Free IIA IIA-CIA-Part2 Practice Exam with Questions & Answers | Set: 6

 To assess the effectiveness of management’s self-assessment activities regarding the risk management process, internal auditors should directly observe and test the control and monitoring procedures.

 This hands-on approach allows auditors to verify the implementation and functionality of risk management controls and the accuracy of related reporting.

 Direct observation and testing provide the most reliable evidence of the effectiveness of these procedures

To improve collaboration with audit clients during an engagement, it is effective for internal auditors to discuss the engagement plan with the client so they understand the reasoning behind the approach (2), and to review test criteria and procedures where the client expresses concerns about the type of tests to be conducted (3). This approach fosters transparency, helps manage client expectations, and builds trust. Obtaining control concerns before the audit (1) is also useful but less directly related to collaboration during the engagement. Providing all observations at the end of the audit (4) might not facilitate ongoing collaboration during the audit process. References: IIA Standard 2200 – Engagement Planning, IIA Standard 2400 – Communicating Results

According to IIA Standards, acceptable practices for testing conformance through a quality assurance review include conducting a self-assessment with independent validation (2) and arranging for reciprocal peer review with another CAE (4). These methods provide a cost-effective and practical approach to ensuring compliance with professional standards, especially for small internal audit activities. Using an external service provider (1) and arranging for a review by qualified employees outside of the IAA (3) are also valid, but self-assessment with independent validation and peer review are specifically highlighted for smaller IAAs. References: IIA Standard 1312 – External Assessments, IIA Practice Guide – Quality Assurance and Improvement Program

Checklists are helpful tools to ensure systematic coverage of procedures. However, one drawback noted in the CIA study materials is the risk of over-reliance, which can create a false sense of security. Auditors may feel that completing the checklist ensures engagement sufficiency, while overlooking important deviations outside the checklist. In this case, the auditor ignored procurement deviations because they were not on the checklist — demonstrating the risk of over-reliance.

According to IIA guidance, an engagement work program is designed to test the effectiveness of process controls within an organizational process. This involves evaluating whether the controls are adequately designed and operating effectively to mitigate identified risks and achieve the process objectives. The work program outlines the specific procedures and steps auditors will take to gather evidence and assess the controls in place, ensuring that they address the relevant risks and comply with the organization's standards and policies.

IIA Standard 2240: Engagement Work Program

IIA Practice Guide: Internal Audit Quality Assurance

Comprehensive and Detailed Explanation:

According to IIA Standard 2440 and Practice Advisory, internal audit results must be communicated in a controlled and appropriate manner. When reports are to be shared outside the organization, the CAE must evaluate risks, consult with senior management and legal counsel, and restrict dissemination unless disclosure is legally required. Option A is misleading because the CAE must escalate unresolved risk acceptance to the board, not regulators unless mandated. Option B is incorrect since interim reports for urgent, high-risk issues are appropriate and sometimes necessary. Option D is inaccurate because boards may receive executive summaries, not necessarily full reports in every case. The correct requirement is Option C: the CAE ensures external communications are controlled and aligned with laws and organizational policies.

To ensure that the company is not taking any unwanted credit risks, the internal auditor should test controls that ensure construction orders are initiated only after the second invoice, which represents 70% of the payment, is paid. This control is critical because it minimizes the financial risk to the company by ensuring that a significant portion of the payment is received before the majority of the work is undertaken. This practice helps protect the company from potential non-payment issues and reduces the financial exposure associated with the project.

COSO Framework

The Institute of Internal Auditors (IIA) Standard 2130: Control

According to the IIA guidance, when reviewing an organizational process, the engagement work test typically focuses on process controls. This involves evaluating the design and effectiveness of controls in place to mitigate identified risks and ensure the achievement of process objectives. Assessing process controls helps auditors determine if the controls are operating as intended and are sufficient to manage the associated risks.

Bank confirmations are the most reliable source for verifying the current year-end bank balances. These confirmations are direct responses from the bank to the auditor, providing independent verification of the account balances as of the end of the year. This external confirmation is considered more reliable than internal documents like bank statements, reconciliations, or general ledger balances because it comes directly from a third-party source, ensuring its accuracy and completeness.

The Institute of Internal Auditors (IIA) - Practice Guide: External Confirmations

Auditing Standards (e.g., ISA 505 - External Confirmations)

In a compliance audit, the objective is to assess adherence to laws, regulations, or regulatory requirements. For banking compliance, this means verifying whether business continuity plans comply with mandatory regulations (Option B). Options A, C, and D relate to efficiency, best practices, or operations — not compliance.

One of the five basic financial statement assertions that an internal auditor evaluates when assessing controls over financial reporting is "existence or occurrence." This assertion verifies that assets, liabilities, and equity interests actually exist at a given date, and that recorded transactions have actually occurred during a given period. It ensures that the financial statements are not overstated through the inclusion of fictitious or erroneous items.

COSO Framework

PCAOB Auditing Standard No. 15: Audit Evidence

Defining activities by business processes is a structured approach that allows the internal audit activity to identify engagement opportunities effectively. This method ensures that all critical processes are reviewed systematically and that risks are identified and assessed in the context of how they affect the entire business process. This approach is comprehensive and aligns with best practices in internal auditing.

A control weakness occurs when there is a deficiency in internal controls that could allow errors or fraud to occur. While the act of buyers promptly updating the vendor listing might seem efficient, it could bypass necessary oversight and approval processes. This could lead to unauthorized or inappropriate vendors being added, increasing the risk of fraud or favoritism. Effective internal control requires that such updates be reviewed and approved by an independent party to ensure accuracy and appropriateness.

Best practices in internal control recommend segregation of duties and independent review processes to prevent unauthorized changes and ensure control integrity​​​​.

The chief audit executive (CAE) has the responsibility to provide assurance and insight on risk management processes. In a meeting with senior management to discuss significant risks, the CAE should focus on evaluating whether the risks accepted by senior management align with the organization’s risk appetite and are within acceptable levels. The CAE should ensure that the risk management practices are adequate and that senior management is aware of any risks that might exceed the organization's tolerance levels. This approach is aligned with the role of internal audit in providing independent and objective evaluations.

Institute of Internal Auditors (IIA) Standards: Performance Standards 2120: Risk Management

IIA Practice Guide: Assessing the Risk Management Process

When a key control is identified during fieldwork that was not recognized during the planning phase, it is critical to update the audit work program to include tests for this newly identified control. However, this adjustment should be made with the approval of the engagement supervisor. This ensures that the changes are properly documented and that the scope and objectives of the engagement remain aligned with the overall audit plan. Additionally, obtaining approval from the engagement supervisor maintains the integrity and oversight of the audit process.

The Institute of Internal Auditors (IIA) Standard 2240 – Engagement Work Program: "Internal auditors must develop and document work programs that achieve the engagement objectives."

IIA Practice Guide on "Engagement Planning"