Uploaded by yousraothmani

CIA Part 1 Mock Exam 1

CIA
Preparatory Program
Part 1
Essentials of Internal Auditing
Mock Exam
CIA Part 1 Mock Exam
125 Multiple Choice Questions
Time: 2 Hours, 30 Minutes (150 Minutes)
Select a single answer that best completes the statement or answers the question.
1.
Which of the following is not true with regard to the internal audit charter?
a.
It defines the authorities and responsibilities for the internal audit activity.
b.
It specifies the minimum resources needed for the internal audit activity.
c.
It provides a basis for evaluating the internal audit activity.
d.
It should be approved by senior management and the board.
2.
The function of internal auditing, as related to internal financial reports, would be to:
a.
Ensure compliance with reporting procedures.
b.
Review expenditure items and match each item with expenses incurred.
c.
Determine if there are any employees spending funds without authorization.
d.
Identify inadequate controls that increase the likelihood of unauthorized expenditures.
3.
The status of the internal audit activity should be free from the effects of irresponsible policy changes
by management. The most effective way to assure that freedom is to:
a.
Have the internal audit charter approved by the board.
b.
Adopt policies for the functioning of the internal audit activity.
c.
Establish an audit committee as a subcommittee of the board.
d.
Develop written policies and procedures to serve as standards of performance for the internal audit
activity.
4.
If a department's operating standards are vague and thus subject to interpretation, an auditor should:
a.
Seek agreement with the departmental manager on the criteria needed to measure operating performance.
b.
Determine best practices in the area and use them as the standard.
c.
Interpret the standards in their strictest sense because standards are otherwise only minimum measures
of acceptance.
d.
Omit any comments on standards and the department's performance in relation to those standards,
because such an analysis would be inappropriate.
5.
Which of the following would not be considered mandatory guidance?
a.
The Definition of Internal Auditing.
b.
The Code of Ethics.
c.
The Core Principles.
d.
The Mission of Internal Audit.
6.
One of the purposes of the Standards is to:
a.
Encourage the professionalization of internal auditing.
b.
Establish the independence of the internal audit activity and emphasize the objectivity of internal auditing.
c.
Encourage external auditors to make more extensive use of the work of internal auditors.
d.
Establish the basis for evaluating internal auditing performance.
7.
The Standards require that the chief audit executive (CAE) have a formal, written internal audit charter
approved by management and the board. The purpose of the internal audit charter is to:
a.
Protect the internal auditing activity from outside influence.
b.
Establish the purpose, authority, and responsibility of the internal auditing activity.
c.
Define the internal auditor’s relationship with the external auditor.
d.
Define the role of the chief audit executive as a member of the audit committee.
8.
The best means for the internal auditing activity to determine whether it has achieved its goal of implementing broader audit coverage of functional activities is through:
a.
Accumulation of audit findings by auditable area.
b.
Comparison of the audit plan to actual audit activity.
c.
Surveys of management satisfaction with the internal audit activity.
d.
Implementation of a quality assurance and improvement program.
9.
If a department outside of the internal audit activity (IAA) is responsible for reviewing a function or
process, the internal auditor should:
a.
Consider the work of the other department when assessing the function or process.
b.
Ignore the work of the other department and proceed with an independent audit.
c.
Reduce the scope of the audit because the work has already been performed by the other department.
d.
Yield the responsibility for assessing the function or process to the other department.
10.
During an engagement to evaluate the organization’s accounts payable function, an internal auditor
plans to confirm balances with suppliers. What is the source of authority for the auditor’s contact with
units outside the organization?
a.
Internal audit activity policies and procedures.
b.
The Standards.
c.
The Code of Ethics.
d.
The internal audit activity’s charter.
11.
Which of the following is not one of the ten Core Principles?
a.
Promotes organizational improvement.
b.
Is appropriately positioned and adequately resourced.
c.
Provides risk-based assurance.
d.
Is insightful, proactive, and focused on the present.
12.
According to the Standards, the internal audit activity’s goals should specify:
a.
Policies and procedures to guide the internal audit staff.
b.
Engagement work schedules and activities to be reviewed.
c.
Measurement criteria and target dates for completion.
d.
Staffing plans and financial budgets.
13.
Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing risk management, control, and governance processes?
a.
To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives.
b.
To ensure that weaknesses in the internal control system are corrected.
c.
To provide reasonable assurance that the processes will enable the organization’s objectives and goals
to be met efficiently and economically.
d.
To determine whether the processes ensure that the accounting records are correct and that financial
statements are fairly stated.
14.
Of the following activities, which ones are within the scope of internal auditing?
I.
To assess an operating department's effectiveness in achieving stated organizational goals.
II.
To safeguard assets.
III.
To evaluate controls over compliance with laws and regulations.
IV.
To ascertain the extent to which objectives and goals have been established.
a.
I and III only.
b.
I and IV only.
c.
I, III and IV only.
d.
I, II and IV only.
15.
The consultative approach to internal auditing emphasizes:
a.
Imposition of corrective measures.
b.
Participation with engagement clients to improve methods.
c.
Fraud investigation.
d.
Implementation of policies and procedures.
16.
A CIA, working as the purchasing director, signs a contract to procure a large order from the supplier
with the best price, quality, and performance. Shortly after signing the contract, the supplier presents
the CIA with a gift of significant monetary value. Which of the following statements regarding the acceptance of the gift is correct?
a.
Acceptance of the gift would be prohibited only if it were non-customary.
b.
Acceptance of the gift would violate the IIA Code of Ethics and would be prohibited.
c.
Because the CIA is not acting as an internal auditor, acceptance of the gift would be governed only by
the organization’s code of conduct.
d.
Because the contract was signed before the gift was offered, acceptance of the gift would not violate
either the IIA Code of Ethics or the organization’s code of conduct.
17.
A review of an organization’s code of conduct revealed that it contained comprehensive guidelines designed to inspire high levels of ethical behavior. The review also revealed that employees were knowledgeable of its provisions. However, some employees still did not comply with the code. What element
should a code of conduct contain to enhance its effectiveness?
a.
Periodic review and acknowledgment by all employees.
b.
Employee involvement in its development.
c.
Public knowledge of its contents and purpose.
d.
Provisions for disciplinary action in the event of violations.
18.
Which of the following statements is not appropriate to include in a manufacturer’s conflict of interest
policy? An employee shall not:
a.
Accept money, gifts, or services from a customer.
b.
Participate (directly or indirectly) in the management of a public agency.
c.
Borrow from or lend money to vendors.
d.
Use organizational information for private purposes.
19.
An internal auditor, during the course of evaluating the policies & procedures for capitalizing fixed assets, uncovered some information that indicated that management had capitalized some general
maintenance costs that should have been expensed. The amount is considered to be material. If the
internal auditor failed to disclose this information to senior management or the audit committee, the
internal auditor would be in violation of which rule of conduct?
a.
Integrity.
b.
Objectivity.
c.
Confidentiality.
d.
Competence.
20.
Which of the following concurrent occupations could appear to subvert the ethical behavior of an internal
auditor?
a.
Internal auditor and local in-house chairperson for a well-known charitable organization.
b.
Internal auditor and part-time business insurance broker.
c.
Internal auditor and adjunct faculty member of a local business college that educates potential employees.
d.
Internal auditor and landlord of multiple housing units that publicly advertise for tenants in a local
community newspaper.
21.
As part of a company-sponsored award program, an internal auditor was offered an award of significant
monetary value by a division in recognition of the cost savings that resulted from the auditor's recommendations. According to the International Professional Practices Framework (IPPF), what is the most
appropriate action for the auditor to take?
a.
Accept the gift because the engagement is already concluded and the report issued.
b.
Accept the award under the condition that any proceeds go to charity.
c.
Inform audit management and ask for direction on whether or not to accept the gift.
d.
Decline the gift and advise the division manager's superior.
22.
Towards the end of an engagement, the auditor discovers that the director of marketing has a gambling
habit. The gambling issue is not directly related to the existing engagement and there is pressure to
complete the current engagement. The auditor notes the problem and forwards the information to the
chief audit executive but performs no further follow-up. The auditor's actions would:
a.
Be in violation of the IIA Code of Ethics for withholding meaningful information.
b.
Be in violation of the Standards because the auditor did not properly follow up on a red flag that might
indicate the existence of fraud.
c.
Not be in violation of either the IIA Code of Ethics or Standards.
d.
Both a and b.
23.
In which of the following would an internal auditor potentially lack objectivity?
a.
The internal auditor reviews the procedures for a new electronic data interchange (EDI) connection to
a major customer before it is implemented.
b.
A former purchasing assistant performs a review of the internal controls over purchasing four months
after being transferred to the internal audit activity.
c.
An internal auditor recommends standards of control and performance measures for a contract with a
service organization for the processing of payroll and employee benefits.
d.
A payroll accounting employee assists an internal auditor in verifying the physical inventory of small
motors.
24.
An auditor’s objectivity could be compromised in all of the following situations except:
a.
A conflict of interest.
b.
Auditee familiarity with auditor due to lack of rotation in assignment.
c.
Auditor assumption of operational duties on a temporary basis.
d.
Reliance on outside expert opinion when appropriate.
25.
Independence is most likely impaired by an internal auditor’s:
a.
Continuation of an engagement at a division for which (s)he will soon be responsible as the result of a
promotion.
b.
Reduction of the scope of the engagement due to budget restrictions.
c.
Participation on a task force that recommends standards for control of a new distribution system.
d.
Review of a purchasing agent’s contract drafts prior to their execution.
26.
Independence from outside pressure is an important factor for the internal audit activity to work freely
and objectively. Which of the following contributes to the internal auditor’s independence?
a.
Management should assist the IAA by reviewing, revising, and forwarding engagement communications
to the audit committee.
b.
The IAA reports directly to the audit committee, without corroborating engagement communications
with management.
c.
Ideally, the IAA functionally reports to the audit committee but reports to the chief operating officer on
all engagements relating to operations.
d.
The accuracy of the engagement communications should be verified with management, and the IAA
should then report to management and the audit committee.
27.
Internal auditors must distinguish carefully between a scope limitation and other limitations. Which of
the following is not considered a scope limitation?
a.
The divisional manager of an engagement client has indicated that the division is in the process of
converting a major computer system and that the information systems portion of the planned engagement will have to be postponed until next year.
b.
The board reviews the engagement work schedule for the year and deletes an engagement that the
CAE thought was important to conduct.
c.
The engagement client has indicated that certain customers cannot be contacted because the organization is in the process of negotiating long-term contracts and does not want to upset the customers.
d.
None of the answers are correct.
28.
Which of the following combinations best illustrates a scope limitation and the appropriate response by
the CAE?
a.
Nature of limitation: Engagement client limits scope based upon proprietary information.
Internal audit action: Report only to the controller.
b.
Nature of limitation: Engagement client will not provide access to records needed for approved work schedule.
Internal audit action: Report to the board.
c.
Nature of limitation: Engagement client requests that the engagement be delayed for 2 weeks to allow it to close its books.
Internal audit action: Report directly to the CEO and controller.
d.
Nature of limitation: Engagement client will not allow the internal auditor to contact major customers as part of an engagement to evaluate the efficiency of operations.
Internal audit action: No reporting is required because the operational engagement concerns operational efficiency.
29.
In practice, internal auditing should have a dual reporting process. The CAE must report to a level within
the organization that allows internal auditing to fulfill its responsibilities. The ideal reporting situation
for a company’s CAE is to:
a.
Functionally report to the CFO and administratively report to the audit committee.
b.
Administratively report to the board and functionally report to upper management.
c.
Functionally report to the board and administratively report to upper management.
d.
Administratively report to upper management and functionally report to the external auditor.
30.
Administrative reporting would typically include all of the following except:
a.
Developing and submitting the annual internal auditing budget.
b.
Approving the risk-based internal audit plan.
c.
Administration of the internal audit activity's policies and procedures.
d.
Human resource administration, including personnel evaluations and compensation.
31.
Internal auditors are expected to be objective when conducting their work. Which of the following circumstances would not cause an internal auditor’s objectivity to be impaired?
I.
The internal auditor audited an area for which they were responsible more than one year ago.
II.
The internal auditor accepted a sizable gift from a client after the successful completion of an audit.
III.
The internal auditor designed some control procedures for an engagement client.
IV.
The internal auditor was given a small token of appreciation from a client after the completion of an
audit.
a.
I and II only
b.
II and III only
c.
I and IV only
d.
II and IV only
32.
An internal auditor’s involvement in the evaluation of the organization’s accounts payable function
should include all of the following except:
a.
Testing whether the organization’s vendor balances are accurately stated.
b.
Recommending areas for improvement.
c.
Developing audit plans for future audits.
d.
Drafting procedures to improve control over the accounts payable function.
33.
