The sole internal auditor of a municipality wants to implement proper supervision over internal audit
workpapers. Which of the following would be the most appropriate?
D
Explanation:
The Global Internal Audit Standards require that workpapers be properly supervised and reviewed to
ensure quality and compliance. A sole auditor cannot perform a meaningful self-review (Option A).
Having clients review workpapers (Option B) compromises independence. Having management or
the board sign off (Option C) is also inappropriate as it undermines audit objectivity.
The most suitable solution is to arrange for peer reviews from external auditors or other
organizations, with confidentiality and legal safeguards in place. This provides independent oversight
while maintaining audit quality.
Reference:
IIA Standards – Standard 1312: External Assessments; Practice Guide – Quality Assurance and
Improvement Program.
After auditing the treasury function, the internal audit team issued a final report, which included an
action plan agreed with management. When the audit team returned three months later to follow
up on the action plan, management indicated that the plan had not been implemented because the
old treasury system was being replaced with a new system. Which of the following is the most
appropriate audit response?
D
Explanation:
When management has not implemented an agreed action plan, the internal audit team must escalate
the matter to the CAE. The CAE is responsible for discussing such cases with senior management to
understand the reasons and determine next steps, including whether the planned system replacement
actually addresses the original finding and whether the exposure until the new system goes live has
been knowingly accepted.
Option A is inappropriate because proposing action plans is management's responsibility, not
internal audit's. Option B disregards the initial high-risk issue. Option C (escalation to the
board) is premature unless senior management fails to act.
Thus, the correct response is Option D: report to the CAE, who should discuss the matter with senior
management.
Reference:
IIA Standards – Standard 2500: Monitoring Progress; Standard 2600: Communicating the Acceptance
of Risks.
Which of the following best describes the chief audit executive's responsibility for assessing the
organization's residual risk?
D
Explanation:
The CAE’s role is to provide assurance that risks are identified and managed appropriately. When
residual risk appears to exceed the organization’s tolerance, the CAE should first communicate the
matter with senior management to discuss the issue and understand management’s acceptance of
risk. Only if the risk remains unresolved should it be escalated to the board.
Option A is management’s responsibility, not internal audit’s. Option B is incomplete as evidence
alone does not fulfill the communication requirement. Option C is premature because immediate
escalation to the board skips management dialogue.
Reference:
IIA Standards – Standard 2600: Communicating the Acceptance of Risks.
During an internal audit engagement, it was found that several vendors were on a government
sanctions list and must no longer be traded with. Which of the following would most effectively
mitigate the risk of noncompliance with sanctions lists that are updated regularly?
C
Explanation:
The most effective mitigation is to embed ongoing controls within vendor management processes to
ensure that both new and existing vendors are continuously screened against updated sanctions lists.
This creates a sustainable and automated compliance mechanism.
Option A is reactive and does not address future compliance. Option B only addresses onboarding of
new vendors but ignores existing ones. Option D undermines compliance obligations and does not
mitigate risk.
Reference:
IIA Global Technology Audit Guide (GTAG): Auditing Third-Party Risk; IIA Standards – Standard 2130:
Control.
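To make the distinction between Options B and C concrete, the following added Python example (written for this page, not part of the question bank or any IIA guidance) screens a vendor master file against a sanctions list. The vendor records, the two versions of the sanctions list, and the name-normalization rules are all constructed for illustration; a live control would pull the publisher's machine-readable list and use a matching engine with aliases and identifiers rather than exact normalized-name matches.

```python
import re
import unicodedata
from dataclasses import dataclass

# Common legal-form suffixes dropped before comparison (illustrative, not exhaustive).
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "incorporated", "gmbh",
                  "sa", "co", "corp", "corporation", "plc"}


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    status: str  # "active" or "blocked"


def normalize(name: str) -> str:
    """Fold case, strip accents and punctuation, and drop legal suffixes so that
    'ACME Trading, Ltd.' and 'Acme Trading Limited' compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    tokens = [t for t in text.split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def screen(vendors, sanctions_names):
    """Return the ids of vendors whose normalized name appears on the list."""
    blocklist = {normalize(n) for n in sanctions_names}
    return sorted(v.vendor_id for v in vendors if normalize(v.name) in blocklist)


def onboarding_check(new_vendors, sanctions_names):
    """Option B: only vendors being onboarded are checked, against the list
    as it stands on the day of onboarding."""
    return screen(new_vendors, sanctions_names)


def periodic_rescreen(master, sanctions_names):
    """Option C: the whole master file is re-screened every time the list is
    refreshed, so vendors that were clean at onboarding are caught later."""
    return screen(master, sanctions_names)


def apply_screening(master, sanctions_names):
    """Write the outcome back as a vendor status, the control's actual output."""
    hits = set(periodic_rescreen(master, sanctions_names))
    return [Vendor(v.vendor_id, v.name, "blocked" if v.vendor_id in hits else "active")
            for v in master]


# Constructed sample data (not real vendors or real sanctions entries).
VENDOR_MASTER = [
    Vendor("V001", "Acme Trading, Ltd.", "active"),
    Vendor("V002", "Northwind Logistics GmbH", "active"),
    Vendor("V003", "Blue Harbour Shipping Co.", "active"),
]
SANCTIONS_LIST_V1 = ["Global Arms Export Inc"]
# The list is updated after V002 has already been onboarded.
SANCTIONS_LIST_V2 = ["Global Arms Export Inc", "NORTHWIND LOGISTICS"]


if __name__ == "__main__":
    # V002 passes its onboarding check against the list current at that time...
    print("onboarding hits:", onboarding_check([VENDOR_MASTER[1]], SANCTIONS_LIST_V1))
    # ...and is only caught when the full master file is re-screened against the update.
    print("rescreen hits:  ", periodic_rescreen(VENDOR_MASTER, SANCTIONS_LIST_V2))
    for v in apply_screening(VENDOR_MASTER, SANCTIONS_LIST_V2):
        print(v.vendor_id, v.status)
```

The onboarding-only control returns no hits for V002 because the vendor was not listed when it was added; the periodic re-screen of the entire master file is what flags it once the list changes, which is why the control has to run over existing vendors on every list update and not only at onboarding.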
Which of the following best describes meaningful recommendations for corrective actions?
D
Explanation:
Meaningful recommendations are those that address the root cause of the condition by comparing it
to the established criteria and propose sustainable, long-term solutions. This ensures that the
identified issue will not recur and strengthens the control environment.
Option A relates to symptoms (condition vs. consequence), not root causes. Option B identifies the
correct gap (criteria vs. condition) but offers only short-term fixes. Option C incorrectly compares
criteria to consequence, which is not a valid basis for audit recommendations.
Thus, Option D is correct.
Reference:
IIA Practice Guide – Audit Findings: Condition, Criteria, Cause, Effect, and Recommendation.
An internal auditor has finalized an engagement on the vendor master file. The results of the current
engagement do not differ significantly from those of last year, in which several significant weaknesses
in internal controls were reported. The internal auditor states in the final communication that the
internal controls are as effective as those of the previous year. Which of the following elements of
quality of communication could be improved?
D
Explanation:
According to the IIA Standards, audit communications must be accurate, objective, clear, concise,
constructive, and timely. In this case, the auditor’s statement that “controls are as effective as last
year” is inaccurate, because the prior year’s report identified significant weaknesses. Equating
ineffective controls with effectiveness misrepresents the actual condition, thereby compromising
accuracy.
Objectivity (Option C), conciseness (Option A), and constructiveness (Option B) are not the main
issue here. The primary weakness is accuracy (Option D).
Reference:
IIA Standards – Standard 2420: Quality of Communications.
Which statement is true regarding the development of a risk-based internal audit plan?
B
Explanation:
A risk-based audit plan must be aligned with the organization’s objectives and risk management
system. According to the Standards, the CAE must consider the organization’s risk management
framework and assess key risks to develop the plan. A maturity review (Option A) is not a
prerequisite, nor is a mandated percentage of strategic coverage (Option C). Option D is incorrect
because an organization does not need to follow a specific external framework to develop a risk-
based plan; internal risk identification suffices.
Reference:
IIA Standards – Standard 2010: Planning; Implementation Guide 2010.
Which of the following statements is true regarding an organization's chief audit executive (CAE)
when prioritizing the audit universe?
A
Explanation:
When prioritizing the audit universe, the CAE typically uses a risk-factor approach. This includes a
combination of likelihood, impact, control effectiveness, and other relevant criteria. Solely relying on
impact (Option C) or likelihood (Option B) is insufficient. Heat maps (Option D) may be tools used
within the process, but they are not the actual method of prioritization.
Thus, the correct description is the risk-factor approach (Option A).
Reference:
IIA Practice Guide – Developing a Risk-based Internal Audit Plan.
During an internal audit engagement, numerous deficiencies in the organization's management of
customer data were discovered, entailing the risk of breaching personal data protection legislation.
An improvement plan was approved by senior management. Which of the following conditions
observed during the periodic follow-up process best justifies the chief audit executive's decision to
escalate the issue to the board?
B
Explanation:
According to IIA guidance, the CAE must escalate to the board when significant risks remain
unaddressed. The most critical concern here is that no resources or budget were allocated to
implement corrective measures. This indicates that management is not taking the risk seriously, and
the exposure to noncompliance with data protection laws remains high.
Option A relates to customer satisfaction, not regulatory compliance. Option C is an issue of
communication but not as critical as failing to allocate resources. Option D shows resistance but can
be managed if resources are in place.
Thus, the condition that best justifies escalation is Option B: lack of allocated resources.
Reference:
IIA Standards – Standard 2600: Communicating the Acceptance of Risks.
Which of the following statements is true regarding multi-report summaries for members of senior
management and the board?
D
Explanation:
Multi-report summaries are designed to provide senior management and the board with aggregated
results across multiple audit engagements. To make them effective, internal audit functions typically
rate findings (e.g., high, medium, low) so results can be compared and summarized efficiently.
Option A is incomplete because summaries are not just about describing audit work but about
presenting meaningful insights. Option B (tables) refers to presentation style, not the key principle.
Option C is incorrect because even if boards review individual reports, summaries provide strategic
insights across engagements.
Thus, the correct answer is Option D.
Reference:
IIA Practice Guide – Formulating and Expressing Internal Audit Opinions.