IIA iia cia part2 practice test

Senior IT management requests the internal audit activity to perform an audit of a complex IT are
a. The chief audit executive (CAE) knows that the internal audit activity lacks the expertise to
perform the engagement. Which of the following is the most appropriate action for the CAE to take?

• A. Decline the audit engagement, because the Standards prohibit internal auditors from performing engagements where they lack the necessary competencies.
• B. Accept the audit engagement and use the engagement as an opportunity to develop the audit team’s IT expertise while performing the audit work.
• C. Temporarily hire an experienced and knowledgeable IT analyst from the organization's IT department to lead the audit.
• D. Outsource the audit engagement to a reputable IT audit consulting firm.

Which of the following factors should be considered when determining the staff requirements for an
audit engagement?
The internal audit activity's time constraints.
The nature and complexity of the area to be audited.
The period of time since the area was last audited.
The auditors’ preference to audit the area.
The results of a preliminary risk assessment of the activity under review.

• A. 1 and 4 only.
• B. 1, 2, and 5 only.
• C. 2, 3, and 5 only.
• D. 1, 2, 3, 4, and 5.

Which of the following statements is true regarding internal control questionnaires (ICQs)?

• A. ICQs are most useful in more organic, decentralized organizations with specialized departmental or regional characteristics.
• B. An ICQ can be used effectively either by sending it in advance for management of the area under review to complete or by testing each procedure and recording the results.
• C. An ICQ is not an efficient tool, as it can only inquire about controls and it does not test them.
• D. ICQs are also known as checklist audits and encourage management of the area under review to answer "no" or "yes" more accurately.

According to IIA guidance, which of the following is most likely to become part of the engagement
work program?

• A. Information obtained from historic audits and memos.
• B. Risk and control registers or matrices.
• C. Resource deployment plans and sampling methodologies.
• D. Prior findings and management responses.

An internal auditor is performing a review of an organization's vendor for any possible conflicts of
interest. Which of the following would provide the greatest assistance to the auditor in meeting this
objective?

• A. Vendor contracts.
• B. Employee master list.
• C. Payment records.
• D. Purchasing policy.

An internal auditor discovered a control weakness that needs to be communicated to management.
Which of the following is the best method for first communicating the weakness?

• A. Draft report, to be reviewed by management just prior to final report issuance.
• B. Preliminary observation document, discussed during the engagement.
• C. Final report, after review by audit management.
• D. Verbal communication during the engagement, followed by the final report issuance.

Which of the following would be most useful for an internal auditor to obtain during the preliminary
survey of an engagement on internal controls over user access management?

• A. The policy for granting, modifying, and deleting user access to ensure processing requirements are clearly articulated.
• B. A sample of change request forms to verify whether the forms bear the required approval for the user access change.
• C. User access reports that were reviewed by management to ensure that access rights are appropriate for employee roles.
• D. A current listing of system users and an employee listing to determine whether system users are active employees of the organization.

Which of the following is an advantage of an internal audit activity coordinating with a management-
defined risk universe?

• A. Increased completeness, including risk categories like political, supplier, and social media.
• B. Business managers can identify and assess risks that occur within each category.
• C. The internal audit activity can rely on management's risk assessment.
• D. Organizationwide audits are required since risk events within categories occur in many different ways.

Which of the following is the primary reason a chief audit executive should network with an
organization’s executives?

• A. To better understand and influence executives' planning.
• B. To make executives aware of the benefits that the internal audit activity can provide.
• C. To assist executives in setting the organization’s risk appetite.
• D. To have a better understanding of the training needed to strengthen the audit team.

According to IIA guidance, which of the following actions might place the independence of the
internal audit function in jeopardy?

• A. Having no active role or involvement in the risk management process.
• B. Auditing the risk management process for reasonableness.
• C. Coordinating and managing the risk management process.
• D. Participating with management in identifying and evaluating risks.