IIA-CIA-Part2 Exam Practice Test Instant Access

Question 1

Which of the following engagements is likely to be most appropriate for an organization that is planning an acquisition?

AA performance engagement.

BA system security engagement.

CA due diligence engagement.

DA compliance engagement.

Answer : C

Due diligence engagements are crucial when planning an acquisition, as they evaluate the financial, operational, and legal aspects of the target entity. This ensures informed decision-making and minimizes acquisition risks. Performance engagements (Option A) focus on efficiency and effectiveness of operations, while system security engagements (Option B) and compliance engagements (Option D) do not address the comprehensive assessment required for acquisitions. The CIA syllabus emphasizes due diligence as a specialized type of consulting engagement (Part 2: Section II).

Question 2

According to IIA guidance, which of the following provides additional insight into errors, problems, missed opportunities, or noncompliance to improve the effectiveness and efficiency of an organization's control process?

AReperformance.

BVouching.

CIndependent confirmation.

DRoot cause analysis.

Answer : D

Root cause analysis identifies underlying reasons for control deficiencies or inefficiencies, enabling organizations to address systemic issues and enhance controls. IIA Practice Guide: Root Cause Analysis (2018) highlights its role in promoting continuous improvement. Reperformance (Option A) and vouching (Option B) are audit techniques to verify accuracy but do not diagnose systemic issues. Independent confirmation (Option C) corroborates evidence but does not uncover root causes. Root cause analysis aligns with the CIA Part 2 objective of enhancing organizational efficiency.

Question 3

The internal audit manager has been delegated the task of preparing the annual internal audit plan for the forthcoming fiscal year. All engagements should be appropriately categorized and presented to the chief audit executive for review. Which of the following would most likely be classified as a consulting engagement?

AEvaluating procurement department process effectiveness.

BHelping in the design of the risk management program.

CAssessing financial reporting control adequacy.

DReviewing environmental, social, and governance reporting compliance.

Answer : B

Consulting engagements involve advisory and value-adding activities requested by management, as outlined in IIA Standard 1000. Helping design the risk management program aligns with this definition, as it supports management's efforts without direct assurance. Options A, C, and D are assurance engagements, as they involve evaluations of process effectiveness or control adequacy. The CIA Part 2 syllabus emphasizes the importance of distinguishing between assurance and consulting engagements (Section II: Types of Engagements).

Question 4

Which of the following is an example of a compliance assurance engagement?

AProviding in-house training to senior management regarding applicable laws and regulations.

BProviding an assessment of the design adequacy of controls related to consumer privacy and confidentiality.

CProviding an assessment of customer satisfaction with customer service provided by the organization.

DProviding testing on the operating effectiveness of controls over the reliability of financial reporting.

Answer : B

Compliance assurance engagements evaluate the organization's adherence to laws, regulations, policies, or procedures. Assessing controls for consumer privacy aligns with compliance objectives, particularly under data protection regulations such as GDPR or CCPA. Option A refers to training, not assurance. Option C pertains to operational metrics, while Option D relates to financial reporting, not compliance. The IIA CIA syllabus identifies compliance engagements as critical for ensuring organizational alignment with external legal and regulatory expectations (Section III: Compliance Audits).

Question 5

Which of the following statements is true regarding internal controls?

AFor assurance engagements, internal auditors should plan to assess the effectiveness of all entity-level controls.

BPoorly designed or deficient entity-level controls can prevent well-designed process controls from working as intended.

CDuring engagement planning, internal auditors should not discuss the identified key risks and controls with management of the area under review, to prevent tipping off probable audit tests.

DReviewing process maps and flowcharts is an appropriate method for the internal auditor to identify all key risks and controls during engagement planning.

Answer : B

Entity-level controls provide the foundation for effective process controls. If these controls are poorly designed, they can undermine the effectiveness of process-level controls (COSO Framework, 2013). Internal auditors assess entity-level controls during risk assessments, as emphasized in CIA Part 2 (Section II). Option A is incorrect as auditors prioritize high-risk controls rather than all controls. Options C and D contradict best practices in engagement planning (Standard 2200), which encourage transparency and comprehensive evaluation of key risks.

Question 6

An internal auditor at a bank informed the branch manager of a malfunctioning lock on one of the vaults. The risk associated with this issue was deemed significant by the chief audit executive (CAE), and immediate remediation was recommended. However, during a follow-up engagement, the branch manager told the CAE that the risk was actually not significant, hence no action was taken. What is the most appropriate next step for the CAE?

AInform senior management that the branch manager decided to cancel the committed action plan without any previous communication.

BDiscuss the issue with the board, which has ultimate responsibility to resolve this risk.

CHave another discussion with the branch manager, attempt to change his view, and encourage him to implement the recommendations.

DDocument the branch manager's decision to accept the risk; otherwise, no other specific course of action is required.

Answer : A

According to IIA Standard 2600: Communicating the Acceptance of Risks, the CAE must inform senior management and the board if management decides to accept a risk that may exceed the organization's risk appetite. The branch manager's unilateral decision without consulting senior management constitutes a governance issue. Escalating the matter ensures proper oversight and adherence to the organization's risk management framework. Options B, C, and D do not fulfill the CAE's responsibility to ensure appropriate communication and accountability at the senior management level.

Question 7

The internal audit activity of an insurance company is reviewing six of the company's 11 branches. During the review of the fourth branch that was selected, the internal audit team discovered control breaches that could result in regulatory sanctions if not addressed. How should the internal audit team proceed?

ACommunicate immediately to the relevant regulatory agency the information regarding the company's control breaches along with details of recommended corrective actions to address the issue.

BComplete the branch reviews, ensure that the issue and impact are adequately detailed in the audit report, hold an exit meeting to discuss the issue with branch management, and provide recommendations for corrective actions.

CHave a discussion with branch management on the matter and recommend in an interim audit report that management take appropriate corrective action in order to address the current identified issues.

DExpand the audit to include the branches that were not previously selected and determine whether there are similar control breaches at those branches prior to compiling a comprehensive audit report and reporting the issue to senior management and the board.

Answer : C

IIA-CIA-Part2 Practice of Internal Auditing Exam Practice Test