D: The most appropriate step is for the CAE to discuss the matter with the board, as they have the ultimate oversight responsibility and can ensure that management's decisions align with the organization's risk management and governance frameworks.

Conclusion:

The CAE should discuss the matter with the board to ensure that management's decision is aligned with the organization's risk management strategy and to address any unresolved issues.

Internal Audit Standards and Practice Guides .

Question 4

Which of the following best demonstrates that the internal audit activity is using due professional care?

AThe internal audit activity reports directly to the board on the engagements it performs.

BInternal auditors undertake the necessary training to complete their audit work.

CThe completion of engagements is based on the assumption that fraudulent activities may exist.

DInternal auditors consider the use of technology-based audit and other data analysis techniques

Answer : D

Demonstrating due professional care involves using appropriate technology and data analysis techniques to enhance the audit's effectiveness and efficiency. These tools help auditors identify anomalies, trends, and potential areas of risk more accurately and timely, reflecting a higher standard of care in their audit activities.

'Auditing Standards and Guidelines,' which emphasize the importance of using advanced techniques in audit processes.

Question 5

According to IIA guidance, which of the following statements is true regarding due professional care?

AInternal auditors must exercise due professional care to ensure that all significant risks will be identified.

BInternal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.

CDue professional care requires the internal auditor to conduct extensive examinations and verifications to ensure fraud does not exist.

DDue professional care is displayed during a consulting engagement when the internal auditor focuses on potential benefits of the engagement rather than the cost

Answer : B

Due professional care is a critical concept in internal auditing, ensuring that auditors conduct their work with the necessary diligence and competence.

Definition and Standards: According to the IIA's International Standards for the Professional Practice of Internal Auditing (Standards), specifically Standard 1220 -- Due Professional Care, internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.

Expectation of Competence: The standard requires auditors to use their professional judgment and to exercise the level of skill and care that a reasonably prudent internal auditor would use in similar circumstances.

Practical Example: This includes evaluating the nature and complexity of the engagement, the adequacy and effectiveness of risk management, and control processes relevant to the engagement.

Comprehensive, Not Excessive: While due professional care involves being thorough, it does not mandate exhaustive procedures such as those implied in options A and C.

Clarification: Option A overstates the requirement by implying that all significant risks must be identified, which is not always feasible.

Clarification: Option C misinterprets due professional care by suggesting that extensive examinations and verifications to ensure fraud does not exist are always necessary, which is beyond the typical scope of many audits.

Cost vs. Benefit in Consulting: Option D refers to consulting engagements and the consideration of benefits over cost, which is a part of due professional care but does not capture the comprehensive expectation of care and skill.

Clarification: Due professional care in consulting engagements is about balancing benefits and costs but also involves ensuring quality and thoroughness appropriate to the engagement's objectives.

Conclusion: The correct answer is B, as it accurately reflects the IIA's guidance that internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.

Question 6

Which of the following would most likely form part of the engagement scope?

APotential legislation on privacy topics will be employed as a compliance target O Wire transfers that exceeded $10,000 in the last 12 months will be analyzed.

BBoth random and judgmental samplings will be used during the engagement

CThe probability of significant errors will be considered via risk assessment.

Answer : B

Introduction:

The engagement scope outlines the boundaries of the audit activities, specifying the methods and techniques to be employed during the engagement.

Scope Definition:

The scope includes the areas to be reviewed, the nature and extent of testing, and the specific objectives and criteria to be used.

Options Analysis:

Option A: Specifying compliance targets is part of planning but too specific for the overall engagement scope.

Option B: Detailing the use of both random and judgmental samplings defines the methodology clearly, which is appropriate for the engagement scope.

Option C: Considering the probability of significant errors is part of the risk assessment process, not the scope itself.

Option D: Analyzing wire transfers is a specific audit test rather than a definition of the engagement scope.

Conclusion:

Specifying both random and judgmental samplings as part of the engagement scope provides a clear and comprehensive methodology for the audit, making it the most appropriate choice.

Internal Audit Standards and Practice Guides

Question 7

An internal auditor observed that sales staff are able to modify or cancel an order in the system prior to shipping She wonders whether they can also modify orders after shipping. Which of the following types of controls should she examine?

ABatch controls.

BApplication controls

CGeneral IT controls.

DLogical access controls

Answer : B

Application controls are specific to software applications and ensure that transactions are processed correctly and accurately. They include controls over input, processing, and output. In this scenario, examining application controls will help determine if sales staff can modify orders after shipping, as these controls directly impact how data is handled within the system.

'Information Technology Auditing,' which explains the role of application controls in maintaining data integrity and security.

IIA Qualified Info Systems Auditor CIA Challenge IIA-CHAL-QISA Exam Practice Test