Which of the following statements is correct? In a consulting engagement:
a.
The auditor provides an assessment and states an opinion about whether or not something with the
company is operating or performing correctly.
b.
The auditor does not need to be independent but does need to be objective.
c.
The auditor should be objective in the investigation and independent in the decision.
d.
The engagements are an analysis of past events.
34.
Individual objectivity means that:
a.
Internal auditors must make conclusions based on facts without being influenced by feeling, emotions,
relationships, bribes, or any other outside influence.
b.
Internal auditors must report to a level within the organization that allows the internal audit activity to
fulfill its responsibilities.
c.
Neither a nor b are correct.
d.
Both a and b are correct.
35.
To be effective, internal auditors need to have organizational independence. Organizational independence is achieved largely through the status of the internal audit activity and the authority that the
board gives it. Based on this, the board authorizes the internal audit activity to:
I.
Have unrestricted access to all functions, records, property, and personnel pertinent to carrying out
any engagement.
II.
Have unlimited access to all external audit working papers.
III.
Allocate necessary resources to accomplish audit objectives.
a.
I only.
b.
II and III only.
c.
I and III only.
d.
I and II only.
36.
A company has seen tremendous growth in its sales revenue the past few years and management is
considering replacing its legacy system with an ERP system. Management believes that an ERP system
will allow the company to integrate applications to better manage the business. Which of the following
would be an appropriate internal auditing role in purchasing the ERP system?
a.
Ascertain whether the feasibility study addresses the cost-benefit relationship.
b.
Solicit bids from vendors.
c.
Determine the requirements for preparing a manual of specifications.
d.
Participate in the ERP acquisition and implementation.
37.
Which of the following is not a true statement concerning a conflict of interest?
a.
A conflict of interest exists even if no unethical or improper act results.
b.
A conflict of interest can create an appearance of impropriety that undermines confidence in the internal auditor.
c.
An internal auditor with a conflict of interest in a consulting activity should be removed.
d.
A conflict of interest could impair an auditor’s ability to perform his or her duties and responsibilities
objectively.
38.
There are a number of procedures that the chief audit executive can follow in order to maintain objectivity within the internal audit activity. Which of the following would not be a procedure for maintaining objectivity?
a.
Make sure job assignments minimize potential conflicts of interests.
b.
Promote continuing professional development.
c.
Develop a strong QAIP system to ensure organizational independence and objectivity.
d.
Periodically rotate internal auditing assignments so relationships do not develop between the auditor
and the auditee that might impair the auditor’s judgment.
39.
During an internal audit, the internal auditor should exercise due professional care. Due professional
care means that the internal auditor should consider:
I.
The extent of work needed to achieve the engagement’s objectives.
II.
The relative complexity and materiality to which assurance procedures are applied.
III.
The probability of significant errors, irregularities, or noncompliance.
IV.
The engagement procedures necessary to ensure that all significant risks have been identified.
a.
I and II only.
b.
I, II and IV only.
c.
I, II, III and IV.
d.
I, II and III only.
40.
As part of the process to improve the relationship between the internal auditor and engagement client,
it is very important to deal with how the internal audit activity is perceived. Certain types of attitudes
in the work performed will help create these perceptions. From a management perspective, which attitude is likely to be the most conducive to a positive perception?
a.
Interrogatory.
b.
Investigative.
c.
Consultative.
d.
Objective.
41.
Internal auditors need to have an understanding of which discipline?
a.
Internal auditing procedures and techniques.
b.
Accounting principles and techniques.
c.
Management principles.
d.
Marketing techniques.
42.
The Standards require that internal auditors possess which of the following skills?
I.
Internal auditors should understand human relations and be skilled in dealing with people.
II.
Internal auditors should be able to recognize and evaluate the materiality and significance of deviations
from good business practices.
III.
Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance,
and information technology.
IV.
Internal auditors should be skilled in oral and written communication.
a.
I and II only.
b.
I, II and III only.
c.
I, II, III and IV.
d.
I, II and IV only.
43.
Your organization has selected you to develop an internal audit activity. Your approach will most likely
be to hire:
a.
Internal auditors who possess all of the skills required to handle all engagements.
b.
Inexperienced personnel and train them in the way that the organization wants them trained.
c.
Individuals with accounting degrees because most internal audit work is accounting-related.
d.
Internal auditors who collectively have the knowledge and skills needed to perform the responsibilities
of the IAA.
44.
The IIA Standards require internal auditors to have the knowledge, skills, and disciplines essential to
performing an audit. Which of the following is true considering the level of knowledge or skill required
by the Standards? Internal auditors must:
I.
Be proficient in the application of auditing standards and procedures to specific situations without extensive recourse to technical research and assistance.
II.
Be proficient in accounting principles when auditing the financial records and reports of the organization.
III.
Be proficient in applying knowledge of accounting and computerized information systems to specific or
potential problems.
a.
I only.
b.
I and II only.
c.
II and III only.
d.
I, II and III.
45.
Within the context of quality control, the primary purpose of continuing professional education and
training is to enable the internal audit activity to provide its personnel with:
a.
Technical training so its internal auditors are valuation experts.
b.
Professional education that is required in order to perform engagements with due professional care.
c.
Knowledge required to fulfill assigned responsibilities.
d.
Knowledge required to perform a peer review.
46.
When an internal auditor is not qualified to perform an engagement, the internal auditor should:
a.
Acquire the requisite knowledge and skills.
b.
Suggest someone else who is qualified to perform the work.
c.
Decline the engagement.
d.
Any of the above.
47.
When hiring a prospective internal auditor, reasonable assurance should be obtained as to the candidate’s qualifications and proficiency. Which of the following is the least useful application of this principle?
a.
Determining that all applicants have an accounting degree.
b.
Obtaining college transcripts.
c.
Checking an applicant's references.
d.
Determining previous job experience.
48.
The internal audit activity (IAA) can perform an important role in preventing and detecting significant
fraud by being assigned all but which one of the following tasks?
a.
Review large, abnormal, or unexplained expenditures.
b.
Review sensitive expenses such as legal fees, consultant fees, and foreign sales commissions.
c.
Review every control feature pertaining to petty cash receipts.
d.
Review contributions by the organization that appear to be unusual.
49.
A new chief audit executive (CAE) for a major retail company is questioning the audit activity’s extensive
use of store compliance testing, stating that the approach is not responsive to materiality concepts.
Which of the following statements are valid in response to the CAE’s claims?
I.
Materiality is not based only on the size of individual stores; rather it is also based on the control
structure that affects the whole organization.
II.
Any deviation from a prescribed control procedure is, by definition, material.
III.
The only way to ensure that a material amount of the company’s control structure is reviewed is a
comprehensive audit of all stores.
a.
I only.
b.
III only.
c.
I and II only.
d.
I, II and III.
50.
An internal auditor issues a final report that had to do with evaluating the client’s procedures for increasing the diversity of the organization’s workforce. In this regard, the internal auditor made several
recommendations for changes in hiring and retaining practices. Regarding due professional care, the
internal auditor would conduct a follow-up to ensure which of the following actions by the client?
a.
To ascertain whether the client has carried out the internal auditor’s recommendations.
b.
To ascertain whether the organization is in line with the organization’s diversity policies.
c.
To ascertain whether the client has considered the audit findings and has taken action to improve diversity within the organization.
d.
All of the above are true.
51.
Regarding assurance engagements, due professional care calls for:
a.
A detailed review of all transactions.
b.
Infallibility and extraordinary performance when the system of internal control is known to be weak.
c.
The consideration of the possibility of material irregularities during every engagement.
d.
Testing in sufficient detail to give an absolute assurance that noncompliance does not exist.
52.
Due professional care is concerned with the work that is done by the internal auditor. For example,
due professional care in the matter of a review of internal controls over financial reporting would consider all of the following except:
a.
The content of the working papers is sufficient to provide support for the internal auditor's opinion.
b.
The audit evidence in the working papers is principally performed to protect the company in the case
of a lawsuit by investors.
c.
The probability of significant errors, fraud, or noncompliance.
d.
The cost of the engagement in relation to potential benefits.
53.
When using the services of an outside service provider, the CAE must:
a.
Be involved in the hiring of the service provider.
b.
Verify that the service provider has the CIA designation.
c.
Evaluate the skills and reputation of the service provider.
d.
Verify the service provider’s knowledge of the internal auditing standards.
54.
An internal auditor should have an appreciation with respect to which discipline?
a.
Quantitative methods.
b.
Auditing techniques.
c.
Auditing procedures.
d.
Internal audit standards.
55.
An internal auditor is employed by a large department store. During a planned engagement the internal auditor performed an audit of the store's cash operations. Which of the following actions would be
deemed lacking in due professional care?
a.
A flowchart of the entire cash operation was developed but only a sample of transactions was tested.
b.
The report included a well-supported recommendation for the reduction in staff although it was known
that such a reduction would adversely impact morale.
c.
Because of a highly developed system of internal controls over cash operations, the audit report assured top management that no irregularities existed.
d.
The auditor informed appropriate authorities within the organization about suspected wrongdoing. No
report was made to external authorities.
56.
The CAE is concerned that a recently-disclosed fraud was not uncovered during the last engagement
to evaluate cash operations. A review of the working papers indicated that the fraudulent transaction
was not included in a properly-designed statistical sample of transactions tested. Which of the following applies to this situation?
a.
Because cash operations are a high-risk area, 100% testing of transactions should have been performed.
b.
The internal auditor acted with due professional care because an appropriate statistical sample of material transactions was tested.
c.
Fraud should not have gone undetected in a recently reviewed area.
d.
Extraordinary care is necessary for the performance of a cash operations engagement, and the internal auditor should be held responsible for the oversight.
57.
The CAE of a manufacturing company has interviewed an individual for a staff position. The CAE has
reviewed the individual’s credentials and has performed a detailed background check. The individual
has a strong knowledge of accounting and finance; however, the individual has limited knowledge of
environmental management systems (EMS). What is the most appropriate action for the CAE to take?
a.
Reject the individual because of the lack of knowledge of EMS.
b.
Offer the individual a position despite the lack of knowledge of EMS.
c.
Encourage the individual to obtain additional training in EMS and then reapply.
d.
Offer the individual a position if other staff members have sufficient knowledge of EMS.
58.
A recently-hired internal auditor's first assignment is to review the cash management operations of
the organization. The internal auditor has no background in cash management. Under which of the
following conditions would this arrangement be appropriate?
I.
The senior internal auditor is skilled in the area and closely supervises the staff internal auditor.
II.
The staff internal auditor performs the work and prepares an engagement communication that is reviewed in detail by the CAE.
a.
I only.
b.
Both I and II.
c.
II only.
d.
Neither I nor II.
59.
If internal auditors fail to maintain their proficiency through continuing professional education they
could be found to be in violation of:
a.
The International Standards for the Professional Practice of Internal Auditing.
b.
The IIA’s Code of Ethics.
c.
Both the Standards and The IIA's Code of Ethics.
d.
None of the above.
60.
An internal auditor suspects that the company’s financial statements are misstated; however, the internal auditor does not have conclusive evidence to prove his suspicion. The internal auditor has failed
to exercise due professional care if he:
a.
Identified potential ways in which a misstatement could occur and ranked the items for investigation.
b.
Did not test for possible misstatement because the engagement work program had already been approved by engagement management.
c.
Informed the engagement manager of the suspicions and asked for advice on how to proceed.
d.
Expanded the engagement work program without the engagement client's approval to address the
highest-ranked ways in which a misstatement may have occurred.
61.
Quality program assessments may be performed internally or externally. A distinguishing feature of an
external assessment is its objective to:
a.
Provide independent assurance.
b.
Set forth the recommendations for improvement.
c.
Determine whether internal auditing services meet professional standards.
d.
Identify tasks that can be performed better.
62.
External assessment of an internal audit activity is not likely to evaluate:
a.
The tools and techniques employed by the internal audit activity.
b.
Detailed cost-benefit analysis of the internal audit activity.
c.
Compliance with the Standards for the International Professional Practice of Internal Auditing.
d.
Adherence to the internal audit activity’s charter.
63. You were appointed the chief audit executive (CAE) of an organization one week ago. An engagement
client has come to you complaining vigorously that one of your internal auditors is taking up an excessive
amount of the client’s time on an engagement that seems to be lacking a clear purpose. In handling this
conflict with the client, you should consider:
a.
Promising the client that you will have the internal auditor finish the work within 1 week.
b.
Whether existing procedures within the internal audit activity provide for proper planning and quality
assurance.
c.
Presenting an immediate defense of the internal auditor based upon currently-known facts.
d.
Discounting what is said, but documenting the complaint.
64.
Periodic external assessments of an internal audit activity's quality assurance and improvement program
should be undertaken. On completion of such an assessment, a formal report or other communication
should be issued expressing an opinion as to the:
a.
Adequacy of internal control.
b.
Effectiveness of the internal auditing coverage.
c.
Conformance with the internal audit activity's charter.
d.
Internal audit activity's compliance with the Standards.
65.
Assessments of the performance of the organization’s external auditors should:
a.
Be carried out only when the external auditor is appointed.
b.
Not include any participation by the internal audit activity.
c.
Include the internal audit activity only when the external auditor is appointed.
d.
Include the internal audit activity at the time of the appointment and regularly thereafter.
66.
The interpretation related to quality assurance given by the Standards is that:
a.
The IAA is primarily measured against the IIA’s Code of Ethics.
b.
External assessments can provide senior management and the board with independent assurance about
the quality of the IAA.
c.
Continuous supervision is limited to the planning, examination, evaluation, communication, and follow-up process.
d.
Appropriate follow-up to an external assessment is the responsibility of the chief audit executive's immediate supervisor.
67.
Which of the following persons might be considered when conducting a periodic external review of the
IAA in an organization’s regional office?
I.
An auditor from headquarters.
II.
An internal audit “peer” from another organization’s IAA.
III.
A tax consultant who has no audit experience but will review only technical matters related to tax audits.
IV.
An external chartered accountant with internal auditing experience who has been an external auditor of
the organization’s external financial reports.
a.
I and II only.
b.
II and III only.
c.
I, II, III and IV.
d.
I, II and IV only.
68.
Procedures describing how the supervisory review of staff auditors will be accomplished should be fully
documented so that the internal audit activity will:
a.
Have a basis for promotions, pay raises, or disciplinary actions, if required.
b.
Have substantiation of its quality program.
c.
Comply with the Standards.
d.
Have a consistent framework for evaluating staff performance.
69.
An internal audit activity is currently undergoing its first external quality assurance review since its
formation three years ago. From interviews, the review team is informed of certain internal auditor
activities over the past year. Which of the following activities could affect the quality assurance review
team's evaluation of the objectivity of the internal auditors?
a.
One internal auditor told the review team that, during an engagement to review the payroll function,
he was approached by the payroll manager who indicated that he was looking for an accountant to
prepare his financial statements for his part-time business. The internal auditor agreed to perform this
work for a reduced fee during non-work hours.
b.
During an engagement to review the construction of a building addition to the organization's headquarters, the vice president of facilities management gave the internal auditor a commemorative mug with
the organization's logo. These mugs were distributed to all employees present at the ground-breaking
ceremony.
c.
After reviewing the installation of a data processing system, the internal auditor made recommendations
on standards of control. Three months after completion of the engagement, the engagement client
requested the internal auditor's review of certain procedures for adequacy. The internal auditor agreed
and performed this review.
d.
An internal auditor's participation was requested on a task force to reduce the organization's inventory
losses from theft and shrinkage. This is the first consulting assignment undertaken by the internal audit
activity. The internal auditor's role is to advise the task force on appropriate control techniques.
70.
The Institute of Internal Auditing developed a position paper titled The Three Lines of Defense in Effective Risk Management and Control. Which of the following best describes the purpose of the paper?
a.
To provide a simple and effective way to enhance communications on risk management and control.
b.
To lay out the functions of the audit committee.
c.
To describe the monitoring functions of the internal audit activity.
d.
A means of alerting operational management to emerging issues and changing regulatory and risk
scenarios.
71.
Which of the following best describes organizational governance?
a.
Organizational governance is the way in which companies are planned and directed.
b.
Organizational governance is the combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the achievement of its objectives.
c.
Organizational governance entails tracking and minimizing control deficiencies.
d.
Organizational governance processes are rules-based instead of principles-based.
72.
An internal auditor should play a vital role in the assessment and improvement of a company’s governance process. Internal auditing’s role would include all of the following except:
a.
Reviewing existing governance-related documentation.
b.
Developing the audit plan.
c.
Reporting violations to outside authorities.
d.
Executing the approved audit plan.
73.
A company’s control environment is the foundation of an effective system of internal control. Which of
the following is not a component of a company’s control environment?
a.
Management philosophy and operating style.
b.
Integrity and ethical values.
c.
Formulate business objectives.
d.
Competence of personnel.
74. Which of the following represents the best governance structure?
Executive Management | Board and Audit Committee | Internal Auditing
a.
Responsibility for risk | Oversight role | Advisory role
b.
Oversight role | Responsibility for risk | Advisory role
c.
Responsibility for risk | Advisory role | Oversight role
d.
Oversight role | Advisory role | Responsibility for risk
75.
Internal auditors can play an important role in assessing the ethical climate of an organization. Methods
to assess an organization’s ethical climate include all of the following except:
a.
Reviewing ethics-related policies and processes.
b.
Conducting an ethics-related survey.
c.
Facilitating an ethics-related training program.
d.
Conducting audits of specific ethics-related functions.
76.
Corporate Social Responsibility (CSR) recognizes that:
a.
Companies have a responsibility for their impact on society and the environment.
b.
The natural environment is every organization’s primary focus.
c.
Human rights are enforced by national governments.
d.
Companies must pay equal attention to the interest of shareholders.
77.
One of the biggest challenges with corporate social responsibility (CSR) is:
a.
Identifying the different groups that have a legitimate interest in the corporation.
b.
Deciding what information to report.
c.
Identifying the financial issues that concern stakeholders.
d.
Deciding the role of internal auditing in CSR.
78.
Which of the following would not be a criticism of CSR?
a.
It is too costly.
b.
There is a lack of clarity of the concept of CSR.
c.
It can lead to enhanced brand reputation.
d.
Profit wins over principles.
79.
The IAA’s role in an organization’s risk management process can, and often does, change over time.
The IAA’s role within an organization may encompass all of the following except:
a.
Auditing the risk management process as part of the internal audit plan.
b.
Managing and coordinating the risk of a business operation.
c.
Providing continuous support and involvement in the risk management process, such as monitoring
activities, providing status reports, and participating on an oversight committee.
d.
No role.
80.
Which of the following statements is most accurate concerning inherent risk?
a.
Management can eliminate inherent risk by taking mitigating actions.
b.
Inherent risk is the level of risk that remains after management has taken actions to mitigate the risk.
c.
Inherent risk results in greater losses than operational risk.
d.
None of the above.
81.
A company’s board of directors is concerned that a new children’s toy is not as safe as it should
be. The board is concerned that if word gets out that the toy is not safe, the reputation of the
company could suffer. The board’s concern has to do with:
a.
Financial risk.
b.
Operating risk.
c.
Strategic risk.
d.
Hazard risk.
82.
The first step in the risk management process is the identification of risks. Risk events can be either
internal or external. Which of the following would be an internal risk event?
a.
The loss of key employees.
b.
New regulations.
c.
Changing demographics.
d.
Rising inflation.
83.
Which of the following is not a technique for identifying risks?
a.
Conducting a brainstorming session.
b.
Performing variable sampling.
c.
Conducting scenario analysis.
d.
Analyzing feedback from risk questionnaires and risk surveys.
84.
It is common for insurance policies to include a deductible clause, which means that the insured party
will have to pay some portion of the repair or replacement. The amount paid by the insured party is
referred to as what type of risk?
a.
Operational risk.
b.
Inherent risk.
c.
Residual risk.
d.
Transactional risk.
85.
There are four general terms used to express the measurement of potential loss that could occur from
a specific risk. The difference between expected loss and unexpected loss is:
a.
Expected loss is the maximum potential loss that could occur, whereas unexpected loss is the minimum potential loss.
b.
Expected loss is the loss that management expects to be lost during the period, whereas unexpected
loss is the loss that management thinks could be lost in excess of the budgeted amount.
c.
Expected loss is the loss that management expects to occur during the period, whereas unexpected
loss is the worst-case scenario loss.
d.
Expected loss is the loss that is expected to occur during the short-term, whereas unexpected loss is
the loss that is expected to occur during the long term.
86.
Value at Risk (VaR) is a quantitative risk assessment tool used by financial managers for all of the following reasons except:
a.
To measure and control the level of risk that the firm undertakes.
b.
To measure and control a firm’s fat-tailed distribution.
c.
To give management a level of confidence that the loss level will not be exceeded during a certain period of time.
d.
To ensure that risks are not taken beyond the firm’s ability to absorb the losses of a probable worst
outcome.
87.
It is possible for some risks to be negatively correlated with one another. When this situation occurs
the best course of action is to:
a.
Off-set the risk.
b.
Put in place additional controls to mitigate the risk.
c.
Devise a hedging strategy.
d.
Do nothing.
88.
The risk management process includes all of the following except:
a.
Risk monitoring and control.
b.
Risk avoidance.
c.
Risk response planning.
d.
Risk assessment.
89.
A risk response that entails eliminating the threat of the risk is referred to as:
a.
Risk mitigation.
b.
Risk deflection.
c.
Risk avoidance.
d.
Residual risk.
90.
A firm has a valuable project that has many hazards that could potentially cause bodily injury. Given
the nature of the project, there is no way to avoid the potential risk for damages. To deflect the risk,
the project manager should consider:
a.
Eliminating the project.
b.
Taking out insurance to cover the potential for bodily injury.
c.
Establishing a contingency fund.
d.
Accepting the risk.
91.
Risk appetite is the level of risk that an organization is willing to pursue, retain, or take. Factors that
could influence an organization’s risk appetite might include:
a.
Viewpoints of the major stakeholders.
b.
The complexity of the organization’s accounting system.
c.
External factors, such as changing economic considerations, changes in technology, changes in the
industry, etc.
d.
All of the above.
92. Enterprise risk management (ERM):
a.
Guarantees achievement of organizational objectives.
b.
Requires establishment of risk and control activities by internal auditors.
c.
Involves the identification of events with negative impacts on organizational objectives.
d.
Includes selection of the best risk response for the organization.
93.
ERM is a risk management program that is used to assist management in the achievement of its objectives. The benefits of establishing an ERM process include all of the following except:
a.
Determining the firm’s risk appetite.
b.
Identifying potential risk events.
c.
Improving the ability of the firm to act on opportunities.
d.
Improving the utilization of capital and the resources of the company.
94.
The development of a strategic plan is intended to increase a company’s long-term performance.
Which of the following would most likely not be a strategic objective?
a.
Financial growth.
b.
Improved customer satisfaction.
c.
Product innovation.
d.
Administrative cost cutting.
95.
The ERM model has five components. Under which component would the company identify specific risk
events?
a.
Governance and Culture.
b.
Strategy and Objective-setting.
c.
Control Activities.
d.
Performance.
96.
There are numerous benefits to implementing a well-developed ERM system. These benefits include:
I.
The entity will anticipate every risk that could result in a loss.
II.
Better alignment of strategy with risk appetite.
III.
Better resource deployment.
IV.
All unknown risks will become known.
a.
I and II only.
b.
II and III only.
c.
III and IV only.
d.
II and IV only.
97.
Concerning ERM, which of the following is not a role that internal auditing should undertake?
a.
Giving assurance on the risk management processes.
b.
Developing a risk management strategy for board approval.
c.
Setting the risk appetite.
d.
Coordinating ERM activities.
98.
Which of the following is not implied by the definition of control?
a.
Measurement of progress toward goals.
b.
Uncovering of deviations from plans.
c.
Assignment of responsibility for deviations.
d.
Indication of the need for corrective action.
99.
Controls should be designed to ensure that:
a.
Operations are performed efficiently.
b.
Management’s plans have not been circumvented by worker collusion.
c.
The IAA’s guidance and oversight of management’s performance is accomplished economically and
efficiently.
d.
Management’s planning, organizing, and directing processes are properly evaluated.
100. Which of the following is true regarding the difference between corporate-level and operational-level
controls?
a.
Corporate-level controls are mostly automated, whereas operational-level controls are mostly manual.
b.
Operational-level controls include both manual and automated controls, whereas corporate-level controls are mostly manual and include general policy statements that concern ethics and corporate values.
c.
Corporate-level controls are mostly manual, whereas operational-level controls are mostly automated,
consisting of complying with specific control procedures and making sure financial information is accurate and complete.
d.
Operational-level controls include both manual and automated controls, whereas corporate-level controls are mostly manual and encompass planning and performance monitoring, the system of accountability to superiors, and risk evaluation.
101. Which of the following types of controls is often difficult to evaluate because they may lack established
criteria or standards?
a.
Operating controls.
b.
Financial controls.
c.
Directive controls.
d.
Preventive controls.
102. Which of the following is not a preventive control?
a.
The general ledger master file is locked in a safe each night.
b.
All bills are marked “Paid” to prevent duplicate payment.
c.
The accounts receivable subsidiary ledger is reconciled against the general ledger accounts receivable
control total.
d.
Customer numbers are verified by the computer before a sales order is accepted to ensure the sales
order is from an established company.
103. The control process can be divided into feedforward, concurrent, and feedback controls. Which of the
following is a concurrent control?
a.
Product quality control training.
b.
Online activity monitoring.
c.
Raw materials variance analysis.
d.
90-day cash budgeting.
104. Which of the following is an example of an effectiveness measure?
a.
The rate of absenteeism.
b.
The goal of becoming a leading manufacturer.
c.
The number of insurance claims processed per day.
d.
The rate of customer complaints.
105. Budgets are generally classified as both planning documents and control devices. An important difference between the budget planning information needed and the budget control information needed is
that planning information is more:
a.
Likely to be generated using external data.
b.
Detailed.
c.
Likely to be quantifiable.
d.
Likely to be accurate.
106. Which of the following exemplifies an inherent limitation of internal control?
a.
A controller makes and records cash deposits.
b.
A security guard allows a warehouse employee to remove company property from the premises without
authorization.
c.
The company sells to customers on credit without proper credit approval.
d.
An employee who is unable to read is assigned custody of the company’s tape library and run manuals.
107. The following are steps in a typical control process.
1)
Select the times or points at which to collect information about the activities that are being measured and controlled.
2)
Set the standards.
3)
Observe the process, or collect the samples.
4)
Report any significant deviations or problems.
5)
Review and revise the standards.
6)
Record the information that was collected.
7)
Implement whatever corrections to the system or processes are necessary.
8)
Evaluate if the performance is satisfactory.
What is the correct order of these steps?
a.
2, 1, 6, 3, 8, 7, 4, 5.
b.
1, 2, 3, 6, 5, 7, 8, 4.
c.
2, 1, 3, 6, 8, 4, 7, 5.
d.
1, 3, 2, 6, 7, 5, 8, 4.
108. An internal auditor was evaluating the company’s application controls over financial reporting. Which
of the following would not be an application control objective?
a.
Input data is accurate, complete, authorized, and correct.
b.
Data is processed as intended in an acceptable time period.
c.
Outputs are accurate and complete.
d.
Only authorized personnel are able to access information in the network.
109. A control likely to prevent purchasing agents from favoring specific suppliers is:
a.
Requiring management's review of a monthly report of the totals spent by each buyer.
b.
Requiring buyers to adhere to detailed material specifications.
c.
Rotating buyer assignments periodically.
d.
Monitoring the number of orders placed by each buyer.
110. The results of an audit of cash controls indicated that the bookkeeper signed expense checks and reconciled the checking account. If the cash account reconciliations were current and no cash shortages
were found, an internal auditor should conclude that the system of internal controls over:
a.
Recording of cash receipts is adequate.
b.
Accounting for cash is inadequate.
c.
Reconciliations of the cash account are adequate.
d.
Physical safeguards of cash are adequate.
111. Which of the following is a control weakness rather than a control strength with regard to the payroll
clerk? The payroll clerk:
a.
Has custody of the check signature stamp.
b.
Prepares the payroll register.
c.
Forwards the payroll register to the chief accountant for approval.
d.
Draws the paychecks on a separate payroll checking account.
112. Which of the following situations would cause an internal auditor to question the adequacy of controls
over a purchasing function?
a.
The original and one copy of the purchase order are mailed to the vendor. The copy on which the vendor
acknowledges acceptance is returned to the purchasing department.
b.
Receiving reports are forwarded to purchasing where they are matched with the purchase orders and
sent to accounts payable.
c.
The accounts payable department prepares documentation for payments.
d.
Unpaid voucher files and perpetual inventory records are independently maintained.
113. Proper segregation of duties reduces the opportunities in which a person could both:
a.
Establish controls and execute them.
b.
Design the controls and monitor them.
c.
Perpetrate errors and frauds and conceal them.
d.
Record transactions in the accounting journal and general ledger.
114. Internal auditors use the COSO model to evaluate the strength of a company’s internal control system
over financial reporting. Which of the following is not a core principle of the control environment?
a.
Having a commitment to financial reporting competence.
b.
Having the right management philosophy and operating style.
c.
Having the right human resource policies and procedures.
d.
Determining the company’s financial reporting objectives.
115. An effective control system should have all of the following characteristics except:
a.
The control system should actually reflect what the organization is trying to measure and control.
b.
The control system must be understandable by all persons using the system.
c.
The organization saves less than the cost of the control.
d.
The information provided by the control system must be available in a timely manner.
116. Which of the following actions can help reduce the ability of an individual to rationalize fraud?
a.
Having a strong human resource department and strong personnel policies.
b.
Having a strong internal control system.
c.
Ethics training and a principled corporate culture.
d.
Having a drug or gambling problem.
117. Which of the following are examples of fraud that would not benefit an organization?
a.
Intentional/improper transfer pricing.
b.
Tax fraud.
c.
Claims submitted for services or goods not actually provided to the organization.
d.
Sale or assignment of fictitious or misrepresented assets.
118. Which of the following best describes an auditor's responsibility after noting indicators of fraud?
a.
Expand audit activities to determine whether an investigation is warranted.
b.
Report the possibility of fraud to top management and ask how to proceed.
c.
Consult with external legal counsel to determine the course of action to be taken.
d.
Report the matter to the audit committee and request funding for outside specialists to help investigate
the possible fraud.
The following information is for questions 119 and 120.
The manager of a production line has the authority to order and receive replacement parts for all machinery
that requires periodic maintenance. The internal auditor received an anonymous tip that the manager ordered
substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the
parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier,
and the money was divided between the manager and the family member.
119. Which of the following internal controls would most likely have prevented this fraud from occurring?
a.
Establishing predefined spending levels for all vendors during the bidding process.
b.
Segregating the receiving function from the authorization of parts purchases.
c.
Comparing the bill of lading for replacement parts to the approved purchase order.
d.
Using the company’s inventory system to match quantities requested with quantities received.
120. Which of the following tests would best assist the auditor in deciding whether to investigate this anonymous tip further?
a.
Comparison of the current quarter’s maintenance expense with prior-period activity.
b.
Physical inventory testing of replacement parts for existence and valuation.
c.
Analysis of repair parts charged to maintenance to review the reasonableness of the number of items
replaced.
d.
Review of a test sample of parts invoices for proper authorization and receipt.
121. Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset?
a.
Debit expenses and credit the asset.
b.
Debit the asset and credit another asset account.
c.
Debit revenue and credit the asset.
d.
Debit another asset account and credit the asset.
122. Which of the following would not be considered a condition that indicates a higher likelihood of fraud?
a.
Management has delegated the authority to make purchases under a certain dollar limit to subordinates.
b.
An individual has held the same cash-handling job for an extended period without any rotation of duties.
c.
An individual handling marketable securities is responsible for making the purchases, recording the purchases, and reporting any discrepancies and gains/losses to senior management.
d.
The assignment of responsibility and accountability in the accounts receivable department is not clear.
123. Which of the following statements is (are) true regarding the prevention of fraud?
I.
The primary means of preventing fraud is through internal controls established and maintained by
management.
II.
Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating
the adequacy of the internal control system.
III.
Internal auditors should assess the operating effectiveness of fraud-related communication systems.
a.
I only.
b.
II only.
c.
I and II only.
d.
I, II and III.
124. Internal auditors are more likely to detect fraud by developing and strengthening their ability to:
a.
Recognize and question changes that occur in organizations.
b.
Interrogate fraud perpetrators to discover why fraud was committed.
c.
Develop internal controls to prevent the occurrence of fraud.
d.
Document computerized operating systems.
125. In some cases of fraud, it is necessary to use the services of a forensic auditor. Which of the following
is generally not a type of investigation that is conducted by forensic auditors?
a.
Deliberate falsification of accounting records.
b.
Management compensation.
c.
Acts of extortion.
d.
Theft of company assets.
CIA Part 1 Mock Exam #1 Answers
Solutions
The chart below cross-references the question numbers for Part 1 (Exam #1) with the topics
tested:
Sections | Topics | Question Numbers
Section I: Foundations of Internal Auditing | The IIA’s International Standards | 1 - 15
Section I: Foundations of Internal Auditing | Code of Ethics | 16 - 22
Section II: Independence & Objectivity | Independence & Objectivity | 23 - 40
Section III: Proficiency and Due Diligence | Proficiency & Due Diligence | 41 - 60
Section IV: Quality Assurance & Improvement Program | Quality Assurance & Improvement Program | 61 - 69
Section V: Governance, Risk Management, and Control | Organizational Governance and Culture | 70 - 74
Section V: Governance, Risk Management, and Control | Ethics | 75
Section V: Governance, Risk Management, and Control | Corporate Social Responsibility | 76 - 78
Section V: Governance, Risk Management, and Control | Risk and Risk Management | 79 - 97
Section V: Governance, Risk Management, and Control | Internal Control Concepts, Effectiveness and Efficiency | 98 - 115
Section VI: Fraud Risks | Fraud risks | 116 - 125
CIA Part 1 Mock Exam Answers
1.
Solution: b
a.
Incorrect. The internal audit charter defines the necessary authorities and responsibilities.
b.
Correct. The internal audit manual and annual audit plan help determine the resource requirements.
c.
Incorrect. The internal audit charter defines the role and responsibility of the internal audit activity and
acts as a benchmark for evaluating the audit function.
d.
Incorrect. The internal audit charter should be approved by senior management and the board.
2.
Solution: d
a.
Incorrect. The Standards do not require internal auditors to ensure compliance with reporting procedures.
b.
Incorrect. There is no expected match of fund flows with expense items in a single time period.
c.
Incorrect. This would be the function of the personnel and/or finance departments.
d.
Correct. Internal auditors are responsible for identifying inadequate controls, for appraising managerial
effectiveness, and pinpointing common risks.
3.
Solution: a
a.
Correct. The purpose, authority, and responsibility of the IAA should be formally defined in the charter,
which is approved by management and the board.
b.
Incorrect. Adoption of policies helps guide the internal auditing staff, but not with its status.
c.
Incorrect. The establishment of the audit committee does not ensure the status of the IAA without its
involvement in matters such as acceptance of the charter.
d.
Incorrect. Written policies and procedures guide the internal auditing staff, not protect the IAA’s status.
4.
Solution: a
a.
Correct. Based on Implementation Standard 2210.A3, if control criteria are inadequate, then internal
auditors must work with management to develop appropriate evaluation criteria.
b.
Incorrect. The auditor should seek to understand the operating standards as they are applied to the
organization. Also, best practices may produce overly high standards.
c.
Incorrect. The Standards state that if internal auditors must interpret standards, they should seek
agreement with the engagement client.
d.
Incorrect. The auditor should first seek to gain an understanding with the departmental manager on
the appropriate standards.
5.
Solution: d
a.
Incorrect. The Definition of Internal Auditing is considered mandatory guidance.
b.
Incorrect. The Code of Ethics is considered mandatory guidance.
c.
Incorrect. The Core Principles for the Professional Practice of Internal Auditing are considered mandatory guidance.
d.
Correct. The Mission of Internal Audit is not considered mandatory guidance.
6.
Solution: d
a.
Incorrect. The professionalization of internal auditing is important, but it is not one of the purposes of
the Standards.
b.
Incorrect. Independence and objectivity are aspects of the internal audit activity, but not one of the
purposes of the Standards.
c.
Incorrect. This is not one of the purposes of the Standards.
d.
Correct. According to the IIA, the Standards are intended to: 1) Guide adherence with the mandatory
elements of the International Professional Practices Framework. 2) Provide a framework for performing
and promoting a broad range of value-added internal auditing services. 3) Establish the basis for the
evaluation of internal audit performance. 4) Foster improved organizational processes and operations.
7.
Solution: b
a.
Incorrect. The IAA charter does not protect the IAA from outside influence.
b.
Correct. The purpose, authority, and responsibility of the IAA must be formally defined in the charter.
c.
Incorrect. The IAA charter does not define the relationship between the internal and external auditors.
d.
Incorrect. The CAE should not, under any circumstance, be a member of the audit committee.
8.
Solution: d
a.
Incorrect. This will not help the CAE understand whether any specific IAA goal is being met.
b.
Incorrect. Comparing the audit plan with actual audit activity will not tell the CAE whether the IAA’s
broader audit coverage goals are being met.
c.
Incorrect. Surveys of management satisfaction will only tell the IAA how management feels about the
services provided by the IAA and not whether any specific IAA goal is being accomplished.
d.
Correct. Implementing a quality assurance and improvement program (QAIP) can assist the CAE in
determining whether the IAA’s audit coverage goals are being met. The QAIP evaluates and analyzes
the effectiveness and efficiency of IAA operations, which has to do with understanding whether stated
IAA goals and objectives are being achieved.
9.
Solution: a
a.
Correct. Review and testing of the other department’s procedures may reduce necessary audit coverage of the function or process.
b.
Incorrect. Concentrating on the function or process might lead to a duplication of efforts.
c.
Incorrect. The internal auditor cannot rely on the work of others without verifying the results.
d.
Incorrect. The internal audit activity’s overall responsibility for assessing the function or process is not
affected by the other department’s coverage.
10.
Solution: d
a.
Incorrect. Policies and procedures provide guidance but will not be the source of authority.
b.
Incorrect. The authority of the internal audit activity is detailed in the charter and approved by the
board.
c.
Incorrect. The Code of Ethics is the means of promoting an ethical culture in the internal auditing
profession.
d.
Correct. The purpose, authority, and responsibility of the internal audit activity should be defined in
the charter. The charter should establish the internal audit activity’s position within the organization;
authorize access to records, personnel, and physical properties relevant to the performance of engagements; and define the scope of internal audit activities (PA 1000-1).
11.
Solution: d
a.
Incorrect. This is one of the ten Core Principles.
b.
Incorrect. This is one of the ten Core Principles.
c.
Incorrect. This is one of the ten Core Principles.
d.
Correct. The correct principle is, “Is insightful, proactive, and future-focused.”
12.
Solution: c
a.
Incorrect. Goals are statements of activities that are to be accomplished. Policies and procedures are
the means by which the goals are achieved.
b.
Incorrect. Goals are statements of activities that are to be accomplished. Engagement work schedules
are a means to achieve goals.
c.
Correct. The goals of the IAA should be capable of being accomplished within specified operating plans
and budgets and, to the extent possible, should be measurable. They should be accompanied by measurement criteria and targeted dates of accomplishment.
d.
Incorrect. Staffing plans and financial budgets are a means of accomplishing specified goals.
13.
Solution: c
a.
Incorrect. This is the purpose of the audit plan.
b.
Incorrect. Correcting internal control weaknesses is the function of management, not a function of the
internal auditor.
c.
Correct. As described by the IIA, the internal auditors’ primary purpose in reviewing an organization’s
existing risk management, control, and governance processes is to provide reasonable assurance that
these processes are functioning as intended and will enable the organization’s objectives and goals to
be met.
d.
Incorrect. This is a basic objective from a financial accounting and auditing perspective but is not broad
enough to cover the internal auditor’s entire purpose for review.
14.
Solution: c (I, III and IV only)
I.
Correct. Internal auditing should assess an operating department’s effectiveness in achieving its stated
goals.
II.
Incorrect. The safeguarding of assets is the responsibility of management, not internal auditing.
III.
Correct. Internal auditors should evaluate controls over compliance with laws and regulations.
IV.
Correct. Internal auditors should ascertain the extent to which objectives and goals have been established.
15.
Solution: b
a.
Incorrect. Internal auditors do not impose corrective measures. This is the responsibility of management.
b.
Correct. Internal auditors need to maintain a satisfactory relationship with engagement clients. In
order to enhance this relationship, it is good policy to involve the client on all engagements. Developing
a positive relationship produces a more favorable environment for the engagement effort.
c.
Incorrect. Internal auditors could be part of a fraud investigation, but such involvement would not be
considered a consultative engagement.
d.
Incorrect. Internal auditors do not implement policies and procedures.
16.
Solution: b
a.
Incorrect. Acceptance of the gift could easily be presumed to have impaired independence and thus
would not be acceptable.
b.
Correct. As long as the individual has the CIA designation, then he or she should be guided by the
profession’s Code of Ethics in addition to the organization’s code of conduct. Rule of conduct 2.2 precludes such gifts because they could be presumed to have influenced the individual’s decision.
c.
Incorrect. As long as the individual has the CIA designation, then the CIA should be guided by the IIA’s
Code of Ethics.
d.
Incorrect. The action could still easily be perceived as a kickback.
17.
Solution: d
a.
Incorrect. Periodic review and acknowledgment would not be very helpful, because acceptance of the
code is really not an issue with the employees.
b.
Incorrect. Employee involvement in its development would not be very helpful because employee acceptance is really not an issue.
c.
Incorrect. Public knowledge of its contents and purpose might affect a few employees but would not be
as effective as provisions for disciplinary action in the event of violations.
d.
Correct. Provisions for disciplinary action in the event of violations would be the most effective method
to deter misconduct.
18.
Solution: b
a.
Incorrect. A conflict of interest policy would prohibit the acceptance of money, gifts, or services from a
customer.
b.
Correct. A person has the right to participate in the management of a public agency (a government
agency). Thus, it would not be included in a manufacturer’s conflict of interest policy.
c.
Incorrect. A conflict of interest policy would prohibit financial dealings between an employee and vendors or suppliers.
d.
Incorrect. The IIA Code of Ethics prohibits the use of information for personal gain.
19.
Solution: b
a.
Incorrect. See correct answer (b).
b.
Correct. The internal auditor would be in violation of the objectivity rule of conduct. According to rule
2.3, internal auditors shall disclose all material facts known to them, that if not disclosed, may distort
the reporting of activities under review. In this case, capitalizing general maintenance cost would distort
the financial statements.
c.
Incorrect. See correct answer (b).
d.
Incorrect. See correct answer (b).
20.
Solution: b
a.
Incorrect. Being active in a charitable organization is unlikely to be contrary to the interests of the
organization.
b.
Correct. According to the Code, an “Internal auditor shall not participate in any activity or relationship
that may impair or be presumed to impair their unbiased assessment.” Thus, an internal auditor and
part-time business broker would be considered to be incompatible.
c.
Incorrect. Teaching would be considered to be compatible with internal auditing.
d.
Incorrect. The renting of residential units would not be considered to be a conflict.
21.
Solution: c
a.
Incorrect. Audit management should always be informed concerning any such offers.
b.
Incorrect. Audit management should always be informed concerning any such offers.
c.
Correct. Even though the gift is of significant value, because it is part of a company-sponsored program
it might be acceptable for the internal auditor to accept the gift. However, it is still recommended that
the internal auditor first confirm the acceptance with the CAE.
d.
Incorrect. Declining the gift could erode the audit function's relationship with the division in question.
Audit management should first be informed and consulted for guidance.
22.
Solution: c
a.
Incorrect. The auditor is not withholding information because the information has been forwarded to
the CAE. The information may be useful in a subsequent engagement in the marketing area.
b.
Incorrect. The auditor has documented a red flag that may be important in a subsequent engagement.
This does not violate the Standards.
c.
Correct. There is no violation of either the Code of Ethics or the Standards.
d.
Incorrect. There is no violation of either the Code of Ethics or the Standards.
23.
Solution: b
a.
Incorrect. Objectivity is not impaired when the internal auditor reviews procedures before they are
implemented.
b.
Correct. According to the Standards, persons transferred to the internal audit activity should not be
assigned to audit activities that they previously performed until a reasonable period of time (at least
one year) has elapsed.
c.
Incorrect. The internal auditor’s objectivity is not adversely affected when the auditor recommends
standards of control for systems before they are implemented. This is in fact what the internal auditor
should do.
d.
Incorrect. The use of staff from other areas to assist the internal auditor does not impair objectivity,
especially when the staff is from outside the area being audited.
24.
Solution: d
a.
Incorrect. A conflict of interest could compromise the internal auditor’s objectivity.
b.
Incorrect. The auditor’s familiarity with the auditee could compromise the internal auditor’s objectivity.
c.
Incorrect. Assuming operational duties could compromise the auditor’s objectivity if the auditor had to
then perform an engagement of the operation.
d.
Correct. It is highly likely that an auditor at some time will have to rely on the opinion of an outside
expert.
25.
Solution: a
a.
Correct. When the IAA or individual internal auditor is responsible, or may be responsible, for an
operation that it might audit, the internal auditor’s independence and objectivity may be impaired.
b.
Incorrect. Budget restrictions do not constitute impairment of an engagement.
c.
Incorrect. It is acceptable for the internal auditor to recommend standards of control, but the internal
auditor is not able to design, install, or draft procedures. These functions may impair the internal auditor’s objectivity.
d.
Incorrect. It is acceptable for the internal auditor to review contracts prior to their execution.
26.
Solution: d
a.
Incorrect. Engagement communications should go direct to the audit committee, not be forwarded by
management.
b.
Incorrect. Engagement communications should also be sent to management.
c.
Incorrect. Ideally, the CAE would administratively report to the CEO or high enough officer to maintain
independence, and functionally to the audit committee or some other appropriate governing board.
Under the ideal situation, all engagement communications are sent to the audit committee as well.
d.
Correct. Internal auditors should first discuss conclusions and recommendations with management so
that management is able to verify the accuracy of the engagement communications. Final engagement
communications would then be sent to the audit committee.
27.
Solution: b
a.
Incorrect. Regardless of the reason, there is a scope limitation when a test in an engagement cannot
be performed as planned.
b.
Correct. The board has the right to delete an engagement from the annual IAA work schedule. Therefore, this is not considered to be a scope limitation.
c.
Incorrect. Not being able to contact certain customers would be considered a scope limitation.
d.
Incorrect. Answer (b) would not be considered a scope limitation.
28.
Solution: b
a.
Incorrect. Limiting the scope of the audit based on proprietary information would be considered a scope
limitation, but the internal auditor would report the limitation to the board or audit committee, not
to the controller.
b.
Correct. This is the best combination. If the internal auditor does not have access to records, then this
needs to be reported to the board.
c.
Incorrect. Delaying the audit by 2 weeks would not be considered a scope limitation.
d.
Incorrect. Not allowing the auditor to contact major customers would be considered a scope limitation.
Additionally, the limitation would have to be reported to the board or audit committee.
29.
Solution: c
a.
Incorrect.
b.
Incorrect.
c.
Correct. This is correct because the CAE should functionally report to the board or audit committee
and administratively report to upper management.
d.
Incorrect.
30.
Solution: b
a.
Incorrect. Administrative reporting does include developing and submitting the annual internal auditing
budget.
b.
Correct. Approving the risk-based internal audit plan is connected with functional reporting, not administrative reporting.
c.
Incorrect. Administrative reporting does include the administration of the internal audit activities policies and procedures.
d.
Incorrect. Administrative reporting does include human resource administration.
31.
Solution: c (I and IV)
I.
Correct. Auditing an area for which the auditor was responsible more than one year ago is perceived
not to impair objectivity.
II.
Incorrect. Accepting a sizable gift from a client after the successful completion of an audit is perceived
to impair objectivity.
III.
Incorrect. Designing control procedures for an engagement client is perceived to impair objectivity.
IV.
Correct. Accepting a small token of appreciation from a client after the successful completion of an
audit is perceived not to impair objectivity.
32.
Solution: d
a.
Incorrect. Internal auditors are able to test whether balances are accurately stated.
b.
Incorrect. Internal auditors should recommend areas for improvement.
c.
Incorrect. Internal auditors should develop audit plans for future audits.
d.
Correct. Internal auditors should not draft or design control procedures.
33.
Solution: b
a.
Incorrect. This is a correct statement concerning an assurance engagement.
b.
Correct. This is a true statement concerning a consulting engagement. The auditor does not need to
be independent but does need to be objective.
c.
Incorrect. This is a correct statement concerning an assurance engagement.
d.
Incorrect. This is a correct statement concerning an assurance engagement.
34.
Solution: a
a.
Correct. This is a correct statement about individual objectivity.
b.
Incorrect. This statement has to do with independence, not with objectivity.
c.
Incorrect. Answer (a) is correct concerning individual objectivity.
d.
Incorrect. Answer (a) is correct concerning individual objectivity.
35.
Solution: c (I and III)
I.
Correct. Internal audit independence is achieved when internal auditors have unrestricted access to
all functions, records, property and personnel pertinent to carrying out any engagement.
II.
Incorrect. Internal auditing will not have unlimited access to the external auditor’s working papers.
III.
Correct. Internal audit independence is achieved when internal auditors have the necessary resources to accomplish the audit objectives.
36.
Solution: a
a.
Correct. Ascertaining whether the feasibility study addresses the cost-benefit relationship would be a
role for internal auditing.
b.
Incorrect. Soliciting bids from vendors would be a management role.
c.
Incorrect. Determining the requirements for preparing a manual of specifications would be a management role.
d.
Incorrect. Participating in the ERP acquisition and implementation would be management’s role.
37.
Solution: c
a.
Incorrect. This statement is true. A conflict of interest can exist even if no unethical or improper act
results.
b.
Incorrect. This statement is true. A conflict of interest can create an appearance of impropriety that
can undermine confidence in the internal auditor.
c.
Correct. This statement is not true. An auditor’s conflict of interest in a consulting activity
should be disclosed to the client. If the client has no objections, then the auditor may remain on the
consulting engagement.
d.
Incorrect. This statement is true. A conflict of interest could impair an individual’s ability to perform
his or her duties and responsibilities objectively.
38.
Solution: b
a.
Incorrect. Making sure job assignments minimize potential conflicts of interests is a way to promote
objectivity.
b.
Correct. Promoting continuing professional development enhances skills and knowledge. It does not
promote objectivity.
c.
Incorrect. Developing a strong QAIP system is a method to ensure organizational independence and
objectivity.
d.
Incorrect. Periodically rotating internal auditing assignments is a method to promote objectivity.
39.
Solution: d (I, II and III only)
a.
Incorrect. Items I and II are correct, but there are also other correct choices.
b.
Incorrect. Items I and II are correct. However, item IV is not correct. Engagement procedures, even
when exercised with due professional care, cannot guarantee that all significant risks will be identified.
c.
Incorrect. Items I, II, and III are correct. Item IV is not correct. Engagement procedures, even when
exercised with due professional care, cannot guarantee that all significant risks will be identified.
d.
Correct. Only items I, II and III are correct. The internal auditor can only provide reasonable assurance
that significant risks will be identified, not a guarantee.
40.
Solution: c
a.
Incorrect. An interrogatory attitude is not likely to enhance the relationship.
b.
Incorrect. An investigative attitude is not likely to enhance the relationship.
c.
Correct. A consultative attitude leads to two-way communication.
d.
Incorrect. Objectivity will not lead to a better, more positive relationship.
41.
Solution: c
a.
Incorrect. The internal auditor needs to be proficient in auditing procedures and techniques.
b.
Incorrect. The internal auditor needs to have an appreciation of accounting principles and techniques.
c.
Correct. The internal auditor needs to have an understanding of management principles.
d.
Incorrect. Internal auditors are not concerned with marketing techniques.
42.
Solution: d (I, II and IV)
I.
Correct. Internal auditors need to understand human relations and be skilled in dealing with people.
II.
Correct. Internal auditors need to be able to understand what constitutes materiality and the significance of deviations from good business practice.
III.
Incorrect. Internal auditors are not expected to be experts in a wide variety of fields related to their
audit responsibilities.
IV.
Correct. Internal auditors should be skilled in oral and written communication.
43.
Solution: d
a.
Incorrect. It is not likely that an internal auditor would be able to handle all engagements.
b.
Incorrect. You would want to hire experienced internal auditors.
c.
Incorrect. Accountants may be needed, but other skills will be needed as well.
d.
Correct. Collectively, the IAA should have necessary skills, knowledge, and experience to carry out its
activities. The IAA may use both internal and external resources that are qualified in such disciplines
as accounting, tax, engineering, law, environmental, and IT.
44.
Solution: b (I and II only)
I.
Correct. Internal auditors have to be proficient in applying the Standards.
II.
Correct. Internal auditors must be proficient in accounting principles when auditing an organization’s
financial statements.
III.
Incorrect. Internal auditors must have an appreciation, not proficiency, of accounting and computerized
information systems.
45.
Solution: c
a.
Incorrect. Providing technical training to gain proficiency as a valuation expert is not the purpose of
continuing professional education.
b.
Incorrect. Continuing professional education is required so internal auditors are able to fulfill their assigned responsibilities.
c.
Correct. Continuing professional education and training are necessary so internal auditors have the
knowledge and skills required to fulfill their assigned responsibilities.
d.
Incorrect. Having knowledge required to perform a peer review is not the purpose of continuing professional education.
46.
Solution: d
d.
Correct. Any of the above.
47.
Solution: a
a.
Correct. Each member of the internal audit staff need not have an accounting degree. The internal
audit activity collectively must possess or obtain the knowledge, skills, and other competencies
needed to perform its responsibilities (Standard 1210).
b.
Incorrect. Obtaining college transcripts would be an acceptable way to check the qualifications of the
prospective hire.
c.
Incorrect. Checking an applicant's references would be an acceptable way to check the qualifications
of the prospective hire.
d.
Incorrect. Determining previous job experience would be an acceptable way to check the qualifications during the hiring process.
48.
Solution: c
a.
Incorrect. Reviewing large, abnormal, or unexplained expenditures would be appropriate for the prevention and detection of fraud.
b.
Incorrect. Reviewing sensitive expenses such as legal fees, consulting fees, and foreign sales commissions would be appropriate for the prevention and detection of fraud.
c.
Correct. The internal auditor must exercise due professional care by considering the relative complexity, materiality, or significance of matters to which assurance procedures are applied. Cost of assurance in relation to potential benefits should also be considered (Standard 1220.A1). Therefore, the
review of every control pertaining to petty cash would be considered excessive and inefficient.
d.
Incorrect. Reviewing unusual contributions would be appropriate for the prevention and detection of
fraud.
49.
Solution: a (I only)
I.
Correct. Materiality is defined by the potential impact of an item on the organization and is not limited
to items that can be assessed only in qualitative terms.
II.
Incorrect. There may be some control failures of a minor nature that would not be considered material.
III.
Incorrect. Sampling approaches may be used to comprehensively cover the control structure of an
organization.
50.
Solution: c
a.
Incorrect. Management has to determine whether to implement the auditor’s recommendation.
b.
Incorrect. The audit had to do with evaluating the procedures to increase the diversity of the organization’s workforce, not to ascertain whether the company is in line with its diversity policies.
c.
Correct. Exercising due professional care includes following up to see that the client has taken appropriate action. This does not mean that the client has to implement every recommendation submitted
by the auditor, but it is expected that the client considers the recommendations.
d.
Incorrect. Only answer (c) is correct.
51.
Solution: c
a.
Incorrect. Due professional care does not entail reviewing all transactions.
b.
Incorrect. Due professional care does not entail infallibility and extraordinary performance; it only entails reasonable care and skill.
c.
Correct. Due professional care implies reasonable care and competence, not infallibility or extraordinary performance (PA 1220-1).
d.
Incorrect. The internal auditor is unable to give 100% absolute assurance, only reasonable assurance.
52.
Solution: b
a.
Incorrect. Due professional care includes making sure the content of the working papers is sufficient
to provide support for the internal auditor's opinion.
b.
Correct. Making sure the company is protected against future lawsuits is not an aspect of due professional care.
c.
Incorrect. Due professional care includes considering the probability of significant errors, fraud or
noncompliance.
d.
Incorrect. Due professional care includes considering the cost of the engagement in relation to potential benefits.
53.
Solution: c
a.
Incorrect. The CAE may not be directly involved in the hiring of the service provider.
b.
Incorrect. The service provider does not need to have the CIA designation.
c.
Correct. When using the services of an outside service provider, the CAE needs to evaluate the skills
and reputation of the service provider.
d.
Incorrect. The service provider does not need to have knowledge of the internal auditing standards.
54.
Solution: a
a.
Correct. Internal auditors need to have an appreciation of quantitative methods.
b.
Incorrect. Internal auditors need to be proficient in applying auditing techniques.
c.
Incorrect. Internal auditors need to be proficient in applying auditing procedures.
d.
Incorrect. Internal auditors need to be proficient in applying the internal audit standards.
55.
Solution: c
a.
Incorrect. It is appropriate to select only a sample of the transactions to test.
b.
Incorrect. If an internal auditor detects inefficiency due to overstaffing, it is appropriate to include it
in the report.
c.
Correct. It is not possible for an auditor to state with absolute assurance that no irregularities exist.
d.
Incorrect. The internal auditor is not obligated to report to external authorities unless legally required
to do so.
56.
Solution: b
a.
Incorrect. Reviewing all transactions would probably not be feasible.
b.
Correct. The internal auditor is only able to give reasonable assurances, not absolute. In this case, due
care was applied because the internal auditor used appropriate sampling methods.
c.
Incorrect. The internal auditor is not able to give 100% absolute assurance that fraud will not go undetected.
d.
Incorrect. The internal auditor should not be held responsible for the oversight because appropriate
sampling methods were used.
57.
Solution: d
a.
Incorrect. The Standards do not require that every internal auditor possess all knowledge on all subjects.
b.
Incorrect. The needs of the department may not be adequately met.
c.
Incorrect. Encouraging additional training will not fulfill the current staffing need.
d.
Correct. The CAE should offer the individual a staff position if other staff members have sufficient
knowledge of EMS.
58.
Solution: a (I only)
I.
Correct. Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The IAA collectively should have or obtain the knowledge,
skills, and other competencies needed to perform its responsibilities (Standard 1210). As long as the
senior internal auditor closely supervises the staff internal auditor then this would be an appropriate
arrangement.
II.
Incorrect. Supervision entails more than reviewing the engagement.
59.
Solution: c
a.
Incorrect.
b.
Incorrect.
c.
Correct. Rule of Conduct 4.3 states that “internal auditors shall continually improve their proficiency
and the effectiveness and quality of their services.” Rule of Conduct 4.2 states that “internal auditors
shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.” Moreover, Standard 1230 states that “internal auditors must enhance their knowledge, skills, and competencies through continuing professional development.” Thus,
both the Standards and The IIA’s Code of Ethics are violated by failing to maintain proficiency through
continuing education.
d.
Incorrect.
60.
Solution: b
a.
Incorrect. Identifying potential ways in which a misstatement could occur and ranking them is exercising
due professional care on part of the internal auditor.
b.
Correct. It is expected that engagement work programs can be modified if the work environment has changed. Thus, the internal auditor would not be exercising due professional care if he
failed to investigate a possible misstatement based on the fact that the work program had already been
approved.
c.
Incorrect. Asking for advice is exercising due professional care.
d.
Incorrect. In this case, approval from the engagement client is not required.
61.
Solution: a
a.
Correct. External assessments of the IAA should appraise and express an opinion as to the IAA’s
compliance with the Standards for the International Professional Practice of Internal Auditing and, as
appropriate, should include recommendations for improvement. External assessment should be conducted at least once every five years (PA 1312-1).
b.
Incorrect. It will be the internal assessment that will provide recommendations for improvement.
c.
Incorrect. It will be the internal assessment that will determine whether internal auditing services meet
professional standards.
d.
Incorrect. It will be the internal assessment that will identify tasks that can be performed better.
62.
Solution: b
a.
Incorrect. The tools and techniques employed by the IAA would be within the broad scope of coverage
of the external assessment.
b.
Correct. The external assessment should consist of a broad scope of coverage that includes: (1) Conformance with the Definition of Internal Auditing, Standards, The Code of Ethics and the internal audit
activity’s charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements; (2) the expectations of the IAA expressed by the board, executive management and operational managers; (3) the integration of the IAA into the organization’s governance process, including
the relationships between and among the key groups involved in the process; (4) tools and techniques
employed by the IAA; (5) the mix of knowledge, experience, and disciplines within the staff, including
staff focus on process improvement; and (6) the determination as to whether or not the IAA adds value
and improves the organization’s operations (PA 1312-1.10). A detailed cost-benefit analysis of the IAA
would not be part of the external assessment.
c.
Incorrect. Compliance with the Standards for the International Professional Practice of Internal Auditing
is within the broad scope of coverage of the external assessment.
d.
Incorrect. Adherence with the IAA’s charter is within the broad scope of coverage of the external assessment.
63.
Solution: b
a.
Incorrect. Promising the client to have the internal auditor finish the work within one week without
proper background information on the current engagement would jeopardize the authority of the IAA.
b.
Correct. In this situation, the CAE would have a responsibility to review the existing procedures to
determine whether the IAA has provided for proper planning and quality assurance. Not doing so would
jeopardize the authority of the IAA.
c.
Incorrect. Presenting an immediate defense of the internal auditor could potentially harm future communications with the client. It also could jeopardize the authority of the IAA.
d.
Incorrect. The CAE has a responsibility not to discard potentially valid complaints.
64.
Solution: d
a.
Incorrect. External assessments express an opinion on the overall effectiveness of the quality program,
not the adequacy of internal controls.
b.
Incorrect. External assessments express an opinion on the overall effectiveness of the quality program,
not the effectiveness of the internal auditing coverage.
c.
Incorrect. External assessments express an opinion on the overall effectiveness of the quality program,
not conformance to the IAA charter.
d.
Correct. The external assessment should consist of a broad scope of coverage that includes conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards (PA 1312-1.10).
65.
Solution: d
a.
Incorrect.
b.
Incorrect.
c.
Incorrect.
d.
Correct. Management and the board might request that the IAA participate in the performance of
the external auditor, including assessment of the external auditor’s independence. This assessment
should be carried out at least annually.
66.
Solution: b
a.
Incorrect. Quality assurance is not measured against the IIA’s Code of Ethics.
b.
Correct. External assessments of an internal audit activity appraise and express an opinion as to the
IAA’s compliance with the Standards and, as appropriate, should include recommendations for improvement.
c.
Incorrect. Supervision is not limited to only planning, examination, evaluation, communication, and
follow-up process. It also includes training, employee performance evaluation, time and expense control, and similar administrative areas.
d.
Incorrect. Appropriate follow-up is the responsibility of the CAE.
67.
Solution: d (I, II and IV)
I.
Correct. An auditor from the company’s headquarters could be part of the external review of a regional
office.
II.
Correct. An internal audit “peer” from another organization’s IAA could be part of the external review.
III.
Incorrect. Only the tax consultant would not be appropriate to have on the external assessment team.
IV.
Correct. A chartered accountant with internal auditing experience and who had been an external auditor of the organization’s external financial reports could be part of the external review.
68.
Solution: d
a.
Incorrect. Staff promotions, pay raises, or disciplinary action result from a proper evaluation of auditor
performance.
b.
Incorrect. Substantiating the quality program is significant but is not the primary purpose of supervisory
review.
c.
Incorrect. Internal auditors must also conform to the Code of Ethics, the IAA's charter, and other applicable standards.
d.
Correct. The IAA's quality program should provide reasonable assurance that the internal auditing work
conforms to the Standards, the Code of Ethics, the IAA's charter, and other applicable standards.
69.
Solution: a
a.
Correct. It is unethical for an internal auditor to accept a fee or gift from an employee, client, customer,
supplier, or business associate. Accepting a fee or gift may create the appearance that the auditor's
objectivity has been impaired. The appearance that objectivity has been impaired may apply to current
and future engagements conducted by the auditor.
b.
Incorrect. The receipt of the mug would not be considered an impairment to objectivity because it is
considered a token gift of insignificant value.
c.
Incorrect. Recommending standards of control or reviewing procedures before implementation will not
impair objectivity.
d.
Incorrect. As long as the internal auditor does not take on operating responsibility it is acceptable to
recommend standards of control or review procedures before implementation.
70.
Solution: a
a.
Correct. The paper lays out a simple and effective way to enhance communications on risk management and control.
b.
Incorrect. The paper does not lay out the functions of the audit committee.
c.
Incorrect. Internal auditing is the third line of defense; however, the paper does not specifically describe
the monitoring functions of the internal audit activity.
d.
Incorrect. The second line of defense is to alert operational management to emerging issues and changing regulatory and risk scenarios.
71.
Solution: b
a.
Incorrect. Organizational structure is the way in which companies are directed and controlled.
b.
Correct. The IIA Standards Glossary defines organizational governance as the combination of processes
and structures implemented by the board to inform, direct, manage, and monitor the achievement of
its objectives.
c.
Incorrect. Management should track and minimize control deficiencies.
d.
Incorrect. Organizational governance processes are principles-based and not rules-based.
72.
Solution: c
a.
Incorrect. Internal auditing would review existing governance-related documentation so any governance
concerns can be identified.
b.
Incorrect. Internal auditing would develop the audit plan.
c.
Correct. Internal auditing would generally not report governance violations to outside authorities unless
specifically told to do so or there is a legal obligation.
d.
Incorrect. When auditing a company’s governance process the IAA would execute the audit plan.
73.
Solution: c
a.
Incorrect. Management philosophy and operating style is a component of a company’s control environment.
b.
Incorrect. The integrity and ethical values of a company is a component of a company’s control environment.
c.
Correct. Formulating business objectives comes after assessing a company’s control environment.
d.
Incorrect. The competence of personnel is a component of a company’s control environment.
74.
Solution: a
a.
Correct. Executive management is responsible for risk management, the board and audit committee
provide an oversight function, and internal auditors serve in the capacity of oversight and advisory
roles.
b.
Incorrect. Executive management is responsible for risk, not the board or audit committee.
c.
Incorrect. The board has oversight responsibility, not internal auditing.
d.
Incorrect. Executive management is responsible for risk, not internal auditing. The board and audit
committee have an oversight role, not executive management.
75.
Solution: c
a.
Incorrect. Reviewing ethics-related policies and processes is a method to understand the ethical climate of the organization.
b.
Incorrect. Conducting a survey is a method to understand the ethical climate of the organization.
c.
Correct. Facilitating an ethics-related training program is a way to promote an ethical climate within
the organization, not assess it.
d.
Incorrect. Conducting audits of specific ethics-related functions is a method of assessment.
76.
Solution: a
a.
Correct. CSR is generally understood to mean that corporations have a degree of responsibility not
only for the economic consequences of their activities but also for the social and environmental implications.
b.
Incorrect. The main focus of CSR is on both the natural and social environment.
c.
Incorrect. CSR recognizes that while the primary responsibility for the enforcement of international
human rights standards lies with national governments, there is a growing acceptance that corporations
also have an important role to play.
d.
Incorrect. CSR recognizes that companies need to be good corporate citizens, which means CSR goes
beyond earning money for shareholders. It's concerned with protecting the interests of all stakeholders,
such as employees, customers, suppliers, and the communities in which businesses operate. Companies
must pay equal attention to business ethics and sustainability.
77.
Solution: b
a.
Incorrect. Deciding what information to report is a bigger challenge than identifying the different groups
that have a legitimate interest in the company.
b.
Correct. One of the biggest challenges with CSR is deciding what information to report because, unlike
financial reporting, there are no standards for CSR reporting.
c.
Incorrect. CSR is concerned with non-financial issues, not financial issues.
d.
Incorrect. Deciding the role of internal auditing in CSR is a board and management decision.
78.
Solution: c
a.
Incorrect. Being too costly is a criticism of CSR.
b.
Incorrect. One of the concerns of CSR is that the use of the term CSR has become so broad that it has
allowed people to interpret and adapt it for many different purposes.
c.
Correct. Enhancing brand reputation is a benefit of CSR.
d.
Incorrect. Despite the assumption of CSR that business outcomes and social objectives can become
more or less aligned, profit undoubtedly wins over principles.
79.
Solution: b
a.
Incorrect. It is acceptable for the IAA to audit the risk management process as part of the internal audit
plan.
b.
Correct. The IAA is able to manage and coordinate the risk management process, but the IAA cannot
manage risk. Managing risk is management’s responsibility.
c.
Incorrect. It is acceptable for the IAA to provide continuous support and be involved in the risk management process such as participation on an oversight committee, monitoring activities, or providing
status reports.
d.
Incorrect. It is possible the IAA could have no role in the risk management process. The level of participation will depend on the board and senior management.
80.
Solution: d
a.
Incorrect. There is nothing management can do to eliminate inherent risk; however, management can
take steps to address and, where appropriate, mitigate its effects.
b.
Incorrect. The level of risk that remains after management has taken actions to mitigate the risk is
referred to as residual risk.
c.
Incorrect. This is incorrect because an inherent risk can be an operational risk, or it can be strategic or
some other type of risk.
d.
Correct. None of the answers are correct. SMA defines inherent risk as “the level of risk in each event
before any mitigation action is taken.”
81.
Solution: c
a.
Incorrect. Reputation risk is a strategic risk, not a financial risk.
b.
Incorrect. Reputation risk is a strategic risk, not an operating risk.
c.
Correct. Reputation risk is a strategic risk. If the reputation of a company suffers, it can take a long
time to regain the trust of the public.
d.
Incorrect. Hazard risks are events that can be mitigated through insurance.
82.
Solution: a
a.
Correct. The loss of key employees is an internal risk event.
b.
Incorrect. The risk of new regulations is an external risk event.
c.
Incorrect. The risk of changing demographics is an external risk event.
d.
Incorrect. The risk of rising inflation is an external risk event.
83.
Solution: b
a.
Incorrect. Conducting a brainstorming session is a technique for identifying risks.
b.
Correct. Variable sampling is a process used to predict the value of a specific variable.
c.
Incorrect. Conducting scenario analysis is a technique for identifying risks.
d.
Incorrect. Analyzing feedback from risk questionnaires and risk surveys is a technique for identifying
risks.
84.
Solution: c
a.
Incorrect. The deductible amount is a residual risk, not an operational risk.
b.
Incorrect. Inherent risk is the level of risk that resides with an event or process prior to management
taking a mitigation action.
c.
Correct. Residual risk is the level of risk that remains after management has taken action to mitigate
the risk.
d.
Incorrect. Transactional risk is the exchange rate risk associated with the time delay between entering
into a contract and settling it.
85.
Solution: b
a.
Incorrect. This is incorrect because expected loss is the amount management expects to lose and unexpected loss is the loss during a very bad year.
b.
Correct. Expected loss is the amount that management expects to be lost to a given risk on average
in one year. Unexpected loss is the amount that a cautious manager might think could be lost to the
risk in a very bad year, in excess of the expected loss amount, up to the maximum probable loss.
Businesses could set up a reserve for the amount of an unexpected loss.
c.
Incorrect. Expected loss is the loss that management expects to occur during the period; however, the
worst-case scenario loss is referred to as the maximum possible loss.
d.
Incorrect. Expected loss is the loss that is expected to occur during the period, which often is the
short-term. Unexpected loss is the loss that is expected during a very bad year.
86.
Solution: b
a.
Incorrect. A reason to use VaR is to measure and control the level of risk that the firm undertakes.
b.
Correct. VaR is based on a normal distribution, whereas a fat-tailed distribution exhibits large skewness or kurtosis as the event gets further from the mean.
c.
Incorrect. A reason to use VaR is to give management a level of confidence that the loss level will not
be exceeded during a certain period of time.
d.
Incorrect. A reason to use VaR is to ensure that risks are not taken beyond the firm’s ability to absorb
the losses of a probable worst outcome.
87.
Solution: d
a.
Incorrect. Negatively correlated risks act as a natural hedge.
b.
Incorrect. Negatively correlated risks act as a natural hedge.
c.
Incorrect. Negatively correlated risks act as a natural hedge.
d.
Correct. If the risks are negatively correlated with one another, they act as natural hedges for each
other and do not need to be mitigated.
88.
Solution: b
a.
Incorrect. Risk monitoring and control is the last step in the risk management process.
b.
Correct. Risk avoidance is a method of responding to risk, but it is not a step in the risk management
process.
c.
Incorrect. Risk response planning is the fourth step in the risk management process.
d.
Incorrect. Risk assessment is the second step in the risk management process.
89.
Solution: c
a.
Incorrect. Risk mitigation entails lowering the risk, not eliminating the threat of the risk.
b.
Incorrect. Risk deflection consists of assigning risks to another party in a formal way. This is also
known as transferring the risk.
c.
Correct. Risk avoidance involves the company eliminating the risky event or item. This might be
done by selling the business, or not doing the business transaction (e.g., not speculating on derivatives).
d.
Incorrect. Residual risk is the risk that is left after controls have been implemented to mitigate the
risk.
90.
Solution: b
a.
Incorrect. Given the value of the project, eliminating the project is not an option.
b.
Correct. In order to deflect the risk, the company could take out some form of insurance to cover for
the potential risk of bodily injury.
c.
Incorrect. Establishing a contingency fund is an accounting method to account for the risk of the project.
d.
Incorrect. Management would do something to mitigate the risk of the project.
91.
Solution: d
d.
Correct. The following are all factors that could influence an organization’s risk appetite:
•
The viewpoints of the major stakeholders, including the views of the company’s major shareholders, bondholders, lenders, analysts, and many others. Each stakeholder might have a different
opinion as to how much risk a company should take on.
•
Accounting factors, such as the volume of transactions, the complexity of the accounting system,
changing rules and regulations.
•
The opportunity for fraud to be committed.
•
External factors, such as changing economic considerations, changes in industry, changes in technology, etc.
•
Governmental restrictions.
•
Entity-level factors, such as the quality and quantity of hired personnel, quality of training courses,
changes in key personnel, etc.
92.
Solution: c
a.
Incorrect. ERM provides reasonable assurance that goals and objectives will be achieved.
b.
Incorrect. Risk and control processes are established by management, not by internal auditors. Independence and objectivity would be impaired if internal auditors were involved in establishing control
activities.
c.
Correct. COSO provides the following definition for enterprise risk management: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding achievement of entity objectives.
d.
Incorrect. ERM is not about selecting the best response to risk but selecting the response that fits the
organization’s risk appetite.
93.
Solution: a
a.
Correct. ERM is able to align the entity’s strategy with the level of risk the firm is willing to take on
(risk appetite); however, it cannot determine the firm’s risk appetite. Determining risk appetite is a
board and management function.
b.
Incorrect. ERM is a method to identify potential risk events.
c.
Incorrect. ERM can improve the ability of the firm to act on opportunities.
d.
Incorrect. ERM can improve utilization of capital and the resources of the company.
94.
Solution: d
a.
Incorrect. Financial growth would be a strategic objective.
b.
Incorrect. Improved customer satisfaction would be a strategic objective.
c.
Incorrect. Product innovation would be a strategic objective.
d.
Correct. Administrative cost cutting would more likely be a short-term objective, not a strategic objective.
95.
Solution: d
a.
Incorrect. Governance and Culture is a component of the ERM model; however, the identification of
risks is one of the principles of the Performance component.
b.
Incorrect. Strategy and Objective-setting is a component of the ERM model; however, the identification
of risks is one of the principles of the Performance component.
c.
Incorrect. Control Activities is one of the components of COSO’s Control model, not the ERM model.
d.
Correct. The identification of risks is one of the principles of the Performance component.
96.
Solution: b (II and III only)
I.
Incorrect. ERM is not able to anticipate every risk that could result in a loss.
II.
Correct. ERM better aligns strategy with risk appetite.
III.
Correct. ERM is able to enhance resource allocation.
IV.
Incorrect. Unfortunately, not all risks will be identified.
97.
Solution: c
a.
Incorrect. Giving assurance on the risk management processes is a core internal audit role in regard to
ERM.
b.
Incorrect. Developing a risk management strategy for board approval is a legitimate internal audit role
in regard to ERM.
c.
Correct. Setting the risk appetite is a role for management and board.
d.
Incorrect. Coordinating ERM activities is a legitimate internal audit role in regard to ERM.
98.
Solution: c
a.
Incorrect. Control is about measuring progress towards some specific goal.
b.
Incorrect. Control is about uncovering deviations from plans.
c.
Correct. The basic process of control is to set objectives, measure performance, and take corrective
action if deficiencies are found. Assigning responsibility is not part of the controlling function.
d.
Incorrect. Control is about indicating the need for corrective action.
99.
Solution: a
a.
Correct. The purpose of the control process is to support people of the organization in the management
of risks and the achievement of its established and communicated objectives. Control processes are
expected to ensure that operations are performed efficiently and achieve established objectives (PA
2130).
b.
Incorrect. Worker collusion is an inherent limitation of control.
c.
Incorrect. The board provides guidance and oversight of management’s performance, not the IAA.
d.
Incorrect. Controls are meant to provide reasonable assurance that management’s goals and objectives
will be achieved in a timely manner. Controls do not directly address management’s planning, organizing, and directing processes.
100. Solution: b
a.
Incorrect. Corporate-level controls are mostly manual, whereas operational-level controls are both
automated and manual.
b.
Correct. Corporate-level controls are mostly manual and include general policy statements, values,
and overall monitoring procedures.
c.
Incorrect. Corporate-level controls are mostly manual, whereas operational-level controls are both
automated and manual.
d.
Incorrect. Operational-level controls include both manual and automated controls, whereas corporate-level controls are mostly manual. However, where corporate-level controls do encompass planning
and performance monitoring, risk evaluation is done at the operational level.
101. Solution: a
a.
Correct. Operating controls are those applicable to production and support activities. In some cases,
an operating activity like customer service or security is difficult to measure because there is no set
control standard.
b.
Incorrect. Financial controls are more specific than operating controls and thus are easier to measure.
c.
Incorrect. Directive controls direct a desirable action. Therefore, directive controls are easier to evaluate
than operating controls.
d.
Incorrect. Preventive controls prevent an undesirable event from happening. Preventive controls are
easier to evaluate than operating controls.
102. Solution: c
a.
Incorrect. Locking the general ledger in a safe each night is a preventive control.
b.
Incorrect. Making sure that all bills are marked “Paid” to prevent duplicate payment is a preventive
control.
c.
Correct. Preventive controls prevent errors from occurring in the first place. Reconciliation will only
provide evidence that an error has already occurred (a feedback control).
d.
Incorrect. Making sure that customer numbers are verified is a preventive control.
103. Solution: b
a.
Incorrect. Product quality control training is an example of a feedforward control.
b.
Correct. Concurrent control is a management technique used to monitor processes and behaviors to
ensure that they conform to regulations and standards. The monitoring takes place during the process
or activity, often in real time, with the goal of making adjustments to prevent errors. Online activity
monitoring happens in real-time and would be considered a concurrent control.
c.
Incorrect. Raw materials variance analysis is an example of a feedback control.
d.
Incorrect. 90-day cash budgeting is an example of a feedforward control.
104. Solution: b
a.
Incorrect. This is not an efficiency measure because there is no comparison of input to output.
b.
Correct. Effectiveness has to do with meeting goals.
c.
Incorrect. This is an example of efficiency, not effectiveness.
d.
Incorrect. This is not an efficiency measure because there is no comparison of input to output.
105. Solution: a
a.
Correct. Because planning is impacted more by the organization's environment, the planning information is more likely to be generated using external data.
b.
Incorrect. Control information is more detailed.
c.
Incorrect. Both types of information need to be quantifiable, but planning is likely to require less quantification.
d.
Incorrect. This is more likely to be true of control information.
106. Solution: b
a.
Incorrect. This situation could be avoided by making sure the controller is not able to make and record
cash deposits. These functions should be segregated.
b.
Correct. This is an example of collusion, where the security guard let the employee steal company
property. Collusion is an inherent limitation of internal control because no matter how tight controls
are, two or more people can work together to circumvent the controls.
c.
Incorrect. This situation could be avoided by making sure that credit sales have proper authorization.
d.
Incorrect. This situation could be avoided by making sure that hired employees are qualified for their
positions.
107. Solution: c
The correct order is:
1.
Set the standards.
2.
Select the times or points.
3.
Observe the process.
4.
Record the information.
5.
Compare and measure the results against the standard.
6.
Evaluate if performance is satisfactory.
7.
Report any significant deviations.
8.
Implement whatever corrections are necessary.
9.
Follow-up to see if the corrections are effective.
10. Review and revise the standards.
108. Solution: d
a.
Incorrect. Application controls ensure that input data is accurate, complete, authorized, and correct.
b.
Incorrect. Application controls ensure data is processed as intended in an acceptable time period.
c.
Incorrect. Application controls ensure outputs are accurate and complete.
d.
Correct. Allowing only authorized personnel to access information in the network is a general control,
not an application control.
109. Solution: c
a.
Incorrect. Total dollars committed would not detect favoritism shown to individual vendors.
b.
Incorrect. Detailed material specifications will not prevent buyer favoritism in placing orders.
c.
Correct. Periodic rotation of buyer assignments will limit the opportunity for any buyer to show favoritism to a particular supplier.
d.
Incorrect. The number of orders placed is not relevant to preventing favoritism.
110. Solution: b
a.
Incorrect. The bookkeeper should not sign the checks and reconcile the checking account. These functions should be segregated. Therefore, the recording of cash receipts is inadequate.
b.
Correct. The bookkeeper should not sign the checks and reconcile the checking account. These functions should be segregated. Therefore, the accounting for cash is inadequate.
c.
Incorrect. The bookkeeper should not sign the checks and reconcile the checking account. These functions should be segregated. Therefore, the reconciliation of the cash account is inadequate.
d.
Incorrect. The bookkeeper should not have custody of cash and reconcile the checking account. These
functions should be segregated. Therefore, physical safeguards of cash are inadequate.
111. Solution: a
a.
Correct. For proper segregation of duties, the payroll clerk should not have custody of the check signature stamp.
b.
Incorrect. Preparing the payroll register is a record-keeping function of the payroll clerk.
c.
Incorrect. The payroll register should be approved by an officer of the organization, such as the chief
accountant.
d.
Incorrect. Paychecks should be drawn on a separate payroll checking account.
112. Solution: b
a.
Incorrect. This is a control strength.
b.
Correct. This is a control weakness. The receiving reports should be forwarded to the accounts payable
department, where they are matched to the purchase order.
c.
Incorrect. The accounts payable department may prepare documentation but should not sign checks.
d.
Incorrect. Unpaid vouchers and perpetual inventory records should be independently maintained.
113. Solution: c
a.
Incorrect. Establishing controls and executing them is not a violation of the segregation of duties.
b.
Incorrect. Designing controls and monitoring them is not a violation of the segregation of duties.
c.
Correct. The intent of the segregation of duties is to make it difficult to perpetrate errors and
frauds and then conceal them.
d.
Incorrect. Recording transactions in the journal and ledger is not a violation of the segregation
of duties.
114. Solution: d
a.
Incorrect. Having a commitment to financial reporting competence is a principle of the control environment.
b.
Incorrect. Having the right management philosophy and operating style is a principle of the control
environment.
c.
Incorrect. Having the right human resource policies and procedures is a principle of the control environment.
d.
Correct. Determining the company’s financial reporting objectives is part of the risk assessment process.
115. Solution: c
a.
Incorrect. An effective control system reflects what the organization is trying to measure and control.
b.
Incorrect. An effective control system is understandable by all persons using the control.
c.
Correct. An effective control system has a positive cost-benefit ratio, which means the organization
saves more than the cost of the control.
d.
Incorrect. An effective control system provides information in a timely manner.
116. Solution: c
a.
Incorrect. Having a strong human resource department and strong personnel policies can reduce the
motivation to commit fraud.
b.
Incorrect. Having a strong internal control system can reduce the opportunity to commit fraud.
c.
Correct. Ethics training and a principled corporate culture can help a company reduce the ability of an
individual to rationalize fraud.
d.
Incorrect. Having a drug and gambling problem is a motivating factor to commit fraud.
117. Solution: c
a.
Incorrect. Intentional or improper transfer pricing would be beneficial to the company.
b.
Incorrect. Tax fraud would benefit the company.
c.
Correct. Claims submitted for services or goods not actually provided to the organization would not
be beneficial to the organization.
d.
Incorrect. Sale or assignment of fictitious or misrepresented assets would benefit the company.
118. Solution: a
a.
Correct. If an internal auditor notes that there is a possibility of fraud, then the internal auditor needs
to expand audit activities to determine whether an investigation is warranted.
b, c, and d are incorrect. The auditor should first expand work to determine the existence of fraud before
reporting the matter to top management. At this point, the auditor only has suspicions of fraud, given
the red flags. More work should be performed before consulting with management, external legal counsel, or the audit committee.
119. Solution: b
a.
Incorrect. Predefined spending levels would probably already include the fraudulent amounts and would
only limit the size of the fraud.
b.
Correct. Additional authorization would be the most likely method for preventing the fraud.
c.
Incorrect. The bill of lading would agree with the purchase order. The quantity received (verified by a
third party) should be compared to both the bill of lading and the purchase order.
d.
Incorrect. The computer matching would only verify the fraudulent paperwork.
120. Solution: c
a.
Incorrect. The current quarter’s expense would equal the prior period’s activity unless the manager just
started this fraud. The auditor has no information on how long this might have been occurring.
b.
Incorrect. Physical testing would not locate nonexistent parts that have already been charged to maintenance.
c.
Correct. Analysis of repair parts charged to maintenance would quantify the excessive number of items
and detect that abuse may be occurring.
d.
Incorrect. Lack of segregation of duties allowed the fraud to occur. The manager was authorized to
process both the purchase and receipt, so the test would only verify the fraudulent paperwork.
121. Solution: a
a.
Correct. Most fraud perpetrators would attempt to conceal their theft by charging it against an expense
account.
b.
Incorrect. Debiting the stolen asset account would be going in the wrong direction to conceal an asset
theft.
c.
Incorrect. An entry decreasing revenue would be unusual and would stand out.
d.
Incorrect. This entry would not permanently conceal the fraud. It would simply shift the irreconcilable
balance to another asset account.
122. Solution: a
a.
Correct. This is an acceptable control procedure, which is aimed at limiting risk while promoting efficiency. It is not, by itself, considered a condition that indicates a higher likelihood of fraud.
b.
Incorrect. Lack of rotation of duties or cross-training for sensitive jobs is an identified red flag.
c.
Incorrect. This would be an example of an inappropriate segregation of duties, which is an identified
red flag.
d.
Incorrect. This is an identified red flag.
123. Solution: d (I, II and III)
I.
Correct. Fraud is best prevented when management establishes and maintains strong internal controls.
II.
Correct. Internal auditors are responsible for assisting management in the prevention and detection of
fraud.
III.
Correct. Internal auditors should assess the operating effectiveness of fraud-related communication
systems.
124. Solution: a
a.
Correct. The responsibility of internal auditors for detecting fraud includes having sufficient knowledge
of fraud to be able to identify indicators that fraud may have been committed. Fraud may be indicated
by negative organizational changes; thus, recognizing and questioning changes can help in the detection of fraud.
b.
Incorrect. Interrogation of fraud perpetrators is done to verify that fraud was committed, not to detect
the fact that fraud was committed.
c.
Incorrect. Developing internal controls is done to prevent fraud, not detect it.
d.
Incorrect. Documenting computerized operating systems is done to prevent fraud, not to detect it.
125. Solution: b
a.
Incorrect. Deliberate falsification of accounting records is something that a forensic auditor would investigate.
b.
Correct. The level of management compensation is not an issue for a forensic auditor.
c.
Incorrect. Acts of extortion are something that a forensic auditor would investigate.
d.
Incorrect. Theft of company assets is something that a forensic auditor would investigate